(702) 825-0288
Donate|Patient Portal|Staff Login
Legal & Compliance

HIPAA Notice of Privacy Practices

Last updated: March 19, 2026

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Effective Date: March 19, 2026

1. Required Notice Statement

This Notice of Privacy Practices ("Notice") is provided to you as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), and the regulations issued under those statutes, including the HIPAA Privacy Rule (45 CFR Parts 160 and 164). This Notice describes the privacy practices of Helix BioMedical and all healthcare providers, staff, volunteers, and business units that are part of our organized healthcare arrangement. We are required to provide you with this Notice before we first provide healthcare treatment to you, or as soon as reasonably practicable in emergency circumstances.

By receiving services from Helix BioMedical, you acknowledge receipt of this Notice. You are not required to sign an acknowledgment of receipt; however, if you decline to sign an acknowledgment form, we will document our good-faith effort to provide this Notice and your declination in your records.

2. Our Legal Duties

Helix BioMedical is required by law to:

  • Maintain the privacy of your Protected Health Information (PHI) in accordance with HIPAA and applicable state law;
  • Provide you with this Notice describing our legal duties and privacy practices with respect to PHI;
  • Abide by the terms of the Notice currently in effect;
  • Notify you following a breach of your unsecured PHI as required by 45 CFR Part 164, Subpart D;
  • Not use or disclose your PHI except as described in this Notice or as otherwise required or permitted by law;
  • Apply the minimum necessary standard to our uses and disclosures of PHI, meaning we use, disclose, and request only the minimum amount of PHI needed to accomplish the intended purpose;
  • Train all workforce members on our privacy and security policies and procedures; and
  • Mitigate, to the extent practicable, any harmful effects from uses or disclosures of PHI by us or a business associate that violate our policies or applicable law.

"Protected Health Information" means individually identifiable health information that is created, received, maintained, or transmitted by us, including information in any format -- electronic, paper, or oral -- that relates to your past, present, or future physical or mental health or condition; the provision of healthcare to you; or the past, present, or future payment for the provision of healthcare to you. PHI includes 18 categories of identifiers defined under HIPAA that can be used to identify you individually.

3. Uses and Disclosures for Treatment, Payment, and Healthcare Operations

3.1 Treatment

We may use and disclose your PHI to provide, coordinate, and manage your healthcare and any related services. Treatment includes the provision of healthcare services, as well as consultation between healthcare providers regarding your care and the referral of patients to other providers. We may disclose your PHI to physicians, nurses, technicians, students, and other healthcare personnel who are involved in your care.

Example: Your primary care provider may share your medical history, current medications, and recent test results with a specialist to whom you are referred for treatment of a specific condition. The specialist's clinical notes will then become part of your designated record set, accessible to all members of your care team.

3.2 Payment

We may use and disclose your PHI to obtain payment for services provided to you. Payment activities include billing, claims management, collection activities, utilization review, and related healthcare data processing. We may disclose your PHI to your insurance carrier, Medicare, Medicaid, or other payers for purposes of obtaining reimbursement for services rendered.

Example: We will submit a claim to your health insurance carrier that includes your name, date of birth, diagnosis codes, procedure codes, and the date and location of service. The insurance carrier will use this information to determine your coverage and to calculate your co-pay or deductible obligation.

3.3 Healthcare Operations

We may use and disclose your PHI for our healthcare operations, which are activities necessary to run our organization and ensure the quality and efficiency of care. Healthcare operations include: quality assessment and improvement activities; competency reviews and clinical evaluations of providers and staff; conducting or arranging for clinical training programs; conducting medical review, legal, and auditing functions; business planning, management, and general administrative activities; and certain fundraising activities, subject to applicable limitations.

Example: We may use your PHI to evaluate the quality of care you received, assess the performance of clinicians who treated you, or review your case as part of a medical education program. These activities are conducted under strict confidentiality protections and are designed to improve care for all patients.

4. Other Permitted Uses and Disclosures Without Your Authorization

4.1 Public Health Activities

We may disclose your PHI to public health authorities authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability. This includes reporting of communicable diseases, birth and death records, adverse events related to FDA-regulated products, and suspected child abuse or neglect. We may also disclose PHI to public health authorities for the purpose of conducting public health surveillance, investigations, and interventions.

4.2 Health Oversight Activities

We may disclose your PHI to a health oversight agency for activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure and disciplinary actions; and other activities necessary for appropriate oversight of the healthcare system, government benefit programs, and compliance with civil rights laws.

4.3 Judicial and Administrative Proceedings

We may disclose your PHI in the course of any judicial or administrative proceeding, including in response to a court order, administrative order, subpoena, discovery request, or other lawful process. Where disclosure is sought through a subpoena or other process that does not include a court order, we will make reasonable efforts to provide you with notice of the request or to obtain a qualified protective order before complying.

4.4 Law Enforcement

We may disclose your PHI to law enforcement officials for specific law enforcement purposes, including: to comply with a court order, warrant, or grand jury subpoena; to identify or locate a suspect, fugitive, material witness, or missing person; to provide information about a victim of a crime (subject to certain conditions); to alert law enforcement about a death that may have resulted from criminal activity; to provide information about criminal conduct on our premises; and to comply with any applicable law that requires reporting of certain types of wounds or physical injuries.

4.5 Coroners, Medical Examiners, and Funeral Directors

We may disclose PHI to a coroner or medical examiner for the purpose of identifying a deceased person or determining the cause of death. We may also disclose PHI to funeral directors as necessary to carry out their duties.

4.6 Organ and Tissue Donation

If you are an organ or tissue donor, we may use or disclose your PHI to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ and tissue donation and transplantation.

4.7 Research

We may use or disclose your PHI for research purposes under limited circumstances: where a properly constituted Institutional Review Board (IRB) or Privacy Board has reviewed and approved a waiver of individual authorization; where the research involves only PHI of decedents; or where the researcher represents that the PHI is needed solely to prepare a research protocol and will not be removed from our premises, combined with non-research data, or used to identify individual patients. All research involving PHI is subject to stringent ethical and privacy protections.

4.8 Serious Threat to Health or Safety

We may use or disclose your PHI to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. Disclosures are made only to persons reasonably able to prevent or lessen the threat, including the target of the threat. We comply with applicable state mandatory reporting laws, including laws requiring reporting of domestic violence and elder abuse.

4.9 Specialized Government Functions

We may disclose PHI for specialized government functions, including: activities related to national defense and security; protective services for the President and certain other persons; medical suitability determinations for armed forces personnel; disclosures required by the Department of Veterans Affairs; and disclosures to federal officials for the conduct of lawful intelligence, counterintelligence, and national security activities.

4.10 Workers' Compensation

We may disclose PHI as authorized by and to the extent necessary to comply with applicable workers' compensation laws and other similar programs that provide benefits for work-related injuries or illnesses.

4.11 Facility Directories and Family Members

Unless you object, we may use your name, location within our facility, and general condition to maintain a facility directory, to notify family members and others involved in your care, and to notify clergy. We will inform you of our intended use of this information and give you the opportunity to object. If you are incapacitated or in an emergency, we may disclose this information if we determine it is in your best interest, based on our professional judgment.

5. Uses and Disclosures Requiring Your Written Authorization

We will obtain your specific written authorization before using or disclosing your PHI in the following circumstances, which are not covered by the permitted uses described above:

5.1 Marketing

We will not use or disclose your PHI for marketing purposes -- meaning communications that encourage you to purchase a product or service -- without your written authorization, except for face-to-face communications about our own services and promotional gifts of nominal value. We will not accept payment from a third party in exchange for making marketing communications to you without your authorization.

5.2 Sale of PHI

We will never sell your PHI. We will not receive direct or indirect remuneration in exchange for your PHI without your written authorization.

5.3 Psychotherapy Notes

Psychotherapy notes -- meaning notes recorded by a mental health professional about the content of individual counseling sessions -- receive heightened protection under HIPAA and may not be used or disclosed without your specific written authorization, except in narrow circumstances involving our own treatment activities, training programs, legal defense proceedings, or legally mandated reporting.

5.4 Most Other Uses

Any use or disclosure of your PHI not described in this Notice or otherwise required or expressly permitted by law requires your prior written authorization. You may revoke any authorization you have given to us at any time by submitting a written revocation to our Privacy Officer. Revocation will apply prospectively and will not affect actions we have already taken in reliance on the authorization.

6. Summary of Your Patient Rights

Federal law gives you important rights with respect to your PHI. These rights are described in detail in Sections 7 through 11 of this Notice. A summary of those rights is:

  • Right to inspect and copy your PHI in a designated record set, including medical records and billing records;
  • Right to request amendment of PHI you believe is inaccurate or incomplete;
  • Right to an accounting of certain disclosures we have made of your PHI;
  • Right to request restrictions on uses or disclosures of your PHI for treatment, payment, or healthcare operations;
  • Right to request confidential communications by alternative means or at alternative locations;
  • Right to a paper copy of this Notice upon request; and
  • Right to notification in the event of a breach of your unsecured PHI.

To exercise any of these rights, please submit a written request to our Privacy Officer at [email protected] or (702) 825-0288. We will not retaliate against you for exercising your rights under HIPAA.

7. Right to Access and Obtain Copies of Your Records

You have the right to inspect and request copies of your PHI contained in a designated record set, which includes medical records, billing records, and other records used to make decisions about your care. This right applies to PHI maintained in any form -- paper, electronic, or otherwise.

To request access, you must submit a written request to our Privacy Officer. We will respond within 30 days of receiving your request, or within 60 days if we need an extension (in which case we will notify you in writing of the need for an extension and the reason). We may charge a reasonable, cost-based fee for copying, labor, and postage, but we will inform you of the applicable fee before processing your request so you may withdraw or modify it if you choose.

We may deny your request in limited circumstances -- for example, if access could reasonably endanger your life or the life of another person, or if the information was compiled in anticipation of civil, criminal, or administrative proceedings. If we deny your request, we will provide you with a written denial that includes the reason for the denial and information about your right to request a review of the denial by a licensed healthcare professional.

For electronic PHI maintained in an electronic health record, you have the right to obtain your records in electronic format. If you direct us to transmit your records directly to a third party (such as another provider), we will do so provided the request is in writing, is signed by you, and clearly identifies the designated recipient and where to send the records.

8. Right to Request Amendment of Your Records

If you believe that PHI we hold about you is inaccurate or incomplete, you have the right to request that we amend the information. Your request must be submitted in writing to our Privacy Officer and must include a reason for the requested amendment. We will respond to your request within 60 days of receipt. If we need additional time, we may extend the response period by up to 30 days, provided we inform you in writing of the extension and the reason for it.

We may deny your request to amend if the information: (a) was not created by us, unless the originating provider is no longer available; (b) is not part of the information you would be permitted to inspect and copy; (c) is not part of a designated record set; or (d) is accurate and complete, in our determination.

If we deny your amendment request, you have the right to submit a written statement of disagreement, which we will include in your records and append to future disclosures of the relevant PHI. We may prepare a written rebuttal to your statement of disagreement, which we will also provide to you and include in your records.

9. Right to an Accounting of Disclosures

You have the right to receive a written accounting of disclosures of your PHI that we have made in the six years prior to the date of your request. This right applies to disclosures other than those: made for treatment, payment, or healthcare operations purposes; made to you or your personal representative; made incident to a permitted use or disclosure; made pursuant to a valid authorization you provided; made for facility directories and to individuals involved in your care; made for national security or intelligence purposes; made to correctional institutions or law enforcement officials; or made prior to the applicable compliance date.

Your request must be in writing and must specify the time period for the accounting. We will provide you with one free accounting per 12-month period. For additional requests within the same 12-month period, we may charge a reasonable fee, which we will disclose to you before processing the request so you may withdraw or modify it.

10. Right to Request Restrictions on Uses and Disclosures

You have the right to request that we restrict our uses or disclosures of your PHI for treatment, payment, or healthcare operations. We are not required to agree to a restriction unless the restriction involves a disclosure to a health plan and the PHI pertains solely to a healthcare item or service for which you paid out-of-pocket in full and you specifically request that we not disclose the information to the health plan. In that circumstance, we are required by HIPAA to honor your restriction.

For other restriction requests, we will consider the request and evaluate whether the restriction is appropriate and feasible. If we agree to a restriction, we will honor it except in emergency treatment situations where the restricted information is needed to provide emergency care. We will inform you if we terminate a restriction we previously agreed to honor.

11. Right to Request Confidential Communications

You have the right to request that we communicate with you about your health information through specific means or at specific locations. For example, you may request that we contact you only at a work telephone number or that we send correspondence only to a post office box. You may also request that we not leave voicemail messages at your home phone number or that correspondence be sent in plain envelopes with no external indication of the sender.

We will accommodate all reasonable requests for confidential communications. You are not required to provide a reason for your request. We may require that the request be submitted in writing and include information about how payment will be handled, if applicable. We will not ask you to explain why you are making the request.

12. Business Associates

We share your PHI with third-party contractors and service providers who perform functions on our behalf that require access to PHI. These entities are our "Business Associates" under HIPAA. Examples of Business Associates include our electronic health record (EHR) vendor, billing and collections services, laboratory services, telehealth platform providers, health information exchanges, and IT support services that may have incidental access to PHI.

We are required by HIPAA to execute a Business Associate Agreement (BAA) with each Business Associate before sharing PHI. Each BAA requires the Business Associate to: use PHI only for the purposes for which it was shared; implement appropriate administrative, physical, and technical safeguards to protect PHI; report breaches and security incidents to us promptly; ensure that its own subcontractors that handle PHI are bound by similar obligations; and return or destroy PHI at the end of the business relationship.

We conduct due diligence on all Business Associates before entering into a relationship and periodically review their compliance. We are not responsible for the actions of Business Associates beyond our contractual protections and applicable legal requirements, but we take commercially reasonable steps to select reliable partners and to monitor their performance.

13. Breach Notification

In the event we discover a breach of your unsecured PHI, we are required by the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D) to notify you, the U.S. Department of Health and Human Services, and, in certain cases, prominent media outlets serving the affected geographic area. We will provide notice to you without unreasonable delay and in any event within 60 calendar days of discovering the breach.

Our breach notification to you will include: a brief description of what happened, including the date of the breach and the date of discovery; a description of the types of unsecured PHI that were involved (such as full name, Social Security number, date of birth, home address, medical record number, and account number); any steps you should take to protect yourself from potential harm resulting from the breach; a brief description of what we are doing to investigate the breach, mitigate harm to individuals, and protect against further breaches; and contact information for you to ask questions or learn additional information.

Notice will be provided by first-class mail to the most recent address we have on file for you, or by email if you have previously expressed a preference for electronic notice and specified an email address. In emergency situations, we may provide initial notice by telephone, followed by written notice as described above. If you are deceased and we know of a next of kin or personal representative, we will provide notice to that individual. If contact information is insufficient to notify 10 or more individuals, we will provide substitute notice through our website or prominent media outlet, as required by regulation.

14. Our Organizational Duties and Commitments

In addition to our legal obligations under HIPAA, we make the following organizational commitments regarding the privacy and security of your PHI:

  • We maintain a designated Privacy Officer and Security Officer responsible for the development and implementation of our privacy and security programs;
  • We provide comprehensive HIPAA training to all workforce members, including employees, contractors, and volunteers, at the time of hire or engagement and annually thereafter;
  • We conduct annual enterprise-wide HIPAA risk assessments to identify potential vulnerabilities in our PHI handling and to implement appropriate safeguards;
  • We maintain documented policies and procedures governing all aspects of PHI access, use, disclosure, storage, and disposal;
  • We impose appropriate sanctions on workforce members who violate our privacy and security policies, up to and including termination and referral to licensing boards;
  • We mitigate, to the extent practicable, harmful effects resulting from impermissible uses or disclosures of PHI by us or our Business Associates;
  • We refrain from retaliating against any individual who files a complaint about our privacy practices, participates in a compliance investigation, or otherwise exercises rights under HIPAA; and
  • We do not require any individual to waive their HIPAA rights as a condition of receiving treatment or enrollment in any program.

15. How to File a Complaint

If you believe that your HIPAA privacy rights have been violated, or if you are dissatisfied with our privacy practices, you have the right to file a complaint. You may file a complaint with us, with the U.S. Department of Health and Human Services, or both. We encourage you to contact us first so that we can address your concern directly, but you are under no obligation to do so before contacting the government.

15.1 Complaints to Helix BioMedical

To file a complaint with us, please contact our Privacy Officer in writing:

  • Email: [email protected]
  • Phone: (702) 825-0288
  • Organization: Helix BioMedical, Attention: Privacy Officer, 508(c)(1)(a) faith-based organization, Wyoming jurisdiction

We will acknowledge receipt of your complaint within 5 business days and provide a substantive response within 30 days. All complaints are investigated promptly and thoroughly, and corrective action is taken where appropriate. We will not retaliate against you in any way for filing a complaint.

15.2 Complaints to the U.S. Department of Health and Human Services

You may also file a complaint with the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services:

  • Online: ocrportal.hhs.gov/ocr/portal/lobby.jsf
  • Mail: U.S. Department of Health and Human Services, Office for Civil Rights, 200 Independence Avenue, S.W., Washington, D.C. 20201
  • Phone: 1-800-368-1019 | TDD: 1-800-537-7697

Complaints to OCR must generally be filed within 180 days of when you knew or should have known that the violation occurred. OCR may extend this deadline for good cause.

16. Changes to This Notice

We reserve the right to change this Notice and to make the revised or changed Notice effective for PHI we already hold about you, as well as any PHI we receive in the future. We are required by law to comply with the terms of the Notice currently in effect. When we make a material change to this Notice, we will:

  • Post the revised Notice prominently in our facilities;
  • Make the revised Notice available on our website with an updated effective date;
  • Provide a paper copy of the revised Notice to any patient who requests one; and
  • Distribute the revised Notice to existing patients as required by applicable law or upon their next encounter with our Services.

We encourage you to review this Notice periodically to stay informed of how we protect your health information and what rights you have with respect to it. Questions about this Notice may be directed to our Privacy Officer at [email protected] or (702) 825-0288.