Privacy Policy
Last updated: March 19, 2026
Helix BioMedical ("we," "us," or "our") is a 508(c)(1)(a) faith-based healthcare organization incorporated under the laws of the State of Wyoming. We are deeply committed to protecting the privacy and security of your personal information, your health information, your educational records, and your research data. This Privacy Policy describes how we collect, use, disclose, and safeguard information across all of our programs and services, including our mobile medical clinics, telehealth platform, diagnostic testing services, educational programs, bioinformatics tools, and website. It also explains your rights with respect to your information and how to contact us with questions or concerns.
This Policy applies to information collected from patients, students, donors, research participants, website visitors, and all other individuals who interact with our Services. For health information specifically, this Policy operates in conjunction with our HIPAA Notice of Privacy Practices, which provides additional detail about your rights under federal law. In the event of a conflict between this Policy and our HIPAA Notice, the HIPAA Notice controls with respect to Protected Health Information.
1. Overview and Scope
1.1 Who We Are
Helix BioMedical operates as a faith-based healthcare ministry under Section 508(c)(1)(a) of the Internal Revenue Code. Our services span clinical care (mobile medical missions, primary and preventive care, diagnostics, telehealth, bioresonance therapy), educational programming (CRISPR/Cas9 bioengineering training, community health education), bioinformatics research tools, and charitable fundraising. Because our services are diverse, this Policy addresses the different types of information associated with each program category.
1.2 Applicability
This Policy applies to all personal information collected through: our website at helixbiomedical.us and any related subdomains; our patient portal; our telehealth platform; in-person clinical encounters at Mobile Clinic events and fixed-site locations; educational program enrollment and participation; research data submission; donation processing; and any other direct communications with us. It does not apply to the practices of third-party websites or services that may be linked from our website; we are not responsible for the privacy practices of those sites.
1.3 Faith-Based Commitment to Privacy
As a ministry organization, we view the privacy of your personal and health information not merely as a legal obligation, but as an ethical and spiritual responsibility. We handle your information with the same discretion and care we would expect for ourselves, and we go beyond the minimum requirements of applicable law wherever feasible to protect your confidentiality and dignity.
2. Information We Collect
2.1 Patient Information
For individuals receiving clinical services, we collect: full legal name, date of birth, sex, and government-issued identification; contact information including address, telephone number, and email address; emergency contact name and relationship; health insurance information and policy numbers; Social Security Number, collected only where required for insurance billing or legally mandated reporting; complete medical and surgical history, including current medications, allergies, immunization records, and prior diagnoses; clinical notes, examination findings, vital signs, diagnostic test results, laboratory values, pathology reports, and imaging results; treatment plans and prescriptions; records of telehealth and in-person encounters; information about family medical history where clinically relevant; information about lifestyle factors, including tobacco use, alcohol and substance use, diet, and physical activity; and any other information you provide or that is generated in the course of your care.
2.2 Student and Program Participant Information
For individuals enrolling in our educational programs, we collect: full name, date of birth, and contact information; educational background and applicable professional credentials or licensure numbers; enrollment application materials; payment information for tuition and fees; participation and attendance records; assessment results and academic performance data; any written work or laboratory submissions; and information about biosafety training completion and certifications received.
2.3 Donor Information
For individuals making charitable donations, we collect: name and contact information; payment card or bank account information (processed through our secure payment processor and not stored on our systems in unencrypted form); donation amount, date, and purpose; gift acknowledgment preferences; and any communications you send us in connection with a donation.
2.4 Website Visitor Information
When you visit our website, we automatically collect certain technical information, including: your IP address and approximate geographic location derived from it; browser type, version, and language settings; operating system and device type; referring URLs and exit pages; pages viewed and time spent on each page; search terms used to find our site; and interaction data such as clicks, scrolls, and form completions. This information is collected through cookies, web beacons, and similar technologies as described further in Section 7.
3. HIPAA Protected Health Information
3.1 What Constitutes PHI
Protected Health Information (PHI) is any individually identifiable health information that relates to: the past, present, or future physical or mental health or condition of a patient; the provision of healthcare to a patient; or the past, present, or future payment for the provision of healthcare to a patient. PHI includes information in any format -- electronic, written, or oral -- that can be used to identify an individual. The 18 categories of HIPAA identifiers that can make health information individually identifiable include name, address, dates (other than year), telephone numbers, email addresses, Social Security Numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate and license numbers, vehicle identifiers, device identifiers, URLs, IP addresses, biometric identifiers, full-face photographs, and any other unique identifying number or code.
3.2 How We Use and Disclose PHI
We use and disclose PHI primarily for Treatment, Payment, and Healthcare Operations (collectively, "TPO") as permitted under the HIPAA Privacy Rule without requiring your specific written authorization. Treatment includes providing, coordinating, and managing your healthcare and related services. Payment includes billing, claims processing, and collecting payment for services rendered. Healthcare Operations includes quality assessment, provider education, accreditation activities, and general administrative functions necessary to run our organization.
Beyond TPO, we may use or disclose PHI without your authorization in limited circumstances required or permitted by law, including: mandatory reporting of communicable diseases to public health authorities; reporting suspected abuse, neglect, or domestic violence to authorized government agencies; responding to lawful court orders, subpoenas, or administrative requests; cooperating with health oversight activities such as audits and licensure inspections; disclosures necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; workers' compensation disclosures as required by applicable law; and disclosures to coroners, medical examiners, and funeral directors as necessary to carry out their legal duties.
3.3 Uses Requiring Your Written Authorization
Certain uses and disclosures of PHI require your prior written authorization, which you may revoke at any time in writing. These include: most uses for marketing purposes; the sale of PHI; disclosure of psychotherapy notes; disclosure of PHI for research not conducted under a proper IRB waiver of authorization; and any other uses not described in this Policy or our HIPAA Notice. If you revoke an authorization, it will apply prospectively and will not affect actions we have already taken in reliance on the authorization.
3.4 Minimum Necessary Standard
Consistent with HIPAA requirements, we apply the minimum necessary standard to all uses, disclosures, and requests for PHI. This means we use, disclose, and request only the amount of PHI reasonably necessary to accomplish the intended purpose. We have implemented role-based access controls that limit staff access to PHI based on their job functions. We conduct regular access audits and take disciplinary action for unauthorized access or disclosure.
4. Student Educational Records
4.1 Scope and Treatment
Educational records collected from participants in our training programs are treated with strict confidentiality. While our programs are non-accredited and are therefore not subject to the Family Educational Rights and Privacy Act (FERPA), we voluntarily apply FERPA-equivalent privacy protections to all student educational records as a matter of policy. This means we will not disclose your academic performance, enrollment status, or other educational records to third parties without your written consent, except as required by law.
4.2 Use of Student Data
Student data is used exclusively to administer our educational programs, communicate with you about program-related matters, issue certificates of completion, maintain records for our own quality assurance and program development purposes, and comply with any applicable regulatory requirements. We do not use student data for marketing to third parties, and we do not sell student data under any circumstances.
5. Research Data and Protein Sequences
5.1 Bioinformatics and Genetic Research Data
Participants in our research programs or users of our bioinformatics tools may submit or generate data including genetic sequences, protein structure data, guide RNA designs, plasmid maps, and related research outputs. This data is treated with the highest level of confidentiality. We do not use research data submitted by users for any purpose other than delivering the requested computational service and improving the accuracy and reliability of our tools, unless we have obtained your separate written authorization.
5.2 De-Identified Data
We may use de-identified data -- information from which all HIPAA identifiers have been removed in compliance with the HIPAA Safe Harbor or Expert Determination de-identification standard -- for research, quality improvement, and publication purposes. De-identified data is not considered PHI and is not subject to HIPAA protections, but we remain committed to handling it responsibly and in accordance with applicable research ethics standards.
5.3 Research Participant Rights
Individuals who participate in research conducted or facilitated by Helix BioMedical are entitled to the protections set forth in the applicable research protocol and any applicable IRB-approved consent form, in addition to the rights described in this Policy. Research participants may contact us at [email protected] to inquire about the use of their data in research activities.
6. How We Use Your Information
6.1 Clinical and Operational Purposes
We use personal and health information to: provide, coordinate, and manage your healthcare; diagnose and treat your medical conditions; conduct diagnostic tests and interpret results; manage prescriptions and medication records; facilitate telehealth consultations; coordinate referrals to specialists and other providers; communicate with you about appointments, test results, and follow-up care; process insurance claims and manage patient billing; evaluate and improve the quality of our clinical services; train clinical staff; and conduct operational planning and resource allocation.
6.2 Educational and Research Purposes
We use student and research data to: administer and deliver educational programs; assess student performance and issue certificates of completion; improve our educational curricula; support bioinformatics research and tool development; and analyze de-identified data to advance understanding of public health, disease prevention, and genetic medicine.
6.3 Fundraising and Communications
We may use contact information to send you information about our mission, programs, and fundraising activities, subject to applicable opt-out rights. We will not use PHI for fundraising without your separate written authorization. You may opt out of fundraising communications at any time by contacting us at [email protected] or (702) 825-0288.
6.4 Legal and Safety Purposes
We may use your information to comply with applicable legal obligations; respond to lawful legal process; enforce our Terms of Service and other agreements; protect the rights, property, and safety of our organization, staff, patients, and the public; investigate and prevent fraud; and respond to emergencies.
7. Cookies and Tracking Technologies
7.1 Types of Cookies Used
Our website uses the following types of cookies and similar technologies: Essential Cookies, which are strictly necessary to enable core website functionality, including authentication, session management, and security features -- these cannot be disabled without impairing the site; Functional Cookies, which remember your preferences, such as language selection and portal settings; Analytics Cookies, which collect aggregate, anonymous information about how visitors use our website, including pages visited, time spent, and navigation paths, using tools such as Google Analytics; and Communication Cookies, which support embedded video, contact forms, and other interactive features.
7.2 Your Cookie Choices
You can control cookies through your browser settings and, for non-essential cookies, through the cookie preference panel available on our website. Please note that disabling certain cookies may impair the functionality of our website and patient portal. We do not respond to browser "Do Not Track" signals at this time because a uniform industry standard for responding to such signals has not yet been established. We will update this section if we adopt a DNT response policy in the future.
7.3 Third-Party Tracking
We may engage third-party analytics and advertising service providers who may place cookies or other tracking technologies on our website. These providers operate under their own privacy policies. We require these providers to use your information only for the purposes of providing services to us and prohibit them from using your information for their own marketing purposes.
8. Data Sharing and Third Parties
8.1 Business Associates
We share PHI with third-party vendors and service providers ("Business Associates") who perform functions on our behalf that require access to PHI. Examples include electronic health record vendors, billing services, laboratory services, telehealth platform providers, and health information exchanges. All Business Associates are required to execute a Business Associate Agreement (BAA) with us that obligates them to use and disclose PHI only as permitted by our BAA and applicable law, to implement appropriate safeguards to protect PHI, and to report any breaches to us promptly.
8.2 Insurance and Payment Processors
We share billing information and limited PHI with your health insurance carrier as necessary to process claims and receive payment for services. We also share financial information (but not PHI) with payment card processors and banking institutions as necessary to process payments and donations. All payment transactions are processed using industry-standard encryption and tokenization.
8.3 Legal and Governmental Disclosures
We may disclose your information to government agencies, law enforcement, courts, and regulatory bodies when required by law or when we believe disclosure is necessary to comply with a legal obligation, protect our rights or property, prevent fraud or abuse, or protect the safety of our staff, patients, or the public. We will provide notice of such disclosures to you to the extent permitted by law.
8.4 No Sale of Information
We do not sell, rent, or trade your personal information, health information, student data, or research data to any third party for any purpose, under any circumstances. This prohibition is absolute and not subject to exception, even where applicable law might otherwise permit the sale of certain categories of information.
9. Data Retention and Deletion
9.1 Medical Records
Medical records are retained for a minimum of ten (10) years from the date of service, or six (6) years from the date of the patient's last visit, whichever is longer, in compliance with applicable state medical record retention laws and HIPAA requirements. Medical records for minors are retained until the later of: ten years from the date of service, or three years after the patient reaches the age of majority under applicable state law.
9.2 Educational Records
Student enrollment and performance records are retained for five (5) years following completion or termination of a student's enrollment in our programs, to support certificate verification and program quality review. Biosafety training records are retained for the duration required by applicable regulatory standards.
9.3 Website and Technical Data
Website access logs and technical data collected through cookies and analytics tools are retained for a period of up to 26 months, after which they are either deleted or de-identified. If you request deletion of your account and non-PHI personal information, we will process your request within 30 days, subject to our legal obligation to retain certain records.
9.4 Deletion Requests
To request deletion of your personal information (to the extent not subject to a legal retention obligation), please contact our Privacy Officer at [email protected] or (702) 825-0288. We will acknowledge your request within 10 business days and provide a substantive response within 30 days. We will inform you if we are unable to fulfill all or part of your deletion request due to legal obligations.
10. Security Measures
10.1 Technical Safeguards
We implement a comprehensive set of technical safeguards to protect your information, including: AES-256 encryption for all data at rest stored in our electronic health record and administrative systems; TLS 1.3 encryption for all data in transit; multi-factor authentication (MFA) required for all staff access to systems containing PHI; role-based access controls (RBAC) that limit data access to personnel with a defined need; comprehensive audit logging of all access to and modifications of PHI, with log review conducted regularly; intrusion detection and prevention systems (IDS/IPS) monitored around the clock; automated vulnerability scanning and regular penetration testing by independent third parties; end-to-end encrypted communications for telehealth sessions; and encrypted, geographically redundant backups.
10.2 Administrative Safeguards
Our administrative security program includes: designation of a Privacy Officer and a Security Officer with defined responsibilities under HIPAA; comprehensive, role-specific security and privacy training for all workforce members, conducted at hire and annually thereafter; execution of Business Associate Agreements with all vendors who handle PHI; annual enterprise-wide HIPAA risk assessments and remediation planning; documented policies and procedures for all aspects of PHI handling; a formal incident response plan and breach notification procedures; workforce sanctions for violations of privacy and security policies; and background checks for all personnel with access to PHI.
10.3 Physical Safeguards
We maintain physical safeguards including: controlled access to facilities where PHI is stored or processed; automatic screen lock and workstation security policies; secure disposal of PHI-containing paper records through cross-cut shredding; secure disposal of electronic media through certified data destruction services; and locked storage for physical patient files and portable devices.
10.4 Breach Notification
In the event of a breach of unsecured PHI, we will notify affected individuals, the U.S. Department of Health and Human Services, and, where applicable, the media, in accordance with the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D) and any applicable state breach notification laws. We will provide notice to affected individuals within 60 days of discovering a breach, or sooner where required by state law. Breach notices will describe what happened, the types of information involved, steps you can take to protect yourself, what we are doing to address the breach, and our contact information for questions.
11. Children's Privacy (COPPA)
11.1 Online Services and COPPA
Our website and online patient portal are not directed to children under 13, and we do not knowingly collect personal information from children under 13 for purposes unrelated to healthcare services without verifiable parental consent, in compliance with the Children's Online Privacy Protection Act (COPPA). If you are a parent or guardian and believe that your child under 13 has provided personal information through our website without your consent, please contact us at [email protected] and we will take steps to delete such information.
11.2 Minor Patients
We provide clinical services to minors with the written consent of a parent or legal guardian, except where applicable state law permits a minor to consent to specific categories of healthcare independently (such as reproductive health services, mental health treatment, or substance abuse treatment). In those circumstances, the minor may exercise privacy rights independently for those specific records, and we are required under state law to keep such records separate and confidential from the minor's general health record accessible to parents or guardians.
11.3 Privacy Rights for Minor Records
When a parent or guardian provides consent for a minor's healthcare, the parent or guardian generally has the right to access and control the minor's health records under HIPAA. However, we may use our professional judgment to decline access in specific circumstances where access could endanger the minor. Once a minor reaches the age of majority, all privacy rights transfer to the now-adult patient and the parent or guardian no longer has automatic access rights unless separately authorized by the patient.
12. State-Specific Privacy Rights
12.1 California Residents (CCPA/CPRA)
California residents have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including: the right to know what personal information we collect and how it is used and shared; the right to request deletion of personal information, subject to legal retention obligations; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of personal information (we do not sell or share personal information for cross-context behavioral advertising); the right to limit the use and disclosure of sensitive personal information; and the right to non-discrimination for exercising CCPA rights. Note that personal information constituting PHI under HIPAA is generally exempt from CCPA. To exercise your California privacy rights, contact us at [email protected] or (702) 825-0288.
12.2 Nevada Residents
Nevada residents may request that we not sell certain covered information as defined under Nevada Senate Bill 220. We do not sell personal information. Nevada residents with questions may contact us at [email protected].
12.3 Other State Privacy Laws
Residents of states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, and others) may have rights similar to those described for California residents. We comply with applicable state privacy laws and honor requests from residents of those states. Please contact us to exercise any state privacy rights applicable in your jurisdiction.
13. International Data Transfers
Our Services are operated from the United States and are governed by United States law. If you access our Services from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your home country. By using our Services, you consent to this transfer and processing.
We do not generally target individuals outside the United States with our clinical or educational programs. If you are accessing our bioinformatics tools or educational resources from outside the United States, you do so at your own initiative and are responsible for compliance with applicable local laws, including any regulations governing the transfer of genetic data or personal health information across international borders.
14. Your Rights and Choices
14.1 Right to Access
You have the right to request a copy of the personal information and health information we hold about you. For PHI, we will respond to your request within 30 days as required by HIPAA, or within a shorter period where required by applicable state law. For non-health personal information, we will respond within 45 days. We may charge a reasonable, cost-based fee for providing copies of records.
14.2 Right to Correct
You have the right to request correction of inaccurate or incomplete personal information. For PHI, this right is governed by the HIPAA right to amendment. We may deny amendment requests where we determine that the record is accurate and complete; in such cases, we will inform you of the denial and your right to submit a statement of disagreement.
14.3 Right to Restrict
You have the right to request that we restrict the use or disclosure of your PHI. We are required to honor restrictions where you have paid out-of-pocket in full for the services to which the PHI pertains and you request that we not disclose the PHI to your health insurer. We may, but are not required to, honor other restriction requests; we will inform you of our decision in writing.
14.4 Right to Confidential Communications
You have the right to request that we communicate with you through specific means or at a specific location (for example, by phone only, or at a work address rather than home address). We will accommodate reasonable requests without requiring you to explain the reason for your request.
14.5 Right to Accounting of Disclosures
You have the right to receive a written accounting of certain disclosures we have made of your PHI during the six years prior to your request. This accounting does not include disclosures for TPO purposes, disclosures pursuant to your authorization, or certain other categories of disclosures. The first accounting in any 12-month period is free; we may charge a reasonable fee for subsequent requests within the same 12-month period.
14.6 Right to a Paper Copy of This Notice
You have the right to receive a paper copy of this Privacy Policy and our HIPAA Notice of Privacy Practices upon request, even if you have previously agreed to receive these documents electronically.
15. Changes to This Policy
We reserve the right to modify this Privacy Policy at any time. When we make material changes, we will update the "Last updated" date at the top of this Policy and provide notice through our website, patient portal, and, where appropriate, by direct communication to affected individuals. For changes to our HIPAA Notice of Privacy Practices specifically, the revised notice will apply to all PHI we maintain, including PHI created or received before the effective date of the revision. We will post updated HIPAA notices in our facilities and make them available upon request. Your continued use of our Services after the effective date of any changes constitutes your acceptance of the revised Policy.
16. Contact and Complaints
For questions or concerns about this Privacy Policy, to exercise any of your rights described in this Policy, or to report a potential privacy violation, please contact our Privacy Officer:
- Email: [email protected]
- Phone: (702) 825-0288
- Organization: Helix BioMedical, a 508(c)(1)(a) faith-based organization, Wyoming jurisdiction
If you believe your HIPAA privacy rights have been violated, you may also file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights at hhs.gov/ocr or by calling 1-800-368-1019. You have the right to file a complaint without fear of retaliation. We will not take any action against you, limit your care, or treat you adversely in any way as a result of a good-faith privacy complaint.