1. About this Notice
This combined document serves as both (a) the Notice of Privacy Practices required by the federal Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), 45 C.F.R. § 164.520, for patients who receive clinical services from Midwest Mind & Body Healthcare, and (b) our general Website Privacy Policy for everyone who visits this website, including prospective patients and members of the public.
In this Notice, "we," "us," "our," and "the practice" mean Midwest Mind & Body Healthcare, a Nebraska healthcare practice with its principal office at 131 N Washington Street, Suite A, Papillion, Nebraska 68046. "You" means the individual reading this Notice, whether you are a patient, the legal representative of a patient, a prospective patient, or a general visitor to our website.
We are a covered entity under HIPAA and are required by law to maintain the privacy of your protected health information ("PHI"), to give you notice of our legal duties and privacy practices with respect to PHI, to notify you following a breach of unsecured PHI, and to follow the terms of the Notice currently in effect.
2. HIPAA Notice of Privacy Practices
This Notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
PHI is information we collect or create about you that identifies you and that relates to your past, present, or future physical or mental health, the healthcare we provide to you, or the payment for your healthcare. PHI includes information we receive from you directly, from other healthcare providers, from your insurance plan, and from the electronic health record and patient-portal systems we use.
3. How We May Use and Disclose Your Health Information
Federal law allows us to use and disclose your PHI in several categories without obtaining your written authorization. The categories below are not meant to list every possible use or disclosure; rather, they describe the types of uses and disclosures we may make.
3.1 For Treatment
We use and disclose your PHI to provide, coordinate, and manage your healthcare and related services. For example, we may share information with pharmacists who fill your prescriptions, with therapists who co-treat you (such as our care network partners), with primary-care or specialty providers to whom we refer you, and with laboratories that perform testing we order.
3.2 For Payment
We use and disclose PHI to bill and collect payment for the services we provide. This may include verifying insurance coverage, obtaining prior authorizations, submitting claims, and following up on unpaid balances.
3.3 For Health Care Operations
We use and disclose PHI to operate our practice. Examples include quality-improvement activities, credentialing, provider training, licensing and accreditation, legal and compliance review, and general business management.
3.4 Other Uses and Disclosures That Do Not Require Your Authorization
- Appointment reminders, treatment alternatives, and health-related benefits. We may contact you to remind you of upcoming appointments or tell you about care options or services that may interest you.
- Individuals involved in your care. With your verbal agreement (or where we reasonably infer from the circumstances that you do not object), we may share limited PHI with a family member, friend, or personal representative who is involved in your care or helps pay for it.
- As required by law. We will disclose PHI when federal, state, or local law requires it, for example in response to a valid subpoena or court order.
- Public health activities. We may disclose PHI to public-health authorities for purposes such as disease prevention and reporting, adverse-event reporting to the U.S. Food and Drug Administration, and reporting child abuse or neglect.
- Victims of abuse, neglect, or domestic violence. We may disclose PHI to appropriate government authorities when we reasonably believe someone is a victim of abuse, neglect, or domestic violence.
- Health oversight. We may disclose PHI to health-oversight agencies for audits, investigations, licensure actions, and similar activities.
- Judicial and administrative proceedings. We may disclose PHI in response to a court or administrative order, subpoena, discovery request, or other lawful process, subject to HIPAA safeguards.
- Law enforcement. We may disclose PHI to law-enforcement officials for specific purposes permitted by HIPAA.
- Serious threat to health or safety. We may disclose PHI when necessary to prevent a serious and imminent threat to your health and safety or that of others, consistent with applicable law and ethical standards (including the "duty to warn" standards recognized in Nebraska and other states where we treat patients).
- Workers' compensation. We may disclose PHI as authorized by and to the extent necessary to comply with workers' compensation laws.
- Coroners, medical examiners, and funeral directors. We may disclose PHI as permitted by law.
- Organ and tissue donation. We may disclose PHI to organizations that handle organ procurement.
- Research. We do not currently participate in research involving identifiable PHI. Any future research use of PHI would require either your authorization or an Institutional Review Board waiver that meets HIPAA requirements.
- Business associates. We use third-party service providers (such as our electronic health record vendor) who help us operate the practice. These parties are our "business associates," and HIPAA requires them to protect your PHI by written agreement.
3.5 Uses and Disclosures That Require Your Written Authorization
We will obtain your written authorization before using or disclosing your PHI for any purpose not described in this Notice, including:
- Most uses and disclosures of psychotherapy notes (notes kept separately from the rest of your record that document or analyze a counseling session).
- Marketing communications that involve financial remuneration to us from a third party.
- Sale of PHI. We do not sell PHI and will not do so without your written authorization. Any such authorization would include the specific disclosures HIPAA requires, including that we would receive remuneration for the sale.
- Fundraising. We do not contact patients for fundraising purposes. If this changes, you will have the right to opt out.
If you give us written authorization, you may revoke it in writing at any time. Your revocation will not affect any uses or disclosures we have already made in reliance on your prior authorization.
3.6 Heightened Protection for Certain Categories of PHI
Certain categories of health information are given extra protection by federal or state law, and we will handle them accordingly. These include, but are not limited to:
- Mental-health treatment information and psychotherapy notes. The practice does not routinely maintain psychotherapy notes separate from the rest of the medical record. In the rare case we do, those notes are protected under HIPAA's psychotherapy-notes rule and applicable Nebraska law, and require your written authorization for most disclosures.
- Substance-use disorder records, to the extent we create them, consistent with federal and state confidentiality requirements. (42 C.F.R. Part 2 does not directly apply to our practice, but we treat these records with equivalent care.)
- HIV-related information, consistent with applicable state laws.
- Genetic information, consistent with the Genetic Information Nondiscrimination Act (GINA).
- Reproductive health information, consistent with the HIPAA Privacy Rule amendments of 2024. See Section 4.
4. Reproductive Health Information
Effective December 23, 2024, the HIPAA Privacy Rule provides heightened protection for PHI related to reproductive healthcare, including pregnancy, pregnancy loss, contraception, fertility, and related care. We comply with these protections and will not use or disclose your reproductive-health PHI:
- To conduct a criminal, civil, or administrative investigation into any person for seeking, obtaining, providing, or facilitating reproductive healthcare that is lawful under the circumstances in which it was provided; or
- To impose criminal, civil, or administrative liability on any person for such care; or
- To identify any person for such purposes.
Before disclosing reproductive-health PHI in response to certain law-enforcement, administrative, or oversight requests, we will obtain a signed attestation from the requester confirming that the information will not be used for any of the prohibited purposes above. We reserve the right to refuse any request that does not meet HIPAA's reproductive-health protections.
5. Your Rights Regarding Your Health Information
You have the following rights with respect to PHI we maintain about you. To exercise any of these rights, submit a written request to our Privacy Officer at the contact information in Section 14.
5.1 Right to Inspect and Copy
You have the right to inspect and obtain a copy of PHI we maintain in your designated record set. You have the right to receive your records in the form or format you request, including in electronic form, if we maintain them electronically and the format is readily producible. You also have the right to direct us to send a copy of your records to a person or entity you designate in writing, at no greater cost than we would charge you.
Response time. We will act on your request within 30 days of receiving it. If we need more time, we will tell you in writing and take no more than one additional 30-day extension, consistent with 45 C.F.R. § 164.524.
Fees. We may charge a reasonable, cost-based fee for paper or electronic copies, limited to the labor of copying, supplies, and postage if you request mail, as permitted by HIPAA and HHS guidance. Access to view your records (as opposed to receiving a copy) is free.
Denial. In certain limited circumstances (for example, psychotherapy notes, or information compiled for legal proceedings), we may deny a request, and you may ask for the denial to be reviewed by a licensed healthcare professional.
5.2 Right to Request an Amendment
If you believe PHI we maintain about you is incorrect or incomplete, you have the right to request an amendment, in writing, with a reason supporting the request. We may deny the request under certain circumstances. If we deny it, we will explain why in writing and tell you how to submit a statement of disagreement.
5.3 Right to an Accounting of Disclosures
You have the right to request a list of certain disclosures we have made of your PHI during the six years prior to the date of your request, other than disclosures for treatment, payment, operations, and a few other categories that HIPAA excludes. The first accounting in any 12-month period is free; we may charge a reasonable fee for additional requests in the same 12-month period.
5.4 Right to Request Restrictions
You have the right to request that we restrict certain uses and disclosures of your PHI for treatment, payment, or operations, or to family members or others involved in your care. We are not required to agree, except that if you pay out-of-pocket in full for a particular item or service, you can require us not to disclose PHI about that item or service to your health plan for payment or operations purposes.
5.5 Right to Confidential Communications
You have the right to ask us to communicate with you about your health by alternative means or at alternative locations (for example, by telephone only at your work number, or by mail only to a specific address). We will accommodate reasonable requests.
5.6 Right to a Paper Copy of this Notice
Even if you have agreed to receive this Notice electronically, you have the right to request and receive a paper copy at any time. Contact us and we will provide one.
5.7 Right to Breach Notification
You have the right to be notified, without unreasonable delay, if we discover a breach of unsecured PHI that affects you, as required by 45 C.F.R. Part 164, Subpart D.
5.8 Right to File a Complaint
If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services, Office for Civil Rights. We will not retaliate against you for filing a complaint. See Section 14.
If your concern involves the Privacy Officer directly. Our Privacy Officer is also the practice's founder and lead clinician. If your complaint concerns the Privacy Officer personally, you are not required to route it through us first. You may file directly with the U.S. Department of Health and Human Services, Office for Civil Rights, and with the Nebraska Attorney General's office, at the contacts in Section 14.
6. Our Duties
- We are required by law to maintain the privacy of PHI, to provide you with this Notice of our legal duties and privacy practices with respect to PHI, to notify you following a breach of unsecured PHI, and to abide by the terms of the Notice currently in effect.
- We reserve the right to change the terms of this Notice and to make the new Notice provisions effective for all PHI we maintain. If we make a material change, we will post the revised Notice on this website and make copies available at our office.
- We do not condition your treatment, payment, enrollment, or eligibility for benefits on whether you sign an authorization, except where HIPAA permits (for example, research-only treatment).
7. Website Privacy Policy
This section applies to everyone who visits midwestmindandbodyhealthcare.com, including people who are not patients. Information you submit to us through the website before a clinical relationship exists (for example, a question sent through a contact form) is not technically "PHI" under HIPAA, but we treat it with appropriate confidentiality and only use it to respond to your inquiry or to provide care if you subsequently become a patient.
7.1 Information We Collect on the Website
- Information you provide directly: your name, email address, phone number, and the contents of any message you send through a web form or by email link.
- Information collected automatically: your IP address (anonymized; see below), browser type and version, operating system, referring URL, pages viewed, approximate geographic location (city/region level), the date and time of your visit, and the device you used. This information is collected through standard web-server logs and, when you consent, through Google Analytics 4.
- Cookies and similar technologies: small files stored on your device. See Section 8.
7.2 How We Use Website Information
- To respond to inquiries and provide the information you request.
- To operate, maintain, and improve the website and the services we offer.
- To measure site performance and understand how visitors find and use our content (with your consent, via analytics).
- To comply with legal obligations and to protect our rights.
7.3 We Do Not Sell Personal Information
We do not sell your personal information or PHI, and we do not share it with third parties for their own advertising purposes. We do not engage in cross-context behavioral advertising, and we do not use targeted advertising cookies on this website.
8. Cookies & Analytics
Our website uses a limited number of cookies and similar technologies. Non-essential cookies (such as analytics cookies) are only set after you accept them through our cookie-consent banner. If you decline, only strictly necessary storage (such as the record of your consent choice) is kept, and Google Analytics is configured to deny analytics storage.
| Cookie / Technology | Purpose | Category | Retention |
|---|---|---|---|
| mmbh_cookie_consent | Records your cookie preference so we do not ask again on every page load. | Strictly necessary | 12 months (localStorage) |
| _ga, _ga_<id> (Google Analytics 4) | Measures aggregate site usage. IP anonymization is enabled. Google Signals and ad-personalization signals are disabled. | Analytics (consent-based) | Up to 14 months |
| Trustindex widget | Loads recent Google reviews into structured data on our pages. Does not set tracking cookies. | Functional | Session |
You can withdraw your consent at any time by clearing your browser storage for this site or by using your browser's cookie-management controls. Your browser may also support a "Global Privacy Control" (GPC) signal; we honor GPC signals where required by applicable state law.
9. Third-Party Service Providers
We rely on a small number of vendors to operate the practice and the website. Each of them is bound either by a HIPAA Business Associate Agreement (for PHI) or by appropriate data-processing terms (for website data):
- Tebra. Electronic health record, patient portal, and scheduling. Business associate.
- Pharmacy partners. Retail, mail-order, and compounding pharmacies that dispense medications we prescribe. Treatment-related disclosures, not business associates.
- Care-network clinicians. Independent therapists we refer to, as described on our Partnerships page. Treatment-related disclosures, not business associates.
- Netlify. Website hosting. Processes only non-PHI website data.
- Google (Analytics 4). Aggregate, privacy-configured website analytics loaded only after consent. Non-PHI.
- Trustindex. Review aggregation and display. Non-PHI.
We do not authorize any of these providers to use information we share with them for their own marketing purposes.
10. State-Specific Privacy Rights
HIPAA is the federal floor for patient privacy, and state law may add further protections. We provide clinical services to patients in the states below; additional rights described here may apply to you.
10.1 Nebraska
Mental-health services are licensed in Nebraska only. The Nebraska Data Privacy Act (Neb. Rev. Stat. §§ 87-1101 et seq., effective January 1, 2025) applies only to businesses that meet specific thresholds (generally, processing the personal data of 175,000 or more Nebraska consumers, or 25,000 or more with 25% or more of revenue from the sale of such data). A practice of our size does not meet those thresholds and is not a "controller" under the NDPA. Nebraska residents nonetheless retain rights under HIPAA and Nebraska's patient-records statutes, which give you the right to access and copy your medical records. You may also file a complaint with the Nebraska Attorney General.
10.2 Iowa
Iowa's Consumer Data Protection Act (Iowa Code ch. 715D) provides Iowa residents the right to confirm whether we process their personal data, to access that data, to delete it, and to opt out of sale (we do not sell). Requests: contact our Privacy Officer.
10.3 Colorado
Colorado residents have rights under the Colorado Privacy Act (C.R.S. §§ 6-1-1301 et seq.), including access, correction, deletion, data portability, and opt-out of targeted advertising, sale of personal data, and certain profiling. We do not engage in any of these. We honor Global Privacy Control (GPC) signals as an opt-out of sale/targeted advertising.
10.4 Utah
Utah residents have rights under the Utah Consumer Privacy Act (Utah Code §§ 13-61-101 et seq.), including the right to confirm, access, delete, and obtain a copy of personal data, and to opt out of targeted advertising and sale.
10.5 Montana
Montana residents have rights under the Montana Consumer Data Privacy Act (Mont. Code Ann. §§ 30-14-2801 et seq.), including access, correction, deletion, portability, and opt-out of targeted advertising, sale, and profiling with significant effects. We honor GPC as an opt-out signal.
10.6 Kentucky
Kentucky residents have rights under the Kentucky Consumer Data Protection Act (KRS ch. 367), including access, correction, deletion, portability, and opt-out of sale, targeted advertising, and certain profiling.
10.7 Kansas, Arizona, Illinois, Idaho, New Mexico, North Dakota, South Dakota, Vermont, New Hampshire, Maine
These states do not currently have comprehensive consumer-privacy statutes comparable to those above, but their residents still have rights under HIPAA and under their state's medical-records laws, insurance-information-privacy laws, and general consumer-protection laws. Illinois residents are also protected by the Personal Information Protection Act and the Biometric Information Privacy Act (we do not collect biometric identifiers). Maine residents benefit from Maine's Act to Protect the Privacy of Online Customer Information for ISP-provided service; that statute does not apply to us, but we adhere to equivalent practices.
10.8 California Visitors
We do not currently offer clinical services to patients located in California. However, because our website is accessible from California, California residents who visit the site may have rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (Cal. Civ. Code §§ 1798.100 et seq.), including the rights to know, access, correct, delete, and opt out of sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising, and we do not use "sensitive personal information" for purposes other than those permitted without a right to limit.
10.9 How to Exercise Your State Rights
Submit a written request to our Privacy Officer at the contact below. We will verify your identity using information you already have on file with us (or, for non-patients, using a reasonable verification method) and will respond within the timeframe required by the applicable state law (generally 45 days, extendable once as permitted). You may designate an authorized agent to make requests on your behalf by providing the agent with signed written permission that we can verify.
Appeals. Colorado, Montana, and Kentucky residents (among others) have the right to appeal a denial of a privacy request. You may appeal by replying to our denial in writing within 45 days. We will respond within 60 days. If we deny your appeal, you may contact your state Attorney General.
11. Data Security & Retention
11.1 Security Safeguards
We maintain administrative, physical, and technical safeguards designed to protect PHI and other personal information, consistent with the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C). These safeguards include access controls on our electronic health record, encryption of PHI in transit and at rest where feasible, workforce training, audit logging, and regular review of our security practices. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.
11.2 Retention Schedule
We retain records for the periods below. Retention periods are measured from the date of the last clinical encounter (for medical records) or the date of collection (for non-PHI website data).
- Medical records (PHI): at least 10 years for adult patients, consistent with Nebraska medical-records retention requirements and comparable laws in other states where we provide care. Some categories of records (for example, records of minors, if applicable; records related to ongoing investigations) are retained longer as required by law.
- HIPAA accounting-of-disclosures log: at least 6 years.
- Billing and financial records: at least 7 years.
- Website analytics (Google Analytics 4): up to 14 months.
- Web-server logs: up to 90 days.
- Contact-form and inquiry emails from non-patients: up to 24 months, then deleted unless a clinical relationship has formed.
When a retention period ends, we dispose of records in a secure manner that renders them unreadable and unrecoverable (for example, cross-cut shredding for paper, cryptographic erasure or drive destruction for electronic media).
12. Children's Privacy
Our website and our clinical services are directed to adults aged 18 and older. We do not knowingly collect personal information from children under 13, consistent with the Children's Online Privacy Protection Act. If you believe we have inadvertently collected such information, please contact us and we will delete it.
13. Changes to this Notice
We may change this Notice from time to time. The effective date at the top shows when the current version took effect. Material changes will be highlighted on this page for a reasonable period after posting and will apply to all PHI we maintain, past and present. You may request a paper copy of the current Notice from our office at any time.
14. Contact & Complaints
Privacy Officer
Kimberly Wohlwend, MSN, APRN
Midwest Mind & Body Healthcare
131 N Washington Street, Suite A
Papillion, NE 68046
Phone: 531-217-5257
Email: Info@midwestmindandbodyhealthcare.com (please do not include health information)
Civil rights and nondiscrimination. Discrimination complaints on the basis of race, color, national origin, age, disability, or sex are handled under a separate federal process established by Section 1557 of the Affordable Care Act. For our nondiscrimination commitment, free language-assistance services, auxiliary aids and services, and the process for filing a Section 1557 complaint (with us or directly with HHS OCR), see our Notice of Nondiscrimination.