Meadow Creek Hypnotherapy
Comprehensive Privacy Policy & HIPAA Notice of Privacy Practices
Effective Date: June 2, 2025
1. Scope of this Policy
This Privacy Policy explains how Meadow Creek Hypnotherapy (“MCH,” “we,” “our,” “us”) collects, uses, discloses, and safeguards your information when you:
- visit our website, scheduling pages, or social-media channels;
- complete any paper or electronic forms (e.g., Client Intake Form, Consent Form);
- participate in in-person or virtual hypnotherapy sessions conducted via Zoom or similar platforms; and
- otherwise interact with us (email, SMS, telephone, payment portals).
Although hypnotherapy is a complementary wellness modality and MCH is not a licensed health-care provider, we voluntarily apply the same privacy and security standards required under the U.S. Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) to any health-related information you entrust to us.
2. Information We Collect
3. How We Collect Information
- Directly from you via intake, consent, and preparation forms; email or phone; during sessions.
- Automatically through cookies and similar technologies on our website.
- From third parties such as payment processors or referral sources, but only with your authorization.
4. How We Use Your Information
Purpose | Legal / Ethical Basis |
---|---|
Provide hypnotherapy services—tailor sessions, track progress, schedule appointments | Consent; Legitimate interest |
Communicate with you—confirmations, reminders, follow-up, wellness resources | Consent |
Payment & bookkeeping | Contract performance; Legal obligation |
Improve services & website (analytics, quality assurance) | Legitimate interest |
Marketing (e.g., newsletters) only if you opt in | Consent |
Comply with laws & defend our rights | Legal obligation |
5. HIPAA Notice of Privacy Practices
Even though MCH is not a covered entity under HIPAA, we voluntarily adopt HIPAA’s privacy framework:
5.1 Permitted Uses & Disclosures of PHI
We may use or disclose your PHI without additional written authorization for:
- Treatment – planning and conducting your sessions; consulting with a supervising hypnotherapist if needed.
- Payment – processing fees, verifying insurance benefits if ever applicable.
- Operations – quality reviews, client satisfaction surveys, internal training.
Other disclosures require your written authorization unless law permits or compels us (threat of harm, abuse reporting, court order).
5.2 Your HIPAA Rights
You have the right to:
Right | Description |
---|---|
Access | Receive a copy of your records within 30 days. |
Amend | Request corrections to incomplete or inaccurate PHI. |
Accounting of Disclosures | Ask who we shared your PHI with in the past six years (excluding treatment, payment, operations). |
Restrict Uses/Disclosures | Ask us not to share certain PHI; we will honor reasonable requests when legally possible. |
Confidential Communications | Receive PHI at an alternate address/email you specify. |
File a Complaint | With our Privacy Officer or the U.S. Dept. of Health & Human Services if you believe your rights were violated. We will not retaliate. |
5.3 Our Duties
- Maintain the privacy and security of your PHI.
- Notify you promptly if a breach compromises your PHI.
- Abide by the terms of this notice and obtain your written acknowledgement of receipt.
- Retain session records for at least seven (7) years after your last appointment (or longer if state law requires).
6. Data Security Safeguards
- Administrative – staff HIPAA training; least-privilege access controls; Business-Associate Agreements with vendors who handle PHI.
- Technical – encrypted storage, password-protected devices, TLS-secured email portals, HIPAA-enabled Zoom settings.
- Physical – locked filing cabinets; private office space for sessions; shredding of discarded documents.
7. Third-Party Sharing
We share information only with:
- Business Associates (e.g., HIPAA-compliant scheduling, telehealth, and payment platforms) bound by contract to protect your data;
- Cloud & IT providers supplying hosting or back-ups;
- Legal authorities when required by subpoena, court order, or to prevent imminent harm;
- Successors in the event of a business transfer, provided they honor this Policy.
We never sell your personal data.
8. International, State, and Child-Specific Requirements
- GDPR: If you are in the EEA/UK, we process your data on the bases listed above and may transfer it to the U.S. under Standard Contractual Clauses.
- CCPA/CPRA: California residents may request disclosure or deletion of personal information and opt out of any “sale” (we do none).
- Children: Services are intended for adults 18+. We do not knowingly collect data from minors without parental consent.
9. Data Retention
We keep your records for seven years after your final session (or until age 28 for minors) unless a longer period is mandated. Non-essential marketing data is deleted within 24 months of last interaction unless you re-subscribe.
10. Changes to This Policy
We may update this Policy periodically. The latest revision date will appear at the top. Material changes will be announced via email or website banner at least 30 days before they take effect.
11. Contact & Complaints
Meadow Creek Hypnotherapy
tandi@meadowcreekhypnotherapy.com
P.O. Box 38 Meadow, UT 84644
If you believe your privacy rights have been violated, contact us in writing. You may also file a complaint with the U.S. Department of Health & Human Services, Office for Civil Rights at www.hhs.gov/ocr/privacy.
By continuing to interact with Meadow Creek Hypnotherapy, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy and HIPAA Notice.