Privacy Policy

March 10, 2026

This Privacy Policy describes how HEXADYN, operated by Karen Minchow, MPAS, PA-C ("HEXADYN," "we," "us," or "our"), collects, uses, stores, and protects your personal information when you use our website, enroll in services, or interact with us.

IMPORTANT: HEXADYN operates under a two-tier service model with different privacy protections:

  • Clinical Integrative Care (Utah residents) - Protected by HIPAA

  • Wellness Education Services (nationwide) - NOT protected by HIPAA

This Privacy Policy applies to both tiers, with specific differences noted below.

1. INFORMATION WE COLLECT

1.1 Clinical Services (HIPAA-Protected Health Information)

If you receive clinical services, we collect Protected Health Information (PHI) as defined by HIPAA, including:

  • Personal identifiers (name, date of birth, address, phone, email)

  • Medical history and current health conditions

  • Medications, allergies, and supplement use

  • Laboratory test results and diagnostic information

  • Treatment plans and clinical notes

  • Prescription records

  • Insurance information (if applicable)

  • Billing and payment information

Legal Basis: We collect this information with your written consent to provide licensed medical care.

1.2 Educational Services (Not HIPAA-Protected)

If you receive educational services, we collect:

  • Personal identifiers (name, email, phone)

  • General wellness goals and interests

  • Education session notes and progress tracking

  • Payment information

Legal Basis: We collect this information with your consent through the Wellness Education Services Agreement. This information is NOT protected by HIPAA.

1.3 Website Information

When you visit our website, we may collect:

  • IP address and browser type

  • Pages visited and time spent on site

  • Referring website or search terms

  • Device information (mobile, desktop)

  • Cookies and similar tracking technologies

2. HOW WE USE YOUR INFORMATION

2.1 Clinical Services (HIPAA-Protected)

We use PHI for:

  • Treatment: Providing medical care, ordering labs, prescribing medications

  • Payment: Processing payments and insurance claims (if applicable)

  • Healthcare Operations: Quality improvement, staff training, compliance

  • Legal Requirements: Complying with laws, regulations, and public health reporting

You will receive a separate HIPAA Notice of Privacy Practices that explains your rights under federal health privacy law.

2.2 Educational Services (Not HIPAA-Protected)

We use educational service information for:

  • Providing education sessions and wellness coaching

  • Tracking progress toward wellness goals

  • Sending educational content and program updates

  • Processing payments

  • Improving our educational offerings

2.3 Marketing and Communications

With your consent, we may use your contact information to:

  • Send newsletters and educational content

  • Notify you of new services or programs

  • Request feedback or testimonials

You may opt out of marketing communications at any time by clicking "unsubscribe" in our emails or contacting us directly.

3. HOW WE STORE AND PROTECT YOUR INFORMATION

3.1 Clinical Records (HIPAA-Protected)

Storage: Clinical medical records are stored in paper format in locked file cabinets with restricted access. Only authorized personnel may access clinical records.

Security Measures: 

  • Physical security: Locked storage in secure location

  • Access controls: Limited to authorized staff only

  • Confidentiality agreements: All staff sign Business Associate Agreements

  • Secure disposal: Records destroyed by shredding when no longer needed

Retention: Clinical records are retained for at least 7 years from the date of last service, or as required by Utah law.

3.2 Educational Records (Not HIPAA-Protected)

Storage: Educational session summaries are stored separately from clinical records and are not subject to HIPAA protections.

Security: We use reasonable security measures to protect educational records, including physical security and access controls.

Retention: Educational records are retained for the duration of your enrollment and up to 2 years after termination of services.

4. SHARING YOUR INFORMATION

4.1 Clinical Services (HIPAA-Protected)

We may share PHI without your authorization only as permitted by HIPAA:

  • Healthcare providers involved in your care (with your consent)

  • Compounding pharmacies for prescription fulfillment

  • Laboratories for test processing

  • Insurance companies for payment (if applicable)

  • Legal authorities when required by law (court orders, public health reporting)

  • Business associates who have signed HIPAA-compliant agreements

We will NOT sell your PHI or use it for marketing without your written authorization.

4.2 Educational Services (Not HIPAA-Protected)

We do not sell your personal information. We may share information from educational services with:

  • Service providers (payment processors, email platforms) who assist with program delivery

  • Legal authorities when required by law

We will not share your information for marketing purposes without your consent.

5. THIRD-PARTY TOOLS AND SERVICES

Our website and services may use third-party tools that collect information:

Analytics: We may use Google Analytics or similar tools to understand website traffic and user behavior. These tools use cookies and may collect IP addresses, browser information, and pages visited.

Email Platforms: We use email service providers to send newsletters and communications. These providers may track email opens and clicks.

Payment Processors: We use secure third-party payment processors for credit card transactions. We do not store full credit card numbers.

Video Conferencing: For telemedicine or virtual education sessions, we may use video platforms that have their own privacy policies.

Business Associates: Any third-party service provider that has access to PHI signs a HIPAA-compliant Business Associate Agreement.

6. COOKIES AND TRACKING TECHNOLOGIES

Our website uses cookies (small text files stored on your device) to:

  • Remember your preferences

  • Analyze website traffic and performance

  • Improve user experience

You can control cookies through your browser settings. Disabling cookies may affect website functionality.

7. YOUR RIGHTS

7.1 Clinical Services (HIPAA Rights)

Under HIPAA, you have the right to:

  • Access: Request copies of your medical records

  • Amendment: Request corrections to your medical records

  • Accounting: Receive an accounting of disclosures of your PHI

  • Restriction: Request restrictions on certain uses or disclosures

  • Confidential Communications: Request communications via specific methods

  • Complaint: File a complaint with us or the U.S. Department of Health & Human Services

For detailed information, see the HIPAA Notice of Privacy Practices provided separately.

7.2 Educational Services & Website Data

You have the right to:

  • Access: Request information about what data we have collected

  • Correction: Request correction of inaccurate information

  • Deletion: Request deletion of your information (subject to legal retention requirements)

  • Opt-Out: Unsubscribe from marketing communications

To exercise these rights, contact us using the information below.

8. DATA BREACH NOTIFICATION

In the event of a data breach involving your information:

  • Clinical Services (PHI): We will notify you within 60 days as required by HIPAA

  • Educational Services: We will notify you promptly and provide information about the breach

We maintain security measures to prevent unauthorized access and regularly review our practices.

9. CHILDREN'S PRIVACY

HEXADYN services are not intended for individuals under 18 years of age. We do not knowingly collect information from minors. If we learn that we have collected information from a minor, we will delete it promptly.

10. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on our website with a new effective date

  • Sending an email notification (if we have your email address)

Continued use of services after changes are posted constitutes acceptance of the updated Privacy Policy.

11. CONTACT INFORMATION

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact:

HEXADYN

Karen Minchow, MPAS, PA-C

Privacy Officer

Email: info@hexadyn.com

Phone: 385-501-3773

For HIPAA-related complaints, you may also contact:

U.S. Department of Health & Human Services

Office for Civil Rights

Website: www.hhs.gov/ocr/privacy