1. About this Notice
This combined document serves as both (a) the Notice of Privacy Practices required by the federal Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), 45 C.F.R. § 164.520, for patients who receive clinical services through this website, and (b) our general Website Privacy Policy for everyone who visits this website, including prospective patients and members of the public.
OralMinoxidilOnline.com is an online service of Midwest Mind & Body Healthcare, a Nebraska healthcare practice with its principal office at 131 N Washington Street, Suite A, Papillion, Nebraska 68046. In this Notice, "we," "us," "our," and "the practice" mean Midwest Mind & Body Healthcare operating under the OralMinoxidilOnline.com brand. "You" means the individual reading this Notice, whether you are a patient, the legal representative of a patient, a prospective patient, or a general visitor to our website.
We are a covered entity under HIPAA and are required by law to maintain the privacy of your protected health information ("PHI"), to give you notice of our legal duties and privacy practices with respect to PHI, to notify you following a breach of unsecured PHI, and to follow the terms of the Notice currently in effect.
2. HIPAA Notice of Privacy Practices
This Notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
PHI is information we collect or create about you that identifies you and that relates to your past, present, or future physical or mental health, the healthcare we provide to you, or the payment for your healthcare. PHI includes information you submit through our online intake form, information we receive from pharmacies or other healthcare providers, and information we generate when a licensed provider reviews your intake and, if appropriate, issues a prescription.
3. How We May Use and Disclose Your Health Information
Federal law allows us to use and disclose your PHI in several categories without obtaining your written authorization. The categories below are not meant to list every possible use or disclosure; rather, they describe the types of uses and disclosures we may make.
3.1 For Treatment
We use and disclose your PHI to provide, coordinate, and manage your healthcare. For example, we transmit prescriptions you authorize to the pharmacy you designate on your intake. If clinically relevant, we may communicate with your primary-care provider or with another healthcare provider you identify, with your permission.
3.2 For Payment
We use and disclose PHI to bill and collect payment for the services we provide. For OralMinoxidilOnline.com, payment is limited to the one-time provider review fee, which is processed through a third-party payment platform (Stripe) after you review and sign a payment authorization. We do not bill your health insurance for the provider review fee. Your pharmacy bills separately for medication.
3.3 For Health Care Operations
We use and disclose PHI to operate our practice. Examples include quality-improvement activities, provider training, licensing and accreditation, legal and compliance review, and general business management.
3.4 Other Uses and Disclosures That Do Not Require Your Authorization
- Appointment and follow-up communications. We may contact you about the status of your intake, renewal of your annual prescription, or care options that may be relevant to you.
- Individuals involved in your care. With your verbal agreement (or where we reasonably infer from the circumstances that you do not object), we may share limited PHI with a family member or personal representative who is involved in your care or helps pay for it.
- As required by law. We will disclose PHI when federal, state, or local law requires it, for example in response to a valid subpoena or court order.
- Public health activities. We may disclose PHI to public-health authorities for purposes such as disease prevention and reporting, adverse-event reporting to the U.S. Food and Drug Administration, and reporting child abuse or neglect.
- Victims of abuse, neglect, or domestic violence. We may disclose PHI to appropriate government authorities when we reasonably believe someone is a victim of abuse, neglect, or domestic violence.
- Health oversight. We may disclose PHI to health-oversight agencies for audits, investigations, licensure actions, and similar activities.
- Judicial and administrative proceedings. We may disclose PHI in response to a court or administrative order, subpoena, discovery request, or other lawful process, subject to HIPAA safeguards.
- Law enforcement. We may disclose PHI to law-enforcement officials for specific purposes permitted by HIPAA.
- Serious threat to health or safety. We may disclose PHI when necessary to prevent a serious and imminent threat to your health and safety or that of others, consistent with applicable law and ethical standards.
- Coroners, medical examiners, and funeral directors. We may disclose PHI as permitted by law.
- Research. We do not currently participate in research involving identifiable PHI. Any future research use of PHI would require either your authorization or an Institutional Review Board waiver that meets HIPAA requirements.
- Business associates. We use third-party service providers (listed in Section 8) who help us operate the practice. These parties are our "business associates" where they handle PHI on our behalf, and HIPAA requires them to protect your PHI by written agreement.
3.5 Uses and Disclosures That Require Your Written Authorization
We will obtain your written authorization before using or disclosing your PHI for any purpose not described in this Notice, including:
- Marketing communications that involve financial remuneration to us from a third party.
- Sale of PHI. We do not sell PHI and will not do so without your written authorization. Any such authorization would include the specific disclosures HIPAA requires.
- Fundraising. We do not contact patients for fundraising purposes.
If you give us written authorization, you may revoke it in writing at any time. Your revocation will not affect any uses or disclosures we have already made in reliance on your prior authorization.
3.6 Heightened Protection for Certain Categories of PHI
Certain categories of health information are given extra protection by federal or state law, and we will handle them accordingly. These include, but are not limited to:
- Reproductive health information. Our intake may ask whether you are pregnant or breastfeeding, because oral minoxidil is not recommended during pregnancy. Effective December 23, 2024, the HIPAA Privacy Rule provides heightened protection for PHI related to reproductive healthcare. We will not use or disclose reproductive-health PHI to conduct a criminal, civil, or administrative investigation into any person for seeking, obtaining, providing, or facilitating reproductive healthcare that is lawful under the circumstances, to impose liability on any person for such care, or to identify any person for such purposes. Before disclosing reproductive-health PHI in response to certain law-enforcement or oversight requests, we will obtain a signed attestation from the requester as required by the Rule.
- Substance-use disorder records, to the extent we create them, consistent with federal and state confidentiality requirements.
- HIV-related information, consistent with applicable state laws.
- Genetic information, consistent with the Genetic Information Nondiscrimination Act (GINA).
4. Your Rights Regarding Your Health Information
You have the following rights with respect to PHI we maintain about you. To exercise any of these rights, submit a written request to our Privacy Officer at the contact information in Section 13.
4.1 Right to Inspect and Copy
You have the right to inspect and obtain a copy of PHI we maintain in your designated record set. You have the right to receive your records in the form or format you request, including in electronic form, if we maintain them electronically and the format is readily producible. You also have the right to direct us to send a copy of your records to a person or entity you designate in writing, at no greater cost than we would charge you.
Response time. We will act on your request within 30 days of receiving it. If we need more time, we will tell you in writing and take no more than one additional 30-day extension, consistent with 45 C.F.R. § 164.524.
Fees. We may charge a reasonable, cost-based fee for paper or electronic copies, limited to the labor of copying, supplies, and postage if you request mail, as permitted by HIPAA and HHS guidance. Access to view your records (as opposed to receiving a copy) is free.
Denial. In limited circumstances (for example, information compiled for legal proceedings), we may deny a request, and you may ask for the denial to be reviewed by a licensed healthcare professional.
4.2 Right to Request an Amendment
If you believe PHI we maintain about you is incorrect or incomplete, you have the right to request an amendment, in writing, with a reason supporting the request. We may deny the request under certain circumstances. If we deny it, we will explain why in writing and tell you how to submit a statement of disagreement.
4.3 Right to an Accounting of Disclosures
You have the right to request a list of certain disclosures we have made of your PHI during the six years prior to the date of your request, other than disclosures for treatment, payment, operations, and a few other categories that HIPAA excludes. The first accounting in any 12-month period is free; we may charge a reasonable fee for additional requests in the same 12-month period.
4.4 Right to Request Restrictions
You have the right to request that we restrict certain uses and disclosures of your PHI for treatment, payment, or operations, or to family members or others involved in your care. We are not required to agree, except that if you pay out-of-pocket in full for a particular item or service, you can require us not to disclose PHI about that item or service to your health plan for payment or operations purposes.
4.5 Right to Confidential Communications
You have the right to ask us to communicate with you about your health by alternative means or at alternative locations (for example, by telephone only at a specific number, or by email only to a specific address). We will accommodate reasonable requests.
4.6 Right to a Paper Copy of this Notice
Even if you have agreed to receive this Notice electronically, you have the right to request and receive a paper copy at any time. Contact us and we will provide one.
4.7 Right to Breach Notification
You have the right to be notified, without unreasonable delay, if we discover a breach of unsecured PHI that affects you, as required by 45 C.F.R. Part 164, Subpart D.
4.8 Right to File a Complaint
If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services, Office for Civil Rights. We will not retaliate against you for filing a complaint. See Section 13.
If your concern involves the Privacy Officer directly. Our Privacy Officer is also the practice's founder and the provider who reviews your intake. If your complaint concerns the Privacy Officer personally, you are not required to route it through us first. You may file directly with the U.S. Department of Health and Human Services, Office for Civil Rights, and with the Nebraska Attorney General's office, at the contacts in Section 13.
5. Our Duties
- We are required by law to maintain the privacy of PHI, to provide you with this Notice of our legal duties and privacy practices with respect to PHI, to notify you following a breach of unsecured PHI, and to abide by the terms of the Notice currently in effect.
- We reserve the right to change the terms of this Notice and to make the new Notice provisions effective for all PHI we maintain. If we make a material change, we will post the revised Notice on this website.
- We do not condition your treatment, payment, or eligibility for services on whether you sign an authorization, except where HIPAA permits.
6. Website Privacy Policy
This section applies to everyone who visits oralminoxidilonline.com, including people who are not patients. Information you submit to us through the website before a clinical relationship exists (for example, the online intake form) is not technically "PHI" under HIPAA until a provider reviews it and a treatment relationship begins; however, we treat it with equivalent confidentiality from the moment it is submitted.
6.1 Information We Collect on the Website
- Information you provide directly: your name, email address, phone number, state of residence, preferred pharmacy, and the health information you provide on our online intake form.
- Information collected automatically: your IP address (anonymized via Google Analytics settings), browser type and version, operating system, referring URL, pages viewed, approximate geographic location (city/region level), and the date and time of your visit. This information is collected through standard web-server logs and, when you consent, through Google Analytics 4.
- Cookies and similar technologies: small files or local-storage entries on your device. See Section 7.
6.2 How We Use Website Information
- To review your intake and, if appropriate, issue a prescription through a licensed medical provider.
- To transmit your prescription to the pharmacy you designate.
- To collect the one-time provider review fee after you review and sign a payment authorization.
- To operate, maintain, and improve the website.
- To measure site performance and understand how visitors find and use our content (with your consent, via analytics).
- To comply with legal obligations and to protect our rights.
6.3 We Do Not Sell Personal Information
We do not sell your personal information or PHI, and we do not share it with third parties for their own advertising purposes. We do not engage in cross-context behavioral advertising, and we do not use targeted advertising cookies on this website.
7. Cookies & Analytics
Our website uses a limited number of cookies and similar technologies. Non-essential cookies (such as analytics cookies) are only set after you accept them through our cookie-consent banner. If you decline, only strictly necessary storage (such as the record of your consent choice) is kept, and Google Analytics is configured to deny analytics storage.
| Cookie / Technology | Purpose | Category | Retention |
|---|---|---|---|
| cookie_consent_v1 | Records your cookie preference so we do not ask again on every page load. | Strictly necessary | Until cleared (localStorage) |
| _ga, _ga_<id> (Google Analytics 4) | Measures aggregate site usage. Loaded only after you grant consent. | Analytics (consent-based) | Up to 14 months |
You can withdraw your consent at any time by clearing your browser storage for this site or by using your browser's cookie-management controls. Your browser may also support a "Global Privacy Control" (GPC) signal; we honor GPC signals where required by applicable state law.
8. Third-Party Service Providers
We rely on a small number of vendors to operate the website and the service. Each of them is bound either by a HIPAA Business Associate Agreement (for vendors that handle PHI) or by appropriate data-processing terms (for vendors that only process website data):
- Netlify. Website hosting and intake-form submission. We configure form submissions to be transmitted over TLS and delivered to the practice. Business associate relationship where PHI is transmitted.
- Stripe. Payment processing for the one-time provider review fee. Stripe receives your name, email, billing details, and the amount charged. Stripe does not receive clinical information.
- Pharmacy of your choice. The retail, mail-order, or compounding pharmacy you designate on your intake, to which we transmit a prescription if one is issued. These pharmacies are treatment-related disclosures, not business associates.
- Google (Analytics 4). Aggregate, privacy-configured website analytics loaded only after you consent. Non-PHI.
We do not authorize any of these providers to use information we share with them for their own marketing purposes.
9. State-Specific Privacy Rights
HIPAA is the federal floor for patient privacy, and state law may add further protections. We provide clinical services through this website to patients in the states below; additional rights described here may apply to you.
9.1 Nebraska
The Nebraska Data Privacy Act (Neb. Rev. Stat. §§ 87-1101 et seq., effective January 1, 2025) applies only to businesses that meet specific thresholds (generally, processing the personal data of 175,000 or more Nebraska consumers, or 25,000 or more with 25% or more of revenue from the sale of such data). A practice of our size does not meet those thresholds and is not a "controller" under the NDPA. Nebraska residents nonetheless retain rights under HIPAA and Nebraska's patient-records statutes, which give you the right to access and copy your medical records. You may also file a complaint with the Nebraska Attorney General.
9.2 Iowa
Iowa's Consumer Data Protection Act (Iowa Code ch. 715D) provides Iowa residents the right to confirm whether we process their personal data, to access that data, to delete it, and to opt out of sale (we do not sell). Requests: contact our Privacy Officer.
9.3 Colorado
Colorado residents have rights under the Colorado Privacy Act (C.R.S. §§ 6-1-1301 et seq.), including access, correction, deletion, data portability, and opt-out of targeted advertising, sale of personal data, and certain profiling. We do not engage in any of these. We honor Global Privacy Control (GPC) signals as an opt-out of sale/targeted advertising.
9.4 Utah
Utah residents have rights under the Utah Consumer Privacy Act (Utah Code §§ 13-61-101 et seq.), including the right to confirm, access, delete, and obtain a copy of personal data, and to opt out of targeted advertising and sale.
9.5 Montana
Montana residents have rights under the Montana Consumer Data Privacy Act (Mont. Code Ann. §§ 30-14-2801 et seq.), including access, correction, deletion, portability, and opt-out of targeted advertising, sale, and profiling with significant effects. We honor GPC as an opt-out signal.
9.6 Kentucky
Kentucky residents have rights under the Kentucky Consumer Data Protection Act (KRS ch. 367), including access, correction, deletion, portability, and opt-out of sale, targeted advertising, and certain profiling.
9.7 Kansas, Arizona, Illinois, Idaho, New Mexico, North Dakota, South Dakota, Vermont, New Hampshire, Maine
These states do not currently have comprehensive consumer-privacy statutes comparable to those above, but their residents still have rights under HIPAA and under their state's medical-records laws, insurance-information-privacy laws, and general consumer-protection laws. Illinois residents are also protected by the Personal Information Protection Act and the Biometric Information Privacy Act (we do not collect biometric identifiers).
9.8 California Visitors
We do not currently offer clinical services to patients located in California. However, because our website is accessible from California, California residents who visit the site may have rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (Cal. Civ. Code §§ 1798.100 et seq.), including the rights to know, access, correct, delete, and opt out of sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising, and we do not use "sensitive personal information" for purposes other than those permitted without a right to limit.
9.9 How to Exercise Your State Rights
Submit a written request to our Privacy Officer at the contact below. We will verify your identity using information you already have on file with us (or, for non-patients, using a reasonable verification method) and will respond within the timeframe required by the applicable state law (generally 45 days, extendable once as permitted). You may designate an authorized agent to make requests on your behalf by providing the agent with signed written permission that we can verify.
Appeals. Colorado, Montana, and Kentucky residents (among others) have the right to appeal a denial of a privacy request. You may appeal by replying to our denial in writing within 45 days. We will respond within 60 days. If we deny your appeal, you may contact your state Attorney General.
10. Data Security & Retention
10.1 Security Safeguards
We maintain administrative, physical, and technical safeguards designed to protect PHI and other personal information, consistent with the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C). These safeguards include access controls, encryption of PHI in transit (TLS) and at rest where feasible, workforce training, audit logging, and regular review of our security practices. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.
10.2 Retention Schedule
We retain records for the periods below. Retention periods are measured from the date of the last clinical encounter (for medical records) or the date of collection (for non-PHI website data).
- Medical records (PHI): at least 10 years for adult patients, consistent with Nebraska medical-records retention requirements and comparable laws in other states where we provide care.
- HIPAA accounting-of-disclosures log: at least 6 years.
- Billing and financial records: at least 7 years.
- Website analytics (Google Analytics 4): up to 14 months.
- Web-server logs: up to 90 days.
- Intake submissions from people who do not become patients: up to 24 months, then deleted.
When a retention period ends, we dispose of records in a secure manner that renders them unreadable and unrecoverable (for example, cryptographic erasure or secure deletion for electronic media).
11. Children's Privacy
Our website and our clinical services are directed to adults aged 18 and older. We do not knowingly collect personal information from children under 13, consistent with the Children's Online Privacy Protection Act. If you believe we have inadvertently collected such information, please contact us and we will delete it.
12. Changes to this Notice
We may change this Notice from time to time. The effective date at the top shows when the current version took effect. Material changes will be highlighted on this page for a reasonable period after posting and will apply to all PHI we maintain, past and present. You may request a paper copy of the current Notice from our office at any time.
13. Contact & Complaints
Privacy Officer
Kimberly Wohlwend, MSN, APRN
Midwest Mind & Body Healthcare (OralMinoxidilOnline.com)
131 N Washington Street, Suite A
Papillion, NE 68046
Phone: 531-217-5257
Email: Info@midwestmindandbodyhealthcare.com (please do not include health information)