HIPAA COMPLIANCE STATEMENT
Strategic Changes | Neural Pain Resolution
Last updated February 03, 2026

Our Commitment to Protecting Your Health Information
Strategic Changes is committed to protecting the privacy and security of your health information with the same rigorous standards as medical practices, even though we are not technically a "covered entity" under HIPAA (the Health Insurance Portability and Accountability Act).

Why this matters: As a hypnotherapy practice specializing in chronic pain management, we work with physician referrals and handle sensitive medical information including:
  • Medical diagnoses and pain conditions
  • Current medications and treatment history
  • Physician referral documentation
  • Session notes and progress documentation
  • Telehealth session recordings (with your explicit consent)
While we are not legally required to comply with HIPAA as a non-medical practitioner, we voluntarily follow HIPAA standards to ensure your health information receives the highest level of protection.

Our HIPAA-Compliant Infrastructure
Strategic Changes uses Carepatron, a HIPAA-compliant practice management platform, for all client health information storage, session notes, telehealth services, and documentation.

What Carepatron Provides
Business Associate Agreement (BAA):
Technical Security Safeguards:
  • AES-256 encryption (bank-level security) for all data at rest and in transit
  • End-to-end encrypted telehealth video and audio sessions
  • Multi-factor authentication for account access
  • Role-based access controls limiting who can view your information
  • Audit trails tracking all actions within the system
  • Note locking to prevent unauthorized edits to clinical documentation
Physical Security Safeguards:
  • Data hosted through Amazon Web Services (AWS) and Google Cloud in the United States
  • Enterprise-grade data centers with 24/7 security
  • Biometric access controls and physical security measures
  • 99.99% uptime guarantee
Administrative Security Safeguards:
  • Dedicated Data Protection Officer
  • Regular third-party security audits
  • GDPR compliance (European data protection standards)
  • PIPEDA compliance (Canadian privacy law)
  • SOC 2 compliance

How We Protect Your Health Information
Minimum Necessary Standard
We only collect, use, and disclose the minimum amount of health information necessary to:
  • Provide hypnotherapy services
  • Process payments
  • Coordinate with your physician (with your written consent)
  • Comply with legal obligations
No Marketing or Fundraising Use
Your Protected Health Information (PHI) will never be used for marketing or fundraising purposes without your explicit written consent.

Secure Telehealth Sessions
All hypnotherapy sessions conducted via Carepatron's HIPAA-compliant telehealth platform include:
  • Encrypted HD video and audio
  • Secure waiting room functionality
  • No downloads or software installation required
  • AI-powered transcription (HIPAA-compliant, never used for AI training)
  • Session recordings only with your explicit written consent
Data Retention and Deletion
Retention Period:
  • Health records: Minimum 7 years from last session (California law requirement)
  • Billing records: 7 years (tax law requirement)
  • Session recordings (if applicable): [Specify retention period] or until you request deletion
Secure Deletion:
  • When no longer required, data is securely destroyed, deleted, or permanently anonymized
  • Deleted items are recoverable for 90 days, then permanently removed
  • Upon account closure, PHI is returned to you or destroyed as per BAA requirements
Access Controls
Access to your health information is strictly limited:
  • Only Tim Biden (your hypnotherapist) has access to your client records
  • Multi-factor authentication required for system access
  • Automatic session timeout after inactivity
  • No unauthorized access permitted

Your Rights Regarding Your Health Information
Even though we are not a HIPAA-covered entity, we honor the same patient rights as medical practices:

Right to Access Your Records
You have the right to:
  • Request a copy of your health records
  • View your records through the secure Carepatron client portal 24/7
  • Receive copies within 30 days of your request
  • Obtain records in electronic or paper format
How to request: Email [email protected] with "Medical Records Request" in the subject line.

Right to Amend Your Records
You may request corrections to inaccurate or incomplete health information. We will:
  • Review your request within 15 days
  • Make appropriate amendments or explain why we cannot
  • Allow you to submit a statement of disagreement if your request is denied
Right to an Accounting of Disclosures
You may request a list of disclosures of your health information made in the past 6 years (excluding disclosures for treatment, payment, or healthcare operations). We will provide this within 30 days of your request.

Right to Request Restrictions
You may request limits on how we use or share your health information. While we are not required to agree to all requests, we will:
  • Consider all reasonable requests
  • Honor requests to not disclose to health plans if you paid out-of-pocket in full
  • Document agreed-upon restrictions
Right to Confidential Communications
You may request that we communicate with you about your health matters at alternative locations or by alternative means. We will accommodate reasonable requests.

Right to Data Portability
You may request your health information in portable electronic format (.CSV, .XLS, .XLSX) for transfer to another provider.

Breach Notification Procedures
In the unlikely event of a breach of your unsecured health information, we are committed to transparent and timely notification:

Carepatron's Obligations to Us
Security incidents: Carepatron must report within 3 business days of becoming aware of any security incident or non-permitted use/disclosure.

Confirmed breaches: Carepatron must provide written notification within 30 calendar days of discovering a breach of unsecured PHI, including:
  • Description of what happened
  • Types of information involved
  • Steps to protect affected individuals
  • Investigation and mitigation actions taken
  • Contact information for questions
Our Obligations to You
If a breach affects your health information, we will:
  • Notify you without unreasonable delay and no later than 60 days after discovery
  • Provide notification by first-class mail or email (your choice)
  • Include all required information about the breach and steps you can take
  • Offer credit monitoring or identity theft protection services if appropriate
  • Report to appropriate authorities as required by law
Cost coverage: Carepatron will reimburse us for reasonable notification costs, including administrative expenses, printing, mailing, and mitigation services.

Our Responsibilities Beyond the Platform
While Carepatron provides the technical infrastructure, Strategic Changes maintains additional safeguards:

Administrative Safeguards
  • Regular review and updates of privacy and security policies
  • Documented risk analysis and management procedures
  • Breach response and investigation procedures
  • Business Associate Agreements with all service providers handling PHI
Physical Safeguards
  • Secure home office with locked storage for any physical documents
  • Screen privacy protections during sessions
  • Secure disposal of any printed PHI (shredding)
Technical Safeguards
  • Use of secure, encrypted devices for accessing client information
  • Strong passwords and multi-factor authentication on all accounts
  • Automatic session timeouts
  • Regular software and security updates
  • Secure Wi-Fi networks with WPA3 encryption
  • No use of public or unsecured networks for accessing PHI
Workforce Training
As the sole practitioner, Tim Biden maintains current knowledge of:
  • HIPAA Privacy and Security Rules
  • Best practices for protecting health information
  • Proper use of Carepatron's security features
  • Breach response procedures
  • Patient rights and how to honor them

Coordination with Your Healthcare Providers
Physician Referrals: We require a physician referral for all chronic pain management clients. This coordination:
  • Ensures continuity of care
  • Allows your medical team to understand all treatments you're receiving
  • Requires your written authorization before any information is shared
Communication with Physicians: With your explicit written consent, we may share:
  • Progress updates
  • Treatment approaches used
  • Relevant session outcomes
You control what information is shared, with whom, and for what purpose. You may revoke authorization at any time.

Limitations and Disclaimers
Not a Covered Entity: Strategic Changes is not a HIPAA "covered entity" because we are not a healthcare provider as defined by law. However, we voluntarily implement HIPAA-equivalent standards for data protection.

No Guarantee of Absolute Security: While we implement robust security measures, no system is 100% secure. We cannot guarantee that unauthorized access, hacking, data loss, or other breaches will never occur. By using our Services, you acknowledge and accept these inherent risks.

Third-Party Limitations: Our HIPAA compliance depends in part on Carepatron maintaining their security standards and BAA obligations. While we have carefully selected Carepatron for their strong compliance record, we cannot control their actions or guarantee their ongoing compliance.

Your Responsibility: You are responsible for:
  • Maintaining the confidentiality of your client portal login credentials
  • Using secure internet connections when accessing your health information
  • Notifying us immediately of any suspected unauthorized access
  • Ensuring your devices are secure and protected with passwords

Updates to This Statement
We may update this HIPAA Compliance Statement from time to time to reflect:
  • Changes in our practices
  • Changes in applicable laws and regulations
  • Updates to Carepatron's services or security measures
  • Changes in industry best practices
The updated version will be indicated by an updated "Last updated" date at the top of this statement. We will notify active clients of material changes via email.

Questions or Concerns
If you have questions about our HIPAA compliance practices, how we protect your health information, or how to exercise your rights, please contact:

Tim Biden, Board Certified Hypnotherapist
Strategic Changes
544 Chester Place
Pomona, CA 91768
United States

Email: [email protected]
Phone: (840) 243-9990

For questions specifically about Carepatron's HIPAA compliance:

Related Policies
For additional information about how we handle your information, please review:

— END OF HIPAA COMPLIANCE STATEMENT —

Copyright 2026, Strategic Changes. All Rights Reserved.