What is HIPAA?  The “Health Insurance Portability and Accountability Act”: a law enacted by Congress in 1996 to enable privacy of health information and streamline health insurance administration.  Privacy Regulations were published by the Secretary of Health and Human Services December 28, 2000.  They provide certain protections that “covered entities” (in this case a health care provider) must apply with regard to the use of medical records and identifiable health related information, whether in oral, paper, or in this case, electronic format.  The purpose of these protections is to prohibit misuse and unauthorized disclosure of patients’ health records and medical information.  Stiff penalties for non-compliance apply.

What is PHI (Protected Health Information)?

This refers to any information, including demographic information (e.g., name, social security number, e-mail address, etc.), that identifies an individual.  It meets any or all of the following:

information created or received by a health care provider (e.g., e-mail, paper record, oral communication, etc.),

information relating to past, present, or future physical or mental health condition of an individual,

information that describes past, present, or future payment for health care of the individual.

What makes Information Identifiable?

This is related to “demographic” information, and includes: names, addresses, employer, relatives’ names, date of birth, phone/fax numbers, e-mail address, social security number, medical record number, or any other characteristic that may identify an individual.

What about patient authorization?

Authorization is required for the release of information for any purpose other than medical management and treatment.  The patient cannot be denied treatment simply because they refuse to authorize release of information.  Authorization may be revoked at any time, but the provider cannot be held responsible for information released when the authorization was active.  The authorization is typically signed at the first office visit.

Why are privacy and confidentiality necessary?

As health care providers, we are ethically and now legally obliged to protect health related information.  HIPAA privacy rules are designed to give patients the right to control who has access to such information.  Communication of this information must remain private and limited to health care providers who need this information to manage diagnostic and treatment endeavors, and administer related healthcare operations (such as payment and insurance issues).

Examples of misuse of healthcare information might include: loss of employment because of potential downtime related to a medical condition, HIV status published in a newspaper, political and financial implications of “discovered” conditions such as physical and mental impairments, etc.


Our “Notice of Privacy Protection and Practice”

We will make and take every reasonable effort to protect the privacy of your healthcare information.  We will avoid discussions of your health care without your express permission in public areas, or areas where our discussion can be readily overheard.  We will avoid leaving written information visible on desks, computer screens, or workspaces when not actually being undertaken (work-in-progress).  We will make phone calls from “secure areas” where conversations cannot be overheard.  We will safeguard your medical record, both written and electronic.

How might this apply to the Internet, and to e-mail communication?

With regard to e-mail communication, it is obvious from the above that I cannot communicate information regarding your care even with your expressed consent over the Internet without encryption or secure-server technology. If you choose to pose questions regarding your problem, diagnosis, or care over the Internet, you must realize that the privacy of this information cannot be guaranteed.

Notice of Privacy Practices


Uses and Disclosures of Health Information for Treatment, Payment and Health Care Operations

We may use or disclose identifiable health information about you without your authorization for treatment, to obtain payment for treatment, for purposes of health care operations and to evaluate the quality of care you receive.

Treatment:  We will use and disclose your health information to provide, coordinate or manage your health care and any related services.  For example, we would disclose your health information, as necessary, with Specialists One-Day Surgery or other hospitals/surgery centers in order to correctly book your surgery, with your primary care physician to coordinate your care or  to a home health agency that provides care for you.

Payment:   Your health information will be used, as needed, to obtain payment for your health care services.  This may include certain activities that your health care insurance plan may undertake before it approves or pays for the health care services we provide, such as making a determination of eligibility or coverage, reviewing services provided for medical necessity, and undertaking utilization review activities.   For example, we may disclose your health information to your health plan in order to obtain approval for a treatment or surgical procedure.

Healthcare Operations: We may disclose, as needed, your health information in order to perform a variety of administrative activities.  These activities include, but are not limited to: quality assessment activities; training; cooperating with outside organizations that evaluate, certify or license health care providers or facilities; and  resolution of grievances within our own organization.  For example, we may use the information in your health record to evaluate the quality of care provided to you.  We may also share your health information with third party “business associates” that perform various activities for us, such as lawyers, accountants and other consultants.  To protect the privacy of your health information, we require our business associates to appropriately safeguard your information.


Other Permitted and Required Uses and Disclosures
We will use and disclose your health information without your authorization whenever we are required by law to do so.

We may also use or disclose your health information without your authorization for other purposes, including:

To state and federal authorities for public health activities, including but not limited to, activities related to investigating diseases, monitoring drugs and devices regulated by the Food and Drug Administration, and monitoring work-related illnesses or injuries;

To government authorities, including protective service agencies, authorized to receive reports of abuse, neglect or domestic violence;

To government health oversight agencies, such as the U.S. Department of Health and Human Services, Medicare/Medicaid Peer Review Organizations, state Boards of Medicine, Nursing, Pharmacy, and other licensing authorities;

When required by law in a judicial or administrative proceeding;

To law enforcement officials for certain purposes, including the reporting of certain types of wounds or injuries, or pursuant to legal process to identify or locate a subject, fugitive, material witness, missing person, or victim;

To coroners, medical examiners, or funeral directors for purposes of carrying out their duties as required by law;

To organ procurement organizations for purposes of organ or tissue donation and transplantation;

For research approved by an Institutional Review Board (IRB) or Privacy Board that has reviewed the research proposal and established protocols to ensure the privacy of your health information;

When required to avert a serious threat to health or safety;

When requested for certain specialized government functions authorized by law, including military and national security and intelligence activities;

As authorized by law in connection with Worker’s Compensation programs.


Other than the uses and disclosures described above, we will not use or disclose your health information without your written authorization. If you sign a written authorization allowing us to disclose your health information, you may later revoke that authorization in writing.  If you revoke your authorization, we will follow your instructions except to the extent that we have already acted upon your written authorization.

We may change our policies at any time. Before we make a significant change in our policies we will change our notice and post the new notice in the waiting area.  You can also request a copy of our notice at any time. For more information about our privacy practices, contact the person listed below.


Individual Rights

Right to a copy of this Notice:  You have the right to have a paper copy of our Notice of Privacy Practices at any time.  In addition, a copy of this Notice will always be posted in our waiting area.  

Right of Access:  In most cases you have the right to look at or get a copy of your medical record if you provide us with a written request.  We will charge you $0.75 (seventy-five cents) for copying each page.

Right to an Accounting:  You also have the right to receive a list of instances where we have disclosed health information about you for reasons other than treatment, payment or health care operations.

Right of Correction and Amendment:  If you believe that information in your record is incorrect or if you believe important information is missing, you have the right to request that we correct the existing information or add the missing information.  We have the right to deny your request and if we do we will explain in writing our reason for doing so.  You will have the opportunity to send us a statement explaining why you disagree with our decision and we will share your statement whenever we disclose your health information in the future.

Right to request restrictions:  You may request in writing that we not use or disclose your information for treatment, payment, and health care operations except when specifically authorized by you, when required by law or in emergencies. We will consider your request but are not legally required to accept it.  If we do agree to your request, we will follow your restrictions.   You may cancel your restrictions at any time.  In addition, we may cancel a restriction at any time as long as we notify you of the cancellation, but we will continue to apply your restriction to any information we received before the cancellation.

Right to request alternative method of contact:  You have the right to request to be contacted at a different location or by a different method.  For example, you may prefer to have all written information mailed to your work address rather than your home address.  We will agree to abide by any reasonable request for alternative methods of contact.  You must provide us with your request in writing.


If you are concerned that we have violated your privacy rights or you disagree with a decision we made about access or correction to your records, you may contact the person listed below. You may also send a written complaint to the US Department of Health and Human Services.  The person listed below can provide you with the appropriate address upon request.

If you decide to contact the undersigned person with a complaint, or if you send a written complaint to the US Department of Health and Human Services, you will not suffer any retaliation.

Our Legal Duty

We are required by law to protect the privacy of your information, provide this notice of our information practices, and follow the information practices that are described in this notice.

If you have any questions or complaints, please contact: Daniel C. Wnorowski, MD


Effective Date: 12/16/2002