Original effective date: April 14, 2003

Last Revised: February 11, 2010

This notice describes the practices of our employees and staff.  The Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires us to: (1) maintain the privacy of medical information provided to us; (2) provide notice to our legal duties and privacy practices; and (3) abide by the terms of our Notice of Privacy Practices currently in effect.  The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 requires us to notify patients if a breach of security occurs that involves their medical information.  The Red Flags Rule issued by the Federal Trade Commission (FTC) in 2007 requires us to have a policy in place to identify, detect and respond to patterns or account activities that indicate possible identity theft.



Medical identity theft occurs when someone uses a person’s name and sometimes other parts of their identity, such as insurance information or social security number, without that person’s knowledge or consent to obtain or make false claims for medical services or goods.  Medical identity theft can lead to false entries into existing medical records or the creation of fictitious medical records in the victim’s name.  We are required to have procedures in place to verify an individual’s identity.  These include use of photographic identification (such as a driver’s license, state –issued ID card or passport), address and signature verification.  Cases of potentially fraudulent activity will result in internal investigation and notification of appropriate law enforcement as well as the affected patient.


In this Notice we describe the ways that we may use and disclose health information about our patients.  HIPAA requires that we protect the privacy of health information that identifies a patient, or where there is a reasonable basis to believe the information can be used to identify a patient.  This information is called protected health information (PHI).  This Notice describes your rights and our obligations regarding the use and disclosure of PHI.  We are required to:

  • Maintain the privacy of PHI about you;
  • Give you this Notice of our legal duties and privacy practices with respect to PHI; and
  • Comply with the terms of our Notice of Privacy Practices that is currently in effect.

As permitted under HIPAA, we reserve the right to make changes to this Notice and to make such changes effective for all PHI we may already have about you.  If and when this Notice is changed, we will post a copy in our office in a prominent location.  We will also provide you with a copy of the revised Notice upon your request.  You will be asked to sign a form to show that you received this Notice.  Even if you do not sign this form, we will still provide you with treatment.


The following categories describe the different ways we may use and disclose PHI for treatment, payment, or health care operations.  The examples included do not list every type of use or disclosure that may fall within that category.

Treatment: We may use and disclose PHI about you to provide, coordinate, or manage your health care and related services.  We may consult with other health care providers regarding your treatment and coordinate and manage your health care with others.  For example, we may use and disclose PHI when you need a prescription, lab work, an X-Ray or other health care services.  In addition, we may use and disclose PHI about you when referring you to another health care provider.  For example, we may disclose PHI to your new doctor regarding whether you are allergic to any medications; or we may send a report about you to a physician so that the other physician may treat you.  In emergencies, we may use and disclose PHI to provide the treatment you need.

Payment: We may use and disclose PHI so that we can bill and collect payment for the treatment and services provided to you.  Before providing treatment or services, we may share details with your health plan concerning the services you are scheduled to receive.  For example, we may ask for payment approval from your health plan before providing surgical services.  We may use and disclose PHI to find out if your health plan will cover the cost of care and services we provide.  We may use and disclose PHI to confirm you are receiving the appropriate amount of care to obtain payment for services.  We may use and disclose PHI for billing, claims management, and collection activities.  We may disclose PHI to insurance companies providing you with additional coverage.  We may disclose limited PHI to consumer reporting agencies relating to collection of payments owed to us.  We may also disclose PHI to another health care provider or to a company or health plan required to comply with the HIPAA Privacy Rule for the payment activities of that health care provider, company, or health plan.  For example, we may allow a health insurance company to review PHI for that company’s activities to determine the insurance benefits to be paid for your care.

Health Care Operations: We may use and disclose PHI in performing business activities that allow us to improve the quality of care that we provide and that reduce health care costs.  We may disclose PHI about you in the following:

  • Reviewing and improving the quality, efficiency and cost of care we provide to our patients.  For example, we may use PHI about you to develop was to assist our physicians in deciding how we can improve medical treatment we provide to others.
  • Providing training programs for other health care providers to help them practice or improve their skills,
  • Cooperating with outside organizations that evaluate, certify, or license health care providers or staff.  For example, we may use or disclose PHI so that one of our doctors may become certified as having expertise in a specific field.
  • Cooperating with outside organizations that assess the quality of the care that we provide.
  • Cooperating with various people who review our activities.  For example, PHI may be seen by doctors reviewing the services provided to you, and by accountants, lawyers and others who assist us in complying with the law and managing our business.
  • Assisting us in making plans for our practice’s future operations.
  • Resolving grievances within our practice.
  • Business management and general administrative activities of our practice, including managing our activities related to complying with the HIPAA Privacy Rule and other legal requirements.
  • Creating “de-identified” or a “limited data set” of information that does not contain information directly identifying any individual.  Our ability to disclose this information under limited conditions is discussed later in this Notice.

If another health care provider, company, or health plan that is required to comply with the HIPAA Privacy Rule also has or once had a relationship with you, we may disclose PHI about you for certain health care operations of that provider or company.  Such health care operations may include the examples detailed above for our practice.  We may also disclose PHI for the health care operations of an organized health care arrangement in which we participate.  An example is the joint care provided by a hospital and the physicians who see patients at the hospital.

Communication From Our Office: We may contact you to remind you of or to schedule an appointment.


Individuals Involved in Your Care or Payment for Your Care: We may use and disclose PHI about you in some situations where you have the opportunity to agree or to object.  If you do not object, we may make these types of disclosures:

  • We may disclose PHI to your family member or any other person identified by you if that information is directly relevant to the person’s involvement in your care or payment for your care.  If you are present and able to consent or object, we may only disclose PHI if you do not object after being informed of your opportunity to do so.  If you are not present or are unable to consent or object, we may exercise professional judgment in determining whether the use or disclosure of PHI is in your best interests.  For example, if you are brought to this office and are unable to communicate with your physician for some reason, we may find it is in your best interest to give your prescriptions to the friend or relative who brought you in for treatment.
  • We may also use and disclose PHI to notify such persons of your location, general condition, or death.  We may also coordinate with disaster relief agencies to make this type of notification.
  • We may also use professional judgment and our experience with common practice to make reasonable decisions about your best interest in allowing a person to act on your behalf to pick up prescriptions, medical supplies or other things that contain PHI about you.


Required By Law: We may use and disclose PHI as required by federal, state, or local law.

Public Health Activities: We may use and disclose PHI to public health authorities or other authorized persons to carry out certain activities, including the following:

  • To prevent or control disease, injury, or disability;
  • To report disease, injury, or death
  • To report child or elder abuse or neglect;
  • To report reactions to medications or problems with products or devices regulated by the federal Food and Drug Administration (FDA) or other activities related to quality, safety, or effectiveness of FDA-regulated products or devices;
  • To locate and notify you of recalls of products you may be using;
  • To notify a person who may have been exposed to a communicable disease; or
  • To report to your employer, under limited circumstances, information related primarily to workplace injuries and illnesses.

Abuse, Neglect, or Domestic Violence: We may disclose PHI to proper government authorities if we reasonably believe that a patient has been a victim of domestic violence, abuse or neglect.

Health Oversight Activities: We may disclose PHI to a health oversight agency for activities including audits, investigations, inspections, licensure, and disciplinary activities as well as monitoring of government health care programs and of compliance with certain laws.

Lawsuits and Other Legal Proceedings: We may use or disclose PHI when required by a court or administrative tribunal order.  We may also disclose PHI in response to subpoenas, discovery requests, or other required legal process when efforts have been made to advise you of the request or to obtain an order protecting the information requested.

Law Enforcement: Under certain conditions, we may disclose PHI where the disclosure is:

  • About a suspected crime victim, if we are unable to obtain a person’s agreement because of incapacity or emergency;
  • To alert law enforcement of a death that we suspect was the result of criminal conduct;
  • Required by law;
  • In response to a court order, warrant, subpoena, summons, administrative agency request, or other authorized process;
  • To identify or locate a suspect, fugitive, material witness, or missing person;
  • About a crime or suspected crime committed at our office; or
  • In response to a medical emergency not occurring at the office, if necessary to report a crime, including the nature of the crime, the location of the crime or victim, and the identity of the person who committed the crime.

Coroners, Medical Examiners, Funeral Directors: We may disclose PHI to allow identification of a deceased person and to determine the cause of death.  In addition, we may disclose PHI to funeral directors, as authorized by law, so that they may carry out their jobs.


Organ and Tissue Donation: If you are an organ donor, we may disclose PHI to organizations that procure and transplant organs in order to facilitate a donation.

To Avert a Serious Threat to Health or Safety: We may use and disclose PHI in limited circumstances when necessary to prevent a threat to the health or safety of a person or the public.  This disclosure can only be made to a person who is able to help prevent the threat.

Specialized Government Functions: We may disclose PHI for:

  • Certain military and veteran activities, including determination of eligibility for benefits and where deemed necessary by military command authorities;
  • National security and intelligence activities;
  • Protective services for the President of the United States and others;
  • Health and safety of inmates and others at correctional institutions or other law enforcement custodial situations or for general safety and health related to correctional facilities.

Workers’ Compensation: We may disclose PHI as authorized by law or to other similar programs that provide benefits for work-related injuries and illness.

Disclosures Required by HIPAA Privacy Rule: We are required to disclose PHI to the Secretary of the United States Department of Health and Human Services (HHS), when requested by the Secretary, to review our compliance with the HIPAA Privacy Rule.  We are also required in certain cases to disclose PHI to you upon your request to access PHI or for an accounting of PHI about you (as described in the following section on your rights).


Incidental Disclosures: We may use or disclose PHI incident to a use or disclosure permitted by the HIPPA Privacy Rule so long as we have reasonably safeguarded against such incidental uses and disclosures and have limited them to the minimum necessary information.


Limited Data Set Disclosures: We may use or disclose a limited data set (PHI with certain identifying information removed) for the purposes of research, public health, or health care operations.  The person receiving the information must sign an agreement to protect the information.



All other uses and disclosures of PHI about you will only be made with your written authorization.  You may revoke a previous authorization at any time, except to the extent we have taken action based on the prior authorization.



A breach is use, disclosure, acquisition of or access to PHI which is not permitted by the HIPAA Privacy Rules that compromises the security or privacy of an individual.  We are required to perform a risk assessment of potential harm to an individual, including financial or reputational, resulting from unauthorized use or disclosure of PHI.    We are required to notify affected individuals of any unauthorized acquisition, access, use or disclosure of PHI not later than 60 calendar days after discovery.  Written notification by first class mail will be provided to each affected individual (or if deceased, the individual’s next of kin) at the last known address.  In the case of a situation where it is deemed there may be imminent misuse of the PHI, we may provide additional forms of notice, such as by telephone or e-mail.  If the address is unknown, then a substitute notice will be provided, such as by telephone, the practice web homepage or by publication in the newspaper.  Additionally, we will notify HHS of the breach as required by law.


Right to Request Restrictions: You may request additional restrictions on the PHI that we may use and disclose for treatment, payment and health care operations.  You may also request additional restrictions on our disclosure of PHI to certain individuals involved in your care that otherwise are permitted by the HIPAA Privacy Rule.  We are not required to agree with your request. If we do not agree to your request, we are required to comply with agreement except in certain cases, including where the information is needed to treat you in case of an emergency.  A request for additional restrictions must be made in writing to our Privacy Official.  In your request, please include (1) the information you wish to restrict; (2) how you want to restrict that information (for example, restricting use to this office, restricting disclosure to persons outside this office, or both); and (3) to whom you want the restrictions to apply.

Right to Receive Confidential Communications: You may request that you receive communications regarding HPI in a certain manner or at a certain location.  You must make this request in writing to our Privacy Official.  You must specify how you would like to contacted (for example, by regular mail to your post office box and not your home or work).  We are required to accommodate reasonable requests.

Right to Inspect and Copy: You may request the opportunity to inspect and receive a copy of PHI about you in certain records that we maintain.  This includes your medical and billing records but does not include information gathered or prepared for a civil, criminal, or administrative proceeding.  We may deny your request to inspect and copy PHI only in limited circumstances.  To inspect and copy PHI, contact our Privacy Official.  If you request a copy of PHI about you, we may charge a reasonable fee for copying, postage, labor and supplies used in meeting your request.


Right to Amend: You may request that we amend PHI about you as long as such information is kept by or for our office.  You must submit your request in writing to our Privacy Official along with the reason for the request.  We may deny your request in certain cases, including failure to submit the request in writing or to provide a reason for the request.

Right to Receive an Accounting of Disclosures: You may request a list of disclosures of PHI about you made by us during a specified period of up to six years, excepting disclosures for treatment, payment and health care operations; for use in or related to a facility directory; to family or authorized persons involved in your care; to you directly; pursuant to an authorization by you or your personal representative; for certain notification purposes (including national security, intelligence, correctional, and law enforcement purposes); as incidental disclosures that occur as a result of otherwise permitted disclosures; as part of a limited data set of information that does not directly identify you; and those occurring prior to April 14, 2003.  If you wish to make such a request, please contact our Privacy Official.  The first list that you request in a 12-month period will be free, but we may charge you for our reasonable costs of providing additional lists in the same 12-month period.  We will tell you about these costs, and you may choose to cancel your request before costs are incurred.

Right to a Paper Copy of this Notice: Please contact our Privacy Official to receive a paper copy of this Notice.



If you feel you are a victim of identity theft, we encourage you to file a police report.  We encourage you also to complete the ID Theft Affidavit developed by the FTC which is available from our Privacy Official.  If you feel your privacy rights have been violated, you may file a complaint with us or with the Secretary of the United States Department of Health and Human Services.  To file a complaint with our office, please contact our Privacy Official.  We will not retaliate or take action against you for filing a complaint.  Please contact our Privacy Official with any questions.



Privacy Official: Sharon Wildes

227 Eastern Avenue

Augusta, Maine 04330

(207) 622-3185