Health Information Practices Policy

This policy describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully. If you have any questions about this Policy, our Privacy Contact is Dr. Edward M. Covelli, Jr. This policy is effective April 13, 2003.

Notice of Privacy Practices (NPP) Policy

  • On your first office visit after 4/13/03 you will be offered the opportunity to review this policy. At that time, you may be asked to sign a consent and authorization form stating that you have had the opportunity to review these policies and that you agree with them.
  • An abbreviated notice will be prominently displayed in the office.
  • This policy may be distributed via email.
  • This notice will be posted on our web site.

This office will be in compliance with all appropriate federal, state, and local laws and regulations, and will comply with the policies below.

Confidentiality Policy

All employees, staff, contractors, and agents of our practice will have access to your complete medical record and protected health information. All employees, staff, contractors, and agents of our practice will be trained to respect the health care information of the patients of our practice. They will treat all medical, personal, biometric, and financial information as confidential.

All employees, staff, contractors, and agents of our practice will receive confidentiality training and sign confidentiality agreements annually. Any person who breaches this trust will be disciplined and risks immediate termination.

Incidental Disclosure Policy

Incidental uses and disclosures are defined by HHS as disclosures that: (1) cannot be reasonably prevented; (2) are limited in nature; and (3) occur as a by-product of an otherwise permissible use or disclosure.


Examples of incidental disclosures are:

  • When a patient or other person happens to see individually identifiable health information of other patients on sign-in sheets, on patient charts, on computer screens, or in other places within the doctor’s office.
  • When a doctor’s office staff calls out a patient’s name in a waiting room.
  • When doctors confer in public areas.
  • When a doctor confers with a patient in his/her office.

This office will make certain that reasonable safeguards are in place to minimize such disclosures, and, where applicable, the minimum necessary standard has been implemented. The modification does not, however, excuse erroneous uses or disclosures or those that result from neglect or carelessness.

Authorization Form Policy

Protected health information (PHI) will only be released from our practice with a properly executed authorization from the patient or his/her personal representative, except for treatment, payment, or health care operations (TPO) and as otherwise required by law.

Examples of some instances in which we are required to disclose your PHI include:

Public health activities; information regarding victims of abuse, neglect, or domestic violence; health oversight activities; judicial and administrative proceedings; law enforcement purposes; organ donation purposes; research purposes under certain circumstances; national security and intelligence; correctional institutions; and Worker’s Compensation.


A patient may revoke his authorization to use or disclose PHI at any time, but actions taken prior to the revocation are excluded. If authorization is a condition of obtaining insurance coverage, and the authorization is revoked, the insurer may contest a claim under the policy.


Authorizations must be properly executed by the patient or his personal representative. Each authorization should include the date signed, the specific PHI to be released or used, to whom this use or release relates, and an expiration date for the authorization.

Minimum Necessary Disclosure Policy

All uses, disclosures of, or requests for protected health information (PHI) will be limited to the minimum amount necessary to accomplish the stated purpose. Professional judgment will determine the amount of information to be released. The minimum necessary standard is not intended to impede the provision of quality health care.


Disclosures of PHI between providers for treatment, payment and health care operations, or pursuant to an authorization, are exempt from the minimum necessary rule.

Accounting of Non-Authorized Disclosures Policy

Protected health information (PHI) may be disclosed without patient authorization (“non-authorized”) in certain circumstances. These include but are not limited to:

  • Public health authority
  • The FDA
  • The medical examiner or coroner after a patient has died
  • Worker’s Compensation
  • As authorized by state or federal law


This practice is not required to account for disclosures made: to the individual to whom the information pertains, for treatment, payment or health care operations, when authorization is given, to persons involved in the patient’s care, for national security or intelligence, to correctional institutions or law enforcement officials, as part of a limited data set, or that occurred prior to April 14, 2003.


If this practice makes certain non-authorized disclosures, it will keep a log of the disclosures for six (6) years. An accounting must include: the date of disclosure, the name of the entity or person who received the PHI, the recipient’s address, a brief description of the PHI disclosed, and a brief statement of purpose for the disclosure.

A patient may request, in writing, an accounting of any non-authorized disclosures of his PHI. The patient is allowed one accounting per year at no charge. If a patient requests frequent disclosures, this practice may charge for this service, PROVIDED he is informed of the approximate charge in advance and agrees to it. The practice must retain documentation of any accounting made to an individual.


The practice will respond to the request for accounting within 60 days of the receipt of the request, but may have a one-time 30-day extension in which to respond to or comply with the request from the patient.

Patient Access to the Medical Record Policy

Patients have the right to inspect and receive copies of their medical records. This practice may charge for the copying of the record, as well as supplies, labor, and postage, and the patient should be notified of this cost in advance. The patient should agree to this financial responsibility in writing, in advance.


This practice has the right to deny a patient’s request to inspect and copy their medical record. This denial must be in writing and explain why the request has been denied.


The patient can appeal the denial and has the right to request review by another licensed health professional designated by the practice and who was not a part of the original decision to deny.

Medical Record Amendment Policy

Any patient may request that his/her medical record be changed, corrected, or amended. This request must be in writing and must include the reason for the desired change, amendment, or correction.


This practice may accept or deny this request and will inform the patient in writing of the decision within 60 days. One 30-day extension is permitted if the patient is notified of the reason for the delay. If the request is denied, the practice must give a reason for denying the request. The patient may file a written rebuttal to the denial.

Right to Confidential Communications Policy

Patients may request to receive confidential communications of their protected health information (PHI). Requests must be in writing.

A patient may request that communications from the practice be sent to an alternate location or by an alternate means. This practice will accommodate reasonable requests for such confidential communications. The patient is not required to give a reason for this request. If disclosing information through regular channels will endanger the patient, he/she may want to make that known to the practice.

Restriction of Use or Disclosure of Protected Health Information (PHI) Policy

A patient has the right to REQUEST that the use and disclosure of his protected health information (PHI) be restricted for treatment, payment, and health care operations (TPO), as well as restricting disclosure to certain people, such as family members.




The restriction request must be in writing, be specific as to what information is covered by the request, whether it covers use, disclosure, or both, and to whom these limitations apply.


If this practice agrees to the request, it will honor the request except when overriding laws or emergencies apply.


The agreement to restrict health information use and/or disclosure for treatment, payment, or health care operations may be terminated at any time, in writing, by the patient, or by the practice for health information created or received after the date of the notice.

Privacy Complaint Policy

Patients have a right to file a formal complaint if they feel we have not adequately protected their privacy. This complaint must be submitted in writing to the privacy officer or may be submitted directly to the U.S. Department of Health and Human Services Secretary. The complaint must be submitted within 180 days of the event of concern.


The privacy officer is responsible for the investigation and resolution of the complaint.


The practice must maintain a record of the complaints and the resolution, if applicable, for six (6) years.

Modification Policy

The office may change or amend these policies from time to time as needed or to comply with appropriate laws and regulations.

Written by Mark Covelli