These policies and procedures address handling, safeguarding, using, and disclosing protected health information (PHI). Under HIPAA, covered entities must ensure the privacy of a patient’s protected health information.

PHI refers to all information (oral, paper-based documents, and electronic documents) that relates to an individual including but not limited to:

  • Medical information
  • Billing information
  • Financial information
  • Names and other identifying information such as:
    • Telephone numbers
    • Fax numbers
    • Electronic Mail addresses
    • Social security numbers
    • Medical record numbers
    • Birth date
    • Date of death
    • Health plan beneficiary numbers
    • Account numbers
    • Certificate/license numbers
    • Vehicle identifiers and serial numbers, including license plate numbers
    • Device identifiers and serial numbers
    • Full face photographic images and any comparable images
    • Any other unique identifying number, characteristic, or code


Policies and Procedures


Minimum Necessary

  1. When using or disclosing protected health information, we will make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
  2. The following are situations in which the Minimum Necessary provisions would not apply:
    • Uses or Disclosures that are required by law
    • Uses or Disclosures made to the individual
    • Uses or Disclosures made pursuant to an authorization
    • Disclosures to a health care provider for treatment purposes
    • Disclosures to the Secretary of Health and Human Services for enforcement purposes
    • Uses or Disclosures that are required for compliance with HIPAA requirements
  3. Before using or disclosing information, consider two basic questions:
    1. How much information is needed to fulfill the purpose of this request?
    2. Are we about to provide information that is not necessary to fulfill the purpose of this request?

For example: When an insurance company requests documentation that the patient was treated for a broken arm, it is not necessary to provide information about the patient’s treatment for high blood pressure.




  1. PHI may be used by or disclosed to the appropriate health care providers to provide patients with medical treatment or services. 
  2. The identity of any person contacting this practice requesting protected health information (PHI) must be verified before any disclosure may take place. 


  1. Staff members must also verify the requesting person’s authority to have access to the PHI.
  2. In cases where a public official is requesting PHI, you must verify the identity of the requester by examining reasonable evidence, such as a written statement of identity on agency letterhead, an identification badge or similar proof of status. In addition, the legal authority must be determined and verified by examining the reasonable evidence, i.e., a written request provided on agency letterhead that describes the legal authority for requesting the release.




  1. PHI may be used or disclosed so that the treatment and services patients receive may be billed and payment may be collected from the patient, an insurance company or a third party.
  2. PHI may be used or disclosed to obtain prior approval or to determine whether a patient’s insurance will cover the treatment.


Healthcare Purposes


  1. PHI may be used or disclosed to appropriate personnel in reviewing treatment and services and in evaluating the performance of staff in caring for patients.


Appointment Reminders


  1. The minimum necessary medical information may be used to contact patients as a reminder that they have an appointment for treatment or medical care.
  2. If a patient makes a reasonable request for an appointment reminder via an alternative method of notification (such as e-mail), the medical staff will honor such a request.


Immunization Disclosures


  1. We may provide proof of immunization to a school where State or other law requires the school to have such information prior to admitting the student, without written authorization.
  2. Before providing immunization information to a school, we will attempt to obtain authorization to release the immunization information. The authorization may be oral, from a parent, guardian or other person in loco parentis for the individual, or from the individual themselves if the individual is an adult or an emancipated minor.
  3. We should document the agreement obtained.
  4. The agreement, if obtained, will remain in effect until revoked.


Marketing Communications


  1. Communications for marketing purposes can only be made with a patient’s prior written authorization. The three exceptions to this are:
    1. Communications we make about our own health care products or services;
    2. Communications for treatment purposes;
    3. Communications for purposes of case management or care coordination or to recommend alternative treatments, therapies, health care providers, or settings of care AND it does not involve direct or indirect payment for making such communication.


  2. The minimum necessary PHI should be used/disclosed in those marketing communications.
  3. Communication about a product or service that encourages recipients of the communication to purchase or use that product or service must NOT involve direct or indirect payment for making such communication and must be one of the following groups of communications:
    1. The communication only describes a drug or biologic that has been previously prescribed or administered, provided the amount of the payment is reasonable
    2. Our organization makes the communication pursuant to an authorization from the recipient of the communication
    3. A business associate makes the communication pursuant to its business associate agreement

Fund Raising


  1. Any fund raising communications to patients should include “clear and conspicuous” opt-out language. We will take “reasonable efforts” to not send further fund raising communications to those who opt out.
  2. We will treat any opt-out as a revocation of authorization.
  3. The use of demographic information, date of birth, department of service (e.g., pediatrics, oncology, etc.), treating physician, and outcome information (e.g., optimal, sub-optimal, death, etc.) in making fund raising communications is allowed. However, the minimum necessary standard still applies and only the minimum amount of PHI should be used or disclosed to accomplish the intended purpose.


Disclosure for Deceased Individual


  1. We may use and disclose a deceased individual’s PHI to family members and others who were involved in an individual’s care, unless doing so is inconsistent with any prior expressed wishes or preferences of the deceased individual.

To Avert A Serious Threat to Health or Safety


  1. We may use and disclose PHI about patients when necessary to prevent a serious threat to the patient’s health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.

Lawsuits and Disputes


  1. PHI may be disclosed in response to a subpoena, discovery request, or other lawful order from a court.


As Required by Law


  1. We will disclose PHI about patients when required to do so by federal, state or local law.


As Permitted by Law


  1. To the extent that the law permits us to release information, we may disclose PHI if asked to do so by a law enforcement official as part of law enforcement activities; in investigations of criminal conduct or of victims of crime; in response to court orders; or in emergency circumstances.