Privacy Practices


A federal regulation, known as the “HIPAA Privacy Rule,” requires that we provide detailed notice in writing our privacy practices.  We know this Notice is long.  The HIPAA Privacy Rule requires us to address many specific issues in this Notice.

YOU MUST COMPLETE THE ACKNOWLEDGEMENT OF RECEIPT FORM BEFORE WE CAN RENDER ANY FURTHER CARE TO YOUR CHILD! This only certifies that you have received a copy – the rules do not require that you agree or even read the notice – just that we provide you with a copy.


In this notice, we describe the ways that we may use and disclose health information about our patients.  The HIPAA Privacy Rule requires that we protect the privacy of health information that identifies a patient, or where there is a reasonable basis to believe the information can be used to identify a patient.  This information is called “protected health information” or “PHI”. Genetic Information is PHI.  This Notice describes your rights as our patient and our obligations regarding the use and disclosure of PHI.  We are required by law to:

  • Maintain the privacy of PHI about you and your child(ren);
  • Give you this Notice of our legal duties and privacy practices about PHI; and
  • Comply with the terms of our Notice of Privacy Practices currently in effect.

We reserve the right to make changes to this Notice and to make such changes effective for all PHI we may already have about you.  If and when this Notice is changed, we will post a copy in our office, and on our website.  We will also provide you with a copy of the revised Notice upon your request.


A. USES AND DISCLOSURES FOR TREATMENT, PAYMENT AND HEALTH CARE OPERATIONS: The following categories describe the different ways we may use and disclose PHI for treatment, payment, or health care operations.  The examples included with each category do not list every type of use or disclosure that may fall within that category.

1. Treatment:  We may use and disclose PHI about patients to provide, coordinate or manage health care and related services.  We may consult with other health care providers regarding treatment and coordinate and manage patient’s health care with others.  For example, we may use and disclose PHI when a patient needs a prescription, lab work, an x-ray, or other health care services.  In addition, we may use and disclose PHI about patients when referring to another health care provider.  For example, if your child is referred to another physician, we may disclose PHI to the new physician and staff about the reason for the referral, and your child’s prior illnesses.

We may also disclose PHI about your child for the treatment activities of another health care provider.  For example, we may send a report about your child’s care to a physician that we have referred your child to so that the other physician may treat your child.

2. Payment:  We may use and disclose PHI so that we can bill and collect payment for the treatment and services provided to patients.  Before providing treatment or services, we may share details with patient’s health plans concerning the services scheduled to be performed.  For example, we may ask for payment approval from a patient’s health plan before we provide care or services.  We may use and disclose PHI to find out if a patient’s health plan will cover the cost of care and services we provide.  We may use and disclose PHI to confirm you are receiving the appropriate amount of care to obtain payment for services.  We may use and disclose PHI for billing, claims management, and collection activities.  We may disclose PHI to insurance companies providing patients with additional coverage.   We may disclose limited PHI to consumer reporting agencies relating to collection of payments owed to us.

Disclosure of PHI to health plans for treatments that have been paid out of pocket in full is prohibited. Disclosure of Genetic Information for Underwriting Purposes to health plans is prohibited.

We may also disclose PHI to another health care provider or to a company or health plan required to comply with the HIPAA Privacy Rule for the payment activities of that health care provider, company, or health plan.  For example, we may allow a health insurance company to review limited PHI for the insurance company’s activities to determine the insurance benefits paid for patient’s care.

3. Health Care Operations:  We may use and disclose PHI in performing business activities, which are called health care operations.  Health care operations include doing things that allow us to improve the quality of care we provide and to reduce health care costs.  We may use and disclose PHI about patients in the following health care operations:

  • Reviewing and improving the quality, efficiency and cost of care that we provide to our patients.  For example, we may use PHI about patients to develop ways to assist our physicians and staff in deciding how we can improve the medical treatment we provide to others.
  • Improving health care and lowering costs for groups of people who have similar health problems and helping to manage and coordinate the care for these groups of people.  We may use PHI to identify groups of people with similar health problems to give them information, for instance about treatment alternatives, and educational classes. 
  • Reviewing and evaluating the skills, qualifications, and performance of health care providers taking care of your child(ren) and our other patients.
  • Providing training programs for students, trainees, health care providers, or non-health care professionals (for example, billing personnel) to help them practice or improve their skills.
  • Cooperating with outside organizations that assess the quality of the care that we provide.
  • Cooperating with outside organizations that evaluate, certify, or license health care providers or staff in a particular field or specialty.  For example, we may use or disclose PHI so that one of our providers may become certified as having expertise in a particular form of healthcare.
  • Cooperating with various people who review our activities.  For example, PHI may be seen by physicians or nurses reviewing the services provided to you, and by lawyers, and others who assist us in complying with the law and managing our business.
  • Assisting us in making plans for our practice’s future operations.
  • Resolving grievances within our practice.
  • Reviewing our activities and using or disclosing PHI in the event we sell our practice to someone else or combine with another practice.
  • Business planning and development, such as cost-management analyses.
  • Business management and general administrative activities of our practice, including managing our activities related to complying with the HIPAA Privacy Rule and other legal requirements.

Wherever possible, we create “de-identified” or “blinded” information that is not identifiable to any individual patient.

If another health care provider, company or health plan that is required to comply with the HIPAA Privacy Rule has or once had a relationship with a patient, we may disclose PHI about the patient for certain health care operations of that provider or company.  For example, such health care operations may include, reviewing and improving the quality, efficiency and cost of care provided to patients; reviewing and evaluating the skills, qualification and performance of health care providers; providing training programs for students, trainees, health care providers, or non-health care professionals; cooperating with outside organizations that evaluate, certify, or license health care providers or staff in a particular field or specialty; and assisting with legal compliance activities of that health care provider of company.

We may also disclose PHI for the health care operations of an “organized health care arrangement” in which we participate.  An example, of an “organized health care arrangement” is the joint care provided by a hospital and the doctors who see patients at the hospital.

4. Communication from our office:  We may contact you to remind you of your child(ren)’s appointments, and to provide you with information about treatment alternatives, or other health related benefits and services that may be of interest to you.  We may also contact you to coordinate specialist and other appointments for your child.  We may also contact you to obtain insurance and payment information about your child’s care.  We may contact you by telephone, mail or email.


1. Uses and Disclosures for which you have the opportunity to Agree or Object:  We may use and disclose PHI in some situations where you have the opportunity to agree or object to certain uses and disclosures of PHI.  If you do not object, then we may make these types of uses and disclosures of PHI.

  • Individuals Involved in You or Your Child’s Care or Payment for You or Your child’s care:  We may disclose PHI to your family member, close friend, or any other person identified by you if that information is directly relevant to the person’s involvement in the care or payment for care.  If you are present and able to consent or object (or if you are available in advance), then we may only use or disclose PHI if you do not object after you have been informed of your opportunity to object.  If you are not present or you are unable to consent or object, we may exercise professional judgment in determining whether the use or disclosure of PHI is in your best interests.  For example, if a patient is brought into this office by a caregiver other than a parent or legal guardian, we may find in the patient’s best interest to give a prescription and other medical supplies to the caregiver.  We may also use and disclose PHI to notify such persons of patient’s location, general condition, or death. 
  • We may also coordinate with disaster relief agencies to make this type of notification.
  • We may also use professional judgment and our experience with common practice to make reasonable decisions about patient’s best interests in allowing a person to act on their behalf to pick up filled prescriptions, medical supplies, or other things which may contain PHI.

2. Uses and Disclosures for which you may not have the opportunity to Agree or Object:  We may use and disclose PHI about patients in the following circumstances without their authorization or opportunity to agree or object, provided that we comply with certain conditions that may apply.

  • Required by Law:  We may use and disclose PHI as required by federal, state, or local law.  Any disclosure complies with the law and is limited to the requirements of the law.
  • Public Health Activities:  We may use or disclose PHI to public health authorities or other authorized persons to carry out certain activities related to public health, including the following activities:
    • To report immunization compliance;
    • To prevent or control disease, injury, or disability;
    • To report child abuse or neglect;
    • To report reactions to medications or problems with products or devices regulated by the Food and Drug Administration or other activities related to quality, safety or effectiveness of FDA-regulated products or activities;
    • To locate and notify persons of recalls of products they may be using;
    • To notify a person who may have been exposed to a communicable disease in order to control who may be at risk of contracting or spreading the disease; or
    • To report to a patient’s employer, under limited circumstances, information related primarily to workplace injuries or illness, or workplace medical surveillance.
  • Abuse, Neglect, or Domestic Violence:  We may disclose PHI in certain cases to proper government authorities if we reasonably believe that a patient has been a victim of domestic violence, abuse, or neglect.
  • Health Oversight Activities:  We may disclose PHI to a health sight oversight agency for oversight activities including, for example, audits, investigations, inspections, licensure and disciplinary activities and other activities conducted by health oversight agencies to monitor the health care system, government health care programs, and other compliance with certain laws.
  • Lawsuits and Other Legal Proceedings:  We may use or disclosed PHI when required to by a court or administrative tribunal order.  We may also disclose PHI in response to subpoenas, discovery requests, or other required legal process when efforts have been made to advise patients of the request or to obtain an order protecting the information requested.
  • Law Enforcement:  Under certain conditions, we may disclose PHI to law enforcement officials for the following purposes where the disclosure is:
    • About a suspected crime victim if, under certain limited circumstances, we are unable to obtain a person’s agreement because of incapacity or emergency;
    • To alert law enforcement of a death that we suspect was the result of criminal conduct;
    • Required by law;
    • In response to a court order, warrant, subpoena, summons, administrative agency request, or other authorized process;
    • To identify or locate a suspect fugitive, material witness, or missing person;
    • About a crime or suspected crime committed at our office; or
    • In response to a medical emergency not occurring at the office, if necessary to report a crime, including the nature of the crime, the location of the crime or victim, and the identity of the person who committed the crime.
  • Coroners, Medical Examiners, Funeral Directors: We may disclose PHI to a coroner or medical examiner to identify a deceased person and determine the cause of death.  In addition, we may disclose PHI to funeral directors, as authorized by law, so that they may carry out their jobs.
  • Organ and Tissue Donation:  If your are an organ donor, we may use or disclose PHI to organizations that help procure, locate, and transplant organs in order to facilitate an organ, eye, or tissue donation and transplantation.
  • Research:  We may use and disclose PHI about patients for research purposes under certain limited circumstances.  We must obtain a written authorization to use and disclose PHI for research purposes except in situations where a research project meets specific, detailed criteria established by the HIPAA Privacy Rule to ensure the privacy of PHI.
  • To Avert a Serious Threat to Health or Safety:  We may use or disclose PHI in limited circumstances when necessary to prevent a threat to the health or safety of a person or the public.  This disclosure can only be made to the person or agency that is able to prevent the threat.
  • Specialized Government Functions:  Under certain circumstances we may disclose PHI:
    • For certain military and veteran activities, including determination of eligibility of military participation and veteran benefits and where deemed necessary by military command authorities;
    • For national security and intelligence activities;
    • To help provide protective services for the president and others;
    • For the health or safety of inmates and others at correctional institutions or other law enforcement custodial situations for the general safety and health related to corrections facilities.
  • Disclosures Required by HIPAA Privacy Rule:  We are required to disclose PHI to the Secretary of the Unites States Department of Health and Human Services when requested by the Secretary to review our compliance with the HIPAA Privacy Rule.  We are also required in certain cases to disclose PHI to patients upon request to access PHI or an accounting of certain disclosures of PHI about them (described in Section III of this Notice).
  • Worker’s Compensation:  We may disclose PHI as authorized by worker’s compensation laws or other similar programs that provide benefits for work-related injuries or illness.


Massachusetts provides special privacy protections for sensitive PHI such as HIV/AIDS, mental health and substance use/abuse.  We will disclose such information only in a manner consistent with these laws.

All other uses and disclosures of PHI will only be made with your written authorization.  If you have authorized us to use or disclose PHI, you may revoke authorization at any time, except to the extent we have taken action based on the authorization.


The rights described apply to the parent or legal guardian until the child’s 18th birthday and to the child thereafter, except where Massachusetts state law prohibits disclosure to the parent of an adolescent.

Under federal law, you have the following rights regarding PHI:

  1.    Right to Request Restrictions:  You have the right to request additional restrictions on the PHI that we may use for treatment, payment and health care operations.  You may also request additional restrictions on our disclosure of PHI to certain individuals involved in you or your child’s care that otherwise are permitted by the Privacy Rule.  We are not required to agree with your request.  If we agree to your request, we are required to comply with our agreement except in certain cases, including where the information is needed to treat in the case of an emergency.  To request restrictions, you must make the request in writing to our Privacy Official.  In your request please include 1) the information you want to restrict; 2) how you want to restrict the information; and 3) to whom you want those restrictions to apply.
  2.    Right to Receive Confidential Communications:  You have the right to request that you receive communications regarding PHI in a certain manner or at a certain location.  For example, you may request that we contact you at home, rather than at work.  You must make your request in writing to our Privacy Official.  You must specify how you would like to be contacted (for example, by regular mail and not electronically.)  We are required to accommodate reasonable requests.
  3.    Right to Inspect and Receive a Copy:  You have the right to request the opportunity to inspect and receive a copy of PHI about you or your children in certain records that we maintain, in any format, and if it is readily producible in such form or format, are entitled to receive the copy within 30 days of written request. The practice may request a one-time 30-day extension in writing. The practice may send PHI in unencrypted emails only if the requesting individual is advised of the risk and still requests that form of transmission. This includes medical and billing records but does not include psychotherapy notes, or information gathered or prepared for a civil, criminal, or administrative proceeding.   This does not include disclosure to parents of Massachusetts mandated protected information contained in adolescent medical records.  Massachusetts’s statute requires disclosure to both parents in a divorced family, unless the court has ordered otherwise.  We may deny your request to inspect and copy PHI only in limited circumstances.  To inspect and copy PHI please contact our Privacy Official.  If you request a copy of PHI, we may charge a reasonable fee for the copying, postage, labor and supplies used in meeting your request.
  4.    Right to Append:  You have the right to request that we append PHI as long as such information is kept by or for our office.  You must submit your request in writing to our Privacy Official.  You must also give us a reason for your request.  We may deny your request in certain cases, including if it is not in writing, or if you do not give us a reason for the request.
  5.     Right to Receive an Accounting of Disclosures:  You have the right to request an “accounting” of certain disclosures that we have made of PHI about you.  This is a list of disclosures made by us during a specified period of up to six years other than disclosures made:  for treatment, payment and health care operations; for use in or related to a facility directory; to family members or friends involved in you or your child’s care; to you or your child directly; pursuant to an authorization of you or your personal representative, or for certain notification purposes (including national security, intelligence, correctional, and law enforcement purposes) and disclosures made before April 14, 2003.   Please direct requests to the Privacy Official.  The first list we provide in a 12-month period will be free, but we may charge reasonable costs for additional requests in the same 12-month period.  We will tell you about these costs, and you may choose to cancel your request at any time before costs are incurred.
  6.     Right to a Paper Copy of this Notice:  You have a right to receive a paper copy of this Notice at any time, even if you have previously agreed to receive this Notice electronically.  Please contact our Privacy Official to obtain a copy of this Notice.
  7.   Right to Notification in the Event of a Breach:  Consistent with federal and state laws, we will notify you in the event unsecured PHI is used or disclosed by an unauthorized individual.


If you believe your privacy rights have been violated, you may file a complaint with us at the address or phone number below, or with the Secretary of the United States Department of Health and Human Services in Washington, DC or at JFK Federal Building, Room 1874, Boston, MA 02203.  The complaint must be filed within 180 days of the alleged violation.  We will not retaliate or take action against you for filing a complaint.

If you have any questions about this Notice, please contact our Privacy Official at the address and number listed below.


Jacky Psoinos, CPNP
477 Andover Street
North Andover, MA 01835

This notice was published and first became effective on April 14, 2003.
Children’s Medical Office of North Andover, P.C.


This form must be completed, either on paper or on-line, before we can provide
healthcare of any kind (in person, by telephone, or by email)
to your child after April 15, 2003. Click above to complete on-line now,
or click here to download a paper copy to return to our office.