Privacy Practices

Our Notice of Privacy Practices describes the rights of our patients and explains Winchester Physician Associates responsibilities under the law to maintain the privacy of our patients’ health information.


This Notice describes the privacy practices of Winchester Physician Associates, Inc. (WPA), its Medical and Allied Health Care Professional Staff, Nurses and other clinical personnel (“we” or “us”), and the privacy practices of WPA’s affiliate, Winchester Hospital. It applies to services furnished to you at your physician’s office location. 


Our practice is dedicated to maintaining the privacy of your health information (“Protected Health Information” or “PHI”). In conducting our business, we will create records regarding you and the treatment and services we provide to you. These records are our property. 

However, we are required by law to:


Maintain the privacy of your medical information.

Provide you with this Notice of Privacy Practices and legal duties concerning your PHI.

Follow the terms of our Notice of Privacy Practices in effect at the time.


This Notice provides you with information regarding:

How we may use and disclose your medical information.

Your privacy rights to your medical information.

Our obligation concerning the use and disclosure of your medical information.



In order to facilitate your treatment, obtain payment or maintain our health care operations, we can use/disclose your PHI without your written authorization under the specific circumstances listed below. Section 3 outlines circumstances where we must obtain your written authorization in order to use and/or disclose your PHI. The following uses and disclosures can be made without your authorization:

A. Uses and Disclosures for Treatment, Payment and Health Care Operations. We are generally permitted to use and disclose PHI in order to treat you, obtain payment for services provided to you, and conduct our “health care operations” as detailed below: 

Treatment. We use and disclose your PHI to provide treatment and other services to you -- for example, to diagnose and treat your injury or illness. In addition, we may contact you to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to you, provided that we abide by restrictions on third party funding for such communications. We may also disclose PHI to other providers involved in your treatment.

Payment. We may use and disclose your PHI to obtain payment for services that we provide to you -- for example, disclosures to claim and obtain payment from your health insurer, HMO, or other company that arranges or pays the cost of some or all of your health care (“Your Payor”), and to verify that Your Payor will pay for health care. 

Health Care Operations. We may use and disclose your PHI for our health care operations, which include internal administration and planning and various activities that improve the quality and cost effectiveness of the care that we deliver to you. For example, we may use PHI to evaluate the quality and competence of our physicians, nurses and other health care workers in order to resolve any complaints you may have during your visit with us. We may also disclose PHI to your other health care providers for their health care operations, such as quality assessment and improvement activities, reviewing the quality and competence of health care professionals, or for health care fraud and abuse detection or compliance. We may also disclose PHI to remind you that you have an appointment. 


B. Use or Disclosure for Directory of Individuals in Winchester Hospital. This section intentionally omitted. 

C. Disclosure to Relatives, Close Friends and Other Caregivers. We may use or disclose your PHI to a family member, other relative, a close personal friend or any other person identified by you when you are present for, or otherwise available prior to, the disclosure, if we (1) obtain your agreement; (2) provide you with the opportunity to object to the disclosure and you do not object; or (3) reasonably infer that you do not object to the disclosure.

If you are not present, or the opportunity to agree or object to a use or disclosure cannot practicably be provided because of your incapacity or an emergency circumstance, we may exercise our professional judgment to determine whether a disclosure is in your best interests. If we disclose information to a family member, other relative or a close personal friend, we would disclose only information that we believe is directly relevant to the person’s involvement with your health care or payment related to your health care. We may also disclose your PHI in order to notify (or assist in notifying) such persons of your location, general condition or death.

D. Fundraising Communications. We may disclose to Winchester Hospital and/or Winchester Hospital Foundation or Foundation staff demographic information about you (e.g., your name, address and phone number) and dates on which we provided health care to you, as well as information about your health insurance status, department of service, treating physician and outcome information without your written authorization. Each fundraising communication will include a clear and conspicuous opportunity for you to elect not to receive any further fundraising communications. You may also opt back in to receive fundraising communications if you change your mind. If you would like your name removed from the Foundation database, you may write Winchester Hospital Foundation, 41 Highland Avenue, Winchester, MA 01890.

E. Public Health Activities. We may disclose your PHI for the following public health activities: (1) to report health information to public health authorities for the purpose of preventing or controlling disease, injury or disability; (2) to report child abuse and neglect to public health authorities or other government authorities authorized by law to receive such reports; (3) to report information about products and services under the jurisdiction of the U.S. Food and Drug Administration; (4) to alert a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition; and (5) to report information to your employer as required under laws addressing work-related illnesses and injuries or workplace medical surveillance. 

F. Victims of Abuse, Neglect or Domestic Violence. If we reasonably believe you are a victim of abuse, neglect or domestic violence, we may disclose your PHI to a governmental authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect or domestic violence. 

G. Health Oversight Activities. We may disclose your PHI to a health oversight agency that oversees the health care system and is charged with the responsibility of ensuring compliance with the rules of government health programs such as Medicare or Medicaid. 

H. Judicial and Administrative Proceedings. We may disclose your PHI in the course of a judicial or administrative proceeding in response to a legal order or other lawful process.

I. Law Enforcement Officials. We may disclose your PHI to the police or other law enforcement officials as required or permitted by law or in compliance with a court order or a grand jury or administrative subpoena.

J. Decedents. We may disclose your PHI to a coroner or medical examiner as authorized by law. 

K. Organ and Tissue Procurement. This section intentionally omitted.

L. Research. We may use or disclose your PHI without your consent or authorization if our Institutional Review Board/Privacy Board approves a waiver of authorization for disclosure, or as otherwise permitted under Federal privacy rules. 

M. Health or Safety. We may use or disclose your PHI to prevent or lessen a serious and imminent threat to a person’s or the public’s health or safety. 

N. Specialized Government Functions. We may use and disclose your PHI to units of the government with special functions, such as the U.S. military or the U.S. Department of State under certain circumstances.

O. Workers’ Compensation. We may disclose your PHI as authorized by and to the extent necessary to comply with state law relating to workers’ compensation or other similar programs.

P. As Required By Law. We may use and disclose your PHI when required to do so by any other law not already referred to in the preceding categories.


A. Use or Disclosure with Your Authorization. For any purpose other than those described in Section 2, we only may use or disclose your PHI when you grant us your written authorization on our authorization form (“Your Authorization”). For instance, you will need to execute an authorization form before we can send your PHI to a life insurance company or to your attorney. 

B. Marketing. We may communicate with you about products or services relating to your treatment, case management or care coordination, or alternative treatments, therapies, providers, or care settings without obtaining your written authorization (“Your Marketing Authorization”). However we are required to obtain Your Marketing Authorization when these communications are subsidized by a third party that may benefit from the communication. We must also obtain Your Marketing Authorization prior to using your PHI to send you any marketing materials that are not permissible treatment or health care operations communications. We can, however, provide you with marketing materials in a face-to-face encounter without obtaining Your Marketing Authorization. We are also permitted to offer you a promotional gift of nominal value without obtaining Your Marketing Authorization. 

C. Sale of PHI. We are prohibited from selling your PHI without your authorization. 

D. Uses and Disclosures of Your Highly Confidential Information. Federal and state law requires special privacy protections for certain highly confidential information (“Highly Confidential Information”), including: (1) your HIV/AIDS status; (2) genetic testing information; (3) confidential communications with a psychotherapist, psychologist, social worker, allied mental health professional, or human services professional; (4) substance abuse (alcohol or drug) treatment or rehabilitation information; (5) venereal disease information; (6) abortion consent form(s); (7) family planning services; (8) treatment or diagnosis of emancipated minors; (9) mental health community program records; and (10) research involving controlled substances. We may be required to obtain your separate, specific written consent for communications of Highly Confidential Information unless we are otherwise permitted by law to make such disclosure. In addition, if you are an emancipated minor, certain information relating to your treatment or diagnosis may be considered “Highly Confidential Information” and as a result will not be disclosed to your parent or guardian without your consent. However, your consent is not required if a physician reasonably believes your condition to be so serious that your life or limb is endangered. Under such circumstances, we may notify your parents or legal guardian of the condition, and will inform you of any such notification.


A. For Further Information, Complaints. If you desire further information about your privacy rights, are concerned that we have violated your privacy rights or disagree with a decision that we made about access to your PHI, you may contact our Privacy Officer. You may also file written complaints with the Secretary of the U.S. Department of Health and Human Services. Upon request, the Privacy Officer will provide you with the correct address for the Secretary. We will not retaliate against you if you file a complaint with the Secretary or with us.

B. Right to Request Additional Restrictions. You may request restrictions on our use and disclosure of your PHI: (1) for treatment, payment and health care operations, (2) to individuals (such as a family member, other relative, close personal friend or any other person identified by you) involved with your care or with payment related to your care, or (3) to notify or assist in the notification of such individuals regarding your location and general condition. While we will consider requests for additional restrictions carefully, we are not required to agree to all requested restrictions, but we must agree to your request to restrict disclosures of PHI to a health plan regarding health care for which you have paid out-of-pocket in full. If you wish to request additional restrictions, please obtain a request form from our Privacy Officer and submit the completed form to the Privacy Officer. We will send you a written response.

C. Right to Receive Confidential Communications. You may request, and we will accommodate, any reasonable written request for you to receive your PHI by alternative means of communication or at alternative locations. 

D. Right to Revoke Your Authorization. You may revoke Your Authorization, Your Marketing Authorization or any written authorization obtained in connection with your Highly Confidential Information, except to the extent that we have taken action in reliance upon it, by delivering a written revocation statement to the Privacy Officer identified below. (A form for Written Revocation is available upon request from the Privacy Officer.)

E. Right to Inspect and Copy Your Health Information. You may

request access to your medical record file and billing records maintained by us in order to inspect and request copies of the records. Under limited circumstances, we may deny you access to a portion of your records. If you desire access to your records, please obtain a record request form from Medical Records and submit the completed form to Medical Records. If you request copies, we will charge you a reasonable cost-based fee, which we have determined to be $20.59 plus 70 cents per page for the first 100 pages and 36 cents per page for pages in excess of 100 pages. We may also charge you for postage costs if you request that we mail the copies to you.

F. Right to Amend Your Records. You have the right to request that we amend Protected Health Information maintained in your medical record file or billing records. If you desire to amend your records, please obtain an amendment request form from Medical Records and submit the completed form to Medical Records. We will comply with your request unless we believe that the information that would be amended is accurate and complete or other special circumstances apply. 

G. Right to Receive an Accounting of Disclosures. Upon request, you may obtain an accounting of certain disclosures of your PHI made by us during any period of time prior to the date of your request provided such period does not exceed six years or three years for certain disclosures made through an electronic health record. If you request an accounting more than once during a twelve (12) month period, we will charge you 25 cents per page of hard copy records. 

H. Right to Receive Notice in the Event of a Breach. In the event of a breach of your PHI that has not been secured in accordance with federal standards (such as encrypted), you have the right to be notified of the breach and to be provided, to the extent available, with a description of the breach, a description of the types of information that were involved in the breach, the steps you should take to protect yourself from potential harm, a brief description of what we are doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for questions or concerns regarding the breach.

I. Right to Receive Paper Copy of this Notice. Upon request, you may obtain a paper copy of this Notice, even if you have agreed to receive such notice electronically. 


A. Effective Date. This Notice is effective on April 15, 2013.

B. Right to Change Terms of this Notice. We may change the terms of this Notice at any time. If we change this Notice, we may make the new notice terms effective for all Protected Health Information that we maintain, including any information created or received prior to issuing the new notice. If we change this Notice, we will post the new notice in waiting areas at the WPA practice site and on our Internet site at You also may obtain any new notice by contacting the Privacy Officer.


You may contact:

Privacy Officer

Winchester Physician Associates, Inc.

41 Highland Avenue

Winchester, MA 01890

Telephone Number: 781-756-2900


State law may offer protections more stringent than those listed in this Notice of Privacy Practices. We will follow the more stringent law regarding the privacy and security of your PHI. 


 If you have questions or concerns regarding this Notice or privacy issues in general, please call the Winchester Physician Associates Privacy Line at (781) 756-2900.