Privacy Practices

PRACTICE NAME: Waltham Clinic



All employees, volunteers, staff, doctors, health professionals and other personnel are legally required to, and must, abide by the policies set forth in this notice and protect the privacy of your health information.

This “protected health information”, or PHI for short, includes information that can be used to identify you. We collect or receive this information about your past, present or future health condition to provide health care to you, or to receive payment for this health care. We must provide you with this notice about our privacy practices that explains how, when and why we use and disclose (release) your PHI. With some exceptions, we may not use or release any more of your PHI than is necessary to accomplish the need for the information.

We reserve the right to change the terms of this notice and our privacy policies at any time. Any changes to this notice will apply to the PHI already in existence. Before we make any change to our procedures, we will promptly change this notice and post a new notice in our lobby. You can also request a copy of this notice from the contact person listed at the end of this notice, and can view a copy of the notice on our Web site at:

I. We may use and release your protected health information for many different reasons. For some of these reasons, we will need your permission or a specific, signed authorization. Below, we describe the different categories of when we use or release your PHI, give you some examples of each category, and tell you when we need your permission.


1. For Treatment. We may release your PHI to physicians, nurses, and other health care personnel and agencies who provide or are involved in your health care. For example, if you are being treated for sleep apnea, we may release your PHI to a sleep specialist to coordinate your care.

2. To obtain payment for treatment. We may use and release your PHI to bill and collect payment for services provided to you. It is important that you provide us with correct and up-to-date PHI. For example, we may release portions of your PHI to our billing department and your health plan to get paid for the health care services we provided to you. We may also release your PHI to our business associates, such as a Pharmacy Benefits Manager (PBM), to obtain eligibility and/or approval for medication.

3. To run our health care business. We may release your PHI to operate our practice in compliance with healthcare regulations. For example, we may use your PHI to review the quality of our services, to evaluate the performance of our staff in caring for you, or to seek outside accreditation.

4. Organized Health Care Arrangements. We may use or disclose your PHI with members of an Organized Health Care Arrangement for health care operations. An example of an arrangement is on-site specialty care.


1. When federal, state, or local law; judicial or administrative proceedings; or law enforcement agencies request your PHI. We release your PHI when a law requires that we report information to government agencies and law enforcement personnel about victims of abuse, neglect, or domestic violence; for notification and identification purposes when a crime has occurred or in missing person cases; when a crime has taken place on our premises; about victims of a crime with their consent or in an emergency situation; or when ordered in a judicial or administrative proceeding.

2. For public health activities. We may disclose PHI about you for public health activities. These activities generally include the following: (1) to prevent or control disease, injury or disability; (2) to report births and deaths; (3) to report child abuse or neglect; (4) to report reactions to medications or problems with products; (5) to notify people of recalls of products they may be using; (6) to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition; or (7) to notify the appropriate government authority if we believe a patient has been a victim of abuse, neglect or domestic violence. We also provide coroners, medical examiners and funeral directors necessary information relating to an individual’s death.

If we keep genetic testing information about you, we will release that information only to the state departments that monitor our work or if required by law to release that information. Otherwise, we will disclose this information only if you give us your permission in writing.

3. Disaster Relief. We may disclose medical information about you to an entity assisting in a disaster relief effort so that your family can be notified about your condition, status and location.

4. For purposes of organ donation. For patients that have previously agreed to organ donation, we may notify organ procurement organizations to assist them in organ, eye or tissue donation and transplants.

5. To avoid harm. In order to avoid a serious threat to health or safety of a person or the public, we may provide your demographic PHI to law enforcement personnel or persons able to prevent or lessen such harm.

6. For workers’ compensation purposes. We release your PHI to comply with workers’ compensation laws. If you do not want workers’ compensation notified, alternate insurance or payment information must be supplied.

7. For appointment reminders and health related benefits and services. We may use your demographic PHI to contact you as a reminder that you have an appointment or to recommend possible treatment options or alternatives that may be of interest to you.

8. For Marketing Activities. We have the right to use PHI about you to contact you in an effort to encourage you to purchase or use a product or service. If we receive any direct or indirect payment for making such a communication, however, we would need your prior written permission to contact you. The only exceptions for seeking such permission are when our communication (i) describes only a drug or medication that is currently being prescribed for you and our payment for the communication is reasonable in amount or (ii) is made by one of our business partners consistent with our written agreement with the business partner.

9. Research. Under certain circumstances, we may use and disclose PHI about you for research purposes. For example, a research project may involve comparing the health and recovery of all patients who received one medication to those who received another, for the same condition. All research projects, however, are subject to a special approval process. This process evaluates a proposed research project and its use of PHI, trying to balance the research needs with patients’ need for privacy of their medical information. Before we use or disclose PHI for research, the project will have been approved through this research approval process. We may, however, disclose medical information about you to people preparing to conduct a research project, for example, to help them look for patients with specific medical needs, so long as the medical information they review does not leave the office. We will almost always ask for your specific permission if the researcher will have access to your name, address or other information that reveals who you are, or will be involved in your care.

10. For health oversight activities. We may disclose PHI to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for oversight of the healthcare system, government benefit programs, or entities subject to government regulations or civil rights laws.

11. For specialized government functions. For example, we may disclose PHI about you if it relates to military and veterans activities, national security and intelligence activities, protective services for the President, and medical suitability or determinations of the Department of State. If you are a member of the armed forces, we may release PHI about you as required by military command authorities. We may also release PHI about foreign military personnel to the appropriate foreign military authority.

12. Correctional Institution. If you are or become an inmate of a correctional institution, we may disclose to the institution or its agents PHI necessary for your health and the health and safety of other individuals.
If state law is more stringent (gives you more protection), it will be applied to our use of your PHI.


Information shared with family, friends or others. We may release your PHI to a family member, friend, or other person that you indicate is involved in your care or the payment for your health care, unless you object in whole or in part. Your choice to object may be made at any time.


We will ask for your written authorization before using or releasing any of your PHI except as previously stated. If you choose to sign an authorization to release your PHI, you may later cancel that authorization in writing. This will stop any future release of your PHI for the purposes you previously authorized but will not change what was released by the valid authorization.

To the extent required by law, when using or disclosing your PHI or when requesting your PHI from another covered entity, we will make reasonable efforts not to use, disclose or request more than a “limited data set” (as defined below) of your medical information, or, if needed by us, no more than the minimum amount of medical information necessary to accomplish the intended purpose of the use, disclosure or request, taking into consideration practical and technological limitations.

A “limited data set” means medical information that excludes the following items:
(i) Names;
(ii) Postal address information other than town or city, State, and zip code;
(iii) Telephone numbers;
(iv) Fax numbers;
(v) Electronic mail addresses;
(vi) Social security numbers;
(vii) Medical record numbers;
(viii) Health plan beneficiary numbers;
(ix) Account numbers;
(x) Certificate/license numbers;
(xi) Vehicle identifiers and serial numbers, including license plate numbers;
(xii) Device identifiers and serial numbers;
(xiii) Web Universal Resource Locators (URLs);
(xiv) Internet Protocol (IP) address numbers;
(xv) Biometric identifiers, including finger and voice prints; and
(xvi) Full face photographic images and any comparable images.


To help improve your medical care, we use an electronic health record (EHR) to create, store and maintain your medical record. Our management company provides the EHR to us, and we use it in conjunction with other physicians and health care providers (Users) in our community served by the same management company.

The EHR allows us to send and receive your health information to and from other Users who have treated you and who also use the EHR, but only if the reason we or another User seeks your health information is also to provide you with treatment, obtain payment for your medical treatment, or to perform other administrative tasks permitted by our privacy policies and law. We and other Users will not send or receive your health information through the EHR for any other purposes.

We believe the EHR will help improve your care by allowing us to quickly and efficiently receive the health information your other health care providers have collected from their treatment of you and by similarly sharing with your other providers the health information we have collected from our treatment of you. To help ensure the privacy and security of your health information, the EHR is protected by a variety of security measures and privacy rules.


A. You Have the Right to Request Limits on How We Use and Release Your PHI.

You have the right to request a restriction or limitation on the PHI we use or disclose about you for treatment, payment or health care operations. You also have the right to request a limit on the PHI we disclose about you to someone who is involved in your care or the payment for your care, like a family member or friend. We are not required to agree to your request, except if the disclosure is to a health plan for purposes of carrying out payment or health care operations (and not for treatment purposes) and the PHI relates solely to a health care item or service for which we have been paid out-of-pocket in full. If we agree with (or are required to honor) your request, we will put any limits in writing and abide by them except in emergency situations. You may not limit PHI that we are legally required or allowed to release.

B. You Have the Right to Choose How We Communicate PHI to You.

All of our communications to you are considered confidential. You have the right to ask that we send information to you at an alternative address (for example, sending information to your work address rather than your home address), or by alternative means (for example, email instead of regular mail). We must agree to your request so long as we can easily provide it in the format you requested. Any additional expenses will be passed on to you for payment.

C. You Have the Right to See and Get Copies of Your PHI.

You must make the request in writing. We will respond to you within 30 days, or less if directed by state law, after receiving your written request. In certain situations, we may deny your request. If we do, we will tell you, in writing, why we denied your request. You have the right to have the denial reviewed. We will choose another licensed healthcare professional to review your request and the denial. The person conducting the review will not be the person who denied your first request. You can also request a summary or a copy of the entire medical record as long as you agree to the cost in advance. If your request to see or get a copy of the medical record is approved, we will arrange this in accordance with established policy. Because your PHI is maintained in an electronic health record, you may obtain an electronic copy of your PHI and, if you choose, instruct us to transmit such a copy to an entity or person you designate in a clear, conspicuous and specific manner. Our fee for providing you an electronic copy of your PHI will not exceed our labor costs in responding to your request for the electronic copy (or summary or explanation).

D. You Have the Right to Get a List of Instances of When and to Whom We Have Disclosed Your PHI (“Accounting of Disclosures”).

Upon written request, you may obtain an accounting of certain disclosures of your PHI made by us during any period of time six years prior to the date of your request, except that for requests made on or after January 1, 2011 that relate to treatment, payment or health care operation disclosures from our electronic health record system, the accounting period is three years. Your written request should indicate in what form you want the list (for example, on paper or electronically). If you request an accounting more than once during a twelve (12) month period, we will charge you for the costs involved in fulfilling your additional request. We will inform you of such costs in advance, so that you may modify or withdraw your request to save costs. In addition, we will notify you as required by law if there has been a breach of the security of your PHI.

E. You have the Right to Correct or Update Your PHI.

If you believe there is a mistake in your PHI or that a piece of important information is missing, you have the right to request that we correct the existing or add the missing information. We can do this for as long as the information is retained by our practice. You must provide the request and your reason for the request in writing. We will respond within 60 days, or less if directed by state law, of receiving your request. If we approve your request, we will make the change to your PHI, tell you that we have done it, and tell others that need to know about the change or amendment to your PHI. If we deny your request, our written denial will state our reasons and explain your right to file a written statement of disagreement. If you do not file a written statement of disagreement, you have the right to request that your request and our denial be attached to all future uses or releases of your PHI.

F. Right to Addendum. If you are a California resident, you have the right to submit a 250 word addendum about anything in your record you disagree with. If you tell us to, we will put this addendum in your medical record. We may add a written rebuttal to the addendum and we will supply you with a copy of this rebuttal.

G. You have the Right to Get This Privacy Notice by email, as well as paper. You may ask us to give you a copy of this notice at any time. Even if you have agreed to receive this notice electronically, you are still entitled to a paper copy of this notice.

H. Please submit all requests to view and/or obtain a copy of your medical record, to obtain a list of disclosures, or to amend or correct your PHI to:
Nicole Kelleher M.D. At Name Title +1 818 575 6351

If you think that we may have violated your privacy rights, or you disagree with a decision we made about access to your PHI, you may file a complaint with the practice listed above or you can file a complaint with the Privacy Officer or with the Secretary of Health and Human Services. There will be no retaliation for filing a complaint. If you have questions or would like additional information about our privacy practices, you may contact our Privacy Office at 2950 Buskirk Avenue, Suite 300, Walnut Creek, CA 94597 or +1 818 575 6351.

This notice went into effect on October 20, 2020.