These Health Information Privacy
Policies & Procedures implement our obligations to protect the privacy
of individually identifiable health information that we create, receive,
or maintain as a healthcare provider.
We implement these Health Information Privacy Policies
and Procedures as a matter of sound business practice; to protect the
interests of our patients; and to fulfill our legal obligations under
the Health Insurance Portability and Accountability Act of 1996
("HIPAA"), its implementing regulations at 45 CFR Parts 160 and 164 (65
Fed. Reg. 82462 (Dec. 28, 2000)) ("Privacy Rules"), as amended (67 Fed.
Reg. 53182 (Aug. 14, 2002)), and state law that provides greater
protection or rights to patients than the Privacy Rules.
As a member of our workforce or as our Business
Associate, you are obligated to follow these Health Information Privacy
Policies & Procedures faithfully. Failure to do so can result in
disciplinary action, including termination of your employment or
affiliation with us.
These Policies & Procedures address the basics of
HIPAA and the Privacy Rules that apply in our dental practice. They do
not attempt to cover everything in the Privacy Rules. The Policies &
Procedures sometimes refer to forms we use to help implement the
policies and to the Privacy Rules themselves when added detail may be
needed.
Please note that while the Privacy Rules speak in
terms of "individual" rights and actions, these Policies & Procedures
use the more familiar word "patient" instead; "patient" should be read
broadly to include prospective patients, patients of record, former
patients, their authorized representatives, and any other "individuals"
contemplated in the Privacy Rules.
If you have questions or doubts about any use or
disclosure of individually identifiable health information or about your
other obligations under these Health Information Privacy Policies &
Procedures, the Privacy Rules or other federal or state law, please
contact our office. This policy was adopted effective 4/14/03
1. General Rule: No Use or Disclosure
Our dental office
must not use or disclose protected health information (PHI),
except as these Privacy Policies & Procedures permit or require.
2. Acknowledgement and Optional Consent
Our dental office
will make a good faith effort to obtain a written acknowledgement of
receipt of our Notice of Privacy Practices (see Section 9) from a
patient before we use or disclose his or her protected health
information (PHI) for treatment, to obtain payment for that treatment,
or for our healthcare operations (TPO).
Our dental office’s use or disclosure of PHI for our
payment activities and healthcare operations may be subject to the
minimum necessary requirements (see Section 7).
Our dental office
will become familiar with our state’s privacy laws. If required by our
state law, or as directed by the dentist, we will also seek Consent
from a patient before we use or disclose PHI for TPO purposes – in
addition to obtaining an Acknowledgement of receipt of our Notice of
Privacy Practices.
a) Obtaining Consent
– If consent is to be obtained,
upon the individual’s first visit as a patient (or next visit if
already a patient), our dental office will request and obtain the
patient’s written Consent for our use and disclosure of the
patient’s PHI for treatment, payment, and healthcare operations.
Any consent we
obtain must be on our Consent form, which we may not alter in
any way. Our dental office will include the signed Consent
form in the patient’s chart.
b) Exceptions –
Our dental office does not have to obtain the patient’s Consent in
emergency treatment situations; when treatment is required by law;
or when communications barriers prevent consent.
c) Consent
Revocation – A patient from whom we obtain consent may revoke it
at any time by written notice. Our dental office will include the
revocation in the patient’s chart. There is space at the bottom of
our Consent form where the patient can revoke the consent.
d) Applicability – Consent for use or
disclosure of PHI should not be confused with informed consent for
dental treatment. This section applies to our practice.
3. Authorization
In some cases we
must have proper, written Authorization from the patient (or the
patient’s personal representative) before we use or disclose a patient’s
PHI for any purpose (except for TPO purposes) or as permitted or
required without consent or authorization (see Sections 3, 4, or 5).
Our dental office
will use the Authorization form. We will always act in strict
accordance with an Authorization.
a) Authorization Revocation – A patient may revoke an authorization at any time by written notice.
Our dental office will not rely on an Authorization we know has
been revoked.
b) Authorization from Another Provider – Our dental office will use or disclose PHI as permitted by a valid
Authorization we receive from another healthcare provider.
Our dental office
may rely on that covered entity to have requested only the minimum
necessary PHI. Therefore, our dental office will not make our
own "minimum necessary" determination, unless we know that the
Authorization is incomplete, contains false information, has been
revoked, or has expired.
c) Authorization Expiration – Our dental office will not rely on an Authorization we know has
expired.
4. Oral Agreement
Our dental office
may use or disclose a patient’s PHI with the patient’s Oral Agreement,
or if the patient is unavailable, subject to all applicable requirements.
Our dental office may use
professional judgment and our experience with common practice to make
reasonable inferences of the patient’s best interest in allowing a
person to act on behalf of the patient to pick up dental/medical
supplies, X-rays, or other similar forms of PHI.
5. Permitted Without Acknowledgement, Consent, Authorization or Oral Agreement
Our dental office
may use or disclose a patient’s PHI in certain situations, without
Authorization or Oral Agreement. In our dental office, these
disclosures are not likely to be frequent.
a) Verification of Identity
– Our dental office will always verify the identity of any patient, and
the identity and authority of any patient’s personal representative,
government or law enforcement official, or other person, unknown to us,
who requests PHI before we will disclose the PHI to that person.
Our dental office will obtain appropriate
identification and, if the person is not the patient, evidence of
authority. Examples of appropriate identification include a photographic
identification card, a government identification card or badge, and an
appropriate document on government letterhead. Our dental office will
document the incident and how we responded.
b) Uses or Disclosures
Permitted under this Section 5 – The
situations in which our dental office is permitted to use or disclose
PHI in accordance with the procedures set out in this Section 5 are
listed below.
- For public health activities;
- To health oversight agencies;
- To coroners, medical examiners, and funeral directors;
- To employers regarding work-related illness or injury;
- To the military;
- To federal officials for lawful intelligence, counterintelligence, and national security activities;
- To correctional institutions regarding inmates;
- In response to subpoenas and other lawful judicial processes;
- To law enforcement officials;
- To report abuse, neglect, or domestic violence;
- As required by law;
- As part of research projects; and
- As authorized by state worker’s compensation laws.
6. Required Disclosures
Our dental office will disclose protected health
information (PHI) to a patient (or to the patient’s personal
representative) to the extent that the patient has a right of access to
the PHI (see Section 10); and to the U.S. Department of Health and Human
Services (HHS) on request for complaint investigation or compliance
review.
Our dental office will use the disclosure log to
document each disclosure we make to HHS.
7. Minimum Necessary
Our dental office
will make reasonable efforts to disclose, or request of another covered
entity, only the minimum necessary protected health information
(PHI) to accomplish the intended purpose.
There is no
minimum necessary requirement for disclosures to or requests by one
another in our dental office or by a healthcare provider for treatment;
permitted or required disclosures to, or for disclosure requested and
authorized by, a patient; disclosures to HHS for compliance reviews or
complaint investigations; disclosures required by law; or uses or
disclosures required for compliance with the HIPAA Administrative
Simplification Rules.
a) Routine or Recurring Requests
or Disclosures – Our dental office will
follow the policies and procedures that we adopt to limit our routine or
recurring requests for or disclosures of PHI to the minimum reasonably
necessary for the purpose.
b) Non-Routine or Non-Recurring Requests or
Disclosures – No non-routine or non-recurring request for or
disclosure of PHI will be made until it has been reviewed on a
patient-by-patient basis against our criteria to ensure that only the
minimum necessary PHI for the purpose is requested or disclosed.
c) Others’ Requests
– Our dental office will rely, if reasonable for the situation, on a
request to disclose PHI being for the minimum necessary, if the
requester is: (a) a covered entity; (b) a professional (including an
attorney or accountant) who provides professional services to our
practice, either as a member of our workforce or as our Business
Associate, and who represents that the requested information is the
minimum necessary; (c) a public official who represents that the
information requested is the minimum necessary; or (d) a researcher
presenting appropriate documentation or making appropriate
representations that the research satisfies the applicable requirements
of the Privacy Rules.
d) Entire Record
– Our dental office will not use, disclose, or request an entire record,
except as permitted in these Policies & Procedures or standard protocols
that we adopt reflecting situations when it is necessary.
e) Minimum Necessary Workforce Use – Our dental
office will use only the minimum necessary PHI needed to perform our
duties.
8. Business Associates
Our dental office
will obtain satisfactory assurance in the form of a written contract
that our Business Associates will appropriately safeguard and
limit their use and disclosure of the protected health information (PHI)
we disclose to them.
These Business
Associate requirements are not applicable to our disclosures to a
healthcare provider for treatment purposes. The Business Associate
Contract Terms document contains the terms that federal law requires
be included in each Business Associate Contract.
a) Breach by Business
Associate – If our dental office learns that
a Business Associate has materially breached or violated its
Business Associate Contract with us, we will take prompt, reasonable
steps to see that the breach or violation is cured.
If the Business
Associate does not promptly and effectively cure the breach or
violation, we will terminate our contract with the Business Associate,
or if contract termination is not feasible, report the Business
Associate’s breach or violation to the U.S. Department of Health and
Human Services (HHS).
9. Notice of Privacy Practices
Our dental office
will maintain a Notice of Privacy Practices as required by the
Privacy Rules.
a) Our Notice
– Our dental office will use and disclose PHI only in conformance with
the contents of our Notice of Privacy Practices. We will promptly
revise a Notice of Privacy Practices whenever there is a material
change to our uses or disclosures of PHI, to legal duties, to the
patients’ rights, or to other privacy practices that render the
statements in that Notice no longer accurate.
Form 1, Notice of Privacy
Practices, found in this Privacy Kit, contains the terms that federal
law requires.
b) Distribution of Our Notice
– Our dental office will provide our Notice of Privacy Practices
to any person who requests it, and to each patient no later than the
date of our first service delivery after April 14, 2003.
Our dental office
will have our Notice of Privacy Practices available for patients
to take with them. We will also post our Notice of Privacy Practices
in a clear and prominent location where it is reasonable to expect
patients seeking services from us will be able to read the Notice.
c) Acknowledgement of Notice
– Our dental office will make a good faith effort to obtain from the
patient a written Acknowledgement of receipt of our Notice of Privacy
Practices.
Our dental office
shall use Form 2, Acknowledgement of Receipt of Notice of Privacy
Practices, found in this Privacy Kit, to obtain the Acknowledgement.
If we cannot obtain written Acknowledgement from the patient, we will
use the form to document our attempt and the reason why written
Acknowledgement was not signed by the patient.
10. Patients’ Rights
Our dental office will honor the rights of patients
regarding their PHI.
a) Access
– With rare exceptions, our dental office must permit patients to
request access to the PHI we or our Business Associates hold.
No PHI will be
withheld from a patient seeking access unless we confirm that the
information may be withheld according to the Privacy Rules. We may offer
to provide a summary of the information in the chart. The patient must
agree in advance to receive a summary and to any fee we will charge for
providing the summary. Our dental office will contact our Business
Associates to retrieve any PHI they may have on the patient.
b) Amendment
– Patients have the right to request to amend their PHI and other
records for as long as our dental office maintains them.
Our dental office may deny a request to amend PHI or
records if: (a) we did not create the information (unless the patient
provides us a reasonable basis to believe that the originator is not
available to act on a request to amend); (b) we believe the information
is accurate and complete; or (c) we do not have the information.
Our dental office
will follow all procedures required by the Privacy Rules for denial or
approval of amendment requests. We will not, however, physically alter
or delete existing notes in a patient’s chart. We will inform the
patient when we agree to make an amendment, and we will contact our
Business Associates to help assure that any PHI they have on the
patient is appropriately amended. We will contact any individuals whom
the patient requests we alert to any amendment to the patient’s PHI. We
will also contact any individuals or entities of which we are aware that
we have sent erroneous or incomplete information and who may have acted
on the erroneous or incomplete information to the detriment of the
patient.
When we deny a request for an
amendment, we will mark any future disclosures of the contested
information in a way acknowledging the contest.
c) Disclosure
Accounting – Patients have the
right to an accounting of certain disclosures our dental office made of
their PHI within the 6 years prior to their request. Each disclosure we
make that is not for treatment, payment, or healthcare operations must
be documented showing the date of the disclosure, what was disclosed,
the purpose of the disclosure, and the name and (if known) address of
each person or entity to whom the disclosure was made. The
Authorization or other documentation must be included in the
patient’s record. We use the patient’s chart to track each disclosure of
PHI as needed to enable us to fulfill our obligation to account for
these disclosures.
We are not required to account for disclosures we
made: (a) before April 14, 2003; (b) to the patient (or the patient’s
personal representative); (c) to or for notification of persons involved
in a patient’s healthcare or payment for healthcare; (d) for treatment,
payment, or healthcare operations; (e) for national security or
intelligence purposes; (f) to correctional institutions or law
enforcement officials regarding inmates; (g) according to an
Authorization signed by the patient or the patient’s representative; or (h)
incident to another permitted or required use or disclosure.
We will temporarily
suspend the accounting of any disclosure when requested to do so
according to the Privacy Rules by health oversight agencies or
law enforcement officials. We may charge for any accounting that is more
frequent than every 12 months, provided the patient is informed of the
fee before the accounting is provided. We will contact our Business
Associates to assure we include in the accounting any disclosures
made by them for which we must account.
d) Restriction on Use or Disclosure – Patients
have the right to request our dental office to restrict use or
disclosure of their PHI, including for treatment, payment, or healthcare
operations. We have no obligation to agree to the request, but if we do,
we will comply with our agreement (except in an appropriate
dental/medical emergency).
We may terminate an
agreement restricting use or disclosure of PHI by a written notice of
termination to the patient. We will contact our Business Associates
whenever we agree to such a restriction to inform the Business
Associate of the restriction and its obligations to abide by the
restriction. We will document in the patient’s chart any such agreed-to
restrictions.
e) Alternative Communications –
Patients have the right to request us to use alternative means or
alternative locations when communicating PHI to them. Our dental office
will accommodate a patient’s request for such alternative communications
if the request is reasonable and in writing.
Our dental office will inform the patient of our
decision to accommodate or deny such a request. If we agree to such a
request, we will inform our Business Associates of the agreement and
provide them with the information necessary to comply with the
agreement.
f) Applicability – Our dental office will be aware
of and respect these patients’ rights regarding their PHI, even though
in most situations patients are unlikely to exercise them.
11. Staff Training and Management, Complaint
Procedures, Data Safeguards, Administrative Practices
a) Staff Training and Management
* Training – Our dental office will train all
members of our workforce in these Privacy Policies & Procedures, as
necessary and appropriate for them to carry out their functions. We will
complete the privacy training of our existing workforce by April 14,
2003.
After April 14, 2003, our dental office will train
each new staff member within a reasonable time after the member starts.
We will also retrain each staff member whose functions are affected
either by a material change in our Privacy Policies and Procedures or in
the member’s job functions, within a reasonable time after the change.
Form 7, Staff
Review of Policies and Procedures, can be used to have workforce
members acknowledge they have received and read a copy of these Policies
and Procedures.
* Discipline and Mitigation
– Our dental office will develop, document, disseminate, and implement
appropriate discipline policies for staff members who violate our
Privacy Policies & Procedures, the Privacy Rules, or other applicable
federal or state privacy law.
Staff members who violate our Privacy Policies &
Procedures, the Privacy Rules or other applicable federal or state
privacy law will be subject to disciplinary action, possibly up to and
including termination of employment.
b) Complaints – Our dental office will implement
procedures for patients to complain about our compliance with our
Privacy Policies and Procedures or the Privacy Rules. We will also
implement procedures to investigate and resolve such complaints.
The Complaint
form can be used by the patient to lodge the complaint. Each complaint
received must be referred to management immediately for investigation
and resolution. We will not retaliate against any patient or workforce
member who files a Complaint in good faith.
c) Data Safeguards
– Our dental office will "add to" and strengthen these Privacy Policies
& Procedures with such additional data security policies and procedures
as are needed to have reasonable and appropriate administrative,
technical, and physical safeguards in place to ensure the integrity and
confidentiality of the PHI we maintain.
Our dental office will take reasonable steps to limit
incidental uses and disclosures of PHI made according to an otherwise
permitted or required use or disclosure.
d) Documentation and Record Retention – Our dental
office will maintain in written or electronic form all documentation
required by the Privacy Rules for six years from the date of creation or
when the document was last in effect, whichever is greater.
e) Privacy Policies & Procedures – Only
Dr. Rita M. Cammarata may change these
Privacy Policies & Procedures.
12. State Law Compliance
Our dental office will comply with the privacy laws of
each state that has jurisdiction over our practice, or its actions
involving protected health information (PHI), that provide greater
protections or rights to patients than the Privacy Rules.
13. HHS Enforcement
Our dental office will give the U.S. Department of
Health and Human Services (HHS) access to our facilities, books,
records, accounts, and other information sources (including individually
identifiable health information without patient authorization or notice)
during normal business hours (or at other times without notice if HHS
presents appropriate lawful administrative or judicial process).
We will cooperate with any compliance review or
complaint investigation by HHS, while preserving the rights of our
practice.
14. Designated Personnel
Our dental office will designate a Privacy Officer and
other responsible persons as required by the Privacy Rules.