Privacy Policy
Notice of HIPAA Private Policy
I. INTRODUCTION
Recently, the United States Department of Health and Human Services (“HHS”) issued comprehensive regulations relating to the privacy of patient records. It is the intent of this office to comply with each of these new rules, and this policy is designed to provide a framework to accomplish this goal.
These rules apply to this office because, among other things, we transmit patient records electronically. However, the rules apply to all “protected patient information,” whether in electronic or paper form, or whether disclosed orally. For purposes of this Privacy Policy, “protected patient information” includes any individually identifiable information, such as names, dates, phone/fax numbers, email addresses, home addresses, social security numbers, and demographic data. Employment records are not included within the definition (and thus not subject to the privacy rule) unless they are used in connection with the provision of employment.
II. PRIVACY OFFICIAL
Rachel McKibben shall be this office’s “privacy official.” As such, he/she shall be responsible for implementing this Privacy Policy, as well as developing any future amendments or revisions to this Policy.
III. CONTACT PERSON
Dr. Jackie Berkowitz shall be designated as this office’s “contact person.” He/she shall therefore be responsible for receiving any complaints or inquiries about patient privacy matters, and responding to such complaints or inquiries.
The Contact Person shall document all complaints or inquiries received.
If any patient or other person desires to make a complaint relating to patient privacy, the Contact Person shall instruct him or her to submit the complaint in writing. The Contact Person shall then investigate the complaint or inquiry, determine a resolution in conjunction with Dr. Berkowitz, and respond to the complainant or inquirer as to the results of the investigation and resolution.
If the inquiry is a complaint, the person shall be advised of his/her right to file a complaint with HHS and notified that the complaint must be filed within 180 days of the date of the alleged violation.
IV. PRIVACY TRAINING
This office will routinely undertake privacy training for all staff. The training will occur on an annual basis for all existing staff, unless otherwise changed to a more frequent basis. In addition, all new staff shall participate in privacy training immediately upon their commencement of employment with this office. A written record of this training will be maintained by the Privacy Official.
V. USE AND DISCLOSURE OF PROTECTED PATIENT INFORMATION
A. GENERALLY
No protected patient information shall be used or disclosed in any manner other than in conformity with this Policy. Staff should always be mindful of the need to maintain confidentiality of patients’ records and protected health information. Thus, for example, in certain instances it may be appropriate to lower voices or request waiting patients stand a few feet away from patients with whom you are discussing treatment aspects, scheduling appointments, etc.
Access to protected patient information shall only be given to the following staff members : Administrative and Clinical Staff.
B. NOTICE AS TO USE AND DISCLOSURE OF PATIENT INFORMATION
The form Notice attached to this Policy shall be given to all patients at their first appointment. A copy of the signed and dated Notice must be maintained in each patient’s file.
The notice may be amended upon approval of Dr. Berkowitz. If the Notice is amended, it must be amended promptly and distributed to all patients who have been given the earlier version(s). No material change to the Notice will be implemented prior to the effective date shown on the revised notice.
C. CONSENT TO USE AND DISCLOSE PATIENT INFORMATION
The form Consent attached to this Policy is optional and may, at the option of Dr. Berkowitz, be presented to all patients with the notice. If it is used, it should be presented at their first appointment and prior to the disclosure of any of the patient’s protected health information, and must be signed and dated by the patient. A copy of the signed and dated Consent shall be kept in the patient’s file.
This form relates to the use or disclosure of any protected patient information in connection with treatment, payment or “health care operations.” (Health care operations include performance reviews, training, obtaining professional liability insurance, certification, accreditation and licensing.)
The Notice and Consent may not be combined on the same form.
D. AUTHORIZATION TO USE AND DISCLOSE PATIENT INFORMATION
If Dr. Berkowitz ever determines that protected patient information will be used or disclosed for any purpose other than in connection with treatment, payment or health care operations (defined above), then the patient must sign the form Authorization attached to this Policy. For example, this form would be appropriate where the patient’s information will be used to determine whether to hire the patient, making a disclosure of the information to a financial institution, marketing, etc.
Special rules apply (and additional items must be included in the form) where Dr. Berkowitz intends to use the protected health information for his own purposes, additional items are requested by Dr. Berkowitz in connection with disclosure by other third parties, or where the use or disclosure relates to research that includes the patient’s treatment.
A patient will not be refused treatment on the basis of his/her refusal to sign the Authorization form, unless the treatment will be used for research, in which case treatment may be refused at the option of Dr. Berkowitz. A patient may revoke the Authorization in writing at any time. In general, the form Authorization should be reviewed by legal counsel prior to signature by the patient.
E. “MINIMUM NECESSARY” USE AND DISCLOSURE OF PATIENT INFORMATION FOR NON-TREATMENT PURPOSES
Wide latitude is given as to the use or disclosure of patient information for purposes of treatment. Thus, any information that Dr. Berkowitz deems appropriate will be used or disclosed.
However, if the use or disclosure of protected patient information occurs for any other reason (i.e., for payment, reimbursement or health care operations, etc.), the information used, disclosed or requested must be limited to the minimum degree necessary to accomplish the purpose for which the use, disclosure or request is made. (Note that this restriction does not apply to uses or disclosures of the information to the patient to whom the information relates.)
F. DISCLOSURES TO SERVICE PROVIDERS
Any disclosure to service providers by this office (i.e., labs, collection agencies, attorneys, accountants, etc.) may only occur after certain safeguards are in place. Namely, there must be a written agreement substantially in the form attached to this Policy prior to the release of any protected patient information. Because there are special rules in the privacy regulations relating to vendors and unique state laws, the attached form should be reviewed by legal counsel prior to signature.
VI. SPECIFIC PATIENT REQUESTS
A. FOR RESTRICTIONS ON USE AND DISCLOSURE
Patients may request restrictions on the use and disclosure of their protected health information. However, we are not obligated to honor these requests. But if we elect to honor the request, we must adhere to it. Any denial must be in writing.
B. FOR COMMUNICATION OF THEIR INFORMATION
Patients have the right to request confidential communication of their protected health information. For example, they may request that the information be communicated by alternative means (i.e., sending correspondence to their office rather than to their home). If such a request is made, it should be in writing and we will abide by that request as long as it is reasonable. We are not allowed to inquire as to the reason(s) for the request.
C. FOR INSPECTION AND COPIES OF THEIR RECORDS
Consistent with applicable ethics rules of the American Association of Orthodontists and the new privacy rules, we will provide patient records to them or their designee at any time. However, special permission from Dr. Berkowitz must be obtained prior to releasing the information if the information is compiled in anticipation of, or for use in, litigation or administrative (i.e., dental board) proceedings. (The new privacy rules do not require that the information be provided to the patient in those instances.) Any denial must be in writing.
We have 30 days after receiving a request for access or copies from a patient within which to provide the access or information, unless the data is maintained off-site, in which case we have 60 days from the date of the request. A 30-day extension may be obtained if, within the initial 30-day period, we provide written notice to the patient of the reasons for the delay and give a date on which we will provide a response.
D. TO ADMEND OR MODIFY THEIR HEALTH INFORMATION
From time to time, patients may request that their protected health information be modified. Generally, we will honor their requests. However, such requests will not be honored if the information is accurate and complete, or if we did not create the information.
If we honor the request, we must obtain a list of persons or entities that the patient wants us to inform of the amendment from the patient, along with the patient’s authorization to inform them. We must then undertake reasonable efforts to notify those persons or entities of the amendment.
If we deny the request, the denial must be in writing and advise the patient of (1) the reasons for the denial, (2) their right to submit a “written disagreement”, (3) his/her right to ask that the request to amend and our denial be included with any future disclosure of the subject information if not “written disagreement” is submitted, and (4) his/her right to file a complaint with the HHS Secretary.
We must respond to any request to amend health information within 60 days of receiving the request. An additional 30 days is allowed if, within the original 60-day period, we notify the patient of the reason(s) for the delay and provide a date on which we will provide a response.
E. FOR AN ACCOUNTING OF DISCLOSURES
If requested and unless an exception exists, we will provide patients with a written accounting of all disclosures of their protected health information that we have made for the period requested, but not to exceed six years from the date of the request.
Unless decided otherwise by Dr. Berkowitz, we will not provide disclosures relating to the following:
1. Treatment of the patient, including disclosures made to other treatment providers (i.e., their general dentist, periodontist, etc.);
2. Payment by or on behalf of the patient;
3. Health Care Operations (i.e., information disclosed in connection with performance reviews, training, certification, accreditation or licensing);
4. Disclosures made to the patient or those involved in the care of the patient;
5. Incidental disclosures (i.e., from sign-up sheets, overheard conversations, etc.);
6. Any disclosures that occurred pursuant to an Authorization signed by the patient or,
7. Any disclosures that occurred prior to April 14, 2003 .
We must respond to a patient’s request for an accounting of disclosures within 60 days of the request. We can obtain an additional 30 days to respond by, within the initial 60-day period, providing the patient with written notice of the reason(s) for the delay and giving a date on which a response will be provided.
Patients are entitled to one free accounting within a 12-month period. Any further requests for an accounting of disclosures may involve a reasonable fee, which will be determined by Dr. Berkowitz on a case-by-case basis.
VII. VIOLATION OF PRIVACY POLICY
Any violation of this Privacy Policy shall be grounds for discipline, including termination. Compliance with this Policy is required in addition to all other office personnel policies, if any.