This web site is provided for
information and education purposes only. No doctor/patient
relationship is established by your use of this site. No
diagnosis or treatment is being provided. The information
contained here should be used in consultation with a dentist of
your choice. No guarantees or warranties are made regarding any
of the information contained within the web site. This web site
is not intended to offer specific medical or dental advice to
anyone. Dr. Michael Leach is licensed to practice in the state
of Georgia and this web site is not intended to solicit patients
from other states. Further, this web site and Dr. Michael Leach take no responsibility for web sites
hyper-linked to this site and such hyper-linking does not imply
any relationships or endorsements.
Copyright: Information and names within this web site may be
subject to copyright and trademark protection with all rights
reserved. Duplication or use without the expressed written
permission by Michael Leach, D.D.S., subjects the violator to
both civil and criminal penalties.
HEALTH INFORMATION PRIVACY
POLICIES & PROCEDURES
These Health Information Privacy
Policies & Procedures implement our obligations to protect the
privacy of individually identifiable health information that we
create, receive, or maintain as a healthcare provider.
We implement these Health Information Privacy Policies and
Procedures as a matter of sound business practice; to protect
the interests of our patients; and to fulfill our legal
obligations under the Health Insurance Portability and
Accountability Act of 1996 ("HIPAA"), its implementing
regulations at 45 CFR Parts 160 and 164 (65 Fed. Reg. 82462 (Dec.
28, 2000)) ("Privacy Rules"), as amended (67 Fed. Reg. 53182
[Aug. 14, 2002]), and state law that provides greater protection
or rights to patients than the Privacy Rules.
As a member of our workforce or as our Business Associate, you
are obligated to follow these Health Information Privacy
Policies & Procedures faithfully. Failure to do so can result in
disciplinary action, including termination of your employment or
affiliation with us.
These Policies & Procedures address the basics of HIPAA and the
Privacy Rules that apply in our dental practice. They do not
attempt to cover everything in the Privacy Rules. The Policies &
Procedures sometimes refer to forms we use to help implement the
policies and to the Privacy Rules themselves when added detail
may be needed.
Please note that while the Privacy Rules speak in terms of
"individual" rights and actions, these Policies & Procedures use
the more familiar word "patient" instead; "patient" should be
read broadly to include prospective patients, patients of
record, former patients, their authorized representatives, and
any other "individuals" contemplated in the Privacy Rules.
If you have questions or doubts about any use or disclosure of
individually identifiable health information or about your other
obligations under these Health Information Privacy Policies &
Procedures, the Privacy Rules or other federal or state law,
please contact our office. This policy was adopted effective
4/14/03.
1. General Rule: No Use or Disclosure
Our dental office must not use or disclose protected health
information (PHI), except as these Privacy Policies & Procedures
permit or require.
2. Acknowledgement and Optional Consent
Our dental office will make a good faith effort to obtain a
written acknowledgement of receipt of our Notice of Privacy
Practices (see Section 9) from a patient before we use or
disclose his or her protected health information (PHI) for
treatment, to obtain payment for that treatment, or for our
healthcare operations (TPO).
Our dental office’s use or disclosure of PHI for our payment
activities and healthcare operations may be subject to the
minimum necessary requirements (see Section 7).
Our dental office will become familiar with our state’s privacy
laws. If required by our state law, or as directed by the
dentist, we will also seek Consent from a patient before we use
or disclose PHI for TPO purposes – in addition to obtaining an
Acknowledgement of receipt of our Notice of Privacy Practices.
a) Obtaining Consent – If consent is to be obtained, upon the
individual’s first visit as a patient (or next visit if already
a patient), our dental office will request and obtain the
patient’s written Consent for our use and disclosure of the
patient’s PHI for treatment, payment, and healthcare operations.
Any consent we obtain must be on our Consent form, which we may
not alter in any way. Our dental office will include the signed
Consent form in the patient’s chart.
b) Exceptions – Our dental office does not have to obtain the
patient’s Consent in emergency treatment situations; when
treatment is required by law; or when communications barriers
prevent consent.
c) Consent Revocation – A patient from whom we obtain consent
may revoke it at any time by written notice. Our dental office
will include the revocation in the patient’s chart. There is
space at the bottom of our Consent form where the patient can
revoke the consent.
d) Applicability – Consent for use or disclosure of PHI should
not be confused with informed consent for dental treatment. This
section applies to our practice.
3. Authorization
In some cases we must have proper, written Authorization from
the patient (or the patient’s personal representative) before we
use or disclose a patient’s PHI for any purpose (except for TPO
purposes) or as permitted or required without consent or
authorization (see Sections 3, 4, or 5).
Our dental office will use the Authorization form. We will
always act in strict accordance with an Authorization.
a) Authorization Revocation – A patient may revoke an
authorization at any time by written notice. Our dental office
will not rely on an Authorization we know has been revoked.
b) Authorization from Another Provider – Our dental office will
use or disclose PHI as permitted by a valid Authorization we
receive from another healthcare provider.
Our dental office may rely on that covered entity to have
requested only the minimum necessary protected PHI. Therefore,
our dental office will not make our own "minimum necessary"
determination, unless we know that the Authorization is
incomplete, contains false information, has been revoked, or has
expired.
c) Authorization Expiration – Our dental office will not rely on
an Authorization we know has expired.
4. Oral Agreement
Our dental office may use or disclose a patient’s PHI with the
patient’s Oral Agreement or, if the patient is unavailable,
subject to all applicable requirements.
Our dental office may use professional judgment and our
experience with common practice to make reasonable inferences of
the patient’s best interest in allowing a person to act on
behalf of the patient to pick up dental/medical supplies,
X-rays, or other similar forms of PHI.
5. Permitted Without Acknowledgement, Consent, Authorization or
Oral Agreement
Our dental office may use or disclose a patient’s PHI in certain
situations, without Authorization or Oral Agreement. In our
dental office, these disclosures are not likely to be frequent.
a) Verification of Identity – Our dental office will always
verify the identity of any patient, and the identity and
authority of any patient’s personal representative, government
or law enforcement official, or other person, unknown to us, who
requests PHI before we will disclose the PHI to that person.
Our dental office will obtain appropriate identification and, if
the person is not the patient, evidence of authority. Examples
of appropriate identification include a photographic
identification card, a government identification card or badge,
and an appropriate document on government letterhead. Our dental
office will document the incident and how we responded.
b) Uses or Disclosures Permitted under this Section 5 – The
situations in which our dental office is permitted to use or
disclose PHI in accordance with the procedures set out in this
Section 5 are listed below.
Our dental office may disclose a patient’s PHI to that patient
on request.
Our dental office may disclose to a patient’s personal
representative PHI relevant to the representative capacity. We
will not disclose to a personal representative we reasonably
believe may be abusive to a patient any PHI we reasonably
believe may promote or further such abuse.
Our dental office will not use or disclose a patient’s PHI for
fundraising purposes without the patient’s Authorization.
Our dental office will not use or disclose PHI for marketing
without a patient’s Authorization unless the marketing is in the
form of a promotional gift of nominal value that we provide, or
face-to-face communications between us and the patient.
Our dental office may use or disclose PHI in the following types
of situations, provided procedures specified in the Privacy
Rules are followed:
For public health activities;
To health oversight agencies;
To coroners, medical examiners, and funeral directors;
To employers regarding work-related illness or injury;
To the military;
To federal officials for lawful intelligence,
counterintelligence, and national security activities;
To correctional institutions regarding inmates;
In response to subpoenas and other lawful judicial processes;
To law enforcement officials;
To report abuse, neglect, or domestic violence;
As required by law;
As part of research projects; and
As authorized by state worker’s compensation laws.
6. Required Disclosures
Our dental office will disclose protected health information
(PHI) to a patient (or to the patient’s personal representative)
to the extent that the patient has a right of access to the PHI
(see Section 10); and to the U.S. Department of Health and Human
Services (HHS) on request for complaint investigation or
compliance review.
Our dental office will use the disclosure log to document each
disclosure we make to HHS.
7. Minimum Necessary
Our dental office will make reasonable efforts to disclose, or
request of another covered entity, only the minimum necessary
protected health information (PHI) to accomplish the intended
purpose.
There is no minimum necessary requirement for disclosures to or
requests by one another in our dental office or by a healthcare
provider for treatment; permitted or required disclosures to, or
for disclosure requested and authorized by, a patient;
disclosures to HHS for compliance reviews or complaint
investigations; disclosures required by law; or uses or
disclosures required for compliance with the HIPAA
Administrative Simplification Rules.
a) Routine or Recurring Requests or Disclosures – Our dental
office will follow the policies and procedures that we adopt to
limit our routine or recurring requests for or disclosures of
PHI to the minimum reasonably necessary for the purpose.
b) Non-Routine or Non-Recurring Requests or Disclosures – No
non-routine or non-recurring request for or disclosure of PHI
will be made until it has been reviewed on a patient-by-patient
basis against our criteria to ensure that only the minimum
necessary PHI for the purpose is requested or disclosed.
c) Other’s Requests – Our dental office will rely, if reasonable
for the situation, on a request to disclose PHI being for the
minimum necessary, if the requester is: (a) a covered entity;
(b) a professional (including an attorney or accountant) who
provides professional services to our practice, either as a
member of our workforce or as our Business Associate, and who
represents that the requested information is the minimum
necessary; (c) a public official who represents that the
information requested is the minimum necessary; or (d) a
researcher presenting appropriate documentation or making
appropriate representations that the research satisfies the
applicable requirements of the Privacy Rules.
d) Entire Record – Our dental office will not use, disclose, or
request an entire record, except as permitted in these Policies
& Procedures or standard protocols that we adopt reflecting
situations when it is necessary.
e) Minimum Necessary Workforce Use – Our dental office will use
only the minimum necessary PHI needed to perform our duties.
8. Business Associates
Our dental office will obtain satisfactory assurance in the form
of a written contract that our Business Associates will
appropriately safeguard and limit their use and disclosure of
the protected health information (PHI) we disclose to them.
These Business Associate requirements are not applicable to our
disclosures to a healthcare provider for treatment purposes. The
Business Associate Contract Terms document contains the terms
that federal law requires be included in each Business Associate
Contract.
a) Breach by Business Associate – If our dental office learns
that a Business Associate has materially breached or violated
its Business Associate Contract with us, we will take prompt,
reasonable steps to see that the breach or violation is cured.
If the Business Associate does not promptly and effectively cure
the breach or violation, we will terminate our contract with the
Business Associate, or if contract termination is not feasible,
report the Business Associate’s breach or violation to the U.S.
Department of Health and Human Services (HHS).
9. Notice of Privacy Practices
Our dental office will maintain a Notice of Privacy Practices as
required by the Privacy Rules.
a) Our Notice – Our dental office will use and disclose PHI only
in conformance with the contents of our Notice of Privacy
Practices. We will promptly revise a Notice of Privacy Practices
whenever there is a material change to our uses or disclosures
of PHI, to legal duties, to the patients’ rights or to other
privacy practices that render the statements in that Notice no
longer accurate.
Form 1, Notice of Privacy Practices, found in this Privacy Kit,
contains the terms that federal law requires.
b) Distribution of Our Notice – Our dental office will provide
our Notice of Privacy Practices to any person who requests it,
and to each patient no later than the date of our first service
delivery after April 14, 2003.
Our dental office will have our Notice of Privacy Practices
available for patients to take with them. We will also post our
Notice of Privacy Practices in a clear and prominent location
where it is reasonable to expect patients seeking services from
us will be able to read the Notice.
c) Acknowledgement of Notice – Our dental office will make a
good faith effort to obtain from the patient a written
Acknowledgement of receipt of our Notice of Privacy Practices.
Our dental office shall use Form 2, Acknowledgement of Receipt
of Notice of Privacy Practices, found in this Privacy Kit, to
obtain the Acknowledgement. If we cannot obtain written
Acknowledgement from the patient, we will use the form to
document our attempt and the reason why written Acknowledgement
was not signed by the patient.
10. Patients’ Rights
Our dental office will honor the rights of patients regarding
their PHI.
a) Access – With rare exceptions, our dental office must permit
patients to request access to the PHI we or our Business
Associates hold.
No PHI will be withheld from a patient seeking access unless we
confirm that the information may be withheld according to the
Privacy Rules. We may offer to provide a summary of the
information in the chart. The patient must agree in advance to
receive a summary and to any fee we will charge for providing
the summary. Our dental office will contact our Business
Associates to retrieve any PHI they may have on the patient.
b) Amendment – Patients have the right to request to amend their
PHI and other records for as long as our dental office maintains
them.
Our dental office may deny a request to amend PHI or records if:
(a) we did not create the information (unless the patient
provides us a reasonable basis to believe that the originator is
not available to act on a request to amend); (b) we believe the
information is accurate and complete; or (c) we do not have the
information.
Our dental office will follow all procedures required by the
Privacy Rules for denial or approval of amendment requests. We
will not, however, physically alter or delete existing notes in
a patient’s chart. We will inform the patient when we agree to
make an amendment, and we will contact our Business Associates
to help assure that any PHI they have on the patient is
appropriately amended. We will contact any individuals whom the
patient requests we alert to any amendment to the patient’s PHI.
We will also contact any individuals or entities of which we are
aware that we have sent erroneous or incomplete information and
who may have acted on the erroneous or incomplete information to
the detriment of the patient.
When we deny a request for an amendment, we will mark any future
disclosures of the contested information in a way acknowledging
the contest.
c) Disclosure Accounting – Patients have the right to an
accounting of certain disclosures our dental office made of
their PHI within the 6 years prior to their request. Each
disclosure we make that is not for treatment, payment, or
healthcare operations, must be documented showing the date of
the disclosure, what was disclosed, the purpose of the
disclosure, and the name and (if known) address of each person
or entity to whom the disclosure was made. The Authorization or
other documentation must be included in the patient’s record. We
use the patient’s chart to track each disclosure of PHI as
needed to enable us to fulfill our obligation to account for
these disclosures.
We are not required to account for disclosures we made: (a)
before April 14, 2003; (b) to the patient (or the patient’s
personal representative); (c) to or for notification of persons
involved in a patient’s healthcare or payment for healthcare;
(d) for treatment, payment, or healthcare operations; (e) for
national security or intelligence purposes; (f) to correctional
institutions or law enforcement officials regarding inmates;
(g) according to an Authorization signed by the patient or the
patient’s representative; or (h) incident to another permitted or
required use or disclosure.
We will temporarily suspend the accounting of any disclosure
when requested to do so according to the Privacy Rules
by health oversight agencies or law enforcement officials. We
may charge for any accounting that is more frequent than every
12 months, provided the patient is informed of the fee before
the accounting is provided. We will contact our Business
Associates to assure we include in the accounting any
disclosures made by them for which we must account.
d) Restriction on Use or Disclosure – Patients have the right to
request our dental office to restrict use or disclosure of their
PHI, including for treatment, payment, or healthcare operations.
We have no obligation to agree to the request, but if we do, we
will comply with our agreement (except in an appropriate
dental/medical emergency).
We may terminate an agreement restricting use or disclosure of
PHI by a written notice of termination to the patient. We will
contact our Business Associates whenever we agree to such a
restriction to inform the Business Associate of the restriction
and its obligations to abide by the restriction. We will
document in the patient’s chart any such agreed to restrictions.
e) Alternative Communications – Patients have the right to
request us to use alternative means or alternative locations
when communicating PHI to them. Our dental office will
accommodate a patient’s request for such alternative
communications if the request is reasonable and in writing.
Our dental office will inform the patient of our decision to
accommodate or deny such a request. If we agree to such a
request, we will inform our Business Associates of the agreement
and provide them with the information necessary to comply with
the agreement.
f) Applicability – Our dental office will be aware of and
respect these patients’ rights regarding their PHI, even though
in most situations patients are unlikely to exercise them.
11. Staff Training and Management, Complaint Procedures, Data
Safeguards, Administrative Practices
a) Staff Training and Management
* Training – Our dental office will train all members of our
workforce in these Privacy Policies & Procedures, as necessary
and appropriate for them to carry out their functions. We will
complete the privacy training of our existing workforce by April
14, 2003.
After April 14, 2003, our dental office will train each new
staff member within a reasonable time after the member starts.
We will also retrain each staff member whose functions are
affected either by a material change in our Privacy Policies and
Procedures or in the member’s job functions, within a reasonable
time after the change.
Form 7, Staff Review of Policies and Procedures, can be used to
have workforce members acknowledge they have received and read a
copy of these Policies and Procedures.
* Discipline and Mitigation – Our dental office will develop,
document, disseminate, and implement appropriate discipline
policies for staff members who violate our Privacy Policies &
Procedures, the Privacy Rules, or other applicable federal or
state privacy law.
Staff members who violate our Privacy Policies & Procedures, the
Privacy Rules or other applicable federal or state privacy law
will be subject to disciplinary action, possibly up to and
including termination of employment.
b) Complaints – Our dental office will implement procedures for
patients to complain about our compliance with our Privacy
Policies and Procedures or the Privacy Rules. We will also
implement procedures to investigate and resolve such complaints.
The Complaint form can be used by the patient to lodge the
complaint. Each complaint received must be referred to
management immediately for investigation and resolution. We will
not retaliate against any patient or workforce member who files
a Complaint in good faith.
c) Data Safeguards – Our dental office will "add to" and
strengthen these Privacy Policies & Procedures with such
additional data security policies and procedures as are needed
to have reasonable and appropriate administrative, technical,
and physical safeguards in place to ensure the integrity and
confidentiality of the PHI we maintain.
Our dental office will take reasonable steps to limit incidental
uses and disclosures of PHI made according to an otherwise
permitted or required use or disclosure.
d) Documentation and Record Retention – Our dental office will
maintain in written or electronic form all documentation
required by the Privacy Rules for six years from the date of
creation or when the document was last in effect, whichever is
greater.
e) Privacy Policies & Procedures – Only Dr. Michael Leach may
change these Privacy Policies & Procedures.
12. State Law Compliance
Our dental office will comply with the privacy laws of each
state that has jurisdiction over our practice, or its actions
involving protected health information (PHI), that provide
greater protections or rights to patients than the Privacy
Rules.
13. HHS Enforcement
Our dental office will give the U.S. Department of Health and
Human Services (HHS) access to our facilities, books, records,
accounts, and other information sources (including individually
identifiable health information without patient authorization or
notice) during normal business hours (or at other times without
notice if HHS presents appropriate lawful administrative or
judicial process).
We will cooperate with any compliance review or complaint
investigation by HHS, while preserving the rights of our
practice.
14. Designated Personnel
Our dental office will designate a Privacy Officer and other
responsible persons as required by the Privacy Rules.