HIPAA NOTICE OF PRIVACY PRACTICES
for the Healthcare Facility of:
Worcester Cosmetic & Restorative Dentistry
One West Boylston Street Suite #203
Worcester, MA 01605
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION under the HIPAA Omnibus Rule of 2013.
For purposes of this Notice, “us,” “we” and “our” refer to this Healthcare Facility, Worcester Cosmetic & Restorative Dentistry, and “you” or “your” refers to our patients (or their legal representatives as determined by us in accordance with state informed consent law). When you receive healthcare services from us, we will obtain access to your medical information (i.e. your health history). We are committed to maintaining the privacy of your health information and we have implemented numerous procedures to ensure that we do so.
The Federal Health Insurance Portability & Accountability Act of 2013, HIPAA Omnibus Rule, (formerly HIPAA 1996 & HI TECH of 2004) requires us to maintain the confidentiality of all your healthcare records and other identifiable patient health information (PHI) used by or disclosed to us in any form, whether electronic, on paper, or spoken. HIPAA is a Federal Law that gives you significant new rights to understand and control how your health information is used. Federal HIPAA Omnibus Rule and state law provide penalties for covered entities, business associates, and their subcontractors and records owners, respectively, that misuse or improperly disclose PHI.
Starting April 14, 2003, HIPAA requires us to provide you with the Notice of our legal duties and the privacy practices we are required to follow when you first come into our office for health-care services. If you have any questions about this Notice, please ask to speak to our HIPAA Privacy Officer.
Our doctors, clinical staff, employees, Business Associates (outside contractors we hire), their subcontractors and other involved parties follow the policies and procedures set forth in this Notice.
OUR RULES ON HOW WE MAY USE AND DISCLOSE YOUR PROTECTED HEALTH INFORMATION
Under the law, we must have your signature on a written, dated Consent Form and/or an Authorization Form of Acknowledgement of this Notice, before we will use or disclose your PHI for certain purposes as detailed in the rules below.
Documentation – You will be asked to sign an Authorization / Acknowledgement form when you receive this Notice of Privacy Practices. If you did not sign such a form or need a copy of the one you signed, please contact our Privacy Officer. You may take back or revoke your consent or authorization at any time (unless we already have acted based on it) by submitting our Revocation Form in writing to us at our address listed above. Your revocation will take effect when we actually receive it.
General Rule – If you do not sign our authorization/ acknowledgement form or if you revoke it, as a general rule (subject to exceptions described below under “Healthcare Treatment, Payment and Operations Rule” and “Special Rules”), we cannot in any manner use or disclose to anyone (excluding you, but including payers and Business Associates) your PHI or any other information in your medical record. By law, we are unable to submit claims to payers under assignment of benefits without your signature on our authorization/ acknowledgement form. You will however be able to restrict disclosures to your insurance carrier for services for which you wish to pay “out of pocket” under the new Omnibus Rule. We will not condition treatment on you signing an authorization / acknowledgement, but we may be forced to decline you as a new patient or discontinue you as an active patient if you choose not to sign the authorization/ acknowledgement or revoke it.
Healthcare Treatment, Payment and Operations Rule
With your signed consent, we may use or disclose your PHI in order:
· To provide you with or coordinate healthcare treatment and services. For example, we may review your health history form to form a diagnosis and treatment plan or consult with other doctors about your care.
· To bill or collect payment from you, an insurance company, a managed-care organization, a health benefits plan or another third party. Remember, you will be able to restrict disclosures to your insurance carrier for services for which you wish to pay “out of pocket” under this new Omnibus Rule.
· To run our office, assess the quality of care our patients receive and provide you with customer service. We may call you by name from the waiting room, or our Privacy Officer may review your records to assist you with complaints.
· The new HIPAA Omnibus Rule does not require that we provide the above notice regarding Appointment Reminders, Treatment Information or Health Benefits, but we are including these as a courtesy so you understand our business practices with regard to your protected health information (PHI).
Notwithstanding anything else contained in this Notice, only in accordance with applicable HIPAA Omnibus Rule, and under strictly limited circumstances, we may use or disclose your PHI without your permission, consent or authorization for the following purposes:
· When required under federal, state or local law
· When necessary in emergencies to prevent a serious threat to your health and safety or the health and safety of other persons
· For Worker’s Compensation purposes (i.e. we may disclose your PHI if you have claimed health benefits for a work-related injury or illness)
· To family members, friends and others, but only if you are present and verbally give permission. We give you an opportunity to object and if you do not, we reasonably assume, based on our professional judgment and the surrounding circumstances, that you do not object.
Minimum Necessary Rule
Our staff will not use or access your PHI unless it is necessary to do their jobs (i.e. doctors uninvolved in your care will not access your PHI; ancillary clinical staff caring for you will not access your billing information; billing staff will not access your PHI except as needed to complete the claim form for the latest visit; janitorial staff will not access your PHI). All of our team members are trained in HIPAA Privacy rules and sign strict Confidentiality Contracts with regards to protecting and keeping private your PHI. So do our Business Associates and their Subcontractors. Know that your PHI is protected several layers deep with regards to our business relations. Also, we disclose to others outside our staff, only as much of your PHI as is necessary to accomplish the recipient’s lawful purposes. Still in certain cases, we may use and disclose the entire contents of your medical record:
· To you (and your legal representatives as stated above) and anyone else you list on a Consent or Authorization to receive a copy of your records
· To healthcare providers for treatment purposes (i.e. making diagnosis and treatment decisions or agreeing with prior recommendations in the medical record)
· To the U.S. Department of Health and Human Services (i.e. in connection with a HIPAA complaint)
· To others as required under federal or state law
· To our privacy officer and others as necessary to resolve your complaint or accomplish your request under HIPAA (i.e. clerks who copy records need access to your entire medical record)
In accordance with HIPAA law, we presume that requests for disclosure of PHI from another Covered Entity (as defined in HIPAA) are for the minimum necessary amount of PHI to accomplish the requestor’s purpose. Our Privacy Officer will individually review unusual or non-recurring requests for PHI to determine the minimum necessary amount of PHI and disclose only that. For non-routine requests or disclosures, our Privacy Officer will make a minimum necessary determination based on, but not limited to, the following factors:
· The amount of information being disclosed
· The number of individuals or entities to whom the information is being disclosed
· The importance of the use or disclosure
· The likelihood of further disclosure
· Whether the same result could be achieved with de-identified information
· The technology available to protect confidentiality of the information
· The cost to implement administrative, technical and security procedures to protect confidentiality
If we believe that a request from others for disclosure of your entire medical record is unnecessary, we will ask the requestor to document why this is needed, retain that documentation and make it available to you upon request.
Incidental Disclosure Rule
We will take reasonable administrative, technical and security safeguards to ensure the privacy of your PHI when we use or disclose it (i.e. we shred all paper containing PHI, require employees to speak with privacy precautions when discussing PHI with you, we use computer passwords and change them periodically (i.e. when an employee leaves us), we use firewall and router protection to the federal standard, we back up our PHI data off-site and encrypted to federal standard, we do not allow unauthorized access to areas where PHI is stored or filed and/or we have any unsupervised business associates sign Business Associate Confidentiality Agreements).
However, in the event that there is a breach in protecting your PHI, we will follow Federal Guidelines to HIPAA Omnibus Rule Standard to first evaluate the breach situation using the Omnibus Rule, 4-Factor Formula for Breach Assessment. Then we will document the situation, retain copies of the situation on file, and report all breaches (other than low probability as prescribed by the Omnibus Rule) to the US Department of Health and Human Services at:
We will also make proper notification to you and any other parties of significance as required by HIPAA Law.
Business Associate Rule
Business Associates are defined as: an entity, (non-employee) that in the course of their work will directly / indirectly use, transmit, view, transport, hear, interpret, process or offer PHI for this Facility.
Business Associates and other third parties (if any) that receive your PHI from us will be prohibited from re-disclosing it unless required to do so by law or you give prior express written consent to the re-disclosure. Nothing in our Business Associate agreement will allow our Business Associate to violate this re-disclosure prohibition. Under Omnibus Rule, Business Associates will sign a strict confidentiality agreement binding them to keep your PHI protected and report any compromise of such information to us, you and the [COUNTY] Department of Health and Human Services, as well as other required entities. Our Business Associates will also follow Omnibus Rule and have any of their Subcontractors that may directly or indirectly have contact with your PHI, sign Confidentiality Agreements to Federal Omnibus Standard.
Super-confidential Information Rule
If we have PHI about you regarding communicable diseases, disease testing, alcohol or substance abuse diagnosis and treatment, or psychotherapy and mental health records (super-confidential information under the law), we will not disclose it under the General or Healthcare Treatment, Payment and Operations Rules.
Changes to Privacy Policies Rule
We reserve the right to change our privacy practices (by changing the terms of this Notice) at any time as authorized by law. The changes will be effective immediately upon us making them. Also, upon request, you will be given a copy of our current Notice.
We will not use or disclose your PHI for any purpose or to any person other than as stated in the rules above without your signature on our specifically worded, written Authorization / Acknowledgement Form (not a Consent or an Acknowledgement). If we need your Authorization, we must obtain it via a specific Authorization Form, which may be separate from any Authorization / Acknowledgement we may have obtained from you. We will not condition your treatment here on whether you sign the Authorization (or not).
Marketing and Fund Raising Rules
WCRD does not participate in such practices.
Improvements to Requirements for Authorizations Related to Research
Under HIPAA Omnibus Rule, we may seek authorizations from you for the use of your PHI for future research. However, we would have to make clear what those uses are in detail.
YOUR RIGHTS REGARDING YOUR PROTECTED HEALTH INFORMATION
If you got this Notice via email or website, you have the right to get, at any time, a paper copy by asking our Privacy Officer. Also, you have the following additional rights regarding PHI we maintain about you:
To Inspect and Copy
You have the right to see and get a copy of your PHI including, but not limited to, medical and billing records by submitting a written request to our Privacy Officer. Original records will not leave the premises, will be available for inspection only during our regular business hours, and only if our Privacy Officer is present at all times. You may ask us to give you the copies in a format other than photocopies (and we will do so unless we determine that it is impractical) or ask us to prepare a summary in lieu of the copies. We may charge you a fee not to exceed state law to recover our costs (including postage, supplies, and staff time as applicable, but excluding staff time for search and retrieval) to duplicate or summarize your PHI. We will not condition release of the copies or summary on payment of your outstanding balance for professional services (if you have one). We will comply with Federal Law to provide your PHI in an electronic format within 30 days, to Federal specification, when you provide us with a proper written request. A paper copy will also be made available.
To Request Amendment / Correction
If another doctor involved in your care tells us in writing to change your PHI, we will do so as expeditiously as possible upon receipt of the changes and will send you written confirmation that we have made the changes. If you think PHI we have about you is incorrect, or that something important is missing from your records, you may ask us to amend or correct it (so long as we have it) by submitting a “Request for Amendment / Correction” form to our Privacy Officer. We may deny your request under certain circumstances.
To an Accounting of Disclosures
You may ask us for a list of those who got your PHI from us by submitting a “Request for Accounting of Disclosures” form to us.
To Request Restrictions
You may ask us to limit how your PHI is used and disclosed (i.e. in addition to our rules as set forth in this Notice) by submitting a written “Request for Restrictions on Use, Disclosure” form to us (i.e. you may not want us to disclose your surgery to family members or friends involved in paying for our services or providing your home care).
To Request Alternative Communications
You may ask us to communicate with you in a different way or at a different place by submitting a written “Request for Alternative Communication” Form to us. We will not ask you why and we will accommodate all reasonable requests (which may include: to send appointment reminders in closed envelopes rather than by postcards, to send your PHI to a post office box instead of your home address, to communicate with you at a telephone number other than your home number). You must tell us the alternative means or location you want us to use and explain to our satisfaction how payment to us will be made if we communicate with you as you request.
To Complain or Get More Information
We will follow our rules as set forth in this Notice. If you want more information or if you believe your privacy rights have been violated (i.e. you disagree with a decision of ours about inspection / copying, amendment / correction, accounting of disclosures, restrictions or alternative communications), we want to make it right. We never will penalize you for filing a complaint. To do so, please file a formal, written complaint within 180 days with:
The U.S. Department of Health & Human Services
Office of Civil Rights
200 Independence Ave., S.W.
Washington, DC 20201 877.696.6775
Or, submit a written Complaint form to us at the following address:
Worcester Cosmetic & Restorative Dentistry
One West Boylston St. Suite #203
Worcester, MA 01605
Email: [email protected]
These privacy practices are in accordance with the original HIPAA enforcement effective April 14, 2003, and updated to Omnibus Rule effective March 26, 2013, and will remain in effect until we replace them as specified by Federal and/or State Law.