The following privacy policies have been adopted and shall be utilized as a basis for our office/facility in handling, protecting and disclosing Protected Health Information (PHI). Any reference to Boston Dental Group or to the dentistry practice or office should be defined as Aliante Dental, Boston Dental, Brighton Dental, Fenway Dental, Happy Dental, Hola Dental, Friendly Dental, Discount Dental and / or Affordable Dental.
The privacy of patient information is very important to our patients and our office. It is important that we reasonably protect the patient’s health information in a way that helps keep the information within our facility yet allows our business to operate reasonably and efficiently so we may provide high-quality service to our clients. To that end, we adopt the following policies and will follow the policies to help ensure that our office does not improperly use and/or disclose protected information.Protected Health Information means and refers to any individually identifiable health information related to the patient. A patient is a current patient or former patient. Protected Health Information has a broad meaning and includes the name, as well as other demographic information, about the patient as well as health history and physical information, financial information and any other information related to the patient when this information can be used to identify the patient.
Our office has implemented a system that stores protected information in a manner that reasonably keeps it away from unauthorized personnel. We will use passwords on our computers and we will use screen savers that will blank the screen or remove from view protected information when we are not present at the computer or within a specific period of time. We will keep paper records closed so that protected information is not easily viewable by others in our office. Reports, papers with protected information and other documents are to be reasonably kept in a fashion that does not easily allow viewing by others.
For the privacy of our patients we either use a privacy protected sign in sheet or no sign in sheet.
Each of our employees that have access to Protected Health Information will be trained using our internal training procedures. The employees shall abide by the privacy rules. All new employees shall go through privacy training. Each employee that will have access to Protected Health Information, as described in 45 CFR 164, shall sign a document indicating completion of training. Each employee shall review these policies. We will train each employee within a reasonable time after the employee starts working in our office.DISCIPLINE: We will maintain a policy that, when and if an employee violates these policies or applicable rules we promulgate in our office to supplement these policies, the employee will be disciplined by receiving notice of the infraction and/or violation. We will then take the action necessary to correct the problem with the employee, which may include termination of employment. We believe that compliance with Federal Privacy Regulations is important to our office and to our patients and we will take appropriate disciplinary action when an employee fails to abide by the regulations and these policies.
We shall appoint a privacy officer. The officer will ensure that these policies are followed. We will be using a software based Privacy Manager system and the privacy officer will work to ensure that the software is used to manage the privacy process. The officer shall also ensure that each employee is properly trained, as specified in paragraph 4. This officer, or a separate person, shall act as a complaint manager as well. Complaints received regarding any privacy violations shall be tracked and handled by the officer. Our privacy and complaint officer is Connie Trofibio.
All patients shall review and receive upon request a notice of their rights under HIPAA, except for minor patients. For minor patients that have not been emancipated, a copy of the privacy rights shall be provided to the parent or legal guardian. The patient shall be notified of their rights under the law as well as a statement about our privacy practices. The patient shall acknowledge receipt of the notice or we shall record, electronically or otherwise, that such acknowledgement was requested, but the patient would not sign it. A record shall be kept noting the patient has received the notice of rights and the acknowledgement form.
Unless provided for in these policies or by applicable Federal law, we will not disclose Protected Health Information without the authorization of or specific consent of the patient.We will notify each patient of their Privacy Rights pursuant to our Notice of Privacy Practices and Rights and attempt to receive acknowledgement of these rights from the patient before we use or disclose his or her Protected Health Information for Treatment, Payment or Operation purposes as described below. Our policy is to disclose only the minimum necessary information for payment and operation reasons when such use or disclosure is required. We may rely on the representations of our Business Associates, as described below, when determining what information is required when disclosing for purposes of payment or operations.If there are additional state requirements governing how we must protect, use, disclose or notify patients in regard to their rights, we will provide such information in additional to the information provided for in these policies.We need not obtain consent from the patient to use or disclose for Treatment, Payment or Operations (TPO) reasons, as described below. However, we will ensure that the patient has received a Notice of Privacy Practices and Rights as well the opportunity to acknowledge receipt of the Notice.In the event we need to receive consent from a patient for use or disclosure not provided for pursuant to these policies, we will do so by providing the patient with our consent form. We will not disclose information that is not allowed to be disclosed under these policies or applicable state or federal law without the patient’s consent.We may also seek authorization from a patient that provides us with the ability to use and disclose information without specific consent for each disclosure. An authorization must be in writing and must set forth-specific circumstances for which we may use or disclose Protected Health Information.A patient may revoke their consent in writing. When we have received notice of the revocation, we will no longer disclose following receipt of the revocation. The patient properly authorized anything disclosed prior to the revocation.ORAL AGREEMENT: In certain circumstances, we may not be able to obtain consent or authorization from the patient as described above. In these rare circumstances, we may rely on the patient’s oral agreement for disclosure of Protected Health Information. Sometimes, in emergency circumstances, a patient may not be able to give consent or is unavailable to provide consent. In these circumstances, we will use our best professional judgment before acting on behalf of the patient. If the patient requests to see their PHI, we may provide that information to them. We may disclose, to a patient’s personal representative, PHI that is relevant to the representative in their capacity as representative.We may need to determine the identity of a patient to verify the patient may give consent or authorization. In these rare circumstances, we may obtain appropriate identification before allowing consent or authorization for disclosure.IN OUR OFFICE WHEN OTHERS ARE PRESENT: If others are present in our office, such as when services are being performed and others may be able to hear information about treatment, we will obtain oral consent from the patient and offer the patient a private area for discussion prior to discussing Protected Health Information related to treatment options, condition or diagnosis. We will notify the patient that we may be discussing these areas of information and specifically ask if the patient would like a private area to discuss the information, when practical.
MARKETING AND FUNDRAISING: We will not disclose information for fundraising purposes with the patient’s authorization or consent. We will only provide marketing communications when we believe the communication is provided for purposes of the patient’s treatment.
TREATMENT, PAYMENT and OPERATION DISCLOSURES: We may, without consent of the patient, disclose Protected Health Information for activities related to treatment, payment or healthcare operations. Treatment disclosures shall mean and refer to disclosures for treatment purposes, including coordinating and managing care of the patient, to another healthcare provider. Payment disclosures shall mean and refer to disclosures for payment purposes such as billing service organizations, health plans and other organizations that may provide services or products that relate to payment for services and products provided by our office. Operation disclosures shall mean and refer to disclosures that relate to the management and direct operations of our business so it may provide care to patients. These services may include, but are not limited to, training programs, computer services, attorneys and accountants.
For TREATMENT disclosures to another entity covered by the Federal privacy regulations (45 CFR 160 and 164), our office may make disclosures without an agreement with the other covered entity treatment provider. This is because the other provider is already covered by these regulations. With respect to treatment disclosures, our office is not subject to the minimum necessary rule. In some circumstances, we may obtain a Business Associate agreement with other treatment providers ensuring that the provider will comply with these policies and the Federal privacy regulations.
For PAYMENT disclosures, our office will disclose only the minimum necessary information for the payment associate entity to do its job for us. We will ensure that a Business Associate agreement, as defined below, is obtained prior to making any PAYMENT disclosure, when such an agreement is required under the law or pursuant to these policies.
For OPERATIONS disclosures, our office will disclose only the minimum necessary information to the other entity in order for the entity to do its job. We will ensure that a Business Associate agreement, as defined below, is obtained prior to making any OPERATION disclosure.
OTHER DISCLOSURES WE MAY MAKE: We may make disclosures, without consent or authorization, in certain circumstances. These circumstances include those defined above as well as: 1) for public health purposes; 2) to avoid a potential serious public health crisis; 3) to employers regarding work-related illness or injury; 4) to federal officials for lawful intelligence or counterintelligence activities; 5) to correctional institutions regarding inmates; 6) in response to subpoenas or other valid legal process; 7) to law enforcement officials, subject to the privacy rules governing such disclosures; 8.) to report abuse, neglect or domestic violence; 9) for worker’s compensation purposes; 10) as part of authorized research projects; or 11) as otherwise required by law. In making any of the aforementioned disclosures, all requirements set forth in the Federal privacy laws will be met prior to disclosure.
REGULATORY AND AUDIT DISCLOSURES: We may be required to provide information to authorized enforcement and regulatory agencies from time to time. Such information will be provided subject to the law and pursuant to the requests of the authorized agency. We may disclose information for audit purposes and for complaint management, upon request, to the United States Department of Health and Human Services.
MINIMUM NECESSARY INFORMATION ONLY: We will make reasonable efforts to disclose only the minimum necessary information to the receiving party pursuant to applicable state and federal requirements. We are not required to apply the minimum necessary rule to disclosures made for Treatment, as described above, for disclosures to the patient, disclosures to the Department of Health and Human Services for compliance reviews or complaint investigations, disclosures required by law or use or disclosures required to comply with the federal Health Insurance Portability and Accountability Act provisions. Within our office, we will also follow the minimum necessary rule in our use of a patient’s Protected Health Information.
BUSINESS ASSOCIATES: In the event our office utilizes the services of Business Associates that will use or that we will disclose Protected Health Information to, we will obtain satisfactory assurances, in the form of written contracts, from those Associates with respect to their use and/or disclosure of Protected Health Information. We will prepare Business Associate agreements and track the agreements. Prior to releasing Protected Health Information to a Business Associate, other than to another Healthcare Provider that is a covered-entity under the HIPAA Privacy Regulations, we will obtain the appropriate assurances through the Business Associate agreement. We may not be able to obtain Business Associate agreements in very rare circumstances, such as emergency situations, prior to disclosing Protected Health Information. However, we will obtain the assurances as soon as reasonably possible in such situations.
If our office learns that a Business Associate is not following its obligations pursuant to our agreement with them, we will take prompt, reasonable action to ensure the breach is stopped. We may even terminate our agreement in certain circumstances and take appropriate action by reporting the Business Associate’s actions to the United States Department of Health and Human Services.
Our office will provide a Notice of Privacy Practices and Rights to each patient we provide services to prior to providing the service to the patient. If we are disclosing information about a patient after April 14, 2003 and we have not yet provided a notice to that patient, we will do so prior to the disclosure of Protected Health Information. We will provide the notice in writing to the patient. We will allow the patient to request copies of the notice as well. We will provide each patient with an Acknowledgement of Receipt of the Notice that they will be asked to sign. If they refuse or cannot sign the acknowledgement, we will note such status in the Privacy Management system we utilize or keep a copy of the refusal or notes regarding inability to acknowledge in our files.
ACCESS: Pursuant to the Privacy Regulations, our office will provide patients access to their Protected Health Information for review and copying. We will charge reasonable fees for time and photocopying of records. We may also provide the information in other forms, as long as reasonable and practical, upon the patient’s request. Reasonable fees for preparation of the information will be charged to the patient. We may also be asked to provide access to Protected Health Information held by our Business Associates. In such case, we will, in a reasonable period, obtain this information and make it available to the patient for review in our office or we will provide copies of the information. In all cases, reasonable fees for preparation and photocopying may be charged to the patient. In some cases, we may not allow access to information. We will only restrict or withhold access when required or allowed by Federal law.AMENDMENT: Pursuant to the Privacy Regulations, patients may request that we amend their records. We will make a decision regarding the amendment based on the documentation provided by the patient. Amendment does not require us to delete information from the record. We may allow the patient to add information to the record or, if we believe it is appropriate, we may change the record based on the request of the patient. If we did not create the information (unless the entity that did is not available to allow the amendment), we believe the information is accurate and complete or if we do not have the information, we may deny the patient’s request to amend.We will follow the Federal Privacy regulations when determining if it is appropriate to allow or deny a patient’s amendment request. As noted above, we will not physically delete or alter information already contained in the patient’s record. We will, however, allow information to be added, when appropriate under the rules and within our professional judgment, as noted above. In the event we agree to make an amendment, we will notify our Business Associates that may have the patient’s PHI, of the amendment, so they may adjust their records as well. If we sent out information that was erroneous or incorrect in regard to the PHI, we will reasonably notify any entity that may have received the erroneous information. In the event we deny a patient’s request for amendment, in any future disclosure of PHI, we will note in the record that we denied a request for amendment.DISCLOSURE ACCOUNTING: We will provide accountings of disclosures as required by law. Under the law, we are required to keep track of certain disclosures we make of a patient’s PHI. The rules do not require us to track disclosures for purposes of Treatment, Payment or Operations, as described above. We do not need to track disclosures related to national security, to correctional institutions regarding inmates or when provided for in an Authorization by the patient or his/her personal representative. We may suspend accounting if required to do so or allowed for under the Privacy Rules or authorized regulatory agency. We will use the software based tracking system to account for the disclosures that we make. We may charge for an accounting that is more frequent than every twelve (12) months. The patient will be notified of the fees for such an accounting. We are also required to provide an accounting of disclosures made by our Business Associates. Upon request by the Patient, we will notify our Business Associates of the requirement that they provide an accounting of any permissible disclosures they have made.REQUEST TO RESTRICT DISCLOSURE: Patients may request that we restrict disclosures that we make of their Protected Health Information. We have no obligation to comply with these requests, but if we do, we will comply with the restriction. Any request must be made in writing. If we do agree to the request, we may still disclose the information if it is required in an emergency situation. If we agree to a restriction, we will promptly notify any affected Business Associate. We may terminate the restriction by giving written notice to the patient of our decision to do so. We will use the software based management system to track any restrictions.ALTERNATIVE COMMUNICATIONS: Patients have the right to ask us to use alternative ways or locations when communicating PHI to them. Our office will accommodate such requests when made in writing and when such request is reasonable. Our office will notify the patient of our decision to accommodate any of this type of request. We will notify the patient of what will be required in order for us to meet their request. In some cases, there may be a fee associated with meeting a patient in an alternate location. The fee will be reasonable and we will only accommodate when such request and location are reasonable.
We will utilize our software based Privacy Manager to document our privacy practices and actions. Our internal policy to use the Privacy Manager to track information and to assist in our management of privacy related activities. It shall be the duty of the designated Privacy Officer to ensure employees are following these policies and using the Privacy Management software to track our privacy related activities.
We will do an initial privacy assessment using our Privacy Management Software and will take steps to ensure that our office meets the Federal regulations, including those that may not be included in the Privacy Manager, in becoming Privacy compliant. We will conduct this assessment in a reasonable period of time to ensure we are compliant in accordance with the Privacy regulations.In the event our state has laws that are more stringent than the Federal regulations, we will incorporate policies that supplement these policies to ensure we meet state requirements as well.
We will manage complaints made by patients with respect to Privacy. Complaints will be directed to the privacy officer who shall attempt to resolve the complaint after determining the type, validity and circumstances contained in the complaint. In the event the complaint is made to DHHS, the designated complaint manager (privacy officer) shall work with the Department to resolve the issues. Should the resolution require modification of these policies or changes in operation and/or personnel, appropriate action will be taken. A patient that requests the address of DHHS shall be immediately provided with that information. This office shall not retaliate against any patient or person making a complaint pursuant to the Privacy or any other governing regulations.