HIPAA NOTICE OF PRIVACY PRACTICES
For the facility of:
Ridgetop Dental Sterling
21631 Ridgetop Cr. Suite 240
Sterling, VA 20147
Ridgetop Dental Reston
1939 Roland Clarke Pl. Suite 120
Reston, VA 20191
This information is made available on request by a patient.
THIS NOTICE DESCRIBES HOW PROTECTED HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION UNDER THE HIPAA OMNIBUS RULE OF 2013.
Please review it carefully.
This notice applies to all of the records of your care generated by the practice.
For purposes of this Notice, “us,” “we” and “our” refer to this healthcare facility, Ridgetop Dental, and “you” or “your” refers to our patients (or their legal representatives as determined by us in accordance with state informed consent law). When you receive healthcare services from us, we will obtain access to your medical information (i.e. your health history). We are committed to maintaining the privacy of your health information and we have implemented numerous procedures to ensure that we do so.
This notice describes our Practice’s policies, which extend to:
- Any health care professional authorized to enter information into your chart (including dentists, dental assistants, hygienists, office staff, etc.)
- All areas of the Practice (front desk, administration, billing and collection, etc.)
- All employees, staff and other personnel that work for or with our Practice
- Our business associates (including facilities to which we refer patients)
Our Rules On How We May Use And Disclose Your Protected Health Information:
Because you are our patient, we create paper and electronic health records about your health, our care for you, and the services and/or items we provide to you. This Notice describes how we may use and disclose your protected health information to carry out treatment, payment or health care operations and for other purposes that are permitted or required by law. It also describes your rights to access and control your protected health information.
We are required by law to:
- Maintain the privacy of your protected health information;
- Give you this Notice of our legal duties and privacy practices with respect to that information; and
- Abide by the terms of our Notice that is currently in effect.
Our Rules On How We May Use And Disclose Your Protected Health Information
Under the law, we must have your signature on a written, dated Consent Form and/or an Authorization Form of Acknowledgement of this Notice, before we will use or disclose your PHI for certain purposes as detailed in the rules below.
Documentation – You will be asked to sign an Authorization / Acknowledgement form when you receive this Notice of Privacy Practices. If you did not sign such a form or need a copy of the one you signed, please contact our Privacy Officer. You may take back or revoke your consent or authorization at any time (unless we already have acted based on it) by submitting our Revocation Request in writing to us at our address listed above. Your revocation will take effect when we actually receive it. We cannot give it retroactive effect, so it will not affect any use or disclosure that occurred in our reliance on your Consent or Authorization prior to revocation.
General Rule – If you do not sign our authorization/ acknowledgement form or if you revoke it, as a general rule (subject to exceptions described below under “Healthcare Treatment, Payment and Operations Rule” and “Special Rules”), we cannot in any manner use or disclose to anyone (excluding you, but including payers and Business Associates) your PHI or any other information in your medical record. By law, we are unable to submit claims to payers under assignment of benefits without your signature on our authorization/ acknowledgement form. You will however be able to restrict disclosures to your insurance carrier for services for which you wish to pay “out of pocket” under the new Omnibus Rule. We will not condition treatment on you signing an authorization / acknowledgement, but we may be forced to decline you as a new patient or discontinue you as an active patient if you choose not to sign the authorization/ acknowledgement or revoke it.
Healthcare Treatment, Payment and Operations Rule
The following categories describe different ways that we use and disclose the health information that we have and share with others. Not every use or disclosure in a category is either listed or actually in place. The explanation is provided for your general information only. With your signed consent, we may use or disclose your PHI in order:
- To provide you with dental treatment or services, such as cleaning or examining your teeth or performing dental procedures. We may disclose health information about you to dental specialists, physicians, or other health care professionals involved in your care.
- To bill or collect payment from you, an insurance company, a managed-care organization, a health benefits plan or another third party. We may use and disclose health information about you in connection with health care operations necessary to run our practice, including review of our treatment and services, training, evaluating the performance of our staff and health care professionals, quality assurance, financial or billing audits, legal matters, and business planning and development.
- To run our office, assess the quality of care our patients receive and provide you with customer service. For example, to improve efficiency and reduce costs associated with missed appointments, we may contact you by telephone, mail or otherwise remind you of scheduled appointments, we may leave messages with whomever answers your telephone or email to contact us (but we will not give out detailed PHI), we may call you by name from the waiting room, we may ask you to put your name on a sign-in sheet, (we will cover your name just after checking you in), we may tell you about or recommend health-related products and complementary or alternative treatments that may interest you, we may review your PHI to evaluate our staff’s performance, or our Privacy Officer may review your records to assist you with complaints. If you prefer that we not contact you with appointment reminders or information about treatment alternatives or health-related products and services, please notify us in writing at our address listed below and we will not use or disclose your PHI for these purposes.
- The new HIPAA Omnibus Rule does not require that we provide the above notice regarding Appointment Reminders, Treatment Information or Health Benefits, but we are including these as a courtesy so you understand our business practices with regard to your protected health information (PHI).
Notwithstanding anything else contained in this Notice, only in accordance with applicable HIPAA Omnibus Rule, and under strictly limited circumstances, we may use or disclose your PHI without your permission, consent or authorization for the following purposes:
- When required under federal, state or local law
- When necessary in emergencies to prevent a serious threat to your health and safety or the health and safety of other persons
- When necessary for public health reasons (i.e. prevention or control of disease, injury or disability, reporting information such as adverse reactions to anesthesia, ineffective or dangerous medications or products, suspected abuse, neglect or exploitation of children, disabled adults or the elderly, or domestic violence)
- For federal or state government health-care oversight activities (i.e. civil rights laws, fraud and abuse investigations, audits, investigations, inspections, licensure or permitting, government programs, etc.)
- For judicial and administrative proceedings and law enforcement purposes (i.e. in response to a warrant, subpoena or court order, by providing PHI to coroners, medical examiners and funeral directors to locate missing persons, identify deceased persons or determine cause of death)
- For Worker’s Compensation purposes (i.e. we may disclose your PHI if you have claimed health benefits for a work-related injury or illness)
- For intelligence, counterintelligence or other national security purposes (i.e. Veterans Affairs, U.S. military command, other government authorities or foreign military authorities may require us to release PHI about you)
- For organ and tissue donation (i.e. if you are an organ donor, we may release your PHI to organizations that handle organ, eye or tissue procurement, donation and transplantation)
- For research projects approved by an Institutional Review Board or a privacy board to ensure confidentiality (i.e. if the researcher will have access to your PHI because involved in your clinical care, we will ask you to sign an authorization)
- To create a collection of information that is “de-identified” (i.e. it does not personally identify you by name, distinguishing marks or otherwise and no longer can be connected to you)
- To family members, friends and others, but only if you are present and verbally give permission. We give you an opportunity to object and if you do not, we reasonably assume, based on our professional judgment and the surrounding circumstances, that you do not object (i.e. you bring someone with you into the operatory or exam room during treatment or into the conference area when we are discussing your PHI); we reasonably infer that it is in your best interest (i.e. to allow someone to pick up your records because they knew you were our patient and you asked them in writing with your signature to do so); or it is an emergency situation involving you or another person (i.e. your minor child or ward) and, respectively, you cannot consent to your care because you are incapable of doing so or you cannot consent to the other person’s care because, after a reasonable attempt, we have been unable to locate you. In these emergency situations we may, based on our professional judgment and the surrounding circumstances, determine that disclosure is in the best interests of you or the other person, in which case we will disclose PHI, but only as it pertains to the care being provided and we will notify you of the disclosure as soon as possible after the care is completed. As per HIPAA law 164.512(j) (i)… (A) Is necessary to prevent or lessen a serious or imminent threat to the health and safety of a person or the public and (B) Is to person or persons reasonably able to prevent or lessen that threat.
Minimum Necessary Rule
Our staff will not use or access your PHI unless it is necessary to do their jobs. All of our team members are trained in HIPAA Privacy rules and sign strict Confidentiality Contracts with regards to protecting and keeping private your PHI. So do our Business Associates and their Subcontractors. Also, we disclose to others outside our staff, only as much of your PHI as is necessary to accomplish the recipient’s lawful purposes. Still in certain cases, we may use and disclose the entire contents of your medical record:
- To you (and your legal representatives as stated above) and anyone else you list on a Consent or Authorization to receive a copy of your records
- To healthcare providers for treatment purposes (i.e. making diagnosis and treatment decisions or agreeing with prior recommendations in the medical record)
- To the U.S. Department of Health and Human Services (i.e. in connection with a HIPAA complaint)
- To others as required under federal or state law
- To our privacy officer and others as necessary to resolve your complaint or accomplish your request under HIPAA (i.e. clerks who copy records need access to your entire medical record)
In accordance with HIPAA law, we presume that requests for disclosure of PHI from another Covered Entity (as defined in HIPAA) are for the minimum necessary amount of PHI to accomplish the requestor’s purpose. Our Privacy Officer will individually review unusual or non-recurring requests for PHI to determine the minimum necessary amount of PHI and disclose only that. For non-routine requests or disclosures, our Privacy Officer will make a minimum necessary determination based on, but not limited to, the following factors:
- The amount of information being disclosed
- The number of individuals or entities to whom the information is being disclosed
- The importance of the use or disclosure
- The likelihood of further disclosure
- Whether the same result could be achieved with de-identified information
- The technology available to protect confidentiality of the information
- The cost to implement administrative, technical and security procedures to protect confidentiality
If we believe that a request from others for disclosure of your entire medical record is unnecessary, we will ask the requestor to document why this is needed, retain that documentation and make it available to you upon request.
Incidental Disclosure Rule
We will take reasonable administrative, technical and security safeguards to ensure the privacy of your PHI when we use or disclose it (i.e. we shred all paper containing PHI, require employees to speak with privacy precautions when discussing PHI with you, we use computer passwords and change them periodically (i.e. when an employee leaves us), we use firewall and router protection to the federal standard, we back up our PHI data off-site and encrypted to federal standard, we do not allow unauthorized access to areas where PHI is stored or filed and/or we have any unsupervised business associates sign Business Associate Confidentiality Agreements).
However, in the event that there is a breach in protecting your PHI, we will follow federal guidelines under the HIPAA Omnibus Rule standard and first evaluate the breach situation using the Omnibus Rule 4-Factor Formula for Breach Assessment. Then we will document the situation, retain copies of the situation on file, and report all breaches (other than low probability as prescribed by the Omnibus Rule) to the US Department of Health and Human Services at:
We will also make proper notification to you and any other parties of significance as required by HIPAA Law.
Business Associate Rule
Business Associates are defined as: an entity (non-employee) that, in the course of its work, will directly or indirectly use, transmit, view, transport, hear, interpret, process or offer PHI for this Facility.
Business Associates and other third parties (if any) that receive your PHI from us will be prohibited from re-disclosing it unless required to do so by law or you give prior express written consent to the re-disclosure. Nothing in our Business Associate agreement will allow our Business Associate to violate this re-disclosure prohibition. Under Omnibus Rule, Business Associates will sign a strict confidentiality agreement binding them to keep your PHI protected and report any compromise of such information to us, you and the United States Department of Health and Human Services, as well as other required entities. Our Business Associates will also follow Omnibus Rule and have any of their Subcontractors that may directly or indirectly have contact with your PHI, sign Confidentiality Agreements to Federal Omnibus Standard.
Super-confidential Information Rule
If we have PHI about you regarding communicable diseases, disease testing, alcohol or substance abuse diagnosis and treatment, or psychotherapy and mental health records (super-confidential information under the law), we will not disclose it under the General or Healthcare Treatment, Payment and Operations Rules (see above) without your first signing and properly completing our Consent form (i.e. you specifically must initial the type of super-confidential information we are allowed to disclose). If you do not specifically authorize disclosure by initialing the super-confidential information, we will not disclose it unless authorized under the Special Rules (see above) (i.e. we are required by law to disclose it). If we disclose super-confidential information (either because you have initialed the consent form or the Special Rules authorizing us to do so), we will comply with state and federal law that requires us to warn the recipient in writing that re-disclosure is prohibited.
Changes to Privacy Policies Rule
We reserve the right to change our privacy practices (by changing the terms of this Notice) at any time as authorized by law. The changes will be effective immediately upon us making them. They will apply to all PHI we create or receive in the future, as well as to all PHI created or received by us in the past (i.e. to PHI about you that we had before the changes took effect). If we make changes, we will post the changed Notice, along with its effective date, in our office and on our website. Also, upon request, you will be given a copy of our current Notice.
We will not use or disclose your PHI for any purpose or to any person other than as stated in the rules above without your signature on our specifically worded, written Authorization / Acknowledgement Form (not a Consent or an Acknowledgement). If we need your Authorization, we must obtain it via a specific Authorization Form, which may be separate from any Authorization / Acknowledgement we may have obtained from you. We will not condition your treatment here on whether you sign the Authorization (or not).
Marketing and Fund Raising Rules
Limitations on the disclosure of PHI regarding Remuneration
The disclosure or sale of your PHI without authorization is prohibited. Under the new HIPAA Omnibus Rule, this would exclude disclosures for public health purposes, for treatment / payment for healthcare, for the sale, transfer, merger, or consolidation of all or part of this facility and for related due diligence, to any of our Business Associates, in connection with the business associate’s performance of activities for this facility, to a patient or beneficiary upon request, and as required by law. In addition, the disclosure of your PHI for research purposes or for any other purpose permitted by HIPAA will not be considered a prohibited disclosure if the only reimbursement received is “a reasonable, cost-based fee” to cover the cost to prepare and transmit your PHI which would be expressly permitted by law. Notably, under the Omnibus Rule, an authorization to disclose PHI must state that the disclosure will result in remuneration to the Covered Entity.
Limitation on the Use of PHI for Paid Marketing
We will, in accordance with Federal and State Laws, obtain your written authorization to use or disclose your PHI for marketing purposes (i.e. to use your photo in ads), but not for activities that constitute treatment or healthcare operations. To clarify, Marketing is defined by HIPAA’s Omnibus Rule as “a communication about a product or service that encourages recipients to purchase or use the product or service.” Under the Omnibus Rule, we will obtain a written authorization from you prior to recommending you to an alternative therapist or non-associated Healthcare Covered Entity. Face-to-face marketing communications, such as sharing with you a written product brochure or pamphlet, are permissible under current HIPAA Law.
Flexibility on the Use of PHI for Fundraising
Under the HIPAA Omnibus Rule, use of PHI does not require your authorization should we choose to include you in any fundraising efforts attempted at this facility. However, we will offer the opportunity for you to “opt out” of receiving future fundraising communications. Simply let us know that you want to “opt out” of such situations. There will be a statement on your HIPAA Patient Acknowledgement Form where you can choose to “opt out”. Our commitment to care and treat you will in no way affect your decision to participate or not participate in our fundraising efforts.
You have the following rights with respect to certain health information that we have about you (information in a Designated Record Set as defined by HIPAA). To exercise any of these rights, you must submit a written request to our Privacy Officer listed on the last page of this notice.
1. To review and copy
You may request to access and review a copy of your PHI by submitting a written request to our Privacy Officer. The request form has to be dated and signed. We will provide a copy of your health information in a format you request if it is readily producible. If not readily producible, we will provide it in a hard copy format or other format that is mutually agreeable. We may charge a reasonable fee to cover our cost to provide you with copies of your health information. We may deny your request under certain circumstances. You will receive written notice of a denial and can appeal it. If we deny your request, you may ask for a review of that decision. If required by law, we will select a licensed health-care professional (other than the person who denied your request initially) to review the denial and we will follow his or her decision.
2. To Request Amendment / Correction
If you believe that your PHI is incorrect or incomplete, you may request that we amend it. Your request for amendment has to be submitted in writing, dated and signed, along with your intended amendment and the reason for the amendment. We may deny your request under certain circumstances (i.e. it is not in writing, it does not give a reason why you want the change, we did not create the PHI you want changed (and the entity that did can be contacted), it was compiled for use in litigation, or we determine it is accurate and complete). You will receive written notice of a denial and can file a statement of disagreement that will be included with your health information that you believe is incorrect or incomplete.
3. To an Accounting of Disclosures
You may ask us for a list of those who got your PHI from us by submitting a request to us in writing that is dated and signed. The list will not cover certain disclosures (i.e. PHI given to you, given to your legal representative, given to others for treatment, payment or health-care-operations purposes). Your request must state in what form you want the list (i.e. paper or electronically) and the time period you want us to cover, which may be up to but not more than the last six years. If we maintain your PHI in an electronic health record, then we must provide you with routine disclosures of PHI, including disclosures of treatment, payment or healthcare operations, for the 3-year period prior to the date of the request. If you ask us for this list more than once in a 12-month period, we may charge you a reasonable, cost-based fee to respond, in which case we will tell you the cost before we incur it and let you choose if you want to withdraw or modify your request to avoid the cost.
4. To an Accounting of Disclosures
You may request that we restrict uses of your health information to carry out treatment, payment, or health care operations or to your family member or friend involved in your care or the payment for your care. We may not (and are not required to) agree to your requested restrictions, with one exception: If you pay out of your pocket in full for a service you receive from us and you request that we not submit the claim for this service to your health insurer or health plan for reimbursement, we must honor that request.
5. To Request Restrictions
You may ask us to limit how your PHI is used and disclosed (i.e. in addition to our rules as set forth in this Notice) by submitting a written request for Restrictions on Use, Disclosures to us. In your request you indicate what information you want to limit, whether you want to limit our use, disclosure or both, and to whom you want the limits to apply (e.g. disclosures to your children, parents, spouse, etc.). If we agree to these additional limitations, we will follow them except in an emergency where we will not have time to check for limitations. Also, in some circumstances we may be unable to grant your request (e.g. we are required by law to use or disclose your PHI in a manner that you want restricted).
6. To Request Alternative Communications
You may request to receive communications of PHI by alternative means or at an alternative location. We will accommodate a request if it is reasonable and you indicate that communication by regular means could endanger you. When you submit a written request to the Privacy Official you need to provide an alternative method of contact or alternative address and indicate how payment for services will be handled.
7. To Request a Paper Copy of this Notice
You have the right to a paper copy of this Notice. You may ask us to give you a paper copy of the Notice at any time (even if you have agreed to receive the Notice electronically). To obtain a paper copy, ask the Privacy Official.
8. To Complain or Get More Information
We will follow our rules as set forth in this Notice. If you want more information or if you believe your privacy rights have been violated (i.e. you disagree with a decision of ours about inspection / copying, amendment / correction, accounting of disclosures, restrictions or alternative communications), we want to make it right. We never will penalize you for filing a complaint. To do so, please file a formal, written complaint within 180 days with:
The U.S. Department of Health & Human Services Office of Civil Rights
200 Independence Ave., S.W., Washington, DC 20201
Or, submit a written Complaint form to us at the following address:
Our Privacy Officer: Devika Rampure
21631 Ridgetop Cr., Suite 240, Sterling, VA 20166
Phone: 703 444 9900 Office Fax: 703 433 0155
Email Address: firstname.lastname@example.org