This web site is
provided for information and education purposes only. No
doctor/patient relationship is established by your use of this
site. No diagnosis or treatment is being provided. The
information contained here should be used in consultation with a
dentist of your choice. No guarantees or warranties are made
regarding any of the information contained within the web site.
This web site is not intended to offer specific medical or dental
advice to anyone. Edward L. Rick, D.D.S., MS, PC. is licensed to
practice in the state of Illinois and this web site is not
intended to solicit patients from other states. Further, this web
site and Dr. Rick take no responsibility for web sites
hyper-linked to this site and such hyper-linking does not imply
any relationships or endorsements.
Information and names within this web site may be subject to
copyright and trademark protection with all rights reserved.
Duplication or use without the expressed written permission by
Edward L. Rick, D.D.S, MS, PC., subjects the violator to both
civil and criminal penalties.
HEALTH INFORMATION PRIVACY
POLICIES & PROCEDURES
These Health Information
Privacy Policies & Procedures implement our obligations to protect
the privacy of individually identifiable health information that
we create, receive, or maintain as a healthcare provider.
We implement these Health
Information Privacy Policies and Procedures as a matter of sound
business practice; to protect the interests of our patients; and
to fulfill our legal obligations under the Health Insurance
Portability and Accountability Act of 1996 ("HIPAA"), its
implementing regulations at 45 CFR Parts 160 and 164 (65 Fed. Reg
82462 (Dec. 28, 2000)) ("Privacy Rules"), as amended (67 Fed. Reg.
53182 [Aug. 14, 2002]), and state law that provides greater
protection or rights to patients than the Privacy Rules.
As a member of our workforce
or as our Business Associate, you are obligated to follow these
Health Information Privacy Policies & Procedures faithfully.
Failure to do so can result in disciplinary action, including
termination of your employment or affiliation with us.
These Policies & Procedures
address the basics of HIPAA and the Privacy Rules that apply in
our dental practice. They do not attempt to cover everything in
the Privacy Rules. The Policies & Procedures sometimes refer to
forms we use to help implement the policies and to the Privacy
Rules themselves when added detail may be needed.
Please note that while the
Privacy Rules speak in terms of "individual" rights and actions,
these Policies & Procedures use the more familiar word "patient"
instead; "patient" should be read broadly to include prospective
patients, patients of record, former patients, their authorized
representatives, and any other "individuals" contemplated in the
If you have questions or
doubts about any use or disclosure of individually identifiable
health information or about your other obligations under these
Health Information Privacy Policies & Procedures, the Privacy
Rules or other federal or state law, please contact our office.
This policy was adopted effective 4/14/03
1. General Rule: No Use or
Our dental office must not
use or disclose protected health information (PHI), except
as these Privacy Policies & Procedures permit or require.
2. Acknowledgement and
Our dental office will make a
good faith effort to obtain a written acknowledgement of receipt
of our Notice of Privacy Practices (see Section 9) from a
patient before we use or disclose his or her protected health
information (PHI) for treatment, to obtain payment for that
treatment, or for our healthcare operations (TPO).
Our dental office’s use or
disclosure of PHI for our payment activities and healthcare
operations may be subject to the minimum necessary requirements
(see Section 7).
Our dental office will become
familiar with our state’s privacy laws. If required by our state
law, or as directed by the dentist, we will also seek Consent
from a patient before we use or disclose PHI for TPO purposes – in
addition to obtaining an Acknowledgement of receipt of our
Notice of Privacy Practices.
a) Obtaining Consent
– If consent is to be
obtained, upon the individual’s first visit as a patient (or
next visit if already a patient), our dental office will request
and obtain the patient’s written Consent for our use and
disclosure of the patient’s PHI for treatment, payment, and
Any consent we obtain must
be on our Consent form, which we may not alter in any
way. Our dental office will include the signed Consent
form in the patient’s chart.
Exceptions – Our dental office does not have to obtain
the patient’s Consent in emergency treatment situations; when
treatment is required by law; or when communications barriers
Consent Revocation – A patient from whom we obtain
consent may revoke it at any time by written notice. Our dental
office will include the revocation in the patient’s chart. There
is space at the bottom of our Consent form where the
patient can revoke the consent.
– Consent for use or disclosure of PHI should not be confused with
informed consent for dental treatment. This section applies to our
In some cases we must have
proper, written Authorization from the patient (or the
patient’s personal representative) before we use or disclose a
patient’s PHI for any purpose (except for TPO purposes) or as
permitted or required without consent or authorization (see
Sections 3, 4, or 5).
Our dental office will use
the Authorization form. We will always act in strict
accordance with an
Authorization Revocation – A patient may revoke an
authorization at any time by written notice. Our dental office
will not rely on an Authorization we know has been revoked.
Authorization from Another Provider – Our dental office
will use or disclose PHI as permitted by a valid Authorization
we receive from another healthcare provider.
Our dental office may rely on
that covered entity to have requested only the minimum necessary
protected PHI. Therefore, our dental office will not make our own
"minimum necessary" determination, unless we know that the
Authorization is incomplete, contains false information, has
been revoked, or has expired.
Authorization Expiration – Our dental office will not rely
on an Authorization we know has expired.
4. Oral Agreement
Our dental office may use or
disclose a patient’s PHI with the patient’s Oral Agreement
or if the patient is unavailable subject to all applicable
Our dental office may use
professional judgment and our experience with common practice to
make reasonable inferences of the patient’s best interest in
allowing a person to act on behalf of the patient to pick up
dental/medical supplies, X-rays, or other similar forms of PHI.
5. Permitted Without
Acknowledgement, Consent Authorization or Oral Agreement
Our dental office may use or
disclose a patient’s PHI in certain situations, without
Authorization or Oral Agreement. In our dental office,
these disclosures are not likely to be frequent.
a) Verification of Identity
– Our dental office will always verify the identity of any
patient, and the identity and authority of any patient’s personal
representative, government or law enforcement official, or other
person, unknown to us, who requests PHI before we will disclose
the PHI to that person.
Our dental office will obtain
appropriate identification and, if the person is not the patient,
evidence of authority. Examples of appropriate identification
include photographic identification card, government
identification card or badge, and appropriate document on
government letterhead. Our dental office will document the
incident and how we responded.
Uses or Disclosures Permitted under this Section 5 – The
situations in which our dental office is permitted to use or
disclose PHI in accordance with the procedures set out in this
Section 5 are listed below.
For public health
To health oversight
To coroners, medical
examiners, and funeral directors;
To employers regarding
work-related illness or injury;
To the military;
To federal officials for
lawful intelligence, counterintelligence, and national security
institutions regarding inmates;
In response to subpoenas
and other lawful judicial processes;
To law enforcement
To report abuse, neglect,
or domestic violence;
As required by law;
As part of research
As authorized by state
worker’s compensation laws.
6. Required Disclosures
Our dental office will
disclose protected health information (PHI) to a patient (or to
the patient’s personal representative) to the extent that the
patient has a right of access to the PHI (see Section 10); and to
the U.S. Department of Health and Human Services (HHS) on request
for complaint investigation or compliance review.
Our dental office will use
the disclosure log to document each disclosure we make to HHS.
7. Minimum Necessary
Our dental office will make
reasonable efforts to disclose, or request of another covered
entity, only the minimum necessary protected health
information (PHI) to accomplish the intended purpose.
There is no minimum
necessary requirement for disclosures to or requests by one
another in our dental office or by a healthcare provider for
treatment; permitted or required disclosures to, or for disclosure
requested and authorized by, a patient; disclosures to HHS for
compliance reviews or complaint investigations; disclosures
required by law; or uses or disclosures required for compliance
with the HIPAA Administrative Simplification Rules.
a) Routine or Recurring
Requests or Disclosures
– Our dental office will follow the policies and procedures that
we adopt to limit our routine or recurring requests for our
disclosures of PHI to the minimum reasonably necessary for the
b) Non-Routine or
Non-Recurring Requests or Disclosures
– No non-routine or non-recurring request for or disclosure of PHI
will be made until it has been reviewed on a patient-by-patient
basis against our criteria to ensure that only the minimum
necessary PHI for the purpose is requested or disclosed.
c) Other’s Requests
– Our dental office will rely, if reasonable for the situation, on
a request to disclose PHI being for the minimum necessary, if the
requester is: (a) a covered entity; (b) a professional (including
an attorney or accountant) who provides professional services to
our practice, either as a member of our workforce or as our
Business Associate, and who represents that the requested
information is the minimum necessary; (c) a public official who
represents that the information requested is the minimum
necessary; or (d) a researcher presenting appropriate
documentation or making appropriate representations that the
research satisfies the applicable requirements of the Privacy
d) Entire Record
– Our dental office will not use, disclose, or request an entire
record, except as permitted in these Policies & Procedures or
standard protocols that we adopt reflecting situations when it is
e) Minimum Necessary
Workforce Use –
Our dental office will use only the minimum necessary PHI needed
to perform our duties.
8. Business Associates
Our dental office will obtain
satisfactory assurance in the form of a written contract that our
Business Associates will appropriately safeguard and limit
their use and disclosure of the protected health information (PHI)
we disclose to them.
These Business Associate
requirements are not applicable to our disclosures to a healthcare
provider for treatment purposes. The Business Associate
Contract Terms document contains the terms that federal law
requires be included in each Business Associate Contract.
Business Associate – If our dental office learns that a
Business Associate has materially breached or violated its
Business Associate Contract with us, we will take prompt,
reasonable steps to see that the breach or violation is cured.
If the Business Associate
does not promptly and effectively cure the breach or violation, we
will terminate our contract with the Business Associate, or
if contract termination is not feasible, report the Business
Associate’s breach or violation to the U.S. Department of
Health and Human Services (HHS).
9. Notice of Privacy
Our dental office will
maintain a Notice of Privacy Practices as required by the
a) Our Notice
– Our dental office will use and disclose PHI only in conformance
with the contents of our Notice of Privacy Practices. We
will promptly revise a Notice of Privacy Practices whenever
there is a material change to our uses or disclosures of PHI to
legal duties, to the patients’ rights or to other privacy
practices that render the statements in that Notice no longer
Form 1, Notice of Privacy
Practices, found in this Privacy Kit, contains the terms that
federal law requires.
b) Distribution of Our Notice
– Our dental office will provide our Notice of Privacy
Practices to any person who requests it, and to each patient
no later than the date of our first service delivery after April
Our dental office will have
our Notice of Privacy Practices available for patients to
take with them. We will also post our Notice of Privacy
Practices in a clear and prominent location where it is
reasonable to expect patients seeking services from us will be
able to read the Notice.
c) Acknowledgement of Notice
– Our dental office will make a good faith effort to obtain from
the patient a written Acknowledgement of receipt of our Notice
of Privacy Practices.
Our dental office shall use
Form 2, Acknowledgement of Receipt of Notice of Privacy
Practices, found in this Privacy Kit, to obtain the
Acknowledgement. If we cannot obtain written Acknowledgement from
the patient, we will use the form to document our attempt and the
reason why written Acknowledgement was not signed by the patient.
10. Patients’ Rights
Our dental office will honor
the rights of patients regarding their PHI.
– With rare exceptions, our dental office must permit patients to
request access to the PHI we or our Business Associates
No PHI will be withheld from
a patient seeking access unless we confirm that the information
may be withheld according to the Privacy Rules. We may offer to
provide a summary of the information in the chart. The patient
must agree in advance to receive a summary and to any fee we will
charge for providing the summary. Our dental office will contact
our Business Associates to retrieve any PHI they may have
on the patient.
– Patients have the right to request to amend their PHI and other
records for as long as our dental office maintains them.
Our dental office may deny a
request to amend PHI or records if: (a) we did not create the
information (unless the patient provides us a reasonable basis to
believe that the originator is not available to act on a request
to amend); (b) we believe the information is accurate and
complete; or (c) we do not have the information.
Our dental office will follow
all procedures required by the Privacy Rules for denial or
approval of amendment requests. We will not, however, physically
alter or delete existing notes in a patient’s chart. We will
inform the patient when we agree to make an amendment, and we will
contact our Business Associates to help assure that any PHI
they have on the patient is appropriately amended. We will contact
any individuals whom the patient requests we alert to any
amendment to the patient’s PHI. We will also contact any
individuals or entities of which we are aware that we have sent
erroneous or incomplete information and who may have acted on the
erroneous or incomplete information to the detriment of the
When we deny a request for an
amendment, we will mark any future disclosures of the contested
information in a way acknowledging the contest.
Accounting – Patients have the right to an accounting of
certain disclosures our dental office made of their PHI within the
6 years prior to their request. Each disclosure we make, that is
not for treatment payment or healthcare operations, must be
documented showing the date of the disclosure, what was disclosed,
the purpose of the disclosure, and the name and (if known) address
of each person or entity to whom the disclosure was made. The
Authorization or other documentation must be included in the
patient’s record. We use the patient’s chart to track each
disclosure of PHI as needed to enable us to fulfill our obligation
to account for these disclosures.
We are not required to
account for disclosures we made: (a) before April 14, 2003; (b) to
the patient (or the patient’s personal representative); (c) to or
for notification of persons involved in a patient’s healthcare or
payment for healthcare; (d) for treatment, payment, or healthcare
operations; (e) for national security or intelligence purposes;
(f) to correctional institutions or law enforcement officials
regarding inmates; or (g) according to an Authorization signed by
the patient or the patient’s representative; (h) incident to
another permitted or required use disclosure.
We will temporarily suspend
the accounting of any disclosure when requested to do so pursuant
according to the Privacy Rules by health oversight agencies or law
enforcement officials. We may charge for any accounting that is
more frequent than every 12 months, provided the patient is
informed of the fee before the accounting is provided. We will
contact our Business Associates to assure we include in the
accounting any disclosures made by them for which we must account.
d) Restriction on Use or
Patients have the right to request our dental office to restrict
use or disclosure of their PHI, including for treatment, payment,
or healthcare operations. We have no obligation to agree to the
request, but if we do, we will comply with our agreement (except
in an appropriate dental/medical emergency).
We may terminate an agreement
restricting use or disclosure of PHI by a written notice of
termination to the patient. We will contact our Business
Associates whenever we agree to such a restriction to inform
the Business Associate of the restriction and its
obligations to abide by the restriction. We will document in the
patient’s chart any such agreed to restrictions.
e) Alternative Communications
– Patients have
the right to request us to use alternative means or alternative
locations when communicating PHI to them. Our dental office will
accommodate a patient’s request for such alternative
communications if the request is reasonable and in writing.
Our dental office will inform
the patient of our decision to accommodate or deny such a request.
If we agree to such a request, we will inform our Business
Associates of the agreement and provide them with the information
necessary to comply with the agreement.
– Our dental office will be aware of and respect these patients’
rights regarding their PHI, even though in most situations
patients are unlikely to exercise them.
11. Staff Training and
Management, Complaint Procedures, Data Safeguards, Administrative
a) Staff Training and
– Our dental office will train all members of our workforce in
these Privacy Policies & Procedures, as necessary and appropriate
for them to carry out their functions. We will complete the
privacy training of our existing workforce by April 14, 2003.
After April 14, 2003, our
dental office will train each new staff member within a reasonable
time after the member starts. We will also retain each staff
member whose functions are affected either by a material change in
our Privacy Policies and Procedures or in the member’s job
functions, within a reasonable time after the change.
Form 7, Staff Review of
Policies and Procedures, can be used to have workforce members
acknowledge they have received and read a copy of these Policies
*Discipline and Mitigation
– Our dental office will develop, document, disseminate, and
implement appropriate discipline policies for staff members who
violate our Privacy Policies & Procedures, the Privacy Rules, or
other applicable federal or state privacy law.
Staff members who violate our
Privacy Policies & Procedures, the Privacy Rules or other
applicable federal or state privacy law will be subject to
disciplinary action, possibly up to and including termination of
– Our dental office will implement procedures for patients to
complain about our compliance with our Privacy Policies and
Procedures or the Privacy Rules. We will also implement procedures
to investigate and resolve such complaints.
The Complaint form can
be used by the patient to lodge the complaint. Each complaint
received must be referred to management immediately for
investigation and resolution. We will not retaliate against any
patient or workforce member who files a Complaint in good
c) Data Safeguards
– Our dental office will "add to" and strengthen these Privacy
Policies & Procedures with such additional data security policies
and procedures as are needed to have reasonable and appropriate
administrative, technical, and physical safeguards in place to
ensure the integrity and confidentiality of the PHI we maintain.
Our dental office will take
reasonable steps to limit incidental uses and disclosures of PHI
made according to an otherwise permitted or required use or
d) Documentation and Record
Retention – Our
dental office will maintain in written or electronic form all
documentation required by the Privacy Rules for six years from the
date of creation or when the document was last in effect,
whichever is greater.
e) Privacy Policies &
Procedures – Only
Dr. Edward L. Rick may change these Privacy Policies & Procedures.
12. State Law Compliance
Our dental office will comply
with the privacy laws of each state that has jurisdiction over our
practice, or its actions involving protected health information
(PHI), that provide greater protections or rights to patients than
the Privacy Rules.
13. HHS Enforcement
Our dental office will give
the U.S. Department of Health and Human Services (HHS) access to
our facilities, books, records, accounts, and other information
sources (including individually identifiable health information
without patient authorization or notice) during normal business
hours (or at other times without notice if HHS presents
appropriate lawful administrative or judicial process).
We will cooperate with any
compliance review or complaint investigation by HHS, while
preserving the rights of our practice.
14. Designated Personnel
Our dental office will
designate a Privacy Officer and other responsible persons as
required by the Privacy Rules.
Back to Top