Urban Smiles Dental
Dr Sadaf Alam, D.D.S
Notice of Privacy Practices
This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.
A.4 HIPAA Compliance
Urban Smiles Dental states all patient information is confidential. This policy is to ensure confidentiality and patient privacy and prevent loss, tampering and unauthorized access.
​
Training of Employees
-
All employees will receive training yearly.
-
New employees hired will receive training during their orientation.
-
If an employee’s job function changes and the change affects the employee’s access or use of PHI, appropriate training in privacy policies and procedures will be provided to the employee.
-
Urban Smiles Dental will keep documentation of all employee training for life of employment and then for six years
Employee Discipline and mitigation for violations
-
A breach of confidentiality occurs when an employee violates Urban Smiles Dental privacy policies and procedures. Health records are highly confidential and must be treated with great respect and care by any individual with access to this information. An employee who breaches this office’s privacy policies and procedures is subject to formal disciplinary action, up to and including termination.
-
Examples of breaches of confidentiality include (but NOT LIMITED TO):
-
Leaving a copy of patient medical information in a public area;
-
Posting patient information on social media;
-
Accessing or reviewing ANY patient’s record for any reason, or requesting that another individual do so, without a permissible purpose;
-
Accessing or reviewing confidential information of another employee that is also a patient, without a permissible purpose; OR
-
Failing to comply with the requirements relating to technical security, including the use of passwords, access to databases, and logging out of the system.
-
Whistleblowers
Urban Smiles Dental employees will not be disciplined or prevented from reporting violations of HIPAA. An employee of Urban Smiles Dental may disclose PHI for “whistleblower” purposes, without violating HIPAA if the workforce member:
- Believes in good faith that Urban Smiles Dental has engaged in conduct that is unlawful or violates professional or clinical standards, or that the care, services, or conditions potentially endangers one or more patients, workers, or the public;
Urban Smiles Dental employees may, if they choose to, report first to the Privacy Officer.
Patient’s Right to request access to PHI
This office will comply with a patient’s request to access the patient’s own health records
and PHI, as specified in the process outlined below. It is the responsibility of the Dentist
or Office Manager to receive and process requests for access. If access is denied the
patient has the right to review the reason for denial.
Writing requirement:
-
Patient requests for access to their own PHI must be in writing.
-
Written requests for access to PHI will be acted on within 14 business days.
-
If patient requests PHI in a non-electronic format, PHI should be in the format requested when possible, or in a readable hard copy (another format is acceptable if agreed to by the patient).
-
If patient requests PHI in an electronic format, we will provide the PHI in the electronic format as requested by the patient unless
-
The electronic PHI is not readily producible in the electronic format requested by the patient, this office will provide PHI in a readable electronic format agreed to by the patient (e.g., Microsoft Word or Excel, text, HTML or text-based PDF).
-
-
Urban Smiles Dental may choose to provide a summary rather than the complete record if acceptable to the patient.
-
Urban Smiles Dental must transmit the PHI (whether paper or electronic) to a person or covered entity designated by the patient, if the request is in writing, signed by the patient and clearly identifies the designated recipient (an electronic signature is acceptable).
-
Urban Smiles Dental may charge a reasonable, cost-based fee in accordance with state law to cover labor costs of copying the PHI, supplies for creating the paper copy or electronic media, if patient requests the records be provided on portable media; and/or postage, if applicable.
-
If the charge for a summary is extra, patients must be informed in advance and agree to the charge.
Right to request restrictions on the use or disclosure of PHI
Urban Smiles Dental will respond to a patient’s request to restrict disclosures of PHI as outlined in the process below. Urban Smiles Dental is not required to comply with all such requests.
Writing requirement:
-
All requests by patients to restrict disclosure of PHI beyond what is required by law or otherwise noted in Urban Smiles Dental policies must be in writing.
-
Examples of such restriction requests would be: requesting that PHI not be disclosed to an outside healthcare provider involved in the patient’s treatment or requesting that PHI not be disclosed to a particular employee for billing purposes.
Complying with requests for restriction:
-
Urban Smiles Dental is not required to comply with all requests (i.e., those that may result in office’s inability to treat the patient or bill for services rendered).
-
One exception: Urban Smiles Dental must comply with an individual’s request to restrict the disclosure of PHI to a dental plan for payment or health care operations when the PHI pertains solely to a health care item or service for which the individual has paid Urban Smiles Dental out of pocket in full. Urban Smiles Dental may ask the patient for payment up front before implementing the restriction.
-
-
If Urban Smiles Dental agrees to a restriction, it will be bound by the agreement, unless the patient requests or agrees to the removal of the restriction in writing, or Urban Smiles Dental terminates the restriction as provided below.
Denying requests for restriction:
The Office may not give approval to any restrictions of disclosure under the following circumstances:
PHI disclosures required by law, including but not limited to disclosures that are:
-
-
-
Related to mandatory reporting
-
Required by court order or to coroners or medical examiners
-
-
Termination of restrictions:
-
The patient may terminate the restrictions on PHI disclosure in writing
Right to request confidential communications
Urban Smiles Dental will honor all reasonable requests made by a patient for alternative
methods of communication.
-
A patient has a right to request that Urban Smiles Dental use alternative methods for communicating the patient’s PHI.
-
An employee may not make an inquiry of the patient as to the reason for the request for alternative methods of communication.
Writing requirement:
-
Requests for alternative methods of communication must be made in writing by the patient.
-
All requests are forwarded to Dentist or Business Office Manager for review.
-
If the request for alternative method(s) of communication affects Urban Smiles Dental ability to collect payment for services, we will clarify with the patient how payments will be handled.
-
If the patient does not clarify how payments will be handled or does not give an alternate address, we may refuse the request.
-
If the patient requests not to use the address on file, Urban Smiles Dental will obtain an alternate address from the patient.
-
After review and approval by the Dentist/Office Manager, the request must be noted in the patient’s record and appropriate revisions will be made to the patient’s contact information as necessary.
Right to request an amendment of PHI
Patient requests for amendment of a health record must be made in writing and state the reason for the request. This office will respond to the request within 30 calendar days from receipt of the request.
Process for approving/denying amendment:
-
The Dentist/Office Manager is responsible for receiving and processing requests for amendments to health records.
-
Urban Smiles Dental has the right to refuse the amendment request under the following circumstances:
-
This office determines the information in the health record is accurate and complete;
-
The health record was not created by us, unless the patient provides a reasonable basis to believe that the creator of the PHI is no longer available to act on the request for amendment;
-
The PHI the patient wishes to amend is not part of the health record; or
-
-
If Urban Smiles Dental grants the request for amendment in whole or part:
-
The patient should be informed that the amendment is accepted.
-
Dentist/Office Manager will review & the dentist, will make the amendment to the health record. (The amendment may be added to the record itself, or the record may be flagged with information on where to locate the amended information).
-
If this office denies an amendment the patient must receive a written reason for denial within 30 calendar days. It will include information regarding how the patient may complain to the Privacy Officer, including the name and telephone number of the Privacy Officer.
The patient also has the right to request that Urban Smiles Dental include the amendment and denial with any future disclosures of PHI.
Complaints
-
All complaints related to HIPAA should be directed to the Privacy Officer within 24 hours of receipt.
-
Complaints that are given verbally should be summarized in written form by the individual taking the complaint and forwarded to the Privacy Officer within 24 hours of receipt.
-
Complaints will be handled by the Privacy Officer, in consultation with the office manager and dentist.
-
All complaints and their disposition will be documented by the Privacy Officer.
-
Urban Smiles Dental and its employees will not intimidate, threaten, coerce, discriminate against or otherwise retaliate against any patient filing a complaint.
Office’s Notice and acknowledgement of privacy practices
A written notice of the uses and disclosures of PHI by Urban Smiles Dental (a “Notice of Privacy Practices” or “Notice”) will be provided to every patient with whom this office has a direct treatment relationship. The Notice will also describe the patient’s rights and this office’s legal duties with respect to PHI.
Distributing notices of privacy practices
-
This office will provide a copy of the Notice of Privacy Practices to every patient before or at the time of their first visit.
-
Persons who receive a copy of the privacy notice via electronic mail are also entitled to receive a paper copy upon request.
-
Urban Smiles Dental will post the privacy notice on their web page
Patient acknowledgement of Notice of Privacy Practices
This office will make a good faith effort to obtain written acknowledgment from the patient that the patient received a copy of the notice. We will keep the acknowledgement with the patient’s health record.
-
If the patient refuses or is unable to acknowledge receipt of the copy of the Notice Urban Smiles Dental shall document the good faith effort to obtain acknowledgment and the reason that it was not obtained.
-
The acknowledgement and/or documentation of the good faith effort must be retained according to the policy on Retention of Documents.
-
Urban Smiles Dental may continue to treat the patient even though the patient has refused or is unable to acknowledge receipt of the Notice.
In an emergency treatment situation, the Notice may be delayed until a reasonable time after the emergency ends.
Changes to the notice of privacy practices:
-
Urban Smiles Dental reserves the right to change its notice of privacy practices. The Privacy Officer will update the notice and is responsible for posting the revised notice and educating staff, as appropriate.
-
Updated notices of privacy practices will be distributed to patients who have previously received a notice, upon their next visit, as well as all new patients.
Permitted uses and disclosures
Urban Smiles Dental will use and disclose PHI as necessary for purposes of treatment, payment and health care operations both within and outside of this office. When required this office will use and disclose only the minimum necessary information to accomplish the purpose of the use or disclosure, as permitted by HIPAA and applicable state law.
-
Treatment, payment, and health care operations. Urban Smiles Dental may use and disclose PHI as necessary for its own treatment purposes, payment purposes, and its health care operations.
-
Treatment includes coordination, and management of care, consultations relating to a patient, or referrals to another health care provider.
-
Payment includes activities (including billing and collection) to obtain or provide reimbursement for the provision of health care.
-
Health care operations include many of the activities necessary to operate office, including health record storage, quality assurance, conducting training programs, conducting or arranging for medical review, legal services, audits, business planning and development, and general administrative activities.
-
-
“Incidental disclosures” are not considered violations of the Privacy Rule These are disclosures that occur as an incident to a use or disclosure that is otherwise permitted or required by the Privacy Rule, so long as this office also complies with the minimum necessary requirements and the requirement of implementing appropriate safeguard:
-
Technical safeguards. Example: Passwords, firewalls, encryption, etc.
-
-
If an employee has questions as to whether or not the requested disclosure qualifies under this policy, the Privacy Officer should be consulted prior to the disclosure being made.
Patient consent/authorization
-
HIPAA requires patient authorization for disclosures of PHI for purposes other than those specifically permitted by the Privacy Rule.
-
When a patient requests disclosure of PHI in person, the authorization form should be completed and signed.
-
When a patient requests disclosure of PHI by telephone, they should be offered the option to have an authorization form mailed, emailed, or faxed to them to complete and return, or the patient may come in personally to complete the form.
-
Third parties requesting disclosure of PHI should be informed that an authorization from the patient must be obtained.
-
A copy of the signed authorization must be given to the requestor.
-
If the employee has concerns over the authorization form used or the PHI requested for disclosure, they should check with the Privacy Officer for approval prior to disclosing the information.
-
Patients have the right to revoke an authorization in writing at any time, and the revocation prevents further disclosures of PHI.
-
Authorizations must be documented and retained in patient’s chart.
Limiting disclosure of PHI
“Minimum necessary” means that the minimum amount of PHI that is necessary to achieve the specified goal based on health records practices and other reasonable considerations.
Process:
-
Any employee, provider or contracted worker who needs access to PHI to perform his or her assigned job duties have been identified by Urban Smiles Dental.
-
Providers, clinical staff, contract workers and all employees involved in the provision or supervision of patient care will have access to the complete medical record for treatment purposes.
-
For all other purposes, the individuals who need access to PHI for their job duties will limit any use or disclosure of PHI to the minimum necessary required to perform the assigned duties.
-
When fulfilling a request for disclosure of PHI employees should make a reasonable effort to disclose only the minimum amount of information necessary required to accomplish the purpose of the disclosure.
-
Routine and/or recurring requests for disclosure of PHI (e.g., for payment purposes) shall be handled in such a way as to disclose the minimum amount of information necessary to accomplish the purpose of the disclosure.
-
Non-routine disclosures must be reviewed to determine the minimum amount of information necessary to accomplish the purpose of the disclosure.
-
When Urban Smiles Dental requests PHI from another covered entity, this office will request only the minimum necessary information, except where such requirements do not apply, as described above.
Typical reports and disclosures that do not require authorization
In addition to disclosures for treatment, payment and health care operations, PHI may be disclosed without an authorization from the patient for the following purposes:
-
Public health activities, or authorized agencies for disease reporting, vital statistics and other public health reasons as required by state law.
-
​​Child or adult abuse or neglect.
-
Coroners and funeral directors.
-
ID and authority verification
-
If a patient has consented to or authorized the disclosure of their PHI, it will be mailed to the address specified by the patient. If the patient insists the PHI be physically picked up, employees must check the verification of the ID of the person to whom the disclosure is made to ensure that the disclosure of the PHI is appropriate.
-
If the PHI is requested by the patient, employees must check the verification of the patient’s ID to ensure that the disclosure of the PHI is appropriate.
-
In the case of a subpoena or similar administrative request or court order, the matter should be immediately referred to the Privacy Officer and dentist who may refer the question to their legal counsel.
-
If a public official requests PHI for a purpose not requiring authorization (e.g., for a disease registry), the ID of the official should be verified.
-
If an individual states that he or she has legal authority to act on a patient’s behalf (such as a guardian or conservator), Urban Smiles Dental will require documentation of that authority and refer the individual to the Privacy Officer.
-
If an employee has reason to suspect the ID or authority of anyone making a request for disclosure of PHI, the matter should be discussed with the Compliance Officer and the employee should not make the disclosure without dentist approval.
Minors
Urban Smiles Dental will follow state law related to the uses and disclosures of the PHI of minors. For purposes of this policy, “minors” refers to individuals under the age of 18, or as otherwise defined by state law.
Parents/legal guardians generally are permitted by state law to act on behalf of their minor children in making health care decisions, and disclosures of the minor’s PHI.
A minor may make his/her own health care decisions, and the parents/legal guardians
should not be considered the minor’s personal representative, under the following circumstances:
- the minor has the right to consent and no other consent is required under state law (emancipated minor).
Marketing
Marketing activities that do not involve uses or disclosures of PHI are not subject to HIPAA privacy regulations.
Urban Smiles Dental will obtain a specific HIPAA-compliant authorization for uses and disclosures of PHI for marketing purposes.
Sale of PHI
Urban Smiles Dental will not sell PHI except as permitted by HIPAA.
Urban Smiles Dental shall not sell PHI unless it obtains a HIPAA-compliant authorization from the patients who are the subject the PHI being sold. The authorization must include a statement that Urban Smiles Dental is receiving remuneration in exchange for the PHI
Business associate agreements
PHI will not be disclosed to business associates of Urban Smiles Dental unless a current and valid business associate agreement is in place.
That business associates must understand Urban Smiles Dental privacy policies and agrees to take reasonable steps to maintain the confidentiality of PHI that they may have access to in the course of doing business on behalf of Urban Smiles Dental
Definition:
-
A “business associate” is a person or covered Urban Smiles Dental who, on behalf of Urban Smiles Dental creates, receives, maintains, or transmits PHI for a function or activity regulated by the Privacy and/or Security Rules, including but not limited to: claims processing, utilization review, quality assurance, patient safety activities, billing, Provides of legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services to or for Urban Smiles Dental, where the provision of the service involves the disclosure of PHI from Urban Smiles Dental.
-
A Health Information Organization, E-prescribing Gateway or other person that provides data transmission services with respect to PHI to Urban Smiles Dental and that requires access on a routine basis to such PHI;
-
A business associate does NOT include a health care provider with respect to disclosures by Urban Smiles Dental to the health care provider concerning the treatment of an individual.
It is the responsibility of Privacy Officer and/or Office Manager/dentist to determine which persons or entities are “business associates”.
Urban Smiles Dental will execute a valid business associate agreement with each business associate prior to permitting the business associate to access, use or disclose PHI and at all times during the term of the contract with the business associate.
Identifying a breach of unsecured protected health information
Urban Smiles Dental will identify all breaches of unsecured protected health information in order to notify the appropriate parties.
Definition: A Breach” is the acquisition, access, use or disclosure of unsecured PHI that is not permitted by the Privacy Rule that compromises the security or privacy of the PHI.
Process:
-
Urban Smiles Dental will determine whether there has been an acquisition, access, use or disclosure of unsecured PHI that is not permitted by the Privacy Rule.
-
Any such acquisition, access, use or disclosure of unsecured PHI that is not permitted by the Privacy Rule will be presumed to be a “breach” requiring notification under these policies.
-
The nature and extent of the PHI involved, including the types of identifiers
-
E.g., financial information and social security numbers, list of patient names, addresses etc.
-
Whether the PHI was actually acquired or viewed; and whether forensic analysis reveals that the PHI on the laptop stolen and later recovered was not accessed, viewed, transferred or otherwise compromised.
-
Notification of breach to individual(s)
Urban Smiles Dental will notify each individual whose unsecured PHI has been, or is reasonably believed by Urban Smiles Dental to have been, accessed, acquired, used or disclosed as a result of a breach by this office or one of its business associates, in accordance with the procedures for notifying individuals.
Process:
-
Urban Smiles Dental will notify the individual in writing of the breach without unreasonable delay, and in no case later than 60 days after the date of discovery of the breach.
-
The date of discovery of the breach is the first day that this office knew about the breach, or would have known about the breach if they had exercised reasonable diligence in implementing effective internal policies for discovering breaches of unsecured PHI.
-
If any employee or agent of this office (besides the person who committed the breach) knew of the breach, then the date of discovery is the date the employee or agent learned of the breach Urban Smiles Dental will contact an attorney
-
-
The notice to the individual (whether in written or substitute form, as described below) will include the following elements, to the extent possible:
-
A brief description of what happened, including the date of discovery of the breach, if known; A description of the types of unsecured PHI that were involved in the breach (such as whether the individual’s full name, social security number, date of birth, home address).
-
Any steps the individual should take to protect the individual from potential harm resulting from the breach.
-
A brief description of what Urban Smiles Dental is doing to investigate the breach, mitigate harm to individuals, and protect against any further breaches.
-
Contact procedures for the individual to ask questions or learn additional information, which will include a toll-free telephone number, e-mail address, website or postal address.
-
Urban Smiles Dental will send the written notification by first-class mail to the individual at the last known address of the individual, or to the individual’s email address, if the individual has previously agreed to electronic notice.
-
If the individual is deceased, this office will send the written notification to the next of kin or personal representative of the individual, if this office has contact information for the next of kin or personal representative.
-
Additional notification maybe necessary based on legal counsel and state law. This may include media notification and public announcement.
-
Urban Smiles Dental will provide notification of all breaches of unsecured PHI to the Secretary of Health and Human Services.
-
Urban Smiles Dental shall maintain a log of all breaches of unsecured PHI
-
-
The log shall include the following information regarding each breach to the extent possible:
-
Date of the breach;
-
Date of discovery of the breach;
-
Approximate number of individuals affected by the breach;
-
Type of breach;
-
Location of the breached PHI;
-
Type of PHI involved in the breach;
-
Brief description of the breach;
-
Safeguards in place prior to the breach;
-
Dates the individual notice was provided;
-
Whether substitute notice was required;
-
Whether media notice was required; and
-
Actions taken in response to the breach.
-
Physical and Electronic Handling of PHI
Storage and document retention
Urban Smiles Dental will use its best efforts to ensure that documents and other information that is considered PHI is properly maintained and stored.
Process:
On-site storage. Any health records or other forms of PHI that are stored on-site at this office will be protected from unauthorized use, disclosure, or access.
Urban Smiles Dental will take reasonable steps to ensure that there is no authorized access to the information.
-
Document retention. This office will retain the documents for at least 10 years following the date of the last visit. Except for minors who’s files will be retained till the age of 28.
The documents above may be retained in either written or electronic format.
Electronic media. This office will dispose of electronic media containing PHI by clearing or purging all confidential information, including PHI, on any electronic storage media/device in accordance with the HHS guidance prior to the removal or sale of such devices.
Paper, film or other hard copy media. This office will dispose of any paper, film or other hard copy media containing PHI by shredding or destroying it such that it cannot be read or otherwise reconstructed. If a outside company is used this office will enter into a Business Associate Agreement the shredding or destruction company.
Documentation of records destruction. This office will appropriately document
destruction of electronic and hard copy media containing PHI.
Email. Urban Smiles Dental may communicate with patients via encrypted email if appropriate and if the patient consents to such communication (either in writing or orally, followed by documentation). If Urban Smiles Dental communicates with a patient using unencrypted email, Urban Smiles Dental must first notify the patient that there may be some level of risk that the PHI in the unencrypted email could be read by a third party.
Personnel must ensure that the patient’s email address is correct and that PHI is not
inappropriately sent to third parties.
Telephone messages. This office may leave information on a voicemail system, answering machine, or with a person who answers the phone at a number provided by the patient. The information should be limited to the minimum amount necessary. In most cases, it is not be appropriate to leave medical information. Personnel should use discretion, and should not disclose medical information.
Computer passwords, access, and other security
Urban Smiles Dental shall ensure that its computer and electronic security processes are reasonable and compliant with HIPAA. This includes cyber security, password management, firewalls and system review yearly.
-
Employees who need access to electronic PHI on Urban Smiles Dental databases to perform their job functions will be given password access to such databases.
-
If an employee has reason to believe his or her password is compromised, the employee must notify the Security Officer immediately.
-
Employees are not permitted to share their passwords or use another employee’s account login and password in any circumstance.
-
All employees will comply with all security and safe measures in place at this office.