HIPAA PRIVACY PROGRAM POLICY/PROCEDURE FOR PRIVACY OFFICER

1.      Purpose:

To comply with the Administrative Safeguards of HIPAA Privacy, to secure and maintain the confidentiality of Protected Health Information, maintain sensitive organizational information at Mark L. Civin, D.D.S., P.A. and prevent and detect inappropriate and illegal uses and disclosures.

2.      Policy:

Mark L. Civin, D.D.S., P.A. shall be responsible for implementation of the administrative requirements under the Federal HIPAA Privacy Rule.

Mark L. Civin, D.D.S., P.A. will designate a privacy official to be responsible for the development and implementation of the policies and procedures of Mark L. Civin, D.D.S., P.A..

  1. Definitions:
    1. HIPAA: Health Insurance Portability and Accountability Act of 1996.
    2. Individually Identifiable Health Information (IIHI): Under Section 160.103 of HIPAA, IIHI is defined as information that is a subset of health information, including demographic information collected from an individual, and:
      1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse.
      2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
  • That identifies the individual.
  1. With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
  2. IIHI includes identifiers of the patient, relatives, employers, or household members such as the following (§164.514):
    1. Geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code (except for the initial 3 digits of a zip code if, according to the current publicly available data from the Bureaus of the Census all zip codes with the same 3 initial digits contains more than 20,000 people).
    2. All elements of dates (except year) directly related to an individual, including birth date, admission date, discharge date, date of death, all ages over 89 and all elements of dates indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
    3. Telephone numbers.
    4. Fax numbers.
    5. Email addresses.
    6. Social security numbers.
    7. Medical record numbers.
    8. Health plan beneficiary numbers.
    9. Account numbers.
    10. Certificate/license numbers.
    11. Vehicle identifiers and serial numbers, including license plate numbers.
    12. Device identifiers and serial numbers.
    13. Biometric identifiers, including finger and voice prints.
    14. Full face photographic images and any comparable images.
    15. Any other unique identifying number, characteristic, or code.
  3. Protected Health Information (PHI): Under Section 164.501 of HIPAA, PHI means IIHI that is transmitted and maintained in electronic media or in any other form or medium.
  4. Designated Record Set: In compliance with §164.524 contained within the Privacy Rule of the Administrative Simplification provisions of HIPAA, Mark L. Civin, D.D.S., P.A. maintains a designated record set (DRS). The designated record set includes medical and billing records that patients and/or their personal representatives have the right to access, inspect, and copy.  Records include any item, collection, or grouping of information that includes PHI and is maintained, collected, used, or disseminated by or for a  provider (§164.501).
  5. Individual: For purposes of HIPAA, an individual is the patient and his/her legal Personal Representative (§164.502(g)).
  6. Personal Representative: A person, who under law, has the authority to act on behalf of a patient in making decisions related to health care (i.e. a parent, guardian, or legal custodian). Personal Representatives may have access to and/or request amendment of PHI relevant to their representative capacity unless there is a reasonable belief that the patient has been or may be subjected to domestic violence, abuse, or neglect by such person, the release could endanger the patient, or in the exercise of professional judgment it is decided that it is not in the best interest of the patient to treat the person as the patient’s personal representative [§164.502(g)].
  7. Treatment: The provision, coordination, or management of health care and related services, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another (§164.501).
  8. Payment: Activities undertaken by Mark L. Civin, D.D.S., P.A. to obtain or provide reimbursement for the provision of health care.  Activities for payment include eligibility of coverage determination, billing, claims management, collection activities, utilization review including precertification, preauthorization, concurrent, and retrospective review of services, and specified disclosures to consumer reporting agencies (§164.501).
  9. Health Care Operations: Quality assessment and improvement activities; reviewing the competence, qualifications, performance of health care professionals, conducting training programs, accreditation, certification, licensing, credentialing, underwriting, premium rating, and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits; conducting or arranging for medical review, legal services, and audition functions; business planning and development; business management (§164.501).
  10. Provider: Under Section 160.103 of HIPAA, a provider of medical or health services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u) and 1861(s) of the Act, 42 U.S.C. 1395x(s)) and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business. Providers are those contracted, subcontracted, or employed by Mark L. Civin, D.D.S., P.A. who provide services on behalf of Mark L. Civin, D.D.S., P.A..
  1. Procedures:
    1. Mark L. Civin, D.D.S., P.A. is committed to complying with the HIPAA Privacy Rule and maintaining the confidentiality of patients’ PHI through appropriate, authorized access, uses, and disclosures.
    2. Mark L. Civin, D.D.S., P.A. and its business affiliates create, store, maintain, use, transmit, collect and disseminate PHI in an environment that promotes confidentiality and integrity without compromising PHI.
    3. Confidentiality policies and procedures are reinforced throughout Mark L. Civin, D.D.S., P.A. and followed by all physicians, employees, and business associates.
    4. The Office Manager oversees the HIPAA Privacy program.
    5. The Office Manager is responsible for the following functions which support compliance with the HIPAA Privacy Rule, patient confidentiality, access laws and Mark L. Civin, D.D.S., P.A. policies and procedures pertaining to them:
      1. Maintain working knowledge of legislative and regulatory initiatives. Interpret and translate requirements for implementation.
      2. Establish and maintain written policies and procedures that place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI from intentional or unintentional uses and disclosures.
        • Update policies and procedures as necessary and appropriate, and in compliance with Mark L. Civin, D.D.S., P.A. Notice of Privacy Practices, to comply with changes in the law.
        • Make necessary changes to Mark L. Civin, D.D.S., P.A. Notice of Privacy Practices.
        • Maintain policies and procedures (including any changes made) in written or electronic form for six years from the date of its creation or the date when it last was in effect, whichever is later.
        • Make all reasonable efforts to limit incidental uses and disclosures.
        • Provide training, for anyone coming into contact with PHI, on the established policies and procedures as necessary and appropriate to carry out their job functions and document the training provided.
          • To each employee by no later than the compliance date for Mark L. Civin, D.D.S., P.A..
          • To new employees during their first month of employment.
          • To existing employees annually.
          • To existing employees whose functions are affected by a change in the policies and procedures, within a month after the change comes into effect.
        • Maintain a program encouraging employees and patients to report complaints concerning compliance of the law and Mark L. Civin, D.D.S., P.A. policies and procedures to Office Manager.
        • Promptly and properly investigate and address reported violations, taking steps to prevent recurrence.
        • Document all complaints and follow up documentation [164.530(d)(2)].
        • Assure there will be no intimidation, threats, coercion, discrimination against, or any other retaliatory action as a consequence to anyone who makes reports or participates in an investigation of violations in good faith [164.530(g)].
        • Mitigate, to the extent practicable, any harmful effect that is known to the Mark L. Civin, D.D.S., P.A. of a use or disclosure of PHI in violation of its policies and procedures or the requirements of the law by Mark L. Civin, D.D.S., P.A. or its business associate [164.530(f)].
        • Consistently enforce the law and Mark L. Civin, D.D.S., P.A. policies and procedures through appropriate disciplinary mechanisms [164.530(e)].
        • Document and file all actions taken against employees who failed to comply with the policies and procedures [164.530(e)(2)].
        • Monitor, audit, and reinforce compliance with the law and Mark L. Civin, D.D.S., P.A. policies and procedures.
        • Cooperate with the Office of Civil Rights, other legal entities, and organization officers in any compliance reviews or investigations.
        • Provide assistance to patients and employees about the law and Mark L. Civin, D.D.S., P.A. policies and procedures [§164.530(a)(1)(ii)].
        • Ensure that there are no attempts to require individuals to waive their legal rights as a condition of the provision of treatment or payment [164.530(h)].
        • Implement, Distribute and Maintain the Notice of Privacy Practices [164.520(a-e)].
          • Maintain a copy of the Notice (including changes made) for six years from the date when it was last in effect.
          • Update the Notice to reflect changes in the law or Mark L. Civin, D.D.S., P.A. policies and procedures.
          • Distribute the Notice.
          • Direct questions regarding the Notice to Office Manager.
        • Mark L. Civin, D.D.S., P.A. will implement, monitor and maintain Business Associate Agreements with affiliate business entities when required by law.
  • Documentation:
    1. All documentation related to and/or required by HIPAA, including but not limited to compliance enforcement activities such as training, policies and procedures, complaint investigations, designated record sets, etc. are maintained for six years from the date of creation, or the date it was last in effect, whichever is later [164.530(j)]. Documentation may be maintained in written or electronic form [§164.530(j)(1)(ii)].

For any questions regarding this policy please contact us:

Dentist in Palm Beach Gardens

Mark L. Civin, D.D.S., P.A.
5600 PGA. Boulevard #102
Palm Beach Gardens, FL 33418
(561) 258-9037

Read our Paitent Bill of Rights