ElderCare Dental, PLC
PO Box 27106
Minneapolis, MN 55427
Effective January 1, 2016
Notice of Privacy Practices Regarding Protected Health Information
To our clients: We are required to give this notice to you under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). This notice describes how dental/medical information about you may be used and disclosed, and how you can get access to this information. Please review it carefully.
Eldercare Dental, PLC (“the Company”) is a Business Associate pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”).
Members of the Company’s workforce may have access to protected health information (PHI) received from covered entities.
Protected Health Information. Protected health information means information that is created or received from a covered entity and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or for which there is a reasonable basis to believe the information can be used to identify the individual. Protected health information includes information of persons living or deceased.
No third-party rights are intended to be created by this Policy. The Company reserves the right to amend or change this Policy at any time (and even retroactively) without notice. To the extent this Policy establishes requirements and obligations above and beyond those required by HIPAA or HITECH, the Policy shall be aspirational and shall not be binding upon the Company. To the extent this Policy is in conflict with the HIPAA privacy rules, the HIPAA privacy rules shall govern.
B. THE COMPANY’S RESPONSIBILITIES AS A BUSINESS ASSOCIATE
I. Privacy Official and Contact Person
II. Workforce Training
It is the Company’s policy to train all members of its workforce who have access to PHI on the Company’s Policy and Procedures. The Privacy Official is charged with developing training schedules and programs so that all workforce members receive the training necessary and appropriate to permit them to carry out their Company functions in compliance with HIPAA and HITECH.
III. Safeguards and Firewall
The Company will establish appropriate administrative, technical, and physical safeguards to prevent PHI from intentionally or unintentionally being used or disclosed in violation of HIPAA’s requirements. Administrative safeguards include implementing procedures for use and disclosure of PHI.
Technical safeguards include limiting access to information by creating computer firewalls. Physical safeguards include locking doors or filing cabinets.
Firewalls will ensure that only authorized employees will have access to PHI, that they will have access to only the minimum amount of PHI necessary for Company administrative functions, and that they will not further use or disclose PHI in violation of HIPAA’s privacy rules.
V. Mitigation of Inadvertent Disclosure of PHI
The Company shall mitigate, to the extent possible, any harmful effects that become known to it from a use or disclosure of an individual’s PHI in violation of HIPAA or the policies and procedures set forth in this Policy. As a result, if an employee or business associate becomes aware of an unauthorized use or disclosure of PHI, either by an employee or a business associate, the employee or business associate must immediately contact the Privacy Official so that appropriate steps to mitigate harm to the participant can be taken.
VI. No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy
No employee may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA.
The Company’s privacy policies and procedures shall be documented and maintained for at least six years from the date last in effect. Policies and procedures must be changed as necessary or appropriate to comply with changes in the law, standards, requirements and implementation specifications (including changes and modifications in regulations). Any changes to policies or procedures must be promptly documented.
The documentation of any policies and procedures, actions, activities and designations may be maintained in either written or electronic form. The Company will maintain such documentation for at least six years.
VIII. Workforce Must Comply With Company’s Policy and Procedures
All members of the Company’s workforce (described at the beginning of this Policy and referred to herein as “employees”) who have access to PHI must comply with this Policy.
IX. Breach Notification Requirements
The Company will comply with the requirements of the HITECH Act and its implementing regulations to provide notification to affected individuals, HHS, and the media (when required) if the Company or one of its business associates discovers a breach of unsecured PHI.