ElderCare Dental, PLC
PO Box 27106
Minneapolis, MN 55427
Effective January 1, 2016

 

Notice of Privacy Practices Regarding Protected Health Information


To our clients:
We are required to give this notice to you under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). This notice describes how dental/medical information about you may be used and disclosed, and how you can get access to this information. Please review it carefully.

A. INTRODUCTION

Eldercare Dental, PLC (“the Company”) is a Business Associate pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”).

Members of the Company’s workforce may have access to protected health information (PHI) received from covered entities.

Protected Health Information. Protected health information means information that is created or received from a covered entity and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual or for which there is a reasonable basis to believe the information can be used to identify the individual. Protected health information includes information of persons living or deceased.

It is the Company’s policy to comply with HIPAA’s requirements for the privacy of PHI. To that end, all members of the Company’s workforce who have access to PHI must comply with this Privacy Policy. For the purposes of this Policy, the Company’s workforce includes individuals who would be considered part of the workforce under HIPAA such as employees, volunteers, trainees, and other persons whose work performance is under the direct control of the Company, whether or not they are paid by the Company. The term “employee” includes all of these types of workers.

No third-party rights are intended to be created by this Policy. The Company reserves the right to amend or change this Policy at any time (and even retroactively) without notice. To the extent this Policy establishes requirements and obligations above and beyond those required by HIPAA or HITECH, the Policy shall be aspirational and shall not be binding upon the Company. To the extent this Policy is in conflict with the HIPAA privacy rules, the HIPAA privacy rules shall govern.

B. THE COMPANY’S RESPONSIBILITIES AS A BUSINESS ASSOCIATE

I. Privacy Official and Contact Person

Robert Gaylord, President, will be the Privacy Official for the Company. The Privacy Official will be responsible for the development and implementation of policies and procedures relating to privacy of the Company’s PHI, including but not limited to this Privacy Policy. The Privacy Official will also serve as the contact person for individuals who have questions, concerns, or complaints about the privacy of their PHI.

The Privacy Official is responsible for ensuring that the Company complies with the provisions of the HIPAA privacy rules regarding business associates, including the requirement that a HIPAA-compliant Business Associate Agreement is in place with covered entities. The Privacy Official shall also be responsible for monitoring compliance with the HIPAA privacy rules and this Privacy Policy.

II. Workforce Training

It is the Company’s policy to train all members of its workforce who have access to PHI on the Company’s Policy and Procedures. The Privacy Official is charged with developing training schedules and programs so that all workforce members receive the training necessary and appropriate to permit them to carry out their Company functions in compliance with HIPAA and HITECH.

III. Safeguards and Firewall

The Company will establish appropriate administrative, technical, and physical safeguards to prevent PHI from intentionally or unintentionally being used or disclosed in violation of HIPAA’s requirements. Administrative safeguards include implementing procedures for use and disclosure of PHI.

Technical safeguards include limiting access to information by creating computer firewalls. Physical safeguards include locking doors or filing cabinets.

Firewalls will ensure that only authorized employees will have access to PHI, that they will have access to only the minimum amount of PHI necessary for Company administrative functions, and that they will not further use or disclose PHI in violation of HIPAA’s privacy rules.

IV. Sanctions for Violations of Privacy Policy

Sanctions for using or disclosing PHI in violation of HIPAA or this HIPAA Privacy Policy will be imposed in accordance with the Company’s discipline policy, up to and including termination.

V. Mitigation of Inadvertent Disclosure of PHI

The Company shall mitigate, to the extent possible, any harmful effects that become known to it from a use or disclosure of an individual’s PHI in violation of HIPAA or the policies and procedures set forth in this Policy. As a result, if an employee or business associate becomes aware of an unauthorized use or disclosure of PHI, either by an employee or a business associate, the employee or business associate must immediately contact the Privacy Official so that appropriate steps to mitigate harm to the participant can be taken.

VI. No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy

No employee may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA.

VII. Documentation

The Company’s privacy policies and procedures shall be documented and maintained for at least six years from the date last in effect. Policies and procedures must be changed as necessary or appropriate to comply with changes in the law, standards, requirements and implementation specifications (including changes and modifications in regulations). Any changes to policies or procedures must be promptly documented.

The documentation of any policies and procedures, actions, activities and designations may be maintained in either written or electronic form. The Company will maintain such documentation for at least six years.

VIII. Workforce Must Comply With Company’s Policy and Procedures

All members of the Company’s workforce (described at the beginning of this Policy and referred to herein as “employees”) who have access to PHI must comply with this Policy.

IX. Breach Notification Requirements

The Company will comply with the requirements of the HITECH Act and its implementing regulations to provide notification to affected individuals, HHS, and the media (when required) if the Company or one of its business associates discovers a breach of unsecured PHI.