This web site is provided for
information and education purposes only. No doctor/patient
relationship is established by your use of this site. No
diagnosis or treatment is being provided. The information
contained here should be used in consultation with a dentist of
your choice. No guarantees or warranties are made regarding any
of the information contained within the web site. This web site
is not intended to offer specific medical or dental advice to
anyone. Mary Shannon,D.D.S. & William D. Harrison, D.D.S., are
licensed to practice in the state of California and this web
site is not intended to solicit patients from other states.
Further, this web site and Mary Shannon,D.D.S. & William D.
Harrison, D.D.S. take no responsibility for web sites
hyper-linked to this site and such hyper-linking does not imply
any relationships or endorsements.
Copyright: Information and names
within this web site may be subject to copyright and trademark
protection with all rights reserved. Duplication or use without
the expressed written permission by Mary Shannon,D.D.S. &
William D. Harrison, D.D.S., subjects the violator to both civil
and criminal penalties.
HEALTH INFORMATION PRIVACY
POLICIES & PROCEDURES
These Health Information Privacy Policies &
Procedures implement our obligations to protect the privacy of
individually identifiable health information that we create,
receive, or maintain as a healthcare provider.
We implement these Health Information Privacy
Policies and Procedures as a matter of sound business practice;
to protect the interests of our patients; and to fulfill our
legal obligations under the Health Insurance Portability and
Accountability Act of 1996 ("HIPAA"), its implementing
regulations at 45 CFR Parts 160 and 164 (65 Fed. Reg 82462 (Dec.
28, 2000)) ("Privacy Rules"), as amended (67 Fed. Reg. 53182
[Aug. 14, 2002]), and state law that provides greater protection
or rights to patients than the Privacy Rules.
As a member of our workforce or as our
Business Associate, you are obligated to follow these Health
Information Privacy Policies & Procedures faithfully. Failure to
do so can result in disciplinary action, including termination
of your employment or affiliation with us.
These Policies & Procedures address the
basics of HIPAA and the Privacy Rules that apply in our dental
practice. They do not attempt to cover everything in the Privacy
Rules. The Policies & Procedures sometimes refer to forms we use
to help implement the policies and to the Privacy Rules
themselves when added detail may be needed.
Please note that while the Privacy Rules
speak in terms of "individual" rights and actions, these
Policies & Procedures use the more familiar word "patient"
instead; "patient" should be read broadly to include prospective
patients, patients of record, former patients, their authorized
representatives, and any other "individuals" contemplated in the
If you have questions or doubts about any use
or disclosure of individually identifiable health information or
about your other obligations under these Health Information
Privacy Policies & Procedures, the Privacy Rules or other
federal or state law, please contact our office. This policy was
adopted effective 4/14/03
Back to Top
1. General Rule: No Use or Disclosure
Our dental office must not use or disclose
protected health information (PHI), except as these Privacy
Policies & Procedures permit or require.
2. Acknowledgement and Optional Consent
Our dental office will make a good faith
effort to obtain a written acknowledgement of receipt of our
Notice of Privacy Practices (see Section 9) from a patient
before we use or disclose his or her protected health
information (PHI) for treatment, to obtain payment for that
treatment, or for our healthcare operations (TPO).
Our dental office’s use or disclosure of PHI
for our payment activities and healthcare operations may be
subject to the minimum necessary requirements (see Section 7).
Our dental office will become familiar with
our state’s privacy laws. If required by our state law, or as
directed by the dentist, we will also seek Consent from a
patient before we use or disclose PHI for TPO purposes – in
addition to obtaining an Acknowledgement of receipt of our
Notice of Privacy Practices.
a) Obtaining Consent – If consent is to be
obtained, upon the individual’s first visit as a patient (or
next visit if already a patient), our dental office will
request and obtain the patient’s written Consent for our use
and disclosure of the patient’s PHI for treatment, payment,
and healthcare operations.
Any consent we obtain must be on our
Consent form, which we may not alter in any way. Our dental
office will include the signed Consent form in the patient’s
b) Exceptions – Our dental office does not
have to obtain the patient’s Consent in emergency treatment
situations; when treatment is required by law; or when
communications barriers prevent consent.
c) Consent Revocation – A patient from whom
we obtain consent may revoke it at any time by written notice.
Our dental office will include the revocation in the patient’s
chart. There is space at the bottom of our Consent form where
the patient can revoke the consent.
d) Applicability – Consent for use or
disclosure of PHI should not be confused with informed consent
for dental treatment. This section applies to our practice.
In some cases we must have proper, written
Authorization from the patient (or the patient’s personal
representative) before we use or disclose a patient’s PHI for
any purpose (except for TPO purposes) or as permitted or
required without consent or authorization (see Sections 3, 4, or
Our dental office will use the Authorization
form. We will always act in strict accordance with an
a) Authorization Revocation – A patient may
revoke an authorization at any time by written notice. Our
dental office will not rely on an Authorization we know has been
b) Authorization from Another Provider – Our
dental office will use or disclose PHI as permitted by a valid
Authorization we receive from another healthcare provider.
Our dental office may rely on that covered
entity to have requested only the minimum necessary protected
PHI. Therefore, our dental office will not make our own "minimum
necessary" determination, unless we know that the Authorization
is incomplete, contains false information, has been revoked, or
c) Authorization Expiration – Our dental
office will not rely on an Authorization we know has expired.
4. Oral Agreement
Our dental office may use or disclose a
patient’s PHI with the patient’s Oral Agreement or if the
patient is unavailable subject to all applicable requirements.
Our dental office may use professional
judgment and our experience with common practice to make
reasonable inferences of the patient’s best interest in allowing
a person to act on behalf of the patient to pick up
dental/medical supplies, X-rays, or other similar forms of PHI.
Back to Top
5. Permitted Without Acknowledgement, Consent
Authorization or Oral Agreement
Our dental office may use or disclose a
patient’s PHI in certain situations, without Authorization or
Oral Agreement. In our dental office, these disclosures are not
likely to be frequent.
a) Verification of Identity – Our dental
office will always verify the identity of any patient, and the
identity and authority of any patient’s personal representative,
government or law enforcement official, or other person, unknown
to us, who requests PHI before we will disclose the PHI to that
Our dental office will obtain appropriate
identification and, if the person is not the patient, evidence
of authority. Examples of appropriate identification include
photographic identification card, government identification card
or badge, and appropriate document on government letterhead. Our
dental office will document the incident and how we responded.
b) Uses or Disclosures Permitted under this
Section 5 – The situations in which our dental office is
permitted to use or disclose PHI in accordance with the
procedures set out in this Section 5 are listed below.
For public health activities;
To health oversight agencies;
To coroners, medical examiners, and funeral
To employers regarding work-related illness
To the military;
To federal officials for lawful
intelligence, counterintelligence, and national security
To correctional institutions regarding
In response to subpoenas and other lawful
To law enforcement officials;
To report abuse, neglect, or domestic
As required by law;
As part of research projects; and
As authorized by state worker’s
6. Required Disclosures
Our dental office will disclose protected
health information (PHI) to a patient (or to the patient’s
personal representative) to the extent that the patient has a
right of access to the PHI (see Section 10); and to the U.S.
Department of Health and Human Services (HHS) on request for
complaint investigation or compliance review.
Our dental office will use the disclosure log
to document each disclosure we make to HHS.
Back to Top
7. Minimum Necessary
Our dental office will make reasonable
efforts to disclose, or request of another covered entity, only
the minimum necessary protected health information (PHI) to
accomplish the intended purpose.
There is no minimum necessary requirement for
disclosures to or requests by one another in our dental office
or by a healthcare provider for treatment; permitted or required
disclosures to, or for disclosure requested and authorized by, a
patient; disclosures to HHS for compliance reviews or complaint
investigations; disclosures required by law; or uses or
disclosures required for compliance with the HIPAA
Administrative Simplification Rules.
a) Routine or Recurring Requests or
Disclosures – Our dental office will follow the policies and
procedures that we adopt to limit our routine or recurring
requests for our disclosures of PHI to the minimum reasonably
necessary for the purpose.
b) Non-Routine or Non-Recurring Requests or
Disclosures – No non-routine or non-recurring request for or
disclosure of PHI will be made until it has been reviewed on a
patient-by-patient basis against our criteria to ensure that
only the minimum necessary PHI for the purpose is requested or
c) Other’s Requests – Our dental office will
rely, if reasonable for the situation, on a request to disclose
PHI being for the minimum necessary, if the requester is: (a) a
covered entity; (b) a professional (including an attorney or
accountant) who provides professional services to our practice,
either as a member of our workforce or as our Business
Associate, and who represents that the requested information is
the minimum necessary; (c) a public official who represents that
the information requested is the minimum necessary; or (d) a
researcher presenting appropriate documentation or making
appropriate representations that the research satisfies the
applicable requirements of the Privacy Rules.
d) Entire Record – Our dental office will not
use, disclose, or request an entire record, except as permitted
in these Policies & Procedures or standard protocols that we
adopt reflecting situations when it is necessary.
e) Minimum Necessary Workforce Use – Our
dental office will use only the minimum necessary PHI needed to
perform our duties.
Back to Top
8. Business Associates
Our dental office will obtain satisfactory
assurance in the form of a written contract that our Business
Associates will appropriately safeguard and limit their use and
disclosure of the protected health information (PHI) we disclose
These Business Associate requirements are not
applicable to our disclosures to a healthcare provider for
treatment purposes. The Business Associate Contract Terms
document contains the terms that federal law requires be
included in each Business Associate Contract.
a.) Breach by Business Associate – If our
dental office learns that a Business Associate has materially
breached or violated its Business Associate Contract with us, we
will take prompt, reasonable steps to see that the breach or
violation is cured.
If the Business Associate does not promptly
and effectively cure the breach or violation, we will terminate
our contract with the Business Associate, or if contract
termination is not feasible, report the Business Associate’s
breach or violation to the U.S. Department of Health and Human
9. Notice of Privacy Practices
Our dental office will maintain a Notice of
Privacy Practices as required by the Privacy Rules.
a) Our Notice – Our dental office will use
and disclose PHI only in conformance with the contents of our
Notice of Privacy Practices. We will promptly revise a Notice of
Privacy Practices whenever there is a material change to our
uses or disclosures of PHI to legal duties, to the patients’
rights or to other privacy practices that render the statements
in that Notice no longer accurate.
Form 1, Notice of Privacy Practices, found in
this Privacy Kit, contains the terms that federal law requires.
b) Distribution of Our Notice – Our dental
office will provide our Notice of Privacy Practices to any
person who requests it, and to each patient no later than the
date of our first service delivery after April 14, 2003.
Our dental office will have our Notice of
Privacy Practices available for patients to take with them. We
will also post our Notice of Privacy Practices in a clear and
prominent location where it is reasonable to expect patients
seeking services from us will be able to read the Notice.
c) Acknowledgement of Notice – Our dental
office will make a good faith effort to obtain from the patient
a written Acknowledgement of receipt of our Notice of Privacy
Our dental office shall use Form 2,
Acknowledgement of Receipt of Notice of Privacy Practices, found
in this Privacy Kit, to obtain the Acknowledgement. If we cannot
obtain written Acknowledgement from the patient, we will use the
form to document our attempt and the reason why written
Acknowledgement was not signed by the patient.
Back to Top
10. Patients’ Rights
Our dental office will honor the rights of
patients regarding their PHI.
a) Access – With rare exceptions, our dental
office must permit patients to request access to the PHI we or
our Business Associates hold.
No PHI will be withheld from a patient
seeking access unless we confirm that the information may be
withheld according to the Privacy Rules. We may offer to provide
a summary of the information in the chart. The patient must
agree in advance to receive a summary and to any fee we will
charge for providing the summary. Our dental office will contact
our Business Associates to retrieve any PHI they may have on the
b) Amendment – Patients have the right to
request to amend their PHI and other records for as long as our
dental office maintains them.
Our dental office may deny a request to amend
PHI or records if: (a) we did not create the information (unless
the patient provides us a reasonable basis to believe that the
originator is not available to act on a request to amend); (b)
we believe the information is accurate and complete; or (c) we
do not have the information.
Our dental office will follow all procedures
required by the Privacy Rules for denial or approval of
amendment requests. We will not, however, physically alter or
delete existing notes in a patient’s chart. We will inform the
patient when we agree to make an amendment, and we will contact
our Business Associates to help assure that any PHI they have on
the patient is appropriately amended. We will contact any
individuals whom the patient requests we alert to any amendment
to the patient’s PHI. We will also contact any individuals or
entities of which we are aware that we have sent erroneous or
incomplete information and who may have acted on the erroneous
or incomplete information to the detriment of the patient.
When we deny a request for an amendment, we
will mark any future disclosures of the contested information in
a way acknowledging the contest.
c) Disclosure Accounting – Patients have the
right to an accounting of certain disclosures our dental office
made of their PHI within the 6 years prior to their request.
Each disclosure we make, that is not for treatment payment or
healthcare operations, must be documented showing the date of
the disclosure, what was disclosed, the purpose of the
disclosure, and the name and (if known) address of each person
or entity to whom the disclosure was made. The Authorization or
other documentation must be included in the patient’s record. We
use the patient’s chart to track each disclosure of PHI as
needed to enable us to fulfill our obligation to account for
We are not required to account for
disclosures we made: (a) before April 14, 2003; (b) to the
patient (or the patient’s personal representative); (c) to or
for notification of persons involved in a patient’s healthcare
or payment for healthcare; (d) for treatment, payment, or
healthcare operations; (e) for national security or intelligence
purposes; (f) to correctional institutions or law enforcement
officials regarding inmates; or (g) according to an
Authorization signed by the patient or the patient’s
representative; (h) incident to another permitted or required
We will temporarily suspend the accounting of
any disclosure when requested to do so pursuant according to the
Privacy Rules by health oversight agencies or law enforcement
officials. We may charge for any accounting that is more
frequent than every 12 months, provided the patient is informed
of the fee before the accounting is provided. We will contact
our Business Associates to assure we include in the accounting
any disclosures made by them for which we must account.
d) Restriction on Use or Disclosure –
Patients have the right to request our dental office to restrict
use or disclosure of their PHI, including for treatment,
payment, or healthcare operations. We have no obligation to
agree to the request, but if we do, we will comply with our
agreement (except in an appropriate dental/medical emergency).
We may terminate an agreement restricting use
or disclosure of PHI by a written notice of termination to the
patient. We will contact our Business Associates whenever we
agree to such a restriction to inform the Business Associate of
the restriction and its obligations to abide by the restriction.
We will document in the patient’s chart any such agreed to
e) Alternative Communications – Patients have
the right to request us to use alternative means or alternative
locations when communicating PHI to them. Our dental office will
accommodate a patient’s request for such alternative
communications if the request is reasonable and in writing.
Our dental office will inform the patient of
our decision to accommodate or deny such a request. If we agree
to such a request, we will inform our Business Associates of the
agreement and provide them with the information necessary to
comply with the agreement.
f) Applicability – Our dental office will be
aware of and respect these patients’ rights regarding their PHI,
even though in most situations patients are unlikely to exercise
Back to Top
11. Staff Training and Management, Complaint
Procedures, Data Safeguards, Administrative Practices
a) Staff Training and Management
* Training – Our dental office will train all
members of our workforce in these Privacy Policies & Procedures,
as necessary and appropriate for them to carry out their
functions. We will complete the privacy training of our existing
workforce by April 14, 2003.
After April 14, 2003, our dental office will
train each new staff member within a reasonable time after the
member starts. We will also retain each staff member whose
functions are affected either by a material change in our
Privacy Policies and Procedures or in the member’s job
functions, within a reasonable time after the change.
Form 7, Staff Review of Policies and
Procedures, can be used to have workforce members acknowledge
they have received and read a copy of these Policies and
*Discipline and Mitigation – Our dental
office will develop, document, disseminate, and implement
appropriate discipline policies for staff members who violate
our Privacy Policies & Procedures, the Privacy Rules, or other
applicable federal or state privacy law.
Staff members who violate our Privacy
Policies & Procedures, the Privacy Rules or other applicable
federal or state privacy law will be subject to disciplinary
action, possibly up to and including termination of employment.
b) Complaints – Our dental office will
implement procedures for patients to complain about our
compliance with our Privacy Policies and Procedures or the
Privacy Rules. We will also implement procedures to investigate
and resolve such complaints.
The Complaint form can be used by the patient
to lodge the complaint. Each complaint received must be referred
to management immediately for investigation and resolution. We
will not retaliate against any patient or workforce member who
files a Complaint in good faith.
c) Data Safeguards – Our dental office will
"add to" and strengthen these Privacy Policies & Procedures with
such additional data security policies and procedures as are
needed to have reasonable and appropriate administrative,
technical, and physical safeguards in place to ensure the
integrity and confidentiality of the PHI we maintain.
Our dental office will take reasonable steps
to limit incidental uses and disclosures of PHI made according
to an otherwise permitted or required use or disclosure.
d) Documentation and Record Retention – Our
dental office will maintain in written or electronic form all
documentation required by the Privacy Rules for six years from
the date of creation or when the document was last in effect,
whichever is greater.
e) Privacy Policies & Procedures – Only
Mary Shannon,D.D.S. & William
D. Harrison, D.D.S.. may change these
Privacy Policies & Procedures.
Back to Top
12. State Law Compliance
Our dental office will comply with the
privacy laws of each state that has jurisdiction over our
practice, or its actions involving protected health information
(PHI), that provide greater protections or rights to patients
than the Privacy Rules.
13. HHS Enforcement
Our dental office will give the U.S.
Department of Health and Human Services (HHS) access to our
facilities, books, records, accounts, and other information
sources (including individually identifiable health information
without patient authorization or notice) during normal business
hours (or at other times without notice if HHS presents
appropriate lawful administrative or judicial process).
We will cooperate with any compliance review
or complaint investigation by HHS, while preserving the rights
of our practice.
14. Designated Personnel
Our dental office will designate a Privacy
Officer and other responsible persons as required by the Privacy
Back to Top