This web site is provided for
information and education purposes only. No doctor/patient
relationship is established by your use of this site. No
diagnosis or treatment is being provided. The information
contained here should be used in consultation with a dentist
of your choice. No guarantees or warranties are made
regarding any of the information contained within the web
site. This web site is not intended to offer specific medical
or dental advice to anyone. Dr. Frank Ferrara is
licensed to practice in the state of New York and this web
site is not intended to solicit patients from other states.
Further, this web site and Dr. Frank Ferrara take no
responsibility for web sites hyper-linked to this site and
such hyper-linking does not imply any relationships or
Copyright: Information and names
within this web site may be subject to copyright and trademark
protection with all rights reserved. Duplication or use
without the expressed written permission by Frank Ferrara, D.M.D., subjects the violator to both civil and
HEALTH INFORMATION PRIVACY
POLICIES & PROCEDURES
These Health Information Privacy Policies &
Procedures implement our obligations to protect the privacy of
individually identifiable health information that we create,
receive, or maintain as a healthcare provider.
We implement these Health Information
Privacy Policies and Procedures as a matter of sound business
practice; to protect the interests of our patients; and to
fulfill our legal obligations under the Health Insurance
Portability and Accountability Act of 1996 ("HIPAA"), its
implementing regulations at 45 CFR Parts 160 and 164 (65 Fed.
Reg. 82462 (Dec. 28, 2000)) ("Privacy Rules"), as amended (67
Fed. Reg. 53182 [Aug. 14, 2002]), and state law that provides
greater protection or rights to patients than the Privacy
As a member of our workforce or as our
Business Associate, you are obligated to follow these Health
Information Privacy Policies & Procedures faithfully. Failure
to do so can result in disciplinary action, including
termination of your employment or affiliation with us.
These Policies & Procedures address the
basics of HIPAA and the Privacy Rules that apply in our dental
practice. They do not attempt to cover everything in the
Privacy Rules. The Policies & Procedures sometimes refer to
forms we use to help implement the policies and to the Privacy
Rules themselves when added detail may be needed.
Please note that while the Privacy Rules
speak in terms of "individual" rights and actions, these
Policies & Procedures use the more familiar word "patient"
instead; "patient" should be read broadly to include
prospective patients, patients of record, former patients,
their authorized representatives, and any other "individuals"
contemplated in the Privacy Rules.
If you have questions or doubts about any
use or disclosure of individually identifiable health
information or about your other obligations under these Health
Information Privacy Policies & Procedures, the Privacy Rules
or other federal or state law, please contact our office. This
policy was adopted effective 4/14/03.
1. General Rule: No Use or Disclosure
Our dental office must not use or
disclose protected health information (PHI), except as
these Privacy Policies & Procedures permit or require.
2. Acknowledgement and Optional Consent
Our dental office will make a good faith
effort to obtain a written acknowledgement of receipt of our
Notice of Privacy Practices (see Section 9) from a
patient before we use or disclose his or her protected health
information (PHI) for treatment, to obtain payment for that
treatment, or for our healthcare operations (TPO).
Our dental office’s use or disclosure of
PHI for our payment activities and healthcare operations may
be subject to the minimum necessary requirements (see Section
Our dental office will become familiar with
our state’s privacy laws. If required by our state law, or as
directed by the dentist, we will also seek Consent from
a patient before we use or disclose PHI for TPO purposes – in
addition to obtaining an Acknowledgement of receipt of our
Notice of Privacy Practices.
a) Obtaining Consent
– If consent is to be obtained, upon the
individual’s first visit as a patient (or next visit if
already a patient), our dental office will request and
obtain the patient’s written Consent for our use and
disclosure of the patient’s PHI for treatment, payment, and
Any consent we obtain must be on our
Consent form, which we may not alter in any way. Our
dental office will include the signed Consent form in
the patient’s chart.
Exceptions – Our dental office does not have to obtain
the patient’s Consent in emergency treatment situations;
when treatment is required by law; or when communications
barriers prevent consent.
Consent Revocation – A patient from whom we obtain
consent may revoke it at any time by written notice. Our
dental office will include the revocation in the patient’s
chart. There is space at the bottom of our Consent
form where the patient can revoke the consent.
– Consent for use or disclosure of PHI should not be confused
with informed consent for dental treatment. This section
applies to our practice.
In some cases we must have proper, written
Authorization from the patient (or the patient’s
personal representative) before we use or disclose a patient’s
PHI for any purpose (except for TPO purposes) or as permitted
or required without consent or authorization (see Sections 3,
4, or 5).
Our dental office will use the
Authorization form. We will always act in strict
accordance with an Authorization.
Authorization Revocation – A patient may revoke an
authorization at any time by written notice. Our dental office
will not rely on an Authorization we know has been
Authorization from Another Provider – Our dental office
will use or disclose PHI as permitted by a valid
Authorization we receive from another healthcare provider.
Our dental office may rely on that covered
entity to have requested only the minimum necessary
PHI. Therefore, our dental office will not make our own
"minimum necessary" determination, unless we know that the
Authorization is incomplete, contains false information,
has been revoked, or has expired.
Authorization Expiration – Our dental office will not rely
on an Authorization we know has expired.
4. Oral Agreement
Our dental office may use or disclose a
patient’s PHI with the patient’s Oral Agreement or if
the patient is unavailable subject to all applicable
Our dental office may use professional
judgment and our experience with common practice to make
reasonable inferences of the patient’s best interest in
allowing a person to act on behalf of the patient to pick up
dental/medical supplies, X-rays, or other similar forms of
5. Permitted Without Acknowledgement,
Consent, Authorization or Oral Agreement
Our dental office may use or disclose a
patient’s PHI in certain situations, without Authorization
or Oral Agreement. In our dental office, these
disclosures are not likely to be frequent.
a) Verification of Identity
– Our dental office will always verify the identity of any
patient, and the identity and authority of any patient’s
personal representative, government or law enforcement
official, or other person, unknown to us, who requests PHI
before we will disclose the PHI to that person.
Our dental office will obtain appropriate
identification and, if the person is not the patient, evidence
of authority. Examples of appropriate identification include
photographic identification card, government identification
card or badge, and appropriate document on government
letterhead. Our dental office will document the incident and
how we responded.
b) Uses or
Disclosures Permitted under this Section 5 – The
situations in which our dental office is permitted to use or
disclose PHI in accordance with the procedures set out in this
Section 5 are listed below.
For public health activities;
To health oversight agencies;
To coroners, medical examiners, and
To employers regarding work-related
illness or injury;
To the military;
To federal officials for lawful
intelligence, counterintelligence, and national security
To correctional institutions regarding
In response to subpoenas and other lawful
To law enforcement officials;
To report abuse, neglect, or domestic
As required by law;
As part of research projects; and
As authorized by state worker’s
6. Required Disclosures
Our dental office will disclose protected
health information (PHI) to a patient (or to the patient’s
personal representative) to the extent that the patient has a
right of access to the PHI (see Section 10); and to the U.S.
Department of Health and Human Services (HHS) on request for
complaint investigation or compliance review.
Our dental office will use the disclosure
log to document each disclosure we make to HHS.
7. Minimum Necessary
Our dental office will make reasonable
efforts to disclose, or request of another covered entity,
only the minimum necessary protected health information
(PHI) to accomplish the intended purpose.
There is no minimum necessary
requirement for disclosures to or requests by one another in
our dental office or by a healthcare provider for treatment;
permitted or required disclosures to, or for disclosure
requested and authorized by, a patient; disclosures to HHS for
compliance reviews or complaint investigations; disclosures
required by law; or uses or disclosures required for
compliance with the HIPAA Administrative Simplification Rules.
a) Routine or Recurring Requests or
Disclosures – Our dental office
will follow the policies and procedures that we adopt to limit
our routine or recurring requests for or disclosures of PHI
to the minimum reasonably necessary for the purpose.
b) Non-Routine or Non-Recurring Requests or
Disclosures – No non-routine or
non-recurring request for or disclosure of PHI will be made
until it has been reviewed on a patient-by-patient basis
against our criteria to ensure that only the minimum necessary
PHI for the purpose is requested or disclosed.
c) Others’ Requests
– Our dental office will rely, if reasonable for the
situation, on a request to disclose PHI being for the minimum
necessary, if the requester is: (a) a covered entity; (b) a
professional (including an attorney or accountant) who
provides professional services to our practice, either as a
member of our workforce or as our Business Associate,
and who represents that the requested information is the
minimum necessary; (c) a public official who represents that
the information requested is the minimum necessary; or (d) a
researcher presenting appropriate documentation or making
appropriate representations that the research satisfies the
applicable requirements of the Privacy Rules.
d) Entire Record
– Our dental office will not use, disclose, or request an
entire record, except as permitted in these Policies &
Procedures or standard protocols that we adopt reflecting
situations when it is necessary.
e) Minimum Necessary Workforce Use
– Our dental office will use only the minimum necessary PHI
needed to perform our duties.
8. Business Associates
Our dental office will obtain satisfactory
assurance in the form of a written contract that our
Business Associates will appropriately safeguard and limit
their use and disclosure of the protected health information
(PHI) we disclose to them.
These Business Associate
requirements are not applicable to our disclosures to a
healthcare provider for treatment purposes. The Business
Associate Contract Terms document contains the terms that
federal law requires be included in each Business Associate
a) Breach by
Business Associate – If our dental office learns that a
Business Associate has materially breached or violated its
Business Associate Contract with us, we will take
prompt, reasonable steps to see that the breach or violation
If the Business Associate does not
promptly and effectively cure the breach or violation, we will
terminate our contract with the Business Associate, or
if contract termination is not feasible, report the
Business Associate’s breach or violation to the U.S.
Department of Health and Human Services (HHS).
9. Notice of Privacy Practices
Our dental office will maintain a Notice
of Privacy Practices as required by the Privacy Rules.
a) Our Notice
– Our dental office will use and disclose PHI only in
conformance with the contents of our Notice of Privacy
Practices. We will promptly revise a Notice of Privacy
Practices whenever there is a material change to our uses
or disclosures of PHI, to legal duties, to the patients’ rights,
or to other privacy practices that render the statements in
that Notice no longer accurate.
Form 1, Notice of Privacy Practices, found
in this Privacy Kit, contains the terms that federal law
b) Distribution of Our Notice
– Our dental office will provide our Notice of Privacy
Practices to any person who requests it, and to each
patient no later than the date of our first service delivery
after April 14, 2003.
Our dental office will have our Notice
of Privacy Practices available for patients to take with
them. We will also post our Notice of Privacy Practices
in a clear and prominent location where it is reasonable to
expect patients seeking services from us will be able to read
c) Acknowledgement of Notice
– Our dental office will make a good faith effort to obtain
from the patient a written Acknowledgement of receipt of our
Notice of Privacy Practices.
Our dental office shall use Form 2,
Acknowledgement of Receipt of Notice of Privacy Practices,
found in this Privacy Kit, to obtain the Acknowledgement. If
we cannot obtain written Acknowledgement from the patient, we
will use the form to document our attempt and the reason why
written Acknowledgement was not signed by the patient.
10. Patients’ Rights
Our dental office will honor the rights of
patients regarding their PHI.
a) Access –
With rare exceptions, our dental office must permit patients
to request access to the PHI we or our Business Associates
No PHI will be withheld from a patient
seeking access unless we confirm that the information may be
withheld according to the Privacy Rules. We may offer to
provide a summary of the information in the chart. The patient
must agree in advance to receive a summary and to any fee we
will charge for providing the summary. Our dental office will
contact our Business Associates to retrieve any PHI
they may have on the patient.
– Patients have the right to request to amend their PHI and
other records for as long as our dental office maintains them.
Our dental office may deny a request to
amend PHI or records if: (a) we did not create the information
(unless the patient provides us a reasonable basis to believe
that the originator is not available to act on a request to
amend); (b) we believe the information is accurate and
complete; or (c) we do not have the information.
Our dental office will follow all
procedures required by the Privacy Rules for denial or
approval of amendment requests. We will not, however,
physically alter or delete existing notes in a patient’s
chart. We will inform the patient when we agree to make an
amendment, and we will contact our Business Associates
to help assure that any PHI they have on the patient is
appropriately amended. We will contact any individuals whom
the patient requests we alert to any amendment to the
patient’s PHI. We will also contact any individuals or
entities of which we are aware that we have sent erroneous or
incomplete information and who may have acted on the erroneous
or incomplete information to the detriment of the patient.
When we deny a request for an amendment, we
will mark any future disclosures of the contested information
in a way acknowledging the contest.
Accounting – Patients have the right to an accounting
of certain disclosures our dental office made of their PHI
within the 6 years prior to their request. Each disclosure we
make that is not for treatment, payment, or healthcare
operations, must be documented showing the date of the
disclosure, what was disclosed, the purpose of the disclosure,
and the name and (if known) address of each person or entity
to whom the disclosure was made. The Authorization or
other documentation must be included in the patient’s record.
We use the patient’s chart to track each disclosure of PHI as
needed to enable us to fulfill our obligation to account for
We are not required to account for
disclosures we made: (a) before April 14, 2003; (b) to the
patient (or the patient’s personal representative); (c) to or
for notification of persons involved in a patient’s healthcare
or payment for healthcare; (d) for treatment, payment, or
healthcare operations; (e) for national security or
intelligence purposes; (f) to correctional institutions or law
enforcement officials regarding inmates; or (g) according to
an Authorization signed by the patient or the patient’s
representative; (h) incident to another permitted or required
We will temporarily suspend the accounting
of any disclosure when requested to do so according
to the Privacy Rules by health oversight agencies or law
enforcement officials. We may charge for any accounting that
is more frequent than every 12 months, provided the patient is
informed of the fee before the accounting is provided. We will
contact our Business Associates to assure we include in
the accounting any disclosures made by them for which we must
d) Restriction on Use or Disclosure
– Patients have the right to request our dental office to
restrict use or disclosure of their PHI, including for
treatment, payment, or healthcare operations. We have no
obligation to agree to the request, but if we do, we will
comply with our agreement (except in an appropriate
We may terminate an agreement restricting
use or disclosure of PHI by a written notice of termination to
the patient. We will contact our Business Associates
whenever we agree to such a restriction to inform the
Business Associate of the restriction and its obligations
to abide by the restriction. We will document in the patient’s
chart any such agreed-to restrictions.
e) Alternative Communications –
Patients have the right to request us to use alternative means
or alternative locations when communicating PHI to them. Our
dental office will accommodate a patient’s request for such
alternative communications if the request is reasonable and in
Our dental office will inform the patient
of our decision to accommodate or deny such a request. If we
agree to such a request, we will inform our Business
Associates of the agreement and provide them with the
information necessary to comply with the agreement.
– Our dental office will be aware of and respect these
patients’ rights regarding their PHI, even though in most
situations patients are unlikely to exercise them.
11. Staff Training and Management,
Complaint Procedures, Data Safeguards, Administrative
a) Staff Training and Management
* Training –
Our dental office will train all members of our workforce in
these Privacy Policies & Procedures, as necessary and
appropriate for them to carry out their functions. We will
complete the privacy training of our existing workforce by
April 14, 2003.
After April 14, 2003, our dental office
will train each new staff member within a reasonable time
after the member starts. We will also retrain each staff member
whose functions are affected either by a material change in
our Privacy Policies and Procedures or in the member’s job
functions, within a reasonable time after the change.
Form 7, Staff Review of Policies and
Procedures, can be used to have workforce members
acknowledge they have received and read a copy of these
Policies and Procedures.
* Discipline and Mitigation
– Our dental office will develop, document, disseminate, and
implement appropriate discipline policies for staff members
who violate our Privacy Policies & Procedures, the Privacy
Rules, or other applicable federal or state privacy law.
Staff members who violate our Privacy
Policies & Procedures, the Privacy Rules or other applicable
federal or state privacy law will be subject to disciplinary
action, possibly up to and including termination of
– Our dental office will implement procedures for patients to
complain about our compliance with our Privacy Policies and
Procedures or the Privacy Rules. We will also implement
procedures to investigate and resolve such complaints.
The Complaint form can be used by
the patient to lodge the complaint. Each complaint received
must be referred to management immediately for investigation
and resolution. We will not retaliate against any patient or
workforce member who files a Complaint in good faith.
c) Data Safeguards
– Our dental office will "add to" and strengthen these Privacy
Policies & Procedures with such additional data security
policies and procedures as are needed to have reasonable and
appropriate administrative, technical, and physical safeguards
in place to ensure the integrity and confidentiality of the
PHI we maintain.
Our dental office will take reasonable
steps to limit incidental uses and disclosures of PHI made
according to an otherwise permitted or required use or
d) Documentation and Record Retention
– Our dental office will maintain in written or electronic
form all documentation required by the Privacy Rules for six
years from the date of creation or when the document was last
in effect, whichever is greater.
e) Privacy Policies & Procedures
– Only Dr. Frank Ferrara may change these Privacy
Policies & Procedures.
12. State Law Compliance
Our dental office will comply with the
privacy laws of each state that has jurisdiction over our
practice, or its actions involving protected health
information (PHI), that provide greater protections or rights
to patients than the Privacy Rules.
13. HHS Enforcement
Our dental office will give the U.S.
Department of Health and Human Services (HHS) access to our
facilities, books, records, accounts, and other information
sources (including individually identifiable health
information without patient authorization or notice) during
normal business hours (or at other times without notice if HHS
presents appropriate lawful administrative or judicial
We will cooperate with any compliance
review or complaint investigation by HHS, while preserving the
rights of our practice.
14. Designated Personnel
Our dental office will designate a Privacy
Officer and other responsible persons as required by the