THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
PLEASE READ IT CAREFULLY.
NOTICE OF PRIVACY POLICY
Effective February 22, 2013
The following is the privacy policy (“Privacy Policy”) of Vivek Doppalapudi DDS MS PC (“Covered Entity”) as described in the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder, commonly known as HIPAA. HIPAA requires Covered Entity by law to maintain the privacy of your personal health information and to provide you with notice of Covered Entity’s legal duties and privacy policies with respect to your personal health information. We are required by law to abide by the terms of this Privacy Notice.
Your Personal Health Information
We collect personal health information from you through treatment, payment and related healthcare operations, the application and enrollment process, and/or healthcare providers or health plans, or through other means, as applicable. Your personal health information that is protected by law broadly includes any information, oral, written or recorded, that is created or received by certain health care entities, including health care providers, such as physicians and hospitals, as well as health insurance companies or plans. The law specifically protects health information that contains data, such as your name, address, social security number, and other identifiers, that could be used to identify you as the individual patient who is associated with that health information.
Uses or Disclosures of Your Personal Health Information
Generally, we may not use or disclose your personal health information without your permission. Further, once your permission has been obtained, we must use or disclose your personal health information in accordance with the specific terms of that permission. The following are the circumstances under which we are permitted by law to use or disclose your personal health information.
Without Your Consent
Without your consent, we may use or disclose your personal health information in order to provide you with services and the treatment you require or request, or to collect payment for those services, and to conduct other related health care operations otherwise permitted or required by law. Also, we are permitted to disclose your personal health information within and among our workforce in order to accomplish these same purposes. However, even with your permission, we are still required to limit such uses or disclosures to the minimum amount of personal health information that is reasonably required to provide those services or complete those activities.
Examples of treatment activities include: (a) the provision, coordination, or management of health care and related services by health care providers; (b) consultation between health care providers relating to a patient; or (c) the referral of a patient for health care from one health care provider to another.
Examples of payment activities include: (a) billing and collection activities and related data processing; (b) actions by a health plan or insurer to obtain premiums or to determine or fulfill its responsibilities for coverage and provision of benefits under its health plan or insurance agreement, determinations of eligibility or coverage, adjudication or subrogation of health benefit claims; (c) medical necessity and appropriateness of care reviews, utilization review activities; and (d) disclosure to consumer reporting agencies of information relating to collection of premiums or reimbursement.
Examples of health care operations include:
(a) development of clinical guidelines; (b) contacting patients with information about treatment alternatives or communications in connection with case management or care coordination; (c) reviewing the qualifications of and training health care professionals; (d) underwriting and premium rating; (e) medical review, legal services, and auditing functions; and (f) general administrative activities such as customer service and data analysis.
As Required By Law
We may use or disclose your personal health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law. Examples of instances in which we are required to disclose your personal health information include: (a) public health activities, including preventing or controlling disease or other injury, public health surveillance or investigations, reporting adverse events with respect to food or dietary supplements or product defects or problems to the Food and Drug Administration, and medical surveillance of the workplace or evaluation of whether an individual has a work-related illness or injury in order to comply with Federal or state law; (b) disclosures regarding victims of abuse, neglect, or domestic violence, including reporting to social service or protective services agencies; (c) health oversight activities, including audits, civil, administrative, or criminal investigations, inspections, licensure or disciplinary actions, civil, administrative, or criminal proceedings or actions, or other activities necessary for appropriate oversight of government benefit programs; (d) judicial and administrative proceedings in response to an order of a court or administrative tribunal, a warrant, subpoena, discovery request, or other lawful process; (e) law enforcement purposes, such as identifying or locating a suspect, fugitive, material witness, or missing person, reporting crimes in emergencies, or reporting a death; (f) disclosures about decedents for purposes of cadaveric donation of organs, eyes or tissue; (g) research purposes under certain conditions; (h) averting a serious threat to health or safety; (i) military and veterans activities; (j) national security and intelligence activities, and protective services for the President and others; (k) medical suitability determinations by entities that are components of the Department of State; (l) correctional institutions and other law enforcement custodial situations; and (m) covered entities that are government programs providing public benefits, and workers’ compensation.
All Other Situations, With Your Specific Authorization
Except as otherwise permitted or required, as described above, we may not use or disclose your personal health information without your written authorization. Further, we are required to use or disclose your personal health information consistent with the terms of your authorization. You may revoke your authorization to use or disclose any personal health information at any time, except to the extent that we have taken action in reliance on such authorization, or, if you provided the authorization as a condition of obtaining insurance coverage, other law provides the insurer with the right to contest a claim under the policy.
Miscellaneous Activities, Notice
We may contact you to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to you. We may contact you to raise funds for Covered Entity. If we are a group health plan or health insurance issuer or HMO with respect to a group health plan, we may disclose your personal health information to the sponsor of the plan.
Your Rights With Respect to Your Personal Health Information
Under HIPAA, you have certain rights with respect to your personal health information. The following is a brief overview of your rights and our duties with respect to enforcing those rights.
Right To Request Restrictions On Use Or Disclosure
You have the right to request restrictions on certain uses and disclosures of your personal health information. You may request restrictions on the following uses or disclosures: (a) uses or disclosures to carry out treatment, payment, or healthcare operations; (b) disclosures to family members, relatives, or close personal friends of personal health information directly relevant to your care or payment related to your health care, or your location, general condition, or death; (c) disclosures in instances in which you are not present or your permission cannot practicably be obtained due to your incapacity or an emergency circumstance; (d) permitting other persons to act on your behalf to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of personal health information; or (e) disclosure to a public or private entity authorized by law or by its charter to assist in disaster relief efforts.
While we are not required to agree to any requested restriction, if we agree to a restriction, we are bound not to use or disclose your personal health information in violation of such restriction, except in certain emergency situations. We will not accept a request to restrict uses or disclosures that are otherwise required by law.
Right To Receive Confidential Communications
You have the right to receive confidential communications of your personal health information. We may require written requests. We may condition the provision of confidential communications on you providing us with information as to how payment will be handled and specification of an alternative address or other method of contact. We may require that a request contain a statement that disclosure of all or a part of the information to which the request pertains could endanger you. We may not require you to provide an explanation of the basis for your request as a condition of providing communications to you on a confidential basis. We must permit you to request and must accommodate reasonable requests by you to receive communications of personal health information from us by alternative means or at alternative locations. If we are a health care plan, we must permit you to request and must accommodate reasonable requests by you to receive communications of personal health information from us by alternative means or at alternative locations if you clearly state that the disclosure of all or part of that information could endanger you.
Right To Inspect And Copy Your Personal Health Information
Your designated record set is a group of records we maintain that includes medical records and billing records about you, or enrollment, payment, claims adjudication, and case or medical management record systems, as applicable. You have the right of access in order to inspect and obtain a copy of your personal health information contained in your designated record set, except for (a) psychotherapy notes, (b) information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding, and (c) health information maintained by us to the extent that providing access to you would be prohibited by law. We may require written requests. We must provide you with access to your personal health information in the form or format requested by you, if it is readily producible in such form or format, or, if not, in a readable hard copy form or such other form or format as we agree upon. We may provide you with a summary of the personal health information requested, in lieu of providing access to the personal health information, or may provide an explanation of the personal health information to which access has been provided, if you agree in advance to such a summary or explanation and agree to the fees imposed for such summary or explanation. We will provide you with access as requested in a timely manner, including arranging with you a convenient time and place to inspect or obtain copies of your personal health information or mailing a copy to you at your request. We will discuss the scope, format, and other aspects of your request for access as necessary to facilitate timely access. If you request a copy of your personal health information or agree to a summary or explanation of such information, we may charge a reasonable cost-based fee for copying, for postage if you request a mailing, and for the costs of preparing an explanation or summary as agreed upon in advance.
We reserve the right to deny you access to and copies of certain personal health information as permitted or required by law. We will reasonably attempt to accommodate any request for personal health information by, to the extent possible, giving you access to other personal health information after excluding the information as to which we have a ground to deny access. Upon denial of a request for access or request for information, we will provide you with a written denial specifying the legal basis for denial, a statement of your rights, and a description of how you may file a complaint with us. If we do not maintain the information that is the subject of your request for access but we know where the requested information is maintained, we will inform you of where to direct your request for access.
Right To Amend Your Personal Health Information
You have the right to request that we amend your personal health information or a record about you contained in your designated record set, for as long as the designated record set is maintained by us. We have the right to deny your request for amendment, if: (a) we determine that the information or record that is the subject of the request was not created by us, unless you provide a reasonable basis to believe that the originator of the information is no longer available to act on the requested amendment, (b) the information is not part of your designated record set maintained by us, (c) the information is prohibited from inspection by law, or (d) the information is accurate and complete. We may require that you submit written requests and provide a reason to support the requested amendment. If we deny your request, we will provide you with a written denial stating the basis of the denial, your right to submit a written statement disagreeing with the denial, and a description of how you may file a complaint with us or the Secretary of the U.S. Department of Health and Human Services (“DHHS”). This denial will also include a notice that if you do not submit a statement of disagreement, you may request that we include your request for amendment and the denial with any future disclosures of your personal health information that is the subject of the requested amendment. Copies of all requests, denials, and statements of disagreement will be included in your designated record set. If we accept your request for amendment, we will make reasonable efforts to inform and provide the amendment within a reasonable time to persons identified by you as having received personal health information of yours prior to amendment and persons that we know have the personal health information that is the subject of the amendment and that may have relied, or could foreseeably rely, on such information to your detriment. 
All requests for amendment shall be sent to Vivek Doppalapudi DDS MS PC, 102 Elden St, Ste 19, Herndon, VA 20170.
Right To Receive An Accounting Of Disclosures Of Your Personal Health Information
Beginning April 14, 2003, you have the right to receive a written accounting of all disclosures of your personal health information that we have made within the six (6) year period immediately preceding the date on which the accounting is requested. You may request an accounting of disclosures for a period of time less than six (6) years from the date of the request. Such an accounting will include the date of each disclosure, the name and, if known, the address of the entity or person who received the information, a brief description of the information disclosed, and a brief statement of the purpose and basis of the disclosure or, in lieu of such statement, a copy of your written authorization or written request for disclosure pertaining to such information. We are not required to provide accountings of disclosures for the following purposes: (a) treatment, payment, and healthcare operations, (b) disclosures pursuant to your authorization, (c) disclosures to you, (d) disclosures for a facility directory or to persons involved in your care, (e) disclosures for national security or intelligence purposes, (f) disclosures to correctional institutions, and (g) disclosures occurring prior to April 14, 2003. We reserve the right to temporarily suspend your right to receive an accounting of disclosures to health oversight agencies or law enforcement officials, as required by law. We will provide the first accounting to you in any twelve (12) month period without charge, but will impose a reasonable cost-based fee for responding to each subsequent request for an accounting within that same twelve (12) month period. All requests for an accounting shall be sent to Vivek Doppalapudi DDS MS PC, 102 Elden Street, Ste 19, Herndon, VA 20170.
Complaints
You may file a complaint with us and with the Secretary of DHHS if you believe that your privacy rights have been violated. You may submit your complaint in writing by mail or electronically to our privacy officer, Dr. Vivek Doppalapudi at 102 Elden St, Ste 19, Herndon, VA 20170. (703) 464-0900 or email [email protected]. A complaint must name the entity that is the subject of the complaint and describe the acts or omissions believed to be in violation of the applicable requirements of HIPAA or this Privacy Policy. A complaint must be received by us or filed with the Secretary of DHHS within 180 days of when you knew or should have known that the act or omission complained of occurred. You will not be retaliated against for filing any complaint.
Amendments to this Privacy Policy
We reserve the right to revise or amend this Privacy Policy at any time. These revisions or amendments may be made effective for all personal health information we maintain even if created or received prior to the effective date of the revision or amendment. We will provide you with notice of any revisions or amendments to this Privacy Policy, or changes in the law affecting this Privacy Notice, by mail or electronically within 60 days of the effective date of such revision, amendment, or change.
On-going Access to Privacy Policy
We will provide you with a copy of the most recent version of this Privacy Policy at any time upon your written request sent to Vivek Doppalapudi DDS MS PC, 102 Elden St, Ste 19, Herndon, VA 20170, by e-mail to [email protected], or by fax to (703) 481-1742. For any other requests or for further information regarding the privacy of your personal health information, and for information regarding the filing of a complaint with us, please contact our privacy officer, Dr. Vivek Doppalapudi, at the address, telephone number, or e-mail address listed above.
—————–
Full HIPAA Policy
Introduction
Vivek Doppalapudi, DDS MS PC
102 Elden Street, Suite 19
Herndon, VA 20170
Health Insurance Portability and Accountability Act of 1996
Including
HIPAA Privacy and Security Policies and Procedures
HITECH Act
Omnibus Rule of 2013
These procedures are not a substitute for engaging the assistance of legal, accounting, or other professional services. This information is advisory only. Final interpretation is the responsibility of the regulatory or accrediting body administering the standard or regulation referenced.
Disclaimer
Important Note: All references to “Vivek Doppalapudi, DDS MS PC” or the “organization” in this Manual refer to Vivek Doppalapudi, DDS MS PC and/or its affiliates, as applicable.
This Manual is a “living document” that Vivek Doppalapudi, DDS MS PC may update and revise periodically and unilaterally. This Manual, and the material contained therein, are not intended and should not be construed as creating an implied or express contract of employment, or any other contractual relationship. Unless otherwise stated or predicated on agreements, representations, or documents separate and distinct from this Manual, your employment with Vivek Doppalapudi, DDS MS PC is “at will” and either you or Vivek Doppalapudi, DDS MS PC may terminate the employment relationship at any time with or without cause. No representative of Vivek Doppalapudi, DDS MS PC has the authority to make a commitment of guaranteed or continuing employment to you unless it is in writing and signed by the President of Vivek Doppalapudi, DDS MS PC. This Manual does not give legal advice. This Manual does not create an attorney-client relationship between you and any Total Compliance Solutions employee, member, staff, affiliate or consultant, and you should not act or rely on any information or material without seeking the advice of a qualified attorney. This Manual has been tailored to your particular circumstances. Ongoing assessment and education are integral parts of an effective compliance program under the guidelines promulgated by the Office of Inspector General of the Department of Health and Human Services. The failure to implement any element of this compliance program (such as training and education) may undermine the design and effectiveness of the program. As you implement and administer your compliance program going forward, Total Compliance Solutions strongly recommends that you consult with qualified compliance professionals and attorneys if you have any questions or need any assistance.
These materials are intended for general informational purposes only, may not have been updated to reflect the most recent developments in this area, and are not intended to be relied upon for any specific purpose or action. The information contained in these materials does not constitute and is not intended to be legal advice and should not be so interpreted. If you have questions regarding a specific situation or are seeking legal advice, you should consult an attorney licensed in the appropriate jurisdiction.
Total Compliance Solutions makes no representations or warranties whatsoever regarding the accuracy of these materials, which have been prepared and/or published by third parties other than Total Compliance Solutions. To the extent these materials provide information received from or opinions provided by third parties, the provision of these materials by Total Compliance Solutions does not constitute an endorsement by Total Compliance Solutions. Total Compliance Solutions specifically disclaims any responsibility for the accuracy of these materials or any such opinions or views.
PRIVACY POLICIES AND PROCEDURES
INTRODUCTION TO THE HIPAA PRIVACY STANDARDS
The privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) apply to all protected health information (PHI) created or maintained by the practice. Under HIPAA, the Department of Health and Human Services (HHS) is responsible for issuing the final privacy rules. The final HIPAA Omnibus Rule was released on January 17, 2013, and became effective on March 26, 2013, with September 23, 2013 as the compliance deadline; all providers must be in compliance with the new rules by that date. The Office for Civil Rights (OCR) is the federal entity responsible for administering and enforcing the privacy rules.
The privacy rules are designed to provide basic, federal protections for an individual’s protected health information. Each state has existing privacy laws that may still apply and with which the practice may already be complying. State laws are included within this manual as an addendum.
Following are the policies and procedures required under the HIPAA Privacy Rule that define the practice’s basic privacy practices.
HIPAA POLICIES AND PROCEDURES
IMPLEMENTATION PLAN
1. Review the findings from the on-site survey/Security Risk Analysis and rectify the deficiencies identified.
2. Each policy will have some or all of the following sections:
   a. Approval Date – should be completed by the Privacy Officer/Security Official;
   b. Approved By – should be completed by the Privacy Officer/Security Official;
   c. Definitions – provides definitions of certain words used in the policy (note: there is a master “Definitions” section of terms);
   d. Policy – details the specific requirements under the law;
   e. Procedure – provides a general outline of how the policy can be implemented.
3. Place the updated Notice of Privacy Practices in the waiting room(s), at patient intake areas, and on the practice website (if applicable).
4. The entire HIPAA policy and procedure manual should be reviewed. Note: don’t just routinely adopt policies without checking them. If the practice is ever audited by a governmental agency, the agency will expect you to be following your own written policies.
5. Consider adopting the Facsimile Cover Sheet provided, or replace it with the practice’s cover sheet.
6. Adopt the patient consent for use of e-mail if the practice is allowing communications with patients via e-mail.
7. Review and implement the authorization form for use and disclosure of PHI. This is a legally valid form and should be the one the practice uses for releases of information.
8. Implement a process for requests to disclose immunization records to schools as required by law.
9. Consider implementing the Patient Record Request Form to include the provision of electronic copies.
10. Implement Business Associate Agreements with all identified business associates. (See the Business Associates and Agreements section of the HIPAA manual for additional information.)
11. Ensure that business associates are entering into written contracts with their subcontractors, who now must have HIPAA-compliant policies and procedures.
12. Complete the “Employee Access to Protected Health Information Grid” form. This is required under the HIPAA Rule.
13. Consider putting the “Employee Sanctions” policy into the employee handbook. Be sure all new employees receive a copy at the start of employment.
14. Consider adopting the Exit Interview form. We also recommend asking staff to complete these during their annual performance appraisal and/or using the questions as an agenda for an annual staff meeting.
15. Make sure that all staff, including providers and governing bodies, etc., receive training on the practice’s privacy/security policies. This must be documented and kept on file. All new staff should receive this training at the beginning of employment.
16. Obtain signatures on the confidentiality agreements for staff and vendors who have access to protected health information but who are not business associates.
17. Make sure the Notice of Privacy Practices is posted in the location you have designated. The notice must have an effective date, so don’t forget to include one. Implement a process for collecting patient signatures if the practice is a direct care provider. Make sure it is available on the practice website, if applicable. Read this document carefully and make sure that all uses and disclosures of PHI are covered in this document and that all information is correct. If a change is made to the notice once it is posted, change the effective date and provide new copies in the designated location and to patients. Keep old copies on file for six years.
18. Make sure processes for patients to get access to and copies of their PHI have been implemented.
19. Make sure processes have been implemented for accounting for uses and disclosures of PHI (except for uses and disclosures in treatment, payment, and operations). If you cannot log this information in a common field in an information system, use the model log provided.
20. Make sure processes have been implemented for processing requests for amendment to PHI. Model letters are provided, should you choose to use them.
21. Make copies of all the request forms for the five patient rights. They can be found in the Model Documents section of the HIPAA Privacy manual. A request form is provided for each of the five rights. They should be used with patients to document the request for the right.
22. Make sure there is a process in place to communicate restrictions on use and disclosure and confidential communications to staff members who process releases of information. Model letters for patient requests are included.
23. Review the transcription policy to ensure it is consistent with the practice’s current protocols if transcription is used.
24. Complete the hardware inventory log to ensure that you have a complete list of IT and telecommunications hardware, as required under the HIPAA Rules. This equipment stores PHI and should be tracked to ensure that it is accounted for at all times.
25. Review the Breach Notification section of the manual for information from the HIPAA Omnibus Rule of 2013.
26. It is recommended that you have all staff review these policies and procedures. They should be familiar with the contents of the manual and where to find information when needed.
DEFINITIONS
The HIPAA Privacy Rule includes several definitions that are important to understand in order to interpret the rule and its application to the practice. Under 45 CFR §§ 160.103 and 164.501, the definitions are as follows:
Business Associate:
(1) Except as provided in paragraph (4) of this definition, business associate means, with respect to a covered entity, a person who:
(i) On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or
(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in §164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
(2) A covered entity may be a business associate of another covered entity.
(3) Business associate includes:
(i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information. (Courier services such as the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as internet service providers (ISPs) providing data transmission services, are excluded. A conduit transports information in digital or hard copy form, but does not access it other than on a random or infrequent basis, as necessary to perform the transportation service or as required by other law. Example: a telecommunications company having random, occasional access to PHI when reviewing whether data transmitted over its network is arriving at its destination.)
(ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity. (Personal health record vendors are only considered business associates of the covered entity if they are providing the records on behalf of the covered entity. If an individual has authorized a personal health record vendor to receive their records, the vendor does not automatically become a business associate.)
(iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.
(4) Business associate does not include:
(i) A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual.
(ii) A plan sponsor, with respect to disclosures by a group health plan (or by a health insurance issuer or HMO with respect to a group health plan) to the plan sponsor, to the extent that the requirements of §164.504(f) of this subchapter apply and are met.
(iii) A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting protected health information for such purposes, to the extent such activities are authorized by law.
(iv) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement by virtue of such activities or services.
Correctional institution
Correctional institution means any penal or correctional facility, jail, reformatory, detention center, work farm,
halfway house, or residential community program center operated by, or under contract to, the United States, a
State, a territory, a political subdivision of a State or territory, or an Indian tribe, for the confinement or
rehabilitation of persons charged with or convicted of a criminal offense or other persons held in lawful custody.
Other persons held in lawful custody includes juvenile offenders adjudicated delinquent, aliens detained
awaiting deportation, persons committed to mental institutions through the criminal justice system, witnesses,
or others awaiting charges or trial.
Covered entity
Covered entity means:
(1) A health plan;
(2) A health care clearinghouse; or
(3) A health care provider who transmits any health information in electronic form in connection with a transaction.
Data aggregation
Data aggregation means, with respect to protected health information created or received by a business
associate in its capacity as the business associate of a covered entity, the combining of such protected
health information by the business associate with the protected health information received by the
business associate in its capacity as a business associate of another covered entity, to permit data
analyses that relate to the health care operations of the respective covered entities.
Designated record set
Designated record set means:
(1) A group of records maintained by or for a covered entity that is:
   (i) The medical records and billing records about individuals maintained by or for a covered health care provider;
   (ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
   (iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.
(2) For purposes of this paragraph, the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.
Direct treatment relationship means a treatment relationship between an individual and a health care
provider that is not an indirect treatment relationship.
Disclosure means the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.
Family member means, with respect to an individual:
(1) A dependent (as such term is defined in 45 CFR 144.103) of the individual; or
(2) Any other person who is a first-degree, second-degree, third-degree, or fourth-degree relative of the individual or of a dependent of the individual. Relatives by affinity (such as by marriage or adoption) are treated the same as relatives by consanguinity (that is, relatives who share a common biological ancestor). In determining the degree of the relationship, relatives by less than full consanguinity (such as half-siblings, who share only one parent) are treated the same as relatives by full consanguinity (such as siblings who share both parents).
   (i) First-degree relatives include parents, spouses, siblings, and children.
   (ii) Second-degree relatives include grandparents, grandchildren, aunts, uncles, nephews, and nieces.
   (iii) Third-degree relatives include great-grandparents, great-grandchildren, great aunts, great uncles, and first cousins.
   (iv) Fourth-degree relatives include great-great grandparents, great-great grandchildren, and children of first cousins.
Health care operations means any of the following activities of the covered entity to the extent that the activities are related to covered functions:
(1) Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; patient safety activities (as defined in 42 CFR 3.20); population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;
(2) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;
(3) Except as prohibited under §164.502(a)(5)(i), underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of §164.514(g) are met, if applicable;
(4) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
(5) Business planning and development, such as conducting cost-management and planning related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and
(6) Business management and general administrative activities of the entity, including, but not limited to:
   (i) Management activities relating to implementation of and compliance with the requirements of this subchapter;
   (ii) Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holder, plan sponsor, or customer;
   (iii) Resolution of internal grievances;
   (iv) The sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity, and due diligence related to such activity; and
   (v) Consistent with the applicable requirements of §164.514, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.
Health oversight agency means an agency or authority of the United States, a State, a territory, a
political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of
authority from or contract with such public agency, including the employees or agents of such public
agency or its contractors or persons or entities to whom it has granted authority, that is authorized by law
to oversee the health care system (whether public or private) or government programs in which health
information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which
health information is relevant.
Indirect treatment relationship means a relationship between an individual and a health care provider in which:
(1) The health care provider delivers health care to the individual based on the orders of another health care provider; and
(2) The health care provider typically provides services or products, or reports the diagnosis or results associated with the health care, directly to another health care provider, who provides the services or products or reports to the individual.
Inmate means a person incarcerated in or otherwise confined to a correctional institution.
Marketing:
(1) Except as provided in paragraph (2) of this definition, marketing means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.
(2) Marketing does not include a communication made:
   (i) To provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for the individual, only if any financial remuneration received by the covered entity in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication.
   (ii) For the following treatment and health care operations purposes, except where the covered entity receives financial remuneration in exchange for making the communication:
      (A) For treatment of an individual by a health care provider, including case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual;
      (B) To describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits; or
      (C) For case management or care coordination, contacting of individuals with information about treatment alternatives, and related functions to the extent these activities do not fall within the definition of treatment.
Financial remuneration means direct or indirect payment from or on behalf of a third party whose
product or service is being described. Direct or indirect payment does not include any payment for
treatment of an individual.
Payment means:
(1) The activities undertaken by:
   (i) Except as prohibited under §164.502(a)(5)(i), a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or
   (ii) A health care provider or health plan to obtain or provide reimbursement for the provision of health care; and
(2) The activities in paragraph (1) of this definition relate to the individual to whom health care is provided and include, but are not limited to:
   (i) Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;
   (ii) Risk adjusting amounts due based on enrollee health status and demographic characteristics;
   (iii) Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing;
   (iv) Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;
   (v) Utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and
   (vi) Disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement:
      (A) Name and address;
      (B) Date of birth;
      (C) Social security number;
      (D) Payment history;
      (E) Account number; and
      (F) Name and address of the health care provider and/or health plan.
Protected Health Information (“PHI”)
Protected Health Information (“PHI”) means information that is created, received, maintained, accessed, and/or
transmitted by a covered entity and relates to the past, present, or future physical or mental health or condition
of an individual; the provision of health care to an individual; or the past, present, or future payment for the
provision of health care to an individual; and that identifies the individual or for which there is a reasonable
basis to believe the information can be used to identify the individual. PHI includes information of persons living
or deceased.
Psychotherapy notes
Psychotherapy notes means notes recorded (in any medium) by a health care provider who is a mental health
professional documenting or analyzing the contents of conversation during a private counseling session or a
group, joint, or family counseling session and that are separated from the rest of the individual’s medical record.
Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop
times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the
following items: Diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.
Public health authority
Public health authority means an agency or authority of the United States, a State, a territory, a political
subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from
or contract with such public agency, including the employees or agents of such public agency or its contractors
or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its
official mandate.
Research means a systematic investigation, including research development, testing, and evaluation,
designed to develop or contribute to generalizable knowledge.
Treatment means the provision, coordination, or management of health care and related services by one or
more health care providers, including the coordination or management of health care by a health care provider
with a third party; consultation between health care providers relating to a patient; or the referral of a patient for
health care from one health care provider to another.
Workforce member means employees, volunteers, trainees, and other persons whose conduct, in the
performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid
by the covered entity. The term also includes the employees, volunteers, trainees, and other persons whose
conduct, in the performance of work for a business associate, is under the direct control of the business
associate.
USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION
USES AND DISCLOSURES OF PATIENT INFORMATION POLICY
SCOPE OF POLICY
This policy applies to all Vivek Doppalapudi, DDS MS PC staff members. Vivek Doppalapudi, DDS MS PC
“staff members” includes all employees, volunteers, vendors, and subcontractors.
PURPOSE
Vivek Doppalapudi, DDS MS PC must establish policies and procedures that all staff are expected to adhere to
when using or disclosing patient health information. Vivek Doppalapudi, DDS MS PC personnel are required to
maintain the confidentiality of patient information in accordance with the regulations promulgated by the Health
Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for
Economic and Clinical Health Act (“HITECH”).
PROTECTED HEALTH INFORMATION
HIPAA and HITECH impose restrictions on the use and disclosure of protected health information (“PHI”). PHI
is defined as information that is created or received by a health care organization. PHI can be written or oral; it
can be recorded on paper, on a computer, or on removable or other media. PHI includes information that is
individually identifiable, such as name, address, telephone number, medical insurance number and social
security number. PHI relates to the past, present, or future physical or mental health or condition of an
individual, the provision of health care to an individual, or the past, present, or future payment for the provision
of health care to an individual.
USES AND DISCLOSURES OF PHI FOR PURPOSES OTHER THAN TREATMENT, PAYMENT OR HEALTH CARE OPERATIONS
Vivek Doppalapudi, DDS MS PC will only use or disclose PHI for purposes of treatment, payment or health
care operations, and the following:
1. Vivek Doppalapudi, DDS MS PC may disclose PHI to the patient.
2. Vivek Doppalapudi, DDS MS PC may disclose PHI to a patient’s personal representative (i.e. a person with
legal authority to make health care decisions on behalf of the patient, e.g. an executor or administrator of the
patient’s estate or other person who has legal authority to act on behalf of the patient or the patient’s estate, a
court-appointed guardian, or an individual granted health care power of attorney), in accordance with proper
legal documentation (e.g. certificate of appointment, guardianship documentation, power of attorney), and to a
deceased person’s family provided Vivek Doppalapudi, DDS MS PC had not obtained an objection to sharing
his or her PHI from the deceased prior to death, and the PHI disclosed pertains to the individual’s involvement
in the deceased’s care or payment for services rendered.
3. Vivek Doppalapudi, DDS MS PC may disclose PHI relating to a patient’s proof of immunization if
required by State or other law for school admittance with documented authorization. A written request is
not necessary, as an oral request is acceptable, but a model Patient Request Form is included in the
following pages for your use.
4. Vivek Doppalapudi, DDS MS PC may use and disclose PHI pursuant to a valid HIPAA authorization.
5. Vivek Doppalapudi, DDS MS PC may disclose PHI to a business associate, vendor, or subcontractor in
accordance with an applicable Business Associate Agreement.
6. Vivek Doppalapudi, DDS MS PC may disclose PHI to a public or private entity authorized by law or by its
obligation to assist in disaster relief efforts.
7. Vivek Doppalapudi, DDS MS PC may disclose PHI to the Department of Health and Human Services or
the State Department of Health for compliance reviews and investigations, as required by law.
8. Vivek Doppalapudi, DDS MS PC may use or disclose PHI for legal, employment and regulatory purposes
in accordance with Vivek Doppalapudi, DDS MS PC’s policies for such disclosure.
9. Vivek Doppalapudi, DDS MS PC may disclose PHI to the FDA for purposes related to a product
approved by the FDA for product recalls, tracking of products or incident reporting.
10. Vivek Doppalapudi, DDS MS PC may use or disclose PHI if Vivek Doppalapudi, DDS MS PC has
entered into a data use agreement with a recipient that meets the requirements of HIPAA regulations.
11. Vivek Doppalapudi, DDS MS PC may use or disclose PHI as is permitted or required by federal
regulations.
Vivek Doppalapudi, DDS MS PC must comply with the requirements of HIPAA with respect to the PHI of
a deceased individual for a period of 50 years following the death of the individual.
Vivek Doppalapudi, DDS MS PC must agree to a patient’s restriction on the disclosure of a patient’s PHI
to the patient’s health plan if the disclosure is for the purpose of carrying out payment or health care
operations, is not otherwise required by law, and the patient has paid Vivek Doppalapudi, DDS MS PC in
full for health care services provided.
SPECIFIC AUTHORIZATIONS AND RESTRICTIONS ON USES AND DISCLOSURES OF PHI
Specific authorizations are required for the use and/or disclosure of the following:
1. Psychotherapy notes;
2. HIV-related information;
3. Alcohol and/or substance abuse records;
4. Sexually transmitted diseases;
5. Mental health records;
6. Genetic information;
7. Research;
8. Marketing involving direct or indirect remuneration to Vivek Doppalapudi, DDS MS PC for the PHI;
9. Fundraising activities, unless the use or disclosure is only the patient’s name, address, other contact
information, age, gender, date of birth, dates of health care provided, department of service information,
treating physician, outcome information, and/or health insurance status; and
10. Sale of PHI involving direct or indirect remuneration to Vivek Doppalapudi, DDS MS PC for the PHI.
Vivek Doppalapudi, DDS MS PC shall not use or disclose genetic information for underwriting purposes
as defined in 45 C.F.R. § 164.502.
Vivek Doppalapudi, DDS MS PC shall not sell PHI for direct or indirect remuneration from or on behalf of
the recipient of the PHI in exchange for the PHI. This does not include the exchange of PHI:
1. For public health purposes;
2. For research purposes, if Vivek Doppalapudi, DDS MS PC receives only a cost-based fee to prepare and
transmit the patient information;
3. For treatment or payment for treatment;
4. For the sale, transfer, merger or consolidation of Vivek Doppalapudi, DDS MS PC; and
5. To a business associate, if Vivek Doppalapudi, DDS MS PC only receives remuneration for the
performance of health care related activities.
Uses and Disclosures of Protected Health Information Policies and Procedures
The Vivek Doppalapudi, DDS MS PC policy for communicating PHI with a patient’s family, friends or others
involved in the patient’s care is as follows:
@COMPHIFAM@
Any questions concerning this policy should be directed to Dr. Vivek Doppalapudi, the Privacy Officer or Dr.
Vivek Doppalapudi, the Security Officer.
AUTHORIZATION AND EXCEPTIONS FOR USES AND DISCLOSURES OF PHI
DEFINITIONS:
Disclosure means the release, transfer, provision of access to, or divulging in any other manner of information
outside the entity holding the information.
Financial Remuneration means direct or indirect payment from or on behalf of a third party whose product or
service is being described. Direct or indirect payment does not include payment for treatment of an individual.
Individually identifiable health information is information that is a subset of health information, including
demographic information collected from an individual that identifies the individual; and is created or received by
a health care provider, health plan, employer, or health care clearinghouse; and relates to the past, present, or
future physical or mental health or condition of an individual; the provision of health care to an individual; or the
past, present, or future payment for the provision of health care to an individual.
Law enforcement official is an officer or employee of any agency or authority of the United States, a state, a
territory, a political subdivision of a state or territory, or an Indian tribe, who is empowered by law to investigate
or conduct an official inquiry into a potential violation of law; or prosecute or otherwise conduct a criminal, civil,
or administrative proceeding arising from an alleged violation of law.
Use means, with respect to individually identifiable health information, the sharing, employment, application,
utilization, examination, or analysis of such information within an entity that maintains such information.
POLICY:
Vivek Doppalapudi, DDS MS PC complies with the Health Insurance Portability and Accountability Act of 1996
and Department of Health and Human Services rules that are designed to preserve the privacy of identifiable
patient information.
Vivek Doppalapudi, DDS MS PC is permitted to use or disclose protected health information (“PHI”) if the
disclosure is: to the patient; to a patient’s personal representative; to a deceased person’s personal
representative or family, provided Vivek Doppalapudi, DDS MS PC had not obtained an objection to sharing his
or her PHI and the PHI disclosed pertains to the individual’s involvement in the deceased’s care or payment for
services rendered; to a school, if the PHI disclosed is related to a patient’s proof of immunization required by
state or other law for school admittance and the authorization to disclose such records is documented;
pursuant to a valid HIPAA authorization form (see Authorization for Use and Disclosure of PHI form); to a
business associate, vendor or subcontractor in accordance with an applicable Business Associate Agreement;
to the Department of Health and Human Services or the State Department of Health for compliance reviews,
investigations, or as otherwise required by law; or to a recipient with which Vivek Doppalapudi, DDS MS PC
has entered into a data use agreement that meets the requirements of HIPAA regulations.
Vivek Doppalapudi, DDS MS PC must have authorization from individuals before using or disclosing protected
health information (PHI) for a purpose not otherwise permitted or required by this rule. Specifically, except for
psychotherapy notes, Vivek Doppalapudi, DDS MS PC is not required to obtain the patient’s (or an individual
acting as the patient’s legal representative) authorization to use or disclose PHI to carry out treatment,
payment, and health care operations.
PHI may be used or disclosed to an authorized public or private disaster relief agency for the purpose of
helping such entity notify a patient’s family member, personal representative, or another person responsible for
the patient’s care, of the individual’s location, general condition, or death.
The HIPAA rule does not require Vivek Doppalapudi, DDS MS PC to obtain the individual’s authorization for
uses and disclosures of PHI that require only an opportunity for the individual to agree or to object (e.g.,
hospital and facility patient directories and information for clergy), for uses and disclosures for which consent,
an authorization, or an opportunity to agree or object is not required, for disclosures to the individual, or for
required disclosures to the Secretary of the Department of Health and Human Services.
There is an exception to the above. If a health plan requests a PHI disclosure of a patient for purposes of
carrying out payment or health care operations (not treatment), and the patient has paid for the health care item
or service out-of-pocket in full, and the disclosure is not otherwise required by law, then Vivek Doppalapudi,
DDS MS PC may not disclose the PHI. However, the patient’s request for such restriction will only be applicable
to that particular service. The patient will have to request a restriction for each service thereafter.
Vivek Doppalapudi, DDS MS PC is bound to comply with statements provided on the authorization form. Uses
or disclosures by Vivek Doppalapudi, DDS MS PC for purposes not specified in the authorization are violations
of the HIPAA law. Vivek Doppalapudi, DDS MS PC must comply with the requirements of HIPAA with respect to
the PHI of a deceased individual for a period of 50 years following the death of the individual.
Required Authorizations
Uses and disclosures for which the practice must have the individual’s authorization include, but are not limited
to, the following activities:
1. Marketing
2. Genetic information
3. Sale of PHI
4. Employment determinations
5. Conditioning the provision of care
6. Fundraising
7. Psychotherapy notes/mental health records
8. Research (see regulations for specifics)
9. HIV-related information
10. Alcohol and/or substance abuse records
11. Sexually transmitted diseases
Authorizations should not be construed to waive, directly or indirectly, any privilege granted under
federal, state, or local laws or procedures. Vivek Doppalapudi, DDS MS PC should consult State law
regarding additional protections for sensitive health information such as HIV/AIDS treatment, alcohol
and/or substance abuse records, sexually transmitted disease treatment, mental or behavioral health
treatment, and genetic health information.
1. Marketing
Vivek Doppalapudi, DDS MS PC must obtain an authorization for any use or disclosure of PHI for marketing,
except for a face-to-face communication made by Vivek Doppalapudi, DDS MS PC to the individual or a
promotional gift of nominal value provided by Vivek Doppalapudi, DDS MS PC. If the marketing involves direct
or indirect financial remuneration to Vivek Doppalapudi, DDS MS PC from a third party, the authorization must
state that such remuneration is involved.
2. Genetic Information for Underwriting
Vivek Doppalapudi, DDS MS PC cannot use or disclose PHI that is genetic information to a health plan for
underwriting purposes. “Underwriting purposes” means, with respect to a health plan, rules for, or determination
of, eligibility for, or determination of benefits under, the plan, coverage or policy; the computation of premium or
contribution amounts under the plan, coverage or policy; the application of any pre-existing condition exclusion
under the plan, coverage or policy; and other activities related to the creation, renewal, or replacement of a
contract of health insurance or health benefits. “Underwriting purposes” does not include determinations of
medical appropriateness where an individual seeks a benefit under the plan, coverage or policy.
3. Sale of PHI
“Sale of PHI” means the disclosure of PHI by a covered entity, where the covered entity directly or indirectly
receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI. “Sale of PHI” does
NOT include a disclosure of PHI for public health purposes; for research purposes where the only remuneration
received by the covered entity is a reasonable cost-based fee to cover the cost to prepare and transmit the PHI
for such purposes; for treatment and payment purposes; for the sale, transfer, merger or consolidation of all or
part of Vivek Doppalapudi, DDS MS PC and for related due diligence; to a business associate for activities that
the business associate undertakes on behalf of a covered entity, and the only remuneration received by the
covered entity is for the performance of such activities; to an individual as requested by such individual under
45 CFR § 164.524 or 164.528; as required by law; or for any other purpose permitted where the only
remuneration received by Vivek Doppalapudi, DDS MS PC is a reasonable, cost-based fee to cover the cost to
prepare and transmit the PHI for such purpose or a fee otherwise expressly permitted by other law.
Vivek Doppalapudi, DDS MS PC must obtain an authorization for any disclosure of PHI which is a sale of PHI
as defined here. The authorization must state that the disclosure will result in remuneration to Vivek
Doppalapudi, DDS MS PC.
4. Employment Determinations
Vivek Doppalapudi, DDS MS PC must obtain the individual’s authorization to use or disclose PHI for
employment determinations. For example, a covered health care provider must obtain the individual’s
authorization to disclose the results of a pre-employment physical to the individual’s employer.
5. Conditioning the Provision of Care
Vivek Doppalapudi, DDS MS PC may condition the provision of health care that is solely for the purpose of
creating PHI for disclosure to a third party, on the provision of authorization for the disclosure of the information
to the third party.
Vivek Doppalapudi, DDS MS PC prohibits conditioning treatment or payment on the provision by the individual
of an authorization, except when the authorization was requested in connection with a clinical trial. In the case
of authorization for use or disclosure of psychotherapy notes or research information unrelated to treatment,
Vivek Doppalapudi, DDS MS PC prohibits conditioning treatment, payment, or enrollment in a health plan on
obtaining such an authorization.
This prohibition is intended to prevent coercing individuals into signing an authorization for a use or disclosure
that is not necessary to carry out the primary services that Vivek Doppalapudi, DDS MS PC provides to the
individual. For example, a health care provider could not refuse to treat an individual because the individual
refused to authorize a disclosure to a pharmaceutical manufacturer for the purpose of marketing a new product.
Finally, when Vivek Doppalapudi, DDS MS PC provides treatment for the sole purpose of providing information
to a third party, the covered entity may condition the treatment on the receipt of an authorization to use or
disclose PHI related to that treatment. For example, a covered health care provider may have a contract with
an employer to provide fitness-for-duty exams to the employer’s employees. The provider may refuse to
conduct the exam if an individual refuses to authorize the provider to disclose the results of the exam to the
employer.
6. Fundraising
A patient’s authorization is not required when Vivek Doppalapudi, DDS MS PC uses or discloses demographic
information (name, address, other contact information, age, gender, date of birth) and information about the
dates of health care provided to an individual, as well as the department of service information, treating
physician, outcome information, and health insurance status, for the purpose of raising funds for its own
benefit, nor when it discloses such information to an institutionally related foundation to raise funds for the
covered entity.
However, Vivek Doppalapudi, DDS MS PC must ensure that with each fundraising communication made, the
patient has the opportunity to opt-out of receiving any further fundraising communications. The patient’s ability
to opt-out should not cost the patient more than a nominal amount. Vivek Doppalapudi, DDS MS PC must also
provide the patient with the opportunity to opt back in to receive such communications if the patient should
choose to do so.
Any use or disclosure for fundraising purposes that does not meet these requirements and does not fall within
the definition of health care operations requires authorization. Specifically, Vivek Doppalapudi, DDS MS PC
must obtain the individual’s authorization to use or disclose PHI to raise funds for any entity other than Vivek
Doppalapudi, DDS MS PC. For example, Vivek Doppalapudi, DDS MS PC must have the individual’s
authorization to use PHI about the individual to solicit funds for a non-profit organization that engages in
research, education, and awareness efforts about a particular disease.
7. Psychotherapy Notes
With a few exceptions, Vivek Doppalapudi, DDS MS PC must obtain the individual’s authorization to use or
disclose psychotherapy notes to carry out treatment, payment, or health care operations. Vivek Doppalapudi,
DDS MS PC must obtain the individual’s consent, but not an authorization, for the person who created the
psychotherapy notes to use the notes to carry out treatment, and for the covered entity to use or disclose
psychotherapy notes for conducting training programs in which students, trainees, or practitioners in mental
health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling.
Vivek Doppalapudi, DDS MS PC may also use psychotherapy notes to defend a legal action or other
proceeding brought by the individual pursuant to consent, without a specific authorization.
An authorization is not required for use or disclosure of psychotherapy notes when required for enforcement
purposes; when mandated by law; when needed for oversight of the health care provider who created the
psychotherapy notes; when needed by a coroner or medical examiner; or when needed to avert a serious and
imminent threat to health or safety.
8. Authorizations for Uses and Disclosures of PHI Created for Research that Includes Treatment of Individuals
Vivek Doppalapudi, DDS MS PC is required to obtain an authorization for the use or disclosure of PHI that
Vivek Doppalapudi, DDS MS PC creates for the purpose of research that includes treatment of individuals.
The practice seeking authorization to use or disclose PHI created for the purpose of research that includes
treatment of individuals, including clinical trials, must include in the authorization (in addition to the applicable
elements required above) a description of the extent to which some or all of the protected health information
created for the research will also be used or disclosed for purposes of treatment, payment, and health care operations.
Research that involves the delivery of treatment to participants sometimes relies on existing health information,
such as to determine eligibility for the trial. Vivek Doppalapudi, DDS MS PC may combine the research-related
authorization with any other authorization for the use or disclosure of protected health information (other than
psychotherapy notes), provided that Vivek Doppalapudi, DDS MS PC does not condition the provision of
treatment on the individual signing the authorization.
Vivek Doppalapudi, DDS MS PC will in nearly all cases condition the provision of research-related
treatment on the individual signing an authorization for use or disclosure of PHI created for the research.
Therefore, providers who wish to use or disclose PHI about an individual that will be created for research that
includes treatment and wish to use existing PHI about that individual for the research that includes treatment,
will be required to obtain two authorizations from the individual: (1) an authorization for the use and disclosure
of protected health information to be created for the research that involves treatment of the individual, and (2)
an authorization for the use of existing protected health information for the research that includes treatment of
the individual.
Core Elements and Requirements of an Authorization
1. An authorization form must contain the following elements:
A description of the information to be used or disclosed with sufficient specificity to allow the covered entity
to know which information the authorization references;
The name of the covered entity, or class of entities or persons, authorized to make the use or disclosure. If
an authorization permits a class of covered entities to disclose information to an authorized person, the class
must be stated with sufficient specificity so that a covered entity presented with the authorization will know
with reasonable certainty that the individual intended that covered entity to release protected health
information;
The name or types of recipient(s) of the information. The authorization must identify these persons with
sufficient specificity to reasonably permit a covered entity responding to the authorization to identify the
authorized user or recipient of the protected health information;
An expiration date or expiration event. This expiration date or event must either be a specific date, a
specific time period (e.g., one year from the date of signature), or an event directly relevant to the
individual or the purpose of the use or disclosure (e.g., for the duration of the individual’s enrollment with
the health plan that is authorized to make the use or disclosure). The expiration date or event is subject to
otherwise applicable and more stringent law;
The individual’s signature and date of signature;
If signed by a representative, a description of the representative’s authority or relationship to the individual;
A statement regarding the individual’s right to revoke the authorization. The authorization must include
instructions on how the individual may revoke the authorization. For example, the person obtaining the
authorization from the individual can include an address where the individual can send a written request for
revocation;
A statement that when the information is used or disclosed pursuant to the authorization, it may be subject
to re-disclosure by the recipient and may no longer be protected by the HIPAA rule;
Authorization forms must be written in plain language.
Before Vivek Doppalapudi, DDS MS PC can use or disclose protected health information of an individual
pursuant to a request Vivek Doppalapudi, DDS MS PC made, Vivek Doppalapudi, DDS MS PC is required
to obtain an authorization containing the minimum elements described above and the following additional
elements:
Except for authorizations requested for clinical trials, a statement that Vivek Doppalapudi, DDS MS PC will
not condition treatment or payment on the individual’s authorization;
A description of the purpose of the requested use or disclosure. Vivek Doppalapudi, DDS MS PC prohibits
the use of broad or blanket authorizations requesting the use or disclosure of protected health information
for a wide range of unspecified purposes;
A statement that the individual may inspect or copy the information to be used or disclosed and may refuse
to sign the authorization;
If the use or disclosure of the requested information will result in financial gain to Vivek Doppalapudi, DDS
MS PC, a statement that such gain will result.
Vivek Doppalapudi, DDS MS PC may request only the minimum amount of information necessary to
accomplish the purpose for which the request was made. Vivek Doppalapudi, DDS MS PC must provide
the individual with a copy of the executed authorization.
In some instances, Vivek Doppalapudi, DDS MS PC may be reluctant to undertake the effort to review the
record and select portions relevant to the request (or redact portions not relevant). In such circumstances,
Vivek Doppalapudi, DDS MS PC may provide the entire record to the individual, who may then redact and
release the more limited information to the requestor. This rule does not require a covered entity to
disclose information pursuant to an individual’s authorization.
If Vivek Doppalapudi, DDS MS PC seeks the individual’s written legal permission to obtain PHI about the
individual from another covered entity for any purpose, it must obtain the individual’s authorization for the
covered entity that maintains the PHI to make the disclosure. If the authorization is for the purpose of
obtaining PHI for purposes other than treatment, payment, or health care operations, the authorization
need only contain the core elements.
If the authorization, however, is for the purpose of obtaining PHI to carry out treatment, payment, or health
care operations, the authorization must include the core requirements and also describe each purpose of
the requested disclosure.
2. Valid and Defective Authorizations
An authorization must contain the required elements described above to be considered a valid authorization under
HIPAA. A valid authorization may contain additional, non-required elements, provided that these elements
are not inconsistent with the required elements. An authorization is not considered valid if:
The expiration date or expiration event has passed (the expiration event must be related to the individual or
the purpose of the use or disclosure);
The form has not been filled out completely;
The completed form lacks a required element;
Vivek Doppalapudi, DDS MS PC knew the authorization had been revoked; or
An employee of Vivek Doppalapudi, DDS MS PC knows that the information on the authorization form is
false.
Authorizations that are not completely filled out with respect to the required elements are defective.
An authorization that an employee of Vivek Doppalapudi, DDS MS PC knows has been revoked is not a
valid authorization. If Vivek Doppalapudi, DDS MS PC does not know of the revocation, it does not
violate the HIPAA rule by acting pursuant to the authorization.
3. Compound Authorizations
Except for authorizations requested in connection with a clinical trial, Vivek Doppalapudi, DDS MS PC cannot
combine an authorization for use or disclosure of PHI for purposes other than treatment, payment, or health
care operations with an authorization or consent for treatment (e.g., an informed consent to receive care) or
payment (e.g., an assignment of benefits) or any other written legal permission from the individual.
There are three exceptions to this prohibition:
1. An authorization for the use or disclosure of PHI created for a research study may be combined with any
other type of written permission for the same or another research study. This exception includes
combining an authorization for the use or disclosure of PHI for a research study with another
authorization for the same research study, with an authorization for the creation or maintenance of a
research database or repository, or with a consent to participate in research. However, if Vivek
Doppalapudi, DDS MS PC conditioned the provision of research related treatment on the provision of
one of the authorizations, any compound authorization created must clearly differentiate between the
conditioned and unconditioned components and provide the patient with an opportunity to opt in to the
research activities described in the unconditioned authorization.
2. Authorizations for the use or disclosure of psychotherapy notes for multiple purposes may be combined
in a single document, but may not be combined with authorizations for the use or disclosure of other PHI.
3. Authorizations for the use or disclosure of PHI other than psychotherapy notes may be combined,
provided that Vivek Doppalapudi, DDS MS PC has not conditioned the provision of treatment, payment,
enrollment, or eligibility on obtaining the authorization.
4. Revocation of Authorizations
An individual may revoke an authorization at any time, except to the extent that Vivek Doppalapudi, DDS MS
PC has taken action in reliance on the authorization. The individual must revoke the authorization in writing.
When an individual revokes an authorization, Vivek Doppalapudi, DDS MS PC must stop making uses and
disclosures pursuant to the authorization to the greatest extent practical. Vivek Doppalapudi, DDS MS PC may
continue to use and disclose PHI in accordance with the authorization only to the extent Vivek Doppalapudi,
DDS MS PC has taken action in reliance on the authorization. For example, Vivek Doppalapudi, DDS MS PC is
not required to retrieve information that has already been disclosed in accordance with the authorization.
Individuals do not have the right to revoke an authorization if the authorization was obtained as a condition of
obtaining insurance coverage, and other applicable law provides the insurer that obtained the authorization with
the right to contest a claim under the policy.
AUTHORIZATION EXCEPTIONS:
45 C.F.R. § 164.512 outlines all the exceptions to the requirement to obtain an individual’s authorization for use
or disclosure of PHI. These exceptions fall into the following categories:
1. Incidental Use and Disclosure
2. Uses and disclosures required by law,
3. Uses and disclosures for public health activities,
4. Disclosure to a school about a patient who is a student, or prospective student, of the school if the PHI
disclosed is limited to proof of immunization, the school is required by State or other law to have such
proof of immunization prior to admitting the student, and consent from a parent, guardian, or other
person acting in loco parentis, or from the patient themselves if the patient is an adult or emancipated
minor is provided,
5. Disclosures about victims of abuse, neglect or domestic violence,
6. Uses and disclosures for health oversight activities,
7. Disclosures for judicial and administrative proceedings,
8. Disclosures for law enforcement purposes,
9. Uses and disclosures about decedents,
10. Uses and disclosures for organ, eye, or tissue donation purposes,
11. Uses and disclosures for research purposes,
12. Uses and disclosures to avert a serious threat to health or safety,
13. Uses and disclosures for specialized government functions,
14. Disclosures for Workers’ Compensation.
Vivek Doppalapudi, DDS MS PC may use or disclose PHI without the written consent or authorization of
the individual, or the opportunity for the individual to agree or object, in the situations described above,
subject to the applicable requirements of each section.
1. Incidental Use and Disclosure
The HIPAA final rule acknowledges that uses or disclosures that are incidental to an otherwise permitted use or
disclosure may occur, and such incidental uses or disclosures are not considered a violation of the rule
provided that the covered entity has met the reasonable safeguards and minimum necessary requirements. For
example, if these requirements are met, doctors’ offices may use waiting room sign-in sheets, hospitals may
keep patient charts at bedside, doctors can talk to patients in semi-private rooms, and doctors can confer at
nurses’ stations without fear of violating the rule if overheard by a passerby.
2. Uses and Disclosures Required by Law
Vivek Doppalapudi, DDS MS PC may use or disclose PHI if the use or disclosure is required by law, and the
use or disclosure complies with and is limited to the relevant requirements of the law. Vivek Doppalapudi, DDS
MS PC must meet the following requirements found below in the appropriate section for disclosures about
victims of abuse, neglect, or domestic violence; disclosures for judicial and administrative proceedings, or,
disclosures for law enforcement purposes.
3. Uses and Disclosures for Public Health Activities
Vivek Doppalapudi, DDS MS PC may disclose PHI for the public health activities and purposes described
below to:
1. A public health authority authorized by law to collect or receive information for the purpose of
preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of
disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public
health investigations, and public health interventions; or, at the direction of a public health authority, to an
official of a foreign government agency that is acting in collaboration with a public health authority.
2. A public health authority or other government authority authorized by law to receive reports of child
abuse or neglect.
3. A person subject to the jurisdiction of the Food and Drug Administration (FDA):
a. To report adverse events (or similar reports with respect to food or dietary supplements), product defects,
or problems (including problems with the use or labeling of a product), or biological product deviations, if
the disclosure is made to the person required or directed to report such information to the FDA;
b. To track products, if the disclosure is made to a person required or directed by the FDA to track the
product;
c. To enable product recalls, repairs, or replacement (including locating and notifying individuals who have
received products of product recalls, withdrawals, or other problems); or
d. To conduct post-marketing surveillance to comply with requirements of, or at the direction of, the FDA.
4. A person who may have been exposed to a communicable disease or may otherwise be at risk of
contracting or spreading a disease or condition, if Vivek Doppalapudi, DDS MS PC or a public health
authority is authorized by law to notify such person as necessary in the conduct of a public health
intervention or investigation.
5. An employer, about an individual who is a member of the workforce of the employer, if:
a. Vivek Doppalapudi, DDS MS PC provides health care to the individual at the request of the employer
to conduct an evaluation relating to medical surveillance of the workplace, or to evaluate whether the
individual has a work-related illness or injury;
b. The PHI that is disclosed consists only of findings concerning a work-related illness or injury or a
workplace-related medical surveillance;
c. The employer needs such findings in order to comply with its obligations, under
OSHA law and rule (29 CFR parts 1904 through 1928), or under state law having a similar purpose, to
record such illness or injury or to carry out responsibilities for workplace medical surveillance; and
d. Vivek Doppalapudi, DDS MS PC provides written notice to the individual that PHI relating to the medical
surveillance of the workplace and work-related illnesses and injuries is disclosed to the employer, by
giving a copy of the notice of patient privacy practices to the individual at the time the health care is
provided, or, if the health care is provided on the worksite of the employer, by posting the notice of patient
privacy practices in a prominent place at the location where the health care is provided.
4. Disclosures about Victims of Abuse, Neglect or Domestic Violence
Vivek Doppalapudi, DDS MS PC may disclose PHI about an individual whom a health care provider reasonably
believes to be a victim of abuse, neglect, or domestic violence to a government authority, including a social
service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic
violence:
1. To the extent the disclosure is required by law and the disclosure complies with and is limited to the
relevant requirements of such law;
2. If the individual agrees to the disclosure; or
3. To the extent the disclosure is expressly authorized by statute or regulation, and either:
a. a health care provider, in the exercise of professional judgment, believes the disclosure is necessary to
prevent serious harm to the individual or other potential victims; or
b. if the individual is unable to agree because of incapacity, a law enforcement or other public official
authorized to receive the report represents that the PHI for which disclosure is sought is not intended to be
used against the individual and that an immediate enforcement activity that depends upon the disclosure would
be adversely affected by waiting until the individual is able to agree to the disclosure.
If Vivek Doppalapudi, DDS MS PC makes a disclosure as described above, it must promptly inform the
individual that such a report has been or will be made, except if a health care provider, in the exercise of
professional judgment, believes informing the individual would place the individual at risk of serious harm; or
Vivek Doppalapudi, DDS MS PC would be informing a personal representative, and the covered entity
reasonably believes the personal representative is responsible for the abuse, neglect, or other injury, and that
informing such person would not be in the best interests of the individual as determined by the covered entity,
in the exercise of professional judgment.
5. Uses and Disclosures for Health Oversight Activities
Vivek Doppalapudi, DDS MS PC may disclose PHI to a health oversight agency for oversight activities
authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or
disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for
appropriate oversight of the health care system; government benefit programs for which health information is
relevant to beneficiary eligibility; entities subject to government regulatory programs for which health
information is necessary for determining compliance with program standards; or entities subject to civil rights
laws for which health information is necessary for determining compliance.
A health oversight activity does not include an investigation or other activity in which the individual is the
subject of the investigation or activity and such investigation or other activity does not arise out of and is not
directly related to the receipt of health care, a claim for public benefits related to health, or qualification for, or
receipt of, public benefits or services when a patient’s health is integral to the claim for public benefits or
services.
If a health oversight activity or investigation is conducted in conjunction with an oversight activity or
investigation relating to a claim for public benefits not related to health, the joint activity or investigation is
considered a health oversight activity.
6. Disclosures for Proof of Immunization
Vivek Doppalapudi, DDS MS PC may disclose proof of a patient’s immunization to a school, about a patient
who is a student or prospective student of the school, as required by State or other law, if a parent, guardian, or
other person acting in loco parentis, or a patient who is an adult or emancipated minor, authorizes Vivek
Doppalapudi, DDS MS PC to do so. Vivek Doppalapudi, DDS MS PC does not need to obtain a written
authorization for such disclosure. Oral authorization that is documented by Vivek Doppalapudi, DDS MS PC will
satisfy the requirements under HIPAA. However, as a best practice, Vivek Doppalapudi, DDS MS PC should
implement a system that tracks authorization in a written form to best protect Vivek Doppalapudi, DDS MS PC.
Vivek Doppalapudi, DDS MS PC should consult State law for specific immunization records requirements for
school admittance. (See the Patient Proof of Immunization Record Request form).
7. Disclosures for Judicial and Administrative Proceedings
Vivek Doppalapudi, DDS MS PC may disclose PHI in the course of any judicial or administrative proceeding in
response to an order of a court or administrative tribunal, provided that Vivek Doppalapudi, DDS MS PC
discloses only the PHI expressly authorized by such order.
Vivek Doppalapudi, DDS MS PC may disclose PHI in response to a subpoena, discovery request, or other
lawful process that is not accompanied by an order of a court or administrative tribunal, if Vivek Doppalapudi,
DDS MS PC receives satisfactory assurance from the party seeking the information that reasonable efforts
have been made by such party to ensure that the individual who is the subject of the PHI that has been
requested has been given notice of the request, or Vivek Doppalapudi, DDS MS PC receives satisfactory
assurance from the party seeking the information that reasonable efforts have been made by such party to
secure a qualified protective order.
Vivek Doppalapudi, DDS MS PC receives satisfactory assurances from a party seeking PHI if the covered
entity receives from such party a written statement and accompanying documentation demonstrating that the
party requesting such information has made a good faith attempt to provide written notice to the individual (or, if
the individual’s location is unknown, to mail a notice to the individual’s last known address); that the notice
included sufficient information about the litigation or proceeding in which the PHI is requested to permit the
individual to raise an objection to the court or administrative tribunal, and the time for the individual to raise
objections to the court or administrative tribunal has elapsed, and no objections were filed, or all objections filed
by the individual have been resolved by the court or the administrative tribunal and the disclosures being
sought are consistent with such resolution.
Also, Vivek Doppalapudi, DDS MS PC receives satisfactory assurances from a party seeking PHI, if the
covered entity receives from such party a written statement and accompanying documentation demonstrating
that the parties to the dispute giving rise to the request for information have agreed to a qualified protective
order and have presented it to the court or administrative tribunal with jurisdiction over the dispute, or the party
seeking the PHI has requested a qualified protective order from such court or administrative tribunal.
A qualified protective order means, with respect to the PHI requested, an order of a court or of an administrative
tribunal, or a stipulation by the parties to the litigation or administrative proceeding, that prohibits the parties from
using or disclosing the PHI for any purpose other than the litigation or proceeding for which such information
was requested, and requires the return to the covered entity or destruction of the PHI (including all copies
made) at the end of the litigation or proceeding.
Vivek Doppalapudi, DDS MS PC may disclose PHI in response to lawful process if Vivek Doppalapudi, DDS
MS PC makes reasonable efforts to provide notice to the individual or to seek a qualified protective order.
The provisions of this section do not supersede other provisions of these authorization exceptions that otherwise
permit or restrict uses or disclosures of protected health information.
8. Disclosures for Law Enforcement Purposes
Vivek Doppalapudi, DDS MS PC may disclose PHI for a law enforcement purpose to law enforcement officials
under the following conditions:
1. Vivek Doppalapudi, DDS MS PC may disclose protected health information as required by law, including
laws that require the reporting of certain types of wounds or other physical injuries; or in compliance with
and as limited by the requirements of a court order or court-ordered warrant, or a subpoena or summons
issued by a judicial officer, a grand jury subpoena, or an administrative request, including an administrative
subpoena or summons, a civil or an authorized investigative demand, or similar process authorized
under law, provided that the information sought is relevant and material to a legitimate law enforcement
inquiry, the request is specific and limited in scope to the extent reasonably practicable in light of the
purpose for which the information is sought, and de-identified information could not reasonably be used.
2. Vivek Doppalapudi, DDS MS PC may disclose PHI in response to a law enforcement official's request for
such information for the purpose of identifying or locating a suspect, fugitive, material witness, or missing
person, provided that the covered entity may disclose only the following information:
a. Name and address;
b. Date and place of birth;
c. Social Security number;
d. ABO blood type and Rh factor;
e. Type of injury;
f. Date and time of treatment;
g. Date and time of death, if applicable; and
h. A description of distinguishing physical characteristics, including height, weight, gender, race, hair and
eye color, presence or absence of facial hair (beard or moustache), scars, and tattoos.
Vivek Doppalapudi, DDS MS PC may not disclose, for the purposes of identification, any PHI related to
the individual's DNA or DNA analysis, dental records, or typing, samples, or analysis of body fluids or
tissue.
3. Vivek Doppalapudi, DDS MS PC may disclose protected health information in response to a law
enforcement official's request for such information about an individual who is, or is suspected to be, a
victim of a crime if the individual agrees to the disclosure; or, if Vivek Doppalapudi, DDS MS PC is unable
to obtain the individual's agreement because of incapacity or other emergency circumstance, provided
that the law enforcement official represents that such information is needed to determine whether a
violation of law by a person other than the victim has occurred, and such information is not intended to
be used against the victim; the law enforcement official represents that immediate law enforcement
activity that depends upon the disclosure would be materially and adversely affected by waiting until the
individual is able to agree to the disclosure; and the disclosure is in the best interests of the individual as
determined by the covered entity, in the exercise of professional judgment.
4. Vivek Doppalapudi, DDS MS PC may disclose PHI about an individual who has died to law enforcement
officials for the purpose of alerting law enforcement of the death of the individual if Vivek Doppalapudi,
DDS MS PC has a suspicion that such death may have resulted from criminal conduct.
5. Vivek Doppalapudi, DDS MS PC may disclose to a law enforcement official PHI that Vivek Doppalapudi,
DDS MS PC believes in good faith constitutes evidence of criminal conduct that occurred on the
premises of the covered entity.
6. A health care provider providing emergency health care in response to a medical emergency, other than
such an emergency on the premises of Vivek Doppalapudi, DDS MS PC, may disclose PHI to a law
enforcement official if such disclosure appears necessary to alert law enforcement to the commission
and nature of a crime, the location of such crime or of the victim(s) of such crime, and the identity,
description, and location of the perpetrator of such crime.
If a covered health care provider believes that the medical emergency is the result of abuse, neglect, or
domestic violence of the individual in need of emergency health care, requirements found above under,
“Disclosures About Victims of Abuse, Neglect, or Domestic Violence” apply.
9. Decedents
A decedent’s health information is protected for a period of 50 years after the date of death. This does not
override State or other laws for sensitive information that may be stricter—such as HIV/AIDS, substance abuse,
or mental health information.
The practice is permitted to use or disclose protected health information (“PHI”) to a deceased person’s
personal representative or to family members or others who were involved in the decedent’s care or payment
for care, provided the decedent had not expressed to the practice an objection to sharing his or her PHI, and
provided the PHI disclosed is relevant to that person’s involvement in the decedent’s care or payment for
services rendered.
A personal representative is a person with legal authority to act on behalf of the decedent or the decedent’s
estate (not restricted to health care decisions), such as the Executor of the estate, the next of kin or another
family member so authorized, or a person holding a durable power of attorney.
This 50-year period of protection is not the same as a medical record retention requirement, which is governed
by State law. Records may be destroyed according to State law.
10. Uses and Disclosures for Cadaveric Organ, Eye or Tissue Donation Purposes
Vivek Doppalapudi, DDS MS PC may use or disclose PHI to organ procurement organizations or other entities
engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of
facilitating organ, eye, or tissue donation and transplantation.
11. Uses and Disclosures for Research Purposes
In general, Vivek Doppalapudi, DDS MS PC may use or disclose PHI for research, regardless of the source of
funding of the research under defined circumstances. (See the policy entitled “Uses and Disclosures for
Research Purposes,” for specific information.)
12. Uses and Disclosures to Avert a Serious Threat to Health or Safety
Vivek Doppalapudi, DDS MS PC may, consistent with applicable law and standards of ethical conduct, use or
disclose PHI, if a health care provider, in good faith, believes the use or disclosure is necessary to prevent or
lessen a serious and imminent threat to the health or safety of a person or the public, and is to a person or
persons reasonably able to prevent or lessen the threat, including the target of the threat; or is necessary for
law enforcement authorities to identify or apprehend an individual because of a statement by an individual
admitting participation in a violent crime that the covered entity reasonably believes may have caused serious
physical harm to the victim; or where it appears from all the circumstances that the individual has escaped from
a correctional institution or from lawful custody.
A disclosure of PHI to law enforcement officials to identify or apprehend an individual may not be made if the
information was learned by Vivek Doppalapudi, DDS MS PC in the course of treatment intended to affect the
propensity to commit the criminal conduct that is the basis for the disclosure, or in the course of counseling or
therapy; or through a request by the individual to initiate or to be referred for such treatment, counseling, or
therapy.
A disclosure made to law enforcement individuals to identify or apprehend an individual shall contain only the
statement from the individual admitting participation in a violent crime that the covered entity reasonably
believes may have caused serious physical harm to the victim and the following PHI:
1. Name and address;
2. Date and place of birth;
3. Social Security number;
4. ABO blood type and Rh factor;
5. Type of injury;
6. Date and time of treatment;
7. Date and time of death, if applicable; and
8. A description of distinguishing physical characteristics, including height, weight, gender, race, hair and
eye color, presence or absence of facial hair (beard or moustache), scars, and tattoos.
If Vivek Doppalapudi, DDS MS PC uses or discloses PHI to avert a serious threat to health or safety, it is
presumed to have acted in good faith if the belief on which the use or disclosure rests is based upon a health
care provider’s actual knowledge or on reliance on a credible representation by a person with apparent
knowledge or authority.
13. Uses and Disclosures For Specialized Government Functions
Vivek Doppalapudi, DDS MS PC may use and disclose the PHI of individuals who are Armed Forces personnel
for activities deemed necessary by appropriate military command authorities to assure the proper execution of
the military mission, if the appropriate military authority has published by notice in the Federal Register the
following information: appropriate military command authorities; and the purposes for which the PHI may be
used or disclosed.
Vivek Doppalapudi, DDS MS PC may use and disclose the PHI of individuals who are foreign military personnel
to their appropriate foreign military authority for the same purposes for which uses and disclosures are
permitted for Armed Forces personnel.
Vivek Doppalapudi, DDS MS PC may disclose PHI to authorized federal officials for the conduct of lawful
intelligence, counter-intelligence, and other national security activities authorized by the National Security Act
(50 U.S.C. 401, et seq.) and implementing authority (Executive Order 12333).
Vivek Doppalapudi, DDS MS PC may disclose PHI to authorized federal officials for the provision of protective
services to the President or other persons authorized by 18 U.S.C. 3056, or to foreign heads of state or other
persons authorized by 22 U.S.C. 2709(a)(3), or for the conduct of investigations authorized by 18 U.S.C. 871
and 879.
Vivek Doppalapudi, DDS MS PC may disclose to a correctional institution, or a law enforcement official having
lawful custody of an inmate or other individual, PHI about such inmate or individual, if the correctional institution
or such law enforcement official represents that such PHI is necessary for the provision of health care to such
individuals, the health and safety of such individual or other inmates, the health and safety of the officers or
employees of or others at the correctional institution, the health and safety of such individuals and officers or
other persons responsible for the transporting of inmates or their transfer from one institution, facility, or setting
to another, law enforcement on the premises of the correctional institution; and the administration and
maintenance of the safety, security, and good order of the correctional institution.
For the purposes of this provision, an individual is no longer an inmate when released on parole, probation,
supervised release, or otherwise is no longer in lawful custody.
14. Disclosures for Workers’ Compensation
Vivek Doppalapudi, DDS MS PC may disclose PHI as authorized by and to the extent necessary to comply with
laws relating to Workers’ Compensation, or other similar programs, established by law, that provide benefits for
work-related injuries or illness without regard to fault.
Procedure
1. When requests are made for access to an individual’s protected health information under the circumstances
identified above, first read the appropriate section to make sure that all requirements of the HIPAA rule
are met.
2. Except in circumstances where the HIPAA rule or other law forbids informing the individual of the release
of their PHI, a member of the clinical staff should advise the patient that such release is being or has
been made.
3. Prepare the information to be released following the “minimum necessary requirements.” That is, release
only the specific information required to fulfill the purpose of the release. Note: some sections above
have very specific requirements about the information that can be released. Read that section carefully
before completing the release. When in doubt, get a second opinion from Vivek Doppalapudi, DDS MS
PC’s manager or medical director. If you are still uncertain about the content of the release, confer with
Vivek Doppalapudi, DDS MS PC’s legal counsel before a release is made.
4. With the exception of uses and disclosures for practice treatment, payment, or health care operations,
document the release on an Authorization for Use and Disclosure form and file the form in the patient’s
record. A patient’s accounting of disclosures will consist of the completed Authorization for Use and
Disclosure forms that have been filed in the patient’s record over the preceding six-year period.
5. If documents are provided in support of the release, e.g., a court order, subpoena, or other document
authorizing the release, make a copy and scan the documents into the patient’s chart.
Please refer to the “Forms” section to find the “Patient Authorization for Use and Disclosure of Protected
Health Information” form.
Please refer to the “Forms” section to find the “Patient Authorization Revocation/Fundraising Opt-Out” form.
Please refer to the “Forms” section to find the “Patient Proof of Immunization Record Request” form.
USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION FOR MARKETING POLICY
SCOPE OF POLICY
This policy applies to all Vivek Doppalapudi, DDS MS PC staff members. This includes all employees,
volunteers, vendors, and subcontractors.
STATEMENT OF POLICY
Vivek Doppalapudi, DDS MS PC marketing activities involving the use or disclosure of protected health
information may only be conducted after being approved by authorized marketing staff at Vivek Doppalapudi,
DDS MS PC who will ensure that requirements set forth in the Health Insurance Portability and Accountability
Act (“HIPAA”) of 1996 and the Health Information Technology for Economic and Clinical Health Act (“HITECH”)
for the use and disclosure of patient information have been met. Patient information or lists should not be used
or released before this approval has been obtained from authorized marketing staff, as there are legal
restrictions on marketing activities of Vivek Doppalapudi, DDS MS PC.
If Vivek Doppalapudi, DDS MS PC receives financial remuneration from a third party in exchange for making a
marketing communication, an authorization from the patient is required, and the authorization must state that
such remuneration is being received. Financial remuneration means direct or indirect payment from, or on
behalf of, the third party whose product or service is being described; it does not include payment for patient
treatment.
IMPLEMENTATION OF POLICY
Marketing Activities Subject To This Policy
Marketing activities generally include all oral or written communications with a patient about a product or
service that encourage the patient to purchase or use that product or service. Vivek Doppalapudi, DDS MS PC
marketing activities may involve patient information because the marketing is directed at current or former
patients. Marketing also may include distributing patient information to another organization so that it may
market its own products and services if Vivek Doppalapudi, DDS MS PC receives direct or indirect payment in
exchange for the patient information.
Marketing Activities Not Subject To This Policy
Marketing activities not subject to this policy include:
Refill reminders or other communications about a drug or biologic currently prescribed to a patient, if any
financial remuneration received by Vivek Doppalapudi, DDS MS PC in exchange for making the communication
is reasonably related to Vivek Doppalapudi, DDS MS PC’s cost of making the communication;
Treatment and health care operations purposes where Vivek Doppalapudi, DDS MS PC does not receive
financial remuneration in exchange for making the communication, including:
Treatment by a health care provider;
Case management or care coordination;
Recommendations for alternative treatments, therapies, providers or settings of care;
Descriptions of a health related product or service (or payment for such product or service) that is provided
by, or included in a plan of benefits of Vivek Doppalapudi, DDS MS PC, including communications about
Vivek Doppalapudi, DDS MS PC participation in a health care provider or health plan network,
replacements and/or enhancements to health plans or health-related products or services available to a
health-plan enrollee that add value to, but are not part of, their plan or benefits.
Responsibility
It is the responsibility of Vivek Doppalapudi, DDS MS PC’s Privacy Officer, to implement processes to ensure
that the distribution of marketing materials adhere to this policy, HIPAA, and HITECH.
Contacting Privacy Officer
To obtain approval for marketing activities contact the Privacy Officer at @PRIVACYPHONE@.
VIOLATIONS
Vivek Doppalapudi, DDS MS PC’s Privacy Officer has general responsibility for implementation of this policy.
Anyone who violates this policy will be subject to disciplinary action up to and including termination of
employment or contract with Vivek Doppalapudi, DDS MS PC. Anyone who knows or has reason to believe that
another person has violated this policy should report the matter promptly to Vivek Doppalapudi, DDS MS PC’s
Privacy Officer. Any attempt to retaliate against a person for reporting a violation of this policy will itself be
considered a violation of this policy that may result in disciplinary action up to and including termination of
employment or contract with Vivek Doppalapudi, DDS MS PC.
USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION FOR FUNDRAISING POLICY
SCOPE OF POLICY
This policy applies to Vivek Doppalapudi, DDS MS PC staff members. Vivek Doppalapudi, DDS MS PC staff
members include all employees, volunteers, vendors, and subcontractors.
STATEMENT OF POLICY
Fundraising activities involving the use or disclosure of patient information may only be conducted by
authorized development staff at Vivek Doppalapudi, DDS MS PC who will ensure that all requirements for the
use and disclosure of such information have been met. Fundraising communications may only be sent to
individuals who have not opted out of receiving such communications. Vivek Doppalapudi, DDS MS PC may
not condition treatment or payment on the individual’s choice with respect to receipt of fundraising
communications.
IMPLEMENTATION OF POLICY
Fundraising Activities Subject To This Policy.
Fundraising activities include any activities undertaken to raise money, or other things of value, on behalf of
Vivek Doppalapudi, DDS MS PC or any of its affiliated organizations. This policy applies to any fundraising
activities undertaken by Vivek Doppalapudi, DDS MS PC, Vivek Doppalapudi, DDS MS PC staff (including
volunteers, vendors, subcontractors and other business associates). Examples of fundraising activities include:
Requests for general donations to benefit Vivek Doppalapudi, DDS MS PC;
Requests for special-purpose donations;
Requests for sponsorship of Vivek Doppalapudi, DDS MS PC events or activities; and
Auctions, rummage sales, or bake sales.
The fundraising activities are subject to this policy only if the activities involve the use or disclosure of
patient information. Vivek Doppalapudi, DDS MS PC may use or disclose to a business associate or to an
institutionally related foundation, the following patient information for purposes of fundraising on its own
behalf, without a patient authorization:
Name;
Address;
Other contact information;
Age;
Gender;
Date of birth;
Dates of health care provided;
Department of service;
Treating physician;
Outcome information; and
Health insurance status.
Approval by Development Staff
To obtain approval of fundraising activities by Vivek Doppalapudi, DDS MS PC’s development staff, contact the
Privacy Officer.
Opt-Out Requests
Individuals have the right to opt out of receiving fundraising communications. All fundraising communications
must contain clear and conspicuous language providing the individual the opportunity to opt-out of receiving
further fundraising communications without any undue burden or more than a nominal cost on the individual. All
individual’s requests to opt out of such communications should be forwarded to authorized development staff. If
an individual decides to opt out, the request must be treated as a revocation of authorization under 45 CFR §
164.508 of the Privacy Rule. Requiring the patient to write a letter requesting an opt-out is considered an undue burden.
Filling out a pre-printed postcard or making a phone call is not. A model form “Patient Authorization
Revocation / Fundraising Opt-Out” is available for this purpose within this manual.
It is the responsibility of the Privacy Officer in connection with the development office, to implement processes
to ensure that individuals who have opted-out of receiving fundraising communications do not receive such
communications. However, the individual may be provided the opportunity to opt back in to receive fundraising
communications if they have previously elected to opt-out of such communications.
VIOLATIONS
Vivek Doppalapudi, DDS MS PC’s Privacy Officer has a general responsibility for implementation of this policy.
Anyone who violates this policy will be subject to disciplinary action up to and including termination of
employment or contract with Vivek Doppalapudi, DDS MS PC. Anyone who knows or has reason to believe that
another person has violated this policy should report the matter promptly to his or her supervisor or Vivek
Doppalapudi, DDS MS PC’s Privacy Officer. All reported matters will be investigated, and, where appropriate,
steps will be taken to remedy the situation. Any attempt to retaliate against a person for reporting a violation of
this policy will itself be considered a violation of this policy that may result in disciplinary action up to and
including termination of employment or contract with Vivek Doppalapudi, DDS MS PC.
QUESTIONS
If you have questions about this policy, please contact Vivek Doppalapudi, DDS MS PC’s Privacy Officer
immediately. It is important that all questions be resolved as soon as possible to ensure protected health
information is used and disclosed appropriately.
PERSONAL REPRESENTATIVES
REFERENCE: 45 CFR § 164.502(g)
POLICY:
Individuals Authorized to Act
In the final rule, “individual” is defined as the subject of the PHI, which includes unemancipated minors and
other individuals who may lack capacity to act on their own behalf. The rule removes from the definition of
“individual” the earlier provisions regarding legal representatives; such persons are instead addressed as
personal representatives, below.
Personal Representatives
With respect to adults or emancipated minors, a practice must treat a person as a personal representative of an
individual if such person is, under applicable law, authorized to act on behalf of the individual in making
decisions related to health care. This includes a court-appointed guardian and a person with a power of
attorney, but may also include other persons.
The authority of a personal representative under this rule is limited: the representative must be treated as the
individual only to the extent that PHI is relevant to the matters on which the personal representative is
authorized to represent the individual. For example, if a person’s authority to make health care decisions for an
individual is limited to decisions regarding treatment for cancer, such person is a personal representative and
must be treated as the individual with respect to PHI related to the cancer treatment of the individual. Such a
person is not the personal representative of the individual with respect to all PHI about the individual, and
therefore, the practice may not disclose PHI that is not relevant to the cancer treatment to the person, unless
otherwise permitted.
This provision applies to persons empowered under state or other law to make health related decisions for an
individual, whether or not the instrument or law granting such authority specifically addresses health
information.
Unemancipated Minors
In addition, with respect to an unemancipated minor, if under applicable law (state law should be consulted) a
parent may act on behalf of an unemancipated minor in making decisions related to health care, the practice
must treat such person as a personal representative with respect to PHI relevant to such personal
representation, with three exceptions. Under the general rule, in most circumstances the minor would not have
the capacity to act as the individual, and the parent would be able to exercise rights and authorities on behalf of
the minor. Under the exceptions to the rule on personal representatives of unemancipated minors, the minor,
and not the parent, would be treated as the individual and able to exercise the rights and authorities of an
individual. These exceptions occur if:
1. The minor consents to a health care service; no other consent to such health care service is required by
state or other law, regardless of whether the consent of another person has also been obtained; and the
minor has not requested that such person be treated as the personal representative;
2. The minor may lawfully obtain such health care service without the consent of a parent, and the minor, a
court, or another person authorized by law consents to such health care service; or
3. A parent assents to an agreement of confidentiality between a covered health care provider and the
minor with respect to such health care service.
Minors
A minor does not have the authority to act under the rule unless the state has given them the ability to obtain
health care without consent of a parent, or the parent has assented. In addition, we defer to state law where the
state authorizes or prohibits disclosure of protected health information to a parent. This rule does not affect
parental notification laws that permit or require disclosure of protected health information to a parent. However,
the rights of a minor under this rule are not otherwise affected by such notification.
Denials of Personal Representative Status
Practices may elect not to treat a person as a personal representative in abusive situations. The practice need
not treat a person as a personal representative of an individual if the practice, in the exercise of professional
judgment, decides that it is not in the best interest of the individual to treat the person as the individual’s
personal representative, and the practice has a reasonable belief that the individual has been or may be
subjected to domestic violence, abuse, or neglect by such person, or that treating such person as the personal
representative could endanger the individual.
Families and Others Involved in the Individual’s Care
The practice is permitted to use its discretion to disclose certain PHI to family members, relatives, close
friends, and other persons assisting in the care of an individual. Many health care decisions take place on an
informal basis, and the rule allows disclosures in certain circumstances to permit this practice to continue.
Health care providers may continue to use their discretion to address these informal situations.
Summary
The practice must treat a person that meets the requirements of a personal representative as the individual
(with the exceptions described above). The disclosure of PHI to a personal representative is mandatory under
this rule only if disclosure to the individual is mandatory. Further, as noted above, the personal representative’s
rights are limited by the scope of its authority under other law. Thus, this provision does not constitute a general
grant of authority to personal representatives.
Disclosure to a personal representative is mandatory to ensure that an individual’s rights are preserved even
when individuals are incapacitated or otherwise unable to act for themselves to the same degree as other
individuals. If the practice were to have the discretion to recognize a personal representative as the individual,
there could be situations in which no one could invoke an individual’s rights under these sections.
PROCEDURE:
1. It is the policy of the practice to verify the identity of all individuals seeking use or disclosure of an
individual’s PHI.
2. At the time that a written request is made to access, use, or disclose PHI, staff will verify the identity of
the individual making the request in the following manner:
If the individual is personally known to the practice as being authorized to request a use or disclosure of
PHI, a release may be completed. This includes personal knowledge of a parent or guardian of a minor
child.
If the individual is not personally known, s/he must provide a picture identification (e.g., driver’s license,
passport, military identification card, or other valid identification) for releases of his/her own PHI. Staff will
document the nature of the identification used and create a photocopy of the identification.
If the individual is not personally known to the practice and has requested information as an authorized
representative for another party, the individual must produce the legal documentation that verifies his/her
authority to act on behalf of the individual.
Whenever a question arises as to an individual’s authority to make a request, contact the practice
manager. Legal counsel may be consulted.
3. If an individual is requesting information as an authorized representative of another party, the use or
disclosure of the PHI must be the minimum necessary to meet the requirements of the release.
4. Care providers are permitted to use their discretion to disclose certain PHI to family members, relatives,
close friends, and other persons assisting in the care of an individual. Many health care decisions take
place on an informal basis, and the rule allows disclosures in certain circumstances to permit this
practice to continue. Health care providers may continue to use their discretion to address these informal
situations. Staff must seek a provider’s permission before releasing information to family members,
relatives, and others involved in an individual’s care.
5. A care provider may elect not to treat a person as a personal representative in abusive situations. The
provider need not treat a person as a personal representative of an individual if the practice, in the
exercise of professional judgment, decides that it is not in the best interest of the individual to treat the
person as the individual’s personal representative, and the practice has a reasonable belief that the
individual has been or may be subjected to domestic violence, abuse, or neglect by such person, or that
treating such person as the personal representative could endanger the individual.
6. All uses and disclosures of information conducted under a request from the individual or the individual’s
personal representative are approved by the individual’s primary care provider prior to the release being
performed, to ensure that no circumstances exist that may result in a violation of the HIPAA rule or a
denial of the request.
INTERPRETATION:
Parents and Minors: The final rule clarifies that state law, or other applicable law, governs in the area of parents
and minors. Generally, the Privacy Rule provides parents with new rights to control the health information about
their minor children, with limited exceptions that are based on state or other applicable law and professional
practice. For example, where a state has explicitly addressed disclosure of a minor’s health information to a
parent, or access to a child’s medical record by a parent, the final rule clarifies that state law governs. In
addition, the final rule clarifies that, in special cases in which the minor controls his or her own health
information under such law and that law does not define the parents’ ability to access the child’s health
information, a licensed health care provider continues to be able to exercise discretion to grant or deny such
access as long as that decision is consistent with the state or other applicable law.
COMMUNICATING WITH A PATIENT’S FAMILY, FRIENDS, OR OTHERS INVOLVED IN THE PATIENT’S CARE
SOURCE:
Health and Human Services Office for Civil Rights
This guide explains when a health care provider is allowed to share a patient’s health information with the
patient’s family members, friends, or others identified by the patient as involved in the patient’s care under the
Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. HIPAA is a federal law that
sets national standards for how health plans, health care clearinghouses, and most health care providers are to
protect the privacy of a patient’s health information.
Even though HIPAA requires health care providers to protect patient privacy, providers are permitted, in most
circumstances, to communicate with the patient’s family, friends, or others involved in their care or payment for
care. This guide is intended to clarify these HIPAA requirements so that health care providers do not
unnecessarily withhold a patient’s health information from these persons. This guide includes common
questions and a table that summarizes the relevant requirements.
COMMON QUESTIONS ABOUT HIPAA:
If the patient is present and has the capacity to make health care decisions, when does HIPAA allow a
health care provider to discuss the patient’s health information with the patient’s family, friends, or
others involved in the patient’s care or payment for care?
If the patient is present and has the capacity to make health care decisions, a health care provider may discuss
the patient’s health information with a family member, friend, or other person if the patient agrees, or when
given the opportunity, does not object. A health care provider also may share information with these persons if,
using professional judgment, he or she decides that the patient does not object. In either case, the health care
provider may share or discuss only the information that the person involved needs to know about the patient’s
care or payment for care.
Here are some examples:
An emergency room doctor may discuss a patient’s treatment in front of the patient’s friend if the patient
asks that her friend come into the treatment room.
A doctor’s office may discuss a patient’s bill with the patient’s adult daughter who is with the patient at the
patient’s medical appointment and has questions about the charges.
A doctor may discuss the drugs a patient needs to take with the patient’s health aide who has
accompanied the patient to a medical appointment.
A doctor may give information about a patient’s mobility limitations to the patient’s sister who is driving the
patient home from the hospital.
A nurse may discuss a patient’s health status with the patient’s brother if she informs the patient she is
going to do so, and the patient does not object.
BUT:
A nurse may not discuss a patient’s condition with the patient’s brother after the patient has stated she
does not want her family to know about her condition.
If the patient is not present or is incapacitated, may a health care provider still share the patient’s
health information with family, friends, or others involved in the patient’s care or payment for care?
Yes. If the patient is not present or is incapacitated, a health care provider may share the patient’s
information with family, friends, or others as long as the health care provider determines, based on
professional judgment, that it is in the best interest of the patient. When someone other than a friend or
family member is involved, the health care provider must be reasonably sure that the patient asked the
person to be involved in his or her care or payment for care. The health care provider may discuss only the
information that the person involved needs to know about the patient’s care or payment. Here are some
examples:
A surgeon who did emergency surgery on a patient may tell the patient’s spouse about the
patient’s condition while the patient is unconscious.
A pharmacist may give a prescription to a patient’s friend who the patient has sent to pick up the
prescription.
A hospital may discuss a patient’s bill with her adult son who calls the hospital with questions about
charges to his mother’s account.
A health care provider may give information regarding a patient’s drug dosage to the patient’s health aide
who calls the provider with questions about the particular prescription.
BUT:
A nurse may not tell a patient’s friend about a past medical problem that is unrelated to the patient’s
current condition.
A health care provider is not required by HIPAA to share a patient’s information when the patient is not
present or is incapacitated, and can choose to wait until the patient has an opportunity to agree to the
disclosure.
Does HIPAA require that a health care provider document a patient’s decision to allow the provider
to share his or her health information with a family member, friend, or other person involved in the
patient’s care or payment for care?
No. HIPAA does not require that a health care provider document the patient’s agreement or lack of
objection. However, a health care provider is free to obtain or document the patient’s agreement, or lack of
objection, in writing, if he or she prefers. For example, a provider may choose to document a patient’s
agreement to share information with a family member with a note in the patient’s medical file.
May a health care provider discuss a patient’s health information over the phone with the patient’s
family, friends, or others involved in the patient’s care or payment for care?
Yes. Where a health care provider is allowed to share a patient’s health information with a person,
information may be shared face-to-face, over the phone, or in writing.
If a patient’s family member, friend, or other person involved in the patient’s care or payment for
care calls a health care provider to ask about the patient’s condition, does HIPAA require the health
care provider to obtain proof of who the person is before speaking with them?
No. If the caller states that he or she is a family member or friend of the patient, or is involved in the
patient’s care or payment for care, then HIPAA doesn’t require proof of identity in this case. However, a
health care provider may establish his or her own rules for verifying who is on the phone. In addition, when
someone other than a friend or family member is involved, the health care provider must be reasonably
sure that the patient asked the person to be involved in his or her care or payment for care.
Can a patient have a family member, friend, or other person pick up a filled prescription, medical
supplies, X-rays, or other similar forms of patient information, for the patient?
Yes. HIPAA allows health care providers to use professional judgment and experience to decide if it is in
the patient’s best interest to allow another person to pick up a prescription, medical supplies, X-rays, or
other similar forms of information for the patient.
For example, the fact that a relative or friend arrives at a pharmacy and asks to pick up a specific
prescription for a patient effectively verifies that he or she is involved in the patient’s care. HIPAA allows
the pharmacist to give the filled prescription to the relative or friend. The patient does not need to provide
the pharmacist with their names in advance.
May a health care provider share a patient’s health information with an interpreter to communicate
with the patient or with the patient’s family, friends, or others involved in the patient’s care or
payment for care?
Yes. HIPAA allows covered health care providers to share a patient’s health information with an interpreter
without the patient’s written authorization under the following circumstances:
A health care provider may share information with an interpreter who works for the provider (e.g., a
bilingual employee, a contract interpreter on staff, or a volunteer).
For example, an emergency room doctor may share information about an incapacitated patient’s condition
with an interpreter on staff who relays the information to the patient’s family.
A health care provider may share information with an interpreter who is acting on its behalf (but is not a
member of the provider’s workforce) if the health care provider has a written contract or other agreement
with the interpreter that meets HIPAA’s business associate contract requirements.
For example, many providers are required under Title VI of the Civil Rights Act of 1964 to take reasonable
steps to provide meaningful access to persons with limited English proficiency. These providers often have
contracts with private companies, community-based organizations, or telephone interpreter service lines to
provide language interpreter services. These arrangements must comply with the HIPAA business
associate agreement requirements at 45 C.F.R. 164.504(e).
A health care provider may share information with an interpreter who is the patient’s family member, friend,
or other person identified by the patient as his or her interpreter, if the patient agrees, or does not object, or
the health care provider determines, using his or her professional judgment, that the patient does not
object.
For example, health care providers sometimes see patients who speak a certain language, and the
provider has no employee, volunteer, or contractor who can competently interpret that language. If the
provider is aware of a telephone interpreter service that can help, the provider may have that interpreter
tell the patient that the service is available. If the provider decides, based on professional judgment, that
the patient has chosen to continue using the interpreter, the provider may talk to the patient using the
interpreter.
Where can I find additional information about HIPAA?
The Office for Civil Rights, part of the Department of Health and Human Services, has more information about HIPAA on its website. Visit www.hhs.gov/ocr/hipaa for a wide range of helpful information, including the full text of the Privacy Rule, a HIPAA Privacy Rule Summary, fact sheets, over 200 Frequently Asked Questions, as well as many other resources to help health care providers and others understand the law.
HIPAA Privacy Rule Disclosures to a Patient’s Family, Friends, or Others Involved in the Patient’s Care or Payment for Care
PRIVACY POLICIES AND NOTICE OF PRIVACY PRACTICES
PRIVACY POLICY
Introduction
Vivek Doppalapudi, DDS MS PC hereby implements this Privacy Policy pursuant to the Health Insurance
Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and
Clinical Health Act of 2009 (“HITECH”) with respect to its activities when receiving protected health information
(“PHI”). The policies described in this document are expanded upon elsewhere in this manual.
Members of Vivek Doppalapudi, DDS MS PC’s workforce may have access to PHI as defined by HIPAA.
Workforce member means employees, volunteers, trainees, and other persons whose conduct, in the
performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid
by the covered entity. The term also includes the employees, volunteers, trainees, and other persons whose
conduct, in the performance of work for a business associate, is under the direct control of the business
associate.
Protected health information (“PHI”) means information that is created or received from a covered entity and
relates to the past, present, or future physical or mental health or condition of an individual; the provision of
health care to an individual; or the past, present, or future payment for the provision of health care to an
individual; and that identifies the individual or for which there is a reasonable basis to believe the information
can be used to identify the individual. PHI includes information of persons living or deceased.
It is Vivek Doppalapudi, DDS MS PC’s policy to comply with HIPAA’s requirements for the privacy of PHI. To
that end, all members of Vivek Doppalapudi, DDS MS PC’s workforce who have access to PHI must comply
with this Privacy Policy. For the purposes of this Policy, Vivek Doppalapudi, DDS MS PC’s workforce includes
individuals who would be considered part of the workforce under HIPAA such as employees, trainees, and
other persons whose work performance is under the direct control of Vivek Doppalapudi, DDS MS PC, whether
or not they are paid by Vivek Doppalapudi, DDS MS PC. The term “employee” includes all of these types of
workers.
No third-party rights are intended to be created by this Policy. Vivek Doppalapudi, DDS MS PC reserves the
right to amend or change this Policy at any time (and even retroactively) without notice. To the extent this Policy
establishes requirements and obligations above and beyond those required by HIPAA or HITECH the Policy
shall be aspirational and shall not be binding upon Vivek Doppalapudi, DDS MS PC. To the extent this Policy is
in conflict with the HIPAA Privacy Rule, the HIPAA Privacy Rule shall govern.
COVERED ENTITY RESPONSIBILITIES
1. Privacy Officer and Contact Person
Dr. Vivek Doppalapudi will be the Privacy Officer for Vivek Doppalapudi, DDS MS PC. The Privacy Officer will
be responsible for the development and implementation of policies and procedures relating to privacy of PHI in
the possession of Vivek Doppalapudi, DDS MS PC, including but not limited to this Privacy Policy. The Privacy
Officer will also serve as the contact person for individuals who have questions, concerns, or complaints about
the privacy of PHI.
The Privacy Officer is responsible for ensuring that Vivek Doppalapudi, DDS MS PC complies with the
provisions of the HIPAA Privacy Rule regarding third-party business associate vendors or subcontractors,
including the requirement that a HIPAA-compliant Business Associate Agreement is in place with business
associate vendors or subcontractors of Vivek Doppalapudi, DDS MS PC. The Privacy Officer shall also be
responsible for monitoring compliance with the HIPAA Privacy Rule and this Privacy Policy.
2. Workforce Training
It is Vivek Doppalapudi, DDS MS PC’s policy to train all members of its workforce who have access to PHI on
Vivek Doppalapudi, DDS MS PC’s Policy and Procedures. The Privacy Officer is charged with developing
training schedules and programs so that all workforce members receive the training necessary and appropriate
to permit them to carry out Vivek Doppalapudi, DDS MS PC’s functions in compliance with HIPAA and HITECH.
3. Safeguards and Firewall
Vivek Doppalapudi, DDS MS PC will establish appropriate administrative, technical, and physical safeguards to
prevent PHI from intentionally or unintentionally being used or disclosed in violation of HIPAA’s requirements.
Vivek Doppalapudi, DDS MS PC has implemented Security Policies that set forth the security measures in
place to protect the privacy of PHI.
4. Complaints
Dr. Vivek Doppalapudi will be the practice’s contact person for receiving complaints.
The Privacy Officer is responsible for creating a process for individuals to lodge complaints about the Plan’s
privacy procedures and for creating a system for handling such complaints. A copy of the complaint procedure
shall be provided to any participant upon request.
Vivek Doppalapudi, DDS MS PC’s procedure for handling complaints received from patients or others about
HIPAA compliance is as follows:
@HIPAACOMPPROC@
5. Sanctions for Violations of Privacy Policy
Sanctions for using or disclosing PHI in violation of HIPAA or this HIPAA Privacy Policy will be imposed in
accordance with Vivek Doppalapudi, DDS MS PC’s discipline policy, up to and including termination.
Vivek Doppalapudi, DDS MS PC’s procedures regarding its employee sanctions policy for employee misconduct
are as follows:
@SANCEMPMIS@
6. Mitigation of Inadvertent Disclosures of PHI
Vivek Doppalapudi, DDS MS PC shall mitigate, to the extent possible, any harmful effects that become known
to it from a use or disclosure of an individual’s PHI in violation of HIPAA or the policies and procedures set forth
in this Policy. As a result, if an employee or business associate vendor or subcontractor becomes aware of an
unauthorized use or disclosure of PHI, either by an employee or a business associate vendor or subcontractor,
the employee or business associate vendor or subcontractor must immediately contact the Privacy Officer so
that appropriate steps to mitigate harm to the patient can be taken.
7. No Intimidating or Retaliatory Acts; No Waiver of HIPAA Privacy
No employee may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against
individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any
improper practice under HIPAA.
8. Documentation
Vivek Doppalapudi, DDS MS PC’s privacy policies and procedures shall be documented and maintained for at
least six years from the date last in effect. Policies and procedures must be changed as necessary or
appropriate to comply with changes in the law, standards, requirements and implementation specifications
(including changes and modifications in regulations). Any changes to policies or procedures must be promptly
documented.
The documentation of any policies and procedures, actions, activities and designations may be maintained in
either written or electronic form. Vivek Doppalapudi, DDS MS PC will maintain such documentation for at least
six years.
MedSafe will archive all your policies and procedures for 6 years as long as you are a current client.
9. Workforce Must Comply With Vivek Doppalapudi, DDS MS PC’s Policy and Procedures
All members of Vivek Doppalapudi, DDS MS PC’s workforce (described at the beginning of this Policy and
referred to herein as “employees”) who have access to PHI must comply with this Policy.
10. Breach Notification Requirements
Vivek Doppalapudi, DDS MS PC will comply with the requirements of the HITECH Act and its implementing
regulations to provide notification to affected individuals, HHS, and the media (when required) if Vivek
Doppalapudi, DDS MS PC or one of its business associate vendors or subcontractors discovers a breach of
unsecured PHI.
11. Mandatory Disclosures of PHI
PHI must be disclosed in the following situations:
The disclosure is to the individual who is the subject of the information;
The disclosure is required by law; or
The disclosure is made to HHS for purposes of enforcing HIPAA.
12. Other Permitted Disclosures of PHI
PHI may be disclosed in the following situations without the patient’s authorization, when specific requirements
are satisfied. The requirements include prior approval of the Privacy Officer. The following disclosures are permitted:
about victims of abuse, neglect or domestic violence;
for treatment purposes;
for judicial and administrative proceedings;
for law enforcement purposes;
for public health activities;
for health oversight activities;
about decedents;
for cadaveric organ-, eye- or tissue-donation purposes;
for certain limited research purposes;
to avert a serious threat to health or safety;
for specialized government functions; and
that relate to workers’ compensation programs.
13. Disclosure of Sensitive Information
At no time may a patient’s sensitive information, including HIV/AIDS, drug and/or alcohol, genetic, mental health,
sexually transmitted disease or family planning information, be disclosed without the patient’s consent.
14. Complying With the “Minimum-Necessary” Standard
Minimum Necessary When Disclosing PHI. Vivek Doppalapudi, DDS MS PC, when disclosing PHI subject to
the minimum necessary standard, shall take reasonable and appropriate steps to ensure that only the minimum
amount of PHI that is necessary for the requestor is disclosed. All disclosures not discussed in this Policy must
be reviewed on an individual basis with the Privacy Officer to ensure that the amount of information disclosed is
the minimum necessary to accomplish the purpose of the disclosure.
Minimum Necessary When Requesting PHI. Vivek Doppalapudi, DDS MS PC, when requesting PHI subject to
the minimum-necessary standard, shall take reasonable and appropriate steps to ensure that only the minimum
amount of PHI necessary for Vivek Doppalapudi, DDS MS PC is requested. All requests must be reviewed on
an individual basis with the Privacy Officer to ensure that the amount of information requested is the minimum
necessary to accomplish the purpose of the disclosure.
To the extent practicable, Vivek Doppalapudi, DDS MS PC will limit its use and/or disclosure of PHI to a Limited
Data Set. If it is not practicable for Vivek Doppalapudi, DDS MS PC to limit its use and/or disclosure of PHI to a
Limited Data Set, Vivek Doppalapudi, DDS MS PC will use the “minimum necessary” PHI to accomplish the
purpose of the use or disclosure.
A Limited Data Set is PHI that excludes the following identifiers of the individual or of relatives, employers, or
household members of the individual:
1. Names;
2. Postal address information, other than town or city, State, and zip code;
3. Telephone numbers;
4. Fax numbers;
5. Electronic mail addresses;
6. Social security numbers;
7. Medical record numbers;
8. Health plan beneficiary numbers;
9. Account numbers;
10. Certificate/license numbers;
11. Vehicle identifiers and serial numbers, including license plate numbers;
12. Device identifiers and serial numbers;
13. Web Universal Resource Locators (URLs);
14. Internet Protocol (IP) address numbers;
15. Biometric identifiers, including finger and voice prints; and
16. Full face photographic images and any comparable images.
15. Disclosures of PHI to Business Associates
Employees may disclose PHI to Vivek Doppalapudi, DDS MS PC’s business associate vendors or
subcontractors and allow Vivek Doppalapudi, DDS MS PC’s business associate vendors or subcontractors to
create or receive PHI on its behalf. However, prior to doing so, Vivek Doppalapudi, DDS MS PC must first
obtain assurances from the business associate vendor or subcontractor that it will appropriately safeguard the
information. Before sharing PHI with outside consultants or contractors who meet the definition of a “business
associate,” employees must contact the Privacy Officer and verify that a Business Associate Agreement is in
place.
A Business Associate is an entity that:
performs or assists in performing a function or activity involving the use and disclosure of PHI; or
provides legal, accounting, actuarial, consulting, data aggregation, management, accreditation, or financial
services, where the performance of such services involves giving the service provider access to PHI.
16. Disclosures of De-Identified Information
Vivek Doppalapudi, DDS MS PC may freely use and disclose information that has been “de-identified” in
accordance with the HIPAA Privacy Rule. De-identified information is health information that does not identify
an individual and with respect to which there is no reasonable basis to believe that the information can be used
to identify an individual.
17. Accounting
An individual has the right to obtain an accounting and an Access Report of certain access to and disclosures of
his or her own PHI. This right to an accounting extends to disclosures made in the last six years (except for
electronic disclosures from Electronic Health Records (EHRs), for which the specifics are to be determined by
future rulemaking). The following disclosures are excepted from the right to an accounting:
to carry out treatment, payment, or health care operations (except in the case of EHRs, for which this
exception does not apply);
to individuals about their own PHI;
incident to an otherwise permitted use or disclosure;
pursuant to an authorization;
to persons involved in the individual’s care or payment for the individual’s care or for certain other
notification purposes;
to correctional institutions or law enforcement when the disclosure was permitted without authorization;
as part of a limited data set;
for specific national security or law enforcement purposes; or
disclosures that occurred prior to the compliance date.
Vivek Doppalapudi, DDS MS PC shall respond to an accounting request within 60 days. If Vivek
Doppalapudi, DDS MS PC is unable to provide the accounting within 60 days, it may extend the period by
30 days, provided that it gives the participant notice (including the reason for the delay and the date the
information will be provided) within the original 60-day period.
The accounting must include the date of the disclosure, the name of the receiving party, a brief description
of the information disclosed, and a brief statement of the purpose of the disclosure that reasonably informs
the individual of the basis for the disclosure (or a copy of the written request for disclosure, if any). If a brief
purpose statement is included in the accounting, it must be sufficient to reasonably inform the individual of
the basis of the disclosure.
The first accounting in any 12-month period shall be provided free of charge. The Privacy Officer may
impose reasonable production and mailing costs for subsequent accountings.
NOTICE OF PRIVACY PRACTICES POLICY
REFERENCE: 45 C.F.R. 164.502(i)
POLICY:
Vivek Doppalapudi, DDS MS PC is required to have a notice and may not use or disclose PHI in a manner
inconsistent with such notice. A covered entity that is required to include a specific statement in its notice before
engaging in an activity may not use or disclose PHI for that activity unless the required statement is
included in the notice.
PROCEDURE:
1. Vivek Doppalapudi, DDS MS PC will maintain an up-to-date Notice of Privacy Practices. That Notice will
be posted in the main reception area and @NPPPOSTED@.
2. Vivek Doppalapudi, DDS MS PC will use and disclose PHI only in a manner identified in the Notice.
3. A copy of the Notice will be provided to every patient at his or her first visit with Vivek Doppalapudi, DDS
MS PC. Staff will make a good faith effort to have the patient sign to attest that they have received a
copy of the notice. Care must be given even if the patient refuses to sign the Notice.
INTERPRETATIONS:
4. The Rule requires practices to provide patients with notice of the patient’s privacy rights and the privacy
practices of Vivek Doppalapudi, DDS MS PC. The strengthened Notice requires direct treatment
providers to make a good faith effort to obtain a patient’s written acknowledgement of the Notice of
Privacy Practices. The final rule promotes access to care by removing mandatory consent requirements
that would inhibit patient access to health care while providing the practice with the option of developing
a consent process that works for that entity.
5. A health care provider that has a direct treatment relationship with a patient (e.g., a direct treatment
relationship is one in which the health care provider is providing care or service directly to a patient, such
as a doctor or a pharmacist who provides advice on the proper use of a drug and anticipated adverse
effects) must give a copy of the practice’s Notice to the patient at the first delivery of service starting on
or after April 14, 2003.
6. A health care provider that has an indirect treatment relationship with a patient (e.g., provides services
on the orders of another health care provider and delivers care and services to the patient through the
referring provider, i.e., a laboratory would draw blood from a patient on the orders of a doctor and return
the results to the doctor to give to the patient) need only give the organization’s Notice to the patient if it
is requested by the patient.
7. If the first delivery of care to a patient is over the telephone, the practice must provide a copy of the
Notice to the patient on that day, either electronically, if the patient agrees, or by mail. Scheduling an
appointment is not considered a service delivery.
8. Practices are permitted to send the Notice to patients electronically only if the patient agrees to receive
the document electronically. The patient’s agreement can be indirect. For example, if the patient provides
an e-mail address to the practice, the practice can interpret that as a willingness of the patient to receive
the Notice by e-mail.
9. If a copy of the Notice is sent to patients electronically, a paper copy of the Notice must still be provided if
the patient requests one.
10. If unable to give the Notice to the patient because of an emergency situation or because they are not
currently able to acknowledge receipt, the Notice must be given as soon thereafter as is “reasonably
practical.”
11. If the patient is a minor or incompetent, a copy must be provided to the patient’s parent or legal guardian.
12. Vivek Doppalapudi, DDS MS PC Notice of Privacy Practices is posted @NPPPOSTED@.
13. If a significant revision is made to the Notice, a copy must be made available to the patient on or after the
expiration date if the patient asks. The new Notice must be posted.
NOTICE OF PRIVACY PRACTICES
Effective Date: April 14, 2003 Last Modified: May 12, 2013
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED
AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
We are required by law to protect the privacy of health information that may reveal your identity, and to provide
you with a copy of this notice, which describes the health information privacy practices of our medical group, its
medical staff and affiliated health care providers who jointly perform health care services with our medical
group, including physicians and physician groups who provide services at our facilities. A copy of our current
notice will always be posted at all registration and/or admission points, including @NPPPOSTED@. You will
also be able to obtain your own copies by calling the Privacy Officer at (703) 464–900.
If you have any questions about this notice or would like further information, please contact the above
referenced individual.
WHAT HEALTH INFORMATION IS PROTECTED
We are committed to protecting the privacy of information we gather about you while providing health-related
services. Some examples of protected health information include information indicating that you are a patient of
our medical group or receiving health-related services from our facilities, information about your health
condition, genetic information, or information about your health care benefits under an insurance plan, each
when combined with identifying information, such as your name, address, social security number or phone
number.
REQUIREMENT FOR WRITTEN AUTHORIZATION
Generally, we will obtain your written authorization before using your health information or sharing it with others
outside of our medical group. There are certain situations where we must obtain your written authorization
before using your health information or sharing it, including:
Most Uses of Psychotherapy Notes, when appropriate.
Marketing. We may not disclose any of your health information for marketing purposes if our medical group will
receive direct or indirect financial payment not reasonably related to our medical group’s cost of making the
communication.
Sale of Protected Health Information. We will not sell your protected health information to third parties. The
sale of protected health information, however, does not include a disclosure for public health purposes, for
research purposes where our medical group will only receive payment for our costs to prepare and transmit the
health information, for treatment and payment purposes, for the sale, transfer, merger or consolidation of all or
part of our medical group, for a business associate or its subcontractor to perform health care functions on our
medical group’s behalf, or for other purposes as required and permitted by law.
WRITTEN AUTHORIZATION
If you provide us with written authorization, you may revoke that written authorization at any time, except to the
extent that we have already relied upon it. To revoke a written authorization, please write to the Privacy Officer
at our medical group. You may also initiate the transfer of your records to another person by completing a
written authorization form.
HOW WE MAY USE AND DISCLOSE YOUR HEALTH INFORMATION WITHOUT YOUR WRITTEN AUTHORIZATION
There are some situations when we do not need your written authorization before using your health information
or sharing it with others, including:
1. Treatment, Payment and Health Care Operations.
Treatment. We may share your health information with providers at the medical group who are involved
in taking care of you, and they may in turn use that information to diagnose or treat you. A provider in our
medical group may share your health information with another provider to determine how to diagnose or
treat you. Your provider may also share your health information with another provider to whom you have
been referred for further health care.
Payment. We may use your health information or share it with others so that we may obtain payment for
your health care services. For example, we may share information about you with your health insurance
company in order to obtain reimbursement after we have treated you. In some cases, we may share
information about you with your health insurance company to determine whether it will cover your
treatment.
Health Care Operations. We may use your health information or share it with others in order to conduct
our business operations. For example, we may use your health information to evaluate the performance
of our staff in caring for you, or to educate our staff on how to improve the care they provide for you.
2. Appointment Reminders, Treatment Alternatives, Benefits and Services. In the course of providing
treatment to you, we may use your health information to contact you with a reminder that you have an
appointment for treatment, services or refills or in order to recommend possible treatment alternatives or
health-related benefits and services that may be of interest to you.
3. Business Associates. We may disclose your health information to contractors, agents and other
“business associates” who need the information in order to assist us with obtaining payment or carrying
out our business operations. For example, we may share your health information with a billing company
that helps us to obtain payment from your insurance company, or we may share your health information
with an accounting firm or law firm that provides professional advice to us. Business associates are
required by law to abide by the HIPAA regulations. If we do disclose your health information to a
business associate, we will have a written contract to ensure that our business associate also protects
the privacy of your health information. If our business associate discloses your health information to a
subcontractor or vendor, the business associate will have a written contract to ensure that the
subcontractor or vendor also protects the privacy of the information.
4. Friend and Family Designated to be Involved in Your Care. If you have not voiced an objection, we
may share your health information with a family member, relative, or close personal friend who is
involved in your care or payment for your care, including following your death.
5. Proof of Immunization. We may disclose proof of a child’s immunization to a school, about a child who is
a student or prospective student of the school, as required by State or other law, if a parent, guardian,
other person acting in loco parentis, or an emancipated minor authorizes us to do so, but we do not
need written authorization. The authorization may be oral.
6. Emergencies or Public Need.
Emergencies or as Required by Law. We may use or disclose your health information if you need
emergency treatment or if we are required by law to treat you. We may use or disclose your health
information if we are required by law to do so, and we will notify you of these uses and disclosures if
notice is required by law.
Public Health Activities. We may disclose your health information to authorized public health officials
(or a foreign government agency collaborating with such officials) so they may carry out their public
health activities under law, such as controlling disease or public health hazards. We may also disclose
your health information to a person who may have been exposed to a communicable disease or be at
risk for contracting or spreading the disease if permitted by law. We may disclose a child’s proof of
immunization to a school, if required by State or other law, if we obtain and document the agreement for
disclosure (which may be oral) from the parent, guardian, person acting in loco parentis, an emancipated
minor or an adult. And finally, we may release some health information about you to your employer if
your employer hires us to provide you with a physical exam and we discover that you have a work
related injury or disease that your employer must know about in order to comply with employment laws.
Victims of Abuse, Neglect or Domestic Violence. We may release your health information to a public
health authority authorized to receive reports of abuse, neglect or domestic violence.
Health Oversight Activities. We may release your health information to government agencies
authorized to conduct audits, investigations, and inspections of our facilities. These government
agencies monitor the operation of the health care system, government benefit programs such as
Medicare and Medicaid, and compliance with government regulatory programs and civil rights laws.
Lawsuits and Disputes. We may disclose your health information if we are ordered to do so by a court
or administrative tribunal that is handling a lawsuit or other dispute. We may also disclose your
information in response to a subpoena, discovery request, or other lawful request by someone else
involved in the dispute, but only if required judicial or other approval or necessary authorization is
obtained.
Law Enforcement. We may disclose your health information to law enforcement officials for certain
reasons, such as complying with court orders, assisting in the identification of fugitives or the location of
missing persons, if we suspect that your death resulted from a crime, or if necessary, to report a crime
that occurred on our property or off-site in a medical emergency.
To Avert a Serious and Imminent Threat to Health or Safety. We may use your health information or
share it with others when necessary to prevent a serious and imminent threat to your health or safety, or
the health or safety of another person or the public. In such cases, we will only share your information
with someone able to help prevent the threat. We may also disclose your health information to law
enforcement officers if you tell us that you participated in a violent crime that may have caused serious
physical harm to another person (unless you admitted that fact while in counseling), or if we determine
that you escaped from lawful custody (such as a prison or mental health institution).
National Security and Intelligence Activities or Protective Services. We may disclose your health
information to authorized federal officials who are conducting national security and intelligence activities
or providing protective services to the President or other important officials.
Military and Veterans. If you are in the Armed Forces, we may disclose health information about you to
appropriate military command authorities for activities they deem necessary to carry out their military
mission. We may also release health information about foreign military personnel to the appropriate
foreign military authority.
Inmates and Correctional Institutions. If you are an inmate or you are detained by a law enforcement
officer, we may disclose your health information to the prison officers or law enforcement officers if
necessary to provide you with health care, or to maintain safety, security and good order at the place
where you are confined. This includes sharing information that is necessary to protect the health and
safety of other inmates or persons involved in supervising or transporting inmates.
Workers’ Compensation. We may disclose your health information for workers’ compensation or similar
programs that provide benefits for work-related injuries.
Coroners, Medical Examiners and Funeral Directors. In the event of your death, we may disclose
your health information to a coroner or medical examiner. We may also release this information to funeral
directors as necessary to carry out their duties.
Organ and Tissue Donation. In the event of your death or impending death, we may disclose your
health information to organizations that procure or store organs, eyes or other tissues so that these
organizations may investigate whether donation or transplantation is possible under applicable laws.
7. Completely De-identified or Partially De-identified Information. We may use and disclose your
health information if we have removed any information that has the potential to identify you so that the
health information is “completely de-identified.” We may also use and disclose “partially de-identified”
health information about you if the person who will receive the information signs an agreement to protect
the privacy of the information as required by federal and state law. Partially de-identified health
information will not contain any information that would directly identify you (such as your name, street
address, social security number, phone number, fax number, electronic mail address, website address,
or license number).
8. Incidental Disclosures. While we will take reasonable steps to safeguard the privacy of your health
information, certain disclosures of your health information may occur during or as an unavoidable result
of our otherwise permissible uses or disclosures of your health information. For example, during the
course of a treatment session, other patients in the treatment area may see, or overhear discussion of,
your health information.
9. Fundraising. We may use or disclose your demographic information, including, name, address, other
contact information, age, gender, and date of birth, dates of health service information, department of
service information, treating physician, outcome information, and health insurance status for fundraising
purposes. With each fundraising communication made to you, you will have the opportunity to opt-out of
receiving any further fundraising communications. We will also provide you with an opportunity to opt
back in to receive such communications if you should choose to do so.
10. Changes to This Notice. We reserve the right to change this notice at any time and to make the revised
or changed notice effective in the future.
YOUR RIGHTS TO ACCESS AND CONTROL YOUR HEALTH INFORMATION
You have the following rights to access and control your health information:
11. Right to Inspect and Copy Records. You have the right to inspect and obtain a copy of any of your
health information that may be used to make decisions about you and your treatment for as long as we
maintain this information in our records, including medical and billing records. To inspect or obtain a copy
of your health information, please submit your request in writing to the Privacy Officer. If you request a
copy of the information, we may charge a fee for the costs of copying, mailing or other supplies we use
to fulfill your request. If you would like an electronic copy of your health information, we will provide you a
copy in electronic form and format as requested as long as we can readily produce such information in
the form requested. Otherwise, we will cooperate with you to provide a readable electronic form and
format as agreed. In some limited circumstances, we may deny the request.
12. Right to Amend Records. If you believe that the health information we have about you is incorrect or
incomplete, you may ask us to amend the information for as long as the information is kept in our records
by writing to us. Your request should include the reasons why you think we should make the amendment.
If we deny part or all of your request, we will provide a written notice that explains our reasons for doing
so. You will have the right to have certain information related to your requested amendment included in
your records.
13. Right to an Accounting of Disclosures. You have a right to request an “accounting of disclosures,”
which is a list with information about how we have shared your health information with others. To obtain a
request form for an accounting of disclosures, please write to the Privacy Officer. You have a right to
receive one list every 12-month period for free. However, we may charge you for the cost of providing
any additional lists in that same 12-month period.
14. Right to Receive Notification of a Breach. You have the right to be notified within sixty (60) days of the
discovery of a breach of your unsecured protected health information if there is more than a low
probability the information has been compromised. The notice will include a description of what
happened, including the date, the type of information involved in the breach, steps you should take to
protect yourself from potential harm, a brief description of the investigation into the breach, mitigation of
harm to you and protection against further breaches and contact procedures to answer your questions.
15. Right to Request Restrictions. You have the right to request that we further restrict the way we use and
disclose your health information to treat your condition, collect payment for that treatment, run our normal
business operations or disclose information about you to family or friends involved in your care. You also
have the right to request that your health information not be disclosed to a health plan if you have paid
for the services out of pocket and in full, and the disclosure is not otherwise required by law. The request
for restriction will only be applicable to that particular service. You will have to request a restriction for
each service thereafter. To request restrictions, please write to the Privacy Officer. We are not required to
agree to your request for a restriction, and in some cases the restriction you request may not be
permitted under law. However, if we do agree, we will be bound by our agreement unless the information
is needed to provide you with emergency treatment or comply with the law. Once we have agreed to a
restriction, you have the right to revoke the restriction at any time. Under some circumstances, we will
also have the right to revoke the restriction as long as we notify you before doing so.
16. Right to Request Confidential Communications. You have the right to request that we contact you
about your medical matters in a more confidential way, such as calling you at work instead of at home,
by notifying the registration associate who is assisting you. We will not ask you the reason for your
request, and we will try to accommodate all reasonable requests.
17. Right to Have Someone Act on Your Behalf. You have the right to name a personal representative
who may act on your behalf to control the privacy of your health information. Parents and guardians will
generally have the right to control the privacy of health information about minors unless the minors are
permitted by law to act on their own behalf.
18. Right to Obtain a Copy of Notices. If you are receiving this Notice electronically, you have the right to a
paper copy of this Notice. We may change our privacy practices from time to time. If we do, we will
revise this Notice and post any revised Notice in our registration area and @NPPPOSTED@.
19. Right to File a Complaint. If you believe your privacy rights have been violated, you may file a
complaint with us by calling the Privacy Officer at (703) 464–900, or with the Secretary of the
Department of Health and Human Services. We will not withhold treatment or take action against you for
filing a complaint.
20. Uses and Disclosures Where Special Protections May Apply. Some kinds of information, such as
HIV-related information, alcohol and substance abuse treatment information, mental health information,
psychotherapy information, and genetic information, are considered so sensitive that state or federal
laws provide special protections for them. Therefore, some parts of this general Notice of Privacy
Practices may not apply to these types of information. If you have questions or concerns about the ways
these types of information may be used or disclosed, please speak with your health care provider.
Vivek Doppalapudi, DDS MS PC
102 Elden Street, Suite 19
Herndon, VA 20170
(703) 464–900
(703) 481-1742
These procedures are not a substitute for engaging the assistance from legal, accounting, or other
professional services. This information is advisory only. Final interpretation is the responsibility of the
regulatory or accrediting body administering the standard or regulation referenced.
Please refer to the “Forms” section to find the “Notice of Privacy Practices Acknowledgement and Consent” form.
PRIVACY HIPAA AND HITECH DOCUMENTATION
Purpose:
This policy is designed to give guidance for compliance with provisions of the Health Insurance Portability and
Accountability Act (HIPAA) of 1996, the Health Information Technology for Economic and Clinical Health Act of
2009 (HITECH) and implementing regulations requiring covered entities to maintain documentation of policies,
procedures and other administrative documents.
Policy:
1. Vivek Doppalapudi, DDS MS PC will implement policies and procedures with respect to protected health
information (“PHI”) designed to comply with the standards, implementation specifications, or other
requirements of the HIPAA Privacy regulations.
2. Vivek Doppalapudi, DDS MS PC will maintain documentation, in written or electronic form, of policies,
procedures, communications, and other administrative documents as required by 45 C.F.R. §164.530(i)
and (j), for a period of at least six years from the date of creation or the date when last in effect,
whichever is later.
3. Vivek Doppalapudi, DDS MS PC will incorporate any changes in law into its policies, procedures, and
other administrative documents, as necessary.
Procedures:
4. Vivek Doppalapudi, DDS MS PC’s policies have been reasonably designed to take into account the size
and type of activities undertaken by the facility with respect to PHI.
5. The following documentation will be maintained in an organized manner:
Policies and procedures related to the use or disclosure of PHI;
Policies and procedures related to sanctions for a violation of policies and procedures;
Policies and procedures related to requests of individuals for an accounting of disclosures and Access
Report;
Requests for the use or disclosure of PHI;
Policies and procedures related to minimum necessary disclosure;
Policies and procedures related to fundraising and marketing of PHI.
ENFORCEMENT
REFERENCES: 45 CFR PARTS 160 AND ________
HITECH SECTIONS 13409, 13410 AND 13411
DEFINITIONS:
According to the “HIPAA Omnibus Rule” of 2013, the following definitions apply:
Reasonable cause (amended) means an act or omission in which a covered entity or business associate
knew, or by exercising reasonable diligence would have known, that the act or omission violated an
administrative simplification provision, but in which the covered entity or business associate did not act with
willful neglect.
Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a
legal requirement under similar circumstances.
Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the
administrative simplification provision violated.
POLICY
Vivek Doppalapudi, DDS MS PC is aware of, and complies with, the Enforcement provisions of the HIPAA
Omnibus Rule of 2013. The purpose of the Rule is to amend HIPAA’s enforcement regulations relating to the
imposition of civil monetary penalties, to incorporate the following items of the HITECH Act:
Categories of violations,
Tiered ranges of civil monetary penalty amounts, and
Revised limitations on the Secretary’s authority to impose civil monetary penalties for established violations
of HIPAA’s Administrative Simplification Rules (HIPAA Rules).
Vivek Doppalapudi, DDS MS PC will comply with all the HIPAA provisions, and will quickly and voluntarily
correct any acts or omissions that may possibly be violations of the HIPAA rules. Any individual person
associated with Vivek Doppalapudi, DDS MS PC who wrongfully obtains, uses, or discloses individually
identifiable health information may be subject to criminal penalties. These penalties can include fines,
imprisonment, or both. It should be noted that both individuals and organizations who violate the Rule may
be subject to both civil and criminal penalties.
The provisions of the Rule apply to covered entities and business associates, who are now considered
covered entities under many sections of the HITECH Act.
Improved Enforcement
The following penalty amounts of the HIPAA Enforcement Rule explain HHS’ implementation of authority
regarding violations that occur on or after February 18, 2009, when ARRA became law. Under the HITECH Act,
the HHS Secretary’s civil monetary penalty authority was strengthened. The revisions significantly increase the
penalty amounts the HHS Secretary can impose for violations of the HIPAA Rules, and encourage the
establishment of compliance programs that effectively prevent, detect, and quickly correct violations of the
HIPAA Rules.
Penalty tiers are different, depending on whether the violations occurred before or after the enactment date of
HITECH—February 18, 2009. For violations prior to this date, HHS is allowed to issue civil penalties of not
more than $100 for each violation, with a total maximum amount of $25,000 for identical violations per calendar
year, and they are not allowed if:
1. The covered entity could prove that they did not know of the violation (and by using reasonable diligence
would not have known); or
2. The violation was due to reasonable cause, and not to willful neglect—and was corrected within 30 days
(or other period based on circumstances, determined by HHS) after the covered entity knew of the
violation, (or with reasonable diligence should have known).
For violations that have occurred after February 18, 2009, the Omnibus Rule establishes the following
civil penalties for covered entities:
3. For violations where the entity did not have knowledge of the violation (and by using reasonable
diligence would NOT have known), penalty amounts can range from $100 to $55,010 for each violation,
or can be up to $1,650,300 for identical violations during a calendar year;
4. For violations due to reasonable cause, and not to willful neglect, penalties can range from $1,000 to
$55,010 for each violation;
5. For violations due to willful neglect, and timely corrected within 30 days after the entity knew of the
violation, penalties can range from $10,000 to $55,010 for each violation, or not more than $1,650,300
for identical violations during a calendar year;
6. For violations due to willful neglect, and NOT timely corrected within 30 days after the entity knew of the
violation, minimum penalties of $55,010 for each violation, or not more than $1,650,300 for identical
violations during a calendar year.
When determining the amount of a penalty for a violation, HHS will base the decision on the nature and
extent of the violation, the nature and extent of the harm resulting from the violation, and possibly other
factors such as the entity’s prior compliance with the HIPAA Rules.
It may be possible to avoid penalties if the covered entity can establish with HHS that an “affirmative
defense” exists. Further information may be obtained from counsel.
Civil Actions
The HITECH Act, Section 13410(e), Enforcement Through State Attorneys General, states that the State
Attorney General must bring actions against a covered entity for a violation on behalf of the state’s residents. If
the action is successful, reasonable attorney’s fees and the cost of the action may be imposed upon the
covered entity. Civil penalties may be waived by the Secretary of the Department of Health and Human
Services in whole or in part, under certain circumstances.
Business Associates
Under the federal common law of agency, covered entities may be held liable for the acts of their business
associates. Practice counsel will be consulted about whether a particular business associate is considered an
agent of the practice.
According to the preamble of the Omnibus Rule:
“An analysis of whether a business associate is an agent will be fact specific, taking into account the terms of a
business associate agreement as well as the totality of the circumstances involved in the ongoing relationship
between the parties. The essential factor in determining whether an agency relationship exists between a
covered entity and its business associate (or business associate and its subcontractor) is the right or authority
of a covered entity to control the business associate’s conduct in the course of performing a service on behalf
of the covered entity.”
“The right or authority to control the business associate’s conduct also is the essential factor in determining
whether an agency relationship exists between a business associate and its business associate subcontractor.”
Covered entities or business associates are not liable for the acts of third parties that are not under their
control, because such third parties are not their agents.
PROCEDURE
1. All employees are required to inform the Privacy Officer of any known or suspected violations of Vivek
Doppalapudi, DDS MS PC HIPAA policies and procedures.
2. The Privacy Officer will evaluate the violation and whether there was more than a low probability that the
PHI was compromised, and determine the appropriate course of action according to the HITECH Breach
Notification Rule. All such violations and associated efforts to mitigate the harmful effects will be
documented. Mitigation may include, but is not limited to:
Taking operational and procedural corrective measures to remedy violations;
Taking employment actions to re-train, reprimand, or discipline employees as necessary, up to and
including termination;
Addressing problems with business associates once Vivek Doppalapudi, DDS MS PC is aware of a breach
of privacy;
Incorporating mitigation solutions into Vivek Doppalapudi, DDS MS PC’s policies as necessary and
appropriate.
3. All violations of HIPAA policy and procedure that affect an individual will be documented in the
accounting of disclosures form. The patient may not necessarily be notified if the Privacy Officer
determines, using a risk assessment according to the Breach Notification Rule, that there was a low
probability that the PHI was compromised, given the nature of the violation. In cases where the
probability of compromise is more than low, the patient will be notified of the violation and Vivek
Doppalapudi, DDS MS PC’s efforts to mitigate the resulting harm. In some cases, HHS and the
media may also need to be notified, depending on the number of individuals affected by the breach.
ENFORCEMENT
The Privacy Officer is responsible for enforcing this Policy. Employees who violate this policy are subject to
discipline, up to and including termination from employment, in accordance with Vivek Doppalapudi, DDS
MS PC’s Sanctions policy. Under HITECH Section 13409, any individual person associated with the
practice who wrongfully obtains, uses, or discloses individually identifiable health information may be
subject to criminal penalties. These penalties can include fines, imprisonment, or both.
RIGHT TO REQUEST RESTRICTIONS ON USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION
PATIENT’S RIGHTS: RESTRICTIONS ON USES AND DISCLOSURES / CONFIDENTIAL COMMUNICATIONS
REFERENCE: 45 C.F.R. 164.522
SCOPE OF POLICY
This policy applies to all Vivek Doppalapudi, DDS MS PC staff members and health care professionals. Vivek
Doppalapudi, DDS MS PC staff members include all employees, volunteers, consultants, contractors, vendors,
subcontractors and business associates of Vivek Doppalapudi, DDS MS PC.
STATEMENT OF POLICY
Vivek Doppalapudi, DDS MS PC complies with the Health Insurance Portability and Accountability Act of 1996
and Department of Health and Human Services rule that is designed to preserve the privacy of identifiable
patient information. HITECH Section 13405, “Restrictions on Certain Disclosures and Sales of Health
Information,” is followed regarding PHI in electronic form.
From time to time, patients may request certain additional privacy protections for their health information. For
example, patients may request restrictions on the way Vivek Doppalapudi, DDS MS PC uses and discloses
their protected health information. They may also request that we communicate with them by an alternative
means or methods that are more confidential for them. Vivek Doppalapudi, DDS MS PC must permit an
individual to request that Vivek Doppalapudi, DDS MS PC restrict uses or disclosures of PHI about the
individual to carry out treatment, payment, or health care operations, and disclosures to individuals involved in
the patient’s care.
It is Vivek Doppalapudi, DDS MS PC’s policy to respond to all patient requests in a respectful manner. Under
the law, special procedures must be followed when handling such requests. Patients requesting additional
privacy protections should therefore be directed to submit their requests to the Privacy Officer.
Under HITECH Section 13405, “Accounting of Certain Protected Health Information Disclosures Required if
Covered Entity Uses Electronic Health Records,” this part of the HIPAA Rule is clarified, and now the covered
entity must comply with the requested restriction if:
1. Except as otherwise required by law, the disclosure is to a health plan for purposes of carrying out
payment or health care operations (and is not for purposes of carrying out treatment); and
2. The protected health information pertains solely to a health care item or service for which the health care
provider involved has been paid out-of-pocket in full, by the patient or other person on behalf of the
patient.
Stated another way, if a health plan, or the business associate of the health plan, requests a PHI
disclosure of a patient for purposes of carrying out payment or health care operations (not treatment),
and the patient has paid for the health care item or service out-of-pocket in full, then the practice may not
disclose the PHI if the individual has requested a restriction on disclosure and the practice is not
otherwise required by law.
Refer the Patient to the Privacy Officer
If a patient requests additional privacy protections, Vivek Doppalapudi, DDS MS PC staff should direct
the patient to submit his or her request to the Privacy Officer, who is the only person authorized to grant
or deny the requests. Vivek Doppalapudi, DDS MS PC staff should never grant a patient’s request, nor
provide any assurances that the request will be granted, unless the Privacy Officer has specifically
approved the request. The patient’s request for additional privacy protections should never be denied
outright by a staff member without requesting that the patient submit his or her request to the Privacy
Officer.
On those occasions when Vivek Doppalapudi, DDS MS PC agrees to a restriction, staff of Vivek
Doppalapudi, DDS MS PC may not use or disclose PHI in violation of the restriction, except that, if the
individual who requested the restriction is in need of emergency treatment, and the restricted PHI is
needed to provide the emergency treatment, practice clinicians may use the restricted PHI, or may
disclose such information to a health care provider, to provide such treatment to the individual. If
restricted PHI is disclosed to a health care provider for emergency treatment, Vivek Doppalapudi, DDS
MS PC must request that such health care provider not further use or disclose the information.
The practice is not required to notify downstream providers (such as physician specialists to whom referrals
are made on behalf of the patient), but may do so if it wishes. If the patient wishes to restrict uses and
disclosures by other providers, it is his / her responsibility to do so.
A restriction agreed to by Vivek Doppalapudi, DDS MS PC is not effective to prevent uses or disclosures
permitted or required for the individual’s right to access to PHI or right to an accounting of uses and
disclosures of PHI; uses and disclosures for facility directories; or uses and disclosures that do not
require permission (e.g., as required by law).
Terminating a Restriction
Vivek Doppalapudi, DDS MS PC may modify or terminate its agreement to a restriction, if:
1. The individual agrees to or requests the termination or modification in writing,
2. Vivek Doppalapudi, DDS MS PC informs the individual that it is terminating its agreement to a restriction,
except that such termination is only effective with respect to PHI created or received after it has so
informed the individual.
PROCEDURE:
1. All requests for a restriction on use and disclosure of PHI must be made in writing by the individual. A
model patient request form is available on the following pages.
2. The requirement for requests to be made in writing will be reflected in the Notice of Privacy Practices.
3. The restriction also applies to the Business Associates of a health plan.
4. All requests for restriction must be reviewed and approved by Dr. Vivek Doppalapudi, the practice’s
Privacy Officer.
5. One of three decisions may be reached:
The request is granted,
The request is granted only in part,
The request is denied.
6. Decisions on requests for restriction must be communicated to the patient. A model Decision Letter is
available on the following pages. A copy of this document must be retained in the individual’s record in
accordance with step 7 below.
7. If Vivek Doppalapudi, DDS MS PC agrees to a restriction, the agreement must be documented in a
written or electronic form. Vivek Doppalapudi, DDS MS PC will retain the documentation required for six
years from the date of its creation or the date when it last was in effect, whichever is later.
8. All restrictions must be documented and filed in a conspicuous location within the individual’s record and
communicated to appropriate staff to ensure that the agreed upon restrictions are honored.
9. All agreed upon restrictions on use and disclosure will be documented in one of two manners:
A note will be placed on the outside of the patient record — “Restrictions on Uses and Disclosures.” The
Privacy Officer will document the actual restriction on the inside cover of the patient record.
If the capability exists, a note will be placed in a general notes field, attached to the patient’s name in the
practice’s information system.
10. If Vivek Doppalapudi, DDS MS PC denies the restriction, a timely written denial is provided to the patient
(see Model Documents). The denial meets the following requirements:
Written in plain language,
Includes the reason or basis for the denial,
Includes a statement of the individual’s right to have the decision reviewed and a description of how the
individual can exercise that right,
A description of how the individual may complain to the covered entity or to the Secretary of HHS. The
description must include the name, or title, and telephone number of the contact person or office
designated where the complaint is made.
11. The restriction remains effective until:
The patient agrees to remove the restriction, or requests the removal of the restriction in writing,
The patient orally agrees to the termination and the oral agreement is documented,
Vivek Doppalapudi, DDS MS PC unilaterally terminates the restriction by telling the patient, and the
termination applies only to PHI collected or created after the termination date.
Confidential Communications
Vivek Doppalapudi, DDS MS PC must permit individuals to request and receive communications of PHI by
alternative means or at alternative locations, and must accommodate reasonable requests by individuals.
1. Vivek Doppalapudi, DDS MS PC requires individuals to make requests for confidential communication in
writing.
2. If the patient’s confidential communication involves restricting information to be released to his/her
insurer in lieu of self-pay, Vivek Doppalapudi, DDS MS PC may condition the provision of a reasonable
accommodation on full payment by the patient for the particular services rendered. Vivek Doppalapudi,
DDS MS PC requires that the individual provide payment for the labor and expenses necessary to
facilitate a requested confidential communication if expenses are incurred.
3. Vivek Doppalapudi, DDS MS PC will not require an explanation from the individual as to the basis for the
request as a condition of providing communications on a confidential basis.
4. If a request for confidential communications is approved, that request must be documented and placed in
a conspicuous location in the patient’s file and communicated to appropriate staff to ensure that the
request is honored.
5. All agreed upon confidential communications will be documented in one of two manners:
A note will be placed on the outside of the patient record — “Confidential Communications.” The Privacy
Officer will document the actual restriction on the inside cover of the patient’s record.
If the capability exists, a note will be placed in a general notes field, attached to the patient’s name in the
practice’s information system. This will ensure uniform communication of the restriction to staff that need
to know.
6. The restriction remains effective until:
The patient agrees to remove the restriction, or requests the removal of the restriction in writing,
The patient orally agrees to the termination and the oral agreement is documented,
Vivek Doppalapudi, DDS MS PC unilaterally terminates the restriction by telling the patient, and the
termination applies only to PHI collected or created after the termination date.
VIOLATIONS
All Vivek Doppalapudi, DDS MS PC staff are expected to review a patient’s medical record for possible
restrictions on the use or disclosure of the patient’s information. Restrictions will be posted in the
appropriate section of the patient’s medical record. All restrictions must be followed.
Vivek Doppalapudi, DDS MS PC has general responsibility for implementation of this policy. Staff
members who violate this policy will be subject to disciplinary action up to and including termination of
employment or affiliation with Vivek Doppalapudi, DDS MS PC.
INTERPRETATION(S):
The final rule retains an individual’s right to request restrictions on uses or disclosures of PHI for
treatment, payment, or health care operations, and prohibits a practice from using or disclosing PHI in a
way that is inconsistent with an agreed upon restriction between Vivek Doppalapudi, DDS MS PC and
the patient.
Please refer to the “Forms” section to find the
“Patient Request to Restrict Disclosure of
Protected Health Information to Health Plan” form.
Please refer to the “Forms” section to find the
“Request for Confidential Communication” form.
ACCESS TO PROTECTED HEALTH INFORMATION
PATIENT ACCESS TO PROTECTED HEALTH
INFORMATION POLICY
REFERENCE: 45 CFR § 164.524
SCOPE OF POLICY
This policy applies to all Vivek Doppalapudi, DDS MS PC staff members in the Patient Records Department,
Billing Department, other designated departments, and the Privacy Officer, who are authorized to respond to
requests for access to patient health information.
STATEMENT OF POLICY
Patients generally have a right to access their own health information contained in records that may be used to
make decisions about them (called “designated record sets”). It is Vivek Doppalapudi, DDS MS PC’s policy to
treat all patient requests in a respectful manner. Patients should be directed to submit any requests for access
to medical records, billing records or any other records (whether or not they contain Patient health information)
to the Privacy Officer.
IMPLEMENTATION OF POLICY
1. Right To Access Records
Who Can Access: A patient, a patient’s guardian or a patient’s personal representative may access a record
after submitting a written request to physically inspect the medical record. A patient or patient’s personal
representative is any patient, parent, guardian, or committee of an incompetent. (A model letter for this purpose
is contained on the following pages.)
What Information: Vivek Doppalapudi, DDS MS PC’s patients have the right to inspect and obtain a copy of
the protected health information that Vivek Doppalapudi, DDS MS PC, or one of its business associates,
maintains in “designated record sets.” “Designated record sets” are sets of records that may be used to make
decisions about the patients or their treatment.
The designated record set for each patient generally includes the patient’s medical record.
For How Long: A patient, a patient’s guardian or personal representative may access a record. Patients must
submit a written request to physically inspect the medical record. Patients have the right to access their
protected health information for as long as the information is contained in their designated record set.
In Writing: All requests for access must be made in writing.
Proper Identification: In the interest of protecting the confidentiality of the record, the person requesting
access should present identification such as a government issued picture card, a driver’s license or ID card that
carries a valid signature. Individuals requesting access in the capacity of guardian or conservator of the person
should send a copy of their appointment papers when requesting copies or present such papers at the time of
inspection. The signature will be compared with the signature on the consent for treatment and any
discrepancy clarified.
2. Response Time
The Privacy Officer must respond to a patient’s requests for access to their protected health information (by
either granting or denying the request) as soon as possible after the request is received. When possible, the
request will be granted within 30 days of the day of request. If it cannot be granted within this time frame, a
one-time 30-day extension may be used. The patient will be notified if this is necessary.
3. Granting Requests For Inspection Of Records
If Vivek Doppalapudi, DDS MS PC is granting a patient’s request to inspect his or her protected health
information, the Privacy Officer will arrange an appointment with the individual to review their records. Copies
may be provided in lieu of inspection.
Proper Identification: The person requesting access must present a government-issued picture
identification, such as a driver’s license or ID card which carries a valid signature. Individuals requesting
access in the capacity of guardian or conservator of the person should send a copy of their appointment
papers when requesting copies or present such papers at the time of inspection. The signature will be
compared with the signature on the consent for treatment and any discrepancy clarified.
Assisting Patient With Review: The Privacy Officer may ask the patient whether a staff member may
assist the patient in reviewing the information requested. The patient is free to refuse any assistance, and
cannot be penalized or denied access for doing so.
Supervising Patient’s Independent Review: If the patient is not reviewing his or her information jointly
with a staff member, the Privacy Officer will be present in the room at all times to ensure that the integrity
of the records is maintained. The Privacy Officer should remain in view of the patient to prevent
inappropriate tampering, but far enough away so that the patient is afforded appropriate privacy when
reviewing the content of his or her records. The Privacy Officer will not answer any questions regarding the
content of the record. If the patient wishes to be completely alone, he or she must request copies of the
records.
Miscellaneous: A patient’s review of his or her information should take place only where the patient will
not be able to view information or records concerning other patients. A patient may be accompanied by a
family member or other individual and may view their records with that companion.
4. Requests for Copies
The patient must submit a valid authorization form to obtain paper or electronic copies of medical records. (A
model letter for this purpose is contained on the following pages.) If the patient requests an electronic
copy of their medical records, Vivek Doppalapudi, DDS MS PC must provide the patient a copy in the electronic
form and format as requested, as long as Vivek Doppalapudi, DDS MS PC can readily produce such
information in the form requested. Otherwise, Vivek Doppalapudi, DDS MS PC should cooperate with the
patient to provide a readable electronic form and format of the records as agreed between Vivek Doppalapudi,
DDS MS PC and the patient.
Copies should be delivered to the patient in the method specified on the patient’s request form or letter. The
patient may visit Vivek Doppalapudi, DDS MS PC to pick up the copies or request that the copies be delivered
by mail to the address provided on the authorization form. The patient may also request that the practice
transmit electronic copies directly to the patient’s designee. The choice of designee must be clear, conspicuous
and specific.
A nominal fee may be charged for supplies, postage, and labor for copying, whether in paper or electronic form,
in accordance with state law.
5. Denying Access
Reasons for Denial: In the following circumstances, a patient’s request to access his or her health information
should be denied if the request is not in writing.
The right to access does not pertain to:
Psychotherapy notes;
Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or
proceeding;
PHI maintained by a covered entity that is subject to the Clinical Laboratory Improvements Amendments of
1988, 42 U.S.C. 263a, to the extent the provision of access to the individual would be prohibited by law, or
exempt from the Clinical Laboratory Improvements Amendments of 1988, pursuant to 42 CFR 493.3(a)(2);
When Vivek Doppalapudi, DDS MS PC is acting under the direction of a correctional institution it may
deny, in whole or in part, an inmate’s request to obtain a copy of PHI, if obtaining such copy would
jeopardize the health, safety, security, custody, or rehabilitation of the individual or of other inmates, or the
safety of any officer, employee, or other person at the correctional institution who is responsible for the
transporting of the inmate;
An individual’s access to PHI created or obtained by a covered health care provider in the course of
research that includes treatment may be temporarily suspended for as long as the research is in progress,
provided that the individual has agreed to the denial of access when consenting to participate in the
research that includes treatment, and Vivek Doppalapudi, DDS MS PC has informed the individual that the
right of access will be reinstated upon completion of the research;
An individual’s access to PHI that is contained in records that are subject to the Privacy Act, 5 U.S.C. §
552a, may be denied, if the denial of access under the Privacy Act would meet the requirements of that
law;
An individual’s access may be denied if the PHI was obtained from someone other than a health care
provider under a promise of confidentiality and the access requested would be reasonably likely to reveal
the source of the information.
Vivek Doppalapudi, DDS MS PC may deny an individual access, provided that the individual is given a
right to have such denials reviewed, in the following circumstances:
A licensed health care professional has determined, in the exercise of professional judgment, that the
access requested is reasonably likely to endanger the life or physical safety of the individual or another
person;
The PHI makes reference to another person (unless such other person is a health care provider) and a
licensed health care professional has determined, in the exercise of professional judgment, that the access
requested is reasonably likely to cause substantial harm to such other person;
The request for access is made by the individual’s personal representative, and a licensed health care
professional has determined, in the exercise of professional judgment, that the provision of access to such
personal representative is reasonably likely to cause substantial harm to the individual or another person.
If access is denied on a ground permitted under the aforementioned circumstances, the individual has the
right to have the denial reviewed by Vivek Doppalapudi, DDS MS PC’s Privacy Officer as long as that
individual did not participate in the original decision to deny.
Notice of Denial: If the patient’s request is being denied, the patient must be notified. (A model letter for
this purpose is contained on the following pages.)
The patient has the right to request a review of a denial by Vivek Doppalapudi, DDS MS PC’s privacy
officer, or to register a complaint. The review request must be in writing and submitted to the privacy
officer: Dr. Vivek Doppalapudi, Vivek Doppalapudi, DDS MS PC, 102 Elden Street, Suite 19, Herndon, VA
20170. The Privacy Officer or his/her designee will review the request. Alternatively, the patient may
register a complaint with the Secretary of the United States Department of Health and Human Services.
The complaint can be filed in writing, either on paper or electronically. The complaint must be filed within
180 days of when the patient knew or should have known that the act or omission complained of occurred,
unless the Secretary for good cause shown waives this time limit.
6. Requests For Access By A Patient’s Personal Representative
If a patient’s personal representative requests access to the patient’s records, the Privacy Officer generally
should grant or deny access according to the procedures in this policy as though the patient’s personal
representative were the patient, unless one of the following exceptions applies.
Patient Lacking Capacity: When a patient lacks capacity to make health care decisions and the patient’s
personal representative must be given access to the patient’s information in order to make health care
decisions on behalf of the patient, the Privacy Officer should grant such access to the patient’s personal
representative.
Patients Who Have Expired: The final OMNIBUS HIPAA rule adopts the proposal to amend § 164.510(b)
to permit covered entities to disclose a decedent’s protected health information to family members and
others who were involved in the care or payment for care of the decedent prior to death, unless doing so is
inconsistent with any prior expressed preference of the individual that is known to the covered entity. The
right to inspect and obtain copies of patient information is extinguished with the death of the qualified
person. A duly appointed or qualified estate representative of the individual has the right of access to the
medical record.
For example, a covered health care provider could describe the circumstances that led to an individual’s
passing with the decedent’s sister who is asking about her sibling’s death. A covered health care provider
could also disclose billing information to a family member of a decedent who is assisting with wrapping up
the decedent’s estate. However, in both of these cases, the provider generally should not share
information about past, unrelated medical problems. These disclosures are permitted and not required—a
covered entity that questions the relationship of the person to the decedent or otherwise believes, based
on the circumstances, that disclosure of the decedent’s protected health information would not be
appropriate, is not required to make the disclosure.
The amended HIPAA regulations have changed the definition of PHI to exclude a person who has been
deceased for more than 50 years.
Documentation: The Privacy Officer must keep the documentation in connection with any request by a
patient or a patient’s personal representative to access protected health information. These documents
must be maintained by Vivek Doppalapudi, DDS MS PC for six (6) years from the date of their creation.
When possible, these documents will be kept in the patient’s medical record.
VIOLATIONS
Vivek Doppalapudi, DDS MS PC’s staff and medical professionals who violate this policy will be subject to
disciplinary action up to and including termination of employment or staff privileges with Vivek
Doppalapudi, DDS MS PC. Anyone who knows or has reason to believe that another person has violated
this policy should report the matter promptly to his or her supervisor or Vivek Doppalapudi, DDS MS PC’s
Privacy Officer. Any attempt to retaliate against a person for reporting a violation of this policy will itself be
considered a violation of this policy that may result in disciplinary action up to and including termination of
employment.
Please refer to the “Forms” section to find the
“Patient Record Request” form.
Please refer to the “Forms” section to find the
“Letter—Decision on Request for Access or Copy
of Medical Records” form.
EMPLOYEE ACCESS TO PROTECTED HEALTH
INFORMATION
REFERENCE: 45 CFR § 164.514(d)(2)(i)(a)-(b)
Vivek Doppalapudi, DDS MS PC complies with the Health Insurance Portability and Accountability Act of 1996
and Department of Health and Human Services rules that are designed to preserve the privacy of identifiable
patient information.
C.F.R. Section 164.514 (d)(2)(i)(A)—(B) requires that a covered entity must identify those persons or classes of
persons, as appropriate, in its workforce who need access to protected health information (PHI) to carry out
their duties; and for each such person or class of persons, the category or categories of protected health
information to which access is needed and any conditions appropriate to such access.
Vivek Doppalapudi, DDS MS PC must make reasonable efforts to limit the access of such persons or classes
to protected health information (PHI).
The “Employee Access to Protected Health Information Grid” is used to identify employees of Vivek
Doppalapudi, DDS MS PC and the classes of PHI to which they are permitted access in order to carry out their
duties. (A model form for this purpose is contained on the following pages.) All employees of Vivek
Doppalapudi, DDS MS PC must sign a confidentiality agreement that reminds all employees that they are
obligated to access only PHI that is necessary for them to complete their job responsibilities. It is a violation of
practice policy to knowingly access protected health information in circumstances where that information is not
required for an individual to complete their job responsibilities. Violation of this policy will result in disciplinary
action that may include termination.
In addition, under HITECH Section 13409, any individual person associated with the practice who wrongfully
obtains, uses, or discloses individually identifiable health information may be subject to criminal penalties.
These penalties can include fines, imprisonment, or both.
PROCEDURE:
1. The practice defines, for each employee, the protected health information that an individual, or class of
individuals, is authorized to use and disclose.
2. Each individual or class of individuals is identified on the “Employee Access to Protected Health
Information Grid” in the following manner:
Employee Name — enter Last Name, First Name
Job Title — enter job title, in general terms, e.g., Clinician (MD, DO, NP, PA, RT, RN, PT, etc.), Medical
Assistant, Billing, and Administrative Support
Job Responsibilities — in general terms, e.g., billing, clinical care, administrative support, clinical support
Categories of PHI permitted: Enter one of the following:
Entire record
Demographics and encounter notes for billing
Demographic information and forms/faxes with PHI for administrative support
Restrictions: Identify any restrictions, e.g., no encounter information, etc.
All employees are required to review the HIPAA Policies and Procedures, and sign an acknowledgement
form stating that they understand their duties regarding patient privacy. (A model form “Staff Member
Confidentiality & Non-Disclosure Agreement” is available on the following pages.)
Please refer to the “Forms” section to find a
printable version of the “Employee Access to
Protected Health Information Grid” as well.
STAFF CONFIDENTIALITY AND NON-DISCLOSURE
AGREEMENT POLICY
POLICY
The purpose of this policy is to maintain an adequate level of security to protect Vivek Doppalapudi, DDS MS
PC’s protected health information (“PHI”) and personal information from unauthorized access, use or
disclosure. This policy applies to all Vivek Doppalapudi, DDS MS PC staff members. Staff members include all
employees, volunteers, and consultants at Vivek Doppalapudi, DDS MS PC. Users who are granted access
to PHI and personal information will be required to sign this Staff Confidentiality and Non-Disclosure
Agreement. This policy is not intended, and should not be construed, to limit or prevent an employee from
exercising rights under the National Labor Relations Act.
PROCEDURE
Only authorized users are granted access to PHI. Such access is limited to specific, defined, documented and
approved applications and level of access rights.
As a condition to receiving passwords and user ID codes, or access rights to PHI (either by electronic or hard
copy access), each employee, volunteer, consultant and user must agree, in writing, to comply with established
terms and conditions included here, and within the Acceptable Use of Information Policy (contained within the
HIPAA Policy Manual). Failure to comply with such terms and conditions may result in the denial and/or
immediate suspension of access to PHI.
A violation of the terms of the confidentiality and non-disclosure agreement may be grounds for disciplinary
action, including termination of employment or contract, loss of privileges, legal action for monetary damages or
injunction, or both, or any other remedy available to Vivek Doppalapudi, DDS MS PC.
Please refer to the “Forms” section to find the
“Staff Member Confidentiality and Non-Disclosure
Agreement” form.
Please refer to the “Forms” section to find the
“Employee Exit Interview” form.
Please refer to the “Forms” section to find the
“Employee Exit/Termination Checklist” form.
AMENDMENT TO PROTECTED HEALTH INFORMATION
PATIENT REQUESTS TO AMEND PROTECTED
HEALTH INFORMATION
REFERENCE: 45 CFR § 164.526
SCOPE OF POLICY
This policy applies to all Vivek Doppalapudi, DDS MS PC’s staff members and health care professionals. Vivek
Doppalapudi, DDS MS PC staff members include all employees, trainees, volunteers, consultants, and health
care professionals at Vivek Doppalapudi, DDS MS PC.
STATEMENT OF POLICY
Patients generally have a legal right to request that Vivek Doppalapudi, DDS MS PC amend protected health
information (“PHI”) contained in “designated record sets” maintained by Vivek Doppalapudi, DDS MS PC or its
business associates. (A model form is available for this purpose on the following pages.)
Designated record sets are defined by HIPAA as:
Medical records maintained by Vivek Doppalapudi, DDS MS PC or a business associate of Vivek
Doppalapudi, DDS MS PC;
Billing records maintained by Vivek Doppalapudi, DDS MS PC or a business associate of Vivek
Doppalapudi, DDS MS PC; and,
Any enrollment, payment, claims adjudication, and case or medical management records maintained for a
health plan or insurer by Vivek Doppalapudi, DDS MS PC or a business associate of Vivek Doppalapudi,
DDS MS PC.
It is Vivek Doppalapudi, DDS MS PC’s policy to treat all patient requests in a respectful manner. If a patient
asks questions about amending his or her record, the patient is to submit his or her request directly to the
Privacy Officer. The Privacy Officer will enlist the assistance of the provider, who will determine whether to
grant the request. The Privacy Officer will also be responsible for updating Vivek Doppalapudi, DDS MS
PC’s records if a requested amendment is granted.
PROCEDURE
Vivek Doppalapudi, DDS MS PC will act on the individual’s request for an amendment no later than 60
days after receipt of such a request. If Vivek Doppalapudi, DDS MS PC is unable to act on the amendment
within the time required, Vivek Doppalapudi, DDS MS PC may extend the time for such action by no more
than 30 days, provided that:
Vivek Doppalapudi, DDS MS PC, within the time limit described above, provides the individual with a
written statement of the reasons for the delay and the date by which Vivek Doppalapudi, DDS MS PC will
complete its action on the request;
Under the HIPAA rule, Vivek Doppalapudi, DDS MS PC may have only one such extension of time for action
on a request for an amendment.
Denials of Requests
Vivek Doppalapudi, DDS MS PC may deny an individual’s request for amendment, if a provider determines
that:
The PHI, or record that is the subject of the request, was not created by the covered entity, unless the
individual provides a reasonable basis to believe that the originator of PHI is no longer available to act on
the requested amendment.
The PHI or record that is the subject of the request is not part of the designated record set.
The PHI, or record that is the subject of the request, would not be available because access has been
denied (see policy on Patient Right to Access).
The PHI, or record that is the subject of the request, is accurate and complete.
1. If Vivek Doppalapudi, DDS MS PC accepts the requested amendment, in whole or in part, Vivek
Doppalapudi, DDS MS PC will comply with the following requirement:
Vivek Doppalapudi, DDS MS PC will make the appropriate amendment to the PHI or record that is the
subject of the request for amendment and, at a minimum, identify the records in the designated record
set that are affected by the amendment and append or otherwise provide a link to the location of the
amendment.
2. Vivek Doppalapudi, DDS MS PC will inform the individual in a timely fashion that the amendment is
accepted and obtain the individual’s identification of and agreement to have the covered entity notify the
relevant persons with which the amendment needs to be shared.
3. Vivek Doppalapudi, DDS MS PC will make reasonable efforts to inform and provide the amendment
within a reasonable time to:
Persons identified by the individual as having received PHI about the individual and needing the
amendment; and
Persons, including business associates, that the covered entity knows have the PHI that is the subject of
the amendment and that may have relied, or could foreseeably rely, on such information to the detriment of
the individual.
4. Vivek Doppalapudi, DDS MS PC will document the amendment using the form found in the Model
Documents section of this manual.
5. If the individual’s primary care provider denies the requested amendment, in whole or in part, Vivek
Doppalapudi, DDS MS PC must comply with the following requirements:
The covered entity must provide the individual with a timely, written denial (see Model Documents). The
denial must use plain language and contain:
The basis for the denial,
The individual’s right to submit a written statement disagreeing with the denial and how the individual
may file such a statement,
A statement that, if the individual does not submit a statement of disagreement, the individual may
request that Vivek Doppalapudi, DDS MS PC provide the individual’s request for amendment and the
denial with any future disclosures of the PHI that is the subject of the amendment,
A description of how the individual may complain to the covered entity or to the Secretary of HHS. The
description will include the name, or title, and telephone number of Vivek Doppalapudi, DDS MS PC’s
Privacy Officer.
6. Vivek Doppalapudi, DDS MS PC will permit the individual to submit to Vivek Doppalapudi, DDS MS PC a
written statement disagreeing with the denial of all or part of a requested amendment and the basis of
such disagreement. Vivek Doppalapudi, DDS MS PC may reasonably limit the length of a statement of
disagreement.
7. Vivek Doppalapudi, DDS MS PC may prepare a written rebuttal to the individual’s statement of
disagreement. Whenever such a rebuttal is prepared, Vivek Doppalapudi, DDS MS PC must provide a
copy to the individual who submitted the statement of disagreement.
8. Vivek Doppalapudi, DDS MS PC will, as appropriate, identify the record or PHI in the designated record
set that is the subject of the disputed amendment and append or otherwise link the individual’s request
for an amendment, Vivek Doppalapudi, DDS MS PC’s denial of the request, the individual’s statement of
disagreement, if any, and Vivek Doppalapudi, DDS MS PC’s rebuttal, if any, to the designated record set.
9. For risk management purposes, it is Vivek Doppalapudi, DDS MS PC’s policy never to delete medical
information. Medical information should be amended, and the prior information should be noted as being
amended, but not deleted. Some state laws prohibit information in the medical records from being
changed or deleted.
10. If a statement of disagreement has been submitted by the individual, Vivek Doppalapudi, DDS MS PC
will include the material appended or, at the election of Vivek Doppalapudi, DDS MS PC, an accurate
summary of any such information, with any subsequent disclosure of the PHI to which the disagreement
relates.
11. If the individual has not submitted a written statement of disagreement, Vivek Doppalapudi, DDS MS PC
will include the individual’s request for amendment and its denial, or an accurate summary of such
information, with any subsequent disclosure of the PHI only if the individual has requested such action.
12. When a subsequent disclosure of PHI is made using a standard transaction (e.g., a standard electronic
transaction defined in C.F.R. Section 162 of the HIPAA rule) that does not permit the additional material
to be included with the disclosure, Vivek Doppalapudi, DDS MS PC may separately transmit the material
required, as applicable, to the recipient of the standard transaction.
13. All documentation related to requests, approvals, denials, disagreements and rebuttals will be
documented in a written or electronic form. Vivek Doppalapudi, DDS MS PC will retain the
documentation required for six years from the date of its creation or the date when it last was in effect,
whichever is later.
Amendments to Information Agreed to by Other Covered
Providers
If Vivek Doppalapudi, DDS MS PC is informed by another covered entity of an amendment to an
individual’s PHI, Vivek Doppalapudi, DDS MS PC must amend the PHI in designated record sets as
provided above.
VIOLATIONS
The Privacy Officer has general responsibility for implementation of this policy. Anyone who violates this
policy will be subject to disciplinary action up to and including termination of employment. Anyone who
knows or has reason to believe that another person has violated this policy should report the matter
promptly to Vivek Doppalapudi, DDS MS PC. Any attempt to retaliate against a person for reporting a
violation of this policy will itself be considered a violation of this policy that may result in disciplinary
action up to and including termination of employment with Vivek Doppalapudi, DDS MS PC.
Please refer to the “Forms” section to find the “Patient Request for Amendment of Records” form.
Please refer to the “Forms” section to find the “Documentation of Request for Amendment of Protected Health Information” form.
Please refer to the “Forms” section to find the “Letter for Communicating Denial of Request for Amendment of PHI” form.
ACCOUNTING OF DISCLOSURES OF PROTECTED HEALTH INFORMATION
ACCOUNTING OF DISCLOSURES
REFERENCE: 45 CFR § 164.528
SCOPE OF POLICY
This policy applies to all Vivek Doppalapudi, DDS MS PC’s employees, volunteers, vendors, subcontractors,
and business associates of Vivek Doppalapudi, DDS MS PC.
STATEMENT OF POLICY
All patients whose information has been received by Vivek Doppalapudi, DDS MS PC, and whose information is
maintained by Vivek Doppalapudi, DDS MS PC, have a right to an “accounting of disclosures,” which includes
information about many disclosures of the patient’s protected health information (“PHI”) that Vivek Doppalapudi,
DDS MS PC has made to third parties. It is Vivek Doppalapudi, DDS MS PC’s policy to treat all patient requests
in a respectful manner. If a patient asks questions about obtaining an accounting of disclosures, the patient
should be directed to make his or her request to the Privacy Officer.
MAINTENANCE OF DISCLOSURE LOG
Vivek Doppalapudi, DDS MS PC is responsible for maintaining a log of all PHI that is disclosed when an
authorization has not been received, which must be maintained and kept for six (6) years from the date of the
last access or disclosure for paper records and three (3) years for electronic records. At the time the patient or
the patient’s personal representative requests an Accounting of Disclosures, the Privacy Officer will be
responsible for documenting whether any disclosure has been made related to the request.
IMPLEMENTATION OF THIS POLICY
Because a patient may request an accounting of disclosures at any time, Vivek Doppalapudi, DDS MS PC staff
must record, on an ongoing basis, all information that is needed to respond to a patient’s request regarding
disclosures of information. Certain information must be recorded about each disclosure. The authorized
personnel who disclose a patient’s PHI without the patient’s written authorization MUST maintain a retrievable
accounting.
Each and every Vivek Doppalapudi, DDS MS PC staff member will be expected to comply with this policy of
recording disclosures. Violations may be subject to disciplinary action, up to and including termination.
Vivek Doppalapudi, DDS MS PC is required to keep records of certain disclosures of a patient’s PHI and to
provide an accounting of those disclosures to patients who request such an accounting. Disclosure means a
release, transfer, provision of access to or divulging in any other way of information outside Vivek Doppalapudi,
DDS MS PC.
Types of Disclosures Which Must Be Recorded
All disclosures made to:
Third-party requests allowable by law that do not require patient authorization;
Federal and/or state inquiries required by law (e.g., CMS or the Department of Health);
Disclosure made without authorization.
Types of Disclosures Which Do Not Have To Be Recorded
1. Sharing protected health information with Vivek Doppalapudi, DDS MS PC staff and the treating health
care providers is not considered a disclosure and therefore need not be recorded.
2. All disclosures of a patient’s protected health information made by Vivek Doppalapudi, DDS MS PC, or
its business associate vendors or subcontractors, except:
To carry out treatment, payment, and health care operations,
To individuals of PHI about themselves,
For the facility’s directory,
To persons involved in the individual’s care,
For national security or intelligence purposes,
To correctional institutions or law enforcement officials,
That occurred prior to the compliance date for the covered entity.
IMPLEMENTATION OF THIS POLICY
The Privacy Officer will respond to patient requests for accounting of disclosures in accordance with the
following procedures.
1. Patient Requests
All patient requests for accounting of disclosures must be made in writing.
2. Response Time
The Privacy Officer is expected to provide the patient with the requested accounting within a reasonable
timeframe. At the very latest, the Privacy Officer must provide the accounting within 60 days from the
date Vivek Doppalapudi, DDS MS PC received the request.
In rare circumstances, the Privacy Officer may be unable to provide the accounting within 60 days. If so,
the Privacy Officer may extend the time for responding by another 30 days. However, under no
circumstances may Vivek Doppalapudi, DDS MS PC provide the accounting later than 90 days from the
date the patient’s request was received.
If the 30-day extension is needed, the Privacy Officer must notify the patient in writing within the first 60
days to explain the reason for the delay and the date when Vivek Doppalapudi, DDS MS PC expects to
provide the accounting.
3. Content of the Accounting
The Privacy Officer must prepare the content of an accounting as follows:
The Privacy Officer will determine the period of time to be covered by the accounting.
Patients may request an accounting of disclosures made during any period of time falling within six years
before the date of the request.
When preparing an accounting, the following information must be included for each disclosure:
The date of the disclosure;
The name of the person or organization that received the information;
The address of the person or organization that received the information (if known);
A brief description of the protected health information disclosed (with dates of treatment when
possible); and
At least one of the following items –
A brief statement explaining the purpose of the disclosure and why the disclosure is permitted under Vivek
Doppalapudi, DDS MS PC’s policies, or
A copy of a written request made by a person or organization to whom the disclosure was made where the
information was disclosed for one of the public policy reasons.
4. Collection of Fees
Vivek Doppalapudi, DDS MS PC must provide a patient with one free accounting every twelve (12)
months. If a patient requests an additional accounting within the same twelve (12) month period, the
Privacy Officer may prepare an estimate of a reasonable fee that will recover the costs of producing the
accounting.
5. Documentation
Documentation relating to a patient’s request for an accounting must be maintained by Vivek
Doppalapudi, DDS MS PC for six years from the date of its creation.
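The procedure above (which disclosures are accountable, the six-year look-back, the 60/90-day response deadline, the required fields, and the one-free-per-twelve-months fee rule) can be expressed as a small disclosure-log model. The following is an added example written for this page; it is not the practice’s own system or form, and the log field names, purpose labels and sample entries are constructed assumptions. The sample log also carries a misdirected-fax entry of the kind the Fax Policy requires to be recorded on the “Accounting of Disclosure” form, to show that such an entry is not exempt and therefore appears in the accounting.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional, Union

# Disclosure categories the policy exempts from the accounting (treatment,
# payment and operations; to the individual; facility directory; persons
# involved in care; national security; correctional / law enforcement).
# The category labels themselves are assumptions made for this example.
EXEMPT_PURPOSES = frozenset({
    "treatment", "payment", "operations", "to_individual",
    "facility_directory", "involved_in_care", "national_security",
    "correctional_or_law_enforcement",
})
LOOKBACK_YEARS = 6          # accounting may cover up to six years before the request
STANDARD_RESPONSE_DAYS = 60
EXTENSION_DAYS = 30         # one extension, notified in writing within the first 60 days

DateLike = Union[date, str]


def as_date(d: DateLike) -> date:
    """Accept a date or an ISO-8601 string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


@dataclass(frozen=True)
class Disclosure:
    """One disclosure-log entry (field names are assumptions for this example)."""
    disclosed_on: date
    recipient_name: str
    recipient_address: Optional[str]   # None when the address is not known
    description: str                   # PHI disclosed, with treatment dates when possible
    purpose: str                       # category checked against EXEMPT_PURPOSES
    basis: str                         # why permitted, or reference to the written request


def years_before(d: DateLike, years: int) -> date:
    """Same calendar day N years earlier; Feb 29 falls back to Feb 28."""
    d = as_date(d)
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def response_deadline(received_on: DateLike, extended: bool = False) -> date:
    """60 days from receipt, or 90 when the single 30-day extension is used."""
    days = STANDARD_RESPONSE_DAYS + (EXTENSION_DAYS if extended else 0)
    return as_date(received_on) + timedelta(days=days)


def accountable_disclosures(log: Iterable[Disclosure], received_on: DateLike,
                            period_start: DateLike, period_end: DateLike) -> List[Disclosure]:
    """Non-exempt disclosures inside the requested period, clipped to the six
    years before the request was received and to the receipt date itself."""
    received = as_date(received_on)
    start = max(as_date(period_start), years_before(received, LOOKBACK_YEARS))
    end = min(as_date(period_end), received)
    return sorted(
        (d for d in log
         if start <= d.disclosed_on <= end and d.purpose not in EXEMPT_PURPOSES),
        key=lambda d: d.disclosed_on,
    )


def accounting_entries(log, received_on, period_start, period_end) -> List[dict]:
    """Render each accountable disclosure with the fields the policy requires."""
    return [{
        "date": d.disclosed_on.isoformat(),
        "recipient": d.recipient_name,
        "address": d.recipient_address or "not known",
        "description": d.description,
        "purpose_or_request": d.basis,
    } for d in accountable_disclosures(log, received_on, period_start, period_end)]


def fee_may_be_charged(prior_accountings: Iterable[DateLike], received_on: DateLike) -> bool:
    """One free accounting per twelve months; True when a prior accounting
    was already provided inside the twelve months before this request."""
    received = as_date(received_on)
    cutoff = years_before(received, 1)
    return any(cutoff < as_date(p) <= received for p in prior_accountings)


# Constructed sample log for one patient; none of these are real records.
SAMPLE_LOG = [
    Disclosure(date(2012, 2, 10), "Referring orthodontist", "12 Example St",
               "Treatment notes 2012-01", "treatment", "treatment (exempt)"),
    Disclosure(date(2012, 3, 1), "State Department of Health", "1 Capitol Sq",
               "Immunization record", "public_health",
               "Required by state reporting law"),
    Disclosure(date(2012, 11, 5), "Unknown fax recipient", None,
               "Appointment summary 2012-10-30", "misdirected_fax",
               "Misdirected fax reported to Privacy Officer; recorded on Accounting of Disclosure form"),
    Disclosure(date(2005, 1, 1), "Insurer audit team", "9 Plan Ave",
               "Claims history 2004", "public_health", "Older than the six-year window"),
]

if __name__ == "__main__":
    for entry in accounting_entries(SAMPLE_LOG, "2013-03-01", "2004-01-01", "2013-03-01"):
        print(entry)
    print("respond by", response_deadline("2013-03-01"))
```

The look-back is clipped to the request’s receipt date on both ends, so a patient asking for “everything since 2004” in 2013 receives only the six years the policy allows, and an entry whose address was never known is rendered as “not known” rather than dropped, since the address field is required only “if known”.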
VIOLATIONS
Anyone who violates this policy will be subject to disciplinary action up to and including termination of
employment. Anyone who knows or has reason to believe that another person has violated this policy
should report the matter promptly to the Privacy Officer. Any attempt to retaliate against a person for
reporting a violation of this policy will itself be considered a violation of this policy that may result in
disciplinary action up to and including termination of employment or contract with Vivek Doppalapudi,
DDS MS PC.
Please refer to the “Forms” section to find the “Request for Accounting of Uses and Disclosures” form.
Please refer to the “Forms” section to find the “Account of Uses and Disclosures of PHI” form.
ADMINISTRATIVE SAFEGUARDS
PRIVACY ADMINISTRATIVE SAFEGUARDS
REFERENCE: 45 CFR § 164.530
POLICY:
Vivek Doppalapudi, DDS MS PC must implement policies and procedures with respect to PHI that are designed
to comply with the standards, implementation specifications, or other requirements of HIPAA rules. The policies
and procedures must be reasonably designed, taking into account the size and type of activities that relate to
PHI undertaken by Vivek Doppalapudi, DDS MS PC, to ensure such compliance. This standard is not to be
construed to permit or excuse an action that violates any other standard, implementation specification, or other
requirement of this subpart.
If a practice has not reserved its right to change a privacy practice that is stated in the Notice, Vivek
Doppalapudi, DDS MS PC is bound by the privacy practices as stated in the Notice with respect to PHI created
or received while such Notice is in effect. A practice may change a privacy practice that is stated in the Notice,
and the related policies and procedures, without having reserved the right to do so, provided that such change
meets the implementation of the requirements in this procedure; and such change is effective only with respect
to PHI created or received after the effective date of the Notice.
PROCEDURES
1. Vivek Doppalapudi, DDS MS PC maintains written policies and procedures that outline Vivek
Doppalapudi, DDS MS PC’s privacy and confidentiality policies in accordance with legal requirements
mandated by the HIPAA law of 1996.
2. Vivek Doppalapudi, DDS MS PC will change its policies and procedures as necessary and appropriate to
comply with changes in the law, including the standards, requirements, and implementation
specifications of the HIPAA rule.
3. When Vivek Doppalapudi, DDS MS PC changes a privacy practice that is stated in the Notice of Privacy
Practices, and makes corresponding changes to its policies and procedures, it may make the changes
effective for PHI that it created or received prior to the effective date of the Notice revision if the covered
entity has included in the Notice a statement reserving its right to make such a change in its privacy
practices.
4. Vivek Doppalapudi, DDS MS PC may make any other changes to policies and procedures at any time,
provided that the changes are documented and implemented in accordance with this procedure.
5. Whenever there is a change in law that necessitates a change to Vivek Doppalapudi, DDS MS PC’s
policies or procedures, Vivek Doppalapudi, DDS MS PC will promptly document and implement the
revised policy or procedure. If the change in law materially affects the content of the Notice of Privacy
Practices, Vivek Doppalapudi, DDS MS PC will promptly make the appropriate revisions to the Notice.
Nothing in this paragraph may be used by Vivek Doppalapudi, DDS MS PC to excuse a failure to comply
with the law.
6. To implement a change as described above, Vivek Doppalapudi, DDS MS PC will:
a. Ensure that the policy or procedure, as revised to reflect a change in Vivek Doppalapudi, DDS MS PC’s
privacy practice as stated in its Notice of Privacy Practices, complies with the standards, requirements,
and implementation specifications identified in this procedure.
b. Document the policy or procedure, as revised, as required in a written or electronic form. Vivek
Doppalapudi, DDS MS PC will retain the documentation required for six years from the date of its
creation, or the date when it last was in effect, whichever is later.
c. Revise the Notice to state the changed practice and make the revised Notice available as required. Vivek
Doppalapudi, DDS MS PC will not implement a change to a policy or procedure prior to the effective date
of the revised Notice.
7. A practice may change, at any time, a policy or procedure that does not materially affect the content of
the Notice of Privacy Practices, provided that the policy or procedure, as revised, complies with the
standards, requirements, and implementation specifications of this procedure; and prior to the effective
date of the change, the policy or procedure, as revised, is documented in a written or electronic form.
8. Vivek Doppalapudi, DDS MS PC will retain the documentation required for six years from the date of its
creation, or the date when it last was in effect, whichever is later.
INTERPRETATION:
The policies and procedures of small providers may be more limited under the Rule than those of a large
hospital or health plan, based on the volume of health information maintained and the number of
interactions with those within and outside of the health care system.
PERSONNEL DESIGNATIONS POLICY
REFERENCE: 45 CFR § 164.530
POLICY:
Vivek Doppalapudi, DDS MS PC must designate a Privacy Officer who is responsible for the development and
implementation of the policies and procedures of the entity.
The Privacy Officer will serve as the contact person who is responsible for receiving complaints, and who is
able to provide further information about matters covered by the Notice of Privacy Practices.
Vivek Doppalapudi, DDS MS PC must document the personnel designations in a written or electronic form.
Vivek Doppalapudi, DDS MS PC will retain the documentation required for six years from the date of its
creation, or the date when it last was in effect, whichever is later.
The Privacy Officer will maintain all documentation relating to the Privacy and Security Rules for a period of six
years from the date of creation, or the last effective date, whichever is later.
PROCEDURE:
1. Vivek Doppalapudi, DDS MS PC’s Privacy Officer is Dr. Vivek Doppalapudi. This person is responsible
for oversight of development and implementation of Vivek Doppalapudi, DDS MS PC’s privacy
standards, and will also review all complaints and requests for review of denials.
2. Vivek Doppalapudi, DDS MS PC’s privacy contact is Dr. Vivek Doppalapudi. This person is responsible
for inquiries and questions regarding Vivek Doppalapudi, DDS MS PC’s Notice of Privacy Practices.
3. This policy, Vivek Doppalapudi, DDS MS PC’s Notice of Privacy Practices, and any other applicable
policies and procedures will be updated whenever there is a change to the Privacy Officer or privacy
contact.
INTERPRETATIONS:
The Privacy Officer at a small physician practice may be the office manager, who will have other non-privacy
related duties; the Privacy Officer at a large health plan may be a full-time position, and may have the regular
support and advice of a privacy staff or board.
PRIVACY OFFICER RESPONSIBILITIES
Vivek Doppalapudi, DDS MS PC will identify the Privacy Officer who is responsible for the development and
implementation of the policies and procedures required under the HIPAA Privacy Rule. The Privacy Officer will
have the following responsibilities:
1. Provides guidance and assists in the identification, implementation, and maintenance of organization
privacy policies and procedures in coordination with practice management and legal counsel.
2. Ensures the performance of initial and periodic information privacy risk assessments, and
conducts related ongoing compliance monitoring activities in coordination with Vivek Doppalapudi,
DDS MS PC’s other compliance and operational assessment functions.
3. Works with legal counsel and management to ensure Vivek Doppalapudi, DDS MS PC has and
maintains appropriate privacy authorization forms, and information notices and materials reflecting
current organization and legal practices and requirements.
4. Oversees, directs, delivers, or ensures delivery of initial and privacy training and orientation to all
employees, volunteers, medical and professional staff, contractors, alliances, business associates,
and other appropriate third parties.
5. Participates in the development, implementation, and ongoing compliance monitoring of all trading
partner and business associate agreements to ensure all privacy concerns, requirements, and
responsibilities are addressed.
6. Establishes with management a mechanism to track access to PHI, within the purview of Vivek
Doppalapudi, DDS MS PC and as required by law, and to allow qualified individuals to review or
receive a report on such activity.
7. Ensures Vivek Doppalapudi, DDS MS PC honors patient rights to inspect, amend, and restrict
access to PHI when appropriate.
8. Establishes and administers a process for receiving, documenting, tracking, investigating, and
taking action on all complaints concerning the organization’s privacy policies and procedures in
coordination and collaboration with other similar functions and, when necessary, legal counsel.
9. Ensures compliance with privacy practices and consistent application of sanctions for failure to
comply with privacy policies for all individuals in Vivek Doppalapudi, DDS MS PC’s workforce,
extended workforce, and for all business associates in cooperation with legal counsel as
applicable.
10. Initiates, facilitates, and promotes activities to foster information privacy awareness within the
organization and related entities.
11. Serves as a member of, or liaison to, the organization’s Institutional Review Board or Privacy
Committee, should one exist. Also serves as the information privacy liaison for users of clinical
and administrative systems.
12. Reviews all system-related information security plans to ensure alignment between security and
privacy practices.
13. Works with all practice personnel involved with any aspect of release of PHI, to ensure full
coordination and cooperation under the organization’s policies and procedures and legal
requirements.
14. Maintains current knowledge of applicable federal and state privacy laws and accreditation
standards as applicable, and monitors advancements in information privacy technologies to
ensure organizational adaptation and compliance.
15. Serves as information privacy consultant to Vivek Doppalapudi, DDS MS PC and appropriate
entities.
16. Cooperates with the Office for Civil Rights, other legal entities, and organization officers in any
compliance reviews or investigations.
QUALIFICATIONS:
Knowledge of state and federal privacy laws;
Experience with practice operations and privacy practices;
Ability to develop working relationships with practice staff and practice management.
This description is intended to serve as a scalable framework for organizations in development of a
position description for the Privacy Officer. Under the HIPAA Security Rule, the Security Officer and the
Privacy Officer may be the same individual, or different individuals.
FAX POLICY
REFERENCE: 45 CFR § 164.530
PURPOSE: While it is recognized that fax equipment, associated software, and the mechanism of faxing
information can significantly enhance the operations of Vivek Doppalapudi, DDS MS PC, the general operation
of faxing can also introduce risk. These risks can be caused by a failure to follow precautions that cause
information to be misdirected or received by individuals other than for whom it was intended. This policy is
intended to ensure that the privacy of any information that is faxed is appropriately protected and maintained,
including protected health information (“PHI”), financial information, and confidential and proprietary information
(“Confidential Information”).
POLICY:
General
1. Only authorized users are permitted to receive faxes containing Confidential Information. The sender of
Confidential Information has the responsibility to verify that the intended recipient receives the fax.
2. All faxes are to be sent only under those conditions that allow for reasonable safeguards to exist prior to
the fax being sent, so that the protection of Confidential Information can be assured.
3. Safeguards include, but are not limited to, ensuring and verifying that the fax number being used is
correct, ensuring that the fax machine being used by the sender is in a secure location not viewable by
public traffic, ensuring that the fax will only be received by the intended recipient, and determining a
mechanism to verify receipt of said fax.
4. Fax machine numbers, including those used by AutoFax processes and preprogrammed numbers, should
be verified on a scheduled basis not less than once every six months to ensure that numbers have not
changed.
5. Vivek Doppalapudi, DDS MS PC’s fax machines that transmit or receive Confidential Information as
outlined in this Policy should be placed in areas that are not accessible by the public, and whenever
possible, they should be placed in areas that require some form of access mechanism such as keys,
badges, or similar mechanisms to restricted areas.
6. The use of pre-programmed numbers should be employed whenever possible to minimize accidental
keying of wrong numbers. The pre-programmed numbers must be independently verified prior to keying
the numbers into the fax machine. The pre-programmed number must be verified in the fax machine
memory prior to use to ensure it is correct.
7. The use of audit controls including but not limited to, fax transmittal and confirmation sheets should be
employed. Whenever possible, these documents should be safely stored and available for review to
ensure that unauthorized use or access has not taken place.
8. Faxes should be transmitted in such a way that is commensurate with the classification of the
information.
9. Under all circumstances and/or conditions, faxes should be transmitted so as to protect against any
accidental or intentional disclosure, use, or manipulation of Confidential Information.
10. All misdirected faxes containing Confidential Information must be brought to the attention of the Privacy
Officer for review. “Misdirected faxes” include sending a fax to a wrong number or recipient, or receiving
a fax that was intended for another recipient. The employee sending the fax must account for the
disclosure, and it must be recorded on the “Accounting of Disclosure” form. The fax cover sheets or
activity report should be kept on file within Vivek Doppalapudi, DDS MS PC.
Fax Cover Sheets
1. All faxes sent outside of Vivek Doppalapudi, DDS MS PC containing any type of information that could
be considered Confidential Information, including PHI should be sent utilizing a fax coversheet.
2. The cover sheet should contain the following:
Vivek Doppalapudi, DDS MS PC’s Name
Sender’s name
Sender’s telephone number
Sender’s fax number
Intended recipient name
Intended recipient telephone number
Intended recipient fax number
Date
Number of pages sent
Special instructions, if necessary.
3. The following statement, or a similar one covering the same points, must be attached to all outgoing
faxes:
“The information contained in this transmittal may include privileged or confidential material intended
solely for the individual to whom it is addressed. The material may also include information of a
proprietary nature that is exempt from disclosure under applicable State and Federal laws. Such
disclosure is expressly prohibited without the prior, written authorization of Vivek Doppalapudi, DDS MS
PC. If the recipient of this transmittal is not the intended person(s), you are notified that any unauthorized
dissemination, distribution, or duplication of this material is strictly prohibited. If you have received this
communication in error, please notify the sender immediately.”
“The recipient of patient information is prohibited from disclosing the information to any other party and is
required to destroy the information after the need for the information has been fulfilled.”
Faxing of Confidential Information
Faxes, in general, should only be utilized by Vivek Doppalapudi, DDS MS PC when standard, mail-delivered
copies will not meet the needs of immediate patient care.
1. Faxes may only be utilized to transmit Confidential Information when warranted by an urgent need or
when required by a third party. Except as authorized for treatment, payment, practice operations, or
federal or state law, a properly completed and signed authorization must be obtained before releasing
PHI. The following types of medical information are protected by federal and/or State statute, and may
NOT be faxed or photocopied without specific written patient authorization, unless required by law.
Confidential details of:
Psychotherapy (records of treatment by a psychiatrist, licensed psychologist or psychiatric clinical nurse
specialist);
Other professional services of a licensed psychologist;
Social work counseling/therapy;
Domestic violence victims’ counseling;
Sexual assault counseling;
HIV test results (patient authorization required for EACH release request);
Records pertaining to sexually-transmitted diseases;
Alcohol and drug abuse records protected by federal confidentiality rules (42 CFR Part 2).
2. Faxes should be limited to transmitting the minimum necessary information to meet the requestor’s
needs;
3. Except as authorized by law, a properly completed and signed authorization must be obtained before
releasing patient information.
4. In the event of a medical emergency, an authorization is not required to transmit a fax to a physician or
other health care provider.
Failure to Comply
Failure to comply with this policy shall result in disciplinary action up to and including termination of
employment.
Please refer to the “Forms” section to find the “Fax Cover Sheet” form.
Please refer to the “Forms” section to find the “Misdirected Fax Cover Sheet” form.
E-MAIL POLICY
REFERENCE: 45 CFR § 164.530
PURPOSE:
As a productivity enhancement tool, Vivek Doppalapudi, DDS MS PC encourages the business use of
electronic communications, specifically e-mail. While understanding the need for this type of access, it is also
important for Vivek Doppalapudi, DDS MS PC to set policies governing the use of the e-mail tool. All e-mail
users of Vivek Doppalapudi, DDS MS PC are expected to be familiar with, understand, and comply with this
policy. This policy outlines acceptable e-mail usage.
POLICY:
General Rules
1. Email containing PHI must be treated with the same degree of privacy and confidentiality as the patient’s
medical record.
2. Vivek Doppalapudi, DDS MS PC will make all email messages sent or received, concerning the
treatment of a patient, part of the patient’s medical record.
3. Vivek Doppalapudi, DDS MS PC personnel may not send or forward any PHI outside the practice
network via email unless specifically authorized by the patient.
4. When using email, Vivek Doppalapudi, DDS MS PC employees must limit the information transmitted to
the minimum necessary to meet the requester’s needs.
5. In addition, all external disclosures of PHI through email must be in compliance with the policies on uses
and disclosures and patient authorization.
6. Prior to personnel using email to correspond with patients, the patient must consent to the use of email
for transmitting confidential PHI by signing a “Patient Consent for Use of Electronic Mail” form. It is the
responsibility of each practice staff member to make sure the patient has provided consent to correspond
through email before doing so.
7. Email should not be used to replace a clinical visit (e.g., an initial patient visit). The health care provider
should use “due care” in corresponding with the patient through email for treatment.
Authorized Usage
Business Activities only. Vivek Doppalapudi, DDS MS PC’s electronic communications systems shall be
used for proper business use only, or those activities which management has approved.
Personal Use. Incidental personal use is permissible as long as: (a) it does not consume more than a
trivial amount of resources, (b) does not interfere with worker productivity, (c) does not preempt any
business activity. Users are expressly prohibited from using Vivek Doppalapudi, DDS MS PC’s electronic
communication systems for charitable endeavors, private business activities, or amusement /
entertainment purposes.
Use of Resources. The use of Vivek Doppalapudi, DDS MS PC’s resources, including electronic
communications, shall not create either the appearance or the reality of inappropriate use.
Subscription to Newsgroups. While Vivek Doppalapudi, DDS MS PC recognizes that subscriptions to
industry-related Newsgroups are beneficial and even necessary, users are reminded to be
cautious about providing e-mail addresses and subscribing. Many providers willfully sell e-mail
addresses, and can cause a great deal of damage by excessive messaging known as spam. Users
receiving excessive, frivolous messages from sources other than those they subscribe to are required to
report this activity to the Helpdesk, so a resolution can be found. Additionally, subscriptions to
newsgroups and mailing lists are only permitted for Vivek Doppalapudi, DDS MS PC’s business related
purposes. All other subscriptions are expressly prohibited.
Use of Outside e-mail Accounts. Vivek Doppalapudi, DDS MS PC’s users are prohibited from using non-
Vivek Doppalapudi, DDS MS PC’s e-mail accounts to conduct Vivek Doppalapudi, DDS MS PC’s
business activities. This includes the automatic forwarding of messages to outside e-mail from Vivek
Doppalapudi, DDS MS PC accounts, and the accessing of non-Vivek Doppalapudi, DDS MS PC
accounts via Vivek Doppalapudi, DDS MS PC’s resources.
Content Filtering and Scanning of Attachments. All Vivek Doppalapudi, DDS MS PC e-mail will be
scanned with content filtering software approved by the Privacy Officer for the presence of viruses,
worms, Trojans, and any other harmful attachment or condition. All e-mail and/or attachments found to
contain harmful code are to be quarantined by specified and approved procedures and policies so as to
prevent further infection of Vivek Doppalapudi, DDS MS PC resources. Additionally, all e-mail shall be
scanned so as to identify all non-business related attachments, and/or those attachments that could
cause potential harm such as GIFs, JPEGs, EXEs, and similar type attachments. These attachments will
be quarantined and/or deleted from all Vivek Doppalapudi, DDS MS PC’s e-mail as part of the scan,
unless specifically authorized by the Security Officer.
Default Privileges
Least Privilege. Employee privileges on electronic communication systems shall be assigned such that
only those capabilities necessary to perform a job are granted.
Non-Administrators. Those users not classified as Administrators shall not have the capabilities and/or
permissions to reprogram or manage electronic mail system software.
Broadcast Facilities. Only with Vivek Doppalapudi, DDS MS PC management approval can broadcast
facilities be utilized.
Those groups that are created to send electronic messaging to all users shall be restricted to only
authorized users, which have been approved by Vivek Doppalapudi, DDS MS PC management.
User Accountability
Unique Login IDs. E-mail systems shall employ personal login IDs and passwords to allow access so
that communications of different users can be isolated. All users shall log on with the login ID that was
assigned to them, and the sharing of login IDs, or using another user’s login ID, is expressly prohibited.
All users are completely accountable for all actions performed with the login ID that is assigned to them.
All e-mail accounts that are established on the practice’s systems will utilize the name that is used in the
Vivek Doppalapudi, DDS MS PC HR system. The use of nicknames is not permitted unless it is the same
name that is entered in the HR system; i.e., the legal name.
Passwords. Passwords shall never be shared or revealed to anyone else other than the authorized
user. The sharing of passwords and/or login IDs is strictly prohibited. To prevent unauthorized parties
from obtaining access to electronic communications, users shall choose passwords that are difficult to
guess.
User Identity. Misrepresenting, obscuring, suppressing, or replacing a user’s identity on an electronic
communications system is expressly forbidden. The user name, electronic mail message, organizational
affiliation, and related information included with electronic messages or postings shall reflect the actual
originator of the messages or postings.
Generic Type Users. The use of a generic login ID that is not assigned to any one, specific user is
expressly forbidden on any Vivek Doppalapudi, DDS MS PC e-mail system. The only exception
permitted is a generic type mailbox set up for the specific use of a department or area of responsibility, and the
SO as well as appropriate Vivek Doppalapudi, DDS MS PC Management must approve this. This type of
mailbox shall not be permitted to send e-mail, only receive it.
Privacy of Communications
No Default Protection. The external sending of proprietary data, passwords, trade secrets, medical and/or
patient information, or any other data that could be considered confidential via e-mail, is expressly
prohibited unless prior written authorization is obtained from appropriate Vivek Doppalapudi, DDS MS
PC management. If approval is granted, encryption techniques shall be employed.
Additionally, all users must recognize that since errors can occur, precautions should be taken when
sending information of this type over the internal Vivek Doppalapudi, DDS MS PC network, so that only
authorized parties receive information that is considered confidential.
Respecting Privacy Rights. Except for monitoring activities authorized by management, no user may
intentionally intercept or disclose, or assist in intercepting or disclosing, electronic communications.
No Expectations of Privacy. The Vivek Doppalapudi, DDS MS PC resources and user accounts are
issued to users to assist them in the performance of their jobs, and as such, remain the property of Vivek
Doppalapudi, DDS MS PC. Users do not have an expectation of privacy in anything users create, store,
send, or receive on Vivek Doppalapudi, DDS MS PC resources. Resources belong to Vivek
Doppalapudi, DDS MS PC and are to be used solely for the purpose of Vivek Doppalapudi, DDS MS PC
business, the user’s usual duties, and/or other purposes authorized by management.
Message Monitoring. The content of electronic communications may be monitored and the usage of
electronic communications systems will be monitored as required, to support operational maintenance,
auditing, security, and investigative activities. Electronic communications should be structured in
recognition of the fact that Vivek Doppalapudi, DDS MS PC will from time to time examine the content of
electronic communications without prior notice.
Incidental Disclosure. It may be necessary for authorized technical support personnel to review the
content of an individual employee’s communications during the course of problem resolution.
Public Representations
Vivek Doppalapudi, DDS MS PC Representations. No media advertisement, Internet home page,
electronic bulletin board posting, electronic mail message, voice mail message, or any other public
representation about Vivek Doppalapudi, DDS MS PC may be issued unless it has been first approved
by proper practice management.
Vivek Doppalapudi, DDS MS PC Affiliations. When sending electronic mail, an employee’s affiliation
with Vivek Doppalapudi, DDS MS PC is often implied by the electronic mail address or explicitly
indicated by adding certain words in messages. Personal opinions should be clearly identified as their
own, and not necessarily those of Vivek Doppalapudi, DDS MS PC. Before sending any material, Vivek
Doppalapudi, DDS MS PC users must consider whether the communication could put the practice at a
disadvantage, or could cause public relations problems for Vivek Doppalapudi, DDS MS PC.
Statistical Data
Collection of Data. Consistent with generally accepted business practice, Vivek Doppalapudi, DDS MS
PC collects statistical data about electronic communications. For example, call detail reporting
information collected by telephone switching systems indicates the numbers dialed, the duration of calls,
the time of day when calls are placed, etc. Using such information, technical support personnel monitor
the use of electronic communications to ensure the ongoing availability and reliability of these systems.
Message Content
Common Sense Approach. Users shall not use profanity, obscenities, or derogatory remarks in
electronic mail messages discussing employees, customers and / or patients, competitors, or others.
Such remarks – even when made in jest – may create legal problems such as trade libel and defamation
of character. Special caution is warranted because back-up and archival copies of electronic mail may
actually be more permanent and more readily accessed than traditional paper communications (See also
Section H).
Think Before Sending. Users must choose their words carefully when creating e-mails. Responding to e-mails
while upset can produce messages containing words that would not normally be sent, and an e-mail cannot be taken back once sent.
Users should be encouraged to think carefully before sending out e-mails.
Express Prohibitions
8. User activity that violates the principles in this policy.
9. The distribution of “junk mail” such as chain letters, marketing, fund-raising, advertisements, or any other
frivolous communications.
10. The transmission or solicited receipt of any type of communication that could be construed by any other
user as harassment, vulgar, obscene, discriminatory, defamatory or offensive based on race, national
origin, sex, age, disability, religious affiliation, or any other characteristic protected by federal, state, or
local law, or is potentially damaging to Vivek Doppalapudi, DDS MS PC.
11. Excessive or abusive volume of personal communications.
12. Distribution, retrieval, or reproduction of intellectual property without documented permission from the
copyright or patent holder.
13. Any electronic communication that includes published material for which copyrights, trademarks or
contractual agreements prohibit duplication without consent.
14. Communications which imply that any type of contractual agreement is being entered into, unless prior
authorization is first obtained from appropriate Vivek Doppalapudi, DDS MS PC management.
15. Communications that promote or imply unlawful activity or activities contrary to Vivek Doppalapudi, DDS
MS PC’s mission.
16. Any activity that attempts to bypass the security controls of the system.
17. Any activity that puts the system at risk.
18. Any activity that does not have prior Vivek Doppalapudi, DDS MS PC management approval.
19. Some information that is transmitted via electronic communications is intended for specific individuals,
and therefore, should not be shared with others. Users should exercise caution when forwarding
communications to other Vivek Doppalapudi, DDS MS PC users. Vivek Doppalapudi, DDS MS PC
information that is sensitive in nature may not be forwarded to external parties without the express
permission of senior management.
20. The use of the system to create, harbor, or transport viruses. Additionally, all users must not disable any
anti-virus software.
21. Subscriptions to newsgroups, mailing lists, etc., that are not Vivek Doppalapudi, DDS MS PC business
related.
22. The external transmission of any Protected Health Information that is considered to be protected by any
Federal or State statute, unless it is sent in encrypted form, and the transmission method has been
approved by the Privacy Officer.
23. The use of any form of Instant Messaging, unless authorized by Vivek Doppalapudi, DDS MS PC
management and the Privacy Officer.
24. The use of backgrounds, stationery, or other graphics in e-mail due to the excessive amount of storage
that is wasted.
25. The downloading or copying of any software or applications without prior authorization or license.
26. Access or downloading of any pornography or other illegal materials or illegal activity such as gambling.
27. Storing personal files or electronic information.
28. As a condition to receiving passwords and user ID codes, or access rights to information (either by
electronic or hard copy access), each employee and user must agree in writing to comply with
established terms and conditions. Failure to comply with such terms and conditions may result in the
denial and/or immediate suspension of access to employee or company information.
Message Retention
Purging Messages. Messages no longer needed for business purposes shall be periodically purged by
users from their personal electronic storage areas. Most electronic mail should be purged after it is
opened and read. Those messages, which are required for business decisions or reference, shall be
stored appropriately and/or backed up.
Space Limitations. All e-mail users will have a threshold, defined by Vivek Doppalapudi, DDS MS PC
Management, on the amount of storage space they may use. It is each user’s
responsibility to monitor the number of messages being retained so that the allocation is not exceeded. If
the allocated space is exceeded, a user’s privileges to send and/or receive e-mail may be temporarily
suspended until the user can delete a sufficient number of messages to lower the amount of space
occupied.
Security Reporting
Incident Handling. Users shall promptly report all virus and security alerts, warnings, suspected
vulnerabilities, and the like to the Privacy Officer. Users are prohibited from forwarding any security
problems to any other users, whether those users are internal or external, unless specifically instructed
to do so by the Privacy Officer.
Violation of Policy
Failure to comply with the Vivek Doppalapudi, DDS MS PC E-Mail Policy may result in disciplinary action
up to and including termination, as well as the possibility of appropriate legal action including, but not
limited to, the right to seek compensation and / or prosecution.
The Privacy Officer will deny or revoke communication privileges if there is a reasonable belief that a
violation has occurred.
Please refer to the “Forms” section to find the
“Patient Consent for Use of Electronic Mail” form.
SOCIAL MEDIA POLICY
REFERENCE: 45 CFR § 164.530
Use of Social Media
“Social Media” means any Internet-based content created through public or social interaction, where users
primarily produce and contribute to (rather than just read) the content. Social Media include, but are not limited
to, social or professional networking websites, wikis, blogs, virtual worlds, personal websites, photo-sharing
websites, and video-sharing websites (such as, for example, Facebook, Twitter, YouTube, etc.). The lack of
reference to specific Social Media websites in this policy does not limit the extent or application of this policy.
Vivek Doppalapudi, DDS MS PC acknowledges the growing popularity of Social Media as a means for sharing
experiences, ideas, and opinions. However, Vivek Doppalapudi, DDS MS PC also strives to protect itself, its
employees, and third parties such as patients, subsidiaries, affiliates, vendors, and business partners from
damages and potential criminal liability resulting from improper or unlawful use of Social Media. Indeed,
because of the nature of Vivek Doppalapudi, DDS MS PC’s practice, including the fact that Vivek Doppalapudi,
DDS MS PC is subject to the stringent regulations found in the Health Insurance Portability and Accountability
Act (“HIPAA”) concerning nondisclosure of protected health information, Vivek Doppalapudi, DDS MS PC
employees may not contribute content about their work at Vivek Doppalapudi, DDS MS PC, with certain narrow
exceptions.
Employees must also keep in mind that Vivek Doppalapudi, DDS MS PC’s other policies – including but not
limited to its HIPAA policies, confidentiality policies, anti-harassment policies, E-mail and Acceptable Use of
Information Policies – apply to its employees’ online conduct, including via Social Media.
This policy applies to all employees of Vivek Doppalapudi, DDS MS PC during both working and non-working
time, regardless of whether the employee is using the practice’s equipment or the employee’s personal
equipment, on or off the practice’s property.
PROCEDURE
If an employee uses Social Media, the following rules must be followed:
Do not contribute content or images about or related to any patients or their family members. Even a
comment which does not mention a patient’s name may violate HIPAA, if the information contributed could
be used alone or in combination with other information to identify the individual who is the subject of the
information.
Do not contribute any confidential, proprietary, libelous, or defamatory content or information about or
related to Vivek Doppalapudi, DDS MS PC, its employees, or third parties such as subsidiaries, vendors,
affiliates, or business partners.
Do not engage in behavior that will reflect negatively on the reputation of Vivek Doppalapudi, DDS MS PC,
its employees, or third parties such as subsidiaries, vendors, affiliates, or business partners.
Do not post obscenities, slurs, or personal attacks that could damage the reputation of Vivek Doppalapudi,
DDS MS PC, its employees, or third parties such as subsidiaries, vendors, affiliates, or business partners.
Do not contribute commentary, content, or images that could be considered an act or threat of violence,
harassment, or could create a hostile work environment.
Do not contribute content that could be considered an endorsement of Vivek Doppalapudi, DDS MS PC’s
services without authorization and without disclosing your employment relationship with Vivek
Doppalapudi, DDS MS PC or using the following disclaimer: “The content I have contributed to this site is
my own and does not necessarily represent the views or opinions of Vivek Doppalapudi, DDS MS PC. I am
not a Vivek Doppalapudi, DDS MS PC spokesperson.”
Comply with all applicable intellectual property, trademark, copyright, and fair use laws.
Do not post photographs or other images of Vivek Doppalapudi, DDS MS PC’s employees, patients,
affiliates, vendors, or business partners without their prior express written consent. Do not reference,
mention, or cite to Vivek Doppalapudi, DDS MS PC’s employees, patients, subsidiaries, or third parties
such as vendors, affiliates, or business partners without their prior express written consent.
Do not use Vivek Doppalapudi, DDS MS PC’s images, logos, trademarks, or service marks.
Do not post content related to Vivek Doppalapudi, DDS MS PC’s legal matters, internal investigations,
litigation (whether threatened, pending or concluded), or any parties with whom Vivek Doppalapudi, DDS
MS PC may be or have been in litigation.
Do not post content that is confidential or proprietary to the practice’s competitors or referral sources.
Consider whether connecting to other Vivek Doppalapudi, DDS MS PC employees, business partners,
vendors, or competitors via Social Media is appropriate for your level, position, and responsibilities. To the
extent that you do connect to other Vivek Doppalapudi, DDS MS PC employees, business partners,
vendors, or competitors via Social Media, consider using available privacy filters or settings to block any
inappropriate, unprofessional, or overly personal information about you from access by such people.
Do not use your Vivek Doppalapudi, DDS MS PC email address to register for Social Media. You may
reference your employment with Vivek Doppalapudi, DDS MS PC and contact information on professional
networking sites, such as LinkedIn.
Requests for employment references or recommendations through Social Media sites, such as LinkedIn,
concerning present or former Vivek Doppalapudi, DDS MS PC employees, should be referred to Vivek
Doppalapudi, DDS MS PC’s Human Resources Department.
Personal use of Social Media is not permitted during work hours or on Vivek Doppalapudi, DDS MS PC’s
equipment.
Nothing in this Social Media policy is intended to prohibit employees from communicating in good faith
about wages, hours, or other terms and conditions of their or their co-workers’ employment at Vivek
Doppalapudi, DDS MS PC.
Violations
Failure to comply with these policies and guidelines may result in discipline, up to and including termination of
employment. Further, an employee who contributes content to Social Media concerning patients or patient
situations encountered at Vivek Doppalapudi, DDS MS PC may also violate HIPAA and be personally subject to
civil and criminal penalties. Employees must become familiar with Vivek Doppalapudi, DDS MS PC’s HIPAA
policies. Any employee with questions about this Social Media policy, Vivek Doppalapudi, DDS MS PC’s HIPAA
policies, or the application of HIPAA to the use of Social Media should contact the Privacy Officer.
EMPLOYEE TRAINING
REFERENCE: 45 CFR § 164.530(B)
POLICY:
Vivek Doppalapudi, DDS MS PC must train all members of its workforce on Vivek Doppalapudi, DDS MS PC’s
HIPAA/HITECH policies and procedures with respect to PHI/ePHI, as necessary and appropriate for the
members of the workforce to carry out their function within Vivek Doppalapudi, DDS MS PC.
PROCEDURE:
Vivek Doppalapudi, DDS MS PC will provide training that meets the following requirements:
To each new member of the workforce within a reasonable period of time after the person joins Vivek
Doppalapudi, DDS MS PC’s workforce.
To each member of Vivek Doppalapudi, DDS MS PC’s workforce whose functions are affected by a
material change in the policies or procedures, within a reasonable period of time after the material change
becomes effective.
The practice’s workforce includes employees, students, trainees and volunteers. It also includes all staff
who work for the practice and are under the practice’s direct control, whether or not the practice pays
them.
Vivek Doppalapudi, DDS MS PC’s practice manager will be responsible for ensuring that training occurs.
Vivek Doppalapudi, DDS MS PC’s training will include:
HIPAA/HITECH awareness training.
Periodic security reminders to staff and business associates on the need to ensure security and
confidentiality of PHI/ePHI, and on any new changes to Vivek Doppalapudi, DDS MS PC’s policies and
procedures.
All staff will be required to review Vivek Doppalapudi, DDS MS PC’s HIPAA/HITECH privacy/security
policies and procedures. An employee who does not fulfill this obligation may be subject to disciplinary
action.
All staff members are required to sign the Confidentiality and Non-Disclosure Form found in the Access to
Patient Health Information chapter of this manual to attest that they understand their obligations regarding
Vivek Doppalapudi, DDS MS PC’s HIPAA/HITECH privacy and security practices and the penalties for
violating these policies.
Vivek Doppalapudi, DDS MS PC will document that the training has been provided. These training records,
together with the confidentiality statement that each employee signs, are kept in the employee’s permanent
employment record.
Please refer to the “Forms” section to find the
“HIPAA and HITECH and Breach Notification
Training Acknowledgement Form”.
HIPAA COMPLAINTS, VIOLATIONS AND SANCTIONS
REFERENCE: 45 CFR § 164.530(D), (E) AND (H)
SCOPE OF POLICY
This policy applies to all Vivek Doppalapudi, DDS MS PC’s employees, volunteers, vendors, and
subcontractors.
PURPOSE
Vivek Doppalapudi, DDS MS PC must establish policies and procedures that all Vivek Doppalapudi, DDS MS
PC personnel are expected to follow when individuals make complaints regarding privacy issues. Vivek
Doppalapudi, DDS MS PC must also have a procedure to address violations of the privacy regulations
promulgated by the Health Insurance Portability and Accountability Act (“HIPAA”), the Health Information
Technology for Economic and Clinical Health Act (“HITECH”) and implementing regulations.
This policy addresses complaints and sanctions relating to HIPAA violations. It applies to every employee and
user of Vivek Doppalapudi, DDS MS PC’s computer system.
COMPLAINTS REGARDING PRIVACY
It is the responsibility of Vivek Doppalapudi, DDS MS PC to receive all complaints (whether written or oral)
regarding Vivek Doppalapudi, DDS MS PC’s privacy policies and procedures, Vivek Doppalapudi, DDS MS
PC’s compliance with such policies and procedures, and, Vivek Doppalapudi, DDS MS PC’s compliance with
the requirements of HIPAA’s privacy regulations. The Privacy Officer shall investigate all complaints and
document the results of such investigations.
Vivek Doppalapudi, DDS MS PC’s Notice of Privacy Practices provides instructions on how to submit
complaints both to Vivek Doppalapudi, DDS MS PC and to the Secretary of the Department of Health and Human Services, the
governmental agency that oversees practices’ compliance with the HIPAA law. By law, the complaint must be
filed within 180 days of when the complainant knew or should have known that the act had occurred.
After receiving a HIPAA-related complaint, the Privacy Officer will promptly investigate the complaint and will
determine who was involved in the possible HIPAA violation, including employees, volunteers, vendors, and
sub-contractors of Vivek Doppalapudi, DDS MS PC.
All complaints received as well as the final disposition are documented in the individual’s medical record. This
documentation is kept in a written or electronic form. Vivek Doppalapudi, DDS MS PC will retain the
documentation required for six years from the date of its creation, or the date when it last was in effect,
whichever is later.
MITIGATION OF HIPAA VIOLATIONS
The Privacy Officer will take appropriate steps to mitigate, to the extent practicable, any known harmful effect
resulting from any violation of the HIPAA privacy regulations or Vivek Doppalapudi, DDS MS PC’s privacy
policies and procedures.
SANCTIONS FOR HIPAA VIOLATIONS
If the Privacy Officer determines that a violation of Vivek Doppalapudi, DDS MS PC’s privacy practices or
HIPAA has occurred, the Privacy Officer shall make written findings concerning: (i) the nature of the violation(s);
(ii) the identity of any Vivek Doppalapudi, DDS MS PC personnel involved; and (iii) recommend further action, if
any, that should be taken, including, but not limited to, sanctions to be applied against any Vivek Doppalapudi,
DDS MS PC personnel involved in such violation(s).
PROCESS FOR ISSUING SANCTIONS
Levels of Violation:
Level 1 Violation: A violation that is considered to be minor and usually accidental. This type of violation can
result from the accidental use or misuse of information, carelessness or a lack of privacy awareness education.
These types of violations are not considered a direct threat to privacy, as they usually do not include the intent
to further access, use or disclose the information or use the information to harm the patient whose PHI has been
compromised, but each case must be examined. Sanctions might include a verbal warning and mandatory re-education
for a first offense. A repeat incident from the same person requires more stringent disciplinary
action, up to and including termination.
Examples of Level 1 Violations:
User fails to log off of a session, terminal or application when left unattended. This can allow another user
to access records to which they are not entitled.
User fails to protect information in a reasonable manner that results in an inadvertent disclosure.
Level 2 Violation: This type of incident occurs when there is an intentional disregard of an established
information security policy or procedure. The user is aware of the security policies and procedures, but is
willing to circumvent them in order to achieve a personal goal.
Examples of Level 2 violations:
Accessing any information without utilizing the proper documented procedure. This can be done by
intentionally attempting to circumvent procedures such as viewing patient information without authorization
or by knowingly using a workstation logged on with another user’s credentials to access patient
information.
Accessing patient information that would not normally be accessed in the normal course of his or her job
responsibilities. This would include, but not be limited to, a user accessing birth dates, addresses of friends
or relatives, or accessing records out of curiosity.
Collecting information on any patient or sets of patients without permission outside of the scope of his or
her job responsibilities.
Releasing records or information in an inappropriate manner.
User discusses patient information in public areas without discretion. Vivek Doppalapudi, DDS MS PC
visitors or workers that would not be authorized to access this information could overhear discussions.
User accesses patient information on behalf of another user that would not normally have access under
normal circumstances.
Level 3 Violation: The intentional actions of any user who accesses, reviews, discloses, or
discusses patient information for personal gain, or with malicious intent. This type of incident is considered
to be the most serious and must be dealt with accordingly. It could cause personal damage to some party,
and fines and/or civil action to the organization as well as to the violator.
Examples of Level 3 violations:
Intentionally releasing personal, corporate, or medical information for personal gain or profit.
Collecting information such as patient lists or mailing addresses for personal gain or profit.
Intentionally destroying or altering any information with intent to harm.
Releasing information of any individual with the intent to cause harm or adverse publicity, or for personal
profit or gain.
Intentionally attempting to bypass security controls and attempting to gain unauthorized access to PHI.
RECORDS
The Privacy Officer will maintain a record for every privacy-related complaint received, the investigation
undertaken, and the disposition, if any. The Privacy Officer will also maintain records of any sanctions
imposed for a HIPAA violation, including the underlying HIPAA violation, any Vivek Doppalapudi, DDS MS
PC personnel involved, and any action taken, including sanctions. Records related to HIPAA complaints
and sanctions for privacy violations shall be maintained in a secured location and for at least six years from
the date of creation.
POLICY AGAINST RETALIATION
In accordance with Vivek Doppalapudi, DDS MS PC’s policy, Vivek Doppalapudi, DDS MS PC will not
intimidate, threaten, coerce, discriminate against, or take any retaliatory action against any individual for
the exercise by the individual of any right under, or for participation by the individual in any process,
established by this policy, including the filing of a HIPAA complaint, participating or assisting in an
investigation related to a HIPAA complaint, filing a complaint with the Secretary of the Department of
Health and Human Services concerning HIPAA compliance, or opposing any act or practice prohibited by
the HIPAA privacy regulations or Vivek Doppalapudi, DDS MS PC’s privacy-related policies or procedures.
Further, Vivek Doppalapudi, DDS MS PC will not, as a condition of the provision of treatment, require
patients to waive their rights under the privacy regulations, including, without limitation, the right to
complain to the Secretary of the Department of Health and Human Services or to the Privacy Officer
concerning possible HIPAA violations.
DE-IDENTIFICATION OF INFORMATION POLICY
REFERENCE: 45 CFR § 164.502(D)
45 CFR § 164.514
DEFINITIONS
Disclosure means the release, transfer, provision of access to, or divulging in any other manner of information
outside the entity holding the information.
Protected health information means individually identifiable health information transmitted by electronic
media; maintained or transmitted in any other form or medium including oral, written, and electronic
communications.
Individually identifiable health information is information that is a subset of health information, including
demographic information collected from an individual that identifies the individual; and is created or received by
a health care provider, health plan, employer, or health care clearinghouse; and relates to the past, present, or
future physical or mental health or condition of an individual; the provision of health care to an individual; or the
past, present, or future payment for the provision of health care to an individual.
POLICY:
Vivek Doppalapudi, DDS MS PC complies with the Health Insurance Portability and Accountability Act of 1996
and the Department of Health and Human Services rules that are designed to preserve the privacy of identifiable
patient information. Vivek Doppalapudi, DDS MS PC may use PHI to create information that is not individually
identifiable health information, or disclose PHI only to a business associate for such purpose, whether or not
the de-identified information is to be used by Vivek Doppalapudi, DDS MS PC. Health information that meets
the requirements below is not considered to be individually identifiable health information, i.e., “de-identified.”
PROCEDURE:
Health information that does not identify an individual, and for which there is no reasonable basis to believe that
the information can be used to identify an individual, is not individually identifiable health information.
Vivek Doppalapudi, DDS MS PC may determine that health information is not individually identifiable
health information only if:
1. A person with appropriate knowledge of and experience with generally accepted statistical and scientific
principles and methods for rendering information not individually identifiable, applying such principles and
methods, determines that the risk is very small that the information could be used, alone or in
combination with other reasonably available information, by an anticipated recipient to identify an
individual who is a subject of the information, and documents the methods and results of the analysis that
justify such determination; or
2. The following identifiers of the individual or of relatives, employers or household members of the
individual are removed:
Names;
All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code,
and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current
publicly available data from the Bureau of the Census: The geographic unit formed by combining all zip
codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a
zip code for all such geographic units containing 20,000 or fewer people is changed to 000;
All elements of dates (except year) for dates directly related to an individual, including birth date,
admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including
year) indicative of such age, except that such ages and elements may be aggregated into a single
category of age 90 or older;
Telephone numbers;
Fax numbers;
Electronic mail addresses;
Social Security numbers;
Medical record numbers;
Health plan beneficiary numbers;
Account numbers;
Certificate/license numbers;
Vehicle identifiers and serial numbers, including license plate numbers;
Device identifiers and serial numbers;
Web Universal Resource Locators (URLs);
Internet Protocol (IP) address numbers;
Biometric identifiers, including finger and voice prints;
Full face photographic images and any comparable images; and
Any other unique identifying number, characteristic, or code; and Vivek Doppalapudi, DDS MS PC does
not have actual knowledge that the information could be used alone or in combination with other
information to identify an individual who is a subject of the information.
Whenever possible, de-identified PHI should be used for quality assurance monitoring and utilization
reporting.
Re-Identification
Vivek Doppalapudi, DDS MS PC may assign a code or other means of record identification to allow information
de-identified to be re-identified by Vivek Doppalapudi, DDS MS PC, provided that:
The code or other means of record identification is not derived from or related to information about the
individual and is not otherwise capable of being translated so as to identify the individual.
Vivek Doppalapudi, DDS MS PC does not use or disclose the code or other means of record identification for
any other purpose, and does not disclose the mechanism for re-identification.
Documentation
When creating de-identified health information, all steps taken to create this information and the intended uses
and disclosures of such information should be documented in a written or electronic form. Vivek Doppalapudi,
DDS MS PC will retain the documentation required for six years from the date of its creation, or the date when
it last was in effect, whichever is later.
INTERPRETATION
The rule permits a practice to use PHI to create de-identified information, whether or not the de-identified
information is to be used by Vivek Doppalapudi, DDS MS PC. The rule specifies that de-identified information
created in accordance with procedures (which are found in § 164.514(a)) is not subject to the requirements of
these privacy rules unless it is re-identified. Disclosure of a key or mechanism that could be used to re-identify
such information is also defined to be disclosure of PHI.
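The Safe Harbor rules listed above (three-digit zip codes with the 20,000-person cut-off, dates reduced to the year, ages over 89 aggregated into "90 or older") and the re-identification code requirement, as an added Python example; it is not part of this policy or the practice's own software, and the record field names, the sample record and the low-population zip set are constructed for the example.

```python
# Added example: Safe Harbor de-identification plus a separately held
# re-identification code. Field names, sample data and the zip set are constructed.
import secrets
from datetime import date
from typing import Optional

# Three-digit zip prefixes whose combined population is 20,000 or fewer must be
# changed to "000". Constructed placeholder set, not the Census-derived list.
LOW_POPULATION_ZIP3 = frozenset({"036", "059", "102", "203"})

# Record keys holding identifiers that Safe Harbor removes outright
# (names, sub-state geography, contact details, numbers, biometrics, images).
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "street_address", "city", "county", "precinct", "phone", "fax",
    "email", "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric", "photo",
    "other_unique_code",
})
# Dates directly related to the individual: at most the year may survive.
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")


def safe_harbor_zip(zip_code: str) -> str:
    """Keep only the first three digits, or "000" for low-population units."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    prefix = digits[:3]
    if len(prefix) < 3 or prefix in LOW_POPULATION_ZIP3:
        return "000"
    return prefix


def age_on(birth_date: date, as_of: date) -> int:
    """Completed years between birth_date and as_of."""
    years = as_of.year - birth_date.year
    if (as_of.month, as_of.day) < (birth_date.month, birth_date.day):
        years -= 1
    return years


def safe_harbor_year(d: Optional[date], over_89: bool) -> Optional[int]:
    """Dates keep only the year, and not even that when it would reveal age > 89."""
    if d is None or over_89:
        return None
    return d.year


def deidentify(record: dict, as_of: date) -> dict:
    """Return a new record containing only Safe Harbor-permitted fields."""
    age = age_on(record["birth_date"], as_of)
    over_89 = age > 89
    out = {
        key: value
        for key, value in record.items()
        if key not in DIRECT_IDENTIFIER_FIELDS
        and key not in DATE_FIELDS
        and key != "zip"
    }
    out["zip3"] = safe_harbor_zip(record["zip"])
    # Ages over 89 are aggregated into a single "90+" category.
    out["age"] = "90+" if over_89 else age
    for key in DATE_FIELDS:
        out[key.replace("_date", "_year")] = safe_harbor_year(record.get(key), over_89)
    return out


class ReidentificationKey:
    """Re-identification codes held apart from the de-identified data set.

    Codes are random tokens, never derived from the patient's own data (a hash
    of the SSN or MRN would not qualify), and this mapping is the only way back,
    so it is never disclosed together with the data.
    """

    def __init__(self) -> None:
        self._code_to_mrn = {}

    def assign(self, mrn: str) -> str:
        code = secrets.token_hex(16)
        self._code_to_mrn[code] = mrn
        return code

    def reidentify(self, code: str) -> str:
        return self._code_to_mrn[code]


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Example", "street_address": "1 Main St", "city": "Sometown",
    "zip": "02203", "phone": "555-0100", "ssn": "000-00-0000", "mrn": "MRN-12345",
    "birth_date": date(1930, 3, 15), "admission_date": date(2012, 11, 2),
    "discharge_date": date(2012, 11, 5), "death_date": None,
    "diagnosis_code": "K02.9", "visit_type": "restorative",
}

if __name__ == "__main__":
    key = ReidentificationKey()
    code = key.assign(SAMPLE_RECORD["mrn"])  # kept separately from the data set
    print(deidentify(SAMPLE_RECORD, date(2013, 2, 22)), code)
```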
EDUCATION ON HEALTH INFORMATION PRIVACY
REFERENCE: HITECH SECTION 13403: EDUCATION ON HEALTH INFORMATION
REGIONAL OFFICE PRIVACY ADVISORS
POLICY:
Under HITECH Section 13403, “Education on Health Information Privacy,” the Department of Health and
Human Services (HHS) was mandated to designate an individual in each regional office of HHS to offer
guidance and education to covered entities, business associates and individuals, on their federal privacy and
security protected health information (PHI) rights and responsibilities.
The HHS Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually
identifiable health information, and the HIPAA Security Rule, which sets national standards for the security of
electronic protected health information.
According to a press release by the Office for Civil Rights on August 14, 2009, the HHS Secretary authorized
the Director of the Office for Civil Rights to carry out the designations required under the Act. Pursuant to that
authorization, Robinsue Frohboese, the Acting Director and Principal Deputy Director for the Office for Civil
Rights, designated the OCR Regional Managers in each of the HHS Regional Offices to serve as the Regional
Office Privacy Advisors for their respective regions. The names, addresses, and contact information for each of
the Regional Managers are listed at http://www.hhs.gov/ocr/office/about/rgn-hqaddresses.html, together with
a list of the states for which each Regional Manager has responsibility.
This list can be found on the following pages. It was current as of March 2013.
EDUCATION INITIATIVE ON USES OF HEALTH
INFORMATION
POLICY:
Not later than 12 months after the date of the enactment of HITECH (which was February 17, 2009), the Office
for Civil Rights HHS was to develop and maintain a multi-faceted national education initiative to enhance public
transparency regarding the uses of protected health information, including programs to educate individuals
about the potential uses of their protected health information, the effects of such uses, and the rights of
individuals with respect to such uses. Such programs shall be conducted in a variety of languages and present
information in a clear and understandable manner.
OFFICE FOR CIVIL RIGHTS REGIONAL OFFICE PRIVACY
ADVISORS
Current as of March 2013
HEADQUARTERS
Leon Rodriguez, Director
Office for Civil Rights
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Room 509F HHH Bldg.
Washington, D.C. 20201
REGIONAL OFFICE ADDRESSES
Region I – Boston (Connecticut, Maine, Massachusetts, New Hampshire,
Rhode Island, Vermont)
Peter Chan, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
Government Center
J.F. Kennedy Federal Building – Room 1875
Boston, MA 02203
Voice Phone (800) 368-1019
FAX (617) 565-3809
TDD (800) 537-7697
Region II – New York (New Jersey, New York, Puerto Rico, Virgin Islands)
Linda Colon, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
Jacob Javits Federal Building
26 Federal Plaza – Suite 3312
New York, NY 10278
Voice Phone (800) 368-1019
FAX (212) 264-3039
TDD (800) 537-7697
Region III – Philadelphia (Delaware, District of Columbia, Maryland,
Pennsylvania, Virginia, West Virginia)
Barbara Holland, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
150 S. Independence Mall West
Suite 372, Public Ledger Building
Philadelphia, PA 19106-9111
Main Line (800) 368-1019
FAX (215) 861-4431
TDD (800) 537-7697
Region IV – Atlanta (Alabama, Florida, Georgia, Kentucky, Mississippi,
North Carolina, South Carolina, Tennessee)
Roosevelt Freeman, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
Sam Nunn Atlanta Federal Center, Suite 16T70
61 Forsyth Street, S.W.
Atlanta, GA 30303-8909
Voice Phone (800) 368-1019
FAX (404) 562-7881
TDD (800) 537-7697
Region V – Chicago (Illinois, Indiana, Michigan, Minnesota, Ohio,
Wisconsin)
Celeste Davis, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
233 N. Michigan Ave., Suite 240
Chicago, IL 60601
Voice Phone (800) 368-1019
FAX (312) 886-1807
TDD (800) 537-7697
Region VI – Dallas (Arkansas, Louisiana, New Mexico, Oklahoma, Texas)
Jorge Lozano, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
1301 Young Street, Suite 1169
Dallas, TX 75202
Voice Phone (800) 368-1019
FAX (214) 767-0432
TDD (800) 537-7697
Region VII – Kansas City (Iowa, Kansas, Missouri, Nebraska)
Frank Campbell, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
601 East 12th Street – Room 353
Kansas City, MO 64106
Voice Phone (800) 368-1019
FAX (816) 426-3686
TDD (800) 537-7697
Region VIII – Denver (Colorado, Montana, North Dakota, South Dakota,
Utah, Wyoming)
Velveta Howell, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
999 18th Street, Suite 417
Denver, CO 80202
Voice Phone (800) 368-1019
FAX (303) 844-2025
TDD (800) 537-7697
Region IX – San Francisco (American Samoa, Arizona, California, Guam,
Hawaii, Nevada)
Michael Leoz, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
90 7th Street, Suite 4-100
San Francisco, CA 94103
Voice Phone (800) 368-1019
FAX (415) 437-8329
TDD (800) 537-7697
Region X – Seattle (Alaska, Idaho, Oregon, Washington)
Linda Yuu Connor, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
2201 Sixth Avenue – M/S: RX-11
Seattle, WA 98121-1831
Voice Phone (800) 368-1019
FAX (206) 615-2297
TDD (800) 537-7697
RESPONDING TO GOVERNMENT AUDIT/AGENTS
PURPOSE:
It is Vivek Doppalapudi, DDS MS PC’s policy to cooperate fully with legitimate law enforcement investigations.
It is also the policy of Vivek Doppalapudi, DDS MS PC to protect the privacy of patients’ records.
POLICY:
Government law enforcement agents may, at any time and with no prior warning, demand to search Vivek
Doppalapudi, DDS MS PC’s property or request access to patients’ records. In these situations, you should be
courteous and respectful, but explain that you are legally required to keep patient information confidential.
Explain that it is Vivek Doppalapudi, DDS MS PC’s policy not to allow anybody to view a patient’s records
without the patient’s authorization or a valid court order, such as a search warrant.
1. If a government law enforcement agent appears at Vivek Doppalapudi, DDS MS PC requesting access
to protected health information, immediately ask for identification. Check the agent’s authenticity by
contacting the field office to which the agent is attached (e.g., OSHA, HHS, OIG). Find this
information by calling directory assistance. Do not accept this information from the agent. Write down
each agent’s name, title, division, badge number, address and telephone number. Keep a record of this
information. Under the HIPAA rule, it is Vivek Doppalapudi, DDS MS PC’s responsibility to verify the
identity of those persons authorized to access protected health information.
2. Once you have verified the agent’s identity as valid, immediately contact Vivek Doppalapudi, DDS MS
PC. Do not let the agent enter Vivek Doppalapudi, DDS MS PC or access records without approval from
management.
3. Do not answer questions until you have spoken with management. You should always answer questions
truthfully, to the best of your knowledge, but do not provide more information than is requested by the
agent.
4. If the agent appears with a court order, such as a search warrant, ask to see the document. If agents
request information about, access to, or possession of patients’ records, or demand to search nonpublic
areas, ask to see a search warrant or other court document. If they do not have one, politely refuse to
give them any confidential information or to let them search Vivek Doppalapudi, DDS MS PC.
NOTE: A subpoena is different from a search warrant. If law enforcement officers show you a subpoena,
give it to the practice manager immediately. Agents should not be let into nonpublic areas of Vivek
Doppalapudi, DDS MS PC or given records or information if they have a subpoena rather than a search
warrant.
5. Examine the search warrant carefully, if one is presented. The search warrant should include the
following information:
The names or types of law enforcement agents allowed to conduct the search;
Vivek Doppalapudi, DDS MS PC name and address;
The date and time that the search is permitted;
What part of Vivek Doppalapudi, DDS MS PC the agents are allowed to search; and
The records, property, or persons they may search for.
Make a copy of the search warrant for Vivek Doppalapudi, DDS MS PC’s records.
6. Ask agents to delay searches. Ask the agents if they would agree to delay the search until Vivek
Doppalapudi, DDS MS PC’s attorneys arrive, or to arrange for a more convenient time to conduct it. If
the agent has a court order, they may not be required to wait.
7. Always accompany the agent or surveyor during the search. If the agents won’t agree to a delay, at least
one staff member should go with them while they search. Make sure they search only the areas and take
only the items authorized by the warrant.
8. Record and copy seized property. If the agents take property or records with them during a search:
Write down a detailed list of items they seize;
Request a copy of the inventory the agents make of seized property;
Ask to make copies of important documents; and
Ask to copy files contained on computers or hard drives onto a disk.
9. You are not legally required to answer agents’ questions during a search. You may want to show the
agents where documents described in a search warrant are located, if you think that will speed up the
search. Keep careful notes. Write down all questions asked and the answers you provided. Keep this
information as part of your permanent records of the visit.
10. Don’t destroy documents. Once agents arrive with a search warrant or other court order, do not throw
away or destroy records or other documents.
TRANSCRIPTION OF HEALTH INFORMATION
POLICY:
Vivek Doppalapudi, DDS MS PC complies with the Health Insurance Portability and Accountability Act of 1996
and the Department of Health and Human Services rule that is designed to preserve the privacy of identifiable
patient information, as well as to meet its duty to protect the confidentiality and integrity of protected health
information (PHI), as required under state and federal law, the canon of professional ethics, and applicable
accreditation requirements.
All staff and contractors who participate in the processes of dictation, transcription, maintenance, storage, and
retrieval of Vivek Doppalapudi, DDS MS PC’s transcribed data must be familiar with this Policy and their
responsibilities for protecting PHI from unauthorized use and disclosure.
Under HITECH, business associates are required to comply with many aspects of the HIPAA Privacy and
Security Rules, just as a covered entity must comply.
Transcribed information contains confidential PHI, the use and disclosure of which outside Vivek Doppalapudi,
DDS MS PC’s treatment, payment, and operations requires an individual’s authorization. Transcriptions must
be accurate to provide the highest quality of patient care. Inaccurate transcriptions may put patients at risk of
harm.
1. No Right to Privacy: Vivek Doppalapudi, DDS MS PC encourages transcription of medical records to
enhance productivity and improve the quality of care through legible and comprehensive medical records
documentation. The transcription system and all transcribed data are part of the business equipment
owned by Vivek Doppalapudi, DDS MS PC, and are not the Users’ property. As a result, Users have no
right to privacy in their use of the transcription system or its data.
2. Right to Monitor, Audit, Read: Vivek Doppalapudi, DDS MS PC reserves the right to monitor, audit, and
read transcribed documents. Vivek Doppalapudi, DDS MS PC’s manager may override user passwords.
Vivek Doppalapudi, DDS MS PC may monitor the content and usage of the transcription system to
support operational, maintenance, auditing, security, and investigative activities.
3. Training and Authorization Required: Users are permitted to use the transcription system only after
having completed appropriate training, and after having received proper authorization in accordance with
Vivek Doppalapudi, DDS MS PC’s Security Policy. The Privacy Officer is responsible for such training
and authorization.
4. User’s Acknowledgment Required: A User is authorized to use the transcription system only after
signing an acknowledgment stating that the User acknowledges and understands the User’s obligation to
protect security and maintain confidentiality when using the transcription system, that the User will fulfill
his or her obligations, and that the User will face disciplinary action if he or she does not, in accordance
with Vivek Doppalapudi, DDS MS PC’s Sanction Policy. The Privacy Officer is responsible for obtaining
and keeping such written acknowledgment from each User.
5. Access: Access to health information, records, tapes, dictation, or a combination thereof is limited to
authorized users on a need-to-know basis in accordance with the HIPAA rule and applicable law.
6. Dictation and Dictation Playback: Dictation and dictation playback must be done in a secure
environment that protects the information from being overheard by unauthorized persons. Health
information may not be dictated into cellular phones or into public telephones where others can overhear
the dictation, or into equipment with an activated auto answer, such as an answering machine.
7. Shipping of Dictation: Dictation on audiocassette tapes, CDs, or other voice files may be shipped only
in accordance with carriers authorized by the Privacy Officer.
8. Log-off Required: Users must log off computers and dictation equipment when not transcribing, unless
using a pause feature that removes the document from screen view and access until the transcriptionist
reactivates it.
9. Electronic Transmission of Transcribed Data: No User may electronically transmit transcribed data
except as authorized by the Privacy Officer, consistent with relevant system security policies and chain of
trust partner agreements.
10. Storage and Deletion of Dictation on Voice File: Users may store dictation on an audio cassette tape,
CD, or any other voice file only for the length of time necessary to transcribe and review documentation
and in a manner that protects against unauthorized access. Once the dictation has been transcribed, and
that transcribed data received by Vivek Doppalapudi, DDS MS PC, the dictation on the voice file must be
deleted from a digital system, or erased from an analog system, in a manner approved by the Privacy
Officer to protect the confidentiality of the data. Transcribed tapes may not be reused until they are first
erased.
11. Authentication of Report: After a User completes transcription of a report, he or she must authenticate
it by an identifier assigned by the Privacy Officer. This authentication does not, however, constitute the
formal authentication of the report required by law and professional standards.
12. Release of Patient Data: No User may release any patient data, except to the individual who dictated
the data, Vivek Doppalapudi, DDS MS PC, or persons authorized in writing by the Privacy Officer.
ENFORCEMENT:
The Privacy Officer is responsible for enforcing this Policy. Employees who violate this policy are subject
to discipline, up to and including termination from employment, in accordance with Vivek Doppalapudi,
DDS MS PC’s Sanctions policy. Under HITECH Section 13409, any individual person associated with the
practice who wrongfully obtains, uses, or discloses individually identifiable health information may be
subject to criminal penalties. These penalties can include fines, imprisonment, or both.
HIPAA/HITECH BREACH NOTIFICATION POLICY AND PROCEDURE
BREACH NOTIFICATION OF UNSECURED
PROTECTED HEALTH INFORMATION
REFERENCE: HITECH Section 13402 and Omnibus Breach Notification Modification Rule
POLICY
Vivek Doppalapudi, DDS MS PC and its contractors and vendors will strive to prevent breaches of Unsecured
Protected Health Information (“PHI”) and personal information (“PI”), electronic or otherwise, and maintain
privacy and security measures to protect the confidentiality of PHI and PI. This policy describes the process by
which Vivek Doppalapudi, DDS MS PC will notify individuals regarding a confirmed breach of security when
Unsecured PHI has been acquired, accessed, used or disclosed by an unauthorized person.
Background and Purpose:
The purpose of the Rule is to provide notification in the case of breaches of unsecured protected health
information. The Rule applies to covered entities and business associates that access, maintain, retain, modify,
record, store, destroy, or otherwise hold, use, or disclose unsecured protected health information.
Pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”) and the regulations promulgated
thereunder, Vivek Doppalapudi, DDS MS PC will notify individuals when Unsecured PHI has been acquired,
accessed, used or disclosed by an unauthorized person, unless the confirmed breach of the security of the system
falls within a statutory exception or a risk assessment shows a low probability that the PHI has been compromised.
Definitions
Breach: the acquisition, access, use or disclosure of PHI in a manner not permitted by HIPAA which
compromises the security or privacy of the protected health information.
Unsecured PHI: PHI that is not secured through the use of a technology or methodology specified by the
Secretary in guidance. The technology or methodology must render PHI unusable, unreadable or indecipherable.
In the guidance, these methods are:
encryption or an encryption algorithm
destruction
Access controls, firewalls and redaction are insufficient.
Encryption: “the use of an algorithmic process to transform data into a form in which there is a low
probability of assigning meaning without use of a confidential process or key and such confidential process
or key that might enable decryption has not been breached.” Decryption tools should be stored in a
separate location from data.
Valid encryption processes for data in motion are those that comply with NIST Special Publications 800-52,
800-77, 800-113 or others which are Federal Information Processing Standards (FIPS) 140-2 validated.
Destruction: Paper, film or other hard copy media has been shredded or destroyed so it cannot be read or
reconstructed.
Electronic media has been cleared, purged, or destroyed consistent with NIST Special Publication 800-88
so that PHI cannot be retrieved.
RESPONSIBILITY
Vivek Doppalapudi, DDS MS PC is responsible for the Breach process, although it is shared with the
Security Officer and other members of a Breach Response Team, as necessary.
Requirements
The Act requires the following:
Covered entities (CEs) and business associates (BAs) must determine if a breach is notifiable by
performing a risk assessment and determining if exceptions to the Rule apply. (Model Documents titled
“Breach Determination Worksheet” and “Breach Risk Assessment Worksheet” are available for
this purpose on the following pages.)
Notification must be provided to affected individuals and to the Secretary of Health and Human Services,
either immediately or by annual summary reports, following the discovery of a notifiable breach of
unsecured protected health information. In some cases, the Act requires covered entities to provide
notification of these breaches to the media.
Specific methods may be used by CEs and BAs to encrypt and destroy patient records to prevent
breaches.
Notifications must be made using specific methods.
The contents of the notifications must contain certain information.
The Department of Health and Human Services (HHS) Secretary must post on an HHS website a list of
covered entities that experience breaches of unsecured protected health information involving more than
500 individuals.
Covered entities and business associates are required to create and maintain specific documentation.
Covered entities and business associates must comply with certain administrative requirements.
PROCEDURE:
General Procedures
Once Vivek Doppalapudi, DDS MS PC has discovered a breach of unsecured PHI, it will perform a risk
assessment to determine whether the affected individuals must be notified. If so, it will (or its Business
Associate will, depending on contract provisions) notify each individual whose unsecured PHI has been, or is
reasonably believed by the practice or its BA to have been, accessed, acquired, used or disclosed as a result of
the breach. Notifications are made as soon as possible and without unreasonable delay, but no more than 60
days from the time a breach is found or becomes known (or the date the practice’s workforce member or agent,
such as a BA, SHOULD have known about the breach using reasonable diligence, business care and prudence).
The 60-day period runs from discovery; it does not start only after the risk assessment has been completed.
Notifications must be sent even if all the information is not yet known or collected. For example, it is not
acceptable to wait 60 days hoping a stolen laptop will be recovered.
Waiting longer than 60 days to notify individuals of breaches of their unsecured protected health information
could substantially increase the risk of harm to individuals as a result of the breach, and decrease the ability of
the individuals to effectively protect themselves from this harm. Therefore, the Breach Rule specifically states
that notification must occur within 60 days.
The practice and BAs must have systems in place for breach discovery. Both the practice and the BA can be
held liable if breaches occur and either party is unaware of them because reasonable diligence has not been
used. HHS stresses the need for training workforce members of both entities, especially regarding the 60-day
notification part of the Rule and timely reporting.
Law Enforcement Requests for Delays
If a law enforcement official states that a breach notification would impede a criminal investigation, or cause
damage to national security, the practice or its BA must:
1. Delay notification (by mail, posting or notice) for the time period requested in writing from law
enforcement.
2. If the statement is oral, document the statement, include the ID of the law enforcement official, and delay
the notification/notice/posting temporarily—no longer than 30 days from date of the oral statement,
unless a written statement is submitted during those 30 days.
BREACH NOTIFICATION CRITERIA
Generally, if a possible breach occurs, the practice will determine whether the following breach
notification criteria have been met before notifications are performed. This process will be done as soon
as reasonably possible, so that any required notifications are made in a timely fashion. The Breach Rule
specifically states that notifications must be made within 60 days.
Unsecured PHI
In order for notifications to be required, a breach must be of unsecured PHI. This is PHI in any form or
medium (electronic, paper or oral) that is not secured through the use of a technology or methodology
specified by the HHS Secretary in the guidance issued under Section 13402(h)(2) of Public Law 111-5
(the HITECH Act), which makes PHI unusable, unreadable, or indecipherable to unauthorized
individuals. These methods are published on the HHS website: www.hhs.gov/ocr/privacy, as will future
updates to this guidance.
The technologies or methodologies specified in HHS guidance within the Breach Notification Interim
Final Rule are encryption and destruction. HHS guidance gives specific information on encryption
processes that have been tested and meet HHS approval. The guidance states:
Protected Health Information is rendered unusable, unreadable, or indecipherable to unauthorized
individuals if one or more of the following applies:
1. Electronic PHI has been encrypted as specified in the HIPAA Security Rule by the use of an algorithmic
process to transform data into a form in which there is a low probability of assigning meaning without use
of a confidential process or key, and such confidential process or key that might enable decryption has
not been breached. To avoid a breach of the confidential process or key, these decryption tools should
be stored on a device or at a location separate from the data they are used to encrypt or decrypt.
The encryption processes must be approved by HHS.
2. The media on which the PHI is stored or recorded have been destroyed in one of the following ways:
Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read
or otherwise cannot be reconstructed. Redaction (edit, modify, or revise by removing confidential or
personal information) is specifically excluded as a means of data destruction.
Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88,
Guidelines for Media Sanitization, such that the PHI cannot be retrieved.
Breach Notifications Security Methods vs. the Security Rule
The Security Rule states that encryption and destruction are “addressable” security methods, which the
practice may use to safeguard electronic PHI. The Breach Rule is not contrary to this. The Breach Rule simply
states that if encryption processes and destruction security methods are not executed according to the HHS
guidance, and the breach does not fall under one of the exceptions, then notification must be performed. Stated
another way, notification is only required in breaches of “unsecured PHI,” (NOT for secure PHI where breaches
are made unusable, unreadable, or indecipherable by using the HHS guidance recommendations of encryption
and destruction.)
Access Controls and Firewalls
Guidance within the Breach Rule discusses the use of access controls. Although these controls may render
protected health information unusable, unreadable, or indecipherable to unauthorized individuals, they do not
meet the statutory standard of the Breach Rule because if the controls are compromised, the underlying
information could still be usable, readable, or decipherable.
Identifiers
A use or disclosure of PHI that does not include the identifiers listed below from the HIPAA Privacy Rule
Section 164.514(e)(2) under “Limited Data Sets,” DOB, and zip code, does not compromise the security or
privacy of PHI, so is not a breach. If a breach does not include any of these identifiers, together with PHI, then
no breach has occurred.
PHI Identifiers
Names;
Postal address information, other than town or city, state, and zip code;
Telephone numbers;
Fax numbers;
Electronic mail addresses;
Social Security numbers;
Medical record numbers;
Health plan beneficiary numbers;
Account numbers;
Certificate/license numbers;
Vehicle identifiers and serial numbers, including license plate numbers;
Device identifiers and serial numbers;
Web Universal Resource Locators (URLs);
Internet Protocol (IP) address numbers;
Biometric identifiers, including finger and voice prints;
Full face photographic images and any comparable images.
Limited Data Sets, Dates of Birth, and Zip Codes
A limited data set, often used in research or public health, is protected health information that does not have
the 16 direct identifiers listed above of the individual, or of relatives, employers, or household members of the
individual. Limited data sets often contain dates of birth and/or zip codes.
Data sets are considered PHI, and are covered by the Privacy Rule. For purposes of the Breach Notification
Rule, if elements of dates such as DOB and zip codes are allowed to remain, data could be re-identified. If
impermissible use or disclosure occurs with limited data sets that include DOB or zip code, the practice or BA
needs to do a “risk assessment” and question the probability of harm if the data is re-identified. If the probability
is low, there is no significant risk, and the breach does not require notification. Use and disclosures using data
sets are permissible under the Privacy Rule if other requirements are met (i.e., data use agreements). A
covered entity may use or disclose a limited data set only for the purposes of research, public health, or health
care operations.
Exceptions
The Breach Rule specifies certain exceptions to breach notification. For the practice and its BAs, a breach is
not notifiable if one of the following applies:
Un-retainable: Unauthorized disclosures where the practice or its BA has a good faith belief that the recipient
of the information would not be able to retain the information, and it doesn’t result in further use or
disclosures. For example:
A covered entity with insufficient safeguards sends several EOBs by mail to the wrong individuals, and some
are returned by the post office unopened. Notifications do not need to be made for unopened ones, but there
could be a potentially notifiable breach for those opened or not returned, and
A nurse hands a patient a medical report, but quickly realizes that it was someone else’s report and
requests the return of the incorrect report. In this case, if the nurse can reasonably conclude that the
patient could not have read or otherwise retained the information, then providing the patient report to the
wrong patient does not constitute a breach.
Unintentional: A good faith acquisition, access, or use of information by a workforce member (employee,
volunteer, trainee—those under direct control of the CE), or persons acting under the authority of a CE or
BA, which doesn’t result in further use or disclosures EXCEPT in a manner allowed under the Privacy
Rule, e.g., if an e-mail is sent to the wrong party at a covered entity, is re-directed, and then deleted.
Inadvertent: Disclosures among persons similarly authorized to access PHI at the same facility (same
CE or BA—which can include different locations of the same CE or BA), and the original disclosure doesn’t
result in further use or disclosures without authorization. For example, disclosures between a physician at
a hospital and another hospital employee, who may both access PHI under the Privacy Rule—such as if a
nurse calls a doctor who provides medical information on a patient in response to the inquiry, and it turns
out the information was for the wrong patient.
Risk Assessment
Before deciding whether a breach is notifiable, the practice or its BA must perform a risk assessment to
determine whether there is a low probability that the PHI was compromised. Determine that probability
based on a risk assessment of at least the following factors:
the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
the unauthorized person who used the PHI or to whom the disclosure was made;
whether the PHI was actually acquired or viewed; and
the extent to which the risk to the PHI has been mitigated.
Vivek Doppalapudi, DDS MS PC and its BAs must document their risk assessments, showing that there is a low probability of harm to the individual. When a covered entity or business associate knows of an impermissible use or disclosure of protected health information, it should maintain documentation that all required notifications were made, or, alternatively, of its risk assessment or the application of any exceptions to the definition of “breach” to demonstrate that notification was not required.
BREACH NOTIFICATIONS:
Once Vivek Doppalapudi, DDS MS PC has discovered a notifiable breach of unsecured PHI, it will notify each individual whose unsecured PHI has been, or is believed to have been, accessed, acquired, used or disclosed as a result of the breach. This notification will be done as soon as reasonably possible, and no later than 60 days from the time the breach was discovered. The practice must provide notification of the breach to affected individuals and the Secretary of HHS, and possibly to the media under some circumstances. All notices are sent in a manner that is reasonably calculated to reach the individual.
Business associates must notify the practice that a breach has occurred as soon as possible after they have become aware of it. The practice will attempt to document a reporting timeframe for BAs within the business associate agreements.
Content Requirements of Breach Notifications
The notice must include the following information:
1. A brief description of what happened, including the date of the breach and the date of discovery, if known;
2. A description of the types of unsecured PHI involved in the breach (e.g., Social Security number, full name, DOB, home address, diagnosis, disability code etc.). The actual information breached should not be used, only a description. Do not include sensitive information on the notification.
3. The steps affected individuals should take to protect themselves from harm from the breach (contact credit card companies, credit monitoring services, file a police report, etc.);
4. A brief description of what the practice is doing to investigate the breach (filing a police report, if needed), mitigate harm (of all types, not just financial), and protect against further breaches (improve security, employee sanctions, etc.);
5. How to contact the practice for questions or information—the notice must include the practice’s toll-free number, e-mail address, website or postal address.
The notice must be written in plain language, and may need to be translated into frequently
encountered languages. Also, the Breach Rule states:
“Similarly, to the extent that a covered entity is obligated to comply with Section 504 of the Rehabilitation
Act of 1973 or the Americans with Disabilities Act of 1990, the covered entity has an obligation to take
steps that may be necessary to ensure effective communication with individuals with disabilities, which
could include making the notice available in alternate formats, such as Braille, large print, or audio.”
Notice to Individuals
Written Notice
A written notice is sent to the affected individual by first-class mail, at their last known address, or next of kin if
necessary. An e-mail notice may be sent if the individual has authorized the use of e-mail. If e-mail is used, the
practice will monitor undeliverable e-mail, and if the e-mail is returned to the practice as undeliverable, the
practice will then issue a written notice. If the individual is a minor or lacks legal capacity, the written notice will
be sent to the parent or personal representative.
If the affected individual is deceased (if known), then a written notice is sent by first-class mail to the last known
address of the next-of-kin or personal representative (if known), with authority to act. It is not necessary to try to
obtain contact information for the next-of-kin or personal representative, only to send a written notice if the
practice already has the contact information.
It may be necessary to send more than one mailing as information becomes available.
Urgent Information: If the practice determines that the information contained in the written notice is of an urgent
nature because of possible imminent misuse of unsecured PHI, a phone call or other means of immediate
notification will be used. The phone call or other method is not a substitute for the written notice, which must
still be sent. Care must be taken when leaving information on an answering machine.
Substitute Notice: The substitute notice is an alternative form of written notice, allowed by the Rule when there
is insufficient or out-of-date contact information for the affected person, or mail is returned. The substitute
notice must contain all the same elements as the written notice to the individual. If the individual is deceased,
the practice is not required to send a substitute notice to the next of kin or personal representative if the
practice doesn’t have the contact information, or has out-of-date information.
The methods used for the substitute notice will vary, depending on the number of affected individuals.
For fewer than 10 people:
An alternate form of written notice can be used—such as a phone call or e-mail (even if there is no
authorization for e-mail). If the practice does not have contact information available, a notice may be placed on
the company website. Sensitive information must not be included.
For more than 10 people:
1. A website posting on the practice’s homepage (or prominent hyperlink) for 90 days, if a practice website
is available, or
2. A conspicuous notice in major print or broadcast media in the geographic areas where the affected
individuals likely reside.
Both methods must include a toll-free number, active for at least 90 days, where the individual can
receive information on whether their unsecured PHI was part of the breach. The practice may also
attempt to update the contact information.
Annual Summary Reports
For fewer than 500 individuals (in any geographic area), immediate HHS notification is not necessary, but
Vivek Doppalapudi, DDS MS PC must record a log or other documentation of all notifiable breaches, and
send an annual summary report to HHS not later than 60 days after the end of the calendar year. A
separate form is required for every breach that has occurred during a calendar year. (A Model
Document titled “Breach of Unsecured Protected Health Information” is available for this purpose
on the following pages.) This report must be submitted electronically to the Secretary. The annual
report form and instructions are available on the HHS website at:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html
The practice log must be retained for six years.
Breaches Involving More Than 500 Individuals
In addition to the above, for notifiable breaches involving more than 500 individuals the practice must do the following:
Media notification: For more than 500 residents of a state or jurisdiction (defined as a geographic area smaller
than a state—such as county, city or town), whose unsecured PHI has been, or is believed by the practice to have
been, accessed, acquired, or disclosed as a result of the breach, a media notification is required. Individuals
must be notified by written notice AND also by a notice (possibly a press release) to prominent media outlets
serving the state or jurisdiction. The notifications will be made without unreasonable delay, no later than 60
days after discovery (unless the law enforcement exception applies). The media notification must include the
same information as the written notice.
HHS Notification: For more than 500 individuals (in any geographic area), the practice must notify the Secretary
of HHS at the same time as the individual, and no later than 60 days after the notifiable breach is found (unless the
law enforcement exception applies). As the Rule specifies, notice must be submitted electronically by following
the link below and completing all information required on the breach notification form:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html
Section 13402(e)(4) of the HITECH Act requires HHS to post on its website a list of covered entities that submit reports of
notifiable breaches involving more than 500 individuals.
In cases where a BA has had a breach of more than 500 people, but the practice did not have more than 500
affected persons, the above media notification does not apply. Also, the practice does not need to notify HHS,
but must log the breach and include the information in the annual notice to HHS.
NOTIFICATION TO THE PRACTICE BY A BUSINESS ASSOCIATE
According to Sect. 13402(b) of the HITECH Act, a business associate of Vivek Doppalapudi, DDS MS PC that
accesses, maintains, retains, modifies, records, destroys, or otherwise holds, uses, or discloses unsecured PHI
is required to notify the practice when it discovers a breach of such information.
The breach is treated as discovered by the BA as of the first day a breach is known to the BA, or should have
been known by exercising reasonable diligence, by any person (other than the one committing the breach) who
is an employee, officer, or other agent of the BA.
Occasionally, a breach originating from a BA concerns affected individuals from different covered entities. The
BA is only required to notify Vivek Doppalapudi, DDS MS PC regarding the practice’s affected individuals, as
long as the BA is certain which individuals are associated with Vivek Doppalapudi, DDS MS PC; if the BA is
uncertain, it may be necessary for the BA to notify all potentially affected covered entities.
BA AGREEMENTS REGARDING BREACHES
Agreements between BAs and Vivek Doppalapudi, DDS MS PC may address which party will provide notice to
affected individuals, and the timeframe when the BA should notify the practice following a breach, as long as all
required notifications are provided and the other requirements of the Rule are met. The Breach Rule specifies that
the business associate contract can be used to determine the method a BA will use when notifying the CE
(such as whom to notify within the practice). According to the Rule, the parties should consider “which entity is
in the best position to provide notice to the individual, which may depend on circumstances, such as the
functions the BA performs for the CE.” The practice and BA should also make sure both parties don’t notify
individuals about the same breach.
Documentation
Vivek Doppalapudi, DDS MS PC must make all documentation available to HHS upon request. All
documentation requirements that apply to the practice under the HIPAA Privacy Rule Section 164.530,
Administrative Requirements also apply to the Breach Rule. This includes:
Personnel designations;
Training for each member of the practice’s current workforce, and new members of the workforce within a
reasonable period of time;
Complaints: the practice must document all complaints received, and their disposition;
Sanctions against members of its workforce who fail to comply with the privacy policies and procedures of
the practice;
Changes to the Privacy Notice;
Changes to policies and procedures;
Documentation sufficient to meet its burden of proof under 164.414(b) Breach Notifications.
All information gathered for the risk assessment during the investigative process must be documented.
Vivek Doppalapudi, DDS MS PC and its BAs have the “burden of proof,” and must demonstrate and
document that breach notification(s) were not required following an impermissible use or disclosure of PHI,
or that notification(s) were necessary, including why they were necessary. The practice must also
document that notifications were made as required by the Rule.
Administrative Requirements
The practice complies with the administrative requirements of the following parts of Section 164.530 of the
Privacy Rule, with respect to breach notification:
1. Training: Vivek Doppalapudi, DDS MS PC trains all members of its workforce on policies and
procedures with respect to PHI, including complaints to the practice, as necessary and appropriate for
the members of the workforce to carry out their functions within the covered entity. Each new member of
the workforce receives training within a reasonable period of time after the person joins the workforce.
Each member of the practice’s workforce whose functions are affected by a material change in the
policies or procedures is trained within a reasonable period of time after the material change becomes
effective. Training is documented.
2. Complaints to the Covered Entity: Vivek Doppalapudi, DDS MS PC provides a process for individuals
to make complaints concerning the HIPAA/HITECH policies and procedures, or compliance with such
policies and procedures.
3. Sanctions: The practice has, and applies, appropriate sanctions against members of its workforce who
fail to comply with our HIPAA/HITECH policies and procedures.
4. Refraining From Intimidating or Retaliatory Acts: The practice does not intimidate, threaten, coerce,
harass, discriminate against, or take other retaliatory action against any individual for:
Filing a complaint under Sect 160.306;
Testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing under
Sect 160.316; or
Opposing any act or practice made unlawful by the subchapter of Section 160.316, provided the individual
or person has a good faith belief that the practice opposed is unlawful, and the manner of opposition is
reasonable and does not involve a disclosure of protected health information in violation of subpart E of
part 164.
5. Waiver of Rights: Vivek Doppalapudi, DDS MS PC may not require individuals to waive their rights regarding filing complaints (contained in Sect. 160.306) as a condition of the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits.
6. Policies and Procedures: Vivek Doppalapudi, DDS MS PC implements policies and procedures with respect to PHI that are designed to comply with the standards, implementation specifications, or other requirements of the Administrative Requirements.
7. Documentation: According to the Rule, the practice does the following:
Maintains the policies and procedures of the Administrative Requirements in written or electronic form;
If a communication is required by the Administrative Requirements to be in writing, maintains such writing, or an electronic copy, as documentation;
If an action, activity, or designation is required by the Administrative Requirements to be documented, maintains a written or electronic record of such action, activity, or designation;
Maintains documentation sufficient to meet its burden of proof by demonstrating that all notifications were made as required by the Breach Rule, or that the use or disclosure did not constitute a breach.
STATE LAWS/PREEMPTION:
In cases where state law regarding breaches is “contrary” to HIPAA, the federal law preempts state law,
and the practice follows the federal HIPAA Rules. “Contrary” is defined as circumstances where “a CE
could find it impossible to comply with both the state and federal requirements” or if the state law “stands
as an obstacle to the accomplishment and execution of the full purposes and objectives” of the breach
notification provisions.
If state law is not contrary in a particular area, but is just more stringent, state law must be followed. The
practice will comply with both at the same time. For example, if the state Written Notice requires more
information than the federal Rules, the state law is followed. (Since it is possible to comply with both at the
same time, there is no conflict.)
PROCEDURE:
1. If it is confirmed that a breach of security or confidentiality has occurred and has resulted in the
unauthorized disclosure of PHI, the following risk assessment steps will be taken:
2. Determine whether or not the information breached was Unsecured. Unsecured PHI includes information
not secured through encryption or destruction, and is not rendered unusable, unreadable, or
indecipherable to unauthorized persons through the use of a technology or methodology specified by the
Secretary of HHS in guidance issued under Section 13402(h)(c) of Public Law 111-5.
3. Determine the reasonable likelihood that such information was accessed by an unauthorized person.
4. Determine the probability that the PHI has been compromised based on a risk assessment of at least the
following factors: (i) the nature and extent of the PHI involved, including the types of identifiers and the
likelihood of re-identification; (ii) the unauthorized person who used the PHI or to whom the disclosure
was made; (iii) whether the PHI was actually acquired or viewed; and (iv) the extent to which the risk to
the PHI has been mitigated.
5. The risk assessment will be documented thoroughly, including the actions taken, the conclusions of the assessment and the basis for the determination that there was or was not a low probability that the PHI was compromised. (This is a change in the rule: the prior rule only required notification in cases where there was a “significant risk of harm.” The harm threshold has been removed, and many more breaches will be notifiable.)
6. If it is determined that the information breached was secured and there is no reasonable likelihood that
the secured information was rendered usable, readable or viewable by an unauthorized person, no
further action is necessary, but the determination and conclusion will be documented.
7. If it is determined that the information breached was Unsecured, but the circumstance of the breach falls
within one of the exceptions to HIPAA (45 C.F.R. § 164.42), so notification is not required, such
determination will be documented.
8. If it is determined that the breach of the security of the system demonstrates that there is more than a
low probability that the PHI was compromised, Vivek Doppalapudi, DDS MS PC will as soon as
possible, but no later than 60 days after the discovery of the breach, notify the individual(s) whose
information was disclosed as a result of the breach, and the determination and conclusion will be
documented.
9. If it is determined that the information breached was Unsecured and notification is required, an analysis
of the requirements for notification of the State in which the individuals reside will be conducted and
documented.
10. If notification to law enforcement or another regulatory body or agency is required under State law, such
notification will be made to the regulatory body or agency in accordance with State law.
11. If State law requires notification to the individual, notification will be made in accordance with State law.
12. Notification to the individual may be delayed if a law enforcement agency determines that the notification
will impede a criminal investigation and the notification will be made after law enforcement determines it
will not compromise its investigation.
13. Notification of a breach to affected individuals will be in plain language and include the information given
previously.
14. The notification must include any additional information required by applicable State law.
15. If the breach involves more than 500 residents of a state or jurisdiction, notice will be provided to the
media and to the Secretary of the Department of Health and Human Services (“HHS”)
contemporaneously.
16. A log of any and all breaches of Unsecured PHI of less than 500 individuals will be maintained and
reported to the Secretary of HHS on an annual basis.
17. Business Associates and vendors, through their contracts and/or Business Associates Agreements with
Vivek Doppalapudi, DDS MS PC will be required to provide notification of a breach to Vivek
Doppalapudi, DDS MS PC so affected individuals can be notified, as necessary. Business Associates
must provide all available information without delay.
18. Documentation will be maintained of each individual notified, each notification provided to HHS and any
other notification to the Secretary of HHS as required by law.
Please refer to the “Forms” section to find the “Breach Determination Worksheet” form.
Please refer to the “Forms” section to find the “Breach Risk Assessment Worksheet” form.
Please refer to the “Forms” section to find the “Security Incident Report” form.
Please refer to the “Forms” section to find the “Breach Response Sample Letter”.
Please refer to the “Forms” section to find the “Breach of Unsecured PHI Report to the Department of Health and Human Services” form.
MITIGATION OF BREACHES POLICY
REFERENCE: 45 CFR § 164.530(F)
POLICY
Vivek Doppalapudi, DDS MS PC complies with the Health Insurance Portability and Accountability Act of 1996
and Department of Health and Human Services rules that are designed to preserve the privacy of identifiable
patient information.
Vivek Doppalapudi, DDS MS PC must mitigate, to the extent practicable, any harmful effect that is known to
Vivek Doppalapudi, DDS MS PC of a use or disclosure of PHI in violation of its policies and procedures by
Vivek Doppalapudi, DDS MS PC or its business associate.
This practice complies with the HIPAA Omnibus Rule of January, 2013 “Modifications to the HIPAA Privacy,
Security, Enforcement, and Breach Notification Rules.”
The purpose of the Rule is to provide notification in the case of breaches of unsecured protected health
information. The Rule applies to covered entities and business associates that access, maintain, retain, modify,
record, store, destroy, or otherwise hold, use, or disclose unsecured protected health information.
The Act requires the following:
Covered entities (CEs) and business associates (BAs) must determine if a breach is notifiable by
performing a risk assessment and determining if exceptions to the Rule apply.
Notification must be provided to affected individuals and to the Secretary of Health and Human Services,
either immediately or by annual summary reports, following the discovery of a notifiable breach of
unsecured protected health information (breaches with a more than low probability that the PHI was
compromised). In some cases, the Act requires covered entities to provide notification of these breaches to
the media.
Specific methods may be used by CEs and BAs to encrypt and destroy patient records to prevent
breaches.
Notifications must be made using specific methods.
The contents of the notifications must contain certain information.
In the case of a breach of unsecured protected health information at or by a business associate of a
covered entity, the Act requires the business associate to notify the covered entity of the breach.
The Department of Health and Human Services (HHS) Secretary must post on an HHS website a list of
covered entities that experience breaches of unsecured protected health information involving more than
500 individuals.
Covered entities and business associates are required to create and maintain specific documentation.
Covered entities and business associates must comply with certain administrative requirements.
Additional information on Breach Notification can be found in the “Breach Notification of Unsecured PHI
Policy” chapter of this manual.
PROCEDURE:
1. All employees are required to inform the Privacy Officer of any known or suspected violations of Vivek
Doppalapudi, DDS MS PC’s HIPAA policies and procedures.
2. The Privacy Officer will evaluate the violation and whether there was more than low probability that the
PHI was compromised, and determine the appropriate course of action according to the HITECH Breach
Notification Rule. All such violations and associated efforts to mitigate the harmful effects will be
documented. Mitigation may include, but is not limited to:
Taking operational and procedural corrective measures to remedy violations;
Taking employment actions to re-train, reprimand, or discipline employees as necessary, up to and
including termination;
Addressing problems with business associates once Vivek Doppalapudi, DDS MS PC is aware of a breach of privacy;
Incorporating mitigation solutions into Vivek Doppalapudi, DDS MS PC’s policies as necessary and
appropriate.
3. All violations of HIPAA policy and procedure that affect an individual will be documented in the
accounting of disclosures form. The patient may not necessarily be notified if the Privacy Officer
determines, using a risk assessment according to the Breach Notification Rule, that there was a low
probability that the PHI was compromised, given the nature of the violation. In cases where the
probability of compromise is more than low, the patient will be notified of the violation and Vivek
Doppalapudi, DDS MS PC’s efforts to mitigate the resulting harm. In some cases, HHS and the media
may also need to be notified, depending on the number of individuals affected by the breach.
When a breach is discovered or suspected:
Vivek Doppalapudi, DDS MS PC’s procedure for handling requests received from patients on the use and
disclosures of PHI is as follows: @REQUSEPHI@
@REQPHI@ handles requests received from patients on the use and disclosures of PHI.
Vivek Doppalapudi, DDS MS PC’s procedure for responding to known or suspected breaches is as follows:
@BREPROC@
BUSINESS ASSOCIATES
BUSINESS ASSOCIATES AND VENDOR AGREEMENTS POLICY
REFERENCE: 45 CFR Parts 160 and 164, and the HIPAA Omnibus Rule of 2013
Definition
Business Associate:
(1) Except as provided in paragraph (4) of this definition, business associate means, with respect to a covered entity, a person who:
(i) On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or
(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in §164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
(2) A covered entity may be a business associate of another covered entity.
(3) Business associate includes:
(i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information. (Courier services such as the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as internet service providers (ISPs) providing data transmission services, are excluded. A conduit transports information in digital or hard copy form, but does not access it other than on a random or infrequent basis, as necessary to perform the transportation service or as required by other law. Example: a telecommunications company having random, occasional access to PHI when reviewing whether data transmitted over its network is arriving at its destination.)
(ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity. (Personal health record vendors are only considered business associates of the covered entity if they are providing the records on behalf of the covered entity. If an individual has authorized that a personal health record vendor receive their records, the vendor does not automatically become a business associate.)
(iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.
(4) Business associate does not include:
(i) A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual.
(ii) A plan sponsor, with respect to disclosures by a group health plan (or by a health insurance issuer or HMO with respect to a group health plan) to the plan sponsor, to the extent that the requirements of §164.504(f) of this subchapter apply and are met.
(iii) A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting protected health information for such purposes, to the extent such activities are authorized by law.
(iv) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement by virtue of such activities or services.
POLICY
Business Associates and the HIPAA Privacy and Security Rules
The HITECH Act has provisions regarding business associates and the Privacy Rule. Prior to HITECH, BAs
were required to follow the HIPAA Privacy Rules because of their contracts with CEs. Under HITECH, this has
changed.
BAs are now considered the same as CEs, and are bound by the same requirements of the HIPAA Privacy and
Security Rules as covered entities. Business associates must implement, and comply with, many parts of the
Privacy and Security Rules, and must have their own contracts with covered entities. Civil and criminal
penalties that apply to covered entities that violate the Privacy and Security Rules now also apply to business
associates.
Under “Uses and disclosures: Organizational requirements, Business associate contracts,” if a CE/BA knows of
a pattern of activity or practice of the CE/BA that constitutes a material breach or violation of the CE/BA’s
obligation under the contract or other arrangement, the CE/BA must take reasonable steps to cure the breach
or end the violation, as applicable. If these steps are unsuccessful, the CE/BA must terminate the contract or
arrangement, if feasible.
HIPAA Requirements for Business Associate Contracts
There are several HIPAA and HITECH requirements concerning business associate contracts. Attention should
be paid to the use of contracts for business associates on the subject of internet hosted or non-hosted practice
management/EHR applications. When establishing a business associate agreement, there are several aspects
that should be considered.
HIPAA 164.504(2) “Uses and disclosures of protected health information: general rules,” states that a contract
between the covered entity and a business associate must:
Establish the permitted and required uses and disclosures of such information by the business associate.
The contract may not authorize the business associate to use or further disclose the information in a
manner that would violate the requirements of this subpart, if done by the covered entity, except that:
1. The contract may permit the business associate to use and disclose protected health information for the
proper management and administration of the business associate, as provided in paragraph (e)(4),
“Other requirements for contracts and other arrangements,” of this section; and
2. The contract may permit the business associate to provide data aggregation service relating to the health
care operations of the covered entity.
Breaches
The purpose of HITECH Section 13402, “Notification in the case of breach,” is to provide individuals with
notification in the case of breaches of unsecured protected health information. The Rule applies to covered
entities and business associates that access, maintain, retain, modify, record, store, destroy, or otherwise hold,
use, or disclose unsecured protected health information. “Unsecured” PHI is PHI that has not been rendered
unusable, unreadable, or indecipherable to unauthorized persons through a method specified in HHS guidance
(encryption or destruction). The Rule requires CEs and BAs to identify and notify affected parties of breaches
involving unauthorized use, access, or disclosure of such PHI in any form (oral, written or electronic), and to cure
any breaches or end violations once discovered.
The agreement should state that the business associate will comply with the Breach Notification Rule. It may
include:
The methods the BA will use to notify the CE of a breach;
Which specific individuals or departments will be notified;
Who will perform the risk assessment;
Who will provide the notification to the individual and the information that will be included;
How the BA will encrypt and destroy PHI to avoid notifiable breaches;
Whether there are available systems in place for breach discovery;
Training and sanctions for workforce members;
Maintaining documentation in compliance with the Breach Rule, which includes demonstrating that all
notifications were made as required, or that the use or disclosure did not constitute a breach.
The BA will provide notification to the Covered Entity without unreasonable delay and in no event later than
____calendar days after discovery of the breach (possibly five days after the breach becomes known to
the BA).
It may also be decided whether encryption and destruction will be performed by the BA, using the methods
described in the NIST guidance documents that HHS references in its breach guidance (for example, NIST SP 800-111
for encrypting data at rest and NIST SP 800-88 for media sanitization). These methods are not required under
HITECH, but only PHI protected by them is treated as “secured”; if they are not used, a breach of that PHI is
notifiable. The contracts may include other items depending on the needs of both parties. They should be reviewed
by legal counsel.
VENDORS
In order to protect the privacy of health information and to protect the interests of the practice, vendors who
are not business associates (and would not be entering into a business associate contract with the
practice) will be asked to sign a “HIPAA Vendor Confidentiality Agreement.” (A model document can be
found on the following pages.)
Vendors, unlike business associates, are individuals or companies that do not need access to or use of PHI in order to
perform their duties. Examples of vendors include contracted cleaning agencies and tradespeople such as
plumbers, electricians, etc. The Vendor Confidentiality Agreement makes clear that should these
individuals come in contact with or have access to confidential employee, patient, and business
information (in any form: oral, written, electronic, images, etc.), they are required to abide by privacy
regulations. The access, possession, use, copying, printing, transmission or reading of practice records, or
disclosure of any information of a confidential or personal nature about a patient or employee to
unauthorized persons, is strictly forbidden.
The Agreement contains a clause that requires the vendor to carry insurance against any losses the
practice may incur through the acts of the vendor. This clause may be removed if the practice wishes to do
so.
PROCEDURE:
These procedures relate to the relationships between Business Associates, the Privacy and Security
Rules, and Business Associate contracts.
1. Vivek Doppalapudi, DDS MS PC develops and maintains a list of business associates. It determines:
if contracts are in place,
when they were instituted.
(A Model Document titled “Business Associate List” is available for this purpose in this manual. It
can also be used as a checklist for Business Associate contracts.)
2. The practice performs a gap analysis of existing contracts, identifies where there are gaps, and renegotiates
contracts as needed to include the HIPAA and HITECH Act contract requirements.
3. Vivek Doppalapudi, DDS MS PC is obligated under the HITECH Act to monitor its business associates,
and to be assured that they have their own HIPAA Privacy and Security Policies and Procedures.
Assurances are sought by asking each of the practice’s BAs specific questions relating to the above
HIPAA and HITECH business associate contract policies. This procedure alerts the practice to the
areas in which a BA is not in compliance.
4. The Breach Notification Rule is reviewed with each BA to make certain that the BA has a thorough
understanding of its responsibilities under the Rule, since both covered entities and BAs are
responsible for breaches of unsecured protected health information.
5. In the case of breaches, Vivek Doppalapudi, DDS MS PC will consider whether the business associate
or the practice is in the best position to provide notice to the individual, which may depend on
circumstances such as the functions the BA performs for the practice. The practice and BA will also
make sure both parties do not notify individuals about the same breach.
6. The BA must notify the CE of a breach without unreasonable delay after it becomes known. Vivek
Doppalapudi, DDS MS PC must then notify affected individuals without unreasonable delay and in no event
later than 60 calendar days after discovery of the breach.
7. Vivek Doppalapudi, DDS MS PC may require business associates to notify it whenever the BA hires
subcontractors who will have access to PHI.
8. If the practice establishes a working relationship with organizations that provide data transmission of PHI
to the practice (or its business associates) and that require routine access to the PHI, a business associate
agreement will be used to govern the responsibilities of each party. Under HITECH Section 13408, a
written contract or other arrangement is required, and these organizations must be considered business
associates of the practice. Examples of these organizations include:
Health Information Exchange Organizations,
Regional Health Information Organizations,
E-prescribing Gateways,
Each vendor that contracts with the practice to allow the practice to offer a personal health record to
patients as part of its electronic health record.
On the following pages is an explanation on how to determine if an entity is a business associate in
need of a business associate agreement, Business Associate and Vendor Tracking Forms to assist
with documentation, and a model Business Associate Agreement (BAA).
The BAA and Vendor Confidentiality Agreement forms contain an “Indemnification Clause”
(section 7 m) which requires the Business Associate to compensate the practice for loss or
damage in cases of breaches caused by the BA. The Indemnification Clause is not a HIPAA
requirement, but is provided as an extra assurance which the practice may wish to incorporate in
their BA Agreements.
DETERMINING BUSINESS ASSOCIATES AND NEED
FOR CONTRACTS
Instructions:
HIPAA / HITECH requires that covered entities and business associates have business associate contracts in
place, which describe the written safeguards the business associate will use to protect the PHI, among other
items. HIPAA does not require that covered entities have BAAs in place with each other; they are allowed to
share PHI for treatment, payment and health care operations (see definitions) without a written agreement,
and without patient authorization (with a few exceptions, such as psychotherapy notes). In order to determine
which entities or individuals are considered business associates and must have a contract, it is important to
know the differences between a covered entity and a business associate.
This document will examine these differences, ask some important questions you will find helpful when trying to
decide if you must have business associate agreements (BAAs) in place with various entities, and provide a
“BAA / CE Decision Grid” you may use to document your findings. Several definitions and explanations are also
provided. When in doubt, you may always err on the side of caution and establish a BAA.
If your organization has multiple facilities in different locations, a separate worksheet can be used for each
location. The worksheet is designed to ask three basic questions (listed below).
1. Does the entity need access to PHI to perform its functions (e.g., lawyers, accountants, transcription,
data destruction, answering services)? If not, it is not a BA.
2. Is the entity a “covered entity” (CE)? CEs may share PHI for treatment, payment and health care
operations without using a BAA. However, there are some instances where a CE may perform functions
of a BA for another CE under contract, and a BAA would be required.
3. Can an individual be considered a member of the “workforce”? (see definitions) If so, generally a BAA is
not needed for that service.
Business Associate Defined
The department of Health and Human Services defines a “business associate” as a person or entity that
performs certain functions or activities that involve the use or disclosure of protected health information
on behalf of, or provides services to, a covered entity (or an “organized health care arrangement.”) A
member of the covered entity’s workforce (see definitions) is not a business associate.
A covered health care provider, health plan, or health care clearinghouse can be a business associate of
another covered entity. The Privacy Rule lists some of the functions or activities, as well as the particular
services, which make a person or entity a business associate, if the activity or service involves the use or
disclosure of protected health information. The types of functions or activities that may make a person or
entity a business associate include payment or health care operations activities, as well as other
functions or activities regulated by the Administrative Simplification Rules. The definition of “business
associate” at 45 CFR 160.103, as amended by the HIPAA Omnibus Rule, states:
“(1) Except as provided in paragraph (4) of this definition, business associate means, with respect to a
covered entity, a person who:
(i) On behalf of such covered entity or of an organized health care arrangement (as defined in this section)
in which the covered entity participates, but other than in the capacity of a member of the workforce of
such covered entity or arrangement, creates, receives, maintains, or transmits protected health
information for a function or activity regulated by this subchapter, including claims processing or
administration, data analysis, processing or administration, utilization review, quality assurance, patient
safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing;
or
(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial,
accounting, consulting, data aggregation (as defined in §164.501 of this subchapter), management,
administrative, accreditation, or financial services to or for such covered entity, or to or for an organized
health care arrangement in which the covered entity participates, where the provision of the service
involves the disclosure of protected health information from such covered entity or arrangement, or from
another business associate of such covered entity or arrangement, to the person.
(2) A covered entity may be a business associate of another covered entity.
(3) Business associate includes:
(i) A Health Information Organization, E-prescribing Gateway, or other person that provides data
transmission services with respect to protected health information to a covered entity and that requires
access on a routine basis to such protected health information.
(ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity.
(iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of
the business associate.”
Notes on paragraph (3):
Conduits are excluded from (3)(i). Courier services such as the U.S. Postal Service or United Parcel Service and
their electronic equivalents, such as internet service providers (ISPs) providing data transmission services, are
not business associates. A conduit transports information in digital or hard copy form, but does not access it
other than on a random or infrequent basis, as necessary to perform the transportation service or as required by
other law. Example: a telecommunications company having random, occasional access to PHI when reviewing
whether data transmitted over its network is arriving at its destination.
Under (3)(ii), personal health record vendors are only considered business associates of the covered entity if they
are providing the records on behalf of the covered entity. If an individual has authorized a personal health
record vendor to receive his or her records, the vendor does not automatically become a business associate.
A business associate agreement is required only where a person or entity is conducting a
function or activity regulated by the Administrative Simplification Rules on behalf of a covered
entity, such as payment or health care operations, or providing one of the services listed in the
definition of “business associate.”
Exceptions to the Business Associate Standard
The Department of Health and Human Services states the following:
The Privacy Rule includes the following exceptions to the business associate standard. See 45 CFR
164.502(e). In these situations, a covered entity is not required to have a business associate contract or
other written agreement in place before protected health information may be disclosed to the person or
entity.
Disclosures by a covered entity to a health care provider for treatment of the individual. For example:
A hospital is not required to have a business associate contract with the specialist to whom it refers a
patient and transmits the patient’s medical chart for treatment purposes.
A physician is not required to have a business associate contract with a laboratory as a condition of
disclosing protected health information for the treatment of an individual.
A hospital laboratory is not required to have a business associate contract to disclose protected health
information to a reference laboratory for treatment of the individual.
Disclosures to a health plan sponsor, such as an employer, by a group health plan, or by the health
insurance issuer or HMO that provides the health insurance benefits or coverage for the group health plan,
provided that the group health plan’s documents have been amended to limit the disclosures or one of the
exceptions at 45 CFR 164.504(f) have been met.
The collection and sharing of protected health information by a health plan that is a public benefits
program, such as Medicare, and an agency other than the agency administering the health plan, such as
the Social Security Administration, that collects protected health information to determine eligibility or
enrollment, or determines eligibility or enrollment, for the government program, where the joint activities
are authorized by law.
Decision-Making
Below are some points to examine when making decisions on whether a particular entity is actually a
business associate, and a BAA is needed, vs. a vendor where a confidentiality agreement is sufficient:
Does equipment from the vendor have PHI stored on it? (copy machines, diagnostic equipment units etc.)
Is it necessary to give a vendor PHI in order for them to deliver goods to the patient? (such as oxygen
equipment)
Accreditation organizations are business associates of the covered entities they accredit.
Are appointment confirmations performed live, and are the employees given access to PHI?
Do you contract with an answering service?
Building remodeling / construction: will they be given access to and need to physically move patient
files (where they are actually handling files)? If so, they need a BAA. If they would only see something
inadvertently, a vendor confidentiality agreement can be used.
Is billing performed in-house by employees or through a private agency?
Examples
An attorney whose legal services to a health plan involve access to protected health information is a BA.
Certified Telecommunications Relay Services: TRS providers must comply with FCC regulations, and TRS is
considered a public service, available without cost. TRS companies do not contract their services, so there is
no business relationship with a CE. Also, the patient has the opportunity to agree or object to using the service.
They are not BAs.
A consultant that performs utilization reviews for a hospital is a BA.
A CPA firm whose accounting services to a health care provider involve access to protected health
information is a BA.
Data destruction or disposal: most organizations will be BAs and need BAAs, but if the work is performed
under the direct control of the CE, on their premises, the service can be treated as members of the CE’s
“workforce” and a BAA is not required.
Collection agencies: If the agency is contracted directly with the covered entity as a business associate, then
a BAA is needed. If the collection agency is a third party to the covered entity (for example, has been hired by
another of the CE’s business associates such as a billing agency, as a contractor), then the BA is responsible
for having an agreement in place with the collection agency. Location information agencies hired directly by a
CE would also need a BAA.
Cleaning services: do they need to work with PHI in order to do their jobs? (If they do not need access to
patient files, but may see something inadvertently, they are not a BA; use only a vendor confidentiality
agreement.)
Consultants: Will they perform consultation services for billing/coding, or any other duty where PHI will be
needed (practice management etc.)? If so, they are a BA.
Couriers: The US Postal Service, United Parcel Service, delivery truck line employees and/or management, or
certain private couriers, and their electronic counterparts, are not business associates, as long as PHI is
transported but not accessed except on a very infrequent basis for performance of the service or as required by
law.
A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on
behalf of a health care provider and forwards the processed transaction to a payer is a BA.
Health information organizations (HIO): These entities can manage the exchange of PHI through networks,
on behalf of one or more covered entities. The HIO needs a BAA with CEs.
Examples of the duties an HIO might perform for covered entities:
Manage authorized requests for, and disclosures of, PHI among participants in the network;
Create and maintain a master patient index;
Provide a record locater or patient matching service;
Standardize data formats;
Implement business rules to assist in the automation of data exchange;
Facilitate the identification and correction of errors in health information records; and
Aggregate data on behalf of multiple covered entities.
A covered entity may give protected health information to another CE for treatment purposes, through the
HIO. An HIO may be a business associate of an Organized Health Care Arrangement (OHCA), (see
definitions), if the HIO performs functions or activities on behalf of the OHCA.
Interpreters: A covered health care provider might use interpreter services to communicate with patients
who speak a language other than English or who are deaf or hard of hearing, and provision of interpreter
services usually will be a health care operations function of the covered entity. A BAA would be needed for
a contracted interpreter service (unless the interpreter is treated as a member of the workforce). However,
when no contracted service is used and the provider instead relies on a family member, friend, or another
person the provider locates to assist, the patient has the opportunity to agree to or object to that person’s
involvement, and a BAA would not be needed. A patient’s family members or friends who assist as
interpreters are not business associates.
IT functions: Are they handled in-house by employees, or are vendors used? Do IT personnel have
access to PHI—through patient website portals, billing systems, EMRs, etc.? Will internet service providers
who perform troubleshooting have access to PHI-containing systems?
(The mere selling or providing of software to a covered entity does not give rise to a business associate
relationship if the vendor does not have access to the protected health information of the covered entity.
For example, a software company that hosts the software containing patient information on its own server
or accesses patient information when troubleshooting the software function, is a business associate of a
covered entity. In these examples, a covered entity would be required to enter into a business associate
agreement before allowing the software company access to protected health information. However, when
an employee of a contractor, like a software or information technology vendor, has his or her primary duty
station on-site at a covered entity, the covered entity may choose to treat the employee of the vendor as a
member of the covered entity’s workforce, rather than as a business associate. See the definition of
“workforce.”)
Employee benefits contractors (401K, etc.): do they have access to employee PHI?
Medical device company representatives: HIPAA allows a CE to disclose PHI to a medical device
company for the covered provider’s own treatment, payment or health operations purposes, or for the
treatment or payment purposes of a medical device company that is also a health care provider. A medical
device company meets the Privacy Rule’s definition of “health care provider” if it furnishes, bills, or is paid
for “health care” in the normal course of business. “Health care” under the Rule means care, services or
supplies related to the health of an individual. Thus, a device manufacturer is a health care provider under
the Privacy Rule if it needs protected health information to counsel a surgeon on or determine the
appropriate size or type of prosthesis for the surgeon to use during a patient’s surgery, or otherwise assists
the doctor in adjusting a device for a particular patient. Similarly, when a device company needs protected
health information to provide support and guidance to a patient, or to a doctor with respect to a particular
patient, regarding the proper use or insertion of the device, it is providing “health care” and, therefore, is a
health care provider when engaged in these services.
Additionally, the public health provisions of the Privacy Rule permit a covered provider to make
disclosures, without an authorization, to a medical device company or other person that is subject to the
jurisdiction of the Food and Drug Administration (FDA) for activities related to the quality, safety, or
effectiveness of an FDA-regulated product or activity for which the person has responsibility.
The following are some examples of circumstances in which a covered provider may share protected
health information with a medical device company, without the individual’s authorization:
A covered provider may disclose protected health information needed for an orthopedic device
manufacturer or its representative to determine and deliver the appropriate range of sizes of a prosthesis
for the surgeon to use during a particular patient’s surgery. (This would be a treatment disclosure to the
device company as a health care provider. Exchanges of protected health information between health care
providers for treatment of the individual are not subject to the minimum necessary standards. 45 CFR
164.502(b).)
The device manufacturer or its representative may be present in the operating room, as requested by the
surgeon, to provide support and guidance regarding the appropriate use, implantation, calibration or
adjustment of a medical device for that particular patient. (This would be treatment by the device company
as a health care provider. As noted in the prior example, treatment disclosures between health care
providers are not subject to the minimum necessary standards.)
A covered provider may allow a representative of a medical device manufacturer to view protected health
information, such as films or patient records, to provide consultation, advice or assistance where the
provider, in her professional judgment, believes that this will assist with a particular patient’s treatment.
(This would also be a treatment disclosure and minimum necessary would not apply.)
A covered provider may share protected health information with a medical device company as necessary
for the device company to receive payment for the health care it provides. (This would be a disclosure for
payment of a health care provider and subject to minimum necessary standards.)
A covered provider may disclose protected health information to a medical device manufacturer that is
subject to FDA jurisdiction to report an adverse event, to track an FDA-regulated product, or other
purposes related to the quality, safety, or effectiveness of the FDA-regulated product. (This would be a
public health disclosure and subject to minimum necessary standards.)
A business associate agreement would not usually be required for the disclosures noted above. For
example, a business associate agreement would not be needed for disclosures between health care
providers for the treatment of the individual (45 CFR 164.502(e)(1)(ii)(A)). Likewise, a medical device
company would not be a business associate of a covered provider with respect to public health disclosures
to a device company that is subject to FDA jurisdiction or disclosures to a device company as a health care
provider for that company’s payment purposes, as in neither case is the device company performing a
function or activity on behalf of, nor providing a specified service to, the covered provider.
In other circumstances, however, a business associate agreement may be required even if the disclosure
were permitted without an authorization. For example, a business associate agreement would be required
if a covered entity asked the medical device company to provide an estimate of the cost savings it might
expect from the use of a particular medical device; and to do so, the device company needed access to
the covered entity’s protected health information. In this case, the medical device company is performing a
health care operations function (business planning and development) on behalf of the covered provider,
which requires a business associate agreement even though the disclosure is permitted without an
authorization.
A pharmacy benefits manager that manages a health plan’s pharmacist network is a BA.
Plumbers/electricians, etc. are not BAs.
Photocopy repair persons: are not BAs if they do not assist the provider with erasing PHI from the copier’s
hard drive. (Copiers and multifunction printers retain images of copied and scanned documents on internal
storage, so a vendor that services or removes that storage is handling PHI.)
Physicians: A health care provider can be a business associate of another healthcare provider, if the
provider has been hired to perform another activity unrelated to patient treatment, such as a hospital hiring
a provider to assist with training students. A BAA would be required. Physicians may be business
associates of health plans, if the health plan contracts the physician to perform services such as case
management.
Researchers would not need a BAA, since they are not performing functions regulated under the
Administrative Simplification Rules, even if the CE has hired the researcher to perform research on the
CE’s behalf.
A third-party administrator (TPA) to a group health plan is a business associate of the health plan,
unless the TPA can meet the definition of a covered entity based on its other activities.
Transcription services: if contracted (not employees), they are BAs.
(HHS does not have the authority to regulate employers, life insurance companies or state
agencies.)
Limited data sets:
If the only PHI a BA receives is a limited data set (see definitions), the HIPAA rule does not require a BAA,
although a data use agreement under 45 CFR 164.514(e) is required. A CE may hire a BA to create a limited
data set, in which case a BAA is needed. The CE may hire a public health authority as a business associate to
create the limited data set, even if the public health authority will be the entity using the data set. (Ex: the public
health authority is hired to review medical charts and extract the limited data set needed for a particular public
health surveillance activity.)
Situations in Which a Business Associate Contract Is NOT Required.
When a health care provider discloses protected health information to a health plan for payment purposes,
or when the health care provider simply accepts a discounted rate to participate in the health plan’s
network. A provider that submits a claim to a health plan and a health plan that assesses and pays the
claim are each acting on its own behalf as a covered entity, and not as the “business associate” of the
other.
With persons or organizations (e.g., janitorial service or electrician) whose functions or services do not
involve the use or disclosure of protected health information, and where any access to protected health
information by such persons would be incidental, if at all.
With a person or organization that acts merely as a conduit for protected health information, for example,
the US Postal Service, certain private couriers, and their electronic equivalents.
Among covered entities who participate in an organized health care arrangement (OHCA) to make
disclosures that relate to the joint health care activities of the OHCA.
Where a group health plan purchases insurance from a health insurance issuer or HMO. The relationship
between the group health plan and the health insurance issuer or HMO is defined by the Privacy Rule as
an OHCA, with respect to the individuals they jointly serve or have served. Thus, these covered entities
are permitted to share protected health information that relates to the joint health care activities of the
OHCA.
Where one covered entity purchases a health plan product or other insurance, for example, reinsurance,
from an insurer. Each entity is acting on its own behalf when the covered entity purchases the insurance
benefits, and when the covered entity submits a claim to the insurer and the insurer pays the claim.
To disclose protected health information to a researcher for research purposes, either with patient
authorization, pursuant to a waiver under 45 CFR 164.512(i), or as a limited data set pursuant to 45 CFR
164.514(e). Because the researcher is not conducting a function or activity regulated by the Administrative
Simplification Rules, such as payment or health care operations, or providing one of the services listed in
the definition of “business associate” at 45 CFR 160.103, the researcher is not a business associate of the
covered entity, and no business associate agreement is required.
When a financial institution processes consumer-conducted financial transactions by debit, credit, or other
payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other
activity that directly facilitates or effects the transfer of funds for payment for health care or health plan
premiums. When it conducts these activities, the financial institution is providing its normal banking or
other financial transaction services to its customers; it is not performing a function or activity for, or on
behalf of, the covered entity.
Definitions
Data aggregation means, with respect to protected health information created or received by a business
associate in its capacity as the BA of a covered entity, the combining of such protected health information
by the business associate with the protected health information received by the business associate as a
BA of another covered entity, to permit data analyses that relate to the health care operations of the
respective covered entities.
Disclosure means the release, transfer, provision of, access to, or divulging in any other manner of
information outside the entity holding the information.
Health care means care, services or supplies related to the health of an individual, including diagnostic
services.
Health care operations means any of the following activities of the covered entity to the extent that the
activities are related to covered functions, and any of the following activities of an organized health care
arrangement in which the covered entity participates:
1. Conducting quality assessment and improvement activities, including outcomes evaluation and
development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the
primary purpose of any studies resulting from such activities; population-based activities relating to
improving health or reducing health care costs, protocol development, case management and care
coordination, contacting of health care providers and patients with information about treatment
alternatives; and related functions that do not include treatment;
2. Reviewing the competence or qualifications of health care professionals, evaluating practitioner and
provider performance, health plan performance, conducting training programs in which students,
trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills
as health care providers, training of non-health care professionals, accreditation, certification, licensing,
or credentialing activities;
3. Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a
contract of health insurance or health benefits, and ceding, securing, or placing a contract for
reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss
insurance), provided that the requirements of Sec. 164.514(g) are met, if applicable;
4. Conducting or arranging for medical review, legal services, and auditing functions, including fraud and
abuse detection and compliance programs;
5. Business planning and development, such as conducting cost-management and planning-related
analyses related to managing and operating the entity, including formulary development and
administration, development or improvement of methods of payment or coverage policies; and
6. Business management and general administrative activities of the entity, including, but not limited to:
   a. Management activities relating to implementation of and compliance with the requirements of this subchapter;
   b. Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holder, plan sponsor, or customer;
   c. Resolution of internal grievances;
   d. Due diligence in connection with the sale or transfer of assets to a potential successor in interest, if the potential successor in interest is a covered entity or, following completion of the sale or transfer, will become a covered entity; and
   e. Consistent with the applicable requirements of Sec. 164.514, creating de-identified health information, fundraising for the benefit of the covered entity, and marketing for which an individual authorization is not required as described in Sec. 164.514(e)(2).
Health plans are health insurance companies, HMOs, company health plans, and government programs
like Medicare.
In electronic form means: using electronic media, electronic storage media including memory devices in
computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape
or disk, optical disk, or digital memory card; or transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the internet (wide-open), extranet
(using internet technology to link a business with information accessible only to collaborating parties),
leased lines, dial-up lines, private networks, and the physical movement of removable/transportable
electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via
telephone, are not considered to be transmissions via electronic media, because the information being
exchanged did not exist in electronic form before the transmission.
Limited Data Set is protected health information from which certain specified direct identifiers of
individuals and their relatives, household members, and employers have been removed. A limited data set
may be used and disclosed for research, health care operations, and public health purposes, provided the
recipient enters into a data use agreement.
Organized health care arrangement means:
1. A clinically integrated care setting in which individuals typically receive health care from more than one health care provider;
2. An organized system of health care in which more than one covered entity participates and in which the participating covered entities:
   a. Hold themselves out to the public as participating in a joint arrangement; and
   b. Participate in joint activities that include at least one of the following:
      i. Utilization review, in which health care decisions by participating covered entities are reviewed by other participating covered entities or by a third party on their behalf;
      ii. Quality assessment and improvement activities, in which treatment provided by participating covered entities is assessed by other participating covered entities or by a third party on their behalf; or
      iii. Payment activities, if the financial risk for delivering health care is shared, in part or in whole, by participating covered entities through the joint arrangement and if protected health information created or received by a covered entity is reviewed by other participating covered entities or by a third party on their behalf for the purpose of administering the sharing of financial risk;
3. A group health plan and a health insurance issuer or HMO with respect to such group health plan, but only with respect to protected health information created or received by such health insurance issuer or HMO that relates to individuals who are or who have been participants or beneficiaries in such group health plan;
4. A group health plan and one or more other group health plans each of which are maintained by the same plan sponsor; or
5. The group health plans described in paragraph (4) of this definition and health insurance issuers or HMOs with respect to such group health plans, but only with respect to protected health information created or received by such health insurance issuers or HMOs that relates to individuals who are or have been participants or beneficiaries in any of such group health plans.
Payment means:
1. The activities undertaken by:
   a. A health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or
   b. A health care provider or health plan to obtain or provide reimbursement for the provision of health care; and
2. The activities in paragraph (1) of this definition relate to the individual to whom health care is provided and include, but are not limited to:
   a. Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;
   b. Risk adjusting amounts due based on enrollee health status and demographic characteristics;
   c. Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing;
   d. Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;
   e. Utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and
   f. Disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement:
      i. Name and address;
      ii. Date of birth;
      iii. Social security number;
      iv. Payment history;
      v. Account number; and
      vi. Name and address of the health care provider and/or health plan.
Plan sponsor is the employer, union, or other employee organization that sponsors and maintains the
group health plan.
Treatment refers to the provision, coordination, or management of health care and related services by
one or more health care providers, including the coordination or management of health care by a health
care provider with a third party; consultation between health care providers relating to a patient; or the
referral of a patient for health care from one health care provider to another.
Use means, with respect to individually identifiable health information, the sharing, employment,
application, utilization, examination, or analysis of such information within an entity that maintains such
information.
Workforce means employees, volunteers, trainees, and other persons whose conduct, in the
performance of work for a covered entity, is under the direct control of such entity, whether or not they
are paid by the covered entity. If a BA has an employee whose main workstation is physically on the
CE’s premises, it can be inferred that the employee is under the control of the CE, and can be
considered a member of their “workforce.”
Please refer to the “Forms” section to find the following forms:
1. “BAA/CE Decision Grid”
2. “Business Associate Contract Tracking Form”
3. “Vendor Confidentiality Agreement Tracking Form”
4. “HIPAA Business Associate Agreement”
5. “HIPAA Vendor Confidentiality Agreement”
HIPAA SECURITY POLICIES AND PROCEDURES INTRODUCTION
INTRODUCTION TO THE HIPAA SECURITY STANDARDS
The purpose of the HIPAA Security Rule is to adopt standards for the security of all electronic protected health
information (ePHI) created or maintained by health plans, health care clearinghouses, certain health care
providers, and business associates of covered entities. As with the HIPAA Privacy Rule, it applies to health
plans, health care clearinghouses, health care providers, and business associates of covered entities who
transmit any health information in electronic form in connection with a covered transaction.
Under the HIPAA law, the Department of Health and Human Services (HHS) was responsible for issuing the
final HIPAA Security Rule. The Final Rule was released on January 17, 2013, and becomes effective on March
26, 2013, with September 23, 2013 as the compliance deadline. The Office for Civil Rights (OCR) is the
federal entity responsible for implementing and enforcing the HIPAA Rules.
In implementing the Rule, HHS wanted to improve the effectiveness and efficiency of the health care industry in
general, by establishing a level of protection for certain electronic health information. The HHS Medicare
Program, other federal agencies operating health plans or providing health care, state Medicaid agencies,
private health plans, health care providers, and health care clearinghouses must assure their customers (for
example, patients, insured individuals, providers, and health plans) that the integrity, confidentiality, and
availability of ePHI they collect, maintain, use, or transmit is protected. The confidentiality of health information
is threatened not only by the risk of improper access to stored information, but also by the risk of interception
during electronic transmission of the information. The purpose of the Final Rule is to adopt national standards
for safeguards to protect the confidentiality, integrity, and availability of ePHI.
The Security Rule requires implementation of three types of security safeguards that covered entities and
business associates can use to assure the confidentiality of electronic protected health information –
administrative, physical, and technical. They are divided into either “Required” or “Addressable” implementation
specifications. These terms are explained in the “Definitions” section of this manual on the following pages.
Security Risk Analysis
Each security safeguard will be addressed separately within the following Policies and Procedures.
Corresponding Model Documents can be found within the appropriate sections. The Security Risk Analysis Tool
is an important component and should be completed first, since many of the following Policies and Procedures
are determined by the results of this assessment.
SECURITY DEFINITIONS
The HIPAA Security Rule includes several definitions that are important to understand in order to interpret the
rule and its application to the practice. Under § 164.304, the definitions are as follows:
Access means the ability or the means necessary to read, write, modify, or communicate data/information or
otherwise use any system resource. (This definition applies to “access” as used in this subpart, not as used in
subparts D or E of this part.)
Administrative safeguards are administrative actions, and policies and procedures, to manage the selection,
development, implementation, and maintenance of security measures to protect electronic protected health
information and to manage the conduct of the covered entity’s or business associate’s workforce in relation to
the protection of that information.
Authentication means the corroboration that a person is the one claimed.
Availability means the property that data or information is accessible and useable upon demand by an
authorized person.
Confidentiality means the property that data or information is not made available or disclosed to unauthorized
persons or processes.
Encryption means the use of an algorithmic process to transform data into a form in which there is a low
probability of assigning meaning without use of a confidential process or key.
Facility means the physical premises and the interior and exterior of a building(s).
Information system means an interconnected set of information resources under the same direct
management control that shares common functionality. A system normally includes hardware, software,
information, data, applications, communications, and people.
Integrity means the property that data or information have not been altered or destroyed in an unauthorized
manner.
Malicious software means software, for example, a virus, designed to damage or disrupt a system.
Password means confidential authentication information composed of a string of characters.
Physical safeguards are physical measures, policies, and procedures to protect a covered entity’s or a
business associate’s electronic information systems and related buildings and equipment, from natural and
environmental hazards, and unauthorized intrusion.
Security or Security measures encompass all of the administrative, physical, and technical safeguards in an
information system.
Security incident means the attempted or successful unauthorized access, use, disclosure, modification, or
destruction of information or interference with system operations in an information system.
Technical safeguards means the technology and the policy and procedures for its use that protect electronic
protected health information and control access to it.
User means a person or entity with authorized access.
Workstation means an electronic computing device, for example, a laptop or desktop computer, or any other
device that performs similar functions, and electronic media stored in its immediate environment.
SECURITY STANDARDS, GENERAL RULES
POLICY
REFERENCE: HIPAA SECURITY §164.306
PURPOSE
It is the policy of Vivek Doppalapudi, DDS MS PC to comply with the HIPAA Security Rule, and the practice has
established appropriate administrative, technical, and physical safeguards to ensure the confidentiality, integrity
and availability of all electronic protected health information (ePHI) the practice creates, receives, maintains or
transmits.
Vivek Doppalapudi, DDS MS PC will attempt to protect ePHI against any reasonably anticipated threats or
hazards to the security or integrity of the information, and to provide reasonable safeguards of ePHI from any
intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications
or other requirements of the HIPAA rules. Vivek Doppalapudi, DDS MS PC will attempt to ensure that the
workforce complies with the HIPAA Security Rule.
In complying with the HIPAA Security Rule, a flexible approach is used, as allowed by the Rule, in which the
practice may take into account the following factors:
1. The size, complexity and capabilities of the practice;
2. The technical infrastructure, hardware, and software security capabilities;
3. The costs of the security measures;
4. The probability and criticality of potential risks to electronic health information.
The Security Rule allows the practice to balance the risks of inappropriate use or disclosure of ePHI
against the impact of various protective measures.
Important Note: It should be noted that the Security Rule does not apply to PHI in paper form. The
preamble of the Rule discusses the types of electronic PHI that the Rule applies to, including telephone
voice response and “faxback” (that is, a request for information from a computer made via voice or
telephone keypad input with the requested information returned as a fax). Such systems fall under this rule
because they are used as input and output devices for computers.
When the final Security Rule was published, the security standards were designed to be “technology
neutral” to accommodate changes. The rule does not prescribe the use of specific technologies, so that
the health care community will not be bound by specific systems and/or software that may become
obsolete. HHS also recognizes that the security needs of covered entities can vary significantly. This
flexibility within the rule enables each entity to choose technologies that best meet its specific needs and
comply with the standards.
The term “computer” includes only software programmable computers, for example, personal computers,
minicomputers, and mainframes. Copy machines, fax machines, and telephones, even those that contain
memory and can produce multiple copies for multiple people, are not intended to be included in the term
“computer” under the Security Rule. Because “paper-to-paper” faxes, person-to-person telephone calls,
video teleconferencing, or messages left on voice-mail were not in electronic form before the
transmission, those activities are not covered by the Security Rule, although they are covered by the
Privacy Rule.
Information being transmitted via a telephone (either by voice or a DTMF tone pad) is not in electronic
form (as defined in the first paragraph of the definition of “electronic media”) before transmission, and
therefore is not subject to the Security Rule. Information being returned via a telephone voice response
system in response to a telephone request is data that is already in electronic form and stored in a
computer. This latter transmission does require protection under the Security Rule.
PROCEDURE:
The practice reviews and modifies the security measures used to protect ePHI on an ongoing basis as
needed, in response to environmental and operational changes. Policies and procedures may be
changed at any time, provided that the changes are documented and are implemented in accordance
with the Security Rule.
An “implementation specification” is an additional detailed instruction for implementing a particular
standard. Each set of safeguards comprises a number of standards, which, in turn, generally
comprise a number of implementation specifications that are either “Required” or “Addressable.”
The following terms are used after each standard to annotate whether the standard must be
implemented, versus whether the practice is allowed to assess if the standard will protect ePHI for the
particular situation. The practice institutes, at a minimum, the Required elements of the HIPAA Security
Rule, and reviews Addressable specifications using a security analysis, risk analysis, and financial
analysis to determine the appropriateness of the specification, instituting or changing these as
necessary.
Required Implementation Specifications: the word “Required” appears after Administrative, Physical,
Technical, Organizational, and Policy and Procedure/Documentation implementation specifications that
must be performed by a covered entity in order to be in compliance with the Security Rule.
Addressable Implementation Specifications: the word “Addressable” appears after Administrative,
Physical, Technical, Organizational, and Policy and Procedure/Documentation implementation
specifications that must be employed only if “reasonable and appropriate” according to the Security Rule.
Before implementing these standards, the practice must evaluate whether the specification is a
reasonable and appropriate safeguard for its environment, taking into consideration how the safeguard
will protect ePHI. If the practice determines that the specification is NOT a reasonable and appropriate
approach, then the practice must document the reasons it cannot be done. The practice must also
attempt to implement an alternate method that may be more feasible.
SECURITY ORGANIZATION REQUIREMENTS
POLICY
REFERENCE: HIPAA SECURITY §164.314
POLICY
Vivek Doppalapudi, DDS MS PC has implemented policies and procedures for electronic information systems
that maintain ePHI to comply with, at a minimum, the “Required” standards of the HIPAA Security Rule,
Organizational Requirements.
“Addressable” implementation specifications are reviewed to determine whether the specification is appropriate
for the practice. If the specification is reasonable and appropriate, the practice must implement it. If not
reasonable and appropriate, the reasons are documented, and alternate methods are considered and
implemented.
When a standard does not have implementation specifications associated with it, then the standard itself is
“Required.” This standard contains the following implementation specifications.
PROCEDURE:
Standard: Business Associate Contracts or Other Arrangements
The contract or other arrangement between the practice and its business associate must meet the
requirements of this section.
Implementation specifications (Required)
Business associate contracts: The contract between a covered entity and a business associate will comply
with the requirements of this section, and must provide that the business associate will:
1. Comply with the applicable requirements of this section;
2. Ensure that any subcontractor that creates, receives, transmits or maintains ePHI on behalf of the
business associate, agrees to implement reasonable and appropriate safeguards to protect it in
compliance with this section by entering into a contract or business associate agreement;
3. Report to the covered entity any security incident of which it becomes aware, including breaches of
unsecured PHI as required by §164.410.
Other Arrangements
If a business associate is required by law to perform a function or activity on behalf of the practice, or to
provide a service described in the definition of business associate as described in the Definitions portion
of the HIPAA Rule, the practice may permit the business associate to create, receive, maintain, or
transmit electronic protected health information on its behalf.
Standard: Requirements for Group Health Plans
Except when the only electronic protected health information disclosed to a plan sponsor is disclosed pursuant
to §164.504(f)(1)(ii) or (iii), or as authorized under §164.508, a group health plan must ensure that its plan
documents provide that the plan sponsor will reasonably and appropriately safeguard electronic protected
health information created, received, maintained, or transmitted to or by the plan sponsor on behalf of the
group health plan.
Implementation specifications (Required)
The plan documents of the group health plan must be amended to incorporate provisions to require the plan
sponsor to:
1. Implement administrative, physical, and technical safeguards that reasonably and appropriately protect
the confidentiality, integrity, and availability of the electronic protected health information that it creates,
receives, maintains, or transmits on behalf of the group health plan;
2. Ensure that the adequate separation required by §164.504(f)(2)(iii) is supported by reasonable and
appropriate security measures;
3. Ensure that any agent to whom it provides this information agrees to implement reasonable and
appropriate security measures to protect the information; and
4. Report to the group health plan any security incident of which it becomes aware.
SECURITY POLICIES AND PROCEDURES AND DOCUMENTATION REQUIREMENTS POLICY
REFERENCE: HIPAA SECURITY §164.316
POLICY
As required under standard (a) of §164.316, “Policies and Procedures and Documentation Requirements,”
Vivek Doppalapudi, DDS MS PC has implemented reasonable and appropriate policies and procedures to
comply with the HIPAA Security standards, implementation specifications, or other requirements of the Security
Rule, taking into account the following factors:
1. The size, complexity, and capabilities of the covered entity;
2. The covered entity’s technical infrastructure, hardware, and software security capabilities;
3. The costs of security measures;
4. The probability and criticality of potential risks to electronic protected health information.
The practice may change its policies and procedures at any time, provided that the changes are
documented and are implemented in accordance with this subpart.
“Addressable” implementation specifications are reviewed to determine whether the specification is
appropriate for the practice. If the specification is reasonable and appropriate, the practice must
implement it. If not reasonable and appropriate, the reasons are documented and alternate methods are
considered and implemented.
When a standard does not have implementation specifications associated with it, then the
standard itself is “Required.” This standard contains the following implementation specifications.
PROCEDURES:
Standard: Documentation (Required)
The practice maintains the policies and procedures implemented to comply with the Security Rule in written
(which may be electronic) form.
If an action, activity or assessment is required to be documented by the Security Rule, the practice maintains a
written (which may be electronic) record of the action, activity, or assessment.
Implementation Specifications
Time limit (Required): The Policy and Procedure documentation required by the above is retained for a
minimum of six years from the date of its creation, or the date when it last was in effect, whichever is later.
The covered entity’s Security Policies and Procedures and Documentation Policy date of implementation or last
date it was in effect is: @IMPDATE@
Availability (Required): Documentation is available to those persons responsible for implementing the
procedures to which the documentation pertains.
The person(s) is/are responsible for implementing the procedures to which documentation pertains is/are:
@IMPPERS@
Updates (Required): Documentation must be reviewed periodically, and updated as needed, in response to
environmental or operational changes affecting the security of the electronic protected health information.
The most current date the documentation was reviewed and/or updated is: @DOCDATE@
SECURITY ADMINISTRATIVE SAFEGUARDS
POLICY
REFERENCE: HIPAA SECURITY §164.308
POLICY
Vivek Doppalapudi, DDS MS PC has implemented policies and procedures to prevent, detect, contain, and
correct security violations of ePHI. Several implementation specifications are contained in the Administrative
Safeguards section of the Security Rule.
The Security Rule defines administrative safeguards as, “administrative actions, and policies and procedures,
to manage the selection, development, implementation, and maintenance of security measures to protect
electronic protected health information and to manage the conduct of the covered entity’s workforce in relation
to the protection of that information.”
In general, Administrative Safeguards are the administrative functions that should be implemented to meet the
security standards. These include assignment or delegation of security responsibility to an individual and
security training requirements.
All “Required” implementation specifications are adopted, and “Addressable” implementation specifications are
reviewed to determine whether the specification is appropriate for the practice. If the specification is reasonable
and appropriate, the practice must implement it. If not reasonable and appropriate, the reasons are
documented and alternate methods are considered and implemented.
When a standard does not have implementation specifications associated with it, then the standard
itself is “Required.”
PROCEDURES:
Standard: Security Management Process
This standard contains the following implementation specifications; they are all “Required” under the Security
Rule.
Implementation Specifications
Risk analysis (Required): An accurate and thorough assessment is conducted of the potential risks and
vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by
the practice. The practice evaluates the security controls already in place, and performs an accurate and
thorough risk analysis to arrive at solutions to potential security issues. A helpful guide to risk analysis is “An
Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA)
Security Rule,” NIST Special Publication 800-66 Revision 1, October 2008.
Risk management (Required): Security measures are implemented in order to reduce risks and
vulnerabilities, found during the risk analysis, to a reasonable and appropriate level, to comply with
§164.306(a), “Security Standards General Rules.”
Regarding both risk analysis and risk management, the Security Rule does not prescribe a specific
methodology. The practice is expected to formulate its own approach to these items, depending on the special
circumstances of the practice. There are several types of threats that may occur within an information system
or operating environment:
1. Natural threats: floods, earthquakes, tornadoes and landslides;
2. Human threats: intentional such as network and computer based attacks, and unintentional such as
errors in data entry or deletion of files;
3. Environmental threats: power failures, chemicals, liquid leakage.
Sanction policy (Required): Appropriate sanctions are applied against workforce members who fail to
comply with the security policies and procedures of the practice. An Employee Confidentiality Agreement
must be signed by each member of the workforce.
Information system activity review (Required): Procedures are implemented to regularly review records
of information system activity. These may include audit logs, access reports, and security incident
tracking reports. Information system activity review procedures enable covered entities to determine if
any ePHI is used or disclosed in an inappropriate manner. The practice Security Officer, together with the
practice’s hardware and software vendors, will implement the information system functionality that
generates audit logs and access reports on all practice information systems that contain electronic
protected health information. These reports will be documented and retained for six years from the date
of creation, or from the date when the document was last in effect, whichever is later.
Standard: Assigned Security Responsibility (Required)
The practice has identified Dr. Vivek Doppalapudi as the security official who is responsible for the development
and implementation of the policies and procedures required by the HIPAA Security Rule. The Security Rule
allows the practice to appoint either the same person or a different person as the Security Official and Privacy
Official. Other individuals may be assigned specific security responsibilities.
Standard: Workforce Security
The practice has implemented policies and procedures to ensure that all members of the workforce have
appropriate access to electronic protected health information if needed to perform their job functions, and to
prevent workforce members who do not need to have access from obtaining access to ePHI. This standard
contains the following implementation specifications. They are all “Addressable” under the Security Rule.
Implementation Specifications
Authorization and/or supervision (Addressable): Procedures for the authorization and/or supervision of
workforce members who work with electronic protected health information, or in locations where it might be
accessed, are reviewed and implemented as needed. Authorization is the process of determining whether a
particular user (or a computer system) has the right to carry out a certain activity, such as reading a file or
running a program. For example, operations or maintenance personnel who either work with ePHI, or work in
locations where ePHI resides, must be supervised or have authorization to work with ePHI.
Workforce clearance procedure (Addressable): Procedures to determine whether a workforce member’s
access to electronic protected health information is appropriate are reviewed and implemented as needed. The
intent of the law was not to expect background checks on each individual, but rather use a screening process,
determined by the practice, and based on risk, cost, benefit, and feasibility, etc. A record of access
authorizations is kept to ensure that operating and maintenance personnel have proper access authorization.
Termination procedures (Addressable): Procedures for terminating access to electronic protected health
information when the employment of a workforce member ends, or is deemed not appropriate to the tasks
required, are reviewed and implemented as needed. Termination procedures include contractors, employees or
other individuals previously allowed access to ePHI. Procedures such as changing combination locks, removal
from access lists, removal of user account(s), and turning in keys, tokens, or access cards are implemented
as needed.
Standard: Information Access Management
The practice has implemented policies and procedures for authorizing access to electronic protected health
information that are consistent with the applicable requirements of the HIPAA Privacy Rule, including minimum
necessary requirements. This standard contains the following implementation specifications.
Implementation Specifications
Isolating health care clearinghouse functions (Required): If the organization is a health care clearinghouse
and part of a larger organization, the clearinghouse must implement policies and procedures that protect the
electronic protected health information of the clearinghouse from unauthorized access by the larger
organization. If the practice has established a business associate relationship with a health care clearinghouse,
then business associate agreements must be in place as required by the HITECH Act. An important point to
consider is whether the practice shares a separate network or subsystem with a health care clearinghouse, and
if the clearinghouse is part of a larger organization, whether PHI is protected within that system.
Access authorization (Addressable): Policies and procedures for granting access to electronic protected
health information, for example, through access to a workstation, transaction, program, process, or other
mechanism, are reviewed and implemented as needed. The practice may identify who has authority to grant
access privileges, and the process used for granting access. These items should be documented.
Access establishment and modification (Addressable): Policies and procedures that are based upon the
practice’s access authorization policies to establish, document, review, and modify a user’s right of access to a
workstation, transaction, program, or process are reviewed and implemented as needed.
Standard: Security Awareness and Training
The practice has implemented a security awareness and training program for all members of its workforce
(including management). Periodic retraining should be given whenever environmental or operational changes
affect the security of ePHI. Changes may include new or updated policies and procedures; new or upgraded
software or hardware; new security technology; or changes in the Security Rule.
Implementation Specification
Security reminders (Addressable): Periodic security updates are implemented as needed. There are many
types of security reminders that the practice may choose to implement. Examples might include notices in
printed or electronic form, agenda items and specific discussion topics at monthly meetings, focused reminders
posted in affected areas, as well as formal retraining on security policies and procedures.
Protection from malicious software (Addressable): Procedures for guarding against, detecting, and
reporting malicious software are implemented as needed. Malicious software can be thought of as any program
that harms information systems, such as viruses, Trojan horses, or worms. As a result of an unauthorized
infiltration, ePHI and other data can be damaged or destroyed, or at a minimum, require expensive and time-consuming
repairs. Malicious software is frequently brought into an organization through e-mail attachments
and programs that are downloaded from the internet. Under the Security Awareness and Training standard, the
workforce must also be trained regarding its role in protecting against malicious software and system protection
capabilities. It is important to note that training must be an ongoing process.
Log-in monitoring (Addressable): Procedures for monitoring log-in attempts and reporting discrepancies are
implemented as needed. Typically, an inappropriate log-in attempt involves someone entering multiple
combinations of usernames and/or passwords in order to gain access to a system. Fortunately, many information
systems can be set to identify multiple unsuccessful attempts to log in. Other systems might record the
attempts in a log or audit trail. Still others might require resetting of a password after a specified number of
unsuccessful log-in attempts.
Password management (Addressable): Procedures for creating, changing, and safeguarding passwords are
implemented as needed. Users should be trained on how to safeguard the information. Users should not be
allowed to share passwords, and they should not be written down in areas where others can view them.
Standard: Security Incident Procedures
Implement policies and procedures to address security incidents. All incidents will be documented.
Implementation Specification
Response and Reporting (Required): The practice identifies and responds to suspected or known security
incidents; mitigates, to the extent practicable, harmful effects of security incidents that are known to the covered
entity; and documents security incidents and their outcomes. Procedures address how to identify security
incidents and provide that the incident be reported to the appropriate person.
Standard: Contingency Plan
Policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism,
system failure, and natural disaster) that damages systems that contain electronic protected health information
are established (and implemented as needed).
Implementation Specification
Data backup plan (Required): Procedures are established and implemented to create and maintain
retrievable exact copies of electronic protected health information. The practice must consider all important
sources of data such as patient accounting systems, electronic medical records, health maintenance and case
management information, digital recordings of diagnostic images, electronic test results, or any other electronic
documents created or used. Storage of backups must be in a safe, secure location. The practice also
determines the frequency of backups.
Disaster recovery plan (Required): Procedures are established (and implemented as needed) to restore any
loss of ePHI.
Emergency mode operation plan (Required): Procedures are established (and implemented as needed) to
enable continuation of critical business processes for protection of the security of electronic protected health
information while operating in emergency mode. The practice determines if any alternative security measures
are needed to protect ePHI.
Testing and revision procedures (Addressable): Implement procedures for periodic testing and revision of
contingency plans — this includes the Data Backup Plan, Disaster Recovery Plan, and Emergency Mode
Operations Plan. Disaster recovery and emergency mode operations plans might be tested by using a
scenario-based walk-through, or by performing complete live tests.
Applications and data criticality analysis (Addressable): Assess the relative criticality of specific
applications and data in support of other contingency plan components. The practice may identify software
applications (data applications that store, maintain or transmit ePHI) and determine how important each is to
patient care and business needs in order to prioritize for data backup, disaster recovery and/or emergency
operations plans.
Standard: Evaluation (Required)
Periodic technical and non-technical evaluations are performed, based initially upon the standards implemented
under this rule and subsequently in response to environmental or operational changes affecting the security of
electronic protected health information, that establish the extent to which an entity’s security policies and
procedures meet the requirements of the Security Rule. According to guidance issued by the Centers for
Medicare and Medicaid Services, the evaluation should be performed on a scheduled basis, such as annually
or every two years.
Standard: Business Associate Contracts and Other Arrangements
The practice, in accordance with the Security Rule, may permit a business associate to create, receive,
maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered
entity obtains satisfactory assurances that the business associate will appropriately safeguard the information.
A covered entity is not required to obtain such satisfactory assurances from a business associate that is a
subcontractor. A business associate may permit a business associate that is a subcontractor to create, receive,
maintain or transmit ePHI on its behalf only if the business associate obtains satisfactory assurances, in
accordance with §164.314(a), that the subcontractor will appropriately safeguard the information.
Implementation specifications
Written contract or other arrangement (Required): Satisfactory assurances required by this standard are
documented through a written contract or other arrangement with the business associate that meets the
applicable requirements of §164.314(a).
INFORMATION SECURITY RISK ANALYSIS POLICY
REFERENCE: HIPAA SECURITY §164.308
PURPOSE
The Risk Analysis Policy documents the commitment of Vivek Doppalapudi, DDS MS PC to conduct regular
assessments of the risks to the confidentiality, integrity and availability of its Confidential Information, in
accordance with Vivek Doppalapudi, DDS MS PC’s Information Security Risk Management Policy. “Confidential
Information” means protected health information, financial information, confidential and proprietary information
of Vivek Doppalapudi, DDS MS PC.
In addition to regular risk assessments, a risk analysis may be performed whenever environmental or operational
changes have occurred that might impact the system security. Vivek Doppalapudi, DDS MS PC will take
reasonable steps to ensure the risk analysis is completed, documented, and remediated in accordance with the
Vivek Doppalapudi, DDS MS PC Information Security Risk Management Policy. This policy complies with the
HIPAA Security Regulation, Section 45 CFR 164.308(a)(1)(ii)(A), Implementation Specification for Security
Management Standard.
POLICY:
Risk Analysis Requirements and Responsibilities
1. Vivek Doppalapudi, DDS MS PC identifies and prioritizes the risks to the confidentiality, integrity and
availability of the Confidential Information on an ongoing basis.
2. A documented risk analysis process is used as the basis for the identification, definition and prioritization
of risks to the Confidential Information. The risk analysis process should include the following:
  a. Identification and prioritization of the threats to the Confidential Information.
  b. Identification and prioritization of the vulnerabilities of the Confidential Information.
  c. Identification of the probability that a threat will exploit a vulnerability of the Confidential Information.
  d. Identification of the impact to the confidentiality, integrity and availability of the Confidential Information, if
  a threat exploits a specific vulnerability.
  e. Identification and definition of measures used to protect the confidentiality, integrity and availability of the
  Confidential Information.
3. Vivek Doppalapudi, DDS MS PC conducts risk assessments on an ongoing basis. The risk assessment
is used with the Vivek Doppalapudi, DDS MS PC Information Security Risk Management Policy to
identify, select and implement appropriate security measures to protect the confidentiality, integrity and
availability of the Confidential Information.
4. Vivek Doppalapudi, DDS MS PC may require an updated risk analysis when environmental or
operational changes arise that may impact the confidentiality, integrity or availability of the confidential
data. Such changes include:
  a. New threats or risks that impact the Confidential Information.
  b. A security incident that impacts the Confidential Information.
  c. A breach of unsecured protected health information as defined in the Health Information Technology for
  Economic and Clinical Health Act of 2009 (HITECH).
  d. Changes to Vivek Doppalapudi, DDS MS PC information security requirements or responsibilities that
  impact the Confidential Information.
  e. Changes to Vivek Doppalapudi, DDS MS PC’s organizational or technical infrastructure that impact the
  Confidential Information.
5. The risk analysis completed by Vivek Doppalapudi, DDS MS PC is based on the following steps:
  a. Inventory – An ongoing inventory of Vivek Doppalapudi, DDS MS PC Systems that process Confidential
  Information and the security measures implemented to protect those systems will be conducted.
  b. Security measures analysis – The security measures already implemented are to be analyzed for
  adequacy of protection. Such measures include both preventative and forensic controls.
  c. Risk likelihood determination – The identified risks are rated by assigning a ratio or percentage that
  indicates the probability that a vulnerability is exploited by an actual threat. Three factors are considered
  when assigning the rating: 1) type of vulnerability, 2) existence and effectiveness of current security
  controls, and 3) threat motivation and capability.
  d. Vulnerability identification – Vulnerabilities of Vivek Doppalapudi, DDS MS PC’s systems are to be
  identified.
  e. Threat identification – Potential threats to the confidentiality, integrity and availability of Vivek
  Doppalapudi, DDS MS PC’s data (whether natural, human, or environmental) are to be identified.
  f. Impact analysis – The impact analysis determines the effect on the confidentiality, integrity or availability
  of the Confidential Information that results from a successfully exploited vulnerability.
  g. Risk determination – The information obtained in the six steps above will be used by Vivek Doppalapudi,
  DDS MS PC to identify the level of risk to the Confidential Information. Vivek Doppalapudi, DDS MS PC
  makes a risk determination based on:
    i. The likelihood a certain threat will attempt to exploit a vulnerability.
    ii. The likely level of impact should the threat successfully exploit the vulnerability.
    iii. The adequacy of protective security measures.
6. The results of the risk analysis conducted by Vivek Doppalapudi, DDS MS PC are to be documented in
writing, and maintained in a secure fashion.
7. Following the risk analysis, a Plan will be developed and implemented.
Please refer to the “Forms” section to find the “HIPAA Security Risk Analysis Tool” form.
Please refer to the “Forms” section to find the “Security Standards Matrix” form.
INFORMATION SECURITY RISK MANAGEMENT POLICY
REFERENCE: HIPAA SECURITY §164.308
PURPOSE
The Information Security Risk Management Policy defines the process by which Vivek Doppalapudi, DDS MS
PC selects and implements security measures sufficient to reduce the risks to Vivek Doppalapudi, DDS MS
PC’s electronic Confidential Information. Confidential Information means protected health information, financial
information, confidential and proprietary information (“Confidential Information”).
The Risk Management process implemented by Vivek Doppalapudi, DDS MS PC will be based on Vivek
Doppalapudi, DDS MS PC’s risk analysis, as defined in the Vivek Doppalapudi, DDS MS PC Information
Security Risk Analysis Policy, and will involve a documented process that is used as a basis for selection and
implementation of security measures.
This policy complies with Administrative Safeguard Section 45 CFR 164.308(a)(1)(ii)(B) of the HIPAA Security
Regulation, Implementation Specification for Security Management Standard.
POLICY:
Information Security Risk Management Roles and Responsibilities
1. Vivek Doppalapudi, DDS MS PC will implement logical processes and technical controls to reduce the
risks to the Confidential Information to a reasonable and appropriate level.
2. The Risk Management process implemented by Vivek Doppalapudi, DDS MS PC is based on a
documented process that is used as a basis for selection and implementation of the security measures.
Vivek Doppalapudi, DDS MS PC’s Risk Management process includes the following:
  a. Assessment and prioritization of the risks to Vivek Doppalapudi, DDS MS PC’s systems storing,
  processing or transmitting Confidential Information
  b. Selection and implementation of reasonable, appropriate and cost-effective security measures to
  manage, mitigate or accept identified risks
  c. Security training and awareness on implemented security measures to Vivek Doppalapudi, DDS MS
  PC’s workforce members
  d. Documentation of the process and its results
  e. Ongoing evaluation and revision of Vivek Doppalapudi, DDS MS PC’s security measures, as necessary
3. The results of the Risk Management process are documented in writing, and reviewed and maintained
by the Privacy Officer or Security Officer.
INFORMATION SECURITY DISCIPLINARY ACTION POLICY
REFERENCE: HIPAA SECURITY §164.308
PURPOSE
The information and information systems that Vivek Doppalapudi, DDS MS PC relies on contain sensitive data
that must be protected. Pursuant to the Health Insurance Portability and Accountability Act (HIPAA), specific
disciplinary action must be administered to users who violate security policies, to a degree commensurate
with the seriousness of the violation. These disciplinary actions are key in ensuring that specific violations
are not repeated.
This policy addresses all violations pertaining to Confidential Information in any form, and is not limited to only
electronic information. “Confidential Information” means protected health information, financial information,
confidential and proprietary information. This policy addresses every user including, but not limited to,
employees, volunteers, consultants, or temporary workers.
POLICY:
Roles and Responsibilities
1. The Disciplinary Officer will oversee and administer all disciplinary action taken as a result of any
violation of a security policy to ensure that actions are taken in accordance with applicable law, and to
ensure consistent, fair and just action is taken at all levels. @DISCIPLINARY@ has been named as the
Disciplinary Officer, and is responsible for establishing disciplinary action to be carried out consistently.
This individual may be the Privacy Officer, Security Officer, or another member of management.
2. For those actions that involve violations or suspected violations of a privacy policy, @DISCIPLINARY@
will consult with, and involve, if necessary, other members of management.
3. In any circumstance where Federal, State or local law has been broken, a discussion between the
Privacy Officer, Security Officer, and appropriate management shall take place before any outside
authorities are contacted.
4. The Privacy Officer (if not the same person) has the responsibility to communicate the level of
seriousness of the violation to @DISCIPLINARY@. Any communication to any user regarding a breach
or violation of policy will be administered through the Disciplinary Officer.
5. It is the responsibility of the Disciplinary Officer to ensure that all users are acquainted with all
Information Security Policies and Procedures.
6. If this policy is violated by a third party, which would include but not be limited to volunteers, temporary
workers, consultants, or other third party contractors, the management that oversees those workers will
be responsible for notification.
7. The Privacy Officer will be consulted in all security incidents or incidents of unauthorized access, use or
disclosure, and will be responsible for documenting all incidents.
Levels of Violation
Level 1 – A violation that is considered to be minor and usually accidental. This type of incident can
result from accidental misuse of information, carelessness, or a lack of security awareness education.
These types of violations are not considered a direct threat to security or privacy, although each case
must be examined. Repeat incidents from these types of violations from the same user or area may
indicate a more serious problem that may need to be addressed differently. Additionally, a user that
repeats the same violation requires a more stringent disciplinary action.
Some examples of Level 1 violations are as follows:
  a. User fails to log off of a session, terminal or application when left unattended. This can allow another
  user to access Confidential Information to which they are not entitled, or to enter orders without
  responsibility.
  b. User fails to protect Confidential Information in a reasonable manner, resulting in an inadvertent “leak”
  or disclosure.
  c. The use of organizational resources to send non-business related e-mail such as newsletters, chain
  letters, personal announcements, or attachments of a non-business related nature.
Level 2 – This type of incident usually occurs from intentional disregard of established Information
Security policy or procedure. The user is aware of the security policies and procedures, but is willing to
circumvent them in order to achieve a personal goal.
Some examples of Level 2 violations are as follows:
  a. Accessing any Confidential Information without following the proper documented procedure. This can
  be done by intentionally attempting to circumvent procedures, such as viewing Confidential Information
  without authorization or knowingly using a workstation logged on with another user’s credentials to
  access Confidential Information.
  b. Accessing Confidential Information that is not under the direct care and/or supervision of the user, or
  accessing the record of any patient that would not normally be accessed in the normal course of his or
  her job responsibilities. This would include, but not be limited to, a user accessing birth dates or addresses
  of friends or relatives, or accessing records out of curiosity.
  c. Collecting Confidential Information on any patient or sets of patients without permission outside of the
  scope of job responsibilities.
  d. Releasing records or other Confidential Information in an inappropriate manner.
  e. Using access granted under established policies for a purpose other than the one intended. For example, a
  user who was given access to a restricted device such as a CD-ROM drive to read updates to manuals now
  uses it to load software or other copyrighted material without permission.
  f. Loading or utilizing any software or copyrighted material without proper authorization and licensing
  agreements.
  g. Storing or retaining any sexually explicit or pornographic material from any other user or source.
  h. Discouraging, willfully prohibiting or preventing a user from reporting a security concern.
  i. A user accesses a record or other Confidential Information on behalf of another user who would not
  normally have access under normal circumstances.
  j. A user allows another user to use his or her login ID and/or password to gain access to information.
  k. Visiting inappropriate sites on the internet or attempting to bypass web filtering.
  l. Modifying system logs to mask inappropriate behavior by the user or another party.
Level 3 – The intentional actions of any user who accesses, reviews, discloses, or discusses
patient information for personal gain, or with malicious intent. This type of incident is considered to be the
most serious and must be dealt with accordingly. It could cause personal damage to some party, and
fines and/or civil action against the organization as well as the violator.
Some examples of Level 3 violations are as follows:
  a. Intentionally releasing personal, corporate, or medical information for personal gain or profit.
  b. Collecting information such as lists of patients or mailing addresses for personal gain or profit.
  c. Intentionally destroying or altering any Confidential Information or information system with intent to harm.
  d. Releasing Confidential Information of any individual with the intent to cause harm or adverse publicity, or
  for personal profit or gain.
  e. Intentionally attempting to bypass security controls and attempting to gain unauthorized entry into a
  system by utilizing methodologies such as password guessing, or by attempting to cause a system
  slowdown by tying up resources.
  f. Releasing any other information or intellectual property in an unauthorized manner, including, but not
  limited to, software design, system design, security advantages or disadvantages of the network,
  application or system, financial information, or corporate information.
  g. Sending or displaying any sexually explicit or pornographic material to any other person, whether
  internal or external, while utilizing organization resources.
INFORMATION SECURITY AUDIT CONTROLS & SYSTEMS ACTIVITY REVIEW POLICY
REFERENCE: HIPAA SECURITY §164.308
PURPOSE
This policy details the requirements of Vivek Doppalapudi, DDS MS PC for IT audit controls, and monitoring
and review of system activity to safeguard systems that contain Confidential Information, such as electronic
protected health information (“ePHI”) and personally identifiable information (“PII”).
The policy complies with HIPAA Security Regulations, Technical Safeguards, 45 C.F.R. 164.312(b). In addition,
this policy supports the Information Security Breach Notification, the Health Information Technology for
Economic and Clinical Health Act (HITECH) and other state laws that require safeguards in systems that
contain Confidential Information.
POLICY:
Vivek Doppalapudi, DDS MS PC will implement, where technically feasible, appropriate hardware, software or
procedural mechanisms on all systems containing Confidential Information, and will review the logs created by
these audit mechanisms on an ongoing basis.
The term “ePHI” refers to electronic protected health information that Vivek Doppalapudi, DDS MS PC receives,
maintains or transmits. “PII” refers to personal information that can identify an individual, combined with one or
more data elements such as a Social Security number, driver’s license ID (or non-driver id card), or financial
information such as bank account numbers, and credit/debit card information.
Requirements and Responsibilities
1. Vivek Doppalapudi, DDS MS PC records and reviews significant activity on all of its systems that contain
Confidential Information.
2. Vivek Doppalapudi, DDS MS PC will conduct a risk analysis, to identify and define what constitutes
“significant or unusual activity” on any information system, repository or conduit that contains
Confidential Information.
3. Vivek Doppalapudi, DDS MS PC must implement appropriate hardware, software and procedural
mechanisms on any information system, repository or conduit that contains Confidential Information to
log all access. At a minimum, such logs should contain the following information:
Date and time of activity;
Origin of activity (e.g., IP address, workstation ID);
Identification of individual performing activity;
Description of activity (view, modification of data, etc.);
Identity of the individual whose private information was accessed.
4. In addition to logging authorized access of Confidential Information, Vivek Doppalapudi, DDS MS PC will
also monitor and log its systems to provide additional information for detecting and analyzing suspicious
activity by logging, where possible, information such as:
Access of data (e.g. sensitive ePHI or Confidential Information);
Use of software programs or utilities (e.g. system logs);
Use of privileged accounts;
Identification of administrator activity (e.g. account or access creation, modification, or deletion);
System start up or shutdown;
Failed authentication attempts;
Deletion of Confidential Information.
5. The appropriate level and type of auditing that is required is determined by a risk analysis which takes
into consideration the following factors:
The merit or sensitivity of the information on the systems.
The importance of the applications operating on the information systems.
The degree to which the information systems are connected to other systems and the degree to
which that connection poses a risk to the system.
6. Vivek Doppalapudi, DDS MS PC implements and documents a process for regular review of all audit
logs. This process may be contained in-house or an outside party may be engaged to perform log
analysis and correlation. The documented procedure must identify:
Workforce members, or the third party responsible for reviewing logs;
Specific logs which are included in the review;
Frequency of the review (weekly, daily, real-time 24x7, etc.);
Response to incidents detected by log review;
Audit record retention period.
7. Vivek Doppalapudi, DDS MS PC’s workforce members cannot be responsible for reviewing audit logs
that pertain to their system activities, and the administrator of a particular system may not be responsible
for auditing the logs for that same system.
8. Audit logs must be stored in such a way that they cannot be deleted or modified in any way.
The following procedures are in place to regularly review records of information system activity:
@ISAPROC@
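The logging requirements above (the minimum record content in item 3, the failed-authentication monitoring in item 4 and the Log-in monitoring specification, and the tamper-resistance requirement in item 8) can be checked mechanically. The following is an added example written for this policy; it is not the practice’s own code nor part of any vendor product. The record layout, field names, the constructed sample records and the five-failures-in-ten-minutes threshold are assumptions chosen for illustration; the practice sets its own values through the risk analysis described in item 2.

```python
"""Checks for the access-logging, log-in monitoring and log-integrity requirements.

Added example for this policy; not the practice's own code or any vendor product.
The record layout, key names, constructed sample records and the
five-failures-in-ten-minutes threshold are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import hashlib
import json

# Minimum content of an access-log record (policy item 3), keyed by the
# assumed field names used in the constructed records below.
REQUIRED_FIELDS = {
    "timestamp": "date and time of activity",
    "origin": "origin of activity (IP address / workstation ID)",
    "user": "identification of individual performing activity",
    "action": "description of activity",
    "subject": "identity of the individual whose information was accessed",
}

# Constructed sample log; users, addresses and patient identifiers are fictitious.
SAMPLE_LOG = [
    {"timestamp": "2013-02-22T08:00:05", "origin": "10.0.0.12", "user": "frontdesk1",
     "action": "login_failed", "subject": None},
    {"timestamp": "2013-02-22T08:00:41", "origin": "10.0.0.12", "user": "frontdesk1",
     "action": "login_failed", "subject": None},
    {"timestamp": "2013-02-22T08:01:10", "origin": "10.0.0.12", "user": "frontdesk1",
     "action": "login_failed", "subject": None},
    {"timestamp": "2013-02-22T08:01:55", "origin": "10.0.0.12", "user": "frontdesk1",
     "action": "login_failed", "subject": None},
    {"timestamp": "2013-02-22T08:02:30", "origin": "10.0.0.12", "user": "frontdesk1",
     "action": "login_failed", "subject": None},
    {"timestamp": "2013-02-22T08:05:00", "origin": "10.0.0.31", "user": "hygienist2",
     "action": "login_failed", "subject": None},
    {"timestamp": "2013-02-22T08:05:20", "origin": "10.0.0.31", "user": "hygienist2",
     "action": "login_ok", "subject": None},
    {"timestamp": "2013-02-22T08:06:02", "origin": "10.0.0.31", "user": "hygienist2",
     "action": "view", "subject": "patient-0001"},
    # Deliberately incomplete record: the origin field the policy requires is absent.
    {"timestamp": "2013-02-22T08:07:15", "user": "billing1",
     "action": "modify", "subject": "patient-0002"},
]


def validate_record(record):
    """Return descriptions of the required fields a record lacks ([] when complete)."""
    return [desc for key, desc in REQUIRED_FIELDS.items() if key not in record]


def detect_failed_logins(records, threshold=5, window=timedelta(minutes=10)):
    """Flag users with `threshold` or more failed log-ins inside a sliding `window`.

    Returns {user: (failures_in_window, sorted_origins)} for each flagged user.
    """
    recent = defaultdict(list)   # user -> failure timestamps still inside the window
    origins = defaultdict(set)   # user -> where the failures came from
    flagged = {}
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        if rec.get("action") != "login_failed":
            continue
        user = rec["user"]
        ts = datetime.fromisoformat(rec["timestamp"])
        origins[user].add(rec.get("origin", "unknown"))
        # keep only failures that are still inside the window ending at `ts`
        recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
        if len(recent[user]) >= threshold:
            flagged[user] = (len(recent[user]), sorted(origins[user]))
    return flagged


def chain_records(records):
    """Hash-chain the log so editing or deleting an entry breaks every later digest."""
    entries, prev = [], "0" * 64
    for rec in records:
        payload = json.dumps(rec, sort_keys=True, separators=(",", ":"))
        digest = hashlib.sha256((prev + payload).encode()).hexdigest()
        entries.append({"record": rec, "prev": prev, "digest": digest})
        prev = digest
    return entries


def verify_chain(entries):
    """Return the index of the first entry that fails verification, or -1 if intact."""
    prev = "0" * 64
    for i, entry in enumerate(entries):
        payload = json.dumps(entry["record"], sort_keys=True, separators=(",", ":"))
        expected = hashlib.sha256((prev + payload).encode()).hexdigest()
        if entry["prev"] != prev or entry["digest"] != expected:
            return i
        prev = entry["digest"]
    return -1


def tamper_check(records, index, new_action):
    """Alter one stored record after chaining and report where verification first fails."""
    entries = chain_records(records)
    altered = dict(entries[index]["record"], action=new_action)
    entries[index] = dict(entries[index], record=altered)
    return verify_chain(entries)


if __name__ == "__main__":
    for i, rec in enumerate(SAMPLE_LOG):
        missing = validate_record(rec)
        if missing:
            print(f"record {i} is missing: {', '.join(missing)}")
    for user, (count, where) in detect_failed_logins(SAMPLE_LOG).items():
        print(f"review: {count} failed log-ins for {user} from {where}")
    print("chain intact:", verify_chain(chain_records(SAMPLE_LOG)) == -1)
    print("tampered entry detected at index:", tamper_check(SAMPLE_LOG, 2, "login_ok"))
```

The hash chain illustrates the intent of item 8 rather than a complete solution: it makes any edit or deletion detectable by whoever holds the latest digest, but it does not by itself stop a system administrator from rewriting the whole chain, which is why the policy also separates the person who reviews a system’s logs from the person who administers that system (item 7) and why copies of the chain head should be kept off the logged system.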
POLICY ENFORCEMENT
Anyone who violates this policy will be subject to disciplinary action, up to and including termination of
employment.
Anyone who knows or has reason to believe that another person has violated this policy should report the
matter promptly to the Privacy Officer. Any attempt to retaliate against a person for reporting a violation of this
policy will itself be considered a violation of this policy that may result in disciplinary action up to and including
termination of employment.
ASSIGNED SECURITY RESPONSIBILITY POLICY
REFERENCE: HIPAA SECURITY §164.308
PURPOSE
The Assigned Security Responsibility Policy is a reflection of Vivek Doppalapudi, DDS MS PC’s commitment to
selecting and assigning a single official for the responsibility of developing and implementing Vivek
Doppalapudi, DDS MS PC’s Information Security policies and procedures to protect the confidentiality, integrity,
and availability of the data and Confidential Information of Vivek Doppalapudi, DDS MS PC. “Confidential
Information” includes information such as protected health information and financial information.
Vivek Doppalapudi, DDS MS PC has named Dr. Vivek Doppalapudi as the Security Officer.
The HIPAA Security Regulations, Administrative Safeguards, Section 45 C.F.R. 164.308(a)(2), require
Vivek Doppalapudi, DDS MS PC to “Identify the security official who is responsible for the development and
implementation of the policies and procedures required by this subpart for the entity.”
POLICY:
The Vivek Doppalapudi, DDS MS PC Security Officer is responsible for developing and implementing the
necessary policies and procedures to protect the confidentiality, integrity and availability of all the data,
including all electronic protected health information (“ePHI”) that Vivek Doppalapudi, DDS MS PC creates,
receives, maintains or transmits, personally identifiable information (“PII”) related to patients and staff, financial
data, confidential business information and plans, and any and all other Confidential Information.
POLICY ENFORCEMENT:
Vivek Doppalapudi, DDS MS PC employees who violate this policy will be subject to disciplinary action, up to
and including termination of employment, or revocation of medical staff privileges with Vivek Doppalapudi, DDS
MS PC.
SECURITY OFFICER RESPONSIBILITIES
The responsibilities of the Security Officer include, but are not limited to:
1. Confirming that Vivek Doppalapudi, DDS MS PC information systems do not compromise the
confidentiality, integrity or availability of any Confidential Information. This includes all Vivek
Doppalapudi, DDS MS PC information systems, repositories and conduits that contain Confidential
Information;
2. Developing, documenting, and maintaining information security controls and system reviews that provide
cost-effective protection of information and information assets owned by, or in the custody of, Vivek
Doppalapudi, DDS MS PC without an adverse impact to patient care, and support compliance with the
HIPAA Privacy and Security Rules and other applicable regulations;
3. Confirming that Vivek Doppalapudi, DDS MS PC is compliant with the Health Insurance Portability and
Accountability Act (“HIPAA”) and Health Information Technology for Economic and Clinical Health
(“HITECH”) regulations and standards (specifically the Security Rule);
4. Confirming that Vivek Doppalapudi, DDS MS PC’s information systems support required and/or
addressable implementation specifications of the HIPAA Security Rule and Vivek Doppalapudi, DDS MS
PC’s internal security requirements;
5. Developing, documenting and disseminating appropriate security policies, procedures and standards for
users and administrators of Vivek Doppalapudi, DDS MS PC’s information systems;
6. Confirming that an inventory of Vivek Doppalapudi, DDS MS PC’s ePHI Systems is maintained and
updated on an ongoing basis;
7. Overseeing the implementation of an effective risk management program;
8. Confirming that threats and risks to the confidentiality, integrity and availability of the information received
from covered entities and information assets are monitored and evaluated;
9. Confirming that access to Confidential Information is recorded, monitored and audited to identify security
incidents and malicious activity and that, in the case of ePHI, processes are in place to provide patients
with an audit report and an accounting of disclosures;
10. Overseeing that the process of granting levels of appropriate access to information, including access
authorization, access establishment, access modification and management of passwords are in place
and developing and implementing policies and procedures to support them;
11. Overseeing the development and implementation of an effective security incident response policy and
related procedures;
12. Confirming that adequate physical security controls exist to protect the Confidential Information received
from covered entities;
13. Developing, implementing and maintaining security procedures that address contingency plans for
emergencies and disaster recovery, security incident response processes, and security incident reporting
mechanisms;
14. Conducting and/or overseeing functionality and gap analyses to determine compliance with statutory and
regulatory requirements;
15. Overseeing the development and implementation of a breach notification compliance program and
related procedures and serving on the Breach Response Team;
16. Confirming effective processes are in place to sanction employees, vendors, contractors, and volunteers;
17. In conjunction with the Privacy Officer, reporting any violations of HIPAA or HITECH to the Department of
Health and Human Services;
18. Overseeing that document and record keeping procedures are conducted in accordance with HIPAA and
HITECH, which includes working closely with computer technicians and information technology
personnel;
19. Collaborating with legal counsel regarding compliance with HIPAA and HITECH standards;
20. Maintaining a mobile device tracking log;
21. Serving as the primary authority and primary contact for managing the addition, termination, or suspension of
authorized users within the electronic system;
22. Serving as the primary contact during audits;
23. Overseeing compliance with the minimum necessary rule for the access, use and disclosure of data;
24. Developing, implementing and performing ongoing monitoring of security risk analysis / risk management
processes;
25. Overseeing data backup and storage;
26. In conjunction with the Privacy Officer, overseeing that all HIPAA and HITECH regulations and
procedures are followed by business associates and/or covered entities;
27. In conjunction with the Privacy Officer, developing and implementing employee HIPAA and breach
notification compliance training.
SECURITY AWARENESS & TRAINING POLICY
REFERENCE: HIPAA SECURITY §164.308
PURPOSE
The Security Awareness and Training policy is a reflection of Vivek Doppalapudi, DDS MS PC’s commitment to
provide security awareness and training to Vivek Doppalapudi, DDS MS PC workforce members who have
access to protected health information (PHI). “PHI” means protected health information that Vivek Doppalapudi,
DDS MS PC creates, receives, maintains or transmits.
Vivek Doppalapudi, DDS MS PC will develop, implement and provide security training and awareness to Vivek
Doppalapudi, DDS MS PC workforce members who have access to PHI. Vivek Doppalapudi, DDS MS PC
workforce members will be provided with training to enable them to appropriately protect Vivek Doppalapudi,
DDS MS PC’s PHI. New Vivek Doppalapudi, DDS MS PC workforce members will receive the appropriate
security training prior to being provided access to Vivek Doppalapudi, DDS MS PC’s PHI. Vivek Doppalapudi,
DDS MS PC will make business associates aware of Vivek Doppalapudi, DDS MS PC’s security policies and
procedures when and if appropriate. Additionally, third parties who have access to Vivek Doppalapudi, DDS MS
PC’s PHI will also be informed of Vivek Doppalapudi, DDS MS PC’s security policies and procedures when and
if appropriate and will be required to execute an Acknowledgment form indicating that they have received
certain policies and will abide by them. Documentation will be maintained regarding the individuals who have
undergone training.
Under the HIPAA Security Regulations, Administrative Safeguards, Section 45 C.F.R. 164.308(a)(5)(i), the
standard requires that Vivek Doppalapudi, DDS MS PC “Implement a security awareness and training program
for all members of a covered entity’s workforce (including management).”
POLICY:
1. Vivek Doppalapudi, DDS MS PC has developed, implemented and reviews on an ongoing basis a
documented program for providing security training and awareness to Vivek Doppalapudi, DDS MS PC
workforce members who have access to PHI, including management.
2. Vivek Doppalapudi, DDS MS PC provides workforce members who have access to PHI Systems,
including management, with training to enable them to appropriately protect the confidentiality, integrity
and availability of Vivek Doppalapudi, DDS MS PC’s PHI. Training is provided onsite at Vivek
Doppalapudi, DDS MS PC, through approved training methods. Training includes:
Vivek Doppalapudi, DDS MS PC’s security policies, procedures and standards.
The secure usage of Vivek Doppalapudi, DDS MS PC’s PHI.
Risks to the confidentiality, integrity and availability of Vivek Doppalapudi, DDS MS PC’s PHI.
Legal and business responsibilities of Vivek Doppalapudi, DDS MS PC for protecting its PHI.
Approved security practices of Vivek Doppalapudi, DDS MS PC, including procedures for guarding
against, detecting, and reporting malicious software, which are implemented as needed.
3. Vivek Doppalapudi, DDS MS PC workforce members who have access to PHI receive training on Vivek
Doppalapudi, DDS MS PC’s security measures adopted to protect the confidentiality, integrity and
availability of its PHI.
4. After the training has been conducted, Vivek Doppalapudi, DDS MS PC workforce members confirm in
writing, by signing the HIPAA and HITECH and Breach Notification Training Acknowledgement form, that
they have received the training, understand the materials presented and agree to comply with Vivek
Doppalapudi, DDS MS PC’s security policies and procedures.
5. New Vivek Doppalapudi, DDS MS PC workforce members receive the appropriate security training prior
to being provided access to Vivek Doppalapudi, DDS MS PC’s PHI. After the training has been
conducted, Vivek Doppalapudi, DDS MS PC’s new workforce members confirm, in writing, they have
received the training, understand the materials presented, and agree to comply.
6. Vivek Doppalapudi, DDS MS PC is responsible for maintaining the Acknowledgment forms.
7. Vivek Doppalapudi, DDS MS PC makes business associates aware of Vivek Doppalapudi, DDS MS PC’s
security policies and procedures when and if appropriate. This awareness is performed through
contractual language or other means.
8. Vivek Doppalapudi, DDS MS PC makes third parties who have access to Vivek Doppalapudi, DDS MS
PC’s PHI aware of its security policies and procedures when and if appropriate. Vivek Doppalapudi, DDS
MS PC workforce members who retain the services of a third party are responsible for taking reasonable
steps to ensure the third party adheres to Vivek Doppalapudi, DDS MS PC’s security policies and
procedures.
9. Vivek Doppalapudi, DDS MS PC makes its written security policies and procedures available for
reference and review by its workforce members, business associates, and third party personnel.
10. In accordance with its Breach Notification and Security Incident Response Policies, Vivek Doppalapudi,
DDS MS PC trains and reminds Vivek Doppalapudi, DDS MS PC workforce members of the proper
procedures for reporting a security incident or a breach.
11. As Vivek Doppalapudi, DDS MS PC performs system updates, employees are re-trained as needed.
12. Procedures for monitoring log-in attempts and reporting discrepancies are implemented as needed.
POLICY AUTHORITY/ENFORCEMENT:
Anyone who violates this policy will be subject to disciplinary action, up to and including termination of
employment.
Anyone who knows or has reason to believe that another person has violated this policy should report
the matter promptly to the Privacy Officer. Any attempt to retaliate against a person for reporting a
violation of this policy will itself be considered a violation of this policy that may result in disciplinary
action up to and including termination of employment with Vivek Doppalapudi, DDS MS PC.
SECURITY INCIDENT RESPONSE & REPORTING
POLICY
REFERENCE: HIPAA SECURITY §164.308
PURPOSE
The Security Incident Response & Reporting Policy is a reflection of Vivek Doppalapudi, DDS MS PC’s
commitment to promptly identify and respond to security incidents in order to protect the confidentiality, integrity
and availability of electronic protected health information (ePHI). “ePHI” means electronic protected health
information that Vivek Doppalapudi, DDS MS PC receives, maintains or transmits.
Vivek Doppalapudi, DDS MS PC will promptly identify, report, and respond to security incidents in order to
protect the confidentiality, integrity and availability of Vivek Doppalapudi, DDS MS PC’s ePHI Systems and
Confidential Information. “ePHI Systems” means Vivek Doppalapudi, DDS MS PC’s information systems,
repositories and conduits that contain ePHI. Vivek Doppalapudi, DDS MS PC will perform an investigation
when evidence shows that a security incident has occurred and will respond to the security incident.
“Confidential Information” means protected health information and financial information.
This policy complies with HIPAA Security Regulations, Administrative Safeguards, Implementation Specification
for Security Incident Procedures Standard 45 C.F.R. 164.308(a)(6)(i) and 45 C.F.R. 164.308(a)(6)(ii).
POLICY:
1. Vivek Doppalapudi, DDS MS PC promptly identifies and responds to security incidents in order to protect
the confidentiality, integrity and availability of its ePHI Systems.
2. Vivek Doppalapudi, DDS MS PC has implemented a documented process for promptly identifying
security incidents. The process includes:
Risk analysis of Vivek Doppalapudi, DDS MS PC’s electronic protected health information (ePHI)
Systems. “ePHI” means electronic protected health information that Vivek Doppalapudi, DDS MS
PC receives, maintains or transmits. “ePHI Systems” means Vivek Doppalapudi, DDS MS PC’s
information systems, repositories and conduits that contain ePHI.
On the basis of the risk analysis, identify what events constitute a security incident in the context of
Vivek Doppalapudi, DDS MS PC’s operations.
Analyze, identify and report a security incident.
Train workforce members on reporting security incidents.
Implement a process to allow access by an appropriately authorized and trained workforce member
or vendor to affected ePHI Systems to respond to and recover from a security incident.
Mitigate the harmful effects of a security incident, including minimizing its impact and preventing
additional damage.
Collect and preserve evidence of a security incident.
Assess a security incident and implement security controls to prevent a recurrence.
3. Vivek Doppalapudi, DDS MS PC conducts an investigation when a security incident has occurred. The
investigation seeks appropriate information on the basis of which the vulnerability which led to the
incident can be identified, so that reasonable steps are taken to ensure that the harmful effects of the security
incident are mitigated and that security controls are implemented to mitigate the vulnerability and prevent
recurrence. No workforce member will prohibit or otherwise attempt to hinder or prevent another
Vivek Doppalapudi, DDS MS PC workforce member from reporting a security incident.
A possible security incident is reported to @SECINCPERS@
The following procedures are in place to report a possible security incident:
@SECINC@
DATA BACKUP & STORAGE POLICY
REFERENCE: HIPAA SECURITY §164.308
PURPOSE
The Data Backup and Storage Policy defines the procedures that Vivek Doppalapudi, DDS MS PC requires for
protecting the availability of Vivek Doppalapudi, DDS MS PC’s electronic data when planned activities may
impact it, or in response to a disaster. Electronic data means the critical and Confidential Information
maintained or stored electronically. “Confidential Information” means electronic protected health information,
financial information, confidential and proprietary information.
This policy complies with the HIPAA Security Regulation, under the Physical Safeguards requirements, Section
45 CFR 164.310(d)(2)(iv), Implementation Specification for Device and Media Controls Standard, which
requires Vivek Doppalapudi, DDS MS PC to, “Create a retrievable, exact copy of electronic protected health
information, when needed, before movement of equipment” and the Administrative Safeguards requirements,
Section 45 CFR 164.308(a)(7), Data Backup Plan, which requires the establishment and implementation of
“procedures to create and maintain exact retrievable copies of electronic protected health information.”
POLICY:
Data Backup & Storage Responsibilities
1. Vivek Doppalapudi, DDS MS PC makes exact, retrievable backup copies of all electronic data.
2. The backup process includes electronic data stored on hardware or electronic media, such as:
Computers
Floppy disks
Backup tapes
DVDs and CDs
Zip drives
Portable hard drives (such as USB drives)
PDAs, and smart phones
3. Vivek Doppalapudi, DDS MS PC takes reasonable steps to ensure that all electronic data that is backed
up in connection with movement of equipment into, out of, or within its facilities can be recovered
following a disaster or other emergency, or a failure of the equipment during movement.
4. If applicable, Vivek Doppalapudi, DDS MS PC has contracted with a secure offsite storage facility and
transportation company to securely transport and store backup copies of its data. Vivek Doppalapudi,
DDS MS PC ensures that all storage facility and transportation companies enter into Business Associate
Agreements with Vivek Doppalapudi, DDS MS PC, and requires that each storage facility or
transportation company implement appropriate administrative, technical and physical safeguards to
ensure the confidentiality of the data.
5. Vivek Doppalapudi, DDS MS PC will store its backup copies of data and its records of the backup copies
and restoration procedures in a secure remote location, within sufficient distance from Vivek
Doppalapudi, DDS MS PC’s facilities to allow for prompt retrieval in the event of a disaster or other
emergency, or a failure of the equipment, during movement.
6. Vivek Doppalapudi, DDS MS PC will make the backup copies of data stored at the remote location
accessible only to authorized workforce members for retrieval when needed in the event of a disaster or
other emergency, or a failure of the equipment, during movement.
7. Vivek Doppalapudi, DDS MS PC will test the backup and restoration procedures on a regular basis.
Vivek Doppalapudi, DDS MS PC will take reasonable steps to ensure that the procedures are effective
and can be completed within a reasonable amount of time.
Vivek Doppalapudi, DDS MS PC’s data back-ups are conducted in the following manner:
@BACKUPS@
Vivek Doppalapudi, DDS MS PC’s data back-ups are tested and documented as follows:
@BACKUPDOC@
DISASTER RECOVERY PLAN POLICY
REFERENCE: HIPAA SECURITY §164.308
PURPOSE
The Disaster Recovery Plan Policy documents Vivek Doppalapudi, DDS MS PC’s detailed and documented
disaster recovery plans to facilitate the recovery of any lost, damaged or corrupted data, and business critical
systems (“systems”) in a disaster or other emergency.
This policy complies with Administrative Safeguard Section 45 C.F.R 164.308(a)(7)(ii)(B), Implementation
Specification for Contingency Plan Standard of the HIPAA Security Regulation.
POLICY:
Disaster Recovery Plan Requirements and Responsibilities
1. Vivek Doppalapudi, DDS MS PC will maintain a documented disaster recovery plan to recover systems
that are lost, damaged or corrupted in the event of a disaster or other emergency.
2. The disaster recovery plan should include:
The conditions under which the disaster recovery plan may be activated;
Vivek Doppalapudi, DDS MS PC’s staff members’ roles and responsibilities in executing the disaster
recovery plan;
Recommended procedures outlining the actions to be taken to restore systems, and to return those
systems to normal operations, within acceptable and defined timeframes;
The sequence in which systems must be restored;
Acceptable methods for reporting and notification;
In the event of a disaster or other emergency, procedures for granting appropriate specified staff
members physical access to Vivek Doppalapudi, DDS MS PC’s facilities and to any backup media on
which systems are stored (whether onsite or offsite), in order to carry out the recovery plan;
Testing procedures that specify how and when disaster recovery drills and tests of the plan will be
conducted.
3. Vivek Doppalapudi, DDS MS PC will provide regular training and awareness on the disaster recovery
plan to appropriate staff members.
4. Vivek Doppalapudi, DDS MS PC provides current copies of the Disaster Recovery Plan to appropriate
staff members. Copies of the Disaster Recovery Plan are also kept off-site.
Vivek Doppalapudi, DDS MS PC’s documented Disaster Recovery Plan, which focuses on restoring the
organization’s PHI, and the date it was last reviewed and tested, are:
@DISRECPLAN@
EMERGENCY MODE OPERATIONS POLICY
REFERENCE: HIPAA SECURITY §164.308
PURPOSE
The Emergency Mode Operations Policy is a reflection of Vivek Doppalapudi, DDS MS PC’s commitment to
take reasonable steps to ensure that in the event of a disaster or other emergency, appropriate Vivek
Doppalapudi, DDS MS PC workforce members can enter its facilities to take the necessary actions
documented in its Disaster Recovery Plan.
Vivek Doppalapudi, DDS MS PC will implement a documented procedure for allowing designated workforce
members to enter Vivek Doppalapudi, DDS MS PC facilities to take necessary actions as documented in its
Disaster Recovery Plan in order to protect the confidentiality, availability and integrity of electronic protected
health information (ePHI) while operating in emergency mode. “ePHI” means electronic protected health
information that Vivek Doppalapudi, DDS MS PC creates, receives, maintains or transmits.
The HIPAA Security Regulations, Physical Safeguards, Implementation Specification for Facility
Access Controls Standard under section 45 C.F.R. 164.310(a)(2)(i), require that Vivek Doppalapudi, DDS MS
PC “Establish (and implement as needed) procedures that allow facility access in support of restoration of lost
data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.”
POLICY:
1. Vivek Doppalapudi, DDS MS PC takes reasonable steps to ensure that in the event of a disaster or
emergency, appropriate workforce members can enter its facilities to take the necessary actions as
documented in its Disaster Recovery Plan.
2. Based on its Disaster Recovery Plan, Vivek Doppalapudi, DDS MS PC develops, implements and
periodically reviews a documented procedure to allow authorized workforce members access to Vivek
Doppalapudi, DDS MS PC’s facilities to support restoration of lost data. Vivek Doppalapudi, DDS MS PC
defines workforce members’ roles in its Disaster Recovery Plan, and addresses all facilities, ePHI
Systems and electronic media involved. Vivek Doppalapudi, DDS MS PC’s Disaster Recovery Plan
defines how the actions taken by such workforce members are tracked and logged, and how
unauthorized accesses can be detected and prevented.
3. In the event of a disaster or other emergency, only authorized Vivek Doppalapudi, DDS MS PC
workforce members are permitted to administer or modify processes and controls that protect the
security of ePHI.
4. Vivek Doppalapudi, DDS MS PC tests the Emergency Mode Operations Plan.
POLICY ENFORCEMENT:
The Vivek Doppalapudi, DDS MS PC Privacy Officer has general responsibility for implementation of this
policy. Members of the Vivek Doppalapudi, DDS MS PC staff who violate this policy will be subject to
disciplinary action in accordance with the Information Security Disciplinary Action Policy, up to and
including termination of employment, contract or medical staff privileges with Vivek Doppalapudi, DDS
MS PC.
Anyone who knows or has reason to believe that another person has violated this policy should report
the matter promptly to his or her supervisor or the Vivek Doppalapudi, DDS MS PC Privacy Officer. Any
attempt to retaliate against a person for reporting a violation of this policy will itself be considered a
violation of this policy that may result in disciplinary action up to and including termination of employment
or contract with Vivek Doppalapudi, DDS MS PC.
Vivek Doppalapudi, DDS MS PC’s documented Emergency Mode Operating Procedures that focus on
maintaining and protecting critical functions that protect the security of protected health data are:
@EMOPROC@
The staff member(s) responsible for implementing these procedures and their role assignments are:
@EMOSTAFF@
Vivek Doppalapudi, DDS MS PC’s Emergency Mode Operation Plan was last reviewed and tested on:
@EMODATE@
INFORMATION SECURITY EVALUATION POLICY
REFERENCE: HIPAA SECURITY §164.308
PURPOSE
The Information Security Evaluation Policy details the periodic technical and non-technical evaluations of
security safeguards that Vivek Doppalapudi, DDS MS PC performs in order to demonstrate and document the
extent of its compliance with security policies, the HIPAA Security Regulations, and all other applicable and
appropriate local, state, and federal Regulations that pertain to Information Security Controls.
POLICY:
Vivek Doppalapudi, DDS MS PC will conduct periodic technical and non-technical evaluations of security
safeguards in order to demonstrate and document the extent of its compliance with HIPAA Security
Regulations, and all other applicable regulations that pertain to information security controls.
This policy supports HIPAA Security Regulations, Administrative Safeguards Standard, 45 CFR 164.308(a)(8)(i),
which requires that Vivek Doppalapudi, DDS MS PC: “Perform a periodic technical and non-technical
evaluation, based initially upon the standards implemented under this rule and subsequently, in response to
environmental or operational changes affecting the security of electronic protected health information that
establishes the extent to which an entity’s security policies and procedures meet the requirements of this
subpart.”
General
1. Vivek Doppalapudi, DDS MS PC will conduct periodic technical and non-technical evaluations of security
safeguards, including policies, controls and processes in order to demonstrate and document the extent
of its compliance with its security policies, and the HIPAA Security Regulations.
2. The technical and non-technical assessments may be conducted more frequently as a result of
environmental or operational changes in the Vivek Doppalapudi, DDS MS PC environment. Changes
that might trigger a re-evaluation include:
An identified security incident or breach of confidential information;
Evolving threats and risks to data security;
Changes to Vivek Doppalapudi, DDS MS PC’s organizational or technical infrastructure;
Changes to information security roles or responsibilities;
Newly emerging security technologies and industry recommendations;
New laws or regulatory requirements.
3. Evaluations will be conducted internally or by a third party.
4. Evaluations will include:
A review of Vivek Doppalapudi, DDS MS PC’s security policies and procedures to evaluate their
appropriateness and effectiveness at protecting against any reasonably anticipated threats or hazards to
the confidentiality, integrity and availability of ePHI and a gap analysis to compare the policies and
procedures against actual practices.
An identification of threats and risks to Vivek Doppalapudi, DDS MS PC’s systems and data.
An assessment of Vivek Doppalapudi, DDS MS PC’s security controls and processes as reasonable and
appropriate protections against the risks identified for the systems and confidential data.
Testing and verification of Vivek Doppalapudi, DDS MS PC’s security controls and processes to
determine whether they have been implemented properly and whether those controls and processes
appropriately protect Vivek Doppalapudi, DDS MS PC’s ePHI. This testing may be conducted by an
authorized workforce member or a third party acting on Vivek Doppalapudi, DDS MS PC’s behalf.
5. The evaluation process and results are documented in a report that is provided to the Security Officer.
6. Following each evaluation, Vivek Doppalapudi, DDS MS PC will update its security policies, procedures,
controls and processes as needed to protect against any reasonably anticipated threats or hazards to
the confidentiality, integrity and availability of Vivek Doppalapudi, DDS MS PC’s systems and data and to
align with local, state, and federal regulations pertaining to security controls.
7. Documentation of the evaluation process and the report shall be completed and maintained by the
practice.
SECURITY PHYSICAL SAFEGUARDS
SECURITY PHYSICAL SAFEGUARDS POLICY
REFERENCE: HIPAA SECURITY §164.310
POLICY
Vivek Doppalapudi, DDS MS PC has implemented policies and procedures that comply with, at a minimum, the
“Required” standards of the HIPAA Security Rule, Physical Safeguards. The practice complies with the
requirement to implement policies and procedures to limit physical access to its electronic information systems
and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
In the Rule, a “facility” is defined as “the physical premises and the interior and exterior of a building(s).”
In general, Physical Safeguards are the mechanisms required to protect electronic systems, equipment, and
the data they hold, from threats, environmental hazards and unauthorized intrusion. They include restricting
access to EPHI and retaining off-site computer backups.
“Addressable” implementation specifications are reviewed to determine whether the specification is appropriate
for the practice. If the specification is reasonable and appropriate, the practice must implement it. If not
reasonable and appropriate, the reasons are documented, and alternate methods are considered and
implemented.
When a standard does not have implementation specifications associated with it, then the standard itself is
“Required.” This standard contains the following implementation specifications.
PROCEDURES:
Standard: Facility Access Controls
The practice has instituted policies and procedures to limit physical access to its electronic information systems
and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
Implementation Specifications
Contingency Operations (Addressable): Establish (and implement as needed) procedures that allow facility
access while lost data is restored under the disaster recovery plan and emergency mode operations plan, in
the event of an emergency.
Facility Security Plan (Addressable): Implement policies and procedures to safeguard the facility and the
equipment therein from unauthorized physical access, tampering, and theft. Facility security plans must
document the use of physical access controls. The controls must ensure that only authorized individuals have
access to facilities and equipment that contain EPHI. Some examples of methods that can be used to
accomplish this include locked doors, “restricted area” warning signs, surveillance cameras, alarms,
identification badges, escorts for large facilities, or private security services. The plan should be reviewed
annually.
Access Control and Validation Procedures (Addressable): Implement procedures to control and validate a
person’s access to facilities based on their role or function, including visitor control, and control of access to
software programs for testing and revision.
Maintenance Records (Addressable): Implement policies and procedures to document repairs and
modifications to the physical components of a facility that are related to security (for example, hardware, walls,
doors, and locks). Documentation can be done by either using a logbook noting the date, reason for
repair/modification and who authorized it, or by using a database for more extensive repairs.
Standard: Workstation Use and Security (Required)
Policies and procedures are implemented that specify the proper functions to be performed, the manner in
which those functions are to be performed, and the physical attributes of the surroundings of a specific
workstation or class of workstation that can access electronic protected health information. A workstation is
defined in the Rule as an “electronic computing device, for example, a laptop or desktop computer, or any other
device that performs similar functions, and electronic media stored in its immediate environment.” This
standard also applies to workforce members that work off-site using workstations that can access EPHI. It
includes employees who work from home, in satellite offices, or in another facility. Some examples of practices
that may be used include logging off before leaving a workstation for an extended period, and using and
continually updating antivirus software. Portable wireless devices should be secured/encrypted in order to
avoid breach notifications, as required under the HITECH Act Breach Notification Rule.
Physical safeguards are implemented for all workstations that access electronic protected health information, to
restrict access to authorized users. This addresses how workstations are physically protected from other users.
It covers relocating workstations, preventing unprotected access by unauthorized users, and policies on the
removal of mobile devices from controlled areas.
Standard: Device and Media Controls (Required)
Policies and procedures are implemented that govern the receipt and removal of hardware and electronic
media that contain electronic protected health information into and out of a facility, and the movement of these
items within the facility. Electronic media means “electronic storage media,” including memory devices in
computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or
disk, optical disk, or digital memory card. This standard covers the proper handling of electronic media including
receipt, removal, backup, storage, reuse, disposal and accountability.
Implementation Specifications
Disposal (Required): Policies and procedures are implemented to address the final disposition of electronic
protected health information, and/or the hardware or electronic media on which it is stored. The practice must
ensure that any discarded electronic media is unusable and/or inaccessible. One of the methods that can be
used is degaussing—using a magnetic field to erase the data. Another is to physically damage it beyond repair.
It should be noted that simple “file delete” commands do not permanently erase data from a computer hard
drive.
Media re-use (Required): Procedures are implemented for removal of electronic protected health information
from electronic media before the media are made available for re-use.
Accountability (Addressable): Maintain a record of the movements of hardware and electronic media from
one location to another, and any person responsible for the movements. Since portable workstations and media
are becoming smaller, there may be special challenges in meeting this addressable specification.
Data backup and storage (Addressable): Create a retrievable, exact copy of electronic protected health
information, when needed, before moving equipment. Data backups must be done very frequently and on a
routine basis.
WORKSTATION USE POLICY
REFERENCE: HIPAA SECURITY §164.310
PURPOSE:
The Workstation Use Policy is intended to provide security for any workstation used in Vivek Doppalapudi, DDS
MS PC’s offices. This policy applies to all users of Vivek Doppalapudi, DDS MS PC’s information systems and
information, and all users must be familiar and comply with this policy.
POLICY:
General
1. All workstations used in Vivek Doppalapudi, DDS MS PC’s offices shall be placed in such a way that they
can be secured from public access and public view using reasonable precautions. Workstations that
access protected health information shall be placed so that the general public cannot view information on
the monitor. This may also be accomplished through the use of software and/or hardware.
2. Active workstations shall not be left logged on to systems, and/or applications, while unattended for
extended periods of time. Workstations that are inactive for more than five (5) minutes shall employ a
screen saver, and workstations that are inactive for more than fifteen (15) minutes, shall be logged off
unless a specific exemption has been granted by Vivek Doppalapudi, DDS MS PC. All users are
expected to properly log out of all applications and networks when a user leaves a workstation so that
unauthorized access to information can be prevented.
3. All workstations used for Vivek Doppalapudi, DDS MS PC business activity, no matter where located,
must use an access control.
4. All access is to be granted to workstations, folders, applications, or any information through the use of
unique, controlled login IDs assigned to specific users and passwords. All users must be authenticated to
the network, system, or application through the use of an approved authentication method.
5. All physical devices should employ some mechanism for preventing theft. Locking mechanisms are
mandatory for devices that are located in obscure locations.
6. Laptops must be secured or in the possession of the workforce member to whom they are assigned at all
times. Laptops should not be left in hotel rooms, automobiles or public locations.
Vivek Doppalapudi, DDS MS PC ensures that any discarded electronic media is unusable and/or
inaccessible. We; @DISMED@
Failure To Comply
Failure to comply with this policy shall result in disciplinary action up to and including termination, as well as the
possibility of appropriate legal action including, but not limited to, the right to seek compensation and or
prosecution.
Users are prohibited from gaining unauthorized access to any information or information system in any way that
damages, alters, or otherwise disrupts the operations of these systems.
DISPOSAL POLICY
REFERENCE: HIPAA SECURITY §164.310
PURPOSE:
The Disposal Policy specifies the requirements set forth by Vivek Doppalapudi, DDS MS PC for the proper
disposal of electronic protected health information (ePHI), financial information, confidential and proprietary
information (“Confidential Information”), and the hardware and electronic media on which such information has
been stored. “ePHI” means electronic protected health information that Vivek Doppalapudi, DDS MS PC
receives, maintains or transmits.
This policy complies with the HIPAA Security Regulation, under the Physical Safeguards, Section 45 C.F.R.
164.310(d)(2)(i), Implementation Specification for the Device and Media Controls Standard.
POLICY:
When Confidential Information or the hardware or electronic media on which it has been stored is no longer
needed, it must be erased in such a manner as to permanently and completely delete all data to prevent future
access by unauthorized individuals. Vivek Doppalapudi, DDS MS PC will log and track the disposal of the
hardware and electronic media on which Confidential Information is stored.
Disposal Requirements and Responsibilities
According to the Breach Notification Rule, notifications are NOT required for breaches originating from PHI that
is secure. To be considered secure, PHI must be destroyed through the use of a technology or methodology
specified by the Secretary of the Department of Health and Human Services in guidance that renders PHI
unusable, unreadable or indecipherable. In guidance, these methods are:
Paper, film or other hard copy media must be shredded or destroyed so it cannot be read or reconstructed.
Electronic media must be cleared, purged, or destroyed consistent with NIST Special Publications 800-88
so PHI cannot be retrieved.
Disposal Requirements and Responsibilities
Hardware and electronic media on which Confidential Information may be stored, and to which this policy
applies, includes but is not limited to:
Computers (desktops, laptops, tablet devices)
Smartphones, PDAs
Floppy disks, hard disks
CDs, DVDs
Magnetic tape, videotape, audiotape
Zip drives, portable hard drives
USB storage devices
Flash memory
Vivek Doppalapudi, DDS MS PC must log and track the final disposal of all hardware and electronic media
on which Confidential Information or ePHI has been stored. This logging and tracking provides the
following information:
Date and time of disposal
Who administered the disposal
Description of the hardware and electronic media being disposed
Disposal method
Source and description of the ePHI being disposed
PHI must not be discarded in trash bins, unsecured recycle bags, or other publicly accessible locations.
Instead, this information must be personally shredded, or placed in a secured recycling bag.
If hardware or electronic media on which Confidential Information has been stored is to be reused within
Vivek Doppalapudi, DDS MS PC, reasonable and appropriate steps must be taken to completely and
permanently remove all traces of the data utilizing approved erasure tools. Vivek Doppalapudi, DDS MS
PC is responsible for approval of the erasure tool and method to be used and to take reasonable steps to
ensure that it is used properly.
Hardware or electronic media that has been determined to have reached end-of-life is to be physically
destroyed utilizing an approved destruction method in accordance with HHS Guidelines. Proof of
destruction must be maintained. Original documents shall be destroyed in accordance with Vivek
Doppalapudi, DDS MS PC’s Record Retention Policy.
Documentation of Destruction
To ensure that destruction is in fact performed, Vivek Doppalapudi, DDS MS PC personnel or a bonded
destruction service must carry out the destruction of PHI. If Vivek Doppalapudi, DDS MS PC personnel
undertakes the destruction of the records, the Vivek Doppalapudi, DDS MS PC personnel must use a practice
records destruction form. (A sample form is available on the following pages.)
If a bonded shredding company undertakes the destruction, the bonded shredding company must provide
Vivek Doppalapudi, DDS MS PC with the document of destruction that contains the following information:
Date of destruction;
Method of destruction;
Description of the disposed records;
Inclusive dates covered;
A statement that the records have been destroyed in the normal course of business;
The signatures of the individuals supervising and witnessing the destruction.
Vivek Doppalapudi, DDS MS PC will maintain certificates of destruction.
POLICY ENFORCEMENT
Anyone who violates this policy will be subject to disciplinary action, up to and including termination of
employment or contract with Vivek Doppalapudi, DDS MS PC.
Anyone who knows or has reason to believe that another person has violated this policy should report the
matter promptly in accordance with applicable policy and procedure. Any attempt to retaliate against a
person for reporting a violation of this policy will itself be considered a violation of this policy that may result
in disciplinary action up to and including termination of employment or contract with Vivek Doppalapudi,
DDS MS PC.
MEDIA RE-USE POLICY
REFERENCE: HIPAA SECURITY §164.310
PURPOSE:
The Media Re-Use Policy specifies the requirements to be followed when erasing Confidential Information from
all electronic media before the media may be re-used. “Confidential Information” means protected health
information, financial information, confidential and proprietary information.
Vivek Doppalapudi, DDS MS PC must remove all Confidential Information from any electronic media before the
media may be re-used for any purpose.
This Policy complies with the required Implementation Specification for Device and Media Controls Standard
under section 45 C.F.R 164.310(d)(2)(ii), of the HIPAA Security Regulations, Physical Safeguards, which
states, “Implement procedures for removal of electronic protected health information from electronic media
before the media are made available for re-use.”
POLICY:
1. Vivek Doppalapudi, DDS MS PC must remove all Confidential Information, including ePHI, on any
electronic media before the media may be re-used.
2. Vivek Doppalapudi, DDS MS PC follows a documented process, taking reasonable and appropriate
steps to completely and permanently remove all traces of the information, utilizing approved erasure
tools.
3. The process applies to hardware and electronic media on which Confidential Information is stored,
including but not limited to:
Copiers with data storage capability
Computer hard drives (desktops, laptops)
Floppy disks, hard disks
Magnetic tape, videotape, audiotape
Zip drives, portable hard drives
USB storage devices
4. Vivek Doppalapudi, DDS MS PC is responsible for approval of the erasure tools and methods to be used
and will take reasonable steps to ensure that they are used properly.
POLICY ENFORCEMENT:
Anyone who violates this policy will be subject to disciplinary action, up to and including termination of
employment.
Anyone who knows or has reason to believe that another person has violated this policy should report
the matter promptly to the Privacy Officer. Any attempt to retaliate against a person for reporting a
violation of this policy will itself be considered a violation of this policy that may result in disciplinary
action up to and including termination of employment.
FACILITY SECURITY PLAN POLICY
REFERENCE: HIPAA SECURITY §164.310
PURPOSE:
This policy outlines the requirement for Vivek Doppalapudi, DDS MS PC to develop and implement Facility
Security plans that detail how it protects its facilities and confidential data from unauthorized access, tampering
and theft.
This policy supports the HIPAA Security Regulation, under the Physical Safeguards, Section 45 C.F.R. 164.310(a)
(2)(ii), Implementation Specification for the Facility Access Controls Standard, which requires that Vivek
Doppalapudi, DDS MS PC “Implement policies and procedures to safeguard the facility and the equipment therein
from unauthorized physical access, tampering, and theft.”
POLICY:
1. Vivek Doppalapudi, DDS MS PC must develop, implement and document a Facility Security Plan that
details how it protects its facilities and systems from unauthorized access, tampering or theft. The Facility
Security Plan includes evaluations of the implemented physical safeguards for confidential information.
The basis of the Facility Security Plan will come from Vivek Doppalapudi, DDS MS PC’s annual risk
analysis.
2. The Facility Security Plan must be reviewed, and revised if necessary, on an annual basis.
3. The Facility Security Plan must address the following:
Identification of all systems which access or contain Vivek Doppalapudi, DDS MS PC’s confidential data;
Identification of security processes and controls used to protect Vivek Doppalapudi, DDS MS PC’s
confidential data from unauthorized access, tampering or theft;
Actions to be taken if unauthorized access, tampering or theft attempts have been made against Vivek
Doppalapudi, DDS MS PC’s systems;
Identification of Vivek Doppalapudi, DDS MS PC’s workforce members’ roles and responsibilities in the
Facility Security Plan;
Notification and reporting procedures;
Maintenance schedule that specifies how and when the plan will be tested and a process for maintaining
the Facility Security Plan.
4. The Privacy Officer is responsible for taking whatever steps are necessary to ensure the plan is tested
and maintained appropriately;
5. Vivek Doppalapudi, DDS MS PC will distribute the Facility Security Plan to the appropriate workforce
members. In addition, copies of the Facility Security Plan will be maintained off-site.
6. @CONFDATA@
@FACSECPLA@ is responsible for creating, maintaining and updating Vivek Doppalapudi, DDS MS PC’s
security plan.
POLICY AUTHORITY/ENFORCEMENT
The Privacy Officer has general responsibility for implementation of this policy, as well as the standards defined
or implied by this policy. Members of the Vivek Doppalapudi, DDS MS PC staff and health care professionals
who violate this policy will be subject to disciplinary action in accordance with the Information Security
Disciplinary Policy, up to and including termination of employment, contract or medical staff privileges with
Vivek Doppalapudi, DDS MS PC.
Anyone who knows or has reason to believe that another person has violated this policy should report the
matter promptly in accordance with applicable policy and procedure. All reported matters will be investigated,
and, where appropriate, steps will be taken to remedy the situation. Where possible, Vivek Doppalapudi, DDS
MS PC will make every effort to handle the reported matter confidentially. Any attempt to retaliate against a
person for reporting a violation of this policy will itself be considered a violation of this policy that may result in
disciplinary action up to and including termination of employment, contract or medical staff privileges with Vivek
Doppalapudi, DDS MS PC.
EXCEPTIONS:
Exceptions to this policy can be made with written approval of the Privacy Officer.
REVIEW OF POLICY
In the event that a significant regulatory change occurs, the policy will be reviewed and updated as needed.
The policy will be reviewed annually to determine its effectiveness in complying with the HIPAA Security
Regulations, as well as meeting business needs.
Please refer to the “Forms” section to find the
“Information Systems and Telecommunications
Hardware Inventory Worksheet”.
Please refer to the “Forms” section to find the
“Certificate of Destruction” form.
SECURITY TECHNICAL SAFEGUARDS
SECURITY TECHNICAL SAFEGUARDS POLICY
REFERENCE: HIPAA SECURITY §164.310
POLICY
Vivek Doppalapudi, DDS MS PC has implemented policies and procedures for electronic information systems
that maintain EPHI to comply with, at a minimum, the “Required” standards of the HIPAA Security Rule,
Technical Safeguards. Technical Safeguards are defined as “the technology and the policy and procedures for
its use that protect electronic protected health information and control access to it.”
In general, these are primarily the automated processes used to protect data and control access to data. They
include using authentication controls to verify that the person signing onto a computer is authorized to access
that EPHI, or encrypting and decrypting data as it is being stored and/or transmitted.
The results of the required risk analysis and risk management processes are used to determine the security
measures needed.
The Security Rule itself does not require specific technology solutions; however, the HITECH Breach
Notification Rule does suggest some technology solutions. Although these solutions are not required under the
Breach Notification Rule, breach notifications may be avoided if they are used.
“Addressable” implementation specifications are reviewed to determine whether the specification is appropriate
for the practice. If the specification is reasonable and appropriate, the practice must implement it. If not
reasonable and appropriate, the reasons are documented and alternate methods are considered and
implemented.
When a standard does not have implementation specifications associated with it, then the standard itself is
“Required.” This standard contains the following implementation specifications.
PROCEDURES:
Standard: Access Control
Technical policies and procedures are implemented for electronic information systems that maintain electronic
protected health information to allow access only to those persons or software programs that have been
granted access rights as specified in the Administrative Safeguards Information Access Management section of
the Security Rule. Access controls provide users with rights and/or privileges to access and perform functions
using information systems, applications, programs or files. Specific methods are not identified in the Security
Rule.
Implementation Specifications
Unique user identification (Required): A unique name and/or number for identifying and tracking user identity
is assigned. The Rule does not describe or provide a specific format for user identification. Possible best
practice methods for user identification management are to require users to change initial passwords to
user-selected passwords, and to change passwords occasionally, depending on the results of the risk assessment.
The Security Officer may be given the passwords for emergency access.
Emergency access procedure (Required): Procedures are established (and implemented as needed) for
obtaining necessary electronic protected health information during an emergency. Procedures must be
established to instruct workforce members on possible ways to gain access to needed EPHI in situations where
normal environmental systems, such as electrical power, have been damaged or are inoperative. The practice
IT staff or vendor should be asked to provide a unique password for emergency access.
Automatic logoff (Addressable): Implement electronic procedures that terminate an electronic session after a
predetermined time of inactivity. This can protect EPHI in situations when the user did not have time, or had
forgotten, to log off.
Encryption and decryption (Addressable): Implement a mechanism to encrypt and decrypt electronic
protected health information. Encryption is a method of converting an original message of regular text into
encoded text. There is a low probability that anyone other than the receiving party, or one with a key to the
code, would be able to decrypt the information.
Standard: Audit Controls (Required)
Hardware, software, and/or procedural mechanisms are implemented that record and examine activity in
information systems that contain or use electronic protected health information. These mechanisms are helpful
when determining if a security violation occurred. The risk analysis and organizational factors must be
considered when determining reasonable and appropriate audit controls for information systems that contain or
use EPHI. Audit controls should be performed often, on a routine basis, as this may be the only way to know
that a breach has occurred. If the practice was not aware of a breach of security, but should have been aware,
then enforcement sanctions by HHS increase. Audit logs must remain accessible to authorized users, and
retained for six years after the last dated entry.
Standard: Integrity
Implement policies and procedures to protect electronic protected health information from improper alteration or
destruction.
Implementation Specification
Mechanism to authenticate electronic protected health information (Addressable): Implement electronic
mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an
unauthorized manner. In order to determine which electronic mechanisms to implement to ensure that EPHI is
not altered or destroyed in an unauthorized manner, a covered entity must consider the various risks to the
integrity of EPHI identified during the risk analysis.
Standard: Person or Entity Authentication (Required)
Procedures are implemented to verify that a person or entity seeking access to electronic protected health
information is the one claimed. Proof of identity is accomplished in several ways, including requiring something
such as a password or PIN, a smart card, a token, a key, or a biometric such as fingerprints, voice patterns,
facial patterns or iris patterns.
Standard: Transmission Security
Implement technical security measures to guard against unauthorized access to electronic protected health
information that is being transmitted over an electronic communications network. The practice reviews the
current methods used to transmit EPHI, such as e-mail, over the internet, or some other means. Then the
practice identifies the available and appropriate means to protect EPHI as it is transmitted, selects appropriate
solutions, and documents its decisions. In particular, wireless devices can pose a significant threat and should
either be banned or secured.
Implementation Specifications
Integrity controls (Addressable): Implement security measures to ensure that electronically transmitted
electronic protected health information is not improperly modified without detection until disposed of. Integrity in
this context is focused on making sure the EPHI is not improperly modified during transmission. A primary way
to accomplish this is by using network communication protocols. This ensures that the data sent is the same as
the data received. Data or message authentication codes may also be considered.
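The integrity control described above can be illustrated with a message authentication code. The following is an added example, not part of the practice's procedures or any vendor's product: the sender attaches an HMAC-SHA256 tag to each transmitted record and the receiver recomputes it, so any modification in transit is detected. The shared key, the record fields and the envelope format are assumptions constructed for the example; in practice the "network communication protocols" the standard refers to (TLS, for instance) supply this protection at the transport layer, and a MAC alone provides integrity only, not the confidentiality addressed by the separate encryption specification.

```python
"""Integrity check for a transmitted record using an HMAC (message
authentication code).  Added example, not part of the practice's policy
or procedures; the key, record fields and wire format are assumptions."""
import hashlib
import hmac
import json
import secrets

# Assumed: a shared secret agreed out of band between sender and receiver.
# Constructed for this example; a real key would come from a key manager.
SHARED_KEY = b"example-shared-key-do-not-use-in-production"


def canonical(record: dict) -> bytes:
    """Serialize the record deterministically so both sides hash the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def protect(record: dict, key: bytes = SHARED_KEY) -> dict:
    """Sender side: attach an HMAC-SHA256 tag computed over the canonical record."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(envelope: dict, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    expected = hmac.new(key, canonical(envelope["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope.get("tag", ""))


def demo() -> tuple:
    """Returns (untouched accepted, tampered accepted, wrong-key accepted)."""
    # Constructed sample record with fictional patient data.
    record = {"patient_id": "P-0001", "procedure": "D0120", "tooth": "14", "amount": 95.00}
    envelope = protect(record)
    ok_untouched = verify(envelope)
    # Simulate modification in transit: the billed amount is altered, tag unchanged.
    tampered = {"record": dict(envelope["record"], amount=950.00), "tag": envelope["tag"]}
    ok_tampered = verify(tampered)
    # A receiver without the shared secret cannot validate the tag either.
    ok_wrong_key = verify(envelope, key=secrets.token_bytes(32))
    return ok_untouched, ok_tampered, ok_wrong_key


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The constant-time comparison (`hmac.compare_digest`) matters: comparing tags with `==` can leak, through timing, how many leading bytes of a forged tag are correct.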
Encryption (Addressable): Implement a mechanism to encrypt electronic protected health information
whenever deemed appropriate. There may be situations where EPHI being transmitted from the practice would
be at significant risk of being accessed by unauthorized entities. Where risk analysis shows such risk to be
significant, a covered entity must encrypt those transmissions under the addressable implementation
specification for encryption.
INFORMATION SYSTEMS ACCESS POLICY
REFERENCE: HIPAA SECURITY §164.312
PURPOSE:
This policy defines the requirements that Vivek Doppalapudi, DDS MS PC must take to protect Vivek Doppalapudi,
DDS MS PC information and information systems from unauthorized use and/or disclosure. This policy applies to all
users of Vivek Doppalapudi, DDS MS PC information systems and information, and all users must be familiar with
and comply with this policy as well as with the Confidentiality and Non-Disclosure Agreement and sign an
Acknowledgment Form that they will do so.
POLICY:
General
1. Only authorized users are granted access to Vivek Doppalapudi, DDS MS PC’s information systems and
related information. Access levels are defined based on job responsibilities, and as such, specific roles
and access levels have been established. This role-based access is granted following the principle of
“least privilege.”
2. All users must access information and information systems with an assigned, unique login ID established
by Vivek Doppalapudi, DDS MS PC. Users are not permitted to use another user’s credentials, or allow
another user to use theirs.
3. This policy applies to all computer and/or information systems owned or operated by Vivek Doppalapudi,
DDS MS PC. Additionally, this policy applies to all platforms, operating systems, and/or applications
owned or leased by Vivek Doppalapudi, DDS MS PC.
4. In addition to using their unique login ID, the identity of any user that accesses Vivek Doppalapudi, DDS
MS PC’s information systems must be authenticated by utilizing at least one of the following: biometric
identification, password, personal identification number, telephone callback procedure, or one-time
password token.
5. Access to systems and/or applications shall not be granted without appropriate, authorized approval.
User access is to be immediately revoked if the individual has been terminated. If the user’s job
responsibilities have changed as a result of a transfer or new role within Vivek Doppalapudi, DDS MS PC,
the user’s access rights will be changed appropriately.
6. All users shall be required to sign the “Staff Member Confidentiality and Non-Disclosure Agreement”
prior to receiving any access privileges.
7. In accordance with the nature of the data stored or processed, access to confidential systems will, where
feasible, be logged and audited in a manner that allows for the following information to be tracked:
access date and time, login ID, method of access, and any sensitive or privileged commands that were
issued.
8. Audit trails shall be backed up and stored, and must not be accessible, modifiable, or readable by
unauthorized users.
9. All passwords are to be stored and strictly controlled using either physical security or information security
controls.
10. All programs, networks, and applications, whether developed internally, or purchased via third party must
be password protected.
11. All systems require a valid, unique, and assigned login ID and password.
12. All system access levels and login IDs shall be reviewed annually. All obsolete access shall be removed.
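The Audit Controls standard above says that recorded activity must be examined routinely, and item 7 of this policy lists the fields such a log should carry (access date and time, login ID, method of access, and sensitive commands issued). The following is an added example of that examination, not the practice's own procedure or tooling: it parses a few constructed log lines in an assumed pipe-delimited format and flags three conditions a reviewer would want to see, namely use of a revoked login (item 5), a privileged command issued by a non-administrative role, and access outside assumed business hours. The role table, revoked-login list, privileged-command set and hours are all assumptions made for illustration.

```python
"""Routine examination of an access audit trail.  Added example, not part of
the practice's procedures; the log format, role table, revoked-login list,
privileged commands and business hours are assumptions made for illustration."""
from datetime import datetime, time

# Assumed log format (constructed lines): ISO timestamp|login ID|method|action|target
SAMPLE_LOG = """\
2013-03-04T09:12:07|jsmith|workstation|VIEW|chart:P-0001
2013-03-04T09:15:41|jsmith|workstation|PRINT|chart:P-0001
2013-03-04T22:47:03|rjones|vpn|VIEW|chart:P-0042
2013-03-05T10:03:19|jsmith|workstation|EXPORT_ALL|charts
2013-03-05T11:30:55|tgreen|workstation|VIEW|chart:P-0007
2013-03-05T12:01:02|admin01|console|USER_ADD|login:tmpuser
"""

# Assumed role table; PRIVILEGED lists commands only the admin role may issue.
ROLES = {"jsmith": "clinical", "rjones": "clinical", "admin01": "admin"}
REVOKED = {"tgreen"}                      # access revoked on termination (item 5)
PRIVILEGED = {"EXPORT_ALL", "USER_ADD", "USER_DEL"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed office hours


def parse(line: str) -> dict:
    """Split one log line into its fields; raises ValueError on a malformed line."""
    ts, login, method, action, target = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "login": login,
            "method": method, "action": action, "target": target}


def examine(log_text: str) -> list:
    """Return (finding kind, login ID, raw line) for every entry needing review."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse(raw)
        if entry["login"] in REVOKED:
            findings.append(("revoked-login", entry["login"], raw))
        elif entry["login"] not in ROLES:
            findings.append(("unknown-login", entry["login"], raw))
        if entry["action"] in PRIVILEGED and ROLES.get(entry["login"]) != "admin":
            findings.append(("privileged-by-non-admin", entry["login"], raw))
        if not (BUSINESS_HOURS[0] <= entry["ts"].time() <= BUSINESS_HOURS[1]):
            findings.append(("after-hours", entry["login"], raw))
    return findings


if __name__ == "__main__":
    for kind, who, line in examine(SAMPLE_LOG):
        print(f"{kind:24} {who:8} {line}")
```

Run against the constructed lines, the review produces three findings: the after-hours VPN access by rjones, the bulk export issued by jsmith from a clinical role, and the chart view by the revoked login tgreen. An after-hours finding is a prompt for review, not proof of a violation; the point of running the check on a routine basis, as the standard requires, is that these entries are read by someone while the six-year retention window is still young.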
Failure To Comply
Failure to comply with this policy shall result in disciplinary action up to and including termination.
Users are prohibited from gaining unauthorized access to any information or information system in any way that
damages, alters, or otherwise disrupts the operations of these systems.
EPHI MOVEMENT POLICY
REFERENCE: HIPAA SECURITY §164.312
PURPOSE:
Vivek Doppalapudi, DDS MS PC will log and track the movement of Vivek Doppalapudi, DDS MS PC’s
hardware and electronic media on which ePHI is stored into, out of, and within its facilities. Vivek Doppalapudi,
DDS MS PC will hold its workforce members accountable for such movement.
This accountability policy is a reflection of Vivek Doppalapudi, DDS MS PC’s commitment to establishing and
maintaining a complete, accurate and up-to-date inventory of hardware and electronic media on which
electronic protected health information (ePHI) is stored; logging and tracking the movement of Vivek
Doppalapudi, DDS MS PC’s hardware and electronic media; and holding Vivek Doppalapudi, DDS MS PC
workforce members accountable for such movement. “ePHI” means electronic protected health information that
Vivek Doppalapudi, DDS MS PC receives, maintains or transmits.
This policy complies with the HIPAA Security Regulation, under the Physical Safeguards, Implementation
Specification for Device and Media Controls Standard, section 45 C.F.R. 164.310(d)(2)(iii), which states that
Vivek Doppalapudi, DDS MS PC must, “Maintain a record of the movements of hardware and electronic media
and any person responsible therefore.”
POLICY:
1. Vivek Doppalapudi, DDS MS PC has established and maintains a complete, accurate and up-to-date
inventory of hardware and electronic media on which ePHI is stored and uses that inventory to log and
track the movement of Vivek Doppalapudi, DDS MS PC’s hardware and electronic media on which ePHI
is stored. Vivek Doppalapudi, DDS MS PC’s Privacy Officer takes reasonable steps to ensure that all
such movement is promptly and accurately logged and tracked in accordance with Vivek Doppalapudi,
DDS MS PC’s documented procedure.
2. Hardware and electronic media on which ePHI is stored that is logged and tracked pursuant to this Policy
includes:
Computers (desktops, laptops)
Floppy disks
Backup tapes
CD-ROMs
Zip drives, USB drives
Portable hard drives
PDAs
3. The Privacy Officer and/or designee must maintain a record of the inventory of hardware and electronic
media, and document the movement of same.
4. Vivek Doppalapudi, DDS MS PC workforce members who move hardware or electronic media on which
ePHI is stored into, out of, and within Vivek Doppalapudi, DDS MS PC’s facilities must follow Vivek
Doppalapudi, DDS MS PC’s ePHI Movement Procedures and Guidelines and are responsible for the use
of the ePHI and are required to take reasonable steps to ensure that the ePHI is protected against
damage, theft and unauthorized access.
POLICY AUTHORITY/ENFORCEMENT
The Vivek Doppalapudi, DDS MS PC Privacy Officer has general responsibility for implementation of this
policy, as well as the standards defined or implied by this policy. Members of our Vivek Doppalapudi,
DDS MS PC staff who violate this policy will be subject to disciplinary action in accordance with the
Information Security Disciplinary Policy, up to and including termination of employment or contract with
Vivek Doppalapudi, DDS MS PC.
Anyone who knows or has reason to believe that another person has violated this policy should report
the matter promptly in accordance with applicable policy and procedure. All reported matters will be
investigated, and, where appropriate, steps will be taken to remedy the situation. Where possible, Vivek
Doppalapudi, DDS MS PC will make every effort to handle the reported matter confidentially. Any attempt
to retaliate against a person for reporting a violation of this policy will itself be considered a violation of
this policy that may result in disciplinary action up to and including termination of employment, contract
or medical staff privileges with Vivek Doppalapudi, DDS MS PC.
EXCEPTIONS:
Exceptions to this policy can be made with written approval of the Privacy Officer.
REVIEW OF POLICY
In the event that a significant regulatory change occurs, the policy will be reviewed and updated as
needed. The policy will be reviewed periodically to determine its effectiveness in complying with the
HIPAA Security Regulations, as well as meeting business needs.
Please refer to the “Forms” section to find the “Sources of EPHI” form.
MOBILE DEVICE REQUIREMENTS POLICY
REFERENCE: HIPAA SECURITY §164.312
PURPOSE
The following requirements concerning Vivek Doppalapudi, DDS MS PC laptops, tablets, notebooks, or any
other device that falls within the category of portable computing or data storage device, are designed to allow
appropriate usage of this technology while minimizing the security exposures that these devices can bring.
Without these requirements, damages could include the loss of confidential data,
intellectual property, or damage to Vivek Doppalapudi, DDS MS PC systems. All users who use this type of
device must agree to these requirements.
POLICY
General Requirements
1. Devices that are allowed to access Vivek Doppalapudi, DDS MS PC information on or connect to
Vivek Doppalapudi, DDS MS PC network(s) or system(s) containing confidential data are @DEVICES@
2. Devices may not be shared or used by other individuals, including household members.
3. Protection of User ID and Password: At no time may any Vivek Doppalapudi, DDS MS PC user
provide their Vivek Doppalapudi, DDS MS PC login credentials to anyone, including family members or
other office staff members. Users must not post or display their login credentials in any way on the
device with sticky notes, taped notes, or any other affixed message, or keep login credentials stored in
the same location as the device.
4. Storage of Device: Devices must be kept secured, never left unattended, and must remain with the
assigned user at all times as far as is reasonably possible. Devices may not be left in vehicles, or in other
places where the risk of theft is increased.
5. Loss or Theft of Device: If a device is lost, stolen, or otherwise missing, the Vivek Doppalapudi, DDS
MS PC Privacy Officer must be notified immediately as defined in the Security Incident Response and
Reporting Policy and Procedure.
6. Connecting to networks with portable devices: Only approved connections and methodologies may
be used to connect to the Vivek Doppalapudi, DDS MS PC network, and authorization must be obtained
through the practice.
7. Connecting to Vivek Doppalapudi, DDS MS PC Remotely: It is the responsibility of any user who
connects to the Vivek Doppalapudi, DDS MS PC network remotely to ensure that all of the same security
requirements are applied in accordance with Vivek Doppalapudi, DDS MS PC’s Remote Access
Requirements and Acceptance Policy. The same security measures must be applied at the remote
location that would be applied while at a Vivek Doppalapudi, DDS MS PC location.
The policy for connecting to Vivek Doppalapudi, DDS MS PC system remotely is as follows:
@REMOTE@
8. Use with Wireless networks: If the device will be connected to any type of wireless network or
connection, prior approval must be obtained through Vivek Doppalapudi, DDS MS PC Information
Security so that appropriate wireless protocols can be checked. Connecting to wireless networks without
prior permission is expressly prohibited.
9. Connection to other networks: The user may connect to their internet provider with the device, only for
the purposes of connecting with a Vivek Doppalapudi, DDS MS PC network. The device cannot be used
to connect to non-Vivek Doppalapudi, DDS MS PC networks, or used to connect to external email
providers.
10. Idle Sessions: Users must ensure that active remote sessions are not left unattended, thereby
preventing non-Vivek Doppalapudi, DDS MS PC users from accessing information.
11. Software Installation: All Vivek Doppalapudi, DDS MS PC devices must have only Vivek Doppalapudi,
DDS MS PC approved software installed. Users may not remove or install any software. Users are not
permitted to disable the Anti-Virus software that has been installed.
12. All Vivek Doppalapudi, DDS MS PC devices must connect locally to the Vivek Doppalapudi, DDS
MS PC network on a regular basis to ensure that any software or program updates are applied.
13. Transferring data to personal computing devices: Vivek Doppalapudi, DDS MS PC sensitive data
and ePHI may not be stored on personal or “non-Vivek Doppalapudi, DDS MS PC” devices without
written approval of Vivek Doppalapudi, DDS MS PC Information Security.
14. Device Inspections: All Vivek Doppalapudi, DDS MS PC devices must be subject to examination by
authorized Vivek Doppalapudi, DDS MS PC staff on a periodic basis, but not less than once annually. The
inspections can be done at a Vivek Doppalapudi, DDS MS PC location, or can be performed remotely by
a Vivek Doppalapudi, DDS MS PC authorized third party. The user’s department must coordinate the
inspection with Information Technology and pay any fees associated with third party vendors.
15. Storage of Information on hard drive: Users may not save, store, or copy any sensitive data including
ePHI to the hard drive of the Laptop unless it has been specifically authorized by Vivek Doppalapudi,
DDS MS PC Information Security. Where approval has been granted for ePHI or sensitive data storage
on the device; Vivek Doppalapudi, DDS MS PC approved encryption is required.
16. Device Tracking Log: The Security Officer must maintain a tracking log of all devices that store ePHI.
This log must include the device serial number, the assigned user, and the location of the device. These
logs must be made available to IT upon request and are subject to periodic audit.
17. User responsibility for device: If the device is missing or stolen or misused because the user has not
complied with these guidelines, the Vivek Doppalapudi, DDS MS PC user who was issued the device
bears responsibility for the consequences; disciplinary actions and fines could apply.
REMOTE ACCESS REQUIREMENTS POLICY
REFERENCE: HIPAA SECURITY §164.312
PURPOSE
The purpose of this document is to define standards for connecting to Vivek Doppalapudi, DDS MS PC
networks from any location remotely. These standards are designed to minimize potential security
exposures while connecting to Vivek Doppalapudi, DDS MS PC Networks remotely. Damages could include
the loss of confidential data, intellectual property, or damage to Vivek Doppalapudi, DDS MS PC systems.
These guidelines apply to any user that possesses a Vivek Doppalapudi, DDS MS PC device or personally
owned device used to connect to the Vivek Doppalapudi, DDS MS PC network from an external location.
POLICY
General Requirements
1. Before any user connects remotely, authorization must be granted through the practice.
2. Only approved connections and methodologies may be used to connect to the Vivek Doppalapudi, DDS
MS PC network.
3. It is the responsibility of any user who connects remotely to ensure that all of the same security
requirements in accordance with Vivek Doppalapudi, DDS MS PC Security Policy are applied at the
remote location that would be applied while at a Vivek Doppalapudi, DDS MS PC location.
4. All Vivek Doppalapudi, DDS MS PC related data received, transmitted or displayed must be kept
confidential, and only used for approved business purposes.
5. Vivek Doppalapudi, DDS MS PC users with remote privileges to the Vivek Doppalapudi, DDS MS PC
network must not use non-Vivek Doppalapudi, DDS MS PC email accounts or other external resources
to conduct Vivek Doppalapudi, DDS MS PC business, thereby ensuring that official business is never
confused with personal business.
6. The Vivek Doppalapudi, DDS MS PC user bears responsibility for the consequences should access be
misused.
7. Vivek Doppalapudi, DDS MS PC applications that run on the Vivek Doppalapudi, DDS MS PC network,
outside of “Web-Based” applications, generally require a Vivek Doppalapudi, DDS MS PC device to
remotely connect and access those applications.
Vivek Doppalapudi, DDS MS PC Owned Device Requirements – Required for Vivek Doppalapudi, DDS MS PC applications which are not “web based”
1. All Vivek Doppalapudi, DDS MS PC owned devices are to be used for Vivek Doppalapudi, DDS MS PC
business use only, in accordance with the Vivek Doppalapudi, DDS MS PC Acceptable Use of
Information Policy (found within this manual) and any applicable Information Security Policies.
2. Vivek Doppalapudi, DDS MS PC devices may not be shared or used by other individuals including
household members.
3. At no time should any Vivek Doppalapudi, DDS MS PC user provide their practice login credentials to
anyone, including family members or other office staff members.
4. Vivek Doppalapudi, DDS MS PC devices may only connect to a Vivek Doppalapudi, DDS MS PC
network through the user’s Internet provider, and may not be used to connect to non-Vivek Doppalapudi,
DDS MS PC networks, or used to connect to external email providers.
5. All Vivek Doppalapudi, DDS MS PC devices must have only Vivek Doppalapudi, DDS MS PC approved
software installed. Users may not remove or install any software.
6. Users are not permitted to disable the anti-virus software that has been installed.
7. Users must ensure that active remote sessions are not left unattended, thereby preventing non-Vivek
Doppalapudi, DDS MS PC users from accessing information.
8. All Vivek Doppalapudi, DDS MS PC devices are subject to audit at any time, so no right of privacy is
guaranteed.
9. All Vivek Doppalapudi, DDS MS PC devices must be subject to examination by authorized Vivek
Doppalapudi, DDS MS PC staff on a periodic basis, but not less than once every quarter. The
inspections can be done at a Vivek Doppalapudi, DDS MS PC location, or can be performed remotely by
a Vivek Doppalapudi, DDS MS PC authorized third party. The user’s supervisor must coordinate the
inspection with Information Technology. There may be fees associated with third party vendors.
Personally Owned Device Requirements – Can be used for applications which are “web based”:
1. All personal devices connected to any Vivek Doppalapudi, DDS MS PC network are to be used for Vivek
Doppalapudi, DDS MS PC business use only while connected to a Vivek Doppalapudi, DDS MS PC
network in accordance with the Vivek Doppalapudi, DDS MS PC Acceptable Use of Information Policy
and any other applicable Vivek Doppalapudi, DDS MS PC Security Policies.
2. All personal devices used to connect to Vivek Doppalapudi, DDS MS PC resources may not connect to
other services while connected to any Vivek Doppalapudi, DDS MS PC network, which includes email
providers.
3. Personal devices will only have the ability to connect to Vivek Doppalapudi, DDS MS PC applications
that have been web-enabled unless specifically approved.
4. Vivek Doppalapudi, DDS MS PC Users are not permitted to save or copy any Vivek Doppalapudi, DDS
MS PC data to a personal device. This includes email messages.
5. The use of wireless networks may not be employed while connecting to the Vivek Doppalapudi, DDS MS
PC network unless prior approval has been granted, and wireless encryption must be enabled before
conducting Vivek Doppalapudi, DDS MS PC business, since wireless networking has a number of
vulnerabilities.
6. Personal devices must not be left unattended while connected to Vivek Doppalapudi, DDS MS PC
networks.
7. Vivek Doppalapudi, DDS MS PC bears no responsibility for device malfunctions or failures on personal
devices.
8. Vivek Doppalapudi, DDS MS PC Users are not permitted to share Vivek Doppalapudi, DDS MS PC login
credentials with anyone, including household members.
9. All Vivek Doppalapudi, DDS MS PC users are required to follow the terms of this Policy as well as all
other Vivek Doppalapudi, DDS MS PC security policies while working remotely, even if connected with a
personal device.
ACCEPTABLE USE OF INFORMATION POLICY
REFERENCE: HIPAA SECURITY §164.312
PURPOSE:
Vivek Doppalapudi, DDS MS PC relies on its information and Information Technology Resources (Resources)
to support its business processes. To ensure that its Resources are used properly by its employees,
independent contractors, agents, and other Users, Vivek Doppalapudi, DDS MS PC has implemented this
Acceptable Use of Information Policy (AUIP).
POLICY:
Compliance
1. This Policy applies to all Users of Vivek Doppalapudi, DDS MS PC’s Resources, wherever they may be
located. It is each User’s duty to use Vivek Doppalapudi, DDS MS PC’s Resources responsibly,
professionally, ethically, and lawfully. Each User who is not specifically covered in this AUIP (e.g.,
affiliates, vendors, contractors, etc.) will also be required to sign, in order to obtain access to the
Environment, the Acceptable Use of Information Policy Acknowledgment form verifying that he or she
has read, understands, and agrees to follow this Acceptable Use of Information Policy.
2. Each User is responsible for the security of the Information Technology Environment. A User should
notify the Vivek Doppalapudi, DDS MS PC IT Security Office if he or she feels that security may have
been compromised in any way. Users responsible for implementing new applications, services or
hardware should coordinate activities with the Vivek Doppalapudi, DDS MS PC IT Security personnel to
determine if the new application, service or hardware complies with the previously defined Vivek
Doppalapudi, DDS MS PC security architecture.
3. Any violation of this Policy may lead to disciplinary action which will be based on the severity and context
of the violation and shall be in accordance with existing Vivek Doppalapudi, DDS MS PC policies and/or
appropriate legal action. Disciplinary action may include without limitation, verbal or written reprimand,
suspension or termination of employment and/or appropriate legal action. The Vivek Doppalapudi, DDS
MS PC Security Officer or any designee may deny or revoke access privileges if there is a reasonable
belief that a violation has occurred. Access privileges may be restored only after consultation between
the Security Officer and Vivek Doppalapudi, DDS MS PC Management and/or Vivek Doppalapudi, DDS
MS PC Senior Management personnel.
4. The policies stated in this AUIP are intended as guidelines only for Vivek Doppalapudi, DDS MS PC
Resource usage. The language should not be construed as creating a contract of employment, express
or implied, between Vivek Doppalapudi, DDS MS PC and any Vivek Doppalapudi, DDS MS PC
employee. Unless Vivek Doppalapudi, DDS MS PC employees have a written employment contract,
either the employee or Vivek Doppalapudi, DDS MS PC may terminate the employment relationship at
any time, for any reason, with or without cause. In addition, no provision of this AUIP shall create an
employer-employee relationship between Vivek Doppalapudi, DDS MS PC and any User who is not a
Vivek Doppalapudi, DDS MS PC employee, such as an affiliate contractor, third party vendor, or other
User of Vivek Doppalapudi, DDS MS PC Resources who is not a Vivek Doppalapudi, DDS MS PC
employee.
5. Vivek Doppalapudi, DDS MS PC reserves the right to add, delete, or revise any provision of the AUIP at
any time, or any Information Security Policy without prior notice to Users.
6. Users shall adhere to Vivek Doppalapudi, DDS MS PC retention and destruction schedules for all
electronic files, including e-mails, electronic documents and records, and other electronic files.
Acceptable Use of Information Procedures
1. No Expectation of Privacy. The Vivek Doppalapudi, DDS MS PC Resources and User accounts are
issued to Users to assist them in the performance of their jobs, and as such, remain the property of Vivek
Doppalapudi, DDS MS PC. Users do not have an expectation of privacy in anything Users create, store,
send, or receive on Vivek Doppalapudi, DDS MS PC Resources. Resources belong to Vivek
Doppalapudi, DDS MS PC and are to be used solely for the purpose of Vivek Doppalapudi, DDS MS PC
business, the User’s usual duties, and/or other purposes authorized by management.
2. Waiver of Privacy Rights. Users expressly waive any right of privacy in anything Users create, store,
send, or receive on Vivek Doppalapudi, DDS MS PC Resources, through the Internet or any other Vivek
Doppalapudi, DDS MS PC Network. Users consent to allowing authorized Vivek Doppalapudi, DDS MS
PC IT Services personnel to access and review all materials Users create, store, send, or receive on
Vivek Doppalapudi, DDS MS PC Resources. Vivek Doppalapudi, DDS MS PC may, but is not obligated
to, use human or automated means to monitor use of its Resources.
3. No Privacy in Communication. Users must never consider electronic communications to be either private
or secure. E-mail could potentially be stored indefinitely on any number of Vivek Doppalapudi, DDS MS
PC Resources as well as non-Vivek Doppalapudi, DDS MS PC resources. Copies of your message may
be forwarded to others electronically or on paper. In addition, e-mail sent to nonexistent or incorrect
usernames may be delivered to the wrong person(s).
Prohibited Activities
1. Inappropriate or Unlawful Material. Material that is fraudulent, harassing, embarrassing, sexually
explicit, profane, obscene, intimidating, defamatory, or otherwise unlawful or inappropriate may not be
sent by e-mail, electronic text messages or any other form of electronic communication (such as bulletin
board systems, newsgroups, chat groups) or displayed on or stored in any Vivek Doppalapudi, DDS MS
PC Resource. Users encountering or receiving this kind of material should immediately report the
incident to the Security Officer.
2. Disclaimer of Liability for Internet Use. The Internet is a worldwide network of computers that contains
millions of pages of information, some of which may contain offensive or inappropriate material. Vivek
Doppalapudi, DDS MS PC has implemented Internet blocking software to restrict access to inappropriate
Internet sites. In the event Users nonetheless encounter inappropriate material on the Internet, Users
should immediately disconnect from the site and report the site to the practice. Vivek Doppalapudi, DDS
MS PC is not responsible for material viewed by Users on the Internet. In addition, posting your e-mail
address on the Internet may lead to receipt of unsolicited e-mail containing offensive content. Users
accessing the Internet do so at their own risk.
3. Prohibited Uses. Vivek Doppalapudi, DDS MS PC Resources may not be used for dissemination or
storage of commercial or personal advertisements, solicitations, promotions, destructive programs
(viruses), political material, or any other use prohibited by this Policy.
4. Waste of IT Resources. Users may not perform acts that waste Vivek Doppalapudi, DDS MS PC
Resources or unfairly monopolize Vivek Doppalapudi, DDS MS PC Resources to the exclusion of other
Users. These acts include, but are not limited to: sending non-business related mass distribution e-mails
or chain letters; subscribing to non-business related mailing lists; spending excessive amounts of time on
the Internet; social networking; playing non-business related computer games, music or video; or
otherwise creating unnecessary network traffic.
5. Communication of Confidential Information. Unless expressly authorized by Vivek Doppalapudi, DDS MS
PC Senior Management, sending, transmitting, or otherwise disseminating proprietary data, trade
secrets or other confidential information, including medical records and/or patient data is strictly
prohibited. Always keep in mind that e-mail and the Internet are public methods of communication. When
you send information via e-mail or make it available on the Internet, there is always a possibility that the
information will be viewed by unauthorized individuals. This type of information is a valuable asset of the
company and each of us must make sure that it is protected from unauthorized disclosure.
6. Altering Identity (Spoofing). Users may not alter the “From:” line or other attribution-of-origin information
in e-mail, messages, or postings. Anonymous or pseudonymous electronic communication is forbidden.
Users must identify themselves honestly and accurately when sending e-mail.
7. Personal Use. Any use of Vivek Doppalapudi, DDS MS PC Resources not approved by Vivek
Doppalapudi, DDS MS PC IT Management is prohibited. Vivek Doppalapudi, DDS MS PC management
is aware that personal communications between Vivek Doppalapudi, DDS MS PC coworkers and
external contacts does occur, as well as some limited personal use. Management expects Users to limit
such communications and personal use to a minimum. Excessive or abusive volume of personal
communications, activities of a personal nature that tie up resources or employees, or violate any other
provision of this agreement are expressly prohibited. Users are reminded that there are no expectations
of privacy when using Vivek Doppalapudi, DDS MS PC Systems.
8. Software and Copyright Violations. The distribution, retrieval, or reproduction of any material without the
permission of the copyright holder is expressly prohibited. The import or installation of any software
which has not been properly authorized and purchased by Vivek Doppalapudi, DDS MS PC IT
management is expressly prohibited. No User may modify, revise, transform, adapt, disassemble,
decompile, or otherwise alter any software licensed to Vivek Doppalapudi, DDS MS PC without prior
written authorization from Vivek Doppalapudi, DDS MS PC.
9. No Forward Policy. Some information that is transmitted via electronic communications is intended for
specific individuals, and therefore, should not be shared with others. Users should exercise caution when
forwarding communications to other Vivek Doppalapudi, DDS MS PC users. Vivek Doppalapudi, DDS
MS PC information that is sensitive in nature may not be forwarded to external parties without the
express permission of senior management. Vivek Doppalapudi, DDS MS PC e-mail users are
prohibited from modifying the settings of their e-mail account or otherwise causing e-mail received by
them to be automatically forwarded to a non-Vivek Doppalapudi, DDS MS PC e-mail address.
Logins and Passwords
1. Login Accounts. A unique login account consisting of a User ID and password (see D-2, D-3, D-4) is
required for each User of the IT Environment. Users are responsible for all transactions made using his
or her User ID. No User may access Vivek Doppalapudi, DDS MS PC Resources using another User’s
account. All Users are expected to log off the workstation when they are away from their work area for
extended periods of time. All Users are required to log off at the end of each day before they leave. Users
may not disguise their identity while using any Vivek Doppalapudi, DDS MS PC Resource.
2. Responsibility for Passwords. Users are responsible for safeguarding their passwords for access to
Vivek Doppalapudi, DDS MS PC Resources. Individual passwords should not be printed, stored online,
shared or given to others. Users are prohibited from using or disclosing another User’s password.
3. Password Maintenance. Passwords should be obscure and a minimum of six characters in length.
Passwords must include uppercase, lowercase and numerical characters. The use of special characters
(e.g. “@”, “!”, “&”, “%”), if supported, is strongly suggested.
4. Passwords do not Imply Privacy. Use of passwords to gain access to Vivek Doppalapudi, DDS MS PC
Resources does not imply that Users have an expectation of privacy in the material they create or
receive on Vivek Doppalapudi, DDS MS PC Resources. Vivek Doppalapudi, DDS MS PC has the right to
inspect and or read and or print without prior notice, all material stored on Vivek Doppalapudi, DDS MS
PC Resources.
5. Disclosure of Information. All information accessed by Users of Vivek Doppalapudi, DDS MS PC
systems is to be kept confidential, and only discussed or shared with another User who has been
properly authorized to view the information as part of his or her job responsibilities. Information is stored
with the expectation that it will only be used or accessed by authorized persons.
Security
1. Physical Security. Users shall take all reasonable and prudent measures to physically secure all Vivek
Doppalapudi, DDS MS PC Resources. Users shall not attempt to circumvent any system that secures
Vivek Doppalapudi, DDS MS PC Resources or its components.
2. Accessing Other Computers and Networks. A User’s ability to connect to other computers or networks
does not imply a right to connect to those systems or to make use of those systems unless specifically
authorized by the operators of those systems. Users should not view any information without proper
authorization.
3. Computer Security. Each User is responsible for ensuring that the use of external computers and
networks, such as the Internet, does not compromise the security of the Vivek Doppalapudi, DDS MS PC
Environment. This duty includes preventing intruders from accessing the Vivek Doppalapudi, DDS MS
PC Network without authorization and taking reasonable precautions to avoid the introduction and
spread of viruses, malware and other harmful software.
4. Information Technology Security. Users shall not connect to the Vivek Doppalapudi, DDS MS PC
Network by any means other than by those specifically defined by the Vivek Doppalapudi, DDS MS PC
IT personnel. Personally owned computers should not be connected to the Vivek Doppalapudi, DDS MS
PC network without prior approval of Vivek Doppalapudi, DDS MS PC IT personnel. Users shall not
disable Vivek Doppalapudi, DDS MS PC Resource functions (passwords, virus scan, distribution
software, audit trails) implemented by Vivek Doppalapudi, DDS MS PC IT Services.
5. Monitoring. Monitoring includes without limitation reviewing Internet sites visited, reviewing material
downloaded/uploaded by Users to/from the Internet, and reviewing e-mail sent and received by Users.
This may be done at any time and without prior notice to Users. Reasons for review include but are not
limited to, preventing or investigating allegations of abuse, assuring compliance with copyright laws, or
complying with legal or regulatory requests for information.
6. Circumventing Established Security. Users may not attempt to circumvent Vivek Doppalapudi, DDS MS
PC’s data protection measures or attempt to uncover security loopholes. Users may not gain or attempt
to gain unauthorized access to restricted areas or files on Vivek Doppalapudi, DDS MS PC Resources.
Users should not tamper with any software protections or restrictions placed on computer applications,
files or directories.
7. Encryption. Users sending e-mail containing Protected Health Information (PHI) as defined by HIPAA
and HITECH or other confidential or sensitive information such as business plans or budgets to non-
Vivek Doppalapudi, DDS MS PC e-mail addresses must encrypt the e-mail message. Encryption
instructions may be found on the Vivek Doppalapudi, DDS MS PC Intranet under the ‘Links’ – ‘Job Aids’
section.
8. Sending E-mail to Verified Addresses. You must verify that the e-mail address to which you are sending
Vivek Doppalapudi, DDS MS PC information is correct. Patient information should be sent only to verified
business addresses and not to personal addresses (e.g. @Hotmail.com, @gmail.com, @AOL.com)
unless otherwise authorized by Vivek Doppalapudi, DDS MS PC Management. It is generally safer to
‘reply to’ an address rather than typing the address yourself.
Malware
Malware Detection
Malware can cause substantial damage to computer systems. Each User is responsible for
taking reasonable precautions to ensure he or she does not introduce malware into the Vivek Doppalapudi,
DDS MS PC Environment. To that end, Users should not disable malware protection software installed on Vivek
Doppalapudi, DDS MS PC Resources. Users should comply with malware software update announcements as
required, and report suspected malware activity to the Vivek Doppalapudi, DDS MS PC IT personnel as soon
as possible.
When Malware is detected @MALWARE@
Voicemail
1. Voicemail Setup. Once training is attended, each User should record an internal and external greeting in
accordance with the guidelines presented in training. Users should also change the voicemail password
from the system default.
2. Voicemail Usage. Users should be cautious when including confidential information in voicemail
messages. Users should take care not to play voicemail over speakerphones where other employees
might overhear inappropriate information.
Intellectual Property Rights
Any information developed or compiled by the User, including documents such as writings, diagrams,
spreadsheets, databases, regardless of form and any invention, discovery, development, modification, system,
program, or design that results from the use of Vivek Doppalapudi, DDS MS PC Environment by the User shall
be the exclusive property of Vivek Doppalapudi, DDS MS PC.
Malicious Destruction of Vivek Doppalapudi, DDS MS PC
Software/Hardware
Vivek Doppalapudi, DDS MS PC has considerable investments in software and hardware to provide the
environment needed by the employees. Users shall not maliciously destroy or otherwise damage/delete any
software licensed to or owned by, or any hardware owned, leased, or otherwise in the possession of Vivek
Doppalapudi, DDS MS PC. Any such damage or destruction shall subject the User to disciplinary action under
this Policy. In addition, Vivek Doppalapudi, DDS MS PC reserves the right to seek compensation through legal
action for any damages maliciously caused by the User.
Attorney-client Communications
E-mail sent to or from in-house counsel or an attorney representing Vivek Doppalapudi, DDS MS PC should
include this warning: “ATTORNEY-CLIENT PRIVILEGED. DO NOT FORWARD WITHOUT PERMISSION.”
Users who receive communication from counsel should not forward such communication without the
permission of counsel. Users are reminded that e-mail should not be considered as a secure means of
communication.
Incident Response
Users must immediately report to the Security Officer or his or her designee any suspected or confirmed
security incident. This would include, but not be limited to, a computer virus, breach of security, or security
weakness, loss or disclosure of data, or any unauthorized access or use of data. Users should not discuss the
specifics of a security problem with anyone else except the Security Officer or other designee, unless
specifically authorized to do so. Additionally, Users must take no independent actions unless expressly
authorized to do so and should not attempt to remedy the situation.
Exceptions
Exceptions to this Policy can be made with written approval of both the Security Officer and Vivek Doppalapudi,
DDS MS PC Management.
Termination
Upon termination of employment, or any other termination of access rights, all programs, files, hardware or any
other data defined as intellectual property, must be returned to Vivek Doppalapudi, DDS MS PC, and any
further access to Vivek Doppalapudi, DDS MS PC systems is strictly prohibited.
Acceptable Use of Information Policy Acknowledgement
By my signature below, I attest that I have read and understand the above policies regarding acceptable use of
information.
Users Signature: _______________________
Witness Signature: _______________________
Appendix: State Laws and Preemption
STATE LAWS AND PREEMPTION TO FEDERAL
HIPAA
Most states have their own laws regarding the confidentiality of individual health care information. The HIPAA
Privacy Rule and Section 13421 of the HITECH Act (Subtitle D-Privacy, Part 2, Relationship To Other
Laws, Regulatory References, Effective Date; Reports) address state preemption.
The following Questions and Answers were obtained directly from the U.S. Department of Health & Human
Services, current as of April, 2013.
QUESTION:
How does the HIPAA Privacy Rule reduce the potential for conflict with State laws?
(http://www.hhs.gov/ocr/privacy/hipaa/faq/preemption_of_state_law/401.html)
ANSWER:
The Privacy Rule is designed to minimize conflicts between Federal requirements and those of State law in the
following ways:
The Privacy Rule establishes a floor of Federal privacy protections and individual rights with respect to
individually identifiable health information held by covered entities and their business associates. Covered
entities may provide greater privacy rights to individuals and greater protections on such information. In
addition, covered entities may comply with State laws that provide greater protections for individually
identifiable health information and greater privacy rights for individuals.
The Privacy Rule permits a covered entity to use or disclose protected health information if a State law
requires the use or disclosure. See 45 C.F.R. 164.512(a).
The Privacy Rule permits a covered entity to disclose protected health information to a public health
authority who is authorized by law to collect such information for the purposes of preventing or controlling
disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such
as birth or death, and the conduct of public health surveillance, public health investigations, and public
health interventions. (See 45 C.F.R. 164.512(b) for all of the public health disclosures permitted by the
Privacy Rule.) Thus, State laws that provide for the reporting of disease or injury, child abuse, birth or
death, or for the conduct of public health surveillance, investigation, or intervention, likely will not conflict
with the Privacy Rule. In the unusual case where there is a conflict, the State law would stand. See 45
C.F.R. 160.203(c). Because the Administrative Simplification Rules themselves exempt such State laws
from preemption, a request for the Department of Health and Human Services (HHS) to issue a
preemption exception determination is unnecessary and inappropriate.
The Privacy Rule permits a covered entity to disclose protected health information to a health oversight
agency for oversight activities authorized by law, such as audits and licensure activities. See 45 C.F.R.
164.512(d). Thus, State laws that provide for certain health plan reporting for the purpose of management
or financial audits, program monitoring and evaluation, or the licensure or certification of facilities or
individuals, likely will not conflict with the Privacy Rule. In the unusual case where there is a conflict, the
State law would stand. See 45 C.F.R. 160.203(d). Because the Administrative Simplification Rules
themselves exempt such State laws from preemption, a request for the Department of Health and Human
Services (HHS) to issue a preemption exception determination is unnecessary and inappropriate.
QUESTION:
How do I know if a State law is “contrary” to the HIPAA Privacy Rule?
(http://www.hhs.gov/ocr/privacy/hipaa/faq/preemption_of_state_law/402.html)
ANSWER:
A State law is “contrary” to the HIPAA Privacy Rule if it would be impossible for a covered entity to comply
with both the State law and the Federal Privacy Rule requirements, or if the State law is an obstacle to
accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA.
See the definition of “contrary” at 45 C.F.R. 160.202.
For example, a State law that prohibits the disclosure of protected health information to an individual who
is the subject of the information may be contrary to the Privacy Rule, which requires the disclosure of
protected health information to an individual in certain circumstances. With certain exceptions, the Privacy
Rule preempts “contrary” State laws. See 45 C.F.R. Part 160, Subpart B.
QUESTION:
Does the HIPAA Privacy Rule preempt state laws?
(http://www.hhs.gov/ocr/privacy/hipaa/faq/preemption_of_state_law/399.html)
ANSWER:
The HIPAA Privacy Rule provides a federal floor of privacy protections for individuals’ individually
identifiable health information where that information is held by a covered entity or by a business associate
of the covered entity. State laws that are contrary to the Privacy Rule are preempted by the federal
requirements, unless a specific exception applies. These exceptions include if the state law:
1. Relates to the privacy of individually identifiable health information and provides greater privacy
protections or privacy rights with respect to such information,
2. Provides for the reporting of disease or injury, child abuse, birth, or death, or for public health
surveillance, investigation, or intervention, or
3. Requires certain health plan reporting, such as for management or financial audits. In these
circumstances, a covered entity is not required to comply with a contrary provision of the Privacy Rule.
In addition, the Department of Health and Human Services (HHS) may, upon specific request from a
state or other entity or person, determine that a provision of state law which is “contrary” to the federal
requirements – as defined by the HIPAA Administrative Simplification Rules (see below for definition) –
and which meets certain additional criteria, will not be preempted by the federal requirements. Thus,
preemption of a contrary state law will not occur if the Secretary or designated HHS official determines,
in response to a request, that one of the following criteria applies. The state law:
4. Is necessary to prevent fraud and abuse related to the provision of or payment for health care,
5. Is necessary to ensure appropriate state regulation of insurance and health plans to the extent expressly
authorized by statute or regulation,
6. Is necessary for state reporting on health care delivery or costs,
7. Is necessary for purposes of serving a compelling public health, safety, or welfare need, and, if a Privacy
Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when
balanced against the need to be served; or
8. Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or
other control of any controlled substances (as defined in 21 U.S.C. 802), or that is deemed a controlled
substance by state law.
It is important to recognize that only state laws that are “contrary” to the federal requirements are
eligible for an exemption determination.
As defined by the Administrative Simplification Rules, contrary means that it would be
impossible for a covered entity to comply with both the state and federal requirements, or that
the provision of state law is an obstacle to accomplishing the full purposes and objectives of the
Administrative Simplification provisions of HIPAA.
See 45 C.F.R. Part 160, Subpart B, for specific requirements related to preemption of State law.