
Dental - HIPAA Privacy & Security Standards Compliance Policy Template (Annual Training)

Use this template to set up your dental practice's HIPAA privacy and security compliance policy.



Our practice is committed to protecting the privacy and confidentiality of our patients' protected health information (PHI) in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other applicable laws and regulations.

This Confidentiality and HIPAA Compliance Policy establishes guidelines to ensure that all employees understand their responsibilities in safeguarding patient information and maintaining compliance with relevant privacy and security requirements.

HIPAA requires that patient PHI be safeguarded. This subject covers what HIPAA is and how we ensure compliance in our practice.


Being familiar with these terms and acronyms will help you understand your obligations, protect patient privacy, and ensure compliance with HIPAA regulations when handling PHI within our practice.

Here are some phrases you need to know:

  • Protected Health Information (PHI): Individually identifiable health information, including demographic data, medical history, test results, insurance information, and other personal identifiers.
  • HIPAA: The Health Insurance Portability and Accountability Act, a federal law that sets standards for the privacy, security, and confidentiality of PHI.
  • Covered Entity: A health plan, health care clearinghouse, or health care provider (including our practice) that electronically transmits health information in connection with certain administrative or financial transactions. Covered entities must comply with HIPAA regulations.
  • Business Associate: A person or entity, such as an IT vendor or laboratory, that performs certain functions or activities on behalf of a covered entity involving the use or disclosure of PHI. Business associates must comply with HIPAA regulations and enter into a written Business Associate Agreement (BAA) with the covered entity.
  • Privacy Rule: HIPAA Privacy Rule establishes national standards for the protection of PHI and outlines how covered entities use, disclose, and safeguard patient information. It defines patients' rights regarding their health information.
  • Security Rule: HIPAA Security Rule provides standards for safeguarding electronic PHI (ePHI) that is created, received, maintained, or transmitted by covered entities. It requires implementing administrative, physical, and technical safeguards to protect ePHI.
  • Breach: An impermissible acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the information. Under the HITECH breach notification rule, such an event is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised.
  • Notice of Privacy Practices (NPP): A document that practices must provide to patients, explaining their privacy rights, how their PHI may be used and disclosed, and the practice's privacy practices.
  • Office for Civil Rights (OCR): The division of the U.S. Department of Health and Human Services (HHS) responsible for enforcing HIPAA and ensuring compliance with its privacy and security provisions.
  • HITECH: The Health Information Technology for Economic and Clinical Health Act. Legislation enacted as part of the American Recovery and Reinvestment Act (ARRA) that enhances HIPAA privacy and security protections, extends HIPAA requirements to business associates, and introduces breach notification requirements.

HIPAA Basics & Guidelines

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.

- Centers for Disease Control and Prevention


In other words...

The purpose of HIPAA is to make the healthcare industry more efficient while protecting the privacy of patients and health plan members, keeping health information secure, and ensuring that patients are notified if and when a data breach occurs.

How it applies to us

All employees of our practice must comply with strict confidentiality requirements regarding patient information. This includes, but is not limited to, maintaining the confidentiality of patient records, conversations, and any other personal or sensitive information obtained during the course of employment. Confidentiality obligations extend beyond the workplace and continue even after the termination of employment.

What is PHI?

PHI stands for Protected Health Information.

Protected health information is the term given to health data created, received, stored, or transmitted by HIPAA-covered entities and their business associates in relation to the provision of healthcare, healthcare operations and payment for healthcare services. Protected health information is often shortened to PHI, or in the case of electronic health information, ePHI.


HIPAA Privacy Rule

This rule sets national standards for the protection of individually identifiable health information by three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically.

Use and Disclosure of PHI

PHI may only be used or disclosed for authorized purposes in accordance with HIPAA regulations. Employees must obtain proper authorization from patients or their legally authorized representatives before disclosing any PHI, except as permitted by law.

Access to Patient Information

Employees may only access patient information when necessary for the performance of their job duties. Access should be limited to the minimum necessary information required to carry out assigned tasks. Unauthorized access or use of patient information is strictly prohibited.


HIPAA Security Rule

This Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information.

How it applies to us

Our practice employs physical, technical, and administrative safeguards to protect PHI from unauthorized access, alteration, or disclosure. Employees must follow security protocols, including password protection, secure file storage, and encryption measures, to maintain the confidentiality and integrity of patient information.


HIPAA Measures

Here's how we make sure that we follow HIPAA here at our practice.

Proper Training on HIPAA

Knowledge is power, right? We will do whatever is necessary to educate you on all aspects of HIPAA that apply to our business and to your specific job responsibilities. If you ever have questions or feel unsure about any aspect of HIPAA and/or how it could impact your work, please contact your manager.

Passwords and Encryption

Every machine, gadget, gizmo, program, or other electronic tool we use requires a password to unlock. We also require that passwords be updated on a regular basis (usually every 6 months). We also encrypt ALL patient data.

Vetting 3rd Party Partners

Before partnering with a 3rd party, we conduct detailed research into their practices to ensure that any patient data they may come in contact with in regular business dealings will be treated with the same care and security as we provide ourselves.

HIPAA Guidelines & Expectations

Here's how you can make sure you are following HIPAA Guidelines:

No Gossip Policy

We have a strict "No gossip" policy. PHI is private and should never be discussed outside of intentional work-related conversations. Sharing PHI with others is a direct violation of HIPAA and can lead to serious consequences for our company, and for you.

Always use secure passwords

We know, passwords can be annoying, especially when you have to remember so many of them. BUT, they help us keep PHI safe. Be sure to use effective passwords for your accounts. You will be prompted to change them regularly. Please do so.

Non-secure PHI

If at any point you encounter non-secure PHI, or witness a potential breach or unauthorized disclosure of PHI, report it immediately to our IT Support Specialist.

Any suspected or actual security incidents, including breaches or unauthorized disclosures of PHI, must be immediately reported to the appropriate supervisor or the designated HIPAA Privacy Officer. Prompt reporting allows for timely investigation, containment, and mitigation of potential harm.

Next, we'll go over more specific policies under HIPAA.

By e-signing, you acknowledge that you understand and agree to follow all of the guidelines outlined in this HIPAA Policy topic.

Privacy & Confidentiality

Protected Health Information

Definition and Prohibition

  • Medical Information is defined as any individually identifiable information, whether oral or recorded in any form or medium, in possession of or derived from a provider of healthcare services regarding a patient's current, past, or future medical status, mental or physical condition, or treatment.
  • Individually Identifiable information includes personal identifying elements, such as the patient's name, geographic subdivisions, dates, contact details, social security number, medical record number, or health plan beneficiary numbers. It also encompasses publicly available information that, when combined, reveals the individual's identity.
  • Requiring a patient to sign authorizations, releases, consents, or waivers for the disclosure of confidential medical information as a condition to receive healthcare services is strictly prohibited.

Handling of Protected Health Information

Distribution of Notice:

  • Provide the Notice of Health Information Practices to all new patients during the New Patient Registration process and no later than the date of their first service delivery.
  • Place the signed form in the medical record along with other registration forms or forward it to Health Information Management for filing.

Notice for Current Patients:

  • Provide the notice to all current patients during their first appointment after the implementation date.
  • Continue the process until reasonable efforts have been made to notify the entire patient population.

Checking for Previous Notice:

  • Inquire with patients if they have previously signed the notice during subsequent visits.
  • Patients should not sign the notice again on subsequent visits.
  • Health Information Management (HIM) staff will securely dispose of any duplicate notices as confidential waste.

Notice for New Patients:

  • Follow the same procedures outlined above for patients presenting for the first time to the clinic.
  • Retain the notice with the records of these patients.

Providing Copies:

  • Patients may be given either a copy of the notice or an unsigned form to take home.

Notice Display:

  • Post the notice in prominent areas of the main waiting room.
  • Make the notice available electronically on our company's website.

By adhering to these procedures, we ensure compliance with regulations, maintain patient awareness of their privacy rights, and protect the confidentiality of Protected Health Information (PHI).

Confidentiality Related to PHI

In compliance with state and HIPAA federal laws, our practice endeavors to safeguard the privacy and confidentiality of personal data pertaining to patients, employees, and others. We will take all reasonable measures to prevent unauthorized access to personal and medical information.

I. Upholding Patient Confidentiality:

Patients have the right to:

  • Refuse interaction with anyone they do not wish to engage with.
  • Expect an environment that ensures visual and auditory privacy during interviews and examinations.
  • Anticipate that discussions about their care will be carried out discreetly, without the presence of uninvolved individuals unless permitted by the patient.
  • Rest assured that their medical records will only be accessed by those directly involved in their care or in monitoring its quality, unless written consent is given by the patient or their legally authorized representative.
  • Understand that all records, including payment details, will be kept confidential.

II. Staff Responsibilities:

Staff members should not discuss, disclose, or use personal patient information outside the performance of their duties. Professional behavior must be maintained at all times to preserve confidentiality. Employees are required to review and sign a Confidentiality Statement and Agreement, which is revisited annually during HIPAA training.

III. Confidentiality of Medical Records:

Under the HIPAA federal regulations, our organization abides by the Minimum Necessary Standard, ensuring that only the necessary information is disclosed regarding a patient’s condition. Medical records, both physical and electronic, belong to the patient and will be kept confidential, with access limited to authorized users.

IV. Confidentiality of Information System:

Data stored in our computer information systems is treated as confidential and is accessible only to authorized personnel. Whenever an associate no longer requires access to patient data, their access code will be removed from the system.

V. Release of Patient Information:

All media requests, third-party payer inquiries, or legal requests related to patient information are to be directed to the Compliance Officer. Disclosure of patient information is only made in accordance with state and federal laws and regulations, and with the patient's consent.

VI. Confidentiality of Employee Information:

Requests for employee information will be directed to the HR Manager. Employees should not discuss health or confidential information about another employee or their family member without consent.

VII. Violations of Confidentiality Standards:

Violations of these standards and guidelines by any member of our organization are viewed seriously and may lead to corrective action, including possible termination of employment. This applies to all roles, from staff members to volunteers. Violations will also be subject to potential monetary and legal actions as per HIPAA regulations.

Reference: Health Insurance Portability and Accountability Act (HIPAA) – 1996

Requests for Restrictions on Personal Health Information

Our practice acknowledges the patient's right to request voluntary restrictions on the use or disclosure of their protected health information for treatment, payment, or healthcare operations. Patients also have the right to request restrictions on the information released to family or friends.

Additionally, our company allows individuals to request alternative means or locations for receiving their health information communications. While we accommodate reasonable requests, it is important to note that not all requests for restrictions can be granted.

Requesting Restrictions

Patients will be directed to the Compliance Officer to obtain the necessary forms for requesting restrictions on PHI.

Determining Nature of Restricted Information

The request for restriction will be evaluated by management personnel designated by the Compliance Officer. Only providers or personnel at the manager level or above will make determinations regarding the requested restrictions.

Alternative Communications

Requests for alternative communications may be subject to conditions such as providing alternative payment methods or contact information.

Implementation of Accepted Restrictions

Once special restrictions are accepted, they will be promptly implemented, and notification will be provided to the necessary employees involved in the implementation process.

Emergency Situations

In medical emergencies, covered entities may need to break the agreement on restricted information use or disclosure. In such cases, the emergency medical provider will be informed not to further use or disclose the restricted information.

Exceptions to Restrictions

Agreements to restrict information do not apply to specific purposes, including certain public health activities, reporting abuse or crimes, health agency oversight activities, judicial or administrative proceedings, and other legally required uses or disclosures.

Termination of Agreements

Covered entities may terminate agreements for special restrictions under the following conditions:

  • The patient requests termination through written or documented oral agreement.
  • The covered entity notifies the patient of the terminated agreement, effective only for PHI created or received after the notification is received.
  • All agreed-upon restrictions will be clearly documented in the patient's record and retained for a minimum of seven years.

By adhering to this policy, our practice ensures respect for patient autonomy, facilitates reasonable requests for restrictions on PHI, and maintains compliance with applicable regulations. We prioritize the protection of patient privacy while considering the necessary disclosures required for effective healthcare operations and legal obligations.

Patient Amendment of Health Information

Our practice must ensure the patient's right to request amendments to their personal health information while maintaining data integrity.

More details

  • Our company recognizes the patient's right to request amendments to their protected health information (PHI).
  • Patients may request changes in their medical record, and providers have the right, under HIPAA rules, to accept, deny, or limit those changes.
  • Accepted amendments will be documented as supplements to the record, superseding the original material, without altering or removing the original information.

Amendment Procedures

Requesting an Amendment

  1. The patient or their legal representative must submit a written request with supporting reasons for the amendment.
  2. The amendment request will be documented in the patient's paper chart or electronic medical record (EMR).
  3. The provider must respond to the patient's request within 60 days. If additional time is needed, the provider will notify the patient in writing, providing reasons for the delay and setting a firm deadline for a response.

Accepting an Amendment

  1. The provider will complete an acceptance form to notify the patient of their decision to accept the amendment.
  2. The form will identify any business associates or other individuals who had the amended information and relied on it to the patient's detriment.
  3. The acceptance form and amendment will be forwarded to the medical records department.
  4. The Medical Records Clerk will mail the original form to the requester and file a copy in the patient's medical record along with the amendment.
  5. The patient will be asked to identify any external entities that should be notified of the amendment. This information will be directed to the Medical Records Department.
  6. The Medical Records Clerk, on behalf of the provider, will make reasonable efforts to inform the identified parties of the amendment.
  7. The completed form noting all parties notified will replace the copy in the patient's medical record, and the Medical Records Clerk will update the appropriate log to reflect the actions taken.

Denying Request for Amendment

The provider may deny the request if:

  • The information was not created by the provider.
  • The information is not accessible to the patient for inspection or copying.
  • The information is not part of the designated record set.
  • The information is already accurate and complete.

Denial of Amendment Request

If the provider denies the patient's request, they will provide timely written notice of the denial, including:

  • The basis for the denial.
  • Information on the patient's right to submit a written statement disagreeing with the denial, along with instructions for filing the statement.
  • Notification that if the patient does not submit a statement of disagreement, they can require the provider to include the request for amendment and the denial in any future disclosure of the information.
  • Guidance on how the patient can file a complaint about the denial using [company]'s general HIPAA complaint procedures and with the federal Department of Health and Human Services.

Inclusion of Amendment Information

The provider will ensure that the following materials related to the amendment request are included in the record:

  • The patient's original request for an amendment.
  • The provider's denial of the request.
  • Any statement of disagreement submitted by the patient.
  • The provider's written response, if any, to the patient's statement of disagreement.

Future Disclosure of Amended Information

All of the above materials, or an accurate summary of them, will be included in any future disclosure of the health information in question.

Handling Receipt of Amended Information

  1. Amended information received from other providers or payors will be logged in the Medical Records Department.
  2. The notice of amendment will be filed in the patient's paper chart or electronic medical record (EMR).
  3. Any amendment notices received in error will be securely stored in a confidential container for shredding.

By following these procedures, we ensure patients can exercise their right to request amendments to their health information, while maintaining data integrity and complying with HIPAA regulations.

Notice to Patients Related to Health Information Practices

Our practice must inform patients about the uses and disclosures of protected health information (PHI) that may occur within our practice, as well as their individual rights and our responsibilities as a Covered Entity.

Policy information

  • Our company will provide every patient with a Notice of Health Information Practice.
  • The notice will be prominently displayed in a clear and easily visible location within our facilities.
  • Additionally, the notice will be made available electronically on our website.
  • We will make a good faith effort to obtain written acknowledgment of receipt of the notice from patients.

Distribution to New Patients

  • The Notice of Health Information Practices will be provided to all new patients during the New Patient Registration process or no later than their first service delivery date.
  • Once signed, the form will be placed in the patient's medical record alongside other registration documents, or forwarded to the Health Information Management team for proper filing.

Distribution to Current Patients

  • Upon their first appointment following the implementation of this notice, all current patients will receive a copy.
  • This process will continue until a reasonable effort has been made to notify the entire patient population.

Management of Duplicate Notices

  • Schedulers will inquire whether patients have previously signed the notice. Subsequent visits should not require another signature.
  • Any duplicate notices will be securely destroyed by the Health Information Management staff to ensure confidentiality.

Application to New Patients

Patients visiting our practice for the first time will be provided with the Notice of Health Information Practices, which will remain with their records.

Options for Patients

Patients may be given either a copy of the notice or an unsigned form to take home.

Notice Display

  • The Notice of Health Information Practices will be prominently posted in the main waiting areas of our facilities.
  • Additionally, the notice will be electronically available on our company's website.

By implementing these procedures, we ensure that all patients receive adequate notice regarding the uses and disclosures of their protected health information, their rights, and our commitment to maintaining their privacy.

By e-signing, you acknowledge that you understand and agree to follow all of the guidelines outlined in this HIPAA Policy topic.

Compliance & Enforcement

Compliance Program: Policies and Procedures

Our organization is dedicated to upholding and adhering to all current federal, state, and local laws and regulations. Part of this commitment involves ongoing monitoring and updating of our compliance program, policies, procedures, and training modules. This ensures that our standards of conduct meet regulatory requirements and are updated as necessary in response to regular auditing, risk identification, and regulatory changes.

Responsibilities for Compliance Knowledge

Our Compliance Coordinator, along with the Compliance Committee, holds the responsibility for keeping abreast of evolving compliance requirements. This includes staying informed about changes in applicable laws, regulations, and other program necessities.

Regular Review of Compliance Materials

The Compliance Coordinator conducts regular reviews of the Compliance Plan, training materials, and Policies & Procedures. These reviews aim to ensure continued alignment with all applicable federal, state, and local laws and regulations. As part of this review process, the Compliance Coordinator visits the CMS website at least quarterly to confirm that the most current materials and information are being utilized.

Revisions and Approval Process

If any revisions are necessary to the Compliance Plan, Standards of Conduct, Policies & Procedures, and training modules—be they due to changes in applicable laws, regulatory requirements, or audit findings—these will be reviewed by the Compliance Committee. Approval by the Board of Directors is necessary for changes to be finalized. Once approved, updates are communicated immediately to the Compliance Coordinator for dissemination throughout the organization.

HIPAA Compliance and Enforcement

We are committed to ensuring the stringent observance and enforcement of all relevant standards, requirements, and implementation procedures.

Compliance Procedures and Reporting

Our practice is devoted to adhering to the compliance procedures as outlined in our Compliance Program. Covered Entities will comply with all Health and Human Services (HHS) requirements, including:

  1. Submitting records and compliance reports as deemed necessary by HHS.
  2. Cooperating with investigations and compliance reviews.
  3. Permitting access to information, including facilities, books, records, accounts, and other sources of information, including Protected Health Information (PHI), which are essential for ascertaining compliance.

Should our practice or any other source fail to provide the necessary information, we must certify and detail our efforts to procure the information. Any PHI obtained by HHS related to an investigation or compliance review will not be disclosed, except when essential for establishing or enforcing compliance. The responsibility of enforcing these procedures lies with our Compliance Coordinator and Corporate Compliance Coordinator.

Management of Complaints

All complaints must be reported to the appropriate supervisor and the Compliance Committee. The Compliance Committee will then review all complaints regarding compliance.

Investigations and Corrective Actions

The HIPAA committee will conduct investigations and develop corrective action plans to resolve any issues that arise.

Compliance Review Cooperation

In the event that the HHS needs to conduct a compliance review, the Compliance Committee will cooperate fully, providing any requested information to assist in the review.

Documenting Reports of Fraud and Abuse and Other Violations of the Code of Conduct

Our practice is committed to meeting CMS and other regulatory body requirements for a program that records, scrutinizes, and divulges reports of fraud and abuse that potentially impact service delivery and contravene the Code of Conduct of our practice.

Accountability and Definitions

Our practice will take note of and scrutinize all potential instances of fraud, abuse, or violations of our Code of Conduct. We will swiftly report any substantiated cases of fraud and abuse to law enforcement agencies. This policy applies to all employees across all areas of our practice. Fraud and abuse can be defined as any act of deception, misrepresentation, concealment, or the permission of such actions by others to gain an undeserved advantage.

Forms of Fraudulent Activities

Fraudulent actions could lead to monetary losses for individuals, agencies, or healthcare entities. Non-monetary offenses could include cases where members do not receive the quality of care they are entitled to or which the government or another payer reasonably expects.

Role of Compliance Coordinator

Our Compliance Coordinator is tasked with documenting and investigating all reports of fraud, abuse, or violations of our Code of Conduct. Reports can be received through various channels, such as through a hotline, mail, email, or fax, and will be logged by the Compliance Coordinator promptly. The Compliance Coordinator will then inform the Chief Operating Officer (COO) and/or General Counsel about the nature of the report and confirm who will be responsible for investigating the report.

Allocation of Investigations

The delegation of investigations depends on the nature of the report. The Vice President of Human Resources will manage personnel complaints. Fraud involving the practice, fraud and abuse, and ACO/EPO fraud or malfeasance will be handled by the Compliance Coordinator and the Corporate Compliance Coordinator respectively. Matters involving employees or officers are taken care of by the COO.

Logging of Reports

All reports received will be logged by the Compliance Coordinator, detailing the date received, means of receipt, description of the allegation, and the disposition.

Reporting and Investigation Process

The Compliance Coordinator will check messages daily for potential reports and initiate investigations no later than three business days after receiving a report. The Coordinator will document ongoing investigations by updating the log regularly.

Weekly and Bi-weekly Updates

Weekly updates on ongoing investigations will be given to the Compliance Coordinator. If an investigation finds factual support for the fraud and abuse allegations, the Chief Compliance Coordinator will, within two weeks of concluding the investigation, prepare a notification for the appropriate regulator or enforcement agencies.

Legal Consultations and Notifications

The Compliance Coordinator will collaborate with legal counsel to determine the appropriate governmental agency that must be notified. The local District Attorney’s Office may also be informed, and certain cases may require notifications to local, state, and federal agencies. All notifications to an agency will be sent by certified mail, and copies will be kept by the Chief Compliance Coordinator.

Regular Reporting

The Compliance Coordinator will regularly inform the Compliance Committee, the COO, and the General Counsel about new and ongoing reports of potential fraud and abuse.

Quarterly Analysis Reports

The Compliance Coordinator will provide a quarterly trending analysis report to the Compliance Committee to identify patterns and implement any necessary preventive measures.

Annual Reports

By January 10th each year, the Compliance Coordinator will compile an annual report detailing our practice’s efforts to deter, detect, and investigate fraud over the previous calendar year. The report will also include any instances of reporting to law enforcement agencies.

Hotline Reports and Anonymity

The Compliance Coordinator will check hotline messages daily, with callers being advised that they can choose to remain anonymous. While no retaliatory action will be taken, conducting a thorough investigation may be challenging without interviewing the person reporting the violation. Therefore, an interview should be arranged as quickly as possible.

Sanctions for HIPAA Violations

Sanctions are essential to hold individuals accountable for unauthorized use or disclosure of Protected Health Information (PHI). This policy outlines the process for enforcing sanctions consistently and fairly, while exempting whistleblowers from sanctions.

Complaint Management

All complaints related to HIPAA violations should be directed to the Compliance Officer and Director of Human Resources. These individuals will serve as the primary points of contact for addressing reported violations and initiating the investigation process.

Investigation of Privacy Breaches

Upon receiving a complaint, the Compliance Officer and Director of Human Resources will thoroughly investigate the reported privacy breach to determine its validity. This investigation ensures that all allegations are properly evaluated and appropriate action can be taken.

Referral to Immediate Supervisor and Senior Management

If a privacy breach is confirmed, the Compliance Officer and Director of Human Resources will refer the matter to the employee's immediate supervisor and their respective Senior Management Team member. This referral allows for a comprehensive evaluation of the violation and subsequent determination of suitable sanctions.

Evaluation and Decision

The immediate supervisor and Senior Management Team member will evaluate the violation and determine the appropriate sanctions based on established guidelines. The Corporate Compliance Officer will be notified of their decision to ensure consistent enforcement of sanctions.

Documentation and Reporting

The immediate supervisor will complete the necessary paperwork documenting the violation and its associated sanctions. This documentation will be forwarded to the Director of Human Resources for record-keeping and appropriate action.

Timely Implementation of Sanctions

Sanctions must be implemented promptly within 72 hours of notification of a reported violation. This ensures that appropriate actions are taken in a timely manner, emphasizing the importance of compliance and privacy.

Guidelines for Sanctions

Sanctions for accidental violations, which occur due to negligence or misunderstanding, may include a written warning, counseling by the immediate supervisor, a repeat of HIPAA Privacy Orientation and Post-test, and disciplinary action up to and including termination, depending on the severity and outcome of the breach.

Willful violations, involving intentional and deliberate misuse or disclosure of PHI, may result in immediate termination without the opportunity for rehire. Such violations may also trigger an investigation by the Office of Civil Rights (OCR), potential civil monetary penalties, notification to the Department of Justice for criminal prosecution, and civil fines or penalties under applicable laws.

Breach and Termination of Business Associate Contracts

Employees have a responsibility to report any breaches or violations of patient privacy by Business Associates. Any observed breaches should be reported promptly to the Compliance Officer. The Compliance Officer, in collaboration with the administration, will address the breach, notify the Business Associate, and take necessary steps to rectify the situation. In cases where breach resolution is unsuccessful, the Covered Entity will terminate the Business Associate Agreement for non-compliance.

Reporting Non-Compliance

If termination of non-compliant individuals or entities is not possible or appropriate, the problem will be reported to the Secretary of the Department of Health and Human Services, ensuring that appropriate action is taken to address the non-compliance.

By enforcing these sanctions and reporting non-compliance, we uphold the integrity of our HIPAA policies, protect patient privacy, and reinforce a culture of compliance within our practice.

Whistleblower Protection

The Whistleblower Protection policy aims to provide a clear framework that ensures no retaliatory action or negative employment consequences will occur in response to employees or business associates who report breaches of patient privacy issues and related matters in good faith. This policy safeguards individuals who come forward with valuable information, encouraging a culture of compliance and accountability.

Encouraging Reporting

Employees, business associates, and FDRs are directed and encouraged to report any suspected breaches of patient privacy issues, non-compliance, or related matters. This active promotion of reporting supports the early identification and resolution of potential compliance issues.

Compliance Training

All employees receive comprehensive compliance training that aligns with local, state, and federal laws, including HIPAA/HITECH and FWA laws. This training equips employees with the necessary knowledge to recognize and address compliance concerns.

Reporting Process

If an employee or group of employees becomes aware of any breach of patient privacy issues or related matters, they should immediately bring their concerns to the attention of their supervisor, the company's Compliance Officer, Director of Human Resources, or any member of the company's Senior Management Team. This multi-channel reporting process ensures that individuals have various avenues to express their concerns.

Reporting Options

Employees may report suspected compliance violations, including patient privacy breaches, fraud, waste, abuse, and other non-compliance issues, through the following channels:

  • Reporting to their immediate supervisor.
  • Notifying our Compliance Coordinator via the hotline or a written complaint.

Confidentiality and Anonymity

All reports and disclosures are treated confidentially to the extent permitted by law and the nature of the investigation. Individuals may choose to remain anonymous while reporting, ensuring protection and fostering a safe environment for reporting potential compliance concerns.

Our company strictly prohibits any form of retaliation against individuals who act as whistleblowers, bringing forth information about breaches in patient privacy, non-compliance, or related matters. This protection is essential to encourage open and transparent reporting without fear of adverse consequences.

By establishing this Whistleblower Protection policy, we encourage all employees, business associates, and FDRs to play an active role in maintaining a compliant and ethical environment. This policy promotes transparency, accountability, and the early detection and resolution of potential compliance issues to ensure the highest standard of patient privacy and care.

Fraud, Waste, Abuse, and Compliance

Terms of Reference

Medicare: A government-funded healthcare program in the U.S. (established in 1965), primarily designed to provide health insurance coverage for individuals who are 65 years of age or older. Younger individuals with disabilities or end-stage renal disease may also be eligible for Medicare. It is administered by the Centers for Medicare & Medicaid Services (CMS), a division of the U.S. Department of Health and Human Services. The program helps beneficiaries pay for a variety of medical services and is divided into the following parts:

  • Part A – Hospital Insurance: Covers inpatient care, skilled nursing facility care, hospice, and home health care.
  • Part B – Medical Insurance: Pays for doctor’s services, outpatient care such as lab tests, medical equipment, some preventive care, and some prescription drugs.
  • Part C – Medicare Advantage Plans (MA): Consolidates Part A and Part B health benefits via managed care organizations. Some plans incorporate Part D (MAPD plans).
  • Part D – Prescription Drug Insurance: Assists with payment for prescription drugs, certain vaccines, and particular medical supplies like insulin needles and syringes. This coverage is offered through the Prescription Drug Plan (PDP).

First Tier Entity: An organization that enters a written agreement with an MA Organization or Part D plan Sponsor to deliver administrative services or health care services to a Medicare-eligible individual under the MA or Part D programs. Examples include IPAs, Medical Groups, Pharmacy Benefit Managers (PBMs), contracted hospitals, clinics, and allied providers.

Downstream Entity: An organization that signs a written agreement with entities involved in the MA or Part D benefit, below the level of the agreement between an MA Organization or Part D sponsor and a first-tier entity. Examples include pharmacies, marketing firms, quality assurance companies, claims processing firms, and billing agencies.

Related Entity: An entity that is related to the MA organization or Part D Plan Sponsor through common ownership or control and that performs some of the management functions or furnishes services to Medicare enrollees under a contract or agreement, or that leases real property or sells materials to the MA organization or Part D Sponsor exceeding the cost of $2,500.00 during a contract.

Fraud: A deliberate act of deception, misrepresentation, or concealment to gain something of value.

Waste: Over-utilization of services (not caused by criminally negligent actions) and resource misuse.

Abuse: Excessive or improper use of services or actions inconsistent with acceptable business or medical practices. These actions, while not fraudulent, may directly or indirectly result in financial loss.

Annual Compliance Requirements

Our practice is compliant with the Centers for Medicare and Medicaid Services (CMS) annual training requirement on identifying fraud, waste, and abuse for organizations delivering health or administrative services to Medicare Advantage (MA) enrollees on behalf of a health plan. This training is also distributed to all downstream entities, with documented proof of completion.

We also adhere to the CMS requirement for MA sponsors to have a compliance plan that guards against potential fraud, waste, and abuse. An MA or Part D Sponsor must establish:

  1. A Compliance Plan incorporating measures to detect, prevent, and correct fraud, waste, and abuse.
  2. A Compliance Plan comprising training, education, and effective communication.
  3. The application of such training, education, and communication requirements to all entities providing benefits or services under MA or PDP programs.
  4. Proof of compliance from first-tier, downstream, and related entities with these requirements.

Our Compliance Program

Our practice’s compliance program adheres to the following seven elements:

  1. Written policies, procedures, and standards of conduct.
  2. A designated compliance coordinator and compliance committee reporting directly to, and accountable to, senior management.
  3. Establishing effective training and education among the compliance coordinator, the employees, senior administrators, managers, governing body members, and our practice’s first tier, downstream, and related entities.
  4. Creating effective communication lines, ensuring confidentiality among the compliance coordinator, members of the compliance committee, and our practice's entities.
  5. Publicizing disciplinary standards through procedures to encourage participation in the compliance program by all affected individuals.
  6. Establishing an effective system for routine monitoring and identifying compliance risks.
  7. Creating procedures and a system for promptly responding to compliance issues, investigating potential compliance problems identified during self-evaluations and audits, correcting such problems promptly and thoroughly to minimize the potential for recurrence and to ensure ongoing compliance with CMS requirements.

Obligation to Report Violations

Our practice mandates that all team members and those of related entities sign an attestation form confirming that they have received, read, understood, and will comply with all written Standards of Conduct. All employees must complete an annual Compliance and Fraud, Waste, and Abuse (FWA) training with a minimum passing score of 80%.

The obligation to report any known or suspected violations of the policies, procedures, laws, and regulations is taken seriously. Allegations of fraud, waste, and abuse are reported to the health plans within ten days of discovering suspected violations, both before and after conducting an investigation.

Monitoring and Auditing

Our practice implements an effective system for routine monitoring and identification of compliance risks. We conduct internal and external monitoring and audits to evaluate compliance with CMS requirements and the overall effectiveness of the compliance program. Our practice also requires attestations from all employees and related entities upon hiring and annually thereafter, auditing, monitoring, and maintaining documentation regarding adherence to this requirement.

Response to Compliance Issues

We promptly respond to compliance issues raised, investigating potential compliance problems identified during self-evaluations and audits. Problems are corrected promptly and thoroughly to reduce the potential for recurrence and to ensure ongoing compliance with CMS requirements. Violations of the compliance policies or any federal and state law or regulations will result in sanctions according to our practice’s discipline guidelines.

Exclusion Lists Verification

Our Human Resources department complies with the CMS requirement of checking all new employees against the Office of the Inspector General (OIG) and General Services Administration (GSA) exclusion lists, and rechecking them monthly thereafter.

Reporting Possible Fraud, Waste, or Abuse

Our practice acknowledges the right and responsibility to report possible fraud, waste, or abuse. Issues or concerns are addressed to our practice’s compliance coordinator or compliance hotline and/or the compliance officer or compliance hotline of the applicable Medicare Advantage Organization Sponsor(s) with whom our practice participates; compliance hotline numbers are available on each organization’s website. We also report any possible Fraud, Waste, and Abuse to the National Benefit Integrity Medicare Drug Integrity Contractor (NBI MEDIC).

Routine use of system-generated reports, such as claim ad-hoc reports or those from PCG (Virtual Examiner) or iCode software, is instrumental in identifying possible fraud, waste, and abuse. These reports, coupled with the findings from routine monitoring, auditing, and risk identification, are analyzed and routinely reported to the appropriate departments, the Compliance Committee, our practice’s Board of Directors, and health plans, as required.

Compliance Oversight

The Compliance Coordinator ensures compliance with CMS requirements quarterly or as required by the Compliance Committee.

By e-signing, you acknowledge that you understand and agree to follow all of the guidelines outlined in this HIPAA Policy topic.

Information Management & Security

Safeguard of PHI during Transportation

Our company recognizes the importance of maintaining the confidentiality and privacy of Protected Health Information (PHI) during transportation. Whether it is our employees or contracted courier services handling the transportation, we are responsible for ensuring that medical records and billing records are safeguarded throughout the process. Confidentiality and privacy must be maintained to protect the sensitive nature of PHI.

Orientation on HIPAA Privacy Rules

During department orientation, Human Resources Personnel will provide a comprehensive review of HIPAA Privacy rules specifically related to the transport and safeguarding of Patient Health Information to all company couriers. This ensures that everyone involved understands their responsibilities and obligations regarding PHI.

Secure Transport Containers

Couriers must ensure that all Protected Health Information is safeguarded from view by placing it or relevant documentation in covered transport boxes. This ensures that PHI remains confidential and is not accessible to unauthorized individuals during transportation.

Protected Transportation Area

All PHI transported by company couriers must be stored and secured in a designated protected area within the vehicle. This area should prevent unauthorized access and provide an additional layer of security.

Vehicle Locking

To prevent unauthorized access, all transportation vehicles must be locked at all times when left unattended. This applies to both company-owned vehicles and contracted courier vehicles. Maintaining strict control over access to the PHI during transportation is crucial for privacy and security.

Secure Locking Mechanism

The transportation vehicle must have an appropriate locking mechanism to ensure the security of PHI. The vehicle should remain locked at all times, except during loading and unloading processes, to minimize the risk of unauthorized access.

Violation of Procedures

Any violation of the outlined procedures will be addressed in accordance with the Sanctions of HIPAA Violations Policy. We take the safeguarding of PHI seriously, and any breaches or non-compliance will be handled accordingly to ensure the privacy and confidentiality of patient information.

By following these procedures, we prioritize the protection of patient information during transportation and uphold our commitment to maintaining the confidentiality and privacy of PHI. Our efforts to comply with HIPAA regulations contribute to the trust and confidence our patients place in us when entrusting their health information to our care.

Disposal of Protected Health Information

Should any identifiable patient information be deemed suitable for disposal, we will follow the procedures outlined in this policy to discard it. Any misuse of these procedures or deliberate disregard for this policy is a serious infraction. This may lead to corrective action, including termination, in line with the policy on Sanctions for Privacy Violations.

Confidential Information and Consultation

All documents or electronic storage media containing identifiable patient information are deemed confidential. This confidentiality extends to adhesive I.D. labels, computer disks, billing forms, claims, insurance forms, and any medical information. Employees uncertain about the appropriateness of information disposal should seek guidance from their supervisors.

Secure Disposal Facilities

We have strategically located locked storage consoles for secure waste disposal across our facility. Staff members are expected to deposit all confidential waste into these designated receptacles. Keys to these consoles are held exclusively by a select group of management staff and authorized representatives from a contracted Document Destruction Company.

On-site Shredding

The contracted document destruction company makes regular visits to our site to collect and shred the contents of the disposal containers in situ.

Certificates of Destruction

Each shredding session is accompanied by the issuance of a Certificate of Destruction before the shredding truck departs from the premises. These certificates are stored electronically on each center's shared server, within a dedicated folder for HIPAA compliance.

Recycling of Shredded Documents

All shredded documents are further processed via an environmentally friendly recycling program.

HIPAA Compliance as it Relates to Email and Electronic Data Transmission

Our practice's Electronic Data Transmission (EDT) policy has been developed to reflect our business practices, focusing on the appropriate use and protection of Electronic Protected Health Information (ePHI). This policy aligns with the requirements of HIPAA, the HITECH Act, federal and state regulations, and health plan requirements. All employees and Business Associates working with our practice are expected to abide by this policy.

Key Definitions

The term "Electronic Data Transmission Resources" encompasses our practice's PCs, portable/laptop PCs, handheld PCs, servers, network connections, process control computers, modems, cables, all telephone equipment, software and program applications, and related hardware. It also includes all electronic communication systems such as telephones, cell phones, pagers, email, voice-mail, fax, and the Intranet or Internet.

Our practice commits to implementing a process by which all electronic communication transmitted outside of the organization will be appropriately encrypted. We encourage all organizations to use encryption services. Note that text messaging is strictly prohibited as texts cannot be password protected or encrypted.

ePHI Permissions

Our practice designates permissions for the creation, reception, maintenance, and transmission of ePHI based on the company's needs and the role, duty, and responsibility of the transmitter (e.g., employee, Business Associate, vendor, etc.). These permissions are determined with an aim to safeguard ePHI effectively, and any non-compliance with this policy may result in disciplinary actions, including termination of employment.

Business Associate Agreements

Specific use restrictions and confidentiality agreements for Business Associates will be outlined in individual contracts. Any misuse may result in contract termination. Legal actions, depending on the severity of policy non-compliance, may also be considered.

Email System Usage

Our company's email system should not be used for communicating patient-identifiable health information (PHI) unless the data is encrypted. This includes inter-company emails and emails sent outside the company. Confidential information should generally not be emailed to maintain the privacy and confidentiality of all sensitive material and information.

Email Encryption

On the rare occasion when an employee needs to send ePHI via email, they must contact the Management Information Systems (MIS) department to be set up with appropriate encryption tools.

Policy Compliance

Our EDT policy complies with state and federal laws and regulations and health plan regulations. Strict patient privacy and confidentiality measures are applied to all electronic transfers involving patient information, records, and personal data. Any violation of this policy will be reported immediately to the Director of Human Resources and Compliance Coordinator.

EDT Monitoring

The use of our EDT resources is a privilege and can be revoked or restricted at any time. Our practice reserves the right to monitor any EDT resources randomly or at the discretion of managers/supervisors and/or administration. All information stored or transmitted through our electronic transmission system will be treated as confidential and proprietary.

Hardware and Software Use

The MIS department alone has the authority to connect or integrate hardware and equipment. Any unauthorized hardware modifications are strictly prohibited. Similarly, the MIS department is responsible for authorizing and installing all software, with any unauthorized access, use, or distribution of our proprietary software being strictly prohibited.

Patient and Employee Security Measures

The Corporate Security Officer is responsible for overseeing policies related to all EDT resources in alignment with the "Patient's Right to Privacy" policies. Our Internet sites feature the Privacy Policies, including the HIPAA-required privacy notice, and our Marketing Department generates additional patient material to disclose our privacy protection practices.

Employee security measures, including assigning and enforcing employee identification passwords, are managed by the MIS department. Any removal of EDT resources from company premises without written permission from MIS and/or Administration is strictly prohibited. In addition, the MIS Department ensures that all patient data and our practice's documents are protected during the disposal, selling, or re-issuing of any company EDT system.

HIPAA Minimum Necessary Data Request and Disclosure

Our practice is dedicated to offering clear guidelines for using, disclosing, or requesting protected health information from another covered entity under the regulations of the Health Insurance Portability and Accountability Act (HIPAA).

Exceptions to Minimum Necessary Rules

There are specific situations where minimum necessary rules do not apply. These exceptions include:

  1. Disclosures to or requests by a healthcare provider for treatment purposes.
  2. Uses or disclosures made directly to the patient who is the subject of the information.
  3. Disclosures made to the Department of Health and Human Services for compliance and investigation purposes.
  4. Uses and disclosures that are required by law.
  5. Uses or disclosures made following an authorization request by the patient.
  6. Uses or disclosures required for compliance with standardized HIPAA transactions.

Scope of Responsibility

This policy applies to all team members in our practice, including employees, volunteers, interns, and business associates. Everyone on the team shares the responsibility of ensuring that these guidelines are adhered to at all times.

Ensuring Limited Access to Protected Health Information

Our practice is committed to making reasonable efforts to limit access to protected health information. We aim to ensure the information shared or requested is only the minimum necessary to accomplish the intended purpose, with the exception of the scenarios noted above.

This means that the Compliance Coordinator will ensure that only the minimum amount of information needed for the task at hand will be provided or requested, in order to maintain patient confidentiality and privacy to the greatest extent possible.

Privacy Inspection Walk Through

Here's how to conduct a privacy walkthrough.

Privacy Inspection Assignment

Conduct an annual walk-through inspection as assigned on the Privacy Inspection Assignment Sheet.

Privacy Walk-Through Checklist

  • Utilize the Privacy Walk-Through Checklist to conduct a comprehensive review of all areas of concern.
  • Mark the appropriate column ("Agree," "Disagree," or "N/A") for each item.
  • Use the "Comments" column to provide clarification or explanation, as necessary.

Submission of Completed Checklists

  • Submit all completed checklists to the Compliance Coordinator.
  • The Compliance Coordinator will present the checklists to the Compliance Committee for further discussion.

Recommendations and Actions

  • The Compliance Committee will provide recommendations based on the findings and discussions during the Privacy Walkthrough.
  • Communicate the identified recommendations to the respective department heads for necessary actions and resolutions.

Documentation and Follow-up

Document the identification and resolution of problems related to the privacy walk-through activities in the minutes of the Compliance Committee meetings.

By following these procedures, we ensure regular privacy inspections, identify areas for improvement, and take appropriate actions to maintain compliance with HIPAA regulations while protecting the privacy of patients' health information.

By e-signing, you acknowledge that you understand and agree to follow all of the guidelines outlined in this HIPAA Policy topic.

Covered Entity Responsibilities

Covered Entities Compliance with State Laws

Our organization consistently abides by the HIPAA privacy standards, which override state law whenever the two conflict. However, there are certain exceptions to this general rule.

Exceptions to HIPAA Preemption

These exceptions include:

  1. Laws instituted by the Department of Health and Human Services (HHS) which are crucial for the prevention of fraud and abuse, for the appropriate regulation of insurance and health plans, and those which are necessary for state reporting on health care delivery among other purposes.
  2. Laws that pertain to the control of substances.
  3. Laws that impose stricter regulations than those set by HIPAA.
  4. Laws that call for the reporting of instances of disease, injury, child abuse, birth, death, or initiatives related to public health.

These exceptions remain valid until there are significant changes to either the state law or federal regulation, requirement, or implementation specification. The exceptions will also cease to be in effect if the HHS withdraws the exception. In cases where the state law imposes stricter regulations than HIPAA, our organization will adhere to the state law.

Adherence to HIPAA and Exceptions

Our organization complies with HIPAA regulations with the only exceptions being the cases stated above where state law takes precedence.

Unclear State Laws

In the event that a state law seems ambiguous, irrespective of its exception status, it should be reported to the organization's HIPAA/Compliance Officer who will seek to clarify it.

Role of Compliance Committee

All such reported cases will be evaluated by the Compliance Committee, which will interpret the legislation.

Legal Counsel Consultation

If the Compliance Committee is unable to clearly interpret the legislation, the case will be escalated to the organization's legal counsel for further clarification.

HIPAA Compliance Oversight

Our practice is committed to establishing comprehensive guidelines for oversight. This is intended to ensure our practice's strict compliance with the policies and procedures outlined by the Compliance Committee in accordance with the Health Insurance Portability and Accountability Act (HIPAA).

Commitment to Compliance Monitoring

Our practice's policy necessitates effective oversight to ensure consistent adherence to all compliance policies. This oversight aims at fostering a culture of compliance within the practice and guarantees that all activities adhere to HIPAA regulations.

Semi-Annual Compliance Audits

Our Compliance Coordinators perform audits on a semi-annual basis. During these audits, each team's electronic data is thoroughly reviewed to ascertain strict adherence to compliance policies. This rigorous scrutiny ensures that all aspects of our operations align with HIPAA guidelines and fosters an environment of continuous improvement in compliance practices.

Focus on Destruction Certificate Documentation

A pivotal part of this audit revolves around reviewing the Certificates of Destruction stored in the dedicated HIPAA compliance folder. By verifying these certificates, we ensure that all protected health information (PHI) that is no longer required has been disposed of in a secure and compliant manner.

Employee Privacy Orientation and Training

This approach aligns with the requirements of the HIPAA Administrative Simplification and Breach Notification for Unsecured Protected Health Information rules as outlined in the Health Information Technology for Economic and Clinical Health (HITECH) Act. Our goal is to safeguard both patient and employee privacy.

Key Information

Our practice policy provides training for new hires and ongoing training to ensure all employees are informed, knowledgeable, and comply with the regulations related to the HIPAA and HITECH Act.

Initial Training

New employees will receive an orientation that covers the HIPAA regulations and the HITECH Act. After completing the HIPAA training, new hires are required to take a quiz. This quiz will be automatically graded, and a certificate of completion will be added to the employee's personnel file as an acknowledgment that they have undergone training and understand the HIPAA regulations and the HITECH Act.

Monthly Updates on HIPAA and HITECH Act

Employees will receive monthly updates and reminders regarding these Acts. During monthly staff meetings, employees will have the opportunity to ask questions or engage in discussions about the training topic for that month.

Annual Refresher Course

During National Privacy and Security Week in April, our practice conducts mandatory annual in-service training that includes a review of the HIPAA and HITECH Act regulations. The training also introduces new or upcoming legislation. At the end of the session, employees sign an acknowledgment stating they have received and understand the training.

Routine Checks

On a semi-annual basis, the Compliance Coordinator will audit each group’s electronic data to ensure strict adherence to our privacy policies. The audit will cover the following information:

Release of Medical Information

At our practice, protecting patient privacy and ensuring the proper disclosure of medical information is of utmost importance. We recognize the significance of safeguarding sensitive health data as mandated by the Confidentiality of Medical Information Act, HIPAA, and other State and Federal laws. This policy outlines our commitment to maintaining the privacy and confidentiality of protected health information (PHI) while adhering to the guidelines for disclosing patient-identifiable information. By implementing appropriate measures and following established procedures, we aim to comply with legal requirements and safeguard the privacy of our patients' personal health information.

Definition of Medical Information:

Medical information encompasses any individually identifiable information, whether oral or recorded in any form or medium, in possession of or derived from a healthcare provider. This includes information related to a patient's current, past, or future medical status, mental or physical condition, or treatment.

Release of Information:

Medical information or records transmitted by electronic media, maintained electronically, or in any other form shall not be disclosed unless authorized by applicable laws or the patient.

Ensuring Proper Disclosure and Compliance

Processing Requests for Medical Information:

  • Authorization Requirements: Specific criteria must be met for an authorization to be valid, including plain language, proper signature, and identification of authorized recipients.
  • Processing Requests: Requests for medical records should be processed promptly, following specific timeframes required by law. Subpoenas and attorney requests should be directed to the appropriate management personnel.

Discretionary Disclosure:

Certain parties, such as healthcare providers for diagnosis or treatment purposes, insurers, regulatory agencies, and law enforcement officers as mandated by law, may receive medical information without patient authorization.

Disclosure of Transfer Records:

Medical records obtained from other healthcare providers, once incorporated into the current records, are subject to release authorization requirements.

Release of Information to Service Providers for Copying:

Copying of medical records may only be performed by contracted or non-contracted service providers. Copies will be made available by appointment, with large volumes provided in electronic media.

Charges for Medical Records Requests:

Fees will be applied for requests to cover the cost of record retrieval, verification, and related services.

By adhering to this policy, we ensure the protection of patient privacy, maintain compliance with applicable laws and regulations, and uphold our commitment to safeguarding sensitive medical information. Our dedication to proper disclosure procedures contributes to maintaining the trust and confidentiality of our patients' health data.

Mitigation of Violations

To safeguard the confidentiality and privacy of our patients' protected health information (PHI), our practice is committed to implementing effective measures for the mitigation of violations. This policy outlines our approach to minimizing the impact of improper or unlawful use and disclosure of PHI.

The following guidelines provide a framework for immediate action and appropriate steps to be taken in the event of a privacy breach. By adhering to these protocols, we aim to ensure the well-being and trust of our patients, while also maintaining compliance with relevant regulations and standards.

Evaluation of Reported Privacy Breaches

  • Privacy breaches reported by staff or patients will undergo a thorough evaluation process.
  • The evaluation will follow the steps outlined in the Patient Grievance/Complaint Policy and Sanctions for Privacy Violations Policy.

Immediate Action for Privacy Breaches

  • Upon confirming a privacy breach, our company will promptly respond to mitigate potential harm.
  • Swift measures will be taken to minimize or eliminate any harmful effects resulting from the breach.

Notification of Impacted Parties

  • In the event of a privacy breach, all affected parties, including patients, members, and health plans, will be promptly notified.
  • Clear and concise communication will be provided to ensure transparency and allow individuals to take appropriate actions.

Compliance with Reporting Requirements

  • Our practice is committed to complying with all reporting obligations stipulated by HIPAA COW (Compliance, Operations, and Workflows).
  • All teams within the organization will fulfill their respective responsibilities in reporting privacy breaches as mandated by HIPAA guidelines.

Mitigation of Harmful Effects

  • If harm has already occurred as a result of a privacy breach, our company will allocate necessary resources to mitigate the adverse consequences.
  • Our team will proactively work towards minimizing the impact on affected individuals and implementing remedial actions to the best extent practicable.

By adhering to these guidelines, we affirm our dedication to protecting the privacy of our patients' health information and ensuring their trust in our practice.

By e-signing, you acknowledge that you understand and agree to follow all of the guidelines outlined in this HIPAA Policy topic.

Tips for Assessing Confidentiality

What Confidential Information Is

The confidential information will include all data and information relating to the business and management of the employer. This includes (but is not limited to) the following.

Examples of confidential information:

  • Patient Health Information (PHI): This includes any information related to a patient's physical or mental health, treatments received, and personal identifiers. It covers details like medical history, diagnosis, medications, treatment plans, X-rays, lab test results, and more.
  • Personal Identification Information (PII): This includes information such as full names, home addresses, email addresses, telephone numbers, Social Security numbers, and birth dates.
  • Payment Information: Credit or debit card information, bank account details, and insurance policy details used for billing and payment purposes.
  • Employee Records: This encompasses personal and professional information of employees, including their home addresses, contact information, Social Security numbers, salary details, and performance evaluations.
  • Business Information: Any details related to the practice’s business operations, such as financial records, internal reports, strategic plans, vendor contracts, proprietary research, and trade secrets, are also confidential.

The confidential information will also include any information that has been disclosed by a third party to the employer and is governed by a non-disclosure agreement entered into between that third party and the employer.

What Confidential Information Is NOT

The confidential information will not include information that is nonproprietary or generally known.

Examples of non-confidential information:

  • General Office Policies: Information about the office's general policies, such as appointment scheduling and cancellation policies, office hours, accepted insurance plans, payment options, and patient rights and responsibilities, is not confidential.
  • Services Offered: Details about the types of procedures and services offered by the practice, as well as general information about these procedures, are not confidential.
  • Publicly Available Contact Information: The practice's name, address, phone number, website, and publicly listed email addresses are not confidential.
  • Publicly Shared Staff Information: Information about the office's staff that is shared publicly, such as the medical staff's names, credentials, professional history, and any specializations, is not confidential.
  • Marketing Materials: Promotional materials like brochures, newsletters, blog posts, social media posts, and other publicly distributed materials are not confidential.
  • General Medical Advice: General health tips and advice given in a non-personalized way (for example, on a website or in a social media post) are not confidential.

It's important to note that while the above categories of information aren't inherently confidential, the application of them to an individual patient's situation would be. For instance, the fact that a practice offers root canal services isn't confidential, but the fact that a specific patient is scheduled to receive one is.


You've now completed our HIPAA Compliance Policy! 🎉

As you can see, there are a lot of intricacies to the HIPAA policy. If anything doesn't make sense or you have any questions, reach out to the owner of this subject, our Compliance Coordinator.
