25 Steps Toward Privacy and Breach Notification Compliance
Reproduction of this material by dentists and their staff is permitted. Any other use, duplication or distribution by any other party requires the prior written approval of the American
Dental Association. This material is for general reference purposes only and does not constitute legal advice. It covers only HIPAA, not other federal or state law.
Changes in applicable laws or regulations may require revision. Dentists should contact qualified legal counsel for legal advice, including advice pertaining to HIPAA
compliance, the HITECH Act, and the U.S. Department of Health and Human Services rules and regulations.
© 2010, 2013 American Dental Association. All Rights Reserved.
Other Uses and Disclosures of PHI
Your authorization is required, with a few exceptions, for disclosure
of psychotherapy notes, use or disclosure of PHI for marketing, and
for the sale of PHI. We will also obtain your written authorization
before using or disclosing your PHI for purposes other than those
provided for in this Notice (or as otherwise permitted or required by
law). You may revoke an authorization in writing at any time. Upon
receipt of the written revocation, we will stop using or disclosing
your PHI, except to the extent that we have already taken action
in reliance on the authorization.
Your Health Information Rights
Access. You have the right to look at or get copies of your health
information, with limited exceptions. You must make the request
in writing. You may obtain a form to request access by using the
contact information listed at the end of this Notice. You may also
request access by sending us a letter to the address at the end of
this Notice. If you request information that we maintain on paper,
we may provide photocopies. If you request information that we
maintain electronically, you have the right to an electronic copy.
We will use the form and format you request if readily producible.
We will charge you a reasonable cost-based fee for the cost of
supplies and labor of copying, and for postage if you want copies
mailed to you. Contact us using the information listed at the end
of this Notice for an explanation of our fee structure.
If you are denied a request for access, you have the right to
have the denial reviewed in accordance with the requirements
of applicable law.
Disclosure Accounting. With the exception of certain disclosures,
you have the right to receive an accounting of disclosures of
your health information in accordance with applicable laws and
regulations. To request an accounting of disclosures of your
health information, you must submit your request in writing to the
Privacy Official. If you request this accounting more than once in a
12-month period, we may charge you a reasonable, cost-based fee
for responding to the additional requests.
Right to Request a Restriction. You have the right to request
additional restrictions on our use or disclosure of your PHI by
submitting a written request to the Privacy Official. Your written
request must include (1) what information you want to limit, (2)
whether you want to limit our use, disclosure or both, and (3) to
whom you want the limits to apply. We are not required to agree
to your request except in the case where the disclosure is to
a health plan for purposes of carrying out payment or health
care operations, and the information pertains solely to a health care
item or service for which you, or a person on your behalf (other than
the health plan), has paid our practice in full.
Alternative Communication. You have the right to request
that we communicate with you about your health information by
alternative means or at alternative locations. You must make your
request in writing. Your request must specify the alternative means
or location, and provide satisfactory explanation of how payments
will be handled under the alternative means or location you request.
We will accommodate all reasonable requests. However, if we are
unable to contact you using the ways or locations you have requested
we may contact you using the information we have.
Amendment. You have the right to request that we amend your
health information. Your request must be in writing, and it must
explain why the information should be amended. We may deny your
request under certain circumstances. If we agree to your request,
we will amend your record(s) and notify you of such. If we deny
your request for an amendment, we will provide you with a written
explanation of why we denied it and explain your rights.
Right to Notification of a Breach. You will receive notifications
of breaches of your unsecured protected health information as
required by law.
Electronic Notice. You may receive a paper copy of this Notice
upon request, even if you have agreed to receive this Notice
electronically on our Web site or by electronic mail (email).
Questions and Complaints
If you want more information about our privacy practices or have
questions or concerns, please contact us.
If you are concerned that we may have violated your privacy
rights, or if you disagree with a decision we made about access
to your health information or in response to a request you
made to amend or restrict the use or disclosure of your health
information or to have us communicate with you by alternative
means or at alternative locations, you may complain to us using
the contact information listed at the end of this Notice. You also
may submit a written complaint to the U.S. Department of Health
and Human Services. We will provide you with the address to file
your complaint with the U.S. Department of Health and Human
Services upon request.
We support your right to the privacy of your health information. We will not retaliate in any way if you choose to file a complaint with us or
with the U.S. Department of Health and Human Services.
Our Privacy Official: _________________________________________________________________________________________________________
Telephone: ______________________________________________________ Fax: _____________________________________________________
Address: ___________________________________________________________________________________________________________________
Email: _____________________________________________________________________________________________________________________
Sample Notice of Privacy Practices
We are required by law to maintain the privacy of protected health information, to provide individuals with notice of our legal duties and
privacy practices with respect to protected health information, and to notify affected individuals following a breach of unsecured protected
health information. We must follow the privacy practices that are described in this Notice while it is in effect. This Notice takes effect
____/____/____, and will remain in effect until we replace it.
We reserve the right to change our privacy practices and the terms of this Notice at any time, provided such changes are permitted
by applicable law, and to make new Notice provisions effective for all protected health information that we maintain. When we make a
significant change in our privacy practices, we will change this Notice and post the new Notice clearly and prominently at our practice
location, and we will provide copies of the new Notice upon request.
You may request a copy of our Notice at any time. For more information about our privacy practices, or for additional copies of this Notice,
please contact us using the information listed at the end of this Notice.
How We May Use and Disclose Health Information About You
We may use and disclose your health information for different purposes,
including treatment, payment, and health care operations. For each of
these categories, we have provided a description and an example. Some
information, such as HIV-related information, genetic information, alcohol
and/or substance abuse records, and mental health records may be
entitled to special confidentiality protections under applicable state or
federal law. We will abide by these special protections as they pertain
to applicable cases involving these types of records.
Treatment. We may use and disclose your health information
for your treatment. For example, we may disclose your health
information to a specialist providing treatment to you.
Payment. We may use and disclose your health information to
obtain reimbursement for the treatment and services you receive
from us or another entity involved with your care. Payment activities
include billing, collections, claims management, and determinations
of eligibility and coverage to obtain payment from you, an insurance
company, or another third party. For example, we may send claims
to your dental health plan containing certain health information.
Healthcare Operations. We may use and disclose your health
information in connection with our healthcare operations. For example,
healthcare operations include quality assessment and improvement
activities, conducting training programs, and licensing activities.
Individuals Involved in Your Care or Payment for Your Care.
We may disclose your health information to your family or friends or
any other individual identified by you when they are involved in your
care or in the payment for your care. Additionally, we may disclose
information about you to a patient representative. If a person has
the authority by law to make health care decisions for you, we will
treat that patient representative the same way we would treat you
with respect to your health information.
Disaster Relief. We may use or disclose your health information to
assist in disaster relief efforts.
Required by Law. We may use or disclose your health information
when we are required to do so by law.
Public Health activities. We may disclose your health information
for public health activities, including disclosures to:
Prevent or control disease, injury or disability;
Report child abuse or neglect;
Report reactions to medications or problems with products or devices;
Notify a person of a recall, repair, or replacement of products
or devices;
Notify a person who may have been exposed to a disease or
condition; or
Notify the appropriate government authority if we believe a patient
has been the victim of abuse, neglect, or domestic violence.
National Security. We may disclose to military authorities the
health information of Armed Forces personnel under certain
circumstances. We may disclose to authorized federal officials health
information required for lawful intelligence, counterintelligence, and
other national security activities. We may disclose to a correctional
institution or law enforcement official having lawful custody the
protected health information of an inmate or patient.
Secretary of HHS. We will disclose your health information to the
Secretary of the U.S. Department of Health and Human Services
when required to investigate or determine compliance with HIPAA.
Worker’s Compensation. We may disclose your PHI to the extent
authorized by and to the extent necessary to comply with laws relating
to worker’s compensation or other similar programs established by law.
Law Enforcement. We may disclose your PHI for law enforcement
purposes as permitted by HIPAA, as required by law, or in response
to a subpoena or court order.
Health Oversight activities. We may disclose your PHI to an oversight
agency for activities authorized by law. These oversight activities include
audits, investigations, inspections, and credentialing, as necessary for
licensure and for the government to monitor the health care system,
government programs, and compliance with civil rights laws.
Judicial and administrative Proceedings. If you are involved in a
lawsuit or a dispute, we may disclose your PHI in response to a court or
administrative order. We may also disclose health information about you
in response to a subpoena, discovery request, or other lawful process
instituted by someone else involved in the dispute, but only if efforts
have been made, either by the requesting party or us, to tell you about
the request or to obtain an order protecting the information requested.
Research. We may disclose your PHI to researchers when their
research has been approved by an institutional review board
or privacy board that has reviewed the research proposal and
established protocols to ensure the privacy of your information.
Coroners, Medical Examiners, and Funeral Directors. We may
release your PHI to a coroner or medical examiner. This may be
necessary, for example, to identify a deceased person or to determine
the cause of death. We may also disclose PHI to funeral directors consistent
with applicable law to enable them to carry out their duties.
Fundraising. We may contact you to provide you with information
about our sponsored activities, including fundraising programs,
as permitted by applicable law. If you do not wish to receive such
information from us, you may opt out of receiving the communications.
Just want the HIPAA Kit?
ADA Complete HIPAA Compliance Kit
Developing a HIPAA program is a two-part process. First you need HIPAA training to train
your staff and learn how to develop your compliance program. The second step is to design
and implement your program. Our manual gives you a step-by-step, plain-language process
with all the forms you need. A USB drive makes it easy to customize.
The kit includes:
The ADA Practical Guide to HIPAA Compliance: Privacy and Security Manual with USB drive
The ADA Practical Guide to HIPAA Training CD-ROM
A three-year subscription to the annual HIPAA Compliance Update Service
Level 1 Earn 1 hour CE credit.* Level 2 Earn 2 hours CE credit.*
Book + CD-ROM
Retail $502.50
Members $335.00
Book ISBN# 978-1-935201-91-5
CD-ROM ISBN# 978-0-9860279-9-4
Buy in bulk and save! See
page 91 for bulk pricing info.
Updated annually!
A step-by-step process for developing privacy, breach
notification and security compliance programs
A complete training program with CE credit
Template for developing policies and procedures
Sample Business Associate Agreement
Sample Notice of Privacy Practices
Customizable forms
A staff training module to help staff understand HIPAA
Information to help management develop and implement a
HIPAA compliance program
Explanations of HIPAA Privacy, Security, and Breach
Notification rules
Simplified definitions of key concepts such as PHI, ePHI,
workforce, and business associates
Information about patient rights, the minimum necessary rule,
and notice of privacy practices
Guidance on HIPAA documentation
Examples of security breaches and information about
responding to them
A glossary of simplified key terms to refer to throughout
the program
HIPAA compliance is the law.
What is HIPAA?
HIPAA stands for the Health Insurance Portability and
Accountability Act of 1996. It is legislation containing provisions
that protect and safeguard data privacy and medical
information. It guides health care professionals on how
to protect patients’ protected health information (PHI),
as well as when and to whom it is appropriate to disclose
the information. HIPAA applies to both physical data, such
as hard copies of patient files, as well as electronic data,
such as electronic health records.
What happens if I don’t comply with HIPAA?
In addition to compromising your patients’ privacy, civil
monetary penalties can range from $100 to $50,000 per
violation, up to an annual maximum of $1,500,000 for
all violations of a given HIPAA requirement or prohibition.
Additionally, an individual or entity that violates HIPAA
can face criminal penalties.
How can I educate myself and train my staff to
comply with HIPAA?
The ADA Practical Guide to HIPAA Compliance: Privacy
and Security Manual provides tools to help dental
practices implement or update a HIPAA compliance
program. The manual also comes with a digital edition
with customizable forms.
The ADA Practical Guide to HIPAA Training is a two-level
CD-ROM program. Level one teaches the basics
of HIPAA compliance to dental office staff. Level two is
a more detailed module intended for managers who are
developing a compliance program in conjunction with the
ADA Practical Guide to HIPAA Compliance.
HIPAA Compliance
Update Service
Suitable for practices that already have the
ADA Practical Guide to HIPAA Compliance:
Privacy and Security Manual. Stay up-to-date
with HIPAA regulations by subscribing
to the ADA’s update service.
The three-year subscription delivers an
update annually or whenever federal
HIPAA laws change. Includes both paper
and digital versions.
Update Service
Retail $90.00
Members $60.00
ORDER BY PHONE: 800.947.4746