web site is provided for information and education purposes only. No
doctor/patient relationship is established by your use of this site.
No diagnosis or treatment is being provided. The information
contained here should be used in consultation with a dentist of your
choice. No guarantees or warranties are made regarding any of the
information contained within the web site. This web site is not
intended to offer specific medical or dental advice to anyone. Dr.
Maria Aganon-Fu is licensed to practice in the state of California and this
web site is not intended to solicit patients from other states.
Further, this web site and Dr. Maria Aganon-Fu take no responsibility for
web sites hyper-linked to this site and such hyper-linking does not imply
any relationships or endorsements.
Information and names within this web site may be subject to copyright and
trademark protection with all rights reserved. Duplication or use
without the expressed written permission by Maria Aganon-Fu, D.D.S.,
subjects the violator to both civil and criminal penalties.
HEALTH INFORMATION PRIVACY
POLICIES & PROCEDURES
Health Information Privacy Policies & Procedures implement our
obligations to protect the privacy of individually identifiable health
information that we create, receive, or maintain as a healthcare provider.
implement these Health Information Privacy Policies and Procedures as a
matter of sound business practice; to protect the interests of our
patients; and to fulfill our legal obligations under the Health Insurance
Portability and Accountability Act of 1996 ("HIPAA"), its
implementing regulations at 45 CFR Parts 160 and 164 (65 Fed. Reg 82462
(Dec. 28, 2000)) ("Privacy Rules"), as amended (67 Fed. Reg.
53182 [Aug. 14, 2002]), and state law that provides greater protection or
rights to patients than the Privacy Rules.
a member of our workforce or as our Business Associate, you are obligated
to follow these Health Information Privacy Policies & Procedures
faithfully. Failure to do so can result in disciplinary action, including
termination of your employment or affiliation with us.
Policies & Procedures address the basics of HIPAA and the Privacy
Rules that apply in our dental practice. They do not attempt to cover
everything in the Privacy Rules. The Policies & Procedures sometimes
refer to forms we use to help implement the policies and to the Privacy
Rules themselves when added detail may be needed.
note that while the Privacy Rules speak in terms of "individual"
rights and actions, these Policies & Procedures use the more familiar
word "patient" instead; "patient" should be read
broadly to include prospective patients, patients of record, former
patients, their authorized representatives, and any other
"individuals" contemplated in the Privacy Rules.
you have questions or doubts about any use or disclosure of individually
identifiable health information or about your other obligations under
these Health Information Privacy Policies & Procedures, the Privacy
Rules or other federal or state law, please contact our office. This
policy was adopted effective 4/14/03
General Rule: No Use or Disclosure
dental office must not use or disclose protected health information
(PHI), except as these Privacy Policies & Procedures permit or
Acknowledgement and Optional Consent
dental office will make a good faith effort to obtain a written
acknowledgement of receipt of our Notice of Privacy Practices (see
Section 9) from a patient before we use or disclose his or her protected
health information (PHI) for treatment, to obtain payment for that
treatment, or for our healthcare operations (TPO).
dental office’s use or disclosure of PHI for our payment activities and
healthcare operations may be subject to the minimum necessary requirements
(see Section 7).
dental office will become familiar with our state’s privacy laws. If
required by our state law, or as directed by the dentist, we will also
seek Consent from a patient before we use or disclose PHI for TPO
purposes – in addition to obtaining an Acknowledgement of receipt of our
Notice of Privacy Practices.
Obtaining Consent – If consent is to be
obtained, upon the individual’s first visit as a patient (or next
visit if already a patient), our dental office will request and obtain
the patient’s written Consent for our use and disclosure of the
patient’s PHI for treatment, payment, and healthcare operations.
consent we obtain must be on our Consent form, which we may not
alter in any way. Our dental office will include the signed Consent
form in the patient’s chart.
Exceptions – Our dental office does not have to obtain the
patient’s Consent in emergency treatment situations; when treatment is
required by law; or when communications barriers prevent consent.
Consent Revocation – A patient from whom we obtain consent may
revoke it at any time by written notice. Our dental office will include
the revocation in the patient’s chart. There is space at the bottom of
our Consent form where the patient can revoke the consent.
Applicability – Consent for use or
disclosure of PHI should not be confused with informed consent for dental
treatment. This section applies to our practice.
some cases we must have proper, written Authorization from the
patient (or the patient’s personal representative) before we use or
disclose a patient’s PHI for any purpose (except for TPO purposes) or as
permitted or required without consent or authorization (see Sections 3, 4,
dental office will use the Authorization form. We will always act
in strict accordance with an Authorization.
Authorization Revocation – A patient may revoke an authorization
at any time by written notice. Our dental office will not rely on an Authorization
we know has been revoked.
Authorization from Another Provider – Our dental office will use
or disclose PHI as permitted by a valid Authorization we receive
from another healthcare provider.
dental office may rely on that covered entity to have requested only the
minimum necessary protected PHI. Therefore, our dental office will not
make our own "minimum necessary" determination, unless we know
that the Authorization is incomplete, contains false information,
has been revoked, or has expired.
Authorization Expiration – Our dental office will not rely on an Authorization
we know has expired.
dental office may use or disclose a patient’s PHI with the patient’s Oral
Agreement or if the patient is unavailable subject to all applicable
dental office may use professional judgment and our experience with common
practice to make reasonable inferences of the patient’s best interest in
allowing a person to act on behalf of the patient to pick up
dental/medical supplies, X-rays, or other similar forms of PHI.
Permitted Without Acknowledgement, Consent Authorization or Oral Agreement
dental office may use or disclose a patient’s PHI in certain situations,
without Authorization or Oral Agreement. In our dental
office, these disclosures are not likely to be frequent.
Verification of Identity – Our dental
office will always verify the identity of any patient, and the identity
and authority of any patient’s personal representative, government or
law enforcement official, or other person, unknown to us, who requests PHI
before we will disclose the PHI to that person.
dental office will obtain appropriate identification and, if the person is
not the patient, evidence of authority. Examples of appropriate
identification include photographic identification card, government
identification card or badge, and appropriate document on government
letterhead. Our dental office will document the incident and how we
Uses or Disclosures Permitted under this Section 5 – The
situations in which our dental office is permitted to use or disclose PHI
in accordance with the procedures set out in this Section 5 are listed
public health activities;
health oversight agencies;
coroners, medical examiners, and funeral directors;
employers regarding work-related illness or injury;
federal officials for lawful intelligence, counterintelligence, and
national security activities;
correctional institutions regarding inmates;
response to subpoenas and other lawful judicial processes;
law enforcement officials;
report abuse, neglect, or domestic violence;
required by law;
part of research projects; and
authorized by state worker’s compensation laws.
dental office will disclose protected health information (PHI) to a
patient (or to the patient’s personal representative) to the extent that
the patient has a right of access to the PHI (see Section 10); and to the
U.S. Department of Health and Human Services (HHS) on request for
complaint investigation or compliance review.
dental office will use the disclosure log to document each disclosure we
make to HHS.
dental office will make reasonable efforts to disclose, or request of
another covered entity, only the minimum necessary protected health
information (PHI) to accomplish the intended purpose.
is no minimum necessary requirement for disclosures to or requests
by one another in our dental office or by a healthcare provider for
treatment; permitted or required disclosures to, or for disclosure
requested and authorized by, a patient; disclosures to HHS for compliance
reviews or complaint investigations; disclosures required by law; or uses
or disclosures required for compliance with the HIPAA Administrative
Routine or Recurring Requests or Disclosures
– Our dental office will follow the policies and procedures that we
adopt to limit our routine or recurring requests for our disclosures of
PHI to the minimum reasonably necessary for the purpose.
Non-Routine or Non-Recurring Requests or Disclosures
– No non-routine or non-recurring request for or disclosure of PHI will
be made until it has been reviewed on a patient-by-patient basis against
our criteria to ensure that only the minimum necessary PHI for the purpose
is requested or disclosed.
Other’s Requests – Our dental office
will rely, if reasonable for the situation, on a request to disclose PHI
being for the minimum necessary, if the requester is: (a) a covered
entity; (b) a professional (including an attorney or accountant) who
provides professional services to our practice, either as a member of our
workforce or as our Business Associate, and who represents that the
requested information is the minimum necessary; (c) a public official who
represents that the information requested is the minimum necessary; or (d)
a researcher presenting appropriate documentation or making appropriate
representations that the research satisfies the applicable requirements of
the Privacy Rules.
Entire Record – Our dental office will not
use, disclose, or request an entire record, except as permitted in these
Policies & Procedures or standard protocols that we adopt reflecting
situations when it is necessary.
Minimum Necessary Workforce Use – Our
dental office will use only the minimum necessary PHI needed to perform
dental office will obtain satisfactory assurance in the form of a written
contract that our Business Associates will appropriately safeguard
and limit their use and disclosure of the protected health information
(PHI) we disclose to them.
Business Associate requirements are not applicable to our
disclosures to a healthcare provider for treatment purposes. The Business
Associate Contract Terms document contains the terms that federal law
requires be included in each Business Associate Contract.
by Business Associate – If our dental
office learns that a Business Associate has materially breached or
violated its Business Associate Contract with us, we will take
prompt, reasonable steps to see that the breach or violation is cured.
the Business Associate does not promptly and effectively cure the
breach or violation, we will terminate our contract with the Business
Associate, or if contract termination is not feasible, report the Business
Associate’s breach or violation to the U.S. Department of Health and
Human Services (HHS).
Notice of Privacy Practices
dental office will maintain a Notice of Privacy Practices as
required by the Privacy Rules.
Our Notice – Our dental office will use
and disclose PHI only in conformance with the contents of our Notice of
Privacy Practices. We will promptly revise a Notice of Privacy
Practices whenever there is a material change to our uses or
disclosures of PHI to legal duties, to the patients’ rights or to other
privacy practices that render the statements in that Notice no longer
1, Notice of Privacy Practices, found in this Privacy Kit, contains the
terms that federal law requires.
Distribution of Our Notice – Our dental
office will provide our Notice of Privacy Practices to any person
who requests it, and to each patient no later than the date of our first
service delivery after April 14, 2003.
dental office will have our Notice of Privacy Practices available
for patients to take with them. We will also post our Notice of Privacy
Practices in a clear and prominent location where it is reasonable to
expect patients seeking services from us will be able to read the Notice.
Acknowledgement of Notice – Our dental
office will make a good faith effort to obtain from the patient a written
Acknowledgement of receipt of our Notice of Privacy Practices.
dental office shall use Form 2, Acknowledgement of Receipt of Notice of
Privacy Practices, found in this Privacy Kit, to obtain the
Acknowledgement. If we cannot obtain written Acknowledgement from the
patient, we will use the form to document our attempt and the reason why
written Acknowledgement was not signed by the patient.
dental office will honor the rights of patients regarding their PHI.
Access – With rare exceptions, our dental
office must permit patients to request access to the PHI we or our Business
PHI will be withheld from a patient seeking access unless we confirm that
the information may be withheld according to the Privacy Rules. We may
offer to provide a summary of the information in the chart. The patient
must agree in advance to receive a summary and to any fee we will charge
for providing the summary. Our dental office will contact our Business
Associates to retrieve any PHI they may have on the patient.
Amendment – Patients have the right to
request to amend their PHI and other records for as long as our dental
office maintains them.
dental office may deny a request to amend PHI or records if: (a) we did
not create the information (unless the patient provides us a reasonable
basis to believe that the originator is not available to act on a request
to amend); (b) we believe the information is accurate and complete; or (c)
we do not have the information.
dental office will follow all procedures required by the Privacy Rules for
denial or approval of amendment requests. We will not, however, physically
alter or delete existing notes in a patient’s chart. We will inform the
patient when we agree to make an amendment, and we will contact our Business
Associates to help assure that any PHI they have on the patient is
appropriately amended. We will contact any individuals whom the patient
requests we alert to any amendment to the patient’s PHI. We will also
contact any individuals or entities of which we are aware that we have
sent erroneous or incomplete information and who may have acted on the
erroneous or incomplete information to the detriment of the patient.
we deny a request for an amendment, we will mark any future disclosures of
the contested information in a way acknowledging the contest.
Disclosure Accounting – Patients
have the right to an accounting of certain disclosures our dental office
made of their PHI within the 6 years prior to their request. Each
disclosure we make, that is not for treatment payment or healthcare
operations, must be documented showing the date of the disclosure, what
was disclosed, the purpose of the disclosure, and the name and (if known)
address of each person or entity to whom the disclosure was made. The Authorization
or other documentation must be included in the patient’s record. We use
the patient’s chart to track each disclosure of PHI as needed to enable
us to fulfill our obligation to account for these disclosures.
are not required to account for disclosures we made: (a) before April 14,
2003; (b) to the patient (or the patient’s personal representative); (c)
to or for notification of persons involved in a patient’s healthcare or
payment for healthcare; (d) for treatment, payment, or healthcare
operations; (e) for national security or intelligence purposes; (f) to
correctional institutions or law enforcement officials regarding inmates;
or (g) according to an Authorization signed by the patient or the patient’s
representative; (h) incident to another permitted or required use
will temporarily suspend the accounting of any disclosure when requested
to do so pursuant according to the Privacy Rules by health oversight
agencies or law enforcement officials. We may charge for any accounting
that is more frequent than every 12 months, provided the patient is
informed of the fee before the accounting is provided. We will contact our
Business Associates to assure we include in the accounting any
disclosures made by them for which we must account.
Restriction on Use or Disclosure –
Patients have the right to request our dental office to restrict use or
disclosure of their PHI, including for treatment, payment, or healthcare
operations. We have no obligation to agree to the request, but if we do,
we will comply with our agreement (except in an appropriate dental/medical
may terminate an agreement restricting use or disclosure of PHI by a
written notice of termination to the patient. We will contact our Business
Associates whenever we agree to such a restriction to inform the Business
Associate of the restriction and its obligations to abide by the
restriction. We will document in the patient’s chart any such agreed to
Alternative Communications – Patients have
the right to request us to use alternative means or alternative locations
when communicating PHI to them. Our dental office will accommodate a
patient’s request for such alternative communications if the request is
reasonable and in writing.
dental office will inform the patient of our decision to accommodate or
deny such a request. If we agree to such a request, we will inform our
Business Associates of the agreement and provide them with the information
necessary to comply with the agreement.
Applicability – Our dental office will be
aware of and respect these patients’ rights regarding their PHI, even
though in most situations patients are unlikely to exercise them.
Staff Training and Management, Complaint Procedures, Data Safeguards,
Staff Training and Management
Training – Our dental office will train
all members of our workforce in these Privacy Policies & Procedures,
as necessary and appropriate for them to carry out their functions. We
will complete the privacy training of our existing workforce by April 14,
April 14, 2003, our dental office will train each new staff member within
a reasonable time after the member starts. We will also retain each staff
member whose functions are affected either by a material change in our
Privacy Policies and Procedures or in the member’s job functions, within
a reasonable time after the change.
7, Staff Review of Policies and Procedures, can be used to have
workforce members acknowledge they have received and read a copy of these
Policies and Procedures.
and Mitigation – Our dental office will
develop, document, disseminate, and implement appropriate discipline
policies for staff members who violate our Privacy Policies &
Procedures, the Privacy Rules, or other applicable federal or state
members who violate our Privacy Policies & Procedures, the Privacy
Rules or other applicable federal or state privacy law will be subject to
disciplinary action, possibly up to and including termination of
Complaints – Our dental office will
implement procedures for patients to complain about our compliance with
our Privacy Policies and Procedures or the Privacy Rules. We will also
implement procedures to investigate and resolve such complaints.
Complaint form can be used by the patient to lodge the complaint.
Each complaint received must be referred to management immediately for
investigation and resolution. We will not retaliate against any patient or
workforce member who files a Complaint in good faith.
Data Safeguards – Our dental office will
"add to" and strengthen these Privacy Policies & Procedures
with such additional data security policies and procedures as are needed
to have reasonable and appropriate administrative, technical, and physical
safeguards in place to ensure the integrity and confidentiality of the PHI
dental office will take reasonable steps to limit incidental uses and
disclosures of PHI made according to an otherwise permitted or required
use or disclosure.
Documentation and Record Retention – Our
dental office will maintain in written or electronic form all
documentation required by the Privacy Rules for six years from the date of
creation or when the document was last in effect, whichever is greater.
Privacy Policies & Procedures – Only
Dr. Maria Aganon-Fu may change these Privacy Policies & Procedures.
State Law Compliance
dental office will comply with the privacy laws of each state that has
jurisdiction over our practice, or its actions involving protected health
information (PHI), that provide greater protections or rights to patients
than the Privacy Rules.
dental office will give the U.S. Department of Health and Human Services (HHS)
access to our facilities, books, records, accounts, and other information
sources (including individually identifiable health information without
patient authorization or notice) during normal business hours (or at other
times without notice if HHS presents appropriate lawful administrative or
will cooperate with any compliance review or complaint investigation by
HHS, while preserving the rights of our practice.
dental office will designate a Privacy Officer and other responsible
persons as required by the Privacy Rules.
Return to Top of Page