MCDONOUGH CENTER FOR FAMILY DENTISTRY, LLC
- Theodore Ross
- 10 years ago
MCDONOUGH CENTER FOR FAMILY DENTISTRY, LLC
HIPAA Privacy Policies & Procedures & HIPAA Security Policies & Procedures

TABLE OF CONTENTS
1. PROTECTED HEALTH INFORMATION (PHI)
2. HIPAA PRIVACY POLICIES & PROCEDURES
3. KEY THINGS TO REMEMBER
4. HIPAA SECURITY POLICIES & PROCEDURES

I. PROTECTED HEALTH INFORMATION (PHI)

II. HIPAA PRIVACY POLICIES & PROCEDURES
MCDONOUGH CENTER FOR FAMILY DENTISTRY LLC HIPAA PRIVACY POLICIES & PROCEDURES

1.0 Privacy Management

1.1 Privacy Official

Procedure: McDonough Center for Family Dentistry LLC has designated Frank F. Nia, DMD, MSEd to be the Privacy Official. He has overall responsibility to develop and implement the privacy policies and procedures for the practice. The Privacy Official is the person responsible for determining McDonough Center for Family Dentistry LLC's privacy policies and procedures, receiving complaints, and for providing further information about matters covered in the practice's Notice of Privacy Practices (NPP). Employees will consult the Privacy Official about all privacy matters. McDonough Center for Family Dentistry LLC will provide training and ongoing support to our Privacy Official.

1.2 Notice of Privacy Practices

The Privacy Official shall document and maintain all policies, procedures, and actions taken by the practice with respect to the HIPAA Privacy Rule, and retain such documentation for six years from the date of its creation or the date when it last was in effect, whichever is later. 45 CFR (b)(2)(i). Stonewalk Family Dentistry, LLC provides a Notice of Privacy Practices (NPP) with adequate notice of how it will use and disclose protected health information for treatment, payment, and health care operations. The NPP also identifies the individual's rights with respect to protected health information, and the practice's legal duties with respect to such information. McDonough Center for Family Dentistry LLC will revise and distribute our NPP whenever there is a material change in any of the above or to other privacy practices stated in the NPP. Each member of our practice will be aware and have an understanding of the NPP's contents, including what it means to the practice and to our patients.

Each new patient will receive and will be asked to sign an Acknowledgement of Receipt of Notice of Privacy Practices indicating that he or she has reviewed a copy of our NPP. We will either scan the Acknowledgement into our system or insert the signed Acknowledgement into the HIPAA section of the patient's paper chart. A copy of our NPP is posted at the entrance to our practice in a clear and prominent place so that our patients and/or their personal representatives can view it. To determine whether the NPP needs to be updated, we will follow this procedure:
1. Included in our NPP is a statement that our practice reserves the right to change the terms of our NPP and make the new terms effective for all protected health information that we maintain. The statement will describe how we will provide individuals with a revised notice.
2. Our Privacy Official, in collaboration with legal counsel and Dr. Frank Nia, will determine whether expanded patient rights such as those included in the HITECH Act require substantial updates to our NPP. Those updated HITECH Act rights include the following:
a. A patient's right to restrict disclosure of protected health information to a health plan with respect to items or services for which the patient has paid in full out of pocket.
b. If our practice adopts electronic health records, we will include the patient's right to an accounting of electronic disclosures for treatment, payment and health care operations.
3. If our legal counsel agrees that updates are a material change and thus warrant a revised NPP, we will post the updated NPP in a prominent location with the words "Updated Notice of Privacy Practices" as soon as reasonably practicable, and we will provide revised notice to individuals in accordance with the statement referred to in point 1 above.
4. We will provide a copy of the updated NPP to anyone who requests it. We may provide the NPP by e-mail if the individual agrees to electronic notice and such agreement has not been withdrawn. If we know an e-mail transmission of the NPP has failed, we will provide a paper copy of the NPP to the individual.
5. If we maintain a Web site that provides information about our customer services, we must prominently post our NPP on our Web site and make the NPP available electronically through the Web site.

Consistent with Notice of Privacy Practices

Our practice will not disclose without patient authorization protected health information in a manner that is inconsistent with our NPP or state law. Any requests to obtain protected health information will be directed to our Privacy Official, who then will verify whether the use or disclosure is consistent with our Notice of Privacy Practices and with state and federal laws.

Consistent with other Documents

In areas where state and federal law are inconsistent, our practice will consult legal counsel. Our Privacy and Security Officials (who may be the same person) will collaborate to ensure security requirements, state laws, and privacy safeguards are consistent with our privacy policies and procedures.

Our Privacy and Security Officials will review Privacy, Security, Patient Identity Protection, Breach Notification, Business Associate Agreement, health plan contract, and other applicable documents to ensure continuity and consistency regarding our practice's protected health information use and disclosure policies and procedures.

1.3 Policies and Procedures

Our practice will implement policies and procedures that are designed to comply with the HIPAA Privacy Rule and the Breach Notification Rule. At the same time, our policies and procedures will comply with applicable state laws. Our Privacy Official is responsible for developing and updating our privacy policies and procedures. Under the Privacy Official's direction, our practice will review each of the Standards identified in the HIPAA Privacy and Breach Notification Rules, determine how we will comply with each Standard, develop policies and procedures that meet the requirements, and document them. All members of our workforce will have access to our policies and procedures either electronically or on paper. An additional copy will be placed in our library.
As liability can now be extended to employers and individuals, each workforce member will receive a copy of our updated policies and procedures and sign an acknowledgement form that he or she understands the policies and procedures, and will comply with them. Such forms shall be retained according to the HIPAA documentation Standard.

1.4 Documentation

Our practice will maintain for a period of six (6) years after its creation or last effective date, whichever is later, documentation for the following activities:
- Notice of Privacy Practices.
- Acknowledgement of Receipt of Notice of Privacy Practices.
- Any complaint filed by a patient with our practice or to the Secretary of HHS, and any actions taken to mitigate the complaint.
- Our HIPAA Privacy policies and procedures.
- Acknowledgement of Receipt of HIPAA Privacy Policies and Procedures by workforce members.
- Any sanction applied to a workforce member.
Our Privacy Official will maintain an electronic or hard copy file of our current and archived policies and procedures. Our Privacy Official will maintain all signed acknowledgements by workforce members and patients. Our Privacy Official will maintain all hard copy documentation in a secure storage facility, and will back up off-site any electronic documentation. Our practice will permit an agent of the Secretary of HHS to access our facilities, books, records, accounts, and other information during our practice's normal business hours in response to a compliance audit or complaint investigation. If the Secretary determines that special circumstances warrant, such as in the case of hidden or destroyed files, our practice will allow HHS access at any time.

1.5 Training

Training is an ongoing vital part of our practice. We conduct training on HIPAA's Privacy and Breach Notification Rules on a formal and an informal basis.
Retraining is included as a procedure in our sanctions policy as a method to remediate workforce members needing reminders of our privacy policies and procedures. Our Privacy Official will develop, coordinate, and facilitate initial and ongoing training programs on privacy, and consult with the Security Official to coordinate privacy training with security training requirements. Each member of our workforce, including management, will be trained on our policies and procedures at least once annually in a formal setting, and regularly in an informal setting and as needed. Our Privacy Official will determine who needs additional training, the type of training that is appropriate, and the frequency with which such training will occur. New employees will participate in training within thirty (30) days following their first date of service.
All workforce members, including dentist(s), will participate in retraining on privacy policies and procedures related to the HITECH Act and the Breach Notification Rule, and on any other regulations related to the safeguarding of protected health information. Upon completing training or retraining, each member of our workforce will sign an acknowledgement form that he or she participated in training and is aware of and understands our practice's privacy policies and procedures. When retraining is a result of a sanction for a violation of a privacy policy or procedure by a workforce member, a copy of the workforce member's acknowledgement form will be maintained in the personnel file of the workforce member.

1.6 Sanctions

Our practice will enforce the Privacy Rule and apply sanctions against workforce members who violate our privacy policies and procedures. The Privacy Official or another person designated by the Privacy Official must first review the privacy violation. Our practice has adopted the following sanctions for repeated privacy violations. Our practice reserves the right to skip steps, repeat steps, or impose other sanctions as it deems appropriate.
- First violation: Privacy Official provides a verbal reminder.
- Second violation: Reminder, and workforce member required to participate in training.
- Third violation: Reminder placed in employee's personnel file with warning that a repeat offense will result in time off without pay; additional retraining.
- Fourth violation: Suspension for three (3) days without pay.
- Fifth violation: Workforce member's employment terminated.
No sanctions are to be imposed against workforce members whose reason for conduct is in good faith and in accordance with HIPAA Privacy Rule provisions, such as a whistleblower reporting to a government agency, or a workforce member crime victim reporting to a law enforcement official.

1.7 Mitigation

If we or one of our Business Associates uses or discloses our protected health information in a way that violates HIPAA Privacy requirements or our privacy policies and procedures, we will mitigate, to the extent practicable, any harmful effect known to us of that use or disclosure. Our workforce members will be trained to bring all privacy complaints, whether they originate from a patient or from an outside source, including the Secretary of HHS, to our Privacy Official. Even if a complaint is not filed, any member of the workforce may report to the Privacy Official his or her concerns about whether or not our practice is following HIPAA Privacy requirements or our privacy policies and procedures. Our Privacy Official will document any such privacy complaint or report.
If a violation of HIPAA Privacy requirements or our privacy policies and procedures is discovered, the Privacy Official will determine how best to mitigate any known harmful effects of the violation. The Privacy Official will be responsible for reviewing and responding to the concerns accordingly. At any time the Privacy Official may consult with the dentist and other leaders of the practice to determine resources required to mitigate the violation. In accordance with the Guidance contained in the August 24, 2009, Breach Notification Rule, our practice has encrypted or will encrypt our server connections, portable computers, and all mobile devices to the NIST Standards specified in the Guidance. In the event of a breach of unsecured protected health information, our practice will evaluate the breach and follow the requirements of the Breach Notification Rule and our policies and procedures for mitigation of harm.

1.8 Refraining from Intimidating or Retaliatory Acts

Our workforce will not intimidate, threaten, coerce, discriminate against, or take any retaliatory action against any patient for filing a complaint with our practice or with the Secretary of HHS; testifying, assisting, or participating in an investigation, compliance review, proceeding, or hearing; or opposing any act or practice made unlawful by the Privacy Rule or the Breach Notification Rule, provided the patient:
1. In good faith believes that the practice is unlawful, and
2. The manner of opposition is reasonable and does not involve the disclosure of protected health information that further violates the Privacy or Breach Notification Rules.
Our Privacy Official is to be notified if any member of our workforce retaliates against a patient for filing a complaint with the practice or with HHS. Workforce members who retaliate against a patient or other complainant will be subject to sanctions, retraining, or immediate termination of employment.

1.9 Waiver of Rights
Our practice will not require a patient to waive his or her rights to file a complaint with our practice or with the Secretary of HHS, or his or her rights under the Security, Privacy, or Breach Notification Rules, as a condition of treatment, payment, enrollment in a health plan, or eligibility for benefits. Our Privacy Official will confirm that our practice does not require patients to sign waivers of any of the following rights as a condition of receiving treatment, payment, enrollment in a health plan, or eligibility for benefits:
- Their rights to file a complaint with our practice or with the Secretary of HHS.
- Their rights under the Security Rule.
- Their rights under the Privacy Rule.
- Their rights under the Breach Notification Rule.
Our Privacy Official shall train workforce members not to request any patient to sign a waiver as a condition for obtaining treatment, payment, enrollment in a health plan, or eligibility for benefits. Any workforce member who makes such a request will be subject to our practice's sanctions policy, up to and including termination of employment.
2.0 Protected Health Information Permissions

2.1 Required Disclosures

Our practice will disclose protected health information to individuals or their personal representatives as required by the HIPAA Privacy Rule, and to HHS when it is undertaking a compliance investigation or review or enforcement action. Our Privacy Official manages the processes for required and permitted disclosures by our dental practice. When our practice receives a request for health information, we will determine whether it is a required or permissible disclosure. For required disclosures, we will follow these steps:
a. Request for protected health information from a patient:
Step 1: If you do not know the person, obtain a photo ID. If this is a regular patient of the practice whom you recognize, then you are not required to obtain a photo ID.
Step 2: Ask what information is being requested. For example, is the request for a summary of a recent visit? Copies of radiographs or digital images? Payment history?
Step 3: Provide the requested information to the patient. If you are entitled to impose a fee in connection with the request, ask for payment.
b. Request from a patient's personal representative:
Step 1: Evaluate the relationship between the patient and the personal representative, referring to the discussion of personal representatives in Step 2 and examining and copying any applicable credentials or other documentation. Obtain a photo ID.
Step 2: Document the personal representative's request in the patient's record. If you provide the requested information, document your provision of the requested protected health information and your basis for doing so. If you refuse to provide the requested information, document your refusal and your basis for refusing (e.g., your reasonable belief that the personal representative did not provide the necessary credentials and/or your belief that the personal representative might endanger the patient).
c. Request from an agent of the Secretary of HHS or from a law enforcement official:
Step 1: Politely request to see the agent's or official's credentials, and inform the Privacy Official and the dentist, who should determine whether the practice's attorney should be involved.
Step 2: Verify the agent's or official's credentials and determine the nature of the inquiry. Consult with the practice's attorney to determine the practice's rights and obligations with respect to its response to the inquiry and the timeframe for responding to the inquiry. Document all actions, times, and personnel involved that pertain to the inquiry and the practice's response.

2.2 Permissible Disclosures: Treatment, Payment, and Health Care Operations
Our practice will use and disclose protected health information for our treatment, payment, and health care operations as permitted without authorization from the patient, based on the Privacy Rule. If a patient agrees to pay in full out of pocket for an item or service and requests that our practice not send information regarding that item or service to a health plan, we will honor the patient's request. We will use protected health information for our treatment, payment, and health care operations without obtaining authorization from the patient, except for cases where HIPAA authorization, State law, or other Special Requirements apply. A patient may request that his or her health information not be submitted to a health plan for purposes of payment or health care operations. The patient must complete the Patient Request for Use or Disclosure Restriction on Patient's Protected Health Information. We will agree to such a request if the patient has paid in full out-of-pocket for the item or service. In all other cases, the Privacy Official shall determine whether to refuse or honor the request. Our Privacy Official is designated to be the contact person for questions, suggestions, or complaints relating to use or disclosure of protected health information for our treatment, payment, and health care operations.

2.3 Permissible Disclosures: Another Covered Entity's Treatment, Payment, and Health Care Operations

Our practice may disclose protected health information for treatment, payment and health care operations of another health care provider if that request complies with the list below or is approved by our Privacy Official. All requests for another Covered Entity's treatment, payment, and health care operations must be approved by our Privacy Official. There are several reasons for agreeing to such a disclosure:
1. For treatment activities of another dentist or health care provider.
2. To another Covered Entity or health care provider for payment activities of the entity receiving the protected health information.
3. We may disclose protected health information to another Covered Entity for its health care operations as long as the other Covered Entity also has or had a relationship with the patient, the protected health information pertains to that relationship, and the disclosure has one of the following purposes:
a. Quality assessment and improvement, including outcomes evaluation and developing clinical guidelines (but not primarily to obtain general knowledge).
b. Population-based activities related to improving health or reducing health care costs.
c. Protocol development.
d. Case management and care coordination.
e. Contacting health care providers and patients with information about treatment alternatives.
f. Functions not including treatment that are related to the purposes listed above.
g. Performance evaluation, including reviewing the competence or qualifications of health care professionals.
h. Evaluating practitioner or provider performance.
i. Health plan performance.
j. Conducting training programs where health care students, trainees, or practitioners learn under supervision to practice or improve their skills.
k. Training non-health care professionals.
l. Accreditation, certification, licensing, or credentialing activities.
m. Detecting health care fraud or abuse, or for compliance.
Other purposes may apply, but should be submitted to our Privacy Official if they are not listed above.

2.4 Permissible Disclosures: Family, Friends, and Disaster Relief Agencies

Our practice will comply with the HIPAA Privacy Rule for communicating with Family, Friends, and Disaster Relief Agencies and will follow the guidance outlined in the OCR document, Communicating with a Patient's Family, Friends, or Others Involved in the Patient's Care. We may disclose protected health information if the patient is able to agree to or prohibit use or disclosure, or if the patient is incapacitated and the disclosure is in his or her best interest. If the patient is present and has the capacity to make decisions, we will discuss the patient's care with family or friends accompanying the patient, including a family member, friend, or other person, if the patient agrees or does not object. We may also share information with a family member or friend if, using professional judgment, the patient is either incapacitated or, in the dentist's professional opinion, the patient has not objected. If the patient is incapacitated and in our professional opinion the disclosure is not in the patient's best interest, we will not disclose protected health information to friends or family members, such as in cases of abuse, neglect, or domestic violence.
If we determine, in accordance with this policy and these procedures, that such disclosure is appropriate, we may share a patient's health information over the phone, in person, or in writing with a person whom our office knows to be a friend or family member. We may use or disclose protected health information to an authorized public or private disaster relief agency for the purpose of helping such entity notify a patient's family member, personal representative, or another person responsible for the patient's care, of the individual's location, general condition, or death. We will comply with the procedures discussed above regarding communicating with family members and friends if in our professional judgment we determine that doing so will not interfere with the ability to respond to the emergency circumstances. Here are some examples from Communicating with a Patient's Family, Friends, or Others Involved in the Patient's Care:
- An emergency room doctor may discuss a patient's treatment in front of the patient's friend if the patient asks that her friend come into the treatment room.
- A doctor's office may discuss a patient's bill with the patient's adult daughter who is with the patient at the patient's medical appointment and has questions about the charges.
- A doctor may discuss the drugs a patient needs to take with the patient's health aide who has accompanied the patient to a medical appointment.
- A doctor may give information about a patient's mobility limitations to the patient's sister who is driving the patient home from the hospital.

2.5 Permissible Disclosures: Incidental to a Use or Disclosure Otherwise Permitted or Required

Protecting patient confidentiality is an important part of our dental practice's privacy policies and procedures. Our workforce members are required to conduct conversations between health care providers in a manner that does not violate our patients' privacy through impermissible incidental disclosures. Our workforce members will speak quietly when discussing a patient's condition with the patient, with family members in a waiting room, or in other public areas. Our workforce members will avoid using patients' names in public hallways and elevators. Signs posted in our facility will remind workforce members to protect patient confidentiality. Patient records will be stored in locked file cabinets or records rooms that are located away from general traffic in our dental practice. Our practice will maintain the confidentiality of passwords and avoid public view of our practice's workstation screens in reception and payment areas. Our practice will enforce sanctions against workforce members who do not keep their voices low when discussing protected health information in public areas.
2.6 Uses and Disclosures for which an Authorization or Opportunity to Agree or Object is not Required

Our Privacy Official will recognize situations in which disclosure of protected health information is required or permitted and will comply with federal, state, and local laws when disclosing protected health information about an individual.
1. Public Health Activities. Our practice may disclose protected health information without the individual's authorization for public health activities and purposes as follows:
a. Public Health Reporting. Our practice may disclose protected health information without the individual's authorization to a public health authority that is authorized by law to collect or receive such information for the purposes of preventing or controlling disease, injury, or disability, including but not limited to the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority.
b. Child Abuse or Neglect. Our practice may disclose protected health information without the individual's authorization to a public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect.
c. Food and Drug Administration (FDA). Our practice may disclose protected health information without the individual's authorization to a person subject to the jurisdiction of the FDA with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA-regulated product or activity.
d. Communicable Disease. Our practice may disclose protected health information without the individual's authorization to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the Covered Entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation.
2. Abuse, Neglect, or Domestic Violence.
a. If disclosure is required by law. In cases that do not involve reports of child abuse or neglect (see above), our practice shall not require an individual's authorization to disclose protected health information about an individual whom we reasonably believe to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence, to the extent the disclosure is required by law and the disclosure complies with and is limited to the relevant requirements of such law.
b. If disclosure is not required by law. If disclosure is not required by law, and in our professional judgment we believe the disclosure is necessary to prevent serious harm to the individual or other potential victims, we will consult legal counsel to determine whether the disclosure is expressly authorized by statute or regulation and whether any other legal requirements have been met.
c. Informing the individual. If our practice makes such a permitted disclosure of abuse, neglect, or domestic violence, whether or not the individual agreed to the disclosure, we shall promptly inform the individual that such a report has been or will be made, except if:
i. In the exercise of professional judgment, we believe informing the individual would place the individual at risk of serious harm, or
ii. We would be informing a personal representative, and we reasonably believe the personal representative is responsible for the abuse, neglect, or other injury, and that informing such person would not be in the best interests of the individual as we determine in the exercise of professional judgment.
3. Government Health Oversight Activities. If our practice receives a request for disclosure from a health oversight agency in connection with an activity such as an audit, investigation, inspection, licensure or disciplinary action, or civil, administrative, or criminal proceeding or action, we shall contact legal counsel to determine how to respond and whether we must obtain authorization from the appropriate individual(s) prior to disclosing any requested protected health information. Examples of such activities include:
a. Oversight of the health care system.
b. Government benefit programs such as Medicare and Medicaid.
c. Government regulatory programs.
d. Determining compliance with civil rights laws.
e. Investigation of an individual related to the receipt of health care, a claim for public benefits related to health, or qualification for public benefits or services when a patient's health is integral to his or her claim for public benefits or services.
4. Judicial and administrative proceedings. If our practice receives an order of a court or administrative tribunal, or a subpoena, discovery request, or other lawful process, we shall contact our legal counsel to determine:
a. How to respond.
b. Whether we must obtain authorization from the appropriate individual(s) prior to disclosing any requested protected health information.
c. Whether we must receive satisfactory assurances from the party seeking the information.
d. Whether a qualified protective order is required.
e. Whether we must give the individual notice of the request or obtain the individual's authorization prior to disclosing protected health information.
5. Law Enforcement Official.
a. Request. Our practice shall promptly contact legal counsel if we receive a request for information for law enforcement purposes from a law enforcement official, including any of the following:
i. A court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer.
ii. A grand jury subpoena.
iii. An administrative request, including an administrative subpoena or summons, or a civil or an authorized investigative demand, or similar process authorized under law.
iv. A request for information about an individual who is or is suspected to be a victim of a crime.
b. Response. Before our practice responds to a request for a law enforcement purpose from a law enforcement official, we shall determine in consultation with our legal counsel how to respond, what information must be disclosed, whether any additional items, such as samples of body fluids or tissue, must be disclosed, and whether we require authorization from the individual prior to disclosure.
c. Decedent. If an individual has died and we suspect that the death may have resulted from criminal conduct, our practice may disclose protected health information to a law enforcement official about the individual for the purpose of alerting law enforcement of the death.
17 d. Crime on premises. We may disclose to a law enforcement official protected health information that we believe in good faith constitutes evidence of criminal conduct that occurred on our premises. e. Reporting crime in emergency. If we provide emergency health care in response to a medical emergency (other than a medical emergency on our premises), we may disclose protected health information to a law enforcement official if the disclosure appears necessary to alert law enforcement to: i. The commission and nature of a crime, ii. iii. The location of the crime or the victim(s) of the crime, and The identity, description, and location of the perpetrator of the crime. However, if we believe the medical emergency is the result of abuse, neglect, or domestic violence of the individual who needed emergency health care, our practice must follow the procedure in Sample Procedure 2 above, Abuse, Neglect, or Domestic Violence. 6. Coroners, medical examiners, and funeral directors. We may disclose protected health information to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. We may disclose protected health information to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the decedent. If necessary for funeral directors to carry out their duties, we may disclose the protected health information prior to, and in reasonable anticipation, of the individual s death. 7. Organ and tissue donation. We may use or disclose protected health information to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for donation or transplantation. 8. Research. Our dental practice shall not use or disclose protected health information for research purposes without consulting legal counsel to make sure all necessary requirements have been met. 
Examples of such requirements include approval by an Institutional Review Board or privacy board, reviews preparatory to research, review and approval procedures, and required signatures.

9. Averting a serious threat to health or safety. Our practice will consult our legal counsel to determine whether HIPAA and other applicable laws permit us to disclose protected health information if we believe in good faith that such disclosure is necessary:
a. To prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
b. For law enforcement authorities to identify or apprehend an individual where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody.
c. For law enforcement authorities to identify or apprehend an individual because of a statement by an individual admitting participation in a violent crime that we reasonably believe may have caused serious physical harm to the victim.

10. Specialized government functions. Our practice shall consult legal counsel to determine whether HIPAA and other applicable laws permit us to disclose protected health information involving:
a. Military and veterans activities.
b. National security and intelligence activities.
c. Protective services for the President and others.
d. Correctional institutions and other law enforcement custodial situations.

11. Workers' Compensation. Our practice may disclose protected health information as authorized by and to the extent necessary to comply with laws relating to workers' compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault.

2.7 Authorization

Our practice will not disclose protected health information without a valid authorization unless the Privacy Rule permits or requires the disclosure. An authorization form may be signed in person, or sent by fax and returned by fax with the individual's signature. Our Privacy Official will determine when an authorization is required. Other members of our workforce also will be trained to manage authorizations.

Examples of uses and disclosures of patient information that require authorization include:
- Posting photos of patients on the wall.
- Using a patient's diagnostic photographs or radiographs to educate other patients.

Our Privacy Official will take the following four steps to determine whether an authorization is required.

Step 1: Instruct all workforce members that if a use or disclosure is not for one of the following procedures (a-c), it will require an authorization.
a. Treatment, payment, and health care operations, which may include:
   - Quality assurance and quality reporting.
   - Credentialing and licensing verification.
   - Practitioner and provider evaluations.
   - Insurance contracting and underwriting.
   - Audits.
   - Legal services.
   - Compliance programs.
   - Business planning and development.
   - Management and general administration.
b. Request by the patient or his or her personal representative.
c. Required by HIPAA, including uses or disclosures required by the Department of Health and Human Services for compliance audit or complaint investigation.
d. A use or disclosure permitted under HIPAA Privacy (see 2.6, "Uses and Disclosures for which an Authorization or Opportunity to Agree or Object is not Required").

Step 2: The Privacy Official will provide the Authorization Form to the patient.

Step 3: The patient will complete the authorization form, sign it and return it to the Privacy Official. The Privacy Official will confirm that the authorization request is valid, complete and signed, and will verify that the following information is included:
- A description of the protected health information to be used or disclosed.
- The name of the person authorized to make the use or disclosure.
- The name of person(s) to whom the requested use or disclosure may be made.
- The purpose for the use or disclosure (if the patient has requested an authorization, the Privacy Official may write "at the request of the individual").
- An expiration date or expiration event.
- Signature and date of signature of the individual whose information is to be used or disclosed. (If the authorization is signed by a personal representative of the individual, a description of the representative's authority to act for the individual must also be provided.)

Defective authorization. An authorization is defective and not valid if:
- It has expired.
- It has not been filled out completely.
- Our practice is aware that the authorization has been revoked.
- It is an impermissible compound authorization.
- It is an impermissible conditional authorization.
- Our practice knows that material information in the authorization is false.

Step 4: Retain the authorization for six (6) years from the date of its creation or from the date when it was last in effect, whichever is later.
2.8 Uses and Disclosures of De-Identified Protected Health Information

De-identified health information is not protected health information and does not require an authorization for use or disclosure. Before using or disclosing de-identified protected health information, our practice will confirm that to our knowledge the de-identified information cannot be used alone or in combination with other information to identify the individual.

Using a black marker to hide the patient's name, address, medical record number, and other identifiers may be used to de-identify protected health information. However, such redaction does not render the protected health information secure for Breach Notification purposes. A breach of redacted protected health information may still require the Covered Entity to send applicable notifications.

To de-identify health information we will follow one of two processes.
1. Work with a credentialed statistician to de-identify protected health information.
2. Remove the following eighteen identifiers of the individual, the individual's relatives, household members, and employers:
a. Names.
b. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of Census:
   i. The geographic unit, formed by combining all zip codes with the same three initial digits, contains more than 20,000 people; and
   ii. The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
c. All elements of dates (except year) for dates directly related to the individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
d. Telephone numbers.
e. Fax numbers.
f. Electronic mail addresses.
g. Social security numbers.
h. Medical record numbers.
i. Health plan beneficiary numbers.
j. Account numbers.
k. Certificate/license numbers.
l. Vehicle identifiers and serial numbers, including license plate numbers.
m. Device identifiers and serial numbers.
n. Web Universal Resource Locators (URLs).
o. Internet Protocol (IP) address numbers.
p. Biometric identifiers, including finger and voice prints.
q. Full face photographic images and any comparable images.
r. Any other unique identifying number, characteristic, or code, except as permitted for re-identification purposes provided certain conditions are met.

In addition to the removal of the above-stated identifiers, we will confirm that we do not have actual knowledge that the remaining information could be used alone or in combination with any other information to identify an individual who is the subject of the information.

Code or re-identification mechanism. If we develop a code or other means of re-identifying the information, we must not derive the code from the information about the individual and the code must not be otherwise capable of being translated so as to identify the individual. We will not use or disclose the code or other means of re-identification for any other purpose and we will not disclose the mechanism for re-identification.

2.9 Limited Data Set for Purposes of Research, Public Health, or Health Care Operations

If our practice participates in research, public health reporting (other than those required by law), or health care operations (as defined by HIPAA), our Privacy Official, in consultation with our practice's attorney, will draft a data use agreement that safeguards protected health information and will require any limited data set recipient to sign the appropriate data use agreement. All requests to participate in research, public health reporting, or health care operations for use of a limited data set will be directed to our Privacy Official, who will consult with our practice's legal counsel as necessary regarding compliance with HIPAA and other applicable laws. Our Privacy Official may enter into a data use agreement with recipients of limited data sets for appropriate research, public health and health care operations purposes.
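The identifier removal in 2.8 (Safe Harbor) and the narrower removal for a limited data set in 2.9 are mechanical enough to script. The following is an added illustration, not the practice's own tooling: it applies both rules to a constructed patient record, generalising zip codes and dates as item b and item c of 2.8 require. The record field names and the set of low-population zip prefixes are assumptions made for the demonstration.

```python
"""De-identify a constructed patient record two ways: Safe Harbor (18
identifiers, section 2.8) and limited data set (16 identifiers, section 2.9).
Added illustration; field names and the zip prefix list are assumptions."""
import re

# Direct identifiers stripped under both methods (2.8 items a, d-q and
# 2.9 items 1, 3-16). Geography and dates are handled separately below.
DIRECT_IDENTIFIERS = frozenset({
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric", "photo",
})

# Geographic fields smaller than a state (2.8 item b). Safe Harbor drops all
# of them and keeps only a 3-digit zip prefix; a limited data set keeps
# city, state and the full zip code (2.9 item 2).
SUB_STATE_GEOGRAPHY = ("street", "city", "county", "precinct")

# Placeholder for the Bureau of Census list of 3-digit zip prefixes whose
# combined population is 20,000 or fewer. Constructed for this demo only;
# a real implementation must load the current published list.
RESTRICTED_ZIP3 = frozenset({"036", "102", "203"})

ISO_DATE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")


def safe_harbor_zip(zip_code):
    """First three digits of the zip, or '000' for a restricted prefix."""
    digits = re.sub(r"\D", "", str(zip_code))
    if len(digits) < 5:
        return None  # malformed value: drop it rather than guess
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def safe_harbor_date(value):
    """Keep only the year of an ISO-formatted date (2.8 item c)."""
    match = ISO_DATE.match(str(value))
    return match.group(1) if match else None


def de_identify_safe_harbor(record):
    """Copy of the record with the 18 identifier classes removed or generalised."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    for key in SUB_STATE_GEOGRAPHY:
        out.pop(key, None)
    if "zip" in out:
        out["zip"] = safe_harbor_zip(out["zip"])
    for key in list(out):
        if key.endswith("_date"):
            out[key] = safe_harbor_date(out[key])
    age = out.get("age")
    if isinstance(age, int) and age > 89:
        # Ages over 89 collapse into one bucket, and any date element that
        # would reveal such an age (here the birth year) is removed as well.
        out["age"] = "90 or older"
        out.pop("birth_date", None)
    return out


def limited_data_set(record):
    """Copy with the 16 direct identifiers removed. Dates, city, state and
    zip survive, so the result may only go out under a data use agreement."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    for key in ("street", "county", "precinct"):
        out.pop(key, None)
    return out


def remaining_direct_identifiers(record):
    """Pre-release check: direct identifier fields still present, if any."""
    return sorted(k for k in record if k in DIRECT_IDENTIFIERS)


# Constructed sample record; every value below is made up.
SAMPLE_RECORD = {
    "name": "Pat Sample", "street": "12 Example Ave", "city": "Sampletown",
    "county": "Sample County", "state": "GA", "zip": "30253-1234",
    "phone": "555-0100", "email": "pat@example.invalid",
    "ssn": "000-00-0000", "mrn": "MRN-0001", "photo": "pat.jpg",
    "birth_date": "1932-04-15", "age": 93,
    "admission_date": "2025-03-02",
    "procedure": "crown",
}

if __name__ == "__main__":
    for label, fn in (("Safe Harbor", de_identify_safe_harbor),
                      ("Limited data set", limited_data_set)):
        result = fn(SAMPLE_RECORD)
        print(f"{label}: {result}")
        print("  direct identifiers left:", remaining_direct_identifiers(result))
```

Note that neither function satisfies the "actual knowledge" test in 2.8 by itself: a field such as a rare procedure combined with a 3-digit zip may still single out a person, which is why the policy keeps that confirmation as a separate human step.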
To meet the requirements of a limited data set, our Privacy Official will remove the following sixteen (16) identifiers from protected health information.
1. Names.
2. Postal address information, other than town or city, state and zip code.
3. Telephone numbers.
4. Fax numbers.
5. Electronic mail addresses.
6. Social Security numbers.
7. Medical record numbers.
8. Health plan beneficiary numbers.
9. Account numbers.
10. Certificate/license numbers.
11. Vehicle identifiers and serial numbers, including license plate numbers.
12. Device identifiers and serial numbers.
13. Web Universal Resource Locators (URLs).
14. Internet Protocol (IP) address numbers.
15. Biometric identifiers, including finger and voice prints.
16. Full face photographic images and any comparable images.

3.0 Protected Health Information Special Permissions

3.1 Verification Requirements

Our Practice may disclose protected health information to a person whose identity and whose authority to access protected health information is known to our practice without the practice having to follow special verification procedures. If our practice does not know the person requesting access, we will verify the identity and authority of that person. Our practice prides itself in knowing our patients and their families. Even so, there may be times when in our professional judgment we will require additional proof of a person's identity and authority before releasing protected health information to the individual or to his or her representative.

For new patients: Upon entering the practice, each new patient is required to provide us with at least two forms of ID, with one being a photo ID. We will verify that the name on a credit card is the same as the name on the photo ID. We will make a copy of the photo ID, return both cards to the individual, and tape the photocopied ID to the inside of the patient's chart or scan and upload it into the patient's electronic chart. If our system has digital camera capabilities, we will take a photo of the patient and save it to the patient's record (we understand that the photo itself is protected health information). Within 18 months, this process will allow us to store photos of our active patients.

For existing patients: To verify the identity and authority of an existing patient who requests protected health information, we will proceed using the following steps:

Step 1. Determine whether verification is needed (do we know this person?).
If we do not know the person, then proceed to Step 2.

Step 2. Follow the If-Then procedures outlined below:
- If the person requesting PHI is the patient appearing in person, then: Request a photo ID and one other piece of information that is on the medical record, such as address, social security number, or date of birth for verification.
- If the person requesting PHI is the patient, but on the phone, then: If you do not recognize the person's voice, ask for several pieces of information to help identify the individual. This may include last name, date of birth, address, or approximate date last seen in our practice.
- If the person requesting PHI is a friend or family member, then: Request a photo ID; require a signature from the person requesting protected health information. When identity has been verified, see Section 2.4 regarding disclosures to friends or family members.
- If the person requesting PHI is a personal representative, then: If a personal representative accompanies the individual, exercise professional judgment to verify that this person is acting on behalf of the individual and verify his or her identity. If you are unsure of the representative, request a copy of the Power of Attorney or other document, such as for verifying legal guardianship; and request a photo ID. When identity has been verified, see Section 2.1 regarding disclosures to personal representatives.
- If the person requesting PHI is a public official, then: Request to see the identification badge or other official credentials; or if the request is in writing, review the appropriate government letterhead, insignia, address, and credentials. When identity has been verified, see Section 2.6, "Uses and Disclosures for which an Authorization or Opportunity to Agree or Object is not Required," for more information regarding permissible disclosures to public officials.

Step 3: When to decline to recognize identity and authority. If we have followed verification procedures, and we can document our reason why we should not provide protected health information to the person requesting it, we will politely tell the requestor that we are unable to release the protected health information. If the person persists, he or she may request a meeting with our Privacy Official.

Step 4: We require all persons receiving protected health information to acknowledge receiving protected health information by signing a Verification of Identity form. This form will be scanned and saved in the patient's record or copied and placed in the patient's paper chart.

3.2 Minimum Necessary

Our practice will identify roles of workforce members and the appropriate amount of protected health information that will be made available to each of them.
We will make reasonable efforts to limit the accessibility of our workforce members to the appropriate amount of protected health information.

Routine disclosures. Our practice will implement policies and procedures for routine disclosures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure.

Non-routine disclosures. Our practice will develop criteria to limit the protected health information disclosed to the minimum necessary information required to accomplish the purpose of the disclosure. We will review each request for non-routine disclosure on an individual basis in accordance with such criteria.

Relying on a Covered Entity or professional as to what is the minimum necessary. If reasonable under the circumstances, our practice may rely on a requested disclosure as the minimum necessary for the stated purpose if the information is requested by:
1. Another Covered Entity, or
2. A professional who is either a member of our workforce or a Business Associate, for the purpose of providing professional services to our practice, if the professional represents that the information requested is the minimum necessary for the stated purpose.

General rule as to when minimum necessary does not apply. In general, the minimum necessary rule does not apply to:
1. Disclosures to or requests to a health care provider for treatment.
2. Uses or disclosures made to the individual.
3. Disclosures made to the Secretary of HHS.
4. Certain uses or disclosures required by law.
5. Uses or disclosures that are required for compliance with HIPAA Privacy.

3.3 Disclosures to Business Associates

Our Privacy Official will work with our practice's attorney to identify our Business Associates and to develop an updated Business Associate Agreement form for our practice. Effective February 17, 2010, no member of our workforce is permitted to disclose protected health information to a Business Associate unless our practice has an updated executed agreement with that Business Associate. Our Privacy Official, in consultation with our practice's attorney, will determine whether the practice needs to have a Business Associate Agreement with another Covered Entity acting in a Business Associate role.

Identifying Business Associates. Our Privacy Official shall identify all of our practice's Business Associates. The term Business Associate is defined by HIPAA. In general: A Business Associate means an entity, or a person who is not a member of a Covered Entity's workforce, that performs, on behalf of a Covered Entity, a function or activity involving the use or disclosure of protected health information.
Examples of Business Associates include claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing. Entities and persons are also Business Associates if they provide a Covered Entity legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to the Covered Entity, where the provision of the service involves the disclosure of individually identifiable health information from such Covered Entity or arrangement, or from another Business Associate of the Covered Entity. A Covered Entity may be a Business Associate of another Covered Entity.

Any organization that provides electronic data transmission services of protected health information to a Covered Entity or its Business Associate and that requires access on a routine basis to such protected health information will be treated as a Business Associate. Examples of such organizations include Health Information Exchange Organizations (HIEOs), Regional Health Information Organizations (RHIOs), E-prescribing Gateways, and certain vendors whose contracts with Covered Entities involve electronic health record, practice management, or personal health record systems.

Each Business Associate must implement HIPAA Administrative, Physical and Technical Security policies and procedures in compliance with the HITECH Act provision no later than February 17, 2010 and must provide satisfactory assurance that it has done so in the Business Associate Agreement.

Any contractor that does not require access to protected health information in order to fulfill its duties will not be considered a Business Associate, will not be required to execute a Business Associate Agreement, and will not be given access to protected health information. Any request for access to protected health information from a Business Associate will be directed to our Privacy Official.

Beginning February 17, 2010 our Privacy Official will ensure that new Business Associate Agreements incorporating privacy and security provisions of the HITECH Act are in place with each of our Business Associates. Our Privacy Official will ensure that appropriate Business Associate Agreements are in place for any Business Associate that has access to protected health information.

Our Privacy Official will train our workforce members to report any pattern of activity or practice of a Business Associate that constitutes a material breach or violation of the Business Associate's obligation under the contract.
If we discover such a pattern of activity or practice, our Privacy Official shall take reasonable steps to cure the breach or end the violation, as applicable. If such steps are unsuccessful, our practice shall terminate the contract, if feasible, or if termination is not feasible, report the problem to the Secretary of HHS.

3.4 Marketing

Our Practice will not use or disclose protected health information for any marketing purposes without first obtaining any necessary patient authorization. Our Privacy Official will determine whether a proposed use or disclosure of protected health information meets the HIPAA definition of a marketing communication, whether the disclosure is for payment or remuneration, whether an authorization is required and, if so, what the authorization must contain. Our Privacy Official will obtain any necessary authorizations prior to using or disclosing protected health information for marketing purposes and will retain such authorizations for six (6) years from the date of their creation or the date when they last were in effect, whichever is later.

1. Examples of marketing activities that require authorization:
a. A company that wants to send a marketing communication to all of your patients with a certain dental condition offers to give you direct or indirect remuneration or payment in exchange for those patients' names and addresses. You must obtain prior valid authorization from those patients and the authorization must state that such remuneration is involved. Six months after new final rulemaking to be promulgated by HHS in late 2010 or 2011, the authorization will be required to specify whether the company receiving the data can further exchange it for remuneration.
b. On or after February 18, 2010, a company offers to pay you to send a communication to all of your patients who have a certain dental condition that encourages them to purchase one of the manufacturer's products. You will require authorization before sending such a communication, and the communication must state that such remuneration is involved.

2. Examples of communications that do not require authorization:
a. You send out a notice to your patients that your office is relocating.
b. You announce the arrival of a new dentist.
c. You recommend case management or care coordination for the individual, or direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual, and (as of February 18, 2010) you do not receive direct or indirect payment for making such communication and it does not fall into one of the exceptions.
d. A pharmacy sends out a refill reminder for a medication that you prescribed for a patient.
e. A pharmaceutical company offers to pay you to send a marketing communication to certain of your patients, and the communication describes only a drug or biologic that is currently being prescribed for the recipients of the communication, and any payment that you receive in exchange for making the communication is reasonable in amount (HHS will adopt regulations regarding what is reasonable).

Authorization for using or disclosing protected health information for marketing communication must meet the requirements for a valid authorization (see Section 2.2.7, pp. 26-27). In addition, if the marketing involves direct or indirect remuneration to the Covered Entity from a third party (e.g., selling a list of patient names and addresses to another entity that plans to send the patients a marketing communication, or getting paid by another entity to send a marketing communication), the authorization must state that such remuneration is involved. As is likely in 2011, if a Covered Entity or Business Associate receives remuneration in exchange for protected health information, the authorization must also specify whether the protected health information can be further exchanged for remuneration by the entity that receives the individual's information (unless one of the exceptions applies).

3.5 Psychotherapy Notes

Our practice does not include psychotherapy professionals or provide psychotherapy, and thus does not generate psychotherapy notes. Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date. Our practice will refer any request for psychotherapy notes to our Privacy Official.
3.6 Consent for Uses and Disclosures Permitted

Our Privacy Official will prepare a consent form for the patient that indicates that our practice may use or disclose the patient's protected health information to carry out treatment, payment, or health care operations and any other permissible or required use or disclosure for which an authorization is not required. Our Privacy Official will consult with our practice's attorney with respect to our consent form for use and disclosures of protected health information for treatment, payment, and health care operations, and to ensure that it is referenced in our Notice of Privacy Practices.

Below is a list of circumstances in which our State privacy laws may require a consent or notice for the use or disclosure of confidential health information. Our Privacy Official will contact our state dental society and consult our practice's legal counsel as necessary to determine how to comply with any applicable state health record privacy laws concerning consent. The circumstances below may apply to our practice:

Consent Circumstance   | Requirements (check if applicable) | Consent Details
Communicable Diseases  |                                    |
Mental Health          |                                    |
Substance Abuse        |                                    |
Genetic                |                                    |
Other                  |                                    |

4.0 Patient Rights

4.1 Access Request

Our practice will review each patient request to access protected health information and will respond to the individual after following our verification policies and procedures and our Privacy Official's review of the nature of the request and the protected health information requested. In most cases, our practice will honor the patient's request for access to protected health information. We may deny an individual access in certain circumstances.

We will deny a request for access to protected health information:
- If, in the verification process, we determine that the individual making the request is not the patient.
- If we do not hold the information in a designated record set.

The following are reviewable grounds for denial of access:
- If, in the professional judgment of a licensed health care professional, the patient's access is reasonably likely to endanger the life or physical safety of the individual or another person.
- If the protected health information makes reference to another person (unless that person is a health care provider) and, in the professional judgment of a licensed health care professional, the access requested is reasonably likely to cause substantial harm to that person.
- If the request for access is made by the individual's personal representative and, in the professional judgment of a licensed health care professional, providing access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.

The following are examples of unreviewable grounds for denial:
- The information was compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
- The information requested was obtained from someone other than a health care provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information.

Procedure: All requests from patients to access their dental records will be directed to our Privacy Official. If we know the patient, we may not request that the individual provide verification documents. If we do not know the patient, we will request a photo ID and one other piece of identifying information, such as a credit card. A designated member of our workforce will review both. If photo or signatures do not match, access will be denied.

A designated member of our workforce will ask the patient to provide details about portions of the dental record he or she wishes to access and the form of access requested (inspection or copies). For example, a patient may request to view records from a specific visit or to copy particular portions of the dental record. Patients may never be left unattended with original records in any format.

If the patient's record is stored on our electronic health record software, we will ask if the patient wishes to receive a printed hard copy summary of the requested information or to receive the information downloaded to a portable USB drive that the patient provides to us. Our dentists will establish protocols on what we will and will not download from the patient record onto a patient's online personal health record. A patient may also request that we transmit an electronic copy directly to an entity or person that he or she designates.
We are not required to provide copies in electronic format unless the individual's request is clear, conspicuous, and specific. Our practice is also required to comply with applicable state privacy laws that are more stringent than HIPAA. For example, some states have adopted laws limiting access to protected health information to minors or personal representatives.

Access Procedures (once a request for access has been granted):
1. Determine the protected health information to be provided, such as lab results, treatment on a specific date, billing history, etc.
2. Determine the form of access to protected health information that is to be provided, such as viewing or copies (and, if copies, whether hard copy or electronic).
3. Record the Grant of Access Request in our Access Request Log.
4. Impose a reasonable cost-based fee as permitted by HIPAA unless a more stringent state law applies. Unless prohibited by state law, when an individual requests a copy of his or her protected health information, HIPAA permits your practice to charge a reasonable cost-based fee as follows:
   a. Charges for hard copies may include the cost of:
      i. Copying, including the cost of supplies for and labor of copying the requested information.
      ii. Postage, when the individual has requested the copy or a summary or explanation (see below) to be mailed.
   b. A charge for preparing a summary or explanation of the protected health information that includes a reasonable, cost-based fee covering only the cost of preparing the summary or explanation may be imposed if:
      i. The individual has agreed in advance to such a summary or explanation, and
      ii. The individual has agreed in advance to the fees for preparing the summary or explanation.
   c. A fee for providing an individual with an electronic copy (or an electronic summary or explanation of electronic protected health information) may not be greater than the labor costs in responding to the request for the electronic copy (or summary or explanation).
5. Place a copy of the practice-authorized Patient Request for Access to Protected Health Information Records form in the patient's dental file.
6. Provide the protected health information for the patient to inspect, or provide a copy of the information to the patient, sent via US Postal Service, or transmitted electronically, as applicable.

Denial Procedures (if our practice denies the request):
1. Complete the Patient Request for Access to Protected Health Information Records form and indicate that the request has been denied. The written denial must include:
   a. A plain language reason for the denial. If the denial is based on reviewable grounds, the denial must state that the individual may request a review of the denial and describe how the individual may exercise such review right.
   b. A description of how the individual may complain to our dental practice (including the name or title and telephone number of the contact person or office that we have designated to receive complaints) or to the Secretary of HHS.
2. If the practice does not maintain the protected health information but knows where it can be located, we will inform the patient where to redirect his or her request for access.
3. Document the decision in the patient's dental record by including in the record the Patient Request for Access to Protected Health Information Records form, showing denial.
4. Send to the patient a copy of the Patient Request for Access to Protected Health Information Records, showing denial.
4.2 Amendment
As stated in our Notice of Privacy Practices, an individual may request, in writing, that we amend information in the individual's dental record if that information is incorrect. The written request must provide a reason for the amendment. If we deny the individual's request, we will put our reason for denying the request in writing. If we agree to amend the record, we will amend the record and send a copy of the amended information to the patient. If another Covered Entity informs our practice of an amendment to an individual's protected health information, we will amend the protected health information in our designated record set(s) accordingly. All requests to amend a patient's dental record will be directed to our Privacy Official. We must act on such a request within 60 days of receipt. Our practice will maintain documentation of each amendment request, including a log of amendment requests.
Permitted Reasons to Deny a Request for Amendment
Our practice may deny an individual's request for amendment only under specified circumstances. We may deny the request if we determine that the information or record that is the subject of the request:
1. Is accurate and complete.
2. Would not be available for access by the individual.
3. Was not created by our practice (unless the individual provides a reasonable basis to believe the originator is no longer available).
4. Is not part of the designated record set.
Procedure if a Request for Amendment is Granted
If our practice grants a request to amend the patient's protected health information, we will:
1. Inform the patient of our decision.
2. Identify the affected records and append, or otherwise provide a link to the location of, the amendment.
3. Inform parties whom the patient identifies as requiring the newly amended information.
4. Make reasonable efforts to provide the amendment to persons the individual identifies as having received the information that required amendment, and to persons (including our Business Associates) we know have the information and may have relied, or could foreseeably rely, on that information to the individual's detriment.
Procedure if a Request for Amendment is Denied
1. If our practice denies the amendment request, we must send a timely written denial in plain language that includes the following:
a. The reason the request was denied.
b. The individual's right to submit a written statement disagreeing with the denial, and how to submit such a statement.
c. A statement that, if the individual does not submit a statement of disagreement, he or she may request that we provide the request for amendment and the denial with any future disclosures of the information that is the subject of the request.
d. The individual's right to submit a complaint to HHS or to our practice, with instructions on how to submit the complaint, including the name (or title) and telephone number of the person we have designated to receive complaints.
2. We must permit the individual to submit a written statement disagreeing with the denial. We may reasonably limit the length of the statement.
3. If the individual submits a statement of disagreement, we may prepare a written rebuttal. If we do so, we must provide a copy to the individual.
4. We must append (or otherwise link) the request for amendment, our denial, the statement of disagreement (if any), and our rebuttal (if any) to the appropriate record or protected health information.
5. If the individual submits a statement of disagreement, we must include the request for amendment, our denial, the statement of disagreement, and any rebuttal with any subsequent disclosure of the applicable protected health information. Alternatively, we may prepare an accurate summary of that material and include the summary with subsequent disclosures instead.
6. If the individual has not submitted a written statement of disagreement, we must include the request for amendment and its denial (or an accurate summary of them) with any subsequent disclosure of the applicable protected health information only if the individual has asked us to do so.
7. If a subsequent disclosure that is a HIPAA standard transaction requires additional material under items 5 or 6, and the transaction format does not permit the additional material to be included, we may transmit the material separately.
4.3 Accounting of Disclosures
Upon written request, we will provide the patient with an appropriate accounting of disclosures. All requests for an accounting of disclosures will be directed to our Privacy Official. We must act on such a request within sixty (60) days of receipt. If we are unable to provide the accounting within sixty (60) days, we are entitled to one 30-day extension, provided we give the individual a written statement of the reasons for the delay and the date on which we will provide the accounting. Our practice will maintain documentation of the content of each accounting requested, of each written accounting provided, and of the title of the person or office responsible for receiving and processing requests for an accounting, for six years from the date of its creation or the date when it was last in effect, whichever is later. Our Privacy Official will keep an accounting of paper record disclosures in a log. Electronic disclosures will be tracked by our electronic health record system. Our practice must provide the first accounting to a patient in any 12-month period without charge. Upon receiving any subsequent request from the same individual within that 12-month period, we may charge a reasonable cost-based fee, as long as we have informed the patient in advance of the cost and given him or her an opportunity to withdraw or modify the request in order to avoid or reduce the fee.
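The accounting rules in this section (the 60-day response window with one 30-day extension, the free first accounting per 12-month period, the six-year lookback that stops at the Privacy Rule compliance date, the categories of disclosure that are exempt, and the content each entry must carry) can be applied mechanically to an audit log. The Python module below is an added example written for this page; it is not code from the practice or from any EHR vendor. The log layout, the category names, and the function names are assumptions made for illustration, and the sample log is constructed, not real patient data. It also treats misdirected faxes as accountable disclosures, which section 5.1 of this chapter requires.

```python
"""Accounting-of-disclosures helper (added example; layout and names are assumptions)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional, Union

# Categories the section says need NOT be included in an accounting.
EXEMPT_CATEGORIES = frozenset({
    "treatment", "payment", "operations",            # TPO
    "to_individual", "incidental", "authorized",
    "family_friends", "national_security", "correctional",
    "limited_data_set",
})

LOOKBACK_YEARS = 6
COMPLIANCE_DATE = date(2003, 4, 14)   # an accounting never reaches before this date
RESPONSE_DAYS = 60                    # must act within 60 days of receipt
EXTENSION_DAYS = 30                   # one extension, only with written notice

DateLike = Union[date, str]           # accept ISO strings as they come out of a CSV export


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str
    recipient_address: Optional[str]  # None when the address is not known
    description: str                  # brief description of the PHI disclosed
    purpose: str                      # brief statement of purpose
    category: str                     # how the disclosure was logged (assumed vocabulary)


def _as_date(d: DateLike) -> date:
    return d if isinstance(d, date) else date.fromisoformat(d)


def _years_before(d: date, years: int) -> date:
    """Same calendar day `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def accounting_start(request_date: DateLike) -> date:
    """Earliest disclosure date the accounting must cover."""
    rd = _as_date(request_date)
    return max(_years_before(rd, LOOKBACK_YEARS), COMPLIANCE_DATE)


def build_accounting(log: Iterable[Disclosure], patient_id: str,
                     request_date: DateLike) -> List[dict]:
    """One entry per non-exempt disclosure of this patient's PHI inside the window."""
    rd = _as_date(request_date)
    start = accounting_start(rd)
    entries = []
    for d in sorted(log, key=lambda x: x.disclosed_on):
        if d.patient_id != patient_id or d.category in EXEMPT_CATEGORIES:
            continue
        if not (start <= d.disclosed_on <= rd):
            continue
        entries.append({
            "date": d.disclosed_on.isoformat(),
            "recipient": d.recipient,
            "address": d.recipient_address or "not known",
            "description": d.description,
            "purpose": d.purpose,
        })
    return entries


def response_deadlines(received: DateLike) -> dict:
    """Date by which we must act, and the latest date if the 30-day extension is taken."""
    due = _as_date(received) + timedelta(days=RESPONSE_DAYS)
    return {"due": due.isoformat(),
            "extended_due": (due + timedelta(days=EXTENSION_DAYS)).isoformat()}


def fee_permitted(prior_request_dates: Iterable[DateLike], request_date: DateLike) -> bool:
    """True only if an accounting was already requested in the preceding 12 months.
    Even then the fee must be stated in advance and the patient allowed to withdraw."""
    rd = _as_date(request_date)
    window_start = _years_before(rd, 1)
    return any(window_start < _as_date(p) < rd for p in prior_request_dates)


# Constructed sample audit log (not real patient data).
SAMPLE_LOG = [
    Disclosure("P-1001", date(2015, 6, 10), "County sheriff's office", "123 Main St",
               "treatment dates", "law enforcement request", "law_enforcement"),
    Disclosure("P-1001", date(2015, 9, 2), "Referring dentist", None,
               "radiographs", "treatment referral", "treatment"),            # exempt (TPO)
    Disclosure("P-1001", date(2009, 1, 15), "State health department", None,
               "diagnosis codes", "public health report", "public_health"),  # older than 6 years
    Disclosure("P-1001", date(2016, 1, 20), "Unknown fax recipient", None,
               "billing statement", "misdirected fax", "misdirected_fax"),   # must be listed
    Disclosure("P-1001", date(2016, 2, 1), "Life insurer", "PO Box 9",
               "full chart", "patient authorization on file", "authorized"),  # exempt
    Disclosure("P-2002", date(2015, 7, 1), "Court clerk", None,
               "treatment summary", "subpoena", "judicial"),                 # other patient
]
SAMPLE_REQUEST_DATE = "2016-03-01"

if __name__ == "__main__":
    for entry in build_accounting(SAMPLE_LOG, "P-1001", SAMPLE_REQUEST_DATE):
        print(entry)
    print(response_deadlines(SAMPLE_REQUEST_DATE))
    print("fee permitted:", fee_permitted(["2015-12-01"], SAMPLE_REQUEST_DATE))
```

Run as a script it prints the two accountable entries for the constructed log (the law enforcement disclosure and the misdirected fax), the 60-day and extended deadlines, and whether a fee may be charged. The window is clamped at the April 14, 2003 compliance date and a request dated February 29 is handled explicitly, two edge cases a hand-built report is likely to get wrong.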
An individual has the right to request an accounting of disclosures made up to six years prior to the date of the request, but not prior to April 14, 2003. An individual does not have the right to an accounting of the following kinds of disclosures:
- Disclosures made to carry out treatment, payment, and health care operations as defined by HIPAA (however, see the sidebar regarding electronic health records).
- Disclosures to individuals of protected health information about them.
- Disclosures made incident to a disclosure otherwise permitted or required under the HIPAA Privacy Rule.
- Disclosures that were authorized by the individual.
- Appropriate disclosures to family and friends (see section 2.4 of this chapter).
- Certain disclosures for national security or intelligence purposes, or to correctional institutions or law enforcement officials.
- Disclosures of information as part of a limited data set (see section 2.9 of this chapter).
The accounting must include the following information regarding disclosures made by our practice or one of our Business Associates during the applicable time period:
- Date of disclosure.
- Name of the entity or person who received the information and, if known, the address of the entity or person.
- A brief description of the protected health information disclosed.
- A brief statement of the purpose of the disclosure or, if applicable, a copy of the written request for disclosure.
Under certain circumstances, our practice may be required to suspend a patient's right to receive an accounting of disclosures made to health oversight agencies or law enforcement officials.
4.4 Confidential Communications Requirements
Our practice will accommodate reasonable requests by patients to receive communications from our practice by alternative means or at an alternative location. Our practice will require patient requests for confidential communications to be in writing.
In making appointments with an existing patient, our scheduler will ask whether the designated address and telephone number are appropriate for contact or whether the patient would like to provide an alternative method or methods of communication. We will also ask whether we may leave information about dental care at the designated address or telephone number. When it is appropriate, we may set conditions for Alternative Communications with respect to how payment will be handled. We may also, in appropriate circumstances, set conditions on how Alternative Communications are executed in the case of alternative addresses or other forms of contact, such as an e-mail address. Our practice will not require an explanation of why the patient wants Alternative Communications.
4.5 Right of an Individual to Request Restriction of Uses and Disclosures
Our practice allows patients to submit a Patient Request for Use or Disclosure Restriction on Patient's Protected Health Information form to request a restriction on how his or her protected health information will be used and disclosed. We are not required to agree to the restriction, except that, as of February 18, 2010, if a patient who pays in full out-of-pocket for an item or service requests that we not submit a claim or protected health information about that item or service to a health plan for purposes of payment or health care operations, we must comply with that request.
As of February 18, 2010, our practice will comply with a Restriction Request not to disclose protected health information to a health plan for payment or health care operations if the patient first pays out-of-pocket and in full for the item or service. Our practice will develop any necessary procedures to comply with this provision. For example, we may need to adjust the way we submit claims to health plans in order to comply with such a request. As another example, if a patient receives two or more services in one visit, pays for one of the services in full out of pocket, and requests that our practice not disclose information about that service to a health plan for payment, our practice will determine how best to maintain the protected health information concerning the procedures so as to comply with the request. Otherwise, we are not required to agree to a requested restriction. Generally, we will agree to restrictions only when exceptional circumstances exist and when we can reasonably accommodate them. The Privacy Official determines whether or not we should agree to the request.
If we agree to a Restriction Request, we must document the restriction and we must not violate it; however, we may still use and disclose protected health information for treatment, payment and health care operations (except as noted above) and as required or permitted by HIPAA for emergency treatment, HHS investigation, and other permitted uses and disclosures. If we agree to a Restriction Request, the agreement can be terminated in only three ways:
1. The patient agrees to or requests the termination in writing.
2. The patient orally agrees to the termination, and the oral agreement is documented.
3. Our practice informs the individual that we are terminating our agreement to the restriction; such a termination is effective only with respect to protected health information created or received after we inform the patient that the restriction has been terminated.
4.6 Complaints
Our practice will provide a process for complaints concerning our HIPAA Privacy and Breach Notification policies, procedures, and compliance. Any workforce member who receives a privacy violation complaint from an individual will immediately enter the time, date, and a brief description of the complaint into a log. The workforce member will then inform the Privacy Official of the complaint. Our practice has designated the Privacy Official to receive complaints and to provide further information
about our Notice of Privacy Practices. The Privacy Official will listen to the individual's complaint and then ask the individual to document the details of the complaint, to make sure that we have a common understanding of the nature of the complaint and a record of it. Our Privacy Official, working with the dentist, will make inquiries into the nature of the complaint to determine what has occurred and whether it constitutes a HIPAA privacy breach of protected health information and/or a violation of the practice's policies and procedures. The Privacy Official will then put a response in writing to the complainant, either describing how the practice will address and resolve the complaint, or explaining why the practice's action did not involve a violation of policies or procedures or a breach of protected health information. At no time will our practice retaliate against an individual for filing a privacy complaint.
5.0 HIPAA Privacy Safeguards
Our dental practice will exercise care to safeguard the use and disclosure of protected health information. The following procedures identify how we will safeguard protected health information in oral, hard copy (paper and other physical documentation such as dental films), and electronic formats.
5.1 Administrative Safeguards
Sign-in Sheets: Patients will sign in using last name only and time of arrival. Dental staff will call patients by first name into the exam room.
Oral communications: Our workforce members will avoid unnecessary disclosures of protected health information by monitoring their voice levels and being alert for unauthorized listeners. Dictation and telephone conversations will be conducted away from public areas. Speaker-phones may be used only in private areas.
Telephone messages: Unless a patient has requested that he or she be contacted by a specific alternative means of communication, telephone messages and appointment reminders may be left on answering machines and voicemail systems, but we shall limit the amount of protected health information disclosed in a telephone message. If we suspect abuse or neglect, we will seek an alternative means of communication for messages.
Faxes: Only the protected health information necessary to meet the details of the request will be faxed. A cover sheet that includes a confidentiality notice will accompany all faxes. We will make reasonable efforts to verify that a fax transmission was sent to the correct destination. Fax machines will be located in secure areas that cannot be easily accessed by visitors or patients. Misdirected faxes containing protected health information must be accounted for in our Accounting of Disclosures Log. Any misdirected fax must be investigated and assessed under the Breach Notification Rule; if the misdirected fax constitutes a breach of unsecured protected health information, appropriate notifications will be sent.
Mail: Protected health information that is mailed will be concealed and sent via first class mail to the patient's primary address unless the patient requests an alternative address.
Copies: Copies of records containing protected health information will be stamped "Copy" in a color other than black so that copies can be distinguished from originals.
Destruction of protected health information: When it is appropriate to destroy protected health information in compliance with applicable federal and state laws and regulations and our practice's document retention policies, such information will be destroyed in compliance with the Guidance contained in the August 24, 2009, Breach Notification Rule. Hard copy media (which includes paper and other physical documentation) containing protected health information will be destroyed using a shredder that renders the information unusable, unreadable, or indecipherable. Electronic media, including compact disks, magneto-optic disks, optical disks, and USB drives, must be destroyed by pulverizing, crosscut shredding, or burning. Our Privacy Official will determine and authorize which workforce members may destroy protected health information, and whether safety, hazmat, or special disposition needs should be identified and addressed prior to destruction.
5.2 Physical Safeguards
Paper Records: Our practice will store paper records and medical charts away from unauthorized persons. Dental records will be placed face down on desks, counters, and workstations to conceal the identity of patients. Our receptionist will pull patient dental records the evening prior to the patient visit and is responsible for ensuring that the records are safely returned to the dental record files. If the dentist chooses to remove dental records from the physical location, he or she must sign out the records and is responsible for returning them the next day. If a breach occurs while the records are away from the practice, it is the responsibility of the dentist who checked them out to notify the Privacy Official of the breach. Theft or loss of any paper record or dental chart must be reported immediately to the Privacy Official.
Patients and Visitors: Visitors and patients will be appropriately monitored during their visit to our practice. Patients will not be allowed to access other patients' records or other protected health information.
5.3 Technical Safeguards
Computer Workstations: Computer monitors will be positioned so that they face away from public areas of the dental office. Unattended computers will time out after 10 minutes of inactivity.
E-mail: E-mail containing protected health information shall be encrypted. Our practice will consult with our software vendor(s) and Internet provider to determine encryption solutions that would render protected health information unusable, unreadable, and indecipherable according to the August 24, 2009 Guidance discussed in Chapter 1 and in Chapters 4 through 6 regarding Security safeguards for electronic protected health information. E-mails sent between dentists and other health care providers via a common Internet carrier shall not include protected health information unless the e-mail is encrypted. If e-mail is encrypted, workforce members may exchange e-mails containing protected health information with patients, but only if:
1. The patient has signed a Consent for Electronic Communication form.
2. The e-mail is documented in the patient's dental record.
3. The content of the e-mail is limited to only the information requested by the patient.
Internet: Access to the Internet from a computer workstation that contains protected health information is prohibited. Our practice will set up a workstation in the lunchroom where workforce members may check personal e-mail or conduct other Internet business.
Portable and Mobile Handheld Computing Devices: Workforce members other than dentists may not store protected health information on portable or mobile computing devices. Any protected health information on a dentist's portable or mobile handheld computing device must be encrypted according to the August 24, 2009, Guidance encryption requirements. Workforce members storing any unsecured protected health information on portable or mobile handheld computing devices are responsible for the security of that protected health information and are subject to our practice's HIPAA policies and procedures, and to sanctions up to and including termination of employment, if the handheld device is misplaced, lost, or stolen. Workforce members must immediately notify the Privacy Official of a breach or suspected breach of protected health information.
Portable Storage Devices: Protected health information shall not be downloaded onto portable storage devices, such as USB flash drives and CDs, unless the device is encrypted.
A-1 Privacy Official Job Description
General Duties: Be the advocate who maintains the privacy of patients' protected health information and oversee activities that keep our practice in compliance with the rules that govern the privacy of protected health information in oral, written and electronic form.
Specific Duties:
Management Advisor: Work with the dental practice's management team and lawyers to comply with federal and state laws governing the privacy of individually identifiable health information. Stay current on privacy laws and updates in privacy technology. Immediately notify dental management of requested investigations and reviews by HHS or other governing agencies.
Human Resources and Training: Develop, or serve as team leader in the development of, the practice's privacy policies and procedures. Integrate those policies into the practice's day-to-day activities and provide training, either as on-the-spot refresher courses or planned courses. Oversee sanctions according to our policies and procedures and bring them to the attention of the practice's leadership committee.
Risk Management: Collaborate with the Security Official to ensure that privacy and security risks are analyzed and that policies and procedures are developed, updated, and enforced to prevent unauthorized disclosures of protected health information.
Business Associates: Lead the practice in updating business associate contracts and work with our lawyers to develop and execute business associate agreements in accordance with HITECH, HIPAA and the Breach Notification Rule.
Patient Rights: Oversee patient requests to the practice and help the practice's employees understand how to address patient questions about the practice's privacy initiatives. Develop an effective internal and external communications effort to help patients and the workforce understand how the practice protects patient rights.
Complaint Management: Implement and manage the handling of complaints regarding the practice's standards and protocols, including documenting and investigating and, if necessary, mitigating those complaints. Educate the workforce on the practice's policies and procedures on complaints and on prohibited retaliatory actions against individuals who exercise their patient rights.
Qualifications: Must be familiar with the dental and administrative functions of the practice. Must have excellent communication, problem solving, and research skills. Has an interest in privacy laws and regulations; recognized as having high integrity and being detail oriented. Strong organizational skills; works well with management and staff.
A-2 Notice of Privacy Practices
MCDONOUGH CENTER FOR FAMILY DENTISTRY LLC
NOTICE OF PRIVACY PRACTICES
THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. THE PRIVACY OF YOUR HEALTH INFORMATION IS IMPORTANT TO US.
Our Legal Duty
We are required by applicable federal and state law to maintain the privacy of your protected health information. We are also required to give you this Notice about our privacy practices, our legal duties, and your rights concerning your protected health information. We must follow the privacy practices that are described in this Notice while it is in effect. This Notice takes effect __/__/____, and will remain in effect until we replace it. We reserve the right to change our privacy practices and the terms of this Notice at any time, provided such changes are permitted by applicable law. We reserve the right to make the changes in our privacy practices and the new terms of our Notice effective for all health information that we maintain, including health information we created or received before we made the changes. Before we make a significant change in our privacy practices, we will change this Notice and provide the new Notice at our practice location, and we will distribute it upon request. You may request a copy of our Notice at any time. For more information about our privacy practices, or for additional copies of this Notice, please contact us using the information listed at the end of this Notice.
Your Authorization: In addition to our use of your health information for the purposes described below, you may give us written authorization to use your health information or to disclose it to anyone for any purpose. If you give us an authorization, you may revoke it in writing at any time. Your revocation will not affect any use or disclosures permitted by your authorization while it was in effect.
Unless you give us a written authorization, we cannot use or disclose your health information for any reason except those described in this Notice.
Uses and Disclosures of Health Information
We use and disclose health information about you without authorization for the following purposes.
Treatment: We may use or disclose your health information for your treatment. For example, we may disclose your health information to a physician or other healthcare provider providing treatment to you.
Payment: We may use and disclose your health information to obtain payment for services we provide to you. For example, we may send claims to your dental health plan containing certain health information.
Healthcare Operations: We may use and disclose your health information in connection with our healthcare operations. For example, healthcare operations include quality assessment and improvement activities, reviewing the competence or qualifications of healthcare professionals, evaluating practitioner and provider performance, conducting training programs, and accreditation, certification, licensing or credentialing activities.
To You Or Your Personal Representative: We must disclose your health information to you, as described in the Patient Rights section of this Notice. We may disclose your health information to your personal representative, but only if you agree that we may do so.
Persons Involved In Care: We may use or disclose health information to notify, or assist in the notification of (including identifying or locating), a family member, your personal representative or another person responsible for your care, of your location, your general condition, or death. If you are present, then prior to use or disclosure of your health information, we will provide you with an opportunity to object to such uses or disclosures.
In the event of your absence or incapacity, or in emergency circumstances, we will disclose health information based on a determination using our professional judgment, disclosing only health information that is directly relevant to the person's involvement in your healthcare. We will also use our professional judgment and our experience with common practice to make reasonable inferences of your best interest in allowing a person to pick up filled prescriptions, medical supplies, x-rays, or other similar forms of health information.
Disaster Relief: We may use or disclose your health information to assist in disaster relief efforts.
Marketing Health-Related Services: We will not use your health information for marketing communications without your written authorization.
Required by Law: We may use or disclose your health information when we are required to do so by law.
Public Health and Public Benefit: We may use or disclose your health information to report abuse, neglect, or domestic violence; to report disease, injury, and vital statistics; to report certain information to the Food and Drug Administration (FDA); to alert someone who may be at risk of contracting or spreading a disease; for health oversight activities; for certain judicial and administrative proceedings; for certain law enforcement purposes; to avert a serious threat to health or safety; and to comply with workers' compensation or similar programs.
Decedents: We may disclose health information about a decedent as authorized or required by law.
National Security: We may disclose to military authorities the health information of Armed Forces personnel under certain circumstances. We may disclose to authorized federal officials health information required for lawful intelligence, counterintelligence, and other national security activities. We may disclose to a correctional institution or law enforcement official having lawful custody the protected health information of an inmate or patient under certain circumstances.
Appointment Reminders: We may use or disclose your health information to provide you with appointment reminders (such as voicemail messages, postcards, or letters).
Patient Rights
Access: You have the right to look at or get copies of your health information, with limited exceptions. You may request that we provide copies in a format other than photocopies. We will use the format you request unless we cannot practicably do so. You must make a request in writing to obtain access to your health information. You may obtain a form to request access by using the contact information listed at the end of this Notice. You may also request access by sending us a letter to the address at the end of this Notice. We will charge you a reasonable cost-based fee for the cost of supplies and labor of copying. If you request copies, we will charge you $0.__ for each page, $__ per hour for staff time to copy your health information, and postage if you want the copies mailed to you. If you request an alternative format, we will charge a cost-based fee for providing your health information in that format. If you prefer, we will prepare a summary or an explanation of your health information for a fee. Contact us using the information listed at the end of this Notice for a full explanation of our fee structure.
Disclosure Accounting: You have the right to receive a list of instances in which we or our business associates disclosed your health information for purposes other than treatment, payment, healthcare operations, and certain other activities, for the last 6 years, but not before April 14, 2003. If you request this accounting more than once in a 12-month period, we may charge you a reasonable, cost-based fee for responding to these additional requests.
Restriction: You have the right to request that we place additional restrictions on our use or disclosure of your health information. In most cases we are not required to agree to these additional restrictions, but if we do, we will abide by our agreement (except in certain circumstances where disclosure is required or permitted, such as an emergency, for public health activities, or when disclosure is required by law). We must comply with a request to restrict the disclosure of protected health information to a health plan for purposes of carrying out payment or health care operations (as defined by HIPAA) if the protected health information pertains solely to a health care item or service for which we have been paid out of pocket in full.
Alternative Communication: You have the right to request that we communicate with you about your health information by alternative means or at alternative locations. (You must make your request in writing.) Your request must specify the alternative means or location, and provide a satisfactory explanation of how payments will be handled under the alternative means or location you request.
Amendment: You have the right to request that we amend your health information. Your request must be in writing, and it must explain why the information should be amended. We may deny your request under certain circumstances.
Electronic Notice: You may receive a paper copy of this Notice upon request, even if you have agreed to receive this Notice electronically on our Web site or by electronic mail (e-mail).
Questions and Complaints
If you want more information about our privacy practices or have questions or concerns, please contact us. If you are concerned that we may have violated your privacy rights, or you disagree with a decision we made about access to your health information or in response to a request you made to amend or restrict the use or disclosure of your health information or to have us communicate with you by alternative means or at alternative locations, you may complain to us using the contact information listed at the end of this Notice. You also may submit a written complaint to the U.S. Department of Health and Human Services. We will provide you with the address to file your complaint with the U.S. Department of Health and Human Services upon request. We support your right to the privacy of your health information. We will not retaliate in any way if you choose to file a complaint with us or with the U.S. Department of Health and Human Services.
Contact Officer: Frank F. Nia, DMD, MSEd
Telephone: ___
Fax: ___
Address: 5304 Windward Parkway #107, Alpharetta, Georgia 30004
III 12 KEY THINGS TO REMEMBER
12 KEY THINGS TO REMEMBER: HIPAA Privacy, Security, and Breach Notification

These twelve (12) key attributes give a general overview of certain compliance issues; however, this overview is not intended, and should not be interpreted, as a substitute for the detailed information provided in McDonough Center for Family Dentistry LLC's HIPAA Privacy Policies & Procedures and HIPAA Security Policies & Procedures manuals. For a more complete understanding of the issues involved, refer to the appropriate statute or regulation, and consult the attorney for your dental practice. The following twelve attributes are in no particular order.

1. Three Fundamental Properties of HIPAA Privacy and Security Rules

The three fundamental properties of HIPAA Privacy and Security are the confidentiality, integrity, and availability of protected health information in any form:
- Confidentiality is the property that data or information is not made available or disclosed to unauthorized persons or processes.
- Integrity is the property that data or information has not been altered or destroyed in an unauthorized manner.
- Availability is the property that data or information is accessible and useable upon demand by an authorized person.

2. Definition of Protected Health Information

HIPAA applies to protected health information. The definition of protected health information starts with the definition of individually identifiable health information.[1] Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:
1. is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
2. relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
   i. that identifies the individual; or
   ii. with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Protected health information is individually identifiable health information that is:
i. transmitted[2] by electronic media;
ii. maintained[3] in electronic media; or
iii. transmitted or maintained in any other form or medium,
and is not certain education records[4] or employment records held by a Covered Entity in its role as employer.

3. Protected Health Information Identifiers

Make sure that your workforce members are aware of the following list of eighteen identifiers. If all eighteen identifiers (with respect to the individual or relatives, employers, or household members of the individual) are removed, the information is not considered protected health information, unless the Covered Entity has actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information. The eighteen identifiers are:
- Names.
- Any geographic subdivision smaller than a state (including address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code[5]).
- All elements of dates (including a birth date, treatment date, etc.) except year, all ages over 89, and all dates, including year, that indicate ages over 89.
- Telephone numbers.
- Fax numbers.
- E-mail addresses.
- Social security numbers.
- Medical or dental record numbers.
- Health plan beneficiary numbers.
- Account numbers.
- Certificate/license numbers.
- Vehicle identifiers and serial numbers, including license plate numbers.
- Device identifiers and serial numbers.
- Web Universal Resource Locators (URLs).
- Internet Protocol (IP) address numbers.
- Biometric identifiers such as finger and voice prints.
- Full face photographic and any comparable images.
- Any other unique identifying number, characteristic, or code.

4. HIPAA Security Rule Attributes

The HIPAA Security Rule pertains to electronic protected health information. Here are some facts about the HIPAA Security Rule that you must know:
- The Security Rule is a set of standards and implementation specifications with which your dental practice must comply and with which your Business Associates must comply beginning February 17, 2010.
- The Security Rule standards always require compliance by your dental practice, while implementation specifications can be required or addressable.[6]
- The Security Rule is scalable, taking into consideration the size of your dental practice, and flexible, taking into consideration the structure of your practice, the costs of security measures, and the likelihood and criticality of potential risks to electronic protected health information that your practice may encounter.
- The Security Rule is reasonable and permits your dental practice to implement security measures that are appropriate.
- The Security Rule is based on the key principles of confidentiality, integrity, and availability pertaining to your dental patients' electronic protected health information.
- The Security Rule is technology-neutral: your practice's choice of safeguards (inputs) is up to the practice as long as safeguard performance measures (outputs) are achieved.[7]

[1] 45 CFR.
[2] Data in motion.
[3] Data at rest.
[4] Education records covered by the Family Educational Rights and Privacy Act ("FERPA"), as amended, 20 U.S.C. 1232g, and records described at 20 U.S.C. 1232g(a)(4)(B)(iv).
[5] The geographic unit formed by combining all zip codes with the same three digits must contain more than 20,000 people; otherwise, the three-digit code must be changed to 000.
[6] "Addressable" does not mean "optional." Rather, an addressable implementation specification means that a dental practice must assess whether the implementation specification is a reasonable and appropriate safeguard for that dental practice, when analyzed with reference to its likely contribution to protecting the entity's electronic protected health information. Then the dental practice must either implement the implementation specification if it is reasonable and appropriate or, if it is not reasonable and appropriate, the practice must document why not, implement an equivalent alternative measure if reasonable and appropriate, and document the equivalent alternative measure.
- The Security Rule is based on risk analysis and mitigation of risk: you must identify potential vulnerabilities and threats to your electronic protected health information and implement measures that reduce those risks.
- The Security Rule is built on a foundation of safeguarding electronic protected health information, so your dental practice must maintain the availability of electrical power to the systems that hold it.
- It is likely that your practice has already implemented and uses on a daily basis many of the policies and procedures that are formalized in the Security Rule and its standards, implementation specifications, and documentation requirements.
- The Security Rule represents prudent business operation behavior and is an investment in the future of your dental practice as a successful business.

5. Nine Critical Steps in the Security Risk Analysis

When your dental practice conducts its initial or updated risk analysis, refer to the following nine steps:
- Define the scope[8] of your risk analysis.
- Gather information.
- Identify realistic threats.
- Identify potential vulnerabilities.
- Assess current security controls.
- Determine the likelihood and impact of a threat exercising a vulnerability.
- Determine the level of risk.
- Recommend security controls.
- Document the risk assessment results.

6. Privacy and Security Awareness Training

Here is an overview of the HIPAA training requirements:

[7] However, remember that, unlike the Security Rule, the Breach Notification Rule is not technology neutral. A Covered Entity must provide the required notifications if unsecured protected health information is breached. HHS specifies the technologies and methodologies for "securing" protected health information.
[8] Determine how your dental practice uses electronic media that contain electronic protected health information.
- Privacy.[9] Your dental practice must train its workforce members on the policies and procedures with respect to protected health information required by the HIPAA Privacy Rule and the Breach Notification Rule.
  o Current workforce members must be retrained within a reasonable period of time whenever their functions are affected by a material change in the policies or procedures required by the HIPAA Privacy Rule and the Breach Notification Rule.[10]
  o New workforce members must be trained within a reasonable period of time after the person joins your dental practice.
  o Your dental practice must document that training has been provided.
- Security Awareness.[11] Implement a security awareness and training program for all members of McDonough Center for Family Dentistry LLC's workforce (including management), through the following addressable implementation specifications:[12]
  o Periodic security updates.
  o Procedures for guarding against, detecting, and reporting malicious software.
  o Procedures for monitoring log-in attempts and reporting discrepancies.
  o Procedures for creating, changing, and safeguarding passwords.

Here is guidance as to how to conduct your required training:
- Allocate time at each staff meeting to address privacy and security.
- Topics to consider at staff meetings might include your dental practice's policies related to:
  o Logging in to multiple workstations.
  o Auditing user access to workstations.
  o Detecting security incidents or privacy breaches.
  o Prohibition on posting or sharing of passwords.

[9] 45 CFR (b)(2).
[10] Ibid.
[11] 45 CFR (5).
[12] These implementation specifications are addressable. Assess whether each implementation specification is reasonable and appropriate and determine whether it would likely contribute to protecting the practice's electronic protected health information. If so, then implement the specification. If the implementation specification is not reasonable and appropriate, implement an equivalent alternative measure if it is reasonable and appropriate. Document your decision and your reasoning for whatever your practice implements.
  o Encrypting electronic protected health information.
  o Protecting against unauthorized access to your practice's protected health information in its various forms.
- Institute formal training for current workforce members annually; training as to new or changed policies every six (6) months; and applicable training whenever a workforce member changes jobs within the practice or takes on new job responsibilities.
- Institute formal training for new workforce members no later than 30 days following a new hire.
- Consider whether online training courses on privacy and security, with tests to document understanding of privacy and security rules, would enhance your practice's risk mitigation efforts and compliance with HIPAA training requirements.
- Post reminder signs near workstations, in the break room, and in other areas of your practice facility where workforce members gather.

7. Enforcement of Privacy and Security Compliance

Effective July 27, 2009, Secretary of Health and Human Services (HHS) Kathleen Sebelius delegated enforcement of the HIPAA Security Rule to the HHS Office for Civil Rights (OCR),[13] which has had HIPAA Privacy Rule enforcement responsibilities since the compliance date of that rule, April 14, 2003. Then, on Friday, October 30, 2009, HHS published in the Federal Register its Interim Final Rule that strengthens HIPAA enforcement under the HITECH Act civil penalty revisions enacted as part of the American Recovery and Reinvestment Act on February 17, 2009.[14] These HITECH Act revisions "significantly increase the penalty amounts the Secretary [of HHS] may impose for violations of the HIPAA rules and encourage prompt corrective action," according to the HHS press release.[15] The Interim Final Rule took effect on November 30, 2009. OCR will also enforce the HITECH Act Breach Notification Rule. Unified enforcement and higher penalties increase both the likelihood and the severity of consequences for non-compliance with the HIPAA Privacy and Security Rules and the Breach Notification Rule.
Prior to the HITECH Act revisions enacted on February 17, 2009, civil penalties for HIPAA violations were $100 for each violation or $25,000 for all violations of the same provision in a calendar year.[16] Under the HITECH Act, penalties are substantially increased and have been divided into four tiers, with a maximum penalty of $1.5 million for all violations of an identical provision in a calendar year. The tiered penalties now range as follows, for each violation:
- $100 to $50,000 if the Covered Entity did not know and, by exercising reasonable diligence, would not have known, that it violated such provision.
- $1,000 to $50,000 if the violation was due to reasonable cause and not to willful neglect.
- $10,000 to $50,000 if the violation was due to willful neglect and was corrected as required.[17]
- $50,000 or more if the violation was due to willful neglect and was not corrected as required.

According to OCR Director Georgina Verdugo, "The Department's implementation of these HITECH Act enforcement provisions will strengthen the HIPAA protections and rights related to an individual's health information. This strengthened penalty scheme will encourage health care providers, health plans and other health care entities required to comply with HIPAA to ensure that their compliance programs are effectively designed to prevent, detect and quickly correct violations of the HIPAA rules."[18]

8. Securing Electronic Protected Health Information

On August 24, 2009, the Secretary of Health and Human Services published in the Federal Register the Interim Final Rule: Breach Notification for Unsecured Protected Health Information.[19] Contained within this document is the very important Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals,[20] which instructs your dental practice and your hardware and software vendors how to secure your practice's protected health information in your database, in transmission, and in disposal. The Guidance is reproduced below. HHS may update or change the Guidance on an annual basis beginning in April 2010.

Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.

[13] See Department of Health and Human Services, Office of the Secretary, "Office for Civil Rights; Delegation of Authority," Federal Register, v. 74, n. 148, August 4, 2009, p. 38630.
[14] See Department of Health and Human Services, Office of the Secretary, "45 CFR Part 160, HIPAA Administrative Simplification: Enforcement; Interim Final Rule," Federal Register, v. 74, n. 209, October 30, 2009, pp. 56123-56131.
[15] Press release, "HHS Strengthens HIPAA Enforcement," October 30, 2009.
[16] See 74 Federal Register 56131: 45 CFR (b)(1).
Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals if one or more of the following applies:

a. Electronic PHI has been encrypted as specified in the HIPAA Security Rule by "the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key"[21] and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. The encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.
   i. Valid encryption processes for data at rest [your practice's database] are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.[22]
   ii. Valid encryption processes for data in motion [your practice's electronic transmissions] are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs; or others which are Federal Information Processing Standards (FIPS) 140-2 validated.

b. The media on which the PHI is stored or recorded have been destroyed in one of the following ways:
   i. Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction.
   ii. Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization, such that the PHI cannot be retrieved.

We recommend that you encrypt your electronic protected health information in your database and in transmissions so that it is secure as defined in the Guidance. We also recommend that you follow the protected health information disposal requirements outlined in the Guidance. Be alert to any changes in the provisions of the Guidance.

9. Business Associates Must Comply with the HIPAA Security Rule

Effective February 17, 2010, your dental practice's Business Associates must comply with the HIPAA Security Rule.

[17] For a violation in which it is established that the violation was due to willful neglect and was corrected during the 30-day period beginning on the first date the Covered Entity liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred. 74 Federal Register 56131: 45 CFR (b)(2)(iii).
[18] Press release, "HHS Strengthens HIPAA Enforcement," October 30, 2009.
[19] Department of Health and Human Services, Office of the Secretary, "45 CFR Parts 160 and 164: Breach Notification for Unsecured Protected Health Information," Federal Register, v. 74, n. 162, August 24, 2009, pp. 42739-42770.
[20] 74 Federal Register 42742-42743.
[21] 45 CFR, definition of "encryption."
[22] NIST Roadmap plans include the development of security guidelines for enterprise-level storage devices, and such guidelines will be considered in updates to this Guidance, when available.
As a Covered Entity, your practice is not required to enforce a Business Associate's compliance with the Security Rule. Rather, as stated in 45 CFR (b)(1), your dental practice, as a Covered Entity, in accordance with the General Rules Section of the HIPAA Security standards,[26] may permit a Business Associate to create, receive, maintain, or transmit electronic protected health information on your behalf only if you obtain satisfactory assurances, in accordance with the HIPAA Security standard for Business Associate Agreements (or other arrangements as defined in the Organizational Requirements Section of the HIPAA Security standards),[27] that the Business Associate will appropriately safeguard the information.

It is expected that the Department of Health and Human Services will issue in the near future additional guidelines for Business Associate Agreements to reflect enhanced compliance by Business Associates with the electronic protected health information safeguards required by the HIPAA Security Rule. In the meantime, your dental practice may find it prudent to inform your Business Associates that they must comply with the HIPAA Security Rule beginning on February 17, 2010, and that they are subject to the significantly higher civil penalties for non-compliance.

10. Is Certification a Substitute for Compliance?

HIPAA requires compliance by the dental practices and individuals to which it applies. It does not require that dental practices or their workforce members obtain certification of their compliance from an external source. Compliance is an ongoing effort, whereas certification generally is considered a snapshot at a moment in time. Merriam-Webster's Collegiate Dictionary (11th ed.) defines certification as the act or state of attest[ing] "as being true or as represented or as meeting a standard."

The comment in the preamble of the January 16, 2009, Final Rule pertaining to HIPAA Electronic Transaction Standards states that HHS does not recognize certification of any systems or software for purposes of HIPAA compliance.[28] Although this comment refers to administrative transactions, it may be instructive in the context of training as well. HIPAA requires your dental practice as a Covered Entity to undertake a number of tasks; for example, you must conduct and periodically review your risk assessment, implement and modify, as necessary, policies and procedures to safeguard protected health information, conduct awareness training for all workforce members based on those policies and procedures, update that training if policies and procedures change or HIPAA privacy and security regulations are initiated or modified, and document those activities. Obtaining training certification is not a requirement for HIPAA compliance.

HIPAA training is an ongoing process that your practice must undertake to safeguard protected health information from unauthorized use or disclosure as business policies and procedures evolve and regulatory standards are initiated or modified. Training requires that workforce members, including management, demonstrate awareness and understanding on an ongoing basis (not just once in order to obtain certification), and that Covered Entities and Business Associates document that their workforce members have been trained and document continuing training as it occurs. As examples, the first implementation specification of the Security Rule "Security Awareness and Training" standard is "Security reminders (addressable). Periodic security updates."[29] One part of the implementation specification for the Privacy Rule training standard states that a covered entity must provide training "[t]o each member of covered entity's workforce whose functions are affected by a material change in the policies or procedures required by [the HIPAA Privacy Rule or the Breach Notification Rule], within a reasonable period of time after the material change becomes effective."[30] Another part requires that a new workforce member receive training within a reasonable period of time after the person joins the covered entity's workforce. These examples indicate that training must be dynamic and ongoing. HIPAA training certification is not required, and the HIPAA training requirements would not be satisfied by a single training episode, whether or not it resulted in certification.

11. Build Your Dental Practice Disaster Recovery Plan

The HIPAA Administrative Safeguard Standard "Contingency Plan" requires each Covered Entity[31] to build a disaster recovery plan under the Standard's second implementation specification,[32] which is required, not addressable. The "disaster recovery plan" implementation specification requires Covered Entities (and, under the HITECH Act, their Business Associates) to "establish (and implement as needed) procedures to restore any loss of data" [e.g., electronic protected health information]. The content and procedures of your dental practice's disaster recovery plan will depend on your practice's risk analysis: specifically, your disaster recovery plan will focus on the potential threats and vulnerabilities that you determine, during your risk analysis, that your practice might experience in a disaster. Has your Security Official assigned a practice team to respond if there is a disaster, and do members of the team know what to do should a disaster trigger required action? Has your practice simulated a disaster to test readiness should a disaster occur?

[26] 45 CFR.
[27] 45 CFR.
[28] 74 Federal Register 3310. Do not confuse HIPAA training certification with the "certification" of electronic health records (EHRs) for purposes of HITECH Act reimbursement incentives for Covered Entities that adopt EHRs.
[29] 45 CFR (a)(5)(ii)(A).
Your dental practice, and in particular your Security Official, should prepare a comprehensive, usable, and effective disaster recovery plan, which will take time and which will involve the entire workforce. Your dental practice's loss of electricity for a sustained period of time should be considered a disaster, affecting both your dentistry tools and your electronic protected health information. How would your practice deal with such a disaster, and how long would it take for your practice to recover?

"The final [Security] rule calls for covered entities to consider how natural disasters could damage systems that contain electronic protected health information and develop policies and procedures for responding to such situations. We [HHS] consider this to be a reasonable precautionary step to take since in many cases the risk would be deemed to be low."[33] Even though the probability of occurrence may be low, your dental practice should consider the potential losses that could result from any vulnerability or threat in a worst-case scenario.

[30] 45 CFR (b)(2)(C).
[31] Business Associates also are required to comply with the HIPAA Security Rule standards beginning February 17, 2010, under the HITECH Act provisions of the American Recovery and Reinvestment Act of 2009 (ARRA).
[32] 45 CFR (a)(7)(ii)(B).
[33] 68 Federal Register 8351.
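A restore drill is the concrete form of the question asked above (has the practice simulated a disaster to test readiness?). The following program is an added example, not part of the practice's plan or of the original document. It backs up a handful of constructed record files together with a SHA-256 manifest, deletes the live copies to simulate the loss, restores from the backup, and then verifies every restored file against the manifest; it also corrupts one restored file on purpose to show that the check catches a bad restore. The directory layout, file names and record contents are invented for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Manifest records the SHA-256 digest of every file captured by a backup,
// keyed by slash-separated path relative to the backup root.
type Manifest map[string]string

func digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// CopyTree copies every regular file under src into dst (creating
// directories as needed) and returns a manifest of what was copied.
func CopyTree(src, dst string) (Manifest, error) {
	m := Manifest{}
	err := filepath.WalkDir(src, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if d.IsDir() {
			return nil
		}
		rel, err := filepath.Rel(src, path)
		if err != nil {
			return err
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		out := filepath.Join(dst, rel)
		if err := os.MkdirAll(filepath.Dir(out), 0o700); err != nil {
			return err
		}
		if err := os.WriteFile(out, data, 0o600); err != nil {
			return err
		}
		m[filepath.ToSlash(rel)] = digest(data)
		return nil
	})
	return m, err
}

// Verify re-hashes each manifest entry under root and returns, sorted, the
// relative paths that are missing or whose contents no longer match.
func Verify(m Manifest, root string) []string {
	var bad []string
	for rel, want := range m {
		data, err := os.ReadFile(filepath.Join(root, filepath.FromSlash(rel)))
		if err != nil || digest(data) != want {
			bad = append(bad, rel)
		}
	}
	sort.Strings(bad)
	return bad
}

// RestoreDrill rehearses the loss and recovery of a small constructed record
// store. It returns the verification failures after a clean restore (expected
// to be none) and after one restored file is deliberately damaged (expected
// to name that file).
func RestoreDrill() (afterRestore, afterCorruption []string, err error) {
	root, err := os.MkdirTemp("", "drill")
	if err != nil {
		return nil, nil, err
	}
	defer os.RemoveAll(root)
	live := filepath.Join(root, "live")
	backup := filepath.Join(root, "backup")

	// Constructed sample records; names and contents are invented.
	samples := map[string]string{
		"patients/1001.rec": "chart:1001;last-visit:2010-03-02;tx:crown #30",
		"patients/1002.rec": "chart:1002;last-visit:2010-02-18;tx:prophy",
		"schedule.db":       "2010-03-09 08:00 op1 1001",
	}
	for rel, body := range samples {
		p := filepath.Join(live, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o700); err != nil {
			return nil, nil, err
		}
		if err := os.WriteFile(p, []byte(body), 0o600); err != nil {
			return nil, nil, err
		}
	}

	manifest, err := CopyTree(live, backup) // the scheduled backup
	if err != nil {
		return nil, nil, err
	}
	if err := os.RemoveAll(live); err != nil { // the simulated disaster
		return nil, nil, err
	}
	if _, err := CopyTree(backup, live); err != nil { // the restore
		return nil, nil, err
	}
	afterRestore = Verify(manifest, live)

	// Damage one restored file (as a partial write would) and check again.
	damaged := filepath.Join(live, "patients", "1002.rec")
	if err := os.WriteFile(damaged, []byte("chart:1002"), 0o600); err != nil {
		return nil, nil, err
	}
	afterCorruption = Verify(manifest, live)
	return afterRestore, afterCorruption, nil
}

func main() {
	clean, corrupt, err := RestoreDrill()
	fmt.Println("after restore:", clean, "after corruption:", corrupt, "err:", err)
}
```

The manifest is what turns a restore into a verified restore: without it the practice only knows that files came back, not that they are the files that were backed up. In a real plan the manifest should be kept with the backup media and signed or stored where the backup job cannot rewrite it, so that a corrupted backup cannot also corrupt the evidence used to check it.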
12. Breach Notification Rule Enforcement

On February 22, 2010, the federal government began enforcing the HITECH Act Breach Notification Rule for breaches discovered on or after that date. The Breach Notification Rule requirements were published in the Federal Register on August 24, 2009,[34] and became effective September 23, 2009, although HHS will not impose sanctions for breaches discovered prior to February 22, 2010.[35] If your dental practice has implemented the Guidance, then your practice has "secured" certain protected health information. Notification is only required if "unsecured" protected health information is breached.

What is a breach in the Interim Final Rule? Generally, a breach means the acquisition, access, use, or disclosure of protected health information in a manner that is not permitted under the HIPAA Privacy Rule and that poses a significant risk of financial, reputational, or other harm to the individual.

Information that does not include any of the eighteen HIPAA identifiers[36] is not considered "protected health information" (unless the Covered Entity has actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information); unauthorized use or disclosure of information that is not protected health information does not constitute a breach. Information in a "limited data set" that excludes the HIPAA "direct identifiers,"[37] date of birth, and zip code does not constitute a breach.[38]

The definition of "breach"[39] is reproduced below. Note the three exclusions; the phrases emphasized in the original are marked here with asterisks:

"Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.
(1)(i) For purposes of this definition, compromises the security or privacy of the protected health information means poses a significant risk of financial, reputational, or other harm to the individual.
(ii) A use or disclosure of protected health information that does not include the identifiers listed at (e)(2), date of birth, and zip code does not compromise the security or privacy of the protected health information.
(2) Breach excludes:
(i) Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a Covered Entity or a Business Associate, if such acquisition, access, or use was made *in good faith and within the scope of authority* and does not result in further use or disclosure in a manner not permitted under subpart E of this part.
(ii) Any *inadvertent* disclosure by a person who is authorized to access protected health information at a Covered Entity or Business Associate to another person authorized to access protected health information at the same Covered Entity or Business Associate, or organized health care arrangement in which the Covered Entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under subpart E of this part.
(iii) A disclosure of protected health information where a Covered Entity or Business Associate has a good faith belief that an unauthorized person to whom the disclosure was made *would not reasonably have been able to retain* such information."

What do these three exclusions in the definition of Breach mean? Here are examples:
- Exclusion i (Acting in Good Faith). Someone that your dental practice employs or contracts with was acting in good faith and accidentally accessed protected health information. This person does not further use or disclose such information in a way that would violate the HIPAA Privacy Rule.
- Exclusion ii (Inadvertent Disclosure). A workforce member in your dental practice who is authorized to access certain protected health information inadvertently leaves an open dental patient file on a desk in a limited access area of the practice, where it is seen by another workforce member who is authorized to access certain other protected health information. The patient file and the protected health information in the file are not used or further disclosed in a way that would violate the HIPAA Privacy Rule.
- Exclusion iii (No Retention). One of your dental practice workforce members brings his or her 6-year-old child into the office on a Saturday to catch up on some work. The child sees an open file with protected health information on the desk. The child, who reads at a first-grade level, likely would not retain knowledge of the protected health information.

The Breach Notification Rule is triggered when someone without permission (an unauthorized person) accesses, uses, or discloses protected health information. You have to:
- Determine if the protected health information was "secured" or "unsecured."
- Assess the extent of harm through a risk analysis.
- Determine if the disclosed data were de-identified.
- Determine if the data were part of a limited data set.

The critical point here is in the second bullet: assess the extent of harm through a risk analysis. You must assess the risk of financial, reputational, or other harm to the individual whenever you discover an unauthorized use or disclosure of unsecured protected health information. If you conclude, after conducting your risk analysis, that the breach poses a significant risk of financial, reputational, or other harm, you must send the appropriate notifications to the affected individual(s), to HHS, and, in some cases, to the media.

Balance the cost of conducting those risk analyses, along with the potential adverse reputational impact a breach of patient information could cause to your dental practice and the costs in money and time involved in sending the required notifications, against the cost of securing your electronic protected health information by encrypting it using the technologies and methodologies specified in the Guidance. Securing your protected health information enhances its privacy and security and decreases the likelihood that your dental practice will be required to conduct risk analyses and send notifications under the Breach Notification Rule.

In summary, if your dental practice appropriately encrypts its electronic protected health information at rest (database) and in motion (transmission), then that information is secure (rendered "unusable, unreadable, or indecipherable"). The Breach Notification Rule does not require notification in the event of a breach of secure protected health information. If your dental practice does not encrypt its electronic protected health information, then that information is unsecured (it has not been rendered "unusable, unreadable, or indecipherable"), and, if there is a breach, your practice is required to make that breach known to affected individuals, HHS, and, in some cases, the media. Keep in mind that the Guidance treats encrypted information as secured only while the confidential process or key has not itself been breached: a device that is lost while powered on and unlocked, or whose passphrase was stored with it, does not qualify. We highly recommend that your dental practice consider encrypting your electronic protected health information according to the Guidance, and make sure that all portable or mobile devices have encryption installed, so that your practice will not be required to provide breach notification if such devices are missing, lost, or stolen. While the Breach Notification Rule applies to unsecured protected health information in any form (oral, hard copy, and electronic), securing your electronic protected health information according to the Guidance may significantly decrease the likelihood that you will be required to send breach notifications.

[34] 74 Federal Register 42739-42770.
[35] 74 Federal Register 42756-42757.
[36] 45 CFR (b)(2)(i). For more information about protected health information and the HIPAA identifiers, see items 2 and 3 above.
[37] 45 CFR (e)(2).
[38] 45 CFR.
[39] 45 CFR. The definition of Breach also appears in the Definitions of Key Terms in Appendix 1-1.
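The Guidance quoted in item 8, and the recommendation just above, rest on two conditions: the record is encrypted with a sound algorithm, and the key is kept somewhere other than the device holding the data. The following program is an added example written for this page; it is not the practice's software and not code from the original document. It encrypts a constructed (invented) chart entry with AES-256-GCM, binds the record identifier to the ciphertext, and then shows what the Guidance counts on: without the key the ciphertext is unusable, a modified ciphertext is rejected rather than silently decrypted, and a record cannot be re-labelled as another patient's. The KeyStore type is a stand-in for the separate key location and is an assumption of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyStore stands in for the separate location the Guidance calls for: the
// key lives on a different device (hardware token, key server, or at least a
// separate machine) from the records it protects. That separation is the
// assumption this example is built on; the struct itself is only a stand-in.
type KeyStore struct{ key []byte }

// NewKeyStore generates a fresh 256-bit AES key from the OS random source.
func NewKeyStore() (*KeyStore, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return &KeyStore{key: k}, nil
}

func (ks *KeyStore) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(ks.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record with AES-256-GCM. The record identifier is bound
// as associated data, so a ciphertext cannot be moved under another patient's
// record without detection. The nonce is random and prefixed to the output;
// it is not secret, it only has to be unique per key.
func (ks *KeyStore) Seal(recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := ks.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open decrypts and authenticates; any change to the ciphertext, tag, nonce
// or record identifier makes it fail rather than return altered data.
func (ks *KeyStore) Open(recordID string, sealed []byte) ([]byte, error) {
	gcm, err := ks.aead()
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], []byte(recordID))
}

// DemoResult reports which of the properties relevant to the Guidance held.
type DemoResult struct {
	RoundTrip     bool // the practice, holding the key, reads the record back
	WrongKeyFails bool // a stolen device without the key yields nothing
	TamperFails   bool // modified ciphertext is rejected, not silently decrypted
	WrongIDFails  bool // a record cannot be re-labelled as another patient's
}

// Demo runs the scenario on a constructed (invented) chart entry.
func Demo() (DemoResult, error) {
	var r DemoResult
	ks, err := NewKeyStore()
	if err != nil {
		return r, err
	}
	record := []byte("chart 1001: crown prep #30, next visit 2010-03-09")
	sealed, err := ks.Seal("rec-1001", record)
	if err != nil {
		return r, err
	}
	got, err := ks.Open("rec-1001", sealed)
	r.RoundTrip = err == nil && bytes.Equal(got, record)

	thief, err := NewKeyStore() // any key other than the real one
	if err != nil {
		return r, err
	}
	_, err = thief.Open("rec-1001", sealed)
	r.WrongKeyFails = err != nil

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = ks.Open("rec-1001", tampered)
	r.TamperFails = err != nil

	_, err = ks.Open("rec-1002", sealed)
	r.WrongIDFails = err != nil
	return r, nil
}

func main() {
	r, err := Demo()
	fmt.Printf("%+v err=%v\n", r, err)
}
```

Two caveats for anyone adapting this. First, the Guidance's at-rest reference is NIST SP 800-111 and its in-motion references are FIPS 140-2 validated implementations; Go's standard library, as used here, is not itself a validated module, so a production deployment would use a validated library or disk-encryption product and keep this example only as the model for key separation and integrity checking. Second, the protection evaporates if the key is stored with the data, which is exactly the failure the Guidance's "separate device or location" sentence warns about.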
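Items 3 and 12 above turn on the same test: information from which the eighteen identifiers have been removed is not protected health information, so its disclosure is not a breach. The following program is an added example for this page, not the practice's software and not code from the original document. It applies the identifier rules that can be mechanised to one constructed patient record: the name is dropped, the zip code is cut to its first three digits (or to 000 for the population-restricted prefixes), dates keep only the year, ages over 89 are collapsed to a single "90+" category with the birth year suppressed, and patterned identifiers (SSN, telephone, e-mail, URL, IP address) are scrubbed from free text. The record layout and the sample values are invented; the restricted-prefix table is illustrative and must be checked against current Census data before use.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Record is a constructed example of a clinical record before de-identification.
// The field set is an assumption for this example, not the practice's schema.
type Record struct {
	Name      string
	Zip       string // five-digit or ZIP+4
	BirthDate string // YYYY-MM-DD
	VisitDate string // YYYY-MM-DD
	Age       int
	Notes     string // free text that may contain identifiers
}

// Deidentified is what remains after the Safe Harbor rules are applied.
type Deidentified struct {
	Zip3      string // first three digits, or "000"
	BirthYear string // empty when the age is over 89
	VisitYear string
	AgeBand   string // exact age, or "90+"
	Notes     string
}

// restrictedZip3 holds three-digit ZIP prefixes whose combined population is
// 20,000 or fewer; such prefixes must be reported as "000". Assumption:
// illustrative entries only; the authoritative list comes from Census data.
var restrictedZip3 = map[string]bool{
	"036": true, "059": true, "063": true, "102": true, "203": true,
	"556": true, "692": true, "790": true, "821": true, "823": true,
	"830": true, "831": true, "878": true, "879": true, "884": true,
	"890": true, "893": true,
}

// ZipToSafeHarbor keeps the initial three digits of a ZIP code unless that
// prefix is population-restricted or malformed, in which case it returns "000".
func ZipToSafeHarbor(zip string) string {
	digits := strings.TrimSpace(zip)
	if len(digits) < 3 {
		return "000"
	}
	p := digits[:3]
	for _, c := range p {
		if c < '0' || c > '9' {
			return "000"
		}
	}
	if restrictedZip3[p] {
		return "000"
	}
	return p
}

// YearOnly strips month and day from a YYYY-MM-DD date; the year may remain.
func YearOnly(date string) string {
	if len(date) < 4 {
		return ""
	}
	if _, err := strconv.Atoi(date[:4]); err != nil {
		return ""
	}
	return date[:4]
}

// AgeBand collapses ages over 89 into the single "90+" category.
func AgeBand(age int) string {
	if age > 89 {
		return "90+"
	}
	return strconv.Itoa(age)
}

// freeTextPatterns catch identifiers that commonly leak into clinical notes.
// Names and other free-form identifiers are not caught by these patterns and
// need review by a person (or a dedicated tool) before the notes are released.
var freeTextPatterns = []struct {
	re    *regexp.Regexp
	label string
}{
	{regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`), "[SSN]"},
	{regexp.MustCompile(`\b\d{3}[-. ]\d{3}[-. ]\d{4}\b`), "[PHONE]"},
	{regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`), "[EMAIL]"},
	{regexp.MustCompile(`https?://\S+`), "[URL]"},
	{regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`), "[IP]"},
}

// ScrubFreeText replaces the patterned identifiers above with placeholders.
func ScrubFreeText(s string) string {
	for _, p := range freeTextPatterns {
		s = p.re.ReplaceAllString(s, p.label)
	}
	return s
}

// Deidentify applies the Safe Harbor rules to one record. The name is dropped
// outright; dates keep only the year; ages over 89 also lose their birth year,
// since a birth year alone would reveal an age over 89.
func Deidentify(r Record) Deidentified {
	d := Deidentified{
		Zip3:      ZipToSafeHarbor(r.Zip),
		BirthYear: YearOnly(r.BirthDate),
		VisitYear: YearOnly(r.VisitDate),
		AgeBand:   AgeBand(r.Age),
		Notes:     ScrubFreeText(r.Notes),
	}
	if r.Age > 89 {
		d.BirthYear = ""
	}
	return d
}

// SampleRecord is a constructed input; every value is invented.
func SampleRecord() Record {
	return Record{
		Name:      "Jane Q. Patient",
		Zip:       "30004-1234",
		BirthDate: "1917-05-14",
		VisitDate: "2010-03-02",
		Age:       92,
		Notes:     "Call 404-555-0199 or jane@example.com before the crown visit; SSN 123-45-6789 on file.",
	}
}

func main() {
	fmt.Printf("%+v\n", Deidentify(SampleRecord()))
}
```

The output for the sample keeps only "300", the visit year 2010, the band "90+" and the scrubbed note; the birth year is suppressed because the age is over 89. The eighteenth identifier ("any other unique identifying number, characteristic, or code") and the "actual knowledge" clause in item 3 cannot be mechanised, which is why the scrubbed notes still need a human review before they leave the practice.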
IV HIPAA SECURITY POLICIES & PROCEDURES
MCDONOUGH CENTER FOR FAMILY DENTISTRY LLC'S HIPAA SECURITY POLICIES & PROCEDURES

1.0 Administrative Safeguards

Security Management Process

Implementation Specification: Risk Analysis

Our dental practice Security Official, Frank F. Nia, DMD, MSEd, will conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the practice's electronic protected health information and will update the risk analysis whenever our practice determines that risks or changes in our practice operating environment or in the regulatory environment warrant review.

Our dental practice workforce members are responsible for complying with the practice's risk analysis policies and procedures.

Our Security Official shall conduct and periodically update, as necessary, our practice's risk analysis whenever our practice determines that risks or changes in our practice operating environment or in the regulatory environment warrant review.

Our practice shall use the nine risk analysis guidelines outlined in the National Institute of Standards and Technology (NIST) Special Publications, and (Revision 1):
- Define the scope of your risk analysis based on how your dental practice uses electronic media that contain electronic protected health information.
- Gather information.
- Identify realistic threats.
- Identify potential vulnerabilities.
- Assess current security controls.
- Determine the likelihood and the impact of a threat exercising a vulnerability.
- Determine the level of risk.
- Recommend security controls.
- Document the risk assessment results.

Our Security Official shall form a risk analysis working group comprised of appropriate workforce members and representatives of Business Associate hardware and software vendors, as needed.

Our Security Official shall establish the agenda for the risk analysis working group, delegate duties and functions, manage workflow, prepare written reports of findings, and retain documentation for six years from the most recent risk analysis report in accordance with the HIPAA Documentation Standard.
1.1.2 Implementation Specification: Risk Management

Our dental practice Security Official will develop and implement a plan to manage the risks that our practice has identified in its risk assessment.

Our dental practice workforce members are responsible for complying with the practice's risk management policies and procedures.

Our Security Official will prepare policies and procedures for managing the practice's risks identified in our risk analysis.

Our Security Official will use flexibility of approach in managing our practice's risks, namely:
- We will use any security measures that allow our dental practice to reasonably and appropriately implement the Standards and Implementation Specifications of the Security Rule, and
- We will take into consideration the following factors in choosing security measures to use:
  o The size, complexity, and capabilities of our dental practice.
  o Our dental practice's technical infrastructure, hardware, and software security capabilities.
  o The costs of security measures.
  o The probability and criticality of potential risks to our electronic protected health information.

Our Security Official will establish ongoing efforts to ensure that our practice maintains at acceptable levels the risks that we have identified in our risk analysis, and will implement policies and procedures to attain those acceptable levels of risk.

Implementation Specification: Sanction Policy

Our dental practice Security Official will develop, implement, and enforce a sanction policy for workforce members who do not comply with safeguards designed to secure the practice's electronic systems and electronic protected health information.

Our dental practice workforce members are responsible for complying with the practice's sanction policies and procedures.

Our Security Official will be responsible for ensuring that each workforce member receives awareness and understanding training on our practice's policies and procedures for safeguarding electronic protected health information and on the consequences of failure to comply with those policies and procedures. Such training will be conducted for each new workforce member as part of employee orientation and for each workforce member prior to implementation of any change in policies or procedures.

Our practice has adopted the following sanctions for repeated security violations of the same type (e.g., posting a password where it is visible to passersby). Our practice reserves the right to skip steps, repeat steps, accelerate steps, or impose other sanctions depending upon the nature and severity of the security violation.

- First violation: The Security Official and the workforce member's supervisor will have a private conversation with the workforce member to review the appropriate safeguards related to the security violation and make sure that the workforce member understands the policy.
- Second violation: The Security Official, supervisor, and the dentist will have a private conversation with the workforce member to review the appropriate safeguards related to the security violation, make sure that the workforce member understands the policy, and tell the workforce member that any further violation will involve suspension; a letter warning of suspension will be placed in the workforce member's personnel file.
- Third violation: Suspension without pay for three days for the repeat violation, and a letter warning of termination will be placed in the workforce member's personnel file.
- Fourth violation: Termination of employee.

Implementation Specification: Information System Activity Review

Our dental practice Security Official will be responsible for implementing procedures for reviewing system activity functions, such as audit logs, access reports, and security incident tracking reports, to validate performance of safeguard measures designed to protect the confidentiality, integrity, and availability of the practice's electronic protected health information and to detect evidence of any unauthorized access to or inappropriate use of data in our practice's information system.

Our dental practice workforce members are responsible for complying with the practice's risk management policies and procedures.
The Security Official, in collaboration with our practice's hardware and software vendors, will implement the information system functionality that generates audit logs and access reports on all practice information systems that contain electronic protected health information.

Our Security Official will be responsible for implementing a weekly review of information system audit logs, access reports, and security incident tracking reports in our dental practice to identify any suspect data activities or unauthorized access to the system.

Our Security Official will review any suspect data activities or unauthorized access to the information system, respond to potential system vulnerabilities, implement improved safeguards, and invoke disciplinary action according to the practice's sanction policies and procedures, as necessary.

Our Security Official will document audit logs, access reports, and security incident tracking reports in electronic or paper format, and retain those reports for six years from the date of creation or from the date when such document last was in effect, whichever is later.

Assigned Security Responsibility

Our dental practice has designated a Security Official who has overall responsibility in the practice for compliance with the Security Rule and for implementing policies and procedures that ensure the confidentiality, integrity, and availability of the practice's electronic protected health information.
Our dental practice shall designate a workforce member to serve as Security Official, who may delegate tasks and responsibilities to other workforce members or Business Associates, as appropriate, but shall retain ultimate responsibility and accountability for our practice's compliance with the HIPAA Security Rule.

Our dental practice shall ensure that all workforce members are aware of and understand the Security Official's responsibilities and authority with regard to security safeguards.

Our Security Official shall work closely with our practice's Privacy Official, or serve in that role also if circumstances warrant.

Our Security Official shall be responsible for conducting and updating our practice's risk analysis.

Our practice shall designate a backup to our Security Official to take responsibility for that role in the event the Security Official is ill, on vacation, or otherwise unable to respond to a security situation.

Our Security Official shall prepare and manage the budget allocated to the practice's security program, and be responsible for maintaining an up-to-date inventory of the practice's electronic systems that contain electronic protected health information.

Our Security Official shall develop, implement, and monitor administrative, technical, and physical security safeguard policies and procedures, and document all actions taken for compliance with security safeguard Implementation Specifications.

Our Security Official shall be responsible for monitoring, testing, evaluating, and enhancing the practice's security program for effectiveness.

Our Security Official shall supervise representatives of Business Associates who perform technical system maintenance activities in the practice, including ensuring that such representatives are aware of and understand our practice's security policies and procedures, as appropriate.

Our Security Official shall investigate, respond to, remediate, and document security incidents.

Workforce Security

Implementation Specification: Authorization and/or Supervision

Our dental practice Security Official will ensure that our practice has procedures in place to authorize workforce members who work with electronic protected health information to access only the information that they require and to supervise them in locations where such information might be accessed.

Our dental practice workforce members are responsible for complying with the practice's workforce security authorization and supervision policies and procedures.

As part of the risk analysis process, our Security Official shall analyze workforce member responsibilities with respect to need for access to electronic protected health information and shall incorporate those responsibilities in workforce member job descriptions as appropriate.
Our Security Official shall ensure that each workforce member is aware of and understands chains of command and lines of authority in our dental practice, responsibilities with respect to authorization to access electronic protected health information, and how such access is supervised in locations where such information is accessed.

Our Security Official shall discuss with each workforce member how his or her job description links work responsibilities with appropriate levels of access to electronic protected health information.

Implementation Specification: Workforce Clearance Procedure

Our dental practice Security Official will evaluate and describe work functions in the practice, determine the level of access to electronic protected health information necessary for each work function, and incorporate appropriate access clearances in connection with each workforce member's job function.

Our dental practice workforce members are responsible for complying with the practice's workforce clearance policies and procedures.

Our Security Official shall analyze job responsibilities of workforce members as part of the practice's risk analysis process, and incorporate those responsibilities into workforce member job descriptions as a prerequisite for issuing clearances for appropriate access to electronic protected health information.

Our Security Official shall ensure that an appropriate clearance procedure, including as appropriate a background check, is initiated for each workforce candidate. The clearance procedure may include some or all of the following:
- Require a written application for employment.
- Confirm prior employment history.
- Confirm educational history.
- Verify licenses, if applicable.
- Verify compliance with any regulatory or professional requirements pertinent to employment in a dental practice.
- Verify citizenship or resident alien status.
- Criminal record check.
- Financial record check, if applicable.
- Request and evaluate professional and personal references.

Our Security Official shall ensure that workforce member hires have complied with and provided to the practice all federal and state required tax withholding documentation, and any professional credentials, as applicable.

Our Security Official shall ensure that access to electronic protected health information clearance procedures are described in the employee handbook, that new and existing workforce members are aware of and understand those procedures, and that all workforce members acknowledge that awareness and understanding in writing.
Our Security Official shall document all credentials for access (e.g., username/password) issued to workforce members. Upon issuance, each workforce member shall sign a receipt acknowledging an understanding of responsibilities associated with such clearance.

Upon any change in job responsibility that eliminates access to electronic protected health information or termination of employment, each affected workforce member shall acknowledge in writing consequences of unauthorized access to the practice's electronic protected health information, as outlined in the practice's sanction policy.

Implementation Specification: Termination Procedures

Our dental practice Security Official will implement procedures in the practice to terminate access to electronic protected health information when a workforce member's job responsibilities change such that he or she no longer requires such access, or when a workforce member's employment terminates.

Our dental practice workforce members are responsible for complying with the practice's policies and procedures for termination of access.

Our Security Official shall conduct an interview with each workforce member whose job responsibilities have changed such that he or she no longer requires access to electronic protected health information. During the interview, the Security Official shall:
- Explain that authorization for access to electronic protected health information is terminated and all authentication and authorization credentials for access (e.g., password) are invalidated.
- Reiterate the dental practice's Security Sanction Policy for handling a security incident by a workforce member who attempts unauthorized access to electronic protected health information.
- Require the workforce member to sign a form indicating awareness and understanding of the change in access authorization.

Our Security Official shall conduct an exit interview with each workforce member whose employment is terminated. During the interview, the Security Official shall:
- Explain that authorization for access to electronic protected health information is terminated and all authentication and authorization credentials for access are invalidated and, as appropriate, are removed.
- Explain that the practice will refer any unauthorized attempts at access to the practice's electronic protected health information to appropriate authorities.
- Ensure that all exit interview topics are covered by going through and ticking off each item on an exit interview checklist.
- Require the departing workforce member to sign a form indicating awareness and understanding of the foregoing exit interview information.

Information Access Management

Implementation Specification: Isolating Health Care Clearinghouse Functions
Our dental practice Security Official shall determine whether our dental practice uses a clearinghouse that is part of a larger organization. If so, our Security Official shall confirm and document that the clearinghouse (a Covered Entity serving in a Business Associate role with our practice) has policies and procedures in place to protect against unauthorized access to electronic protected health information by the larger organization.

Our Security Official shall make the determination as outlined in our dental practice's policy regarding our clearinghouse's safeguarding of electronic protected health information in its role as our Business Associate.

Our Security Official shall determine if our dental practice uses a clearinghouse that is part of a larger organization, and, if so, shall require written confirmation from the clearinghouse (a Covered Entity serving in a Business Associate role with our practice) that it has policies and procedures in place to protect against unauthorized access to electronic protected health information by the larger organization. Our Security Official shall document that finding in the Business Associate Agreement between our practice and the clearinghouse.

If our Security Official determines that our dental practice does not use a clearinghouse that is part of a larger organization, our Security Official shall document the fact that this Implementation Specification is not germane to our practice.

Implementation Specification: Access Authorizations

Our dental practice Security Official will implement procedures for granting workforce members appropriate access authorization to electronic media, transactions, processes, and other mechanisms that contain electronic protected health information.
Our dental practice workforce members and representatives of Business Associates who may come in contact with electronic protected health information are responsible for complying with the practice's access authorization policies and procedures.

Our Security Official and our Privacy Official will coordinate procedures for granting access authorization to our practice's workforce members and representatives of our Business Associates.

Our Security Official, with the concurrence of our dental practice's office manager, if different persons, is the only person in the practice with authority to grant access privileges, in accordance with job function as described in writing in a job description.

The Security Official shall ensure that workforce members are aware of and understand that access granted is only for the minimum amount of information needed to complete assigned tasks.

Implementation Specification: Access Establishment and Modification

Our dental practice Security Official will implement policies and procedures based on our practice's access authorization policies for establishing, documenting, reviewing, and modifying a user's right of access to electronic media, transactions, processes, and other mechanisms that contain electronic protected health information.

Our dental practice workforce members and representatives of Business Associates who may come in contact with electronic protected health information are responsible for complying with the practice's access establishment and modification policies and procedures.
Our Security Official shall establish policies and procedures for granting workforce members appropriate access to electronic media, transactions, processes, and other mechanisms that contain electronic protected health information, and provide access authorization in writing to each person who is granted access.

Our Security Official shall document and maintain access authorization records, including any modifications in authorization due to changes in job functions, relating to grants of access, levels of access, and times of access, if applicable.

Our Security Official shall evaluate on a periodic basis, and at least quarterly, existing access controls and their effectiveness, and any access controls planned for implementation as replacements or enhancements.

Our Security Official shall ensure that only the minimum necessary electronic protected health information is available to workforce members based on their job functions described in their job descriptions.

Our Security Official shall review on a periodic basis, and at least quarterly, the list of access authorizations to verify its accuracy and to detect if any authorizations have been inappropriately altered or manipulated.

Our Security Official shall ensure that any representative of an entity outside of our practice, such as a hardware or software vendor or consultant, who has been granted access to the practice's electronic systems that contain electronic protected health information, does so under a Business Associate Agreement and has been counseled on the practice's security policies and practices.

Security Awareness and Training

Implementation Specification: Security Reminders

Our dental practice Security Official will implement policies and procedures for security awareness training of workforce members and security awareness counseling of representatives of our practice's Business Associates.
In addition, the Security Official will be responsible for providing periodic security updates and security reminders to our workforce members and representatives of our Business Associates.

Our dental practice workforce members and representatives of Business Associates who may come in contact with electronic protected health information are responsible for complying, respectively, with the practice's security awareness training and counseling policies and procedures.

Our Security Official, in coordination with our Privacy Official, shall develop, implement, and document a security awareness training program for workforce members and a security awareness counseling program for representatives of our practice's Business Associates.

The Security Official shall ensure that any representative of a Business Associate (for example, a technician who is an employee of a hardware or software vendor) who has access to the practice's electronic protected health information is made aware of and understands the practice's security policies and procedures.

Our Security Official, in coordination with our Privacy Official, shall develop and implement a periodic security reminder program. Reminders shall:
- Be posted monthly in electronic format on electronic media that contain electronic protected health information.
- Be posted monthly on bulletin boards in proximity to any electronic media that contain electronic protected health information to which representatives of Business Associates have access.
- Be posted whenever the practice requires that passwords for electronic system access be changed.

Our Security Official, in coordination with our Privacy Official and from suggestions provided by workforce members, shall develop content for security reminders, which may include, but is not limited to, the following examples:
- Do not write your password on paper.
- Do not post your password on your workstation, on your desktop, under a desk mat calendar, or in any place where an unauthorized electronic system user could readily detect it.
- Report to the Security Official immediately any security threat or vulnerability that you observe.
- Review the practice's sanctions for violating its HIPAA Security policies and procedures.

Our Security Official shall promptly inform workforce members and Business Associates, as appropriate, of changes to the practice's electronic systems that contain electronic protected health information, changes in security procedures, changes in outcomes of a risk analysis that affect security procedures, and how to handle any newly identified security threats or vulnerabilities.

Implementation Specification: Protection from Malicious Software

Our dental practice Security Official will implement policies and procedures for guarding against, detecting, and reporting malicious software, including software that has not yet compromised the practice's electronic systems but that is suspect.

Our dental practice workforce members are responsible for complying with the practice's protection from malicious software policies and procedures.
Our Security Official, in consultation with the practice's hardware and software vendor(s), will analyze our practice's electronic system and software capabilities to mitigate the likelihood of experiencing effects of malicious software.

Our Security Official, in consultation with the practice's hardware and software vendor(s), as appropriate, will authorize installation of any new software or data on the practice's electronic media.

Our Security Official, in consultation with the practice's hardware and software vendor(s), shall select virus protection software and system patches, as appropriate, which workforce members are required to install and keep current, as applicable.

Our Security Official shall implement a policy, with sanctions for violations, that workforce members are not allowed to bring from home into the practice any electronic media (e.g., diskettes or flash drives), software, or data for download, for use in the practice or on its electronic systems.
Our Security Official shall implement a policy, with sanctions for violations, that prohibits access to open networks via the Internet from any electronic media that contain electronic protected health information that is not encrypted according to the August 24, 2009, Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Users.

Our Security Official shall monitor system performance and access on a periodic basis, at least weekly, in order to guard against, detect, and report malicious software.

Implementation Specification: Log-In Monitoring

Our dental practice Security Official will implement policies and procedures for monitoring computer log-in attempts and reporting discrepancies.

Our dental practice workforce members are responsible for complying with the practice's log-in monitoring and reporting policies and procedures.

Our Security Official, in consultation with the practice's hardware and software vendor(s), as appropriate, shall establish a triggering mechanism that immediately alerts the Security Official or a workforce member designee after three failed log-in attempts from the same user within a 24-hour time span.

Our Security Official, in consultation with the practice's hardware and software vendor(s), shall activate username account lockout capabilities on any electronic device after a certain number of consecutive failed log-in attempts (say, three in a row), a pattern of failed log-in attempts over time (say, one each day for a consecutive number of days), or when the workforce is out of the practice, such as on weekends or overnight.
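As an added example (not part of the practice's policy document or of any product the practice uses), the following Python checks constructed log-in records against the rules just stated: three failures from the same user within 24 hours, three consecutive failures, a failure on each of several consecutive days, and attempts while the practice is closed. The log line format and the opening hours (Monday to Friday, 07:00 to 19:00) are assumptions made for the example.

```python
"""Weekly log-in review: flag the patterns the policy says should alert
the Security Official or trigger account lockout.

Assumed (constructed) log line format:
    2024-03-04T08:12:01 user=jdoe result=FAIL
A real practice-management system logs differently; adapt parse_line().
"""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    """Turn one constructed log line into an event dict."""
    ts_text, user_field, result_field = line.split()
    return {
        "ts": datetime.fromisoformat(ts_text),
        "user": user_field.split("=", 1)[1],
        "ok": result_field.split("=", 1)[1] == "OK",
    }


def parse_log(lines):
    """Parse all non-empty lines and sort them chronologically."""
    events = [parse_line(ln) for ln in lines if ln.strip()]
    return sorted(events, key=lambda e: e["ts"])


def events_by_user(events):
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    return by_user


# Rule 1 (alert): three failed attempts from the same user within 24 hours.
def failures_within_window(user_events, threshold=3, window=timedelta(hours=24)):
    fails = [e["ts"] for e in user_events if not e["ok"]]
    for i in range(len(fails) - threshold + 1):
        if fails[i + threshold - 1] - fails[i] <= window:
            return True
    return False


# Rule 2 (lockout): N failures in a row with no successful log-in between.
def consecutive_failures(user_events, threshold=3):
    run = 0
    for e in user_events:
        run = 0 if e["ok"] else run + 1
        if run >= threshold:
            return True
    return False


# Rule 3 (lockout): at least one failure on each of N consecutive calendar days,
# the slow "one each day" pattern that a per-session lockout counter misses.
def daily_failure_pattern(user_events, days=3):
    fail_days = sorted({e["ts"].date() for e in user_events if not e["ok"]})
    streak = 1
    for prev, cur in zip(fail_days, fail_days[1:]):
        streak = streak + 1 if (cur - prev).days == 1 else 1
        if streak >= days:
            return True
    return False


# Rule 4 (lockout): any attempt while the practice is closed. Opening hours are
# an assumption for this example: Monday to Friday, 07:00 to 19:00.
def outside_business_hours(ts, open_hour=7, close_hour=19):
    return ts.weekday() >= 5 or not (open_hour <= ts.hour < close_hour)


def off_hours_attempts(user_events):
    return [e["ts"].isoformat() for e in user_events if outside_business_hours(e["ts"])]


def review_log(lines):
    """Return, per user, which rules fired; an empty dict means nothing to act on."""
    findings = {}
    for user, ev in events_by_user(parse_log(lines)).items():
        fired = {}
        if failures_within_window(ev):
            fired["failures_within_24h"] = True
        if consecutive_failures(ev):
            fired["consecutive_failures"] = True
        if daily_failure_pattern(ev):
            fired["daily_failure_pattern"] = True
        off = off_hours_attempts(ev)
        if off:
            fired["off_hours_attempts"] = off
        if fired:
            findings[user] = fired
    return findings


# Constructed sample log; 2024-03-04 is a Monday, 2024-03-09 a Saturday.
SAMPLE_LOG = [
    "2024-03-04T08:12:01 user=jdoe result=OK",
    "2024-03-04T08:30:00 user=asmith result=FAIL",
    "2024-03-04T08:30:20 user=asmith result=FAIL",
    "2024-03-04T08:31:05 user=asmith result=FAIL",
    "2024-03-04T09:00:00 user=bwong result=FAIL",
    "2024-03-05T09:10:00 user=bwong result=OK",
    "2024-03-05T09:15:00 user=bwong result=FAIL",
    "2024-03-06T09:05:00 user=bwong result=FAIL",
    "2024-03-09T23:40:00 user=jdoe result=OK",
]

if __name__ == "__main__":
    for user, fired in review_log(SAMPLE_LOG).items():
        print(user, fired)
```

Note that bwong's one-failure-per-day pattern would not trip a simple consecutive-failure lockout, which is why the policy names it separately.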
Our Security Official shall review log-in activity on at least a weekly basis, and act upon any discrepancies in log-in activity on the practice's electronic systems or access to Web sites in contravention of the practice's policies pertaining to Internet access.

Implementation Specification: Password Management

Our dental practice Security Official will implement policies and procedures for creating, changing, and safeguarding passwords.

Our dental practice workforce members are responsible for complying with the practice's password management policies and procedures.

Our Security Official, in consultation with the practice's hardware and software vendor(s), as appropriate, and the practice's office manager, shall implement policies and procedures regarding password management, including, but not limited to, the following:
- Passwords should be at least eight characters in length, and alphanumeric (a combination of letters and numbers).
- Passwords should be selected that do not relate to the user's personal identity, history, or environment.
- Passwords should not be shared or publicly posted, with sanctions for doing so.
- Only an authorized user should know his or her password. Each authorized user is responsible for protecting against the loss of his or her password and its disclosure to unauthorized persons.
- Passwords should be changed periodically, in accordance with the practice's risk analysis, which should include consideration of replacement cost, facility operations, and workforce skill level.
- Passwords should be changed as quickly as possible whenever a compromise to security is suspected or known, and no later than one business day.
- Passwords should be deleted from the practice's electronic system as soon as possible when they are no longer used or needed.
- Passwords that are forgotten should be replaced, not reissued.

Our Security Official, or the Security Official's designee, is required to reset a user's password following three failed log-in attempts.

Our Security Official shall revoke a workforce member's password when the workforce member leaves employment with the practice.

Our Security Official shall prepare a one-page password reference guide that will be included in the practice's employee handbook, posted near electronic devices in the practice, and sent to all workforce members electronically at least quarterly, and that will include the practice's policies and procedures related to the following:
- Password sharing.
- Log-in requirements.
- Allowable log-in attempts before lockout.
- Electronic device time-outs.
- Monitoring event logs.
- Sanctions for violators of password policies and procedures.
- Training awareness and understanding requirements vis-à-vis password management.

1.6.0 Security Incident Procedures

Implementation Specification: Response and Reporting

Our dental practice Security Official will implement policies and procedures for identifying and responding to suspected or known security incidents; mitigating, to the extent practicable, harmful effects of security incidents that are known to our practice; and documenting security incidents and their outcomes.
Our dental practice workforce members are responsible for complying with the practice's security incident response and reporting policies and procedures.

Our Security Official shall implement response and reporting procedures in the practice regarding suspected or known security incidents.
67 1.7.0 Contingency Plan Workforce members shall be responsible for reporting suspected or known security incidents to the Security Official as soon as discovered, with failure to do so resulting in appropriate sanctions. Our Security Official, upon notification of a suspected or known security incident, shall take immediate action to contain the incident and minimize damage to our practice s electronic protected health information and to our practice s electronic systems that contain electronic protected health information. Our Security Official shall document any security incident and actions taken to minimize harmful effects that are known to our practice in a written or electronic format Security Incident Report that is appropriately backed up. The Security Incident Report shall be maintained by the practice for at least six years. Our Security Official, in consultation with the practice s attorney and other advisors, as appropriate, shall determine, for any security incident, reporting and notification requirements to affected parties, regulatory authorities, and others. Our Security Official shall document each security incident in a written or electronic format Security Incident Log that is appropriately backed up. The Security Incident Log shall be maintained by the practice for at least six years from the date of its creation or the date when the last entry was made, whichever is later.. Our Security Official shall be responsible for receiving and acting upon any security incident reported to the dental practice involving a breach of electronic protected health information by a Business Associate, as required by Section 13402(b) of the HITECH Act and the August 24, 2009, Breach Notification for Unsecured Protected Health Information; Interim Final Rule. 
Our Security Official shall review our practice s security safeguard procedures following any security incident, make appropriate changes to minimize recurrence of such incidents, ensure that workforce members are aware of and understand the changes, and include a report of review and action as a follow-up in the relevant Security Incident Report and Security Incident Log. Our Security Official will develop and implement policies and procedures for responding to emergencies that may impair the practice s electronic systems containing electronic protected health information. Our dental practice workforce members are responsible for complying with the practice s contingency plan policies and procedures. Our Security Official shall establish a Contingency Planning Workgroup comprised of designated workforce members and representatives of our practice s hardware and software vendor(s), and shall serve as its head. The Contingency Planning Workgroup shall undertake the following tasks: Assess vulnerabilities and threats as part of risk analysis. Assign priorities to vulnerabilities and threats to electronic systems that contain electronic protected health information.
- Assess recovery strategies to impairments of the practice's electronic systems and core applications.
- Prepare policies, procedures, and a sequential list of tasks to achieve recovery.
- Discuss these strategies, policies, and procedures with workforce members for feedback, revise if necessary, test if practicable, and train workforce members to carry out recovery procedures in the event of a contingency.
- Review and update the contingency plan periodically, at least annually, and if there is a material change in business operations pertaining to use of electronic systems.
- Identify key workforce members who can declare an emergency and those who can fashion a timely recovery, and how to reach each identified person 24/7.

Implementation Specification: Data Backup Plan

Our dental practice Security Official will implement policies and procedures for establishing and implementing a data backup plan that creates and maintains up-to-date exact copies of our practice's electronic protected health information. Our dental practice workforce members are responsible for complying with the practice's data backup plan policies and procedures.

Our Security Official, in consultation with our practice's hardware and software vendor(s), and working with the practice's office manager, shall develop and implement an offsite backup plan for safeguarding our practice's electronic system applications and database(s) so that the practice has access to those applications and an exact, up-to-date copy of our practice's electronic protected health information.

Our Security Official shall verify on a daily basis that a successful backup has been accomplished. Our Security Official shall ensure that the practice's offsite facility maintains daily, weekly, monthly, and quarterly backups of exact electronic protected health information of its patients.
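The daily "was the backup successful" check and the periodic "is the copy still exact" test that the data backup plan calls for can both be automated against a digest manifest. The following is an added example, not the practice's own tooling or any vendor's product: a manifest of SHA-256 digests is written when the backup is taken, and verification recomputes the digests over the offsite copy, reporting files that are missing, altered or unexpected, plus whether the last backup is older than the daily window. The directory layout, file names, record contents and the 24-hour freshness limit are constructed assumptions for illustration.

```python
"""Daily backup verification for a data backup plan (added example).

A manifest of SHA-256 digests is written at backup time; the daily check
recomputes the digests over the offsite copy and reports anything missing,
modified or unexpected, plus whether the backup is recent enough. All file
names, contents and the freshness window below are constructed assumptions.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Assumption: a backup older than this fails the daily verification.
MAX_BACKUP_AGE = timedelta(hours=24)


def sha256_file(path):
    """Stream the file through SHA-256 so large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def walk_files(root):
    """Yield file paths relative to root in a stable (sorted) order."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            yield os.path.relpath(os.path.join(dirpath, name), root)


def write_manifest(source_dir, manifest_path, taken_at):
    """Record when the backup was taken and the digest of every source file."""
    manifest = {
        "taken_at": taken_at.isoformat(),
        "files": {rel: sha256_file(os.path.join(source_dir, rel))
                  for rel in walk_files(source_dir)},
    }
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh)
    return manifest


def verify_backup(backup_dir, manifest_path, now):
    """Compare the backup copy against its manifest and return a report dict."""
    with open(manifest_path) as fh:
        manifest = json.load(fh)
    age = now - datetime.fromisoformat(manifest["taken_at"])
    problems = []
    if age > MAX_BACKUP_AGE:
        problems.append("stale: last backup is %s old" % age)
    for rel, expected in manifest["files"].items():
        path = os.path.join(backup_dir, rel)
        if not os.path.isfile(path):
            problems.append("missing: " + rel)
        elif sha256_file(path) != expected:
            problems.append("modified: " + rel)
    # Files in the copy that the manifest never listed are also worth a look.
    for rel in walk_files(backup_dir):
        if rel not in manifest["files"]:
            problems.append("unexpected: " + rel)
    return {"ok": not problems,
            "age_hours": age.total_seconds() / 3600,
            "problems": problems}


def run_demo():
    """Constructed scenario: a clean copy passes; then one record is silently
    corrupted, another is lost, and a day is missed, and the check catches all three."""
    base = tempfile.mkdtemp()
    src, bak = os.path.join(base, "ephi"), os.path.join(base, "offsite")
    os.makedirs(src)
    os.makedirs(bak)
    records = {"chart_0001.txt": b"constructed chart note\n",   # constructed
               "xray_0001.bin": bytes(range(256))}             # constructed
    for name, data in records.items():
        for folder in (src, bak):
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(data)
    manifest = os.path.join(base, "manifest.json")
    taken = datetime(2024, 1, 15, 2, 0, tzinfo=timezone.utc)
    write_manifest(src, manifest, taken)
    good = verify_backup(bak, manifest, taken + timedelta(hours=6))
    with open(os.path.join(bak, "chart_0001.txt"), "ab") as fh:
        fh.write(b"\x00")                       # silent corruption
    os.remove(os.path.join(bak, "xray_0001.bin"))  # lost file
    bad = verify_backup(bak, manifest, taken + timedelta(hours=30))
    return good, bad


if __name__ == "__main__":
    for report in run_demo():
        print(report)
```

Keeping the manifest outside the backup tree (as the demo does) matters: if it travelled with the copy, whoever could alter the copy could also rewrite the digests. The report's `problems` list is what a Security Official would paste into the backup verification record for the day.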
Our Security Official, working with the practice's office manager, shall be responsible for testing backup systems periodically to determine that the integrity of the electronic protected health information is safeguarded.

Implementation Specification: Disaster Recovery Plan

Our dental practice Security Official will implement policies and procedures for establishing and implementing a disaster recovery plan for restoring business operations and electronic systems that contain electronic protected health information should a disaster occur. Our dental practice workforce members are responsible for complying with the practice's disaster recovery plan policies and procedures.

Our Security Official shall develop and implement the practice's disaster recovery plan using the Contingency Planning Workgroup, which shall:
- Consider compiling documentation related to disaster recovery planning, including Contingency Planning Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology [NIST], NIST Special Publication , June .
- Analyze, in the practice's risk analysis, potential threats and vulnerabilities and their consequences associated with potential disasters.
- Identify, as outcomes of the risk analysis, safeguards to mitigate disaster risks and mechanisms and tools to restore business operations and electronic systems that contain electronic protected health information within a practice-defined recovery period, say, 24 to 48 hours, or less.
- Prepare a comprehensive, usable, testable, and effective disaster recovery plan for the practice; this will take time and involve all workforce members.
- Assign key workforce members to execute the plan should a disaster occur and train all workforce members on their roles for achieving recovery.

Our Security Official shall plan for establishing a temporary offsite location with telecommunication and electronic system capabilities sufficient for our practice's size and business operations should the practice's facility become unavailable as a result of a disaster.

Our Security Official shall ensure that backed up electronic protected health information used at the temporary offsite location is safeguarded according to the provisions of the HIPAA Security Rule and the August 24, 2009, Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.

Our Security Official shall ensure that our practice has mitigated the potential disaster of loss of electricity supply by having backup source(s) of electricity available in an emergency.

Implementation Specification: Emergency Mode Operation Plan

Our dental practice Security Official will implement policies and procedures for establishing and implementing, as needed, an emergency mode operation plan for safeguarding the availability of our practice's electronic protected health information while operating in emergency mode. Our dental practice workforce members are responsible for complying with the practice's emergency mode operation plan policies and procedures.

Our Security Official, in consultation with the practice's office manager and representatives of the practice's hardware and software vendor(s), shall develop an emergency mode operation plan that is reasonable and appropriate for our practice by accomplishing the following tasks:

- Identifying and arranging for use of an alternate site to perform the practice's data processing functions if a disaster materially disrupts those functions in the practice facility.
- Ensuring hardware and software compatibility at primary and backup sites.
- Providing backup power and secure communication capabilities in the event of an emergency.
- Appointing workforce members to the emergency mode operations team.
- Training all workforce members on roles and responsibilities during emergency mode operations.
- Testing the emergency mode operation plan, and making modifications to the plan after testing, as necessary.
- Ensuring that all actions taken and results experienced during emergency mode testing and operations are documented in writing.

Our Security Official, working with the emergency mode operations leader, if different from the Security Official, shall be responsible for the following tasks prior to and during execution of the plan:

- Determine extent and seriousness of emergency.
- Ensure that the practice official responsible for declaring an emergency does so, given that emergency plan execution criteria are met.
- Notify emergency operations team and set up meeting at emergency operations facility if the practice facility is inaccessible or inoperable, or both.
- Inform patients that may be affected by the expected duration of the emergency (e.g., 24 to 48 hours, or less) that emergency operations have been initiated.
- Determine if there are additional equipment and supply requirements and order those that are required.
- Notify electronic system and practice management system vendors, explain the emergency, and secure cooperation and assistance, as needed, for recovery from the emergency.
- Coordinate the shift of operations from the impaired practice facility to the emergency facility.
- Run necessary tests on electronic systems that contain electronic protected health information to ensure that availability and integrity of such information is intact.
- Initiate emergency operations at the emergency facility following successful tests and verification of results.
- Ensure that safeguarding of electronic systems and electronic protected health information is reasonable and appropriate, given the emergency.
- Outline and execute plan for restoration to normal operations, including informing patients of the situation and progress toward recovery.
- Document all actions before and during execution of the emergency mode operation plan.

Implementation Specification: Testing and Revision Procedure

Our dental practice Security Official will implement policies and procedures for testing and revising our practice's contingency plans, including the practice's data backup, disaster recovery, and emergency mode operation plans. Our dental practice workforce members are responsible for complying with the practice's testing and revision policies and procedures.

Our Security Official shall be responsible for establishing a testing schedule for the practice's data backup, disaster recovery, and emergency mode operation plans. Each plan shall be tested no less frequently than annually, based on inputs to and outcomes from the practice's risk analysis.

Our Security Official shall be responsible for documenting in writing actions observed during testing, especially successes, responses, response times, and plan weaknesses and failures. Our Security Official shall evaluate in writing the effectiveness of the practice's data backup, disaster recovery, and emergency mode operation plans, based on testing results, and present findings during the next round of the practice's risk analysis review.

Our Security Official shall be responsible for making modifications to relevant contingency plans following testing in order to correct plan weaknesses and deficiencies that resulted in test failures. Our Security Official shall inform workforce members of any plan modifications and conduct retraining of workforce members, as necessary.

Implementation Specification: Applications and Data Criticality Analysis

Our dental practice Security Official will assess vulnerabilities and threats as part of our practice's risk analysis, and prioritize steps in data backup, disaster recovery, and emergency mode operation plans for recovery of electronic systems that contain electronic protected health information.
Our dental practice workforce members are responsible for complying with the practice's applications and data criticality analysis policies and procedures.

Our Security Official shall establish criteria for assessing the relative importance of vulnerabilities and threats as part of our practice's risk analysis, and prioritizing steps in data backup, disaster recovery, and emergency mode operation plans for recovery of operations and for safeguarding the practice's electronic systems and its electronic protected health information.

Evaluation

Our dental practice Security Official will establish procedures for our practice to perform periodic technical and non-technical evaluations of security performance, based upon the Standards our practice has implemented under the HIPAA Security Rule and changes required to those Standards' Implementation Specifications due to environmental or operational changes affecting the security of our practice's electronic protected health information. Our dental practice workforce members are responsible for complying with the practice's evaluation policies and procedures.

Our Security Official shall be responsible for the design of the evaluation process for our dental practice. Our Security Official shall establish, lead, and convene an evaluation working group comprised of the practice's workforce members and representatives of its hardware and software vendors, as needed. Our Security Official shall establish the agenda for the evaluation working group, delegate duties and functions, manage workflow, and prepare written reports of findings.

Our Security Official shall be responsible for developing, with the evaluation working group, criteria for determining acceptable levels of risk for vulnerabilities and potential threats to the practice's electronic systems and electronic protected health information, and mitigation strategies and procedures for maintaining risks at acceptable levels in the practice.

Our Security Official shall conduct evaluation of risks on at least an annual basis and whenever our practice determines that risks of changes in our practice operating environment or in the regulatory environment warrant review.

Business Associate Contracts and Other Arrangements

Implementation Specification: Written Contract or Other Arrangement

Our dental practice Security Official, in consultation with the practice's attorney, will prepare a Business Associate Agreement that contains the necessary assurances, and the Security Official will ensure that such agreement is executed with each Business Associate engaged by the practice. Our dental practice workforce members are responsible for complying with the practice's Business Associate Agreement policies and procedures.

The Security Official, in consultation with the practice's attorney, shall ensure that the practice's Business Associate Agreement is revised from time to time to reflect changes resulting from the HITECH Act and its enabling regulations, including duties and responsibilities each party owes to the other, as applicable.
The Security Official, in cooperation with the Privacy Official, shall identify each of the practice's Business Associates and shall require each Business Associate to sign the practice's most current Business Associate Agreement. The Security Official, in cooperation with the Privacy Official, shall retain the practice's copies of the Business Associate Agreements in compliance with HIPAA document retention requirements.

2.0 Technical Safeguards

Access Control

Our dental practice will implement technical policies and procedures for electronic information systems that maintain electronic protected health information, allowing access only to those persons, entities, or automated processes (e.g., software programs) that have been granted access rights as specified in the Administrative Safeguard Standard Information Access Management.

Our dental practice will establish policies and procedures to show how our electronic information systems allow access to electronic protected health information, to whom (or what), and for what purposes. We will do this by using access control features in our software applications, operating system, database management system, or some combination thereof, and by documenting in writing what we have done. Our practice's risk analysis will determine how we will control access by list, user identity, role, or context.

Implementation Specification: Unique User Identification

Our Security Official will determine each workforce member's need for access to electronic protected health information, and make sure that workforce members only have access to the information that is necessary to perform their work responsibilities. Our practice will identify users and track user identity through assigned unique names and/or numbers.

Our dental practice prohibits any workforce member from sharing or otherwise disclosing his or her username, number, or password to other workforce members. Our dental practice prohibits the use of generic or shared user ID credentials to access records containing electronic protected health information.

Our Security Official is responsible for assigning a unique user ID to each workforce member in our dental practice. In addition, our Security Official is responsible for:

- Assigning, managing, and tracking user ID credentials in our dental practice.
- Defining and enforcing our practice's policy on sharing and disclosing user ID credentials.
- Instructing users that initial assigned passwords must be changed to user-selected passwords on initial login.
- Requiring users to change their passwords every <30>, <60>, or <90> days, as determined appropriate through the practice's risk analysis.

Implementation Specification: Emergency Access Procedure

Our Security Official will establish methods of emergency access to electronic protected health information in the event of loss of data and systems due to an emergency or disaster such as fire, earthquake, flood, tornado, hurricane, vandalism, terrorism, power outage, or system failure. Our Security Official will identify, as part of our practice's risk analysis, the types of emergencies and disasters that could impair our practice's ability to access our patients' electronic protected health information. Our practice realizes that a delay in accessing our patients' electronic protected health information could hinder our ability to provide appropriate treatment and possibly pose a risk to the patient's health.

The Security Official will work with our practice's electronic system vendors to establish and test emergency access procedures to accommodate the types of emergencies and disasters that our practice identified in its risk analysis. Our Security Official will train authorized workforce members on how to implement and periodically test those procedures.

Our Security Official will document emergency access procedures and distribute instructions for initiating emergency access procedures to designated authorized workforce members. As one of those procedures, the Security Official may establish, in consultation with the practice's electronic system vendors, a special user password that would allow the Security Official and at least one designated authorized backup workforce member full access to electronic protected health information in an emergency or disaster situation. In such a situation, the Security Official would be responsible for documenting in a special emergency access log the actions taken and by whom. The special emergency access log should include any incidence of abuse of emergency access and the sanctions imposed on the individuals responsible.

Implementation Specification: Automatic Log-Off

Our Security Official will ensure that automatic logoff procedures are in place on all systems and devices that provide access to electronic protected health information in our dental practice. Our Security Official will establish an inventory of all of the practice's systems and devices that provide access to electronic protected health information. Our Security Official will check each system and device that accesses or stores electronic protected health information to make sure its screen-saver locks are enabled and set to 10 minutes or less. An authorized user of any such system or device must use his or her username and password to unlock a locked system or device. The Security Official will enforce the automatic logoff procedure and sanction any workforce member that adjusts a locking interval.

The Security Official will ensure that workforce members are trained to lock any electronic systems or devices located in patient service areas while a patient is in the area.

Implementation Specification: Encryption and Decryption

Our Security Official is responsible for safeguarding our practice's electronic protected health information. Our practice's Notice of Privacy Practices outlines our practice's policy on communication over open networks or electronic systems. Our policy is to inform patients by e-mail that an electronic message from the practice can be accessed on the practice's server only when the patient provides a unique patient ID and password for access.

In conformance with the Guidance in the HHS Breach Notification Rule, our dental practice as a matter of policy encrypts all electronic protected health information at rest in the practice's database and in motion through outbound communications using the technologies and methodologies specified in the Guidance. The Security Official will ensure that all electronic protected health information at rest or in motion is encrypted, and thus secure, as outlined in the Guidance referenced in our policy on this matter.

As necessary, the Security Official will work with the Privacy Official to update the practice's Notice of Privacy Practices to reflect this policy, to indicate that the practice will not send to its patients unencrypted e-mail containing electronic protected health information, and that patients wishing to communicate by e-mail with the practice will be required to use a secure application to retrieve any such information.
2.2.0 Audit Controls

Our Security Official will train workforce members to comply with the practice's technical safeguards regarding the use of electronic systems and access to and protection of electronic protected health information, and enforce workforce compliance through sanctions.

Our Security Official will review system-generated audit logs regularly, as frequently as the practice's risk analysis deemed necessary, and will initiate appropriate actions to correct accessibility issues or incidents and to sanction inappropriate use, as necessary. The Security Official will confirm and document that existing and newly acquired software has auditing capabilities and that such capabilities are enabled.

Our Security Official will monitor all systems containing electronic protected health information for unauthorized intrusions. The Security Official will review access logs on a weekly basis to detect unauthorized access attempts. The Security Official will make sure that audit logs are retained in accordance with the Security Rule document retention requirements, and destroyed thereafter. The Security Official will impose appropriate sanctions under the dental practice's sanction policy and procedures on any workforce member found to have attempted or achieved unauthorized access.

Integrity

Implementation Specification: Mechanism to Authenticate Electronic Protected Health Information

Our Security Official is responsible for implementing mechanisms for corroborating the integrity of electronic protected health information. Our Security Official shall:

- Work with our dental practice's information system vendor to understand how our system achieves and checks data integrity, how intrusions are detected, and how integrity performance is measured and reported.
- Ensure that users of our dental practice's electronic systems authenticate their access to those systems and electronic protected health information therein.
- Ensure that our practice's electronic systems have intrusion detection that provides audit trails and alerts of potential hacking.
- Test our electronic systems and their backup counterparts every < > days to identify any mechanical errors.
- Confirm that data transmitted via standard network protocols is the same as data received.
- Every < > days, test and monitor the results of data integrity checks on applications, databases, operating systems, networks, servers, workstations, and backup storage devices.

Person or Entity Authentication

Our Security Official has implemented a policy that any user seeking access to our dental practice's electronic systems and electronic protected health information shall possess credentials that authenticate access. Credentials entered by a potential user must match those stored in the electronic system in order to gain access.

Our Security Official shall define technical and procedural mechanisms to authenticate the identity of users and/or processes that access our electronic systems and electronic protected health information, and shall implement procedures to monitor and enforce authentication. Such mechanisms will be a combination of authentication credentials and audit trails to enforce authorized access.

Our Security Official shall ensure that electronic system users authenticate themselves with credentials, such as a combination of username and password or a biometric authentication such as thumbprint or retina scan. Our Security Official permits users to synchronize usernames and passwords on multiple electronic devices that are owned by the practice, provided the password is strong, appropriate security safeguards are in place, and data are encrypted on the electronic devices.

Transmission Security

Implementation Specification: Integrity Controls

Our Security Official is responsible for implementing a policy that will ensure that electronic protected health information has not been altered without appropriate knowledge and approval of our dental practice. Our Security Official shall assign unique username/password combinations to persons authorized to log onto our dental practice's electronic systems. Our Security Official shall ensure that all entries into our electronic systems are tracked appropriately by audit trail technology. Our Security Official shall regularly review audit trail reports and identify any unauthorized changes to electronic protected health information. Our Security Official shall immediately notify any person, and that person's supervisor, who is observed or recorded making unauthorized changes to electronic protected health information, and shall apply appropriate sanctions for such unauthorized changes.
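The weekly access-log review under Audit Controls and the audit-trail review for unauthorized changes under Integrity Controls can be driven by one small script. What follows is an added example, not the practice's own software or any practice management vendor's audit facility: it parses a constructed audit log and flags the three things these policies single out, repeated failed logins (unauthorized access attempts), use of a generic or shared user ID, and a record change by a user who is not authorized to make changes. The log format, user names, role table, generic-ID list and the "3 failures in 10 minutes" threshold are all assumptions made for the illustration.

```python
"""Weekly audit log review (added example, not the practice's own tooling).

Parses a constructed key=value audit log and reports: failed-login bursts,
use of generic/shared user IDs, and record changes by unauthorized users.
User names, roles, log format and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed role table: only these hypothetical users may change ePHI records.
AUTHORIZED_TO_MODIFY = {"dr_jones", "hyg_lee"}
# Assumed list of generic or shared IDs the policy prohibits.
GENERIC_IDS = {"admin", "frontdesk", "dentist", "guest"}
FAILED_LOGIN_THRESHOLD = 3                    # assumed: 3 or more failures...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)   # ...within 10 minutes is a burst

# Constructed log format: UTC timestamp followed by key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+(?P<kv>.+)$")


def parse_line(line):
    """Return one event as a dict, or None for a line that is not an event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def review_audit_log(lines, since=None):
    """Review events at or after `since` (datetime or ISO string).

    Returns a list of (kind, user, detail) findings for the Security Official."""
    if isinstance(since, str):
        since = datetime.fromisoformat(since)
    events = [e for e in map(parse_line, lines) if e]
    if since is not None:
        events = [e for e in events if e["ts"] >= since]
    findings = []
    failures = defaultdict(list)
    for e in events:
        user = e.get("user", "?")
        when = e["ts"].isoformat()
        if user in GENERIC_IDS:
            findings.append(("generic_id", user, "shared credential used at " + when))
        if e.get("action") == "login" and e.get("result") == "fail":
            failures[user].append(e["ts"])
        if e.get("action") == "modify" and user not in AUTHORIZED_TO_MODIFY:
            findings.append(("unauthorized_change", user,
                             "modified %s at %s" % (e.get("record"), when)))
    # Sliding window over each user's failed logins, oldest first.
    for user, times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= FAILED_LOGIN_WINDOW)
            if count >= FAILED_LOGIN_THRESHOLD:
                findings.append(("failed_login_burst", user,
                                 "%d failures within %d minutes of %s"
                                 % (count, FAILED_LOGIN_WINDOW.seconds // 60,
                                    start.isoformat())))
                break
    return findings


# Constructed sample log: one shared ID, one failed-login burst, one
# modification by a billing user who is not authorized to change records.
SAMPLE_LOG = """\
2024-01-08T08:02:11Z user=dr_jones action=login result=ok workstation=OP1
2024-01-08T08:05:40Z user=frontdesk action=login result=ok workstation=FD1
2024-01-08T09:15:00Z user=rtaylor action=login result=ok workstation=BILL1
2024-01-08T12:31:02Z user=rtaylor action=login result=fail workstation=OP3
2024-01-08T12:31:30Z user=rtaylor action=login result=fail workstation=OP3
2024-01-08T12:32:05Z user=rtaylor action=login result=fail workstation=OP3
2024-01-08T12:33:10Z user=rtaylor action=login result=fail workstation=OP3
2024-01-08T14:10:22Z user=hyg_lee action=modify record=chart_0142 result=ok
2024-01-08T16:45:09Z user=rtaylor action=modify record=chart_0142 result=ok
this line is not an event and is skipped
""".splitlines()


if __name__ == "__main__":
    for kind, user, detail in review_audit_log(SAMPLE_LOG):
        print(kind, user, detail)
```

The `since` argument is what makes this a weekly review rather than a full-history scan; the findings are tuples so they can be written straight into the Security Incident Log, and each one names the user so the sanction policy can be applied to a person rather than a workstation.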
In addition, our Security Official will work with our technology vendors to ensure that our system runs routine integrity checks and alerts the Security Official and practice ownership to any problems detected.

Implementation Specification: Encryption

As a matter of policy, our dental practice encrypts all electronic protected health information at rest in the practice's database and in motion through outbound communications in conformance with the technologies and methodologies specified in the Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals of the August 24, 2009, Interim Final Rule: Breach Notification for Unsecured Protected Health Information. The Security Official of our dental practice will ensure that all electronic protected health information at rest or in motion is encrypted, and thus secure, as outlined in the Guidance referenced in our policy on this matter.

The Security Official will ensure that this policy is reflected accurately in an update of our Notice of Privacy Practices. In addition, the Security Official shall make sure that the Notice of Privacy Practices indicates that we will not send our patients unencrypted e-mail containing electronic protected health information. Rather, patients wishing to communicate by e-mail with the
practice will be required to have a unique username and password, and log in to the practice's secured website to send or retrieve any such information.

3.0 Physical Safeguards

Facility Access Controls

Implementation Specification: Contingency Operations

Our dental practice Security Official is responsible for our disaster and emergency operations procedures, and in particular, building processes that are consistent with our Administrative Safeguard Standard Contingency Plan so that we can restore electronic systems and electronic protected health information in the event of a disaster or an emergency. Our dental practice workforce members are responsible for complying with the practice's contingency operations policies and procedures.

Our Security Official shall develop procedures to restore electronic systems and electronic protected health information should our dental practice experience a disaster or an emergency. Such procedures shall be based on outcomes of the practice's risk analysis, and coordinated with the Administrative Safeguard Standard, Contingency Plan.

Our Security Official shall catalog the types of potential disasters and emergencies that could occur and determine their potential impact on the practice's operations. (For example, what would the practice do if the practice were damaged by fire? Would it relocate? How would it access backed up electronic protected health information? As another example, what will the practice do if its power supply is interrupted for a protracted period of time, or its electronic systems damaged by a lightning strike?)

Our Security Official shall outline procedures for re-establishing access to the practice's electronic systems and for restoring lost electronic protected health information and other business data. The procedures shall include identification of key personnel in the practice and personnel from our system vendors who would have emergency access credentials and responsibility for handling contingency operations.

Implementation Specification: Facility Security Plan

Our dental practice will safeguard the practice and its facility and the electronic systems and electronic protected health information contained therein from unauthorized physical access, tampering, and theft. Our dental practice workforce members are responsible for complying with the practice's facility security plan policies and procedures.

Our dental practice Security Official shall develop and evaluate the effectiveness of policies and procedures to protect the practice's facility and the electronic systems and electronic protected health information contained therein. These policies and procedures will be based on our risk analysis of vulnerabilities and threats to our practice's physical infrastructure. Our Security Official shall leverage the clinical and administrative assigned locations of workforce members to safeguard the practice internally during business hours.

Our Security Official has determined that our dental practice's risk analysis will include consideration of the following areas for our development of policies and procedures to safeguard our practice's physical infrastructure:
- Which individuals should be authorized to access electronic systems containing electronic protected health information, and appropriate modes of access.
- Procedures for opening and closing the dental office.
- Layout, design, and construction of our facility.
- Entrances and exits to our facility.
- Lock and key control.
- Locking mechanisms for doors, gates, windows, and other access points.
- Access badges and cards, and door keys.
- Sign-in and sign-out procedures.
- Person responsible for authorizing access to facility (e.g., Security Official).
- Parking rules.
- Surveillance of facility areas.
- Perimeter and barrier protection.
- Natural barriers, landscape, and terrain.
- Fencing, type and construction.
- Gate facilities and security checkpoints.
- Wall, ceiling, and floor construction.
- Identification and control of high-risk areas.
- Door and window locations and security devices used on each.
- Alarms, intrusion detection systems, and burglary deterrence devices.
- Fire and water hazards.
- Fire protection, detection, and extinguishers.
- Contingency operations, including emergency access for personnel to handle contingencies and emergencies.
- Reception area locations and facility entry controls.
- Employee surveillance and vigilance procedures.
- Access controls to locations containing electronic systems (e.g., server room).
- Firewalls safeguarding access to electronic protected health information.
- Environmental controls, such as heating, ventilation, and air conditioning, if necessary, for electronic systems.
- Plan for periodic testing, monitoring, and evaluating effectiveness of facility security.

Our Security Official shall make sure that the employee handbook includes the dental practice's facility security plan policies and procedures and that they are kept current.

Implementation Specification: Access Control and Validation Procedures

Our dental practice will control and validate a person's access to our facilities in the following four ways:

- Verify an individual's authorization based on role or function to access electronic systems that contain electronic protected health information.
- Establish a visitor sign-in/sign-out and badge system in order to safeguard electronic protected health information. Visitors, including Business Associates, shall be required to wear a visitor badge at all times while in the dental practice facility.
- Control access and movement within the dental practice.
- Escort visitors in areas with access to electronic protected health information if there is a reason for visitors to be in such areas.

Our dental practice workforce members are responsible for complying with the practice's access control and validation policies and procedures.

Our dental practice Security Official shall implement physical access controls for areas in our practice that have electronic systems that contain electronic protected health information and shall be responsible for validating a person's access to such systems and information.

The Security Official shall confirm that any outside party requiring access to the dental practice's electronic systems that contain electronic protected health information meets the following conditions: (a) Business Associate Agreement in place; (b) positive identification of appropriate credentials of any representative of the Business Associate; and (c) Business Associate representative is aware of and understands the dental practice's security policies and procedures.

Our Security Official shall confirm that all electronic systems containing electronic protected health information that are stationary in the practice are housed in physically secure locations within the practice, and that all portable electronic systems containing electronic protected health information that are used inside or outside of the practice are password protected with such information encrypted.

Our Security Official shall assign facility keys and alarm system codes to designated dental practice workforce members. The Security Official shall implement and manage key assignments and their locations so that keys are returned and lock and alarm codes changed when designated practice workforce members resign or are terminated, or other circumstances warrant.

The Security Official shall verify any person who is not a member of our workforce who may have access to our electronic protected health information, especially representatives of electronic systems vendors who test, revise, and update systems hardware and software used in the dental practice, and notify them of our security policies and procedures. Our Security Official also shall obtain appropriate Business Associate Agreements and, in addition to a secure file of these agreements in the practice, maintain a duplicate file in a secure location off-site, such as with the practice attorney.

3.1.4 Maintenance Records

Our dental practice shall document repairs and modifications to the physical components of the practice's facility that are related to security, including hardware, locks, doors, and walls. Our dental practice workforce members are responsible for complying with the practice's maintenance records policies and procedures.

Our dental practice Security Official shall maintain a log of any repairs or modifications to the physical components of the practice's facility that are related to security. The log shall include:

- date of repair or modification;
- description of the reason for repair or modification;
- name, address, and contact telephone number of person or entity performing the modification;
- cost, if any, of the repair or modification;
- signature of Security Official or designated responsible workforce member responsible for making sure repair is completed.

Our Security Official shall update the log in writing within one business day of completion of any security-related repair or modification to the physical components of the practice's facility, and shall verify that the repair or modification was completed. Our Security Official shall maintain the log, in print or electronic format, for a period of six years from the date of the last recorded security-related repair or modification to the physical components of the practice's facility or from the date when the last entry was last in effect, whichever is later.

Workstation Use
Our dental practice has specified the proper functions to be performed on each workstation, the manner in which they are to be performed, and the physical attributes of the surroundings of specific workstations or classes of workstations that can access electronic protected health information. Our dental practice workforce members are responsible for complying with the practice s workstation use policies and procedures. Our Security Official shall establish and implement workstation use procedures and physical access controls for workstation areas in the practice that contain electronic protected health information. Our Security Official, or appropriate designee, shall provide oversight for the following activities: No food or drink (if water, must have a screw-top lid) near workstations that contain electronic protected health information. Compliance with terms and conditions of software licenses and copyright laws. Workforce members routinely keep workstation antivirus software current when updates are routed to them.
81 3.3.0 Workstation Security Place workstations containing electronic protected health information in controlled areas where only practice workforce member users and other authorized users, such as electronic system vendors under a Business Associate Agreement, have access, as appropriate. Portable electronic media containing electronic protected health information, used in the practice or authorized in writing to be taken out of the practice, has appropriate encryption as outlined in the Breach Notification Rule Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals. Our dental practice will maintain workstation security for all workstations that provide access to electronic protected health information in order to prevent access by unauthorized users. Our dental practice workforce members are responsible for complying with the practice s workstation security policies and procedures. Our dental practice Security Official shall establish and implement workstation security procedures and physical access controls to workstation areas in the practice. Our Security Official shall assign passwords to authorized users of electronic media that contain electronic protected health information. Our Security Official shall establish the procedures that we determined were appropriate when we conducted our risk analysis. These procedures include ensuring that strong passwords are used, that they are changed regularly, and that their use is monitored. Our Security Official shall periodically issue security reminders about the use of passwords, including reminders of the sanctions for sharing passwords and for inappropriately posting written passwords on workstations or desktop surfaces, or placing them under desktop calendars or in drawers. 
Our Security Official shall verify that workstations containing electronic protected health information are placed in controlled areas where only practice workforce members who are authorized users, and other authorized users such as electronic system vendors under a Business Associate Agreement, have access, as appropriate. Our Security Official shall make sure that workstations that contain electronic protected health information are not visible to unauthorized passersby. Our Security Official shall monitor unattended electronic media so that they have an automatic logoff of ten minutes or less, with the time to be determined through our practice s risk analysis. Our Security Official shall validate a Business Associate s credentials before allowing access to electronic media that contain electronic protected health information. Our Security Official shall oversee and confirm that any portable electronic media containing electronic protected health information, used in the practice or authorized in writing to be taken out of the practice, have appropriate encryption as outlined in the Guidance of the Breach Notification Rule.
3.4.0 Device and Media Controls

Our dental practice will monitor and document the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of our facility, and the movement of hardware and electronic media within the facility.

Our dental practice workforce members are responsible for complying with the practice's device and media controls policies and procedures.

Our dental practice Security Official shall establish and implement media control policies and procedures, including identifying and tracking all hardware and electronic media used in our practice.

Our Security Official shall train our workforce members to protect hardware and electronic media so as to protect our practice's electronic protected health information and proprietary business information from loss and from exposure to unauthorized persons.

Our Security Official, in conjunction with our IT personnel, shall prohibit the use of unauthorized hardware and electronic media within the practice, and shall enforce sanctions for violations of this procedure.

Our Security Official shall verify that electronic protected health information is backed up on a routine basis and stored off-site in a physically secure facility. The Security Official shall verify on a regular basis that an exact copy of such information is readily retrievable.

Our Security Official shall confirm that any disposal of hardware or electronic media complies with the Breach Notification Rule Guidance and NIST guidelines so that any electronic protected health information on such hardware or electronic media is unusable, unreadable, or indecipherable and cannot be retrieved.

Implementation Specification: Disposal

Prior to final disposition of any hardware or electronic media in our practice, our practice will dispose of electronic protected health information in a manner that is consistent with the Breach Notification Rule Guidance.

Our dental practice workforce members are responsible for complying with the practice's hardware and electronic media disposal policies and procedures.

Our dental practice Security Official shall confirm that our practice's hardware and electronic media disposal procedures are consistent with the Breach Notification Rule Guidance and any updates to it, and that our system vendors are aware of and understand the National Institute of Standards and Technology (NIST) Special Publication , Guidelines for Media Sanitization, which is the current Guidance-recommended set of guidelines for disposal of electronic media containing electronic protected health information.

Our Security Official shall include the NIST Guidelines in our risk analysis updates and review. Our Security Official shall verify that any electronic protected health information is deleted from hardware or electronic media.

3.4.2 Media Re-Use

Our dental practice Security Official shall confirm that our practice's hardware and electronic media disposal procedures are consistent with the Breach Notification Rule Guidance and any updates to it, and that our system vendors are aware of and understand the National Institute of Standards and Technology (NIST) Special Publication , Guidelines for Media Sanitization, which is the current Guidance-recommended set of guidelines for removal of electronic protected health information on electronic media "such that the PHI cannot be retrieved."

Our dental practice workforce members are responsible for complying with the practice's hardware and electronic media re-use policies and procedures.

Our Security Official shall include the NIST Guidelines in our risk analysis updates and review. Our Security Official shall verify that any electronic protected health information is removed from electronic media such that the PHI cannot be retrieved.

Our Security Official has determined that electronic media are relatively inexpensive and are becoming more so each year. Accordingly, as a result of our practice's risk analysis, we consider it appropriate risk mitigation to destroy rather than re-use electronic media (we balanced the cost of new electronic media against the potential costs of access to electronic protected health information by unauthorized users).

Accountability

Our dental practice will establish and maintain a written record of the movements of hardware and electronic media and any person responsible therefor.

Our dental practice workforce members are responsible for complying with the practice's accountability policies and procedures.

Our dental practice Security Official shall establish and maintain documentation of the movement of hardware and electronic media and the parties responsible for such hardware and electronic media. The documentation should include the following column headings: Description; Model; Serial Number; Manufacturer; Purchase Price; Date Purchased; Date in Service; Assigned to; Reassigned to; Date Taken Out of Service.

Our Security Official shall maintain the documentation for six years from the date of its creation or the date when it last was in effect, whichever is later.

Our Security Official shall maintain an up-to-date copy of the inventory in a safe place outside of the premises of the practice, such as in a safe deposit box, or with our practice's attorney, bookkeeper, or insurance agent.

Data Backup and Storage

Our dental practice will regularly back up electronic protected health information, in accordance with the backup procedures that we determined were appropriate when we conducted our risk analysis. We will keep an exact copy of that information stored off-site and readily retrievable in case it is needed. Prior to moving stationary hardware or electronic media in the practice's facility, we will back up the electronic protected health information and verify that it is an exact copy.

Our dental practice workforce members are responsible for complying with the practice's data backup and storage policies and procedures.

Our dental practice Security Official shall confirm that a retrievable, exact copy of electronic protected health information is available prior to movement of stationary hardware or electronic media in the practice.

Our Security Official shall periodically test the practice's data backup procedures, with the frequency that we determined was appropriate when we conducted our practice's risk analysis.

Our Security Official shall confirm that backup data are tested for integrity and availability, with the frequency that we determined was appropriate when we conducted our practice's risk analysis.

Our Security Official shall confirm that the practice maintains and stores offsite, at a secure facility, daily, weekly, monthly, and quarterly backups of the practice's electronic protected health information, software, and system audits.
HIPAA PRIVACY POLICY & PROCEDURE MANUAL
HIPAA PRIVACY POLICY & PROCEDURE MANUAL **DISCLAIMER** This document was prepared to assist the typical physician practice in seeking to undertake reasonable measures to comply with the HIPAA Rules. Each
SOUTH CAROLINA PUBLIC EMPLOYEE BENEFIT AUTHORITY (PEBA) NOTICE OF PRIVACY PRACTICES
SOUTH CAROLINA PUBLIC EMPLOYEE BENEFIT AUTHORITY (PEBA) NOTICE OF PRIVACY PRACTICES Effective April 14, 2003 Revised September 23, 2013 This notice describes how medical information about you may be used
