NOTICE OF PRIVACY PRACTICES

OF THE DENTAL PRACTICE OF ANDREA D RICE D.D.S.

As Effective Commencing On Or After January 2, 2018 (the “Effective Date”)

THIS NOTICE DESCRIBES HOW PROTECTED HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Notice of Privacy Practices (Effective November 24, 2017) Page 1 of 13

This Privacy Notice (this “Privacy Notice”) is provided pursuant to section 164.520 of Title 45 of the Code of Federal Regulations to provide written notification of the privacy policies and practices (the “Privacy Practices”) governing the use, access and disclosure of Protected Health Information (as defined below) by or on behalf of those components of the dental practice ofAlan D. Marcotte, D.D.S. (the “Practice”)when and if acting as a “health care provider” within the meaning of 45 C.F.R. § 160.103 and a “covered entity” within the meaning of sections 262 and 264 of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the associated implementing privacy regulations set forth in Parts 106 and 164 of Title 45 of the Code of Federal Regulations (the “Privacy Rule”). If an individual has any questions about this Privacy Notice, want additional information about the notice or the policies or procedures it describes or wish to make a comment or complaint about these policies, please contact the Privacy Officer for the Practice using the procedures provided at the end of this Privacy Notice.

Who Will Follow These Practices?

The policies and practices described in this Privacy Notice apply to the use, access, security and disclosure of Protected Health Information by the Practice as a “health care provider htat is a “covered entity” within the meaning of HIPAA if and to the extent required to comply with HIPAA or otherwise applicable law. For this purpose, the HIPAA Privacy Rule defines a “health care provider” as “a providerof services (as defined in section 1861(u)of the Act, 42 U.S.C. 1395x(u)), a providerof medical or health services (asdefined in section 1861(s) of the Act, 42U.S.C. 1395x(s)), and any other personor organization who furnishes, bills, oris paid for health care in the normalcourse of business.

For purposes of this Notice, however, the term “Practice” only refers to the health care operations of the dental Practice of Alan D. Marcotte D.D.S. and not any non-care components of its operations except as otherwise required by HIPAA or otherwise applicable law..

What Protected Health Information Is Covered By This Privacy Notice?

The policies described in this Privacy Notice only apply to “Protected Health Information” or “PHI” for short. “Protected Health Information” means information that meets each of the following conditions:

  • Is created or received by or on behalf of the Practice;
  • Relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual (including “genetic information”);
  • Either identifies the individual or there exists a reasonable basis to believe the information can be used to identify the individual;
  • Is not individually identifiable information in education records covered by the Family Education Rights and Privacy Act;
  • Is not individually identifiable information contained in records described at 20 U.S.C. 1232g(a)(4)(B)(iv);
  • Is not individually identifiable information held by a HIPAA-covered entity in its role as an employer;
  • Is not “identified” within the meaning of the Privacy Rule; and
  • Is not otherwise excluded from the definition of Protected Health Information for purposes of the Privacy Rule.

What Generally Are the Responsibilities of the Practice Under the Privacy Rule?

The Practice requires that the Practice comply with HIPAA with respect to its use, access, and disclosure of PHI. HIPAA generally requires the Practice:

  • To safeguard and protect the privacy of Protected Health Information as specified in the Privacy Rule;
  • To use or disclose Protected Health Information only as allowed by the Privacy Rule;
  • To adopt and apply certain policies regarding the use, protection and disclosure of Protected Health Information;
  • To give Members this Privacy Notice describing the Practice’s Privacy Practices with respect to Protected Health Information; and
  • To follow the Privacy Practices as described in this Privacy Notice until modified as described in this Privacy Notice.

How May The Practice Generally Use and Disclose Protected Health Information?

The Privacy Practices prohibit the use or disclosure of Protected Health Information by or on behalf of the Practice, except as permitted or required by the HIPAA Privacy Regulations. For purposes of this Privacy Notice:

  • “Use” generally means, with respect to Protected Health Information, the sharing, employment, application, utilization, examination or analysis of such information within an entity that maintains such information.
  • “Disclosure” generally means the release, transfer, provision of access to or divulging in any other manner Protected Health Information outside the entity holding the information.

Consistent with the Privacy Rule, the Practice’s Privacy Practices permit any use or access of Protected Health Information by or on behalf of the Practice that qualifies as a permitted or required disclosure under the Privacy Rule, as well as any use or disclosure made incidental to a required or permitted disclosure.

When using or disclosing Protected Health Information or when requesting Protected Health Information from another covered entity, the Privacy Practices generally require that reasonable efforts be made to limit use or disclosure of Protected Health Information to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. Except as otherwise required to comply with the Privacy Rule, however, this minimum necessary requirement does not apply to:

  • Disclosures to or requests by a health care provider for treatment;
  • Uses or disclosures made to the individual, as permitted or required under paragraph E.17 of this Privacy Notice;
  • Uses or disclosures made pursuant to an authorization that complies with the Privacy Rule;
  • Disclosures made to the Secretary of Health and Human Services;
  • Uses or disclosures that are required by law; or
  • Uses or disclosures that is required for compliance with applicable requirements of the Privacy Rule.

The paragraphs that follow describe various categories of circumstances when the Practice may be required or permitted to use or disclose Protected Health Information. In connection with its description of the categories of permitted or required uses and disclosures, this Privacy Notice in certain instances also may provide one or more examples of permitted uses or disclosures to help illustrate a situation where that category might apply. Where provided, these examples are for illustrative purposes only and are not exhaustive. Not every use or disclosure permitted by a category will be listed. However, the Privacy Practices require that each use or disclosure of Protected Health Information by or on behalf of the Practice fall within a category of permitted or required disclosures described below.

Except under those circumstances identified in this Privacy Notice as requiring advance authorization, the Practice has the right to use or disclose Protected Health Information without notification to or the authorization or consent of the individual who is the subject of the information.

Uses and Disclosures Permitted by Privacy Rule Without Authorization

In accordance with the Privacy Rule, the Privacy Practices permit the use or disclosure of Protected Health Information by or on behalf of the Practice without authorization from the subject of the Protected Health Information or any other person under the following categories of circumstances:

Disclosures toBusiness Associates

As part of the Practice administration function, the Practice discloses Protected Health Information to outside entities or persons (business associates) involved in the operation or administration of the Practice. In connection with their performance of Practice related responsibilities on behalf of the Practice, business associates also may create or receive Protected Health Information from Members, health care providers and other covered entities and other third parties. Each business associate is required to sign an agreement obligating the business associate to protect and safeguard the confidentiality of the Protected Health Information and limiting their use of the information to specified purposes.

De-identified Protected Health Information

Consistent with the Privacy Rule, the Privacy Practices exclude from the definition of Protected Health Information that health information that qualifies as “de-identified” for purposes of the Privacy Rule. Therefore, the Practice may use or disclose health information that qualifies as de-identified by the Practice or any other party for any purpose.

The Practice also may use Protected Health Information to create information that is not individually identifiable health information or disclose Protected Health Information to a business associate for such purpose. If de-identified information is re-identified, however, the Privacy Practices require that the re-identified health information be treated as Protected Health Information and used or disclosed only as allowed by the Privacy Rule.

For Treatment, Payment or Health Care Operations

The Practice has the right to use or disclose Protected Health Information for treatment, payment or health care operations purposes within the meaning of the Privacy Rule.

For Treatment

The Practice may use or disclose Protected Health Information to carry out its own treatment related activities. The Practice also may disclose Protected Health Information to a health care provider for purposes of the treatment of a Member or other patient, whether or not the health care provider is a covered entity under HIPAA.

For this purpose, “treatment” means the provision, coordination or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.

For example:

  • The Practice might disclose Protected Health Information to a health care provider or other party for purposes of evaluating or coordinating alternative treatment opportunities for purposes of administering utilization management provisions of the Practice with respect to a Member.
  • The Practice may disclose Protected Health Information about prior prescriptions to a pharmacist to facilitate his assessment if a pending prescription that he has been asked to fill is contraindicative with prior prescriptions.
  • The Practice may disclose Protected Health Information about a Member’s blood-type to assist a health care provider to assess the potential suitability of an individual to serve as a blood or transplant donor for another patient.
  • The Practice also may disclose Protected Health Information to a parent, spouse or other person participating in the delivery of health care.
For Payment

The Practice may use and disclose Protected Health Information for purposes of its payment activities and may disclose Protected Health Information to a health care provider or other covered entity or its business associates for purposes of the recipient’s payment activities.

Examples of payment activities of the Practice for which the Practice may use or disclose Protected Health Information for payment purposes include, but are not limited to, activities associated with the Practice’s investigation, determination or payment of Medical Benefits under the Practice including uses and disclosures made to determine eligibility for Practice benefits, to facilitate payment for the treatment and services the individual receives from health care providers, to determine the respective benefit responsibility of the Practice or another health plan, to coordinate the Practice coverage, to obtain or confirm information that the Practice determines relevant to determine or pay the Medical Benefits under the Practice, to investigate, pursue and recover potential sources of payment or reimbursement of Medical Benefits or other costs paid or payable under the Practice by other health plans, insurers, reinsurers or other third parties.

For example:

  • The Practice might use or disclose a Member’s Protected Health Information to health care providers, insurers, re-insurers, the Practice’s pharmacy benefit management company, other health plans or the parties as part of its investigation of a claim for benefits made to the Practice.
  • The Practice may disclose Protected Health Information to a health care provider seeking to investigate or receive payments under the Practice.
  • The Practice may tell a broker specific claims that have been denied or paid at an incorrect level in order to investigate and determine the proper payment amounts.
  • The Practice may share Protected Health Information with a utilization review or pre-certification service provider.
  • The Practice may share claim detail information with the County for purposes of requesting or obtaining payments of contributions from the County to pay benefits under the Practice.
  • The Practice may share Protected Health Information with another insurer, health plan, worker’s compensation carrier or fund, liability insurance carrier or other third party to investigate and coordinate benefits and coverages or identify and apply subrogation or assignment rights and obligations.
  • The Practice also may disclose Protected Health Information to someone who is or may be responsible for payment for the health care of a Member or other patient. For instance, the Practice may disclose Protected Health Information about a Member to a spouse, family member, workers' compensation or other insurer, social services agency or other party who is or may be responsible for payment for purposes of investigating or pursuing sources of payment. The Practice also will share PHI about a Member, who is enrolled in Dependent Coverage with the employee who has enrolled that Member in the Practice, the designated representative of a child enrolled in dependent coverage under the Practice pursuant to a "qualified medical child support order."
For Health Care Operations

The Practice may use or disclose Protected Health Information for its own health care operations within the meaning of the Privacy Rule.

The Practice also may disclose Protected Health Information to another covered entity for health care operations activities of the entity that receives the information, if the following conditions are met:

  • Each entity either has or had a relationship with the individual who is the subject of the Protected Health Information being requested,
  • The Protected Health Information pertains to such relationship, and
  • The disclosure is for purposes of conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines as allowed by the Privacy Rule; for purposes of population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives and related functions that do not include treatment; or for the purpose of health care fraud and abuse detection or compliance.

To the extent that the Practice participates in an organized health care arrangement within the meaning of the Privacy Rule, the Practice also may disclose Protected Health Information about an individual to another covered entity that participates in the organized health care arrangement for any health care operations activities of the organized health care arrangement.

For these purposes, the term “health care operations” has the meaning provided in the Privacy Rule. It generally includes any of the following activities:

  • Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities;
  • Population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives and related functions that do not include treatment;
  • Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees or health care practitioners learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing or credentialing activities;
  • Underwriting, premium rating and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits and ceding, securing or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance);
  • Conducting or arranging for medical review, legal services, and internal and external auditing functions, including fraud and abuse detection and compliance programs;
  • Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies;
  • Management activities relating to implementation of and compliance with the Privacy Rule;
  • Customer service, including investigation of potential problems and concerns relating to claims, the facilitation of communications between claimants and others involved in plan administration, the provision of data analyses for members, policy holders, plan sponsors or other Members and their beneficiaries, as allowed by the HIPAA Regulations;
  • Administration of claims and appeals and other activities associated with the resolution of internal grievances;
  • The sale, transfer, merger or consolidation of all or part of the Practice with another Practice or other covered entity or an entity that following such activity will become a covered entity and due diligence related to such activity;
  • Creating de-identified health information or a limited data set and fundraising for the benefit of the Practice consistent with the Privacy Rule; and
  • Other business management and general administrative activities of the Practice or other covered entity.

For example:

  • The Practice will disclose Protected Health Information about a Member, who is enrolled in dependent coverage under the Practice, to the employee whose employment relationship with the County qualifies the Member for enrollment in dependent coverage in connection with the administration of the Practice.
  • The Practice also may use Protected Health Information in connection with: conducting quality assessment and improvement activities; underwriting, premium rating and other activities relating to Practice coverage; submitting claims for stop-loss (or excess loss) coverage; conducting or arranging for medical review, legal services, audit services and fraud and abuse detection programs; business planning and development such as cost management; and business management and general Practice administrative activities.

As Required By Law

The Practice will disclose Protected Health Information when required to do so by federal, state or local law consistent with the applicable Privacy Rule if the use is limited to the relevant requirements of the law for any of the following purposes: