
HIPAA Privacy Policy

  • Dr. John
  • Mar 1, 2015

1. Introduction

This Privacy Policy describes how Anush A. John DMD, MD, PA., an Oral & Maxillofacial Surgery practice located in Maryland, uses, discloses, and safeguards Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations (45 CFR Parts 160 and 164).


2. Our Legal Obligations

As a covered entity under HIPAA, we are required to:

·         Maintain the privacy and security of your PHI

·         Provide you with notice of our privacy practices

·         Obtain your authorization before using or disclosing your PHI (except as permitted by law)

·         Implement administrative, physical, and technical safeguards to protect your information

·         Report breaches of unsecured PHI to affected individuals and, when required, to the U.S. Department of Health and Human Services (HHS)


3. What Is Protected Health Information (PHI)?

PHI includes any health information that identifies you or could reasonably identify you, including:

·         Your name, address, and contact information

·         Social Security number and date of birth

·         Dental and medical history

·         Examination and treatment records

·         Radiographs (X-rays) and diagnostic images

·         Insurance information

·         Payment and billing records

·         Diagnoses, treatment plans, and clinical notes

·         Video, audio, or photographic images of your mouth or face taken during treatment


4. How We Use and Disclose Your PHI

4.1 Treatment, Payment, and Healthcare Operations (TPO)

We use and disclose your PHI without your authorization for:

Treatment: Providing you with oral surgery services, consultations, follow-up care, and coordination with other healthcare providers (e.g., primary care physicians, orthodontists, oral pathologists, hospitals).

Payment: Processing insurance claims, billing you for services, collecting payment, and managing accounts receivable. We may disclose PHI to your health plan to request prior authorization, verify coverage, or coordinate benefits.

Healthcare Operations: Running the practice, including quality improvement, staff training, accreditation, licensing, audits, business management, and legal compliance.

4.2 Other Uses and Disclosures Without Your Authorization

We may disclose your PHI without your written authorization in the following circumstances:

·         Family members and caregivers: When you are present and agree, or when a family member or caregiver is directly involved in your care or payment

·         Emergencies: When necessary to prevent serious harm to you or others

·         Court orders and legal process: When required by subpoena, court order, or other legal authority

·         Public health and safety: To public health authorities for disease reporting, health oversight activities, or law enforcement purposes as permitted by law

·         Abuse, neglect, or domestic violence: When required or authorized by law to report suspected abuse or neglect

·         Workers' compensation: As required by Maryland workers' compensation law

·         Organ donation: To organizations involved in organ procurement or transplantation

·         Coroner or medical examiner: When necessary to identify a deceased person or determine cause of death

·         Funeral directors: For preparation and burial services

4.3 Disclosures Requiring Your Written Authorization

We will not use or disclose your PHI for any purpose other than treatment, payment, or healthcare operations without your prior written authorization, except as required or permitted by law. Authorized uses may include:

·         Release of records to attorneys or insurance companies

·         Marketing or fundraising purposes

·         Psychotherapy notes (separate authorization required)

·         Substance abuse or mental health treatment information (if applicable)

·         HIV/AIDS testing information (requires separate specific authorization in Maryland)

You may revoke any authorization in writing at any time.


5. Your Privacy Rights

5.1 Right to Access Your Records

You have the right to access, inspect, and obtain a copy of your dental records, including radiographs and clinical notes. We will provide you with this information within 30 days of your request. A reasonable copying fee may be charged. You may request records in electronic format or on paper.

5.2 Right to Request Amendments

If you believe that information in your dental record is inaccurate or incomplete, you may request that we amend it. We will review your request and respond within 60 days. If we deny your request, we will explain the reason and provide information about how you may appeal.

5.3 Right to an Accounting of Disclosures

You may request a written accounting of disclosures we have made of your PHI during the past six (6) years, except disclosures made for treatment, payment, healthcare operations, or as authorized by you. We will provide this accounting within 60 days and at no charge for the first request in a 12-month period.

5.4 Right to Request Restrictions

You may request that we restrict how we use or disclose your PHI. For example, you may request that we not disclose information to a particular family member or that we not send billing statements to a certain address. We are not required to agree to all requests, but we will consider your request and inform you of our decision.

5.5 Right to Request Confidential Communications

You may request that we communicate with you about your dental care in a particular manner or location (e.g., by email or cell phone). We will accommodate reasonable requests.

5.6 Right to Receive This Notice

You have the right to receive a copy of this Privacy Policy at any time.


6. Our Privacy and Security Practices

6.1 Administrative Safeguards

·         Designating a Privacy Officer responsible for developing and implementing privacy policies and procedures

·         Conducting regular staff training on privacy and security requirements

·         Implementing employee access controls and role-based restrictions

·         Maintaining documentation of privacy practices and incidents

·         Establishing a process for handling privacy complaints and breach reports

6.2 Physical Safeguards

·         Limiting access to patient records and clinical areas to authorized personnel

·         Securing facilities with locks, alarms, and access controls

·         Maintaining secure reception and waiting areas to prevent unauthorized viewing of patient information

·         Using closed-door consultation rooms for private conversations

·         Securing computers and devices containing PHI with password protection and screen locks

·         Implementing policies for the secure disposal of paper records and digital media (shredding, certified destruction)

6.3 Technical Safeguards

·         Using encrypted passwords and unique user IDs for all staff accessing electronic health information

·         Encrypting electronic PHI transmitted over insecure networks

·         Implementing firewalls and antivirus software on all computers and networks

·         Maintaining automatic logoff of inactive sessions

·         Conducting regular security audits and risk assessments

·         Applying software updates and security patches promptly

·         Backing up electronic records and maintaining disaster recovery protocols

6.4 Breach Notification

If we discover a breach of unsecured PHI, we will:

·         Notify you without unreasonable delay and in no case later than 60 days after discovery of the breach

·         Provide written notice describing the nature of the breach, information involved, steps you should take, and our mitigation efforts

·         Notify the Secretary of HHS if the breach affects 500 or more residents of Maryland or other states

·         Notify prominent media outlets if the breach affects 500 or more residents of Maryland

·         Maintain a log of any breaches and their investigation


7. Our Responsibilities

We are committed to:

·         Maintaining the privacy and security of your PHI

·         Providing you with this Privacy Policy and answering your questions about it

·         Notifying you of any breach of your unsecured PHI

·         Complying with HIPAA regulations and Maryland state privacy laws

·         Protecting your rights as outlined in this policy

·         Not retaliating against you for exercising your privacy rights or filing a complaint


8. Business Associates

We may share your PHI with Business Associates (BA) who perform services on our behalf, such as:

·         Dental laboratories (for crown fabrication, denture construction, etc.)

·         Billing and collection agencies

·         IT support and software vendors

·         Cloud-based storage and backup services

·         Patient scheduling and electronic health record (EHR) vendors

All Business Associates must enter into a Business Associate Agreement (BAA) with us and agree to maintain the privacy and security of your PHI according to HIPAA standards.


9. Patient Rights and Complaint Procedures

9.1 How to Exercise Your Rights

To request access to your records, request an amendment, request an accounting of disclosures, request restrictions, or request confidential communications, please submit your request in writing to:

Anush A. John DMD, MD, PA.

Privacy Officer: [Name]

Address: [Street Address], [City], Maryland [Zip Code]

Phone: [Phone Number]

Email: [Email Address]

We will respond to your request within the timeframes specified by HIPAA (generally 30–60 days).

9.2 How to File a Complaint

If you believe your privacy rights have been violated, you may file a written complaint with us or with the U.S. Department of Health and Human Services (HHS). You will not be retaliated against for filing a complaint.

To file a complaint with our practice:

Anush A. John DMD, MD, PA.

Privacy Officer: [Dr. Anush John]

Address: 2405 York Rd, Ste 304, Lutherville, MD 21093

Phone: 4103377755

To file a complaint with HHS:

U.S. Department of Health and Human Services

Office for Civil Rights

Phone: 1-800-368-1019

Mail: U.S. Department of Health and Human Services, 200 Independence Avenue S.W., Washington, D.C. 20201


10. Maryland-Specific Privacy Protections

In addition to HIPAA, our practice complies with Maryland privacy laws, including:

·         Maryland Health-General Article § 4-301 et seq.: Protection of health information and confidentiality of medical and dental records

·         Health Information Technology for Economic and Clinical Health (HITECH) Act: Enhanced privacy and breach notification requirements

·         Maryland Genetic Privacy Act: Special protections for genetic testing information

·         Maryland Substance Abuse Treatment Confidentiality Act: If applicable, special protections for substance abuse treatment records

We recognize that Maryland law may provide additional protections beyond HIPAA. In cases of conflict, the law providing the greater protection will apply.


11. Changes to This Policy

We reserve the right to modify this Privacy Policy. Any changes will be effective immediately upon posting to our office or website. If we make significant changes that materially alter our privacy practices, we will provide you with notice and, where required by law, obtain your authorization.


12. Contact Information

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact:

Anush A. John DMD, MD, PA.

Privacy Officer: [Dr. Anush John]

Address: 2405 York Rd, Ste 304, Lutherville, MD 21093

Phone: 4103377755

Acknowledgment of Receipt

I/We acknowledge that I/we have received and reviewed a copy of the Privacy Policy for Anush A. John DMD, MD, PA.

Patient Name (Print): _______________________________________________

Patient Signature: ___________________________ Date: ______________

Parent/Guardian Signature (if minor): ___________________________ Date: ______________

This Privacy Policy is effective as of March 1, 2015, and will remain in effect unless modified. All patients will be notified of any material changes.

 
 
 
