Patient Privacy Policy

Harbor Light Oral & Maxillofacial Surgery

It is the policy of the Practice to comply with the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (HIPAA); the Health Information Technology for Economic and Clinical Health Act, Public Law 111-005 (HITECH Act); regulations promulgated thereunder by the U.S. Department of Health and Human Services (HIPAA Regulations); and other applicable laws. This policy describes procedures implemented by the Practice to ensure the privacy of patients’ protected health information (PHI). The Practice obtains acknowledgment of receipt of such notice from all patients.


  • A designated privacy and security officer is appointed from within the Practice to oversee the policies and procedures to ensure that patients’ rights to privacy are fulfilled.
  • All patients arriving for care receive a Notice of Patients’ Privacy Rights and the Receipt of Notice of Privacy Practices Written Acknowledgment Form. All patients are asked to acknowledge receipt using this form.
  • The Practice obtains written acknowledgment from the patient or legal guardian prior to engaging in treatment, payment, or healthcare operations.
  • An individual has a right to receive an accounting of disclosures of PHI made by a covered entity in the three years prior to the date on which the accounting is requested, except for disclosures defined in HIPAA. The Practice obtains written authorization for use or disclosure of PHI in connection with research and marketing.
  • The Practice discloses only the minimum PHI to requesting entities and insurance companies in order to accomplish the intended purpose.
  • As a covered entity, the Practice fully complies with the HIPAA Privacy Rule, effective April 14, 2003.
  • The Practice provides the patient, in the Notice of Privacy Practices, a clear, written explanation of how a covered entity may use PHI.
  • Patients can request a correction or amendment to their PHI. Any allowed amendment must be made as a written amendment; no changes are made directly to the medical record. The Practice must inform patients that a written request for a correction or amendment is required, and that the patient is required to provide a reason to support the requested change. The amendment is accepted or denied in a provider’s written response, on a Disposition of Amendment Request.
  • Patients can have access to their medical records. If the Practice is unable to provide copies based upon the HIPAA guidelines, written notice, in the form of the Patient Denial Letter, is provided to the patient.
  • Anyone who feels the confidentiality of a patient’s PHI has been violated may submit a Patient Complaint to the Privacy and Security Officer. Complaints are kept confidential, and no repercussion may occur due to the report. Complaints are logged in the Privacy and Security Officer’s Incident Event Log.
  • Sanctions are imposed upon employees who violate the privacy of a patient’s PHI; sanctions may vary from a warning to termination.
  • All employees of the Practice receive initial and ongoing training on how to prevent misuse of PHI and how to obtain authorization for its use.
  • The Practice secures a Business Associate Agreement between the Practice and other covered entities that share PHI. The Practice and other entities performing services on behalf of the Practice release no PHI to employers or financial institutions without explicit authorization from the patient or legal guardian.
  • Electronic, physical, and logistical safeguards are implemented to secure the confidentiality of all patients’ PHI.
  • The Practice maintains secure, electronic access to patient data when its providers require it.
  • The patient may submit a Request for Limitations and Restrictions of Protected Health Information.