Privacy Policy
Dr. Watson, DDS, MS, PA / Orthodontics1.net

PRIVACY NOTICE
As Outlined by the American Association of Orthodontists

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
Your protected health information (i.e., individually identifiable information, such as names, dates, phone/fax numbers, email addresses, home addresses, social security numbers, and demographic data) may be used or disclosed by us in one or more of the following respects:

  1. To other health care providers (i.e., your general dentist, oral surgeon, etc.) in connection with our rendering orthodontic treatment to you (i.e., to determine the results of cleanings, surgery, etc.);
  2. To third party payors or spouses (i.e., insurance companies, employers with direct reimbursement, administrators of flexible spending accounts, etc.) in order to obtain payment of your account (i.e., to determine benefits, dates of payment, etc.);
  3. To certifying, licensing and accrediting bodies (i.e., the American Board of Orthodontics, state dental boards, etc.) in connection with obtaining certification, licensure or accreditation;
  4. Internally, to all staff members who have any role in your treatment;
  5. To other patients and third parties who may see or overhear incidental disclosures about your treatment, scheduling, etc.;
  6. To your family and close friends involved in your treatment; and/or,
  7. We may contact you to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to you.
Any other uses or disclosures of your protected health information will be made only after obtaining your written authorization, which you have the right to revoke.

Under the new privacy rules, you have the right to:

  1. Request restrictions on the use and disclosure of your protected health information;
  2. Request confidential communication of your protected health information;
  3. Inspect and obtain copies of your protected health information through asking us;
  4. Amend or modify your protected health information in certain circumstances;
  5. Receive an accounting of certain disclosures made by us of your protected health information; and,
  6. You may, without risk of retaliation, file a complaint as to any violation by us of your privacy rights with us (by submitting inquiries to our Privacy Contact Person at our office address) or the United States Secretary of Health and Human Services (which must be filed within 180 days of the violation).
We have the following duties under the privacy rules:

  1. By law, to maintain the privacy of protected health information and to provide you with this notice setting forth our legal duties and privacy practices with respect to such information;
  2. To abide by the terms of our Privacy Notice that is currently in effect;
  3. To advise you of our right to change the terms of this Privacy Notice and to make the new notice provisions effective for all protected health information maintained by us, and that if we do so, we will provide you with a copy of the revised Privacy Notice.

Please note that we are not obligated to:

  1. Honor any request by you to restrict the use or disclosure of your protected health information;
  2. Amend your protected health information if, for example, it is accurate and complete; or,
  3. Provide an atmosphere that is totally free of the possibility that your protected health information may be incidentally overheard by other patients and third parties.
If you have any questions about the information in this Notice, please ask for our Privacy Contact Person or direct your questions to this person at our office address. Thank you.

Please note our internet site is secure and we use firewalls at our offices. You will notice the security lock at the bottom right of each webpage through our patient portal.

Our orthodontic software vendor is PracticeWorks. Here is their HIPAA compliance statement:

"The Health Insurance Portability and Accountability Act (HIPAA) was signed into law August 21, 1996. This industry sweeping, landmark legislation affects nearly everyone involved in the healthcare process from providers to healthcare information systems vendors to payers. HIPAA contains provisions for the portability of insurance coverage as employees move from one employer to another. It also contains provisions for Administrative Simplification covering privacy and security of healthcare information and for government-mandated Standards for electronic Transactions, Code Sets and Identifiers.
HIPAA Administrative Simplification provisions require the protection of patient data from inappropriate disclosure, define the type of information that must be protected, and define the circumstances under which this information can be disclosed. HIPAA Administrative Simplification Security provisions define the policies, practices, and mechanisms that should be in place to ensure that the privacy of healthcare information is maintained.
The goals of the Administrative Simplification provisions of HIPAA are to improve the efficiency and effectiveness of healthcare through standardization of all shared electronic information, protect the privacy and security of patient information stored and exchanged electronically and reduce the cost of exchanging information among healthcare partners. HIPAA legislation will restructure the approach in which health data is captured, transmitted, stored, secured and managed. It will affect healthcare policy, procedure, and information technology. Those payers and providers that choose not to use the electronic standards can use a clearinghouse to comply with the requirement. Providers' paper transactions are not subject to this requirement.
The Administrative Simplification portion of HIPAA drew heavily from the work developed by the Workgroup for Electronic Data Interchange (WEDi). Their report, published in July 1992, proposed the use of standard transactions and codes for healthcare transactions, and the use of national identifiers for patients, providers and health plans. As a result, HIPAA Administrative Simplification establishes standards for the format and data content of various healthcare transactions. It also sets minimum requirements for the transmission, storage and handling of healthcare information.
The following deadlines exist relating to HIPAA Administrative Simplification:
Standards for Electronic Transactions (Compliance Date: October 16, 2002, with an extension allowed until October 16, 2003 for entities that filed for an extension with Secretary of Department of Health and Human Services (HHS) by October 16, 2002, the original compliance date) CMS (Centers for Medicare and Medicaid Services) has indicated that a covered entity that did not submit an extension request should come into compliance as soon as possible and be prepared to submit a corrective action plan in the event a complaint is filed against them. CMS has also indicated that penalties for non-compliance would not be automatically imposed on entities that did not file for the extension. The process leading to these penalties will be initiated primarily in response to an external complaint filed against a covered entity. If a complaint is received, the entity will have opportunities to avoid penalties by demonstrating compliance, or showing how they will achieve compliance by submitting a corrective action plan. Only when an entity does none of these things would CMS give consideration to invoking civil monetary penalties or excluding a provider from Medicare. Please refer to http://www.cms.gov/hipaa/.
It is important to note that the compliance date for Privacy, April 14, 2003, is not affected by this legislation.
Standards for Privacy (Compliance Date: April 14, 2003)
Standards for Security (Compliance Date: Not Yet Set)
Organizations governed by the new rules, or "covered entities," are defined as health plans, healthcare clearinghouses and healthcare providers who transmit healthcare information electronically for the purposes identified under the HIPAA transaction Standards.
The Privacy Standard
The Privacy Standards apply to "individually-identifiable health information" transmitted or stored in any form ("paper, oral, or electronic") that concern the individual's past, present, or future physical or mental health, or that relates to the provision of health care to or payment of health care for the individual.
The phrase "individually identifiable health information" refers to any health-related information that could be used to identify an individual. Examples include but are not limited to the following:

  1. Names
  2. Addresses
  3. Cities and countries
  4. Phone numbers
  5. Fax numbers
  6. addresses
  7. Web addresses (URLs)
  8. IP addresses
  9. Certificate numbers
  10. License numbers
  11. Zip codes
  12. Account numbers
  13. Birth dates
Patients are afforded a number of new rights under the Privacy Standards, including the right to adequate notice of privacy policies, the right to access protected health information, the right to an accounting of disclosures and the right to request amendment of protected health information. Covered entities are obligated to implement a number of administrative requirements (including privacy initiatives, security administration, physical and technical security safeguards for information), in order to honor these patient rights and achieve compliance with the other provisions of the rule. Covered entities will generally be permitted to disclose protected health information to "business associates," provided that they obtain contractual assurances from the business associate that it will safeguard the information. A business association is created when the right to use or disclose information belongs to the covered entity and another party requires the information either (1) to perform a function for, or on behalf of the covered entity (e.g. billing or practice management services) or (2) to provide certain specified services (e.g., legal and accounting) to the covered entity. A business associate contract is not required where a disclosure is made for treatment purposes from one provider to another.
PracticeWorks will be a business associate with respect to certain of our products and services and is committed to safeguarding any protected health information it might receive. We are in the process of revising our vendor agreements to include appropriate Business Associate language.
HHS' Office of Civil Rights (OCR) has been charged with enforcing the Privacy Standards, and its focus will be on achieving organizations' voluntary compliance with the rule. Where this goal cannot be attained, the HIPAA statute establishes a range of civil and criminal penalties for violation of the Privacy Standards. HHS has emphasized that the Privacy Standards are intended to be "scalable" so that they can be implemented appropriately with different types of covered entities ranging from one-provider dental and physician practices to national hospital chains.
The Transaction Standard
HIPAA contains provisions for Administrative Simplification covering privacy and security of healthcare information including government-mandated Standards for electronic transactions.
The Transaction Standards covered by HIPAA include the following types of transactions:

  1. Healthcare claims or equivalent encounter information;
  2. Eligibility for a health plan;
  3. Referral certification and authorization;
  4. Healthcare claim status;
  5. and disenrollment in a health plan;
  6. Healthcare payment and remittance advice;
  7. Health plan premium payments;
  8. Coordination of benefits.
The HIPAA Transaction Standards rules define a special role for Healthcare Clearinghouses, allowing them to provide services to translate non-compliant data into standard electronic formats. This role is particularly important to our existing practice management clients, since it provides a mechanism for them to meet the HIPAA Transaction Standards’ compliance requirements without the substantial investment in software or hardware upgrades that would be required to process these transactions directly. As part of our commitment to our customers, PracticeWorks developed an implementation schedule in 2001 that would bring transactions currently offered by our company into compliance by the original deadline of October 16, 2002. The PracticeWorks Electronic Services clearinghouse, which directly handles transactions for a large percentage of our clients, has purchased and integrated translation software into our clearinghouse operations to convert non-compliant transactions into compliant transactions as provided under HIPAA regulations.
The PracticeWorks Electronic Services division has already been certified by an independent testing facility (Claredi) as compliant for claim transactions. See details by clicking on the icon on the right.
Additionally, PracticeWorks has assessed the ability of its products to generate the electronic data content required to be able to comply with HIPAA Transaction Standards for primary claim submission. Certain code sets, which expand the range of values for existing data content elements (i.e., “Place of Service” and “Patient Relationship to Insured”) need to be expanded in a number of products. We are currently evaluating the feasibility of implementing these changes into our products prior to October 2003, and PracticeWorks will notify clients when these product updates are available.
As the PracticeWorks implementation plan was being executed in late 2001 and early 2002, it became clear that some of our clearing service business associates were not able to meet their initial schedules for testing transaction compliance. Several of these business associates have now filed for an extension to the Electronic Health Care Transaction and Code Sets Compliance deadline, which allows them to defer compliance until October 16, 2003. Although our business associates are also working on their HIPAA compliance, and have committed to be compliant by the new deadline of October 16, 2003, PracticeWorks also filed for and received an extension because PracticeWorks will not be able to send compliant transactions if any of its business associates handling covered transactions are not in compliance.
As additional transactions are enabled for our clients, some software upgrades will be required in order for clients to take advantage of the advanced features and expanded code sets available through the HIPAA Transaction Standards. However, clients using PracticeWorks Electronic Services and its Business Associates to send electronic transactions will be compliant under the HIPAA Transaction regulations, with the exceptions as noted above regarding the use of certain expanded code sets, when our clearinghouse operations, our business associates, and the insurance companies receiving the transactions have completed their compliance efforts, but no later than October 16, 2003.
The American Dental Association (ADA) is one of the Designated Standards Maintenance Organizations (DSMO) for HIPAA. DSMOs are organizations identified to maintain standards for healthcare transactions adopted by the Secretary of HHS, and receive and process requests for adopting a new standard or modifying an adopted standard. The ADA is responsible for maintaining the CDT-3 and CDT-4 code sets (Dental Procedure Codes), and for making recommendations for changes to the transaction standards to accommodate specific dental requirements. The ADA web site also provides assistance to dental practices in understanding HIPAA requirements.
The Security Standard
The final HIPAA Security regulation has not yet been published, but CMS has estimated that it will be released on December 27, 2002, and compliance will be required two years and sixty days following final publication. The Security Standards include provisions for Security Administration, Physical Security, and Technical Security Services and Mechanisms designed to protect the confidentiality, integrity, and availability of protected patient health information. Specific controls required to comply with the Security requirements must be interwoven into the operational and information management systems of healthcare providers and their business associates.
Conclusion
It is only through employee training, operating procedures, and the information processing tools provided by PracticeWorks and similar vendors that healthcare providers will actually have the ability to meet HIPAA's requirements. It is important to note that there are no particular requirements posed by the Privacy Standards or the proposed Security Standards that mandate any particular software mechanism or functionality; however, it is clear that some software changes will likely be necessary to enable users to meet the final requirements.
PracticeWorks' products and operations are currently under internal review to determine the most appropriate and desirable manner for our products and services to fulfill their role in our customers' operating environment."

If you are accessing your Invisalign case, here is Invisalign's HIPAA Compliance statement:

"Align would like you to know that our interface with our customers is HIPAA compliant. Furthermore, you and your practice by no means risk becoming non-compliant with the HIPAA regulations by interacting in any way with Align, or through your use of Invisalign in your practice. Your interactions with Align through our web site are HIPAA-compliant because: Patient data is sent in a proprietary format that can only be reviewed through Align's ClinCheck® software, which is only distributed to authorized users after their credentials have been verified and they have been trained to use the Invisalign®; The web site is password-protected and password security procedures are enforced; and Patient data resides behind Align's firewall in a secure manner. As a result, doctors can be assured that patient information is well protected when they access our web site. Align Technology's senior management has committed significant resources to addressing HIPAA regulations. Align has established a corporate, multi-disciplinary team to study the impact of HIPAA standards, develop a management strategy and ensure that Align meets any applicable standards in advance of the corresponding deadline. You can also be confident that Align Technology already maintains a heightened sensitivity to client and personal information. Our employees handle sensitive and personal information in a manner that ensures confidentiality. Our deep-rooted concern with preserving patient confidentiality is reflected in the care that Align puts in designing its software and communication network."