DynaFlex HIPAA Notice of Privacy Practices
Effective August 12, 2019
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
This HIPAA Notice of Privacy Practices (the “Notice”) contains important information regarding your medical information. Our current Notice is posted on our website www.dynaflex.com. You also have the right to receive a paper copy of this Notice and may ask us to give you a copy of this Notice at any time. If you received this Notice electronically, you are entitled to a paper copy of this Notice. If you have any questions about this Notice please contact the person listed in Part 8, below.
DynaFlex is a dental, orthodontic and sleep laboratory business regulated by the F.D.A. Your dentist, orthodontist or other healthcare provider supplies us with certain individually identifiable health information (e.g. a dental script or teeth impression) in order for us to conduct our business and supply devices to your provider who delivers them to you and supervises your care. DynaFlex does not practice medicine and does not sell devices directly to patients. DynaFlex does not collect medical information except through a health care practitioner.
The Health Insurance Portability and Accountability Act of 1996 (”HIPAA”) imposes numerous requirements on handlers of individually identifiable health information – known as protected health information or PHI – including how it may be used and disclosed. This Notice describes how Ortho Solutions, LC d/b/a DynaFlex (the “DynaFlex”), and any third party that assists us in our business, may use and disclose your protected health information for treatment, payment, or health care operations and for other purposes that are permitted or required by law. This Notice also describes your rights to access and control your protected health information. “Protected health information” is information that is maintained or transmitted by DynaFlex, which may identify you and that relates to your past, present, or future physical condition and related health care services (including dental, orthodontic and sleep medicine care and devices).
We understand that medical information about you and your health is personal. We are committed to protecting medical information about you and will use it to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request of it. This Notice applies to all of the medical records we maintain.
Your personal doctor or health care provider may have different policies or notices regarding their use and disclosure of your medical information.
We are required by law to abide by the terms of this Notice to:
- Make sure that medical information that identifies you is kept private.
- Give you this Notice of our legal duties and privacy practices with respect to medical information about you.
- Follow the terms of the Notice that is currently in effect.
It is important to note that these rules do not apply to DynaFlex as an employer.
- How We May Use and Disclose Medical Information About You. HIPAA generally permits use and disclosure of your health information without your permission for purposes of health care treatment, payment activities, and health care operations. These uses and disclosures are more fully described below. Please note that this Notice does not list every use or disclosure; instead it gives examples of the most common uses and disclosures.
- Treatment: When and as appropriate, we may use or disclose medical information about you to facilitate medical treatment or services by providers. The medical information generally comes from your dental, orthodontic or other health care provider so we can manufacture a medical device for you (e.g. a retainer or brackets for your teeth). We may use medical information about you to advise your health care provider regarding the proper placement or use of the medical device.
- Payment: When and as appropriate, we may use and disclose medical information about you to facilitate payment for the medical devices you receive from health care providers which are manufactured or sold by DynaFlex. For example, a patient name and description of the device is required on our invoices to your provider.
- Health Care Operations: When and as appropriate, we may use and disclose medical information about you for DynaFlex operations, as needed. For example, we may use medical information in connection with: conducting quality assessment and administration improvement; or conducting or arranging for medical review, legal services, and audit services.
We will always try to ensure that the medical information used or disclosed is limited to a “Designated Record Set” and to the “Minimum Necessary” standard, including a “limited data set,” as defined in HIPAA and ARRA (as defined in Part 3, below) for these purposes.
OTHER PERMITTED USES AND DISCLOSURES
- To Comply with Federal and State Requirements: We will disclose medical information about you when required to do so by federal, state, or local law. For example, we may disclose medical information when required by the Food & Drug Administration or other government agencies that regulate us; to federal, state, and local law enforcement officials; and in response to a judicial order, subpoena, or other lawful process. We are required to disclose medical information about you to the Secretary of the U.S. Department of Health and Human Services if the Secretary is investigating or determining compliance with HIPAA. We may disclose your medical information to a health oversight agency for activities authorized by law (such as audits, investigations, inspections, and licensure).
- Business Associates: We may disclose your medical information to our business associates. We have contracted with entities (defined as “business associates” under HIPAA) to help us conduct our business. We will enter into contracts with these entities requiring them to only use and disclose your health information as we are permitted to do so under HIPAA.
Uses and disclosures other than those described in this Notice will require your written authorization. Your written authorization is required for: uses and disclosures of PHI for marketing purposes; and disclosures that are a sale of PHI. You may revoke your authorization at any time, but you cannot revoke your authorization if DynaFlex has already acted on it.
The privacy laws of a particular state or other federal laws might impose a more stringent privacy standard. If these more stringent laws apply, DynaFlex will follow that more stringent privacy standard.
- Your Rights Regarding Medical Information About You. You have the following rights regarding medical information that we maintain about you:
- Right to Inspect and Copy: You have the right to inspect and obtain a copy of your medical information that may be used to make your medical device.
- If you request a copy of the information, we may charge a fee for the costs of copying, mailing, or other supplies associated with your request which must be paid in advance of delivery.
- We may deny your request to inspect and copy in certain very limited circumstances. If you are denied access to medical information, you may request that the denial be reviewed. Generally, you should contact your health care provider first as he or she is the source of the medical information we have for you.
- Your Right to Amend: If you feel that medical information we have about you is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as the information is kept by DynaFlex. Before you contact us to amend, we request that you contact the health care provider who supervises your care and ask them to handle any amendment and send it on to us for our updated records.
- You also must provide a reason that supports your request.
- We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend any of the following information:
- Information that was not created by us, unless the person or entity that created the information is no longer available to make the amendment.
- Information that is not part of the information which you would be permitted to inspect and copy.
- Information that is accurate and complete.
- Your Right to an Accounting of Disclosures: You have the right to request an “accounting of disclosures” (that is, a list of certain disclosures DynaFlex has made of your health information). Generally, you may receive an accounting of disclosures if the disclosure is required by law, made in connection with public health activities, or in situations similar to those listed above as “Other Permitted Uses and Disclosures”. You do not have a right to an accounting of disclosures where such disclosure was made:
- For treatment, payment, or health care operations.
- To you about your own health information.
- Incidental to other permitted disclosures.
- Where authorization was provided.
- As part of a limited data set where the information disclosed excludes identifying information.
- To request this list or accounting of disclosures, you must submit your request, which shall state a time period, which may not be longer than six years and may not include dates before April 14, 2003. Your request should indicate in what form you want the list (for example, paper or electronic). The first list you request within a 12-month period will be free. For additional lists, we may charge you for the costs of providing the list. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred.
Notwithstanding the foregoing, you may request an accounting of disclosures of any “electronic health record” (that is, an electronic record of health-related information about you that is created, gathered, managed, and consulted by authorized health care clinicians and staff). To do so, however, you must submit your request and state a time period, which may be no longer than three years prior to the date on which the accounting is requested. In the case of any electronic heath record created on your behalf on or before January 1, 2009, this paragraph shall apply to disclosures made on or after January 1, 2014. In the case of any electronic health record created on your behalf after January 1, 2009, this paragraph shall apply to disclosures made on or after the later of January 1, 2011, or the date we acquired the electronic health record.
- Your Right to Request Restrictions: You have the right to request a restriction or limitation on the medical information we use or disclose about you for treatment, payment, or health care operations. You also have the right to request a limit on the medical information we disclose about you to someone who is involved in your care or the payment for your care, like a family member or friend.
- We are not required to agree to your request. If DynaFlex does agree to a request, a restriction may later be terminated by your written request, by agreement between you and DynaFlex, or unilaterally by DynaFlex for health information created or received after DynaFlex has notified you that they have removed the restrictions and for emergency treatment.
- To request restrictions, you must make your request in writing and must tell us the following information:
- What information you want to limit.
- Whether you want to limit our use, disclosure, or both.
- To whom you want the limits to apply (for example, disclosures to a family member).
- Right to Request Confidential Communications: You have the right to request that we communicate with you about medical records in a certain way or at a certain location. For example, you can ask that we only contact you at work or by mail. As a reminder, we only do business with health care professionals and not directly with patients. We cannot respond to requests to manufacture or change any medical device from a patient. Please contact your health care provider first.
- We will not ask you the reason for your request. We will accommodate all reasonable requests. Your request must specify how or where you wish to be contacted.
You must make any of the requests described above, to the person listed in Part 8, below.
- Breach Notification. Pursuant to changes to HIPAA required by the Health Information Technology for Economic and Clinical Health Act of 2009 and its implementing regulations (collectively, “the HITECH Act”) under the American Recovery and Reinvestment Act of 2009 (”ARRA”), this Notice also reflects federal breach notification requirements imposed on DynaFlex in the event that your “unsecured” protected health information (as defined under the HITECH Act) is acquired by an unauthorized party.
We understand that medical information about you and your health is personal and we are committed to protecting your medical information. Furthermore, we will notify you following the discovery of any “breach” of your unsecured protected health information as defined in the HITECH Act (the “Notice of Breach”). Your Notice of Breach will be in writing and provided via first-class mail.
- Changes to This Notice. We can change the terms of this Notice at any time. If we do, the new terms and policies will be effective for all of the medical information we already have about you as well as any information we receive in the future. We will post a copy of the changed Notice on our website with a new effective date.
- Complaints. If you believe your privacy rights have been violated, you may file a complaint with DynaFlex. To file a complaint with DynaFlex, contact the person listed in Part 8, below.
All complaints must be submitted in writing.
You will not be penalized for filing a complaint.
- Other Uses of Medical Information. Other uses and disclosures of medical information that are not covered by this Notice or the laws that apply to us will be made only with your written permission. If you grant us permission to use or disclose medical information about you, you may revoke that permission, in writing, at any time. If you revoke your permission, we will no longer use or disclose medical information about you for the reasons covered by your written authorization. You understand that we are unable to take back any disclosures we have already made with your permission, and that we may be required to retain our records related to your medical device or care related to your medical device.
- Effective Date. The effective date of this Notice is August 12, 2019.
- Contact Information. All correspondence relating to the contents of this Notice should be directed as follows:
Attn: Maureen M Miller, Esq.
8050 Hawk Ridge Trail
Lake St. Louis, Missouri 63367