Notice of Privacy Practices

Purpose of This Notice

Irene S. Olaes, DMD ("Practice," "We," or "Our") respects your privacy. We are legally required to maintain the privacy of your protected health information ("PHI") under the Health Insurance Portability and Accountability Act ("HIPAA") and other federal and state laws. We follow California state privacy laws, including when they are stricter or more protective of your PHI than federal law.

This Notice describes:

• Our legal duties and privacy practices regarding your PHI
• Our duty to notify you following a data breach of your unsecured PHI
• Our permitted uses and disclosures of your PHI
• Your rights regarding your PHI

What is Protected Health Information (PHI)?

Your PHI is health information about you:

• Which someone may use to identify you
• Which we keep or transmit in electronic, oral, or written form

PHI includes information such as your:

• Name and contact information
• Past, present, or future physical or mental health conditions
• Dental treatment records, X-rays, and clinical notes
• Payment information for health care products or services
• Insurance information

Your Rights

When it comes to your health information, you have certain rights:

Right to Access Your PHI

You can ask to see or obtain an electronic or paper copy of the PHI that we maintain about you. You may also request a summary or explanation of your PHI.

• We may require you to make access requests in writing
• We may charge a reasonable, cost-based fee for copying, mailing, or other supplies
• You may request that we send a copy to a family member or designated person
• We will generally respond within 30 days
• We may deny access in certain limited circumstances, but will provide written reasons and explain your right to appeal

Right to Request Corrections

You may ask us to correct or amend PHI that you believe is incorrect or incomplete.

• Submit requests in writing, specifying the inaccurate information and your reason
• We will respond within 60 days (with possible 30-day extension)
• We may deny if the information is accurate, was not created by us, or is not part of your designated record
• If denied, you may submit a written statement of disagreement

Right to Request Restrictions

You have the right to ask us to limit what we use or share about your PHI for treatment, payment, or operations, or with certain persons involved in your care.

• We are not required to agree to all restrictions
• We may say "no" if it would affect your care
• We will agree not to disclose information to a health plan for services you paid in full out-of-pocket, unless required by law

Right to an Accounting of Disclosures

You have the right to request a list of certain PHI disclosures we have made.

• We will respond within 60 days
• The list will not include disclosures for treatment, payment, or health care operations
• We will provide one accounting per year for free; additional requests may incur a reasonable fee

Right to Request Confidential Communications

You have the right to ask that we communicate with you about health matters in a certain way or at a certain location. For example, you can ask that we contact you only at work or at a specific address.

• We will not ask for a reason
• You must specify how or where you wish to be contacted
• We will accommodate all reasonable requests

Right to Choose a Personal Representative

If you have given someone medical power of attorney or if someone is your legal guardian, that person can exercise your rights and make choices about your PHI. We will confirm their authority before taking action.

Right to File a Complaint

You have the right to complain if you feel we have violated your rights. We will not retaliate against you for filing a complaint.

You may file a complaint:

• Directly with us by contacting our Privacy Officer at the address above
• With the Office for Civil Rights at the U.S. Department of Health and Human Services at www.hhs.gov/ocr/privacy/hipaa/complaints/

Your Choices

For certain health information, you can tell us your choices about what we share. Contact us if you have a clear preference for how we share your information in these situations:

Sharing with Family and Friends

You can tell us whether to share information about your condition or location with family members, close friends, or others involved in your care.

Disaster Relief

You can tell us whether to share your information with a relief organization to help locate or notify family in a disaster.

If You Cannot Tell Us Your Preference

If you are unable to tell us your preference (for example, if you are unconscious), we may share your information if we believe it is in your best interest or when needed to lessen a serious and imminent threat to health or safety.

We Will Not Share Without Your Written Permission

• Marketing purposes
• Sale of your information (we never sell PHI)
• Certain research activities
• Most sharing of psychotherapy notes (if applicable)

You may revoke your authorization at any time in writing, but it will not affect information we already used or disclosed.

How We Use and Disclose Your PHI

Treatment

We may use or disclose your PHI to provide, coordinate, and manage your dental care. For example, we might share information with specialists, laboratories, or other healthcare providers involved in your treatment.

Payment

We may use and disclose your PHI to bill and collect payment from you, your insurance company, or other third parties. This includes verifying benefits, submitting claims, and processing payments.

Healthcare Operations

We may use and disclose your PHI to run our practice, improve your care, train staff, conduct quality assessments, and perform administrative functions.

As Required by Law

We will share information when required by federal, state, or local law, including reporting certain conditions to public health authorities.

Public Health and Safety

We may share your PHI to:

• Report injuries, births, and deaths
• Prevent disease
• Report adverse reactions to medications
• Report suspected child neglect or abuse, or domestic violence
• Avert a serious threat to public health or safety

Legal Proceedings

We may share your PHI in response to court orders, subpoenas, discovery requests, or other lawful legal processes.

Research

We may share your PHI for certain types of health research that do not require your authorization, such as when an institutional review board has waived the authorization requirement.

Other Government Functions

We may use and disclose your PHI for:

• Workers' compensation claims
• Health oversight activities
• Law enforcement purposes
• Coroners, medical examiners, or funeral directors
• Specialized government functions (military, national security, etc.)

Business Associates

We may share your PHI with outside persons or entities that perform services on our behalf (such as billing companies, IT services, or laboratories). These Business Associates are required by law and contract to protect your PHI.

Minimum Necessary Standard

When using or disclosing PHI, we make reasonable efforts to limit the information to the minimum necessary to accomplish the intended purpose.

Data Breach Notification

We will promptly notify you within the legally required time frame (generally within 60 days) if a data breach occurs that may have compromised the privacy or security of your PHI.

• We will notify you in writing by first-class mail, or by email if you have agreed to receive electronic notices
• The notice will describe what happened, types of information involved, and steps you can take
• We will also notify appropriate regulatory authorities as required by law

Changes to This Notice

We reserve the right to change the terms of this Notice at any time. Changes will apply to all information we have about you. The new notice will be available upon request, posted in our office, and on our website.

Contact Information

If you have any questions about this Notice or wish to exercise your rights, please contact: