HIPPA Privacy Policy

Effective date: August 17, 2018

for the Healthcare Facility of:
Hands for Life Therapy, LLC
3 North River Street, Unit 5
Plains, PA 18705


For purposes of this Notice “us” “we” and “our” refers to the Name of this Healthcare Facility:
Hands for Life Therapy, LLC and “you” or “your” refers to our patients (or their legal
representatives as determined by us in accordance with state informed consent law). When
you receive healthcare services from us, we will obtain access to your medical information (i.e.
your health history). We are committed to maintaining the privacy of your health information
and we have implemented numerous procedures to ensure that we do so.
The Federal Health Insurance Portability & Accountability Act of 2013, HIPAA Omnibus Rule,
(formally HIPAA 1996 & HI TECH of 2004) require us to maintain the confidentiality of all your
healthcare records and other identifiable patient health information (PHI) used by or disclosed
to us in any form, whether electronic, on paper, or spoken. HIPAA is a Federal Law that gives
you significant new rights to understand and control how your health information is used.
Federal HIPAA Omnibus Rule and state law provide penalties for covered entities, business
associates, and their subcontractors and records owners, respectively that misuse or improperly
disclose PHI.

Starting April 14, 2003, HIPAA requires us to provide you with the Notice of our legal duties and
the privacy practices we are required to follow when you first come into our office for healthcare
services. If you have any questions about this Notice, please ask to speak to our HIPAA
Privacy Officer.

Our doctors, clinical staff, employees, Business Associates (outside contractors we hire), their
subcontractors and other involved parties follow the policies and procedures set forth in this
Notice. If at this facility, your primary caretaker / doctor is unavailable to assist you (i.e. illness,
on-call coverage, vacation, etc.), we may provide you with the name of another healthcare
provider outside our practice for you to consult with. If we do so, that provider will follow the
policies and procedures set forth in this Notice or those established for his or her practice, so long
as they substantially conform to those for our practice.

Under the law, we must have your signature on a written, dated Consent Form and/or an
Authorization Form of Acknowledgement of this Notice, before we will use or disclose your PHI for
certain purposes as detailed in the rules below.

Documentation – You will be asked to sign an Authorization / Acknowledgement form when you
receive this Notice of Privacy Practices. If you did not sign such a form or need a copy of the
one you signed, please contact our Privacy Officer. You may take back or revoke your consent
or authorization at any time (unless we already have acted based on it) by submitting our
Revocation Form in writing to us at our address listed above. Your revocation will take effect
when we actually receive it. We cannot give it retroactive effect, so it will not affect any use or
disclosure that occurred in our reliance on your Consent or Authorization prior to revocation (i.e.
if after we provide services to you, you revoke your authorization / acknowledgement in order to
prevent us billing or collecting for those services, your revocation will have no effect because we
relied on your authorization/ acknowledgement to provide services before you revoked it).
General Rule – If you do not sign our authorization/ acknowledgement form or if you revoke it, as
a general rule (subject to exceptions described below under “Healthcare Treatment, Payment
and Operations Rule” and “Special Rules”), we cannot in any manner use or disclose to anyone
(excluding you, but including payers and Business Associates) your PHI or any other information
in your medical record. By law, we are unable to submit claims to payers under assignment of
benefits without your signature on our authorization/ acknowledgement form. You will however
be able to restrict disclosures to your insurance carrier for services for which you wish to pay “out
of pocket” under the new Omnibus Rule. We will not condition treatment on you signing an
authorization / acknowledgement, but we may be forced to decline you as a new patient or
discontinue you as an active patient if you choose not to sign the authorization/
acknowledgement or revoke it.

Healthcare Treatment, Payment and Operations Rule
With your signed consent, we may use or disclose your PHI in order:
• To provide you with or coordinate healthcare treatment and services. For example, we
may review your health history form to form a diagnosis and treatment plan, consult with
other doctors about your care, delegate tasks to ancillary staff, call in prescriptions to
your pharmacy, disclose needed information to your family or others so they may assist
you with home care, arrange appointments with other healthcare providers, schedule
lab work for you, etc.
• To bill or collect payment from you, an insurance company, a managed-care
organization, a health benefits plan or another third party. For example, we may need
to verify your insurance coverage, submit your PHI on claim forms in order to get
reimbursed for our services, obtain pre-treatment estimates or prior authorizations from
your health plan or provide your x-rays because your health plan requires them for
payment; Remember, you will be able to restrict disclosures to your insurance carrier for
services for which you wish to pay “out of pocket” under this new Omnibus Rule.
• To run our office, assess the quality of care our patients receive and provide you with
customer service. For example, to improve efficiency and reduce costs associated with
missed appointments, we may contact you by telephone, mail or otherwise remind you
of scheduled appointments, we may leave messages with whomever answers your
telephone or email to contact us (but we will not give out detailed PHI), we may call you
by name from the waiting room, we may ask you to put your name on a sign-in sheet,
(we will cover your name just after checking you in), we may tell you about or
recommend health-related products and complementary or alternative treatments that
may interest you, we may review your PHI to evaluate our staff’s performance, or our
Privacy Officer may review your records to assist you with complaints. If you prefer that
we not contact you with appointment reminders or information about treatment
alternatives or health-related products and services, please notify us in writing at our
address listed above and we will not use or disclose your PHI for these purposes.
• New HIPAA Omnibus Rule does not require that we provide the above notice regarding
Appointment Reminders, Treatment Information or Health Benefits, but we are including
these as a courtesy so you understand our business practices with regards to your (PHI)
protected health information.
Additionally you should be made aware of these protection laws on your behalf, under the new
HIPAA Omnibus Rule:
• That Health Insurance plans that underwrite cannot use or disclose genetic information
for underwriting purposes (this excludes certain long-term care plans). Health plans that
post their NOPPs on their web sites must post these Omnibus Rule changes on their sites
by the effective date of the Omnibus Rule, as well as notify you by US Mail by the
Omnibus Rules effective date. Plans that do not post their NOPPs on their Web sites must
provide you information about Omnibus Rule changes within 60 days of these federal
• Psychotherapy Notes maintained by a healthcare provider, must state in their NOPPs
that they can allow “use and disclosure” of such notes only with your written

Special Rules
Notwithstanding anything else contained in this Notice, only in accordance with applicable
HIPAA Omnibus Rule, and under strictly limited circumstances, we may use or disclose your PHI
without your permission, consent or authorization for the following purposes:
• When required under federal, state or local law
• When necessary in emergencies to prevent a serious threat to your health and safety or
the health and safety of other persons
• When necessary for public health reasons (i.e. prevention or control of disease, injury or
disability, reporting information such as adverse reactions to anesthesia, ineffective or
dangerous medications or products, suspected abuse, neglect or exploitation of
children, disabled adults or the elderly, or domestic violence)
• For federal or state government health-care oversight activities (i.e. civil rights laws, fraud
and abuse investigations, audits, investigations, inspections, licensure or permitting,
government programs, etc.)
• For judicial and administrative proceedings and law enforcement purposes (i.e. in
response to a warrant, subpoena or court order, by providing PHI to coroners, medical
examiners and funeral directors to locate missing persons, identify deceased persons or
determine cause of death)
• For Worker’s Compensation purposes (i.e. we may disclose your PHI if you have claimed
health benefits for a work-related injury or illness)
• For intelligence, counterintelligence or other national security purposes (i.e. Veterans
Affairs, U.S. military command, other government authorities or foreign military authorities
may require us to release PHI about you)
• For organ and tissue donation (i.e. if you are an organ donor, we may release your PHI to
organizations that handle organ, eye or tissue procurement, donation and
• For research projects approved by an Institutional Review Board or a privacy board to
ensure confidentiality (i.e. if the researcher will have access to your PHI because involved
in your clinical care, we will ask you to sign an authorization)
• To create a collection of information that is “de-identified” (i.e. it does not personally
identify you by name, distinguishing marks or otherwise and no longer can be connected
to you)
• To family members, friends and others, but only if you are present and verbally give
permission. We give you an opportunity to object and if you do not, we reasonably
assume, based on our professional judgment and the surrounding circumstances, that
you do not object (i.e. you bring someone with you into the operatory or exam room
during treatment or into the conference area when we are discussing your PHI); we
reasonably infer that it is in your best interest (i.e. to allow someone to pick up your
records because they knew you were our patient and you asked them in writing with
your signature to do so); or it is an emergency situation involving you or another person
(i.e. your minor child or ward) and, respectively, you cannot consent to your care
because you are incapable of doing so or you cannot consent to the other person’s
care because, after a reasonable attempt, we have been unable to locate you. In
these emergency situations we may, based on our professional judgment and the
surrounding circumstances, determine that disclosure is in the best interests of you or the
other person, in which case we will disclose PHI, but only as it pertains to the care being
provided and we will notify you of the disclosure as soon as possible after the care is
completed. As per HIPAA law 164.512(j) (i)… (A) Is necessary to prevent or lessen a serious or imminent
threat to the health and safety of a person or the public and (B) Is to person or persons reasonably able
to prevent or lessen that threat.

Minimum Necessary Rule
Our staff will not use or access your PHI unless it is necessary to do their jobs (i.e. doctors
uninvolved in your care will not access your PHI; ancillary clinical staff caring for you will not
access your billing information; billing staff will not access your PHI except as needed to
complete the claim form for the latest visit; janitorial staff will not access your PHI). All of our
team members are trained in HIPAA Privacy rules and sign strict Confidentiality Contracts with
regards to protecting and keeping private your PHI. So do our Business Associates and their
Subcontractors. Know that your PHI is protected several layers deep with regards to our business
relations. Also, we disclose to others outside our staff, only as much of your PHI as is necessary to
accomplish the recipient’s lawful purposes. Still in certain cases, we may use and disclose the
entire contents of your medical record:
• To you (and your legal representatives as stated above) and anyone else you list on a
Consent or Authorization to receive a copy of your records
• To healthcare providers for treatment purposes (i.e. making diagnosis and treatment
decisions or agreeing with prior recommendations in the medical record)
• To the U.S. Department of Health and Human Services (i.e. in connection with a HIPAA
• To others as required under federal or state law
• To our privacy officer and others as necessary to resolve your complaint or accomplish
your request under HIPAA (i.e. clerks who copy records need access to your entire
medical record)
In accordance with HIPAA law, we presume that requests for disclosure of PHI from another
Covered Entity (as defined in HIPAA) are for the minimum necessary amount of PHI to
accomplish the requestor’s purpose. Our Privacy Officer will individually review unusual or nonrecurring
requests for PHI to determine the minimum necessary amount of PHI and disclose only
that. For non-routine requests or disclosures, our Privacy Officer will make a minimum necessary
determination based on, but not limited to, the following factors:
• The amount of information being disclosed
• The number of individuals or entities to whom the information is being disclosed
• The importance of the use or disclosure
• The likelihood of further disclosure
• Whether the same result could be achieved with de-identified information
• The technology available to protect confidentiality of the information
• The cost to implement administrative, technical and security procedures to protect
If we believe that a request from others for disclosure of your entire medical record is
unnecessary, we will ask the requestor to document why this is needed, retain that
documentation and make it available to you upon request.

Incidental Disclosure Rule
We will take reasonable administrative, technical and security safeguards to ensure the privacy
of your PHI when we use or disclose it (i.e. we shred all paper containing PHI, require employees
to speak with privacy precautions when discussing PHI with you, we use computer passwords
and change them periodically (i.e. when an employee leaves us), we use firewall and router
protection to the federal standard, we back up our PHI data off-site and encrypted to federal
standard, we do not allow unauthorized access to areas where PHI is stored or filed and/or we
have any unsupervised business associates sign Business Associate Confidentiality Agreements).
However, in the event that there is a breach in protecting your PHI, we will follow Federal Guide
Lines to HIPAA Omnibus Rule Standard to first evaluate the breach situation using the Omnibus
Rule, 4-Factor Formula for Breach Assessment. Then we will document the situation, retain
copies of the situation on file, and report all breaches (other than low probability as prescribed
by the Omnibus Rule) to the US Department of Health and Human Services at:
We will also make proper notification to you and any other parties of significance as required by

Business Associate Rule
Business Associates are defined as: an entity, (non-employee) that in the course of their work will
directly / indirectly use, transmit, view, transport, hear, interpret, process or offer PHI for this
Business Associates and other third parties (if any) that receive your PHI from us will be prohibited
from re-disclosing it unless required to do so by law or you give prior express written consent to
the re-disclosure. Nothing in our Business Associate agreement will allow our Business Associate
to violate this re-disclosure prohibition. Under Omnibus Rule, Business Associates will sign a strict
confidentiality agreement binding them to keep your PHI protected and report any compromise
of such information to us, you and the United States Department of Health and Human Services,
as well as other required entities. Our Business Associates will also follow Omnibus Rule and have
any of their Subcontractors that may directly or indirectly have contact with your PHI, sign
Confidentiality Agreements to Federal Omnibus Standard.

Super-confidential Information Rule
If we have PHI about you regarding communicable diseases, disease testing, alcohol or
substance abuse diagnosis and treatment, or psychotherapy and mental health records (super confidential information under the law), we will not disclose it under the General or Healthcare
Treatment, Payment and Operations Rules (see above) without your first signing and properly
completing our Consent form (i.e. you specifically must initial the type of super-confidential
information we are allowed to disclose). If you do not specifically authorize disclosure by
initialing the super-confidential information, we will not disclose it unless authorized under the
Special Rules (see above) (i.e. we are required by law to disclose it). If we disclose super confidential
information (either because you have initialed the consent form or the Special Rules
authorizing us to do so), we will comply with state and federal law that requires us to warn the
recipient in writing that re-disclosure is prohibited.

Changes to Privacy Policies Rule
We reserve the right to change our privacy practices (by changing the terms of this Notice) at
any time as authorized by law. The changes will be effective immediately upon us making
them. They will apply to all PHI we create or receive in the future, as well as to all PHI created or
received by us in the past (i.e. to PHI about you that we had before the changes took effect). If
we make changes, we will post the changed Notice, along with its effective date, in our office
and on our website. Also, upon request, you will be given a copy of our current Notice.

Authorization Rule
We will not use or disclose your PHI for any purpose or to any person other than as stated in the
rules above without your signature on our specifically worded, written Authorization /
Acknowledgement Form (not a Consent or an Acknowledgement). If we need your
Authorization, we must obtain it via a specific Authorization Form, which may be separate from
any Authorization / Acknowledgement we may have obtained from you. We will not condition
your treatment here on whether you sign the Authorization (or not).

Marketing and Fund Raising Rules
Limitations on the disclosure of PHI regarding Remuneration
The disclosure or sale of your PHI without authorization is prohibited. Under the new HIPAA
Omnibus Rule, this would exclude disclosures for public health purposes, for treatment / payment
for healthcare, for the sale, transfer, merger, or consolidation of all or part of this facility and for
related due diligence, to any of our Business Associates, in connection with the business
associate’s performance of activities for this facility, to a patient or beneficiary upon request,
and as required by law. In addition, the disclosure of your PHI for research purposes or for any
other purpose permitted by HIPAA will not be considered a prohibited disclosure if the only
reimbursement received is “a reasonable, cost-based fee” to cover the cost to prepare and
transmit your PHI which would be expressly permitted by law. Notably, under the Omnibus Rule,
an authorization to disclose PHI must state that the disclosure will result in remuneration to the
Covered Entity. Notwithstanding the changes in the Omnibus Rule, the disclosure of limited data
sets (a form of PHI with a number of identifiers removed in accordance with specific HIPAA
requirements) for remuneration pursuant to existing agreements is permissible until September 22,
2014, so long as the agreement is not modified within one year before that date.

Limitation on the Use of PHI for Paid Marketing
We will, in accordance with Federal and State Laws, obtain your written authorization to use or
disclose your PHI for marketing purposes, (i.e.: to use your photo in ads) but not for activities that
constitute treatment or healthcare operations. To clarify, Marketing is defined by HIPAA’s
Omnibus Rule, as “a communication about a product or service that encourages recipients . . .
to purchase or use the product or service.” Under the Omnibus Rule, we will obtain a written
authorization from you prior to recommending you to an alternative therapist, or non-associated
Healthcare Covered Entity.

Under Omnibus Rule we will obtain your written authorization prior to using your PHI or making
any treatment or healthcare recommendations, should financial remuneration for making the
communication be involved from a third party whose product or service we might promote (i.e.:
businesses offering this facility incentives to promote their products or services to you). This will
also apply to our Business Associate who may receive such remuneration for making a treatment
or healthcare recommendations to you. All such recommendations will be limited without your
expressed written permission.

We must clarify to you that financial remuneration does not include “as in-kind payments” and
payments for a purpose to implement a disease management program. Any promotional gifts
of nominal value are not subject to the authorization requirement, and we will abide by the set
terms of the law to accept or reject these.

The only exclusion to this would include: “refill reminders”, so long as the remuneration for making
such a communication is “reasonably related to our cost” for making such a communication. In
accordance with law, this facility and our Business Associates will only ever seek reimbursement
from you for permissible costs that include: labor, supplies, and postage. Please note that
“generic equivalents”, “adherence to take medication as directed” and “self-administered
drug or delivery system communications” are all considered to be “refill reminders.”
Face-to-face marketing communications, such as sharing with you, a written product brochure
or pamphlet, is permissible under current HIPAA Law.

Flexibility on the Use of PHI for Fundraising
Under the HIPAA Omnibus Rule use of PHI is more flexible and does not require your authorization
should we choose to include you in any fundraising efforts attempted at this facility? However,
we will offer the opportunity for you to “opt out” of receiving future fundraising communications.
Simply let us know that you want to “opt out” of such situations. There will be a statement on
your HIPAA Patient Acknowledgement Form where you can choose to “opt out”. Our
commitment to care and treat you will in no way effect your decision to participate or not
participate in our fundraising efforts.

Improvements to Requirements for Authorizations Related to Research
Under HIPAA Omnibus Rule, we may seek authorizations from you for the use of your PHI for
future research. However, we would have to make clear what those uses are in detail.
Also, if we request of you a compound authorization with regards to research, this facility would
clarify that when a compound authorization is used, and research-related treatment is
conditioned upon your authorization, the compound authorization will differentiate between the
conditioned and unconditioned components.

If you got this Notice via email or website, you have the right to get, at any time, a paper copy
by asking our Privacy Officer. Also, you have the following additional rights regarding PHI we
maintain about you:

To Inspect and Copy
You have the right to see and get a copy of your PHI including, but not limited to, medical and
billing records by submitting a written request to our Privacy Officer. Original records will not
leave the premises, will be available for inspection only during our regular business hours, and
only if our Privacy Officer is present at all times. You may ask us to give you the copies in a
format other than photocopies (and we will do so unless we determine that it is impractical) or
ask us to prepare a summary in lieu of the copies. We may charge you a fee not to exceed
state law to recover our costs (including postage, supplies, and staff time as applicable, but
excluding staff time for search and retrieval) to duplicate or summarize your PHI. We will not
condition release of the copies on summary of payment of your outstanding balance for
professional services if you have one). We will comply with Federal Law to provide your PHI in an
electronic format within the 30 days, to Federal specification, when you provide us with proper
written request. Paper copy will also be made available. We will respond to requests in a timely
manner, without delay for legal review, or, in less than thirty days if submitted in writing, and in
ten business days or less if malpractice litigation or pre-suit production is involved. We may deny
your request in certain limited circumstances (i.e. we do not have the PHI, it came from a
confidential source, etc.). If we deny your request, you may ask for a review of that decision. If
required by law, we will select a licensed health-care professional (other than the person who
denied your request initially) to review the denial and we will follow his or her decision. If we
select a licensed healthcare professional who is not affiliated with us, we will ensure a Business
Associate Agreement is executed that prevents re-disclosure of your PHI without your consent by
that outside professional.

To Request Amendment / Correction
If another doctor involved in your care tells us in writing to change your PHI, we will do so as
expeditiously as possible upon receipt of the changes and will send you written confirmation
that we have made the changes. If you think PHI we have about you is incorrect, or that
something important is missing from your records, you may ask us to amend or correct it (so long
as we have it) by submitting a “Request for Amendment / Correction” form to our Privacy
Officer. We will act on your request within 30 days from receipt but we may extend our response
time (within the 30-day period) no more than once and by no more than 30 days, or as per
Federal Law allowances, in which case we will notify you in writing why and when we will be
able to respond. If we grant your request, we will let you know within five business days, make
the changes by noting (not deleting) what is incorrect or incomplete and adding to it the
changed language, and send the changes within 5 business days to persons you ask us to and
persons we know may rely on incorrect or incomplete PHI to your detriment (or already have).
We may deny your request under certain circumstances (i.e. it is not in writing, it does not give a
reason why you want the change, we did not create the PHI you want changed (and the entity
that did can be contacted), it was compiled for use in litigation, or we determine it is accurate
and complete). If we deny your request, we will (in writing within 5 business days) tell you why
and how to file a complaint with us if you disagree, that you may submit a written disagreement
with our denial (and we may submit a written rebuttal and give you a copy of it), that you may
ask us to disclose your initial request and our denial when we make future disclosure of PHI
pertaining to your request, and that you may complain to us and the U.S. Department of Health
and Human Services.

To an Accounting of Disclosures
You may ask us for a list of those who got your PHI from us by submitting a “Request for
Accounting of Disclosures” form to us. The list will not cover some disclosures (i.e. PHI given to
you, given to your legal representative, given to others for treatment, payment or health-care operations purposes). Your request must state in what form you want the list (i.e. paper or
electronically) and the time period you want us to cover, which may be up to but not more than
the last six years (excluding dates before April 14, 2003). If you ask us for this list more than once
in a 12-month period, we may charge you a reasonable, cost-based fee to respond, in which
case we will tell you the cost before we incur it and let you choose if you want to withdraw or
modify your request to avoid the cost.

To Request Restrictions
You may ask us to limit how your PHI is used and disclosed (i.e. in addition to our rules as set forth
in this Notice) by submitting a written “Request for Restrictions on Use, Disclosure” form to us (i.e.
you may not want us to disclose your surgery to family members or friends involved in paying for
our services or providing your home care). If we agree to these additional limitations, we will
follow them except in an emergency where we will not have time to check for limitations. Also,
in some circumstances we may be unable to grant your request (i.e. we are required by law to
use or disclose your PHI in a manner that you want restricted, you signed an Authorization Form,
which you may revoke, that allows us to use or disclose your PHI in the manner you want
restricted; in an emergency).

To Request Alternative Communications
You may ask us to communicate with you in a different way or at a different place by submitting
a written “Request for Alternative Communication” Form to us. We will not ask you why and we
will accommodate all reasonable requests (which may include: to send appointment reminders
in closed envelopes rather than by postcards, to send your PHI to a post office box instead of
your home address, to communicate with you at a telephone number other than your home
number). You must tell us the alternative means or location you want us to use and explain to
our satisfaction how payment to us will be made if we communicate with you as you request.

To Complain or Get More Information
We will follow our rules as set forth in this Notice. If you want more information or if you believe
your privacy rights have been violated (i.e. you disagree with a decision of ours about inspection
/ copying, amendment / correction, accounting of disclosures, restrictions or alternative
communications), we want to make it right. We never will penalize you for filing a complaint. To
do so, please file a formal, written complaint within 180 days with:

The U.S. Department of Health & Human Services
Office of Civil Rights
200 Independence Ave., S.W.
Washington, DC 20201

Or, submit a written Complaint form to us at the following address:
Hands for Life Therapy, LLC
3 North River Street , Unit 5
Plains, PA 18705
Phone: 570-820-5900
Fax: 888-875-5883
Email: handsforlifetherapy@gmail.com

You may get your “HIPAA Complaint” form by calling our privacy officer.
These privacy practices are in accordance with the original HIPAA enforcement effective April
14, 2003, and undated to Omnibus Rule effective March 26, 2013 and will remain in effect until
we replace them as specified by Federal and/or State Law.

Faxing and Emailing Rule
When you request us to fax or email your PHI as an alternative communication, we may agree
to do so, but only after having our Privacy Officer or treating doctor review that request. For this
communication, our Privacy Officer will confirm that the fax number or email address is correct
before sending the message and ensure that the intended recipient has sole access to the fax
machine or computer before sending the message; confirm receipt, locate our fax machine or
computer in a secure location so unauthorized access and viewing is prevented; use a fax
cover sheet so the PHI is not the first page to print out (because unauthorized persons may view
the top page); and attach an appropriate notice to the message. Our emails are all encrypted
per Federal Standard for your protection.

Practice Transition Rule
If we sell our practice, our patient records (including but not limited to your PHI) may be
disclosed and physical custody may be transferred to the purchasing healthcare provider, but
only in accordance with the law. The healthcare provider who is the new records owner will be
solely responsible for ensuring privacy of your PHI after the transfer and you agree that we will
have no responsibility for (or duty associated with) transferred records. If all the owners of our
practice die, our patient records (including but not limited to your PHI) must be transferred to
another healthcare provider within 90 days to comply with State & Federal Laws. Before we
transfer records in either of these two situations, our Privacy Officer will obtain a Business
Associate Agreement from the purchaser and review your PHI for super-confidential information
(i.e. communicable disease records), which will not be transferred without your express written
authorization (indicated by your initials on our Consent form).

Inactive Patient Records
We will retain your records for seven years from your last treatment or examination, at which
point you will become an inactive patient in our practice and we may destroy your records at
that time (but records of inactive minor patients will not be destroyed before the child’s
eighteenth birthday). We will do so only in accordance with the law (i.e. in a confidential
manner, with a Business Associate Agreement prohibiting re-disclosure if necessary).

If we use or disclose your PHI for collections purposes, we will do so only in accordance with the
©All Rights Reserved