HIPAA and Privacy Policy

HIPAA Privacy Policies and Procedures

Our Policy on Confidentiality

We are committed to maintaining the complete confidentiality of our patients’ health care information. As part of our commitment to patient confidentiality:

  • We will not discuss the names of our patients with anyone who is not part of our practice.
  • All information about our patients and their health conditions will be used within our practice in a professional manner.
  • Patient information will never be used for marketing unless we have the appropriate authorization signed by the patient.

Should we ever inadvertently make a mistake regarding the confidentiality of a patient’s health information, we will immediately do everything possible to correct the error.


There are many rules regarding the confidentiality of patient information. While our policies and procedures try to anticipate how to comply with these rules, please remember that our first and most important responsibility is to the health needs of the patient.

Prior to seeing the doctor on the patient’s initial visit, the patient will complete the following forms:

HIPAA Notice of Privacy Policies form, General Intake form, Third Party Authorization form, Consent for Chiropractic Treatment form, Oswestry, WC or PI form if applicable

When the patient has completed the forms, the responsible CA will review the forms for completeness and will explain and have the patient sign and date the forms.

  • HIPAA Notice of Privacy Policies
  • General Intake Form
  • Third Party Authorization Form
  • Consent for Chiropractic Treatment
  • Oswestry
  • WC or PI Form if applicable
  • Any other authorization forms used by the practice

The patient will be given a copy of the Notice of Privacy Practices. In the event the patient refuses to sign our privacy notice, a record will be made of the reason the patient refused to sign and we will treat the patient as we would anyone else. In the case of an emergency where the patient is seen by the doctor before he/she has the opportunity to complete their administrative paperwork, we will attempt to have the consent and authorization forms signed and dated before that patient leaves the office.

Restrictions & Requests for Changes to a Patient Record

A patient may occasionally ask us not to send their health care information to certain health care providers or third party payers. A patient might also ask us to make changes in their health care records. If the patient requests that we restrict distribution of their records, or place a limitation on other uses of their health care information, please:

  1. Ask the patient to write down their request. This is necessary to make sure that we know exactly what the patient is requesting so that the doctor and/or the office can make a decision on whether or not to honor the request.
  2. The patient should be told that the doctor and/or the office must review the request before you can agree to it. Very nicely, let the patient know that the law has special requirements when a patient asks for a restriction and that you will let them know as soon as possible whether or not you can honor their restriction.

If we must deny the patient’s request to amend their file, we must give the patient a written explanation for our denial. The explanation will have to be prepared by the doctor since the reason will undoubtedly concern the patient’s clinical information. We have other requirements that must be part of the written explanation, so be sure to check the HIPAA Reference Guide before giving the explanation to the patient.

Documentation of any request from a patient is absolutely critical. All of the written information we receive from the patient should be immediately placed in the patient’s file. If we receive verbal requests from a patient, the date, time, and content of the patient’s instructions should be written down and placed in the patient’s file. Any information in the patient’s file that concerns privacy must be retained for six years from the date it was created.

Resolving conflicts between consents and authorizations

Should we receive a patient consent or authorization in the mail, the responsible CA must determine if the terms of the consent or authorization are different than the terms we use. If so, we follow the more restrictive language unless we can obtain a new consent or authorization from the patient. If the patient gives us instructions by telephone, the responsible CA will immediately make a written record of the patient’s instructions as well as the date and time of the call. This information should be attached to the patient’s consent form. A new written consent or authorization should be obtained from the patient as soon as they come in for their next treatment.


We must have our patients sign authorizations for all of the following activities (delete those that do not apply):

  • You need help in obtaining reimbursement for the patient’s care from the WCA.
  • You use the patient’s name in any type of testimonial.

The patient cannot participate in the activity listed above unless we have a signed and dated authorization.

Insurance help from the WCA

It is our policy to have our patients sign the WCA Authorization Form before receiving services from us. If a patient has not signed the WCA Authorization Form we must delete the following information from the EOB or insurance correspondence before sending it to the WCA:

  • Names
  • Addresses
  • All dates
  • Phone numbers
  • Fax numbers
  • E-mail addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • URLs
  • Biometric identifiers, including finger and voice prints

Internal security for patient information

All patient information should be properly stored when it is not being used for clinical or administrative purposes. This includes those occasions when a staff person is away from their desk for lunch, or steps away from a work area to perform another task. Patient files should not be left on the doctor’s desk unless there is a secure area for the files within the office or the doctor’s office is locked when it is not occupied. The last person to leave at night should verify that all data is stored properly and that the building is properly locked.

While we are all part of a team, the law does not allow each member of our team to have complete access to all of the information about a patient. Internal communications about patients and/or their health condition should be limited to those individuals whose job descriptions entitle them to have this information. Please do everything possible to respect the privacy of our patients when discussing health information on the phone, with patients, or with other members of the staff when others are present. Whenever possible, patient health care or billing information should be discussed with them in a private area.

All of our computer data must be backed up as part of our closing procedures each day. Backup tapes should be stored in a secure, fireproof container. Weekly and/or monthly backup tapes should be stored in a secure, off site storage area.

Limits on health care information

We must always limit the amount of a patient’s health care information that is disclosed to the “minimum necessary” to accomplish the intended purpose. When another provider requests the patient’s health care records, the “minimum necessary” rule does not apply and the entire clinical record may be sent. When an insurance company requests records, it is likely that they will specify the dates for which they require records. If the insurer is specific as to the dates of information they would like, we do not have to verify that this is the “minimum necessary” information. If the insurance company does not specify the dates they need to review, then only the clinical records that are related to the patient’s current problem should be sent.

Before any records are released to an attorney, we must have a signed release from the patient. Because the HIPAA privacy laws require us to send the “minimum necessary” health information, the authorization from the patient must specifically state the dates for which records should be sent.

The “minimum necessary” rules apply to us internally as well. If a staff person is only entitled to have access to certain parts of the patient’s health information we must honor that restriction. Our staff members are given access to a patient’s health information based on their job responsibilities. If you have questions about what health information may be given to another staff person, please ask the doctor and/or the office manager.

The Patient’s Right to Access Their Health Records

A patient has the right to a copy of their health records at any time – even if they have an unpaid balance on their account. A patient may not take the originals of their records or x-rays because the law requires that we retain them for seven years.

We should do everything possible to immediately comply with a patient’s request for a copy of their records. If we cannot give them a copy immediately, we should explain the reason for the delay and let the patient know when their records can be picked up or when they will be mailed by us.

Our charge for a copy of the patient’s records is $8.40 or $0.45 for the first 50 pages; 50+ pages is an additional $0.25 per page. Because the law places restrictions on what we may charge for patient records, a patient may ask you to justify our fee for records. If this question is asked, please let the patient know that our fee for copying records is based on the actual cost of supplies and labor for the copying, and postage if the patient has asked that the information be mailed.

Providing Information to Patients about Disclosures of Their Health Records

A patient has a right to ask us for information regarding the disclosures that have been made of their health information for the previous six years (after the compliance date) from the date of their request. The most important thing to remember is that this does not include disclosures related to their treatment or disclosures made to insurance companies or other third party payors. This would primarily concern disclosures made to attorneys, for marketing purposes, or if we engaged in fund raising. Because the HIPAA privacy laws require us to handle these requests in a special manner, please let the doctor and/or the office manager know whenever a patient requests information regarding the disclosures of their health information.

Requests to send information to another address

Occasionally a patient may ask us to send information to someplace other than their home or to fax them their statements rather than mail them. Please do everything possible to accommodate the patient’s request. We do not have the right to know why the patient is making their request, so please do not ask. If there is some reason why you think we cannot accommodate the patient, please discuss the request with the office manager or the doctor.

Deceased Patients

All of the privacy rules apply to deceased patients. Before we can release any of their information, we must have an authorization from the deceased patient’s personal representative.

Complaints from Patients

Naturally we want to do everything possible to avoid a complaint from a patient regarding our privacy policy. If a patient asks you how to make a complaint, please tell them the following:

  • The complaint must name the doctor or staff person and describe what the patient believes the person did improperly.
  • The law requires that all complaints be in writing.
  • The complaint must be filed within 180 days of when the patient knew the problem occurred.

Please tell the patient filing a complaint that we will do everything possible to resolve the problem. Let them know that the doctor will be in touch with them as soon as possible. If a patient files a complaint, it should be given to the doctor immediately.

Changes to Our Notice

Whenever we change our notice, we will immediately replace the notice that is on public display and make that notice available to patients on request. We will retain a copy of each of our notices for the six years required by the law.

HIPAA Disciplinary Guidelines

It is unfortunate, but it may be necessary to discipline an employee who violates a patient’s right to privacy or does not follow these policies and procedures. We will do our best to understand any extenuating circumstances before we take disciplinary action against you.

Our disciplinary actions can include:

  • Warnings (oral)
  • Reprimands (written)
  • Probation
  • Demotion
  • Temporary suspension
  • Discharge of employment
  • Restitution of damages
  • Referral for criminal prosecution

Any disciplinary action will be documented in the employment file of the staff person. The file will contain specific information including:

  • The date of the incident
  • The name of the reporting party
  • The name of the person responsible for taking action
  • Follow-up action taken

