STEPHEN HUBER DDS HIPAA COMPLIANCE BINDER

Office Address: 13400 Roe Ave, Leawood, KS 66209
Phone: (913) 469-8884
HIPAA Privacy Officer: Stefanie Wickliffe
HIPAA Security Officer: Stefanie Wickliffe
Effective Date: 2/2/2026

TABLE OF CONTENTS

  1. Introduction and Purpose
  2. Notice of Privacy Practices
  3. Patient Rights
  4. Privacy Policies and Procedures
  5. Security Policies and Procedures
  6. Workforce Training
  7. Business Associate Agreements
  8. Breach Notification Policy
  9. Minimum Necessary Standard
  10. Authorization and Consent Forms
  11. Safeguards for Protected Health Information
  12. Complaint Process
  13. Sanctions Policy
  14. Record Retention
  15. Forms and Templates

1. INTRODUCTION AND PURPOSE

This HIPAA Compliance Binder contains the policies, procedures, and documentation used by Stephen Huber DDS to comply with the Health Insurance Portability and Accountability Act (HIPAA), the HIPAA Privacy Rule, the HIPAA Security Rule, and the HITECH Act.

All members of the workforce must follow the policies contained in this binder.

2. NOTICE OF PRIVACY PRACTICES

Our office maintains a current Notice of Privacy Practices (NPP) that describes how patient information may be used and disclosed.

  • The NPP is provided to every new patient.
  • A copy is posted in the reception area.
  • A copy is available on request.
  • Acknowledgment of receipt is documented in the patient record.

3. PATIENT RIGHTS

Patients of Stephen Huber DDS have the right to:

  • Receive a copy of the Notice of Privacy Practices
  • Inspect and obtain copies of their records
  • Request amendments to their records
  • Request restrictions on certain disclosures
  • Request confidential communications
  • Receive an accounting of disclosures
  • File a complaint without retaliation

All requests will be documented and responded to in accordance with HIPAA requirements.

4. PRIVACY POLICIES AND PROCEDURES

Use and Disclosure of PHI

Protected Health Information (PHI) may be used or disclosed for:

  • Treatment
  • Payment
  • Health care operations
  • As required by law

Any other use requires written patient authorization.

Verification

Staff must verify the identity and authority of any person requesting PHI.

Incidental Disclosures

Reasonable safeguards will be used to limit incidental disclosures.

5. SECURITY POLICIES AND PROCEDURES

Administrative Safeguards

  • Assignment of HIPAA Security Officer
  • Risk analysis performed annually
  • Workforce training
  • Sanction policy

Physical Safeguards

  • Restricted access to clinical areas
  • Workstations positioned to protect screens
  • Locked file cabinets

Technical Safeguards

  • Unique user IDs and passwords
  • Automatic logoff
  • Antivirus and firewall protection
  • Encrypted backups

6. WORKFORCE TRAINING

All employees, contractors, and volunteers must:

  • Receive HIPAA training upon hire
  • Complete annual refresher training
  • Sign confidentiality agreements

Training records are maintained in this binder.

7. BUSINESS ASSOCIATE AGREEMENTS

Any vendor that may access PHI must sign a Business Associate Agreement before services begin. Examples include:

  • Billing companies
  • IT providers
  • Practice management software vendor – Patterson Eaglesoft
  • IT services and support – IMS
  • Shredding services – handled in house

A log of all Business Associates is maintained in this binder.

8. BREACH NOTIFICATION POLICY

A breach is an impermissible use or disclosure of PHI.

If a suspected breach occurs:

  1. The incident must be reported immediately to the Privacy Officer.
  2. An investigation will be conducted.
  3. Risk assessment will be performed.
  4. Notifications will be made as required to:
     • Affected individuals
     • The Department of Health and Human Services
     • The media (if applicable)

All breaches will be documented.

9. MINIMUM NECESSARY STANDARD

Staff will access and disclose only the minimum amount of PHI necessary to perform their job duties.

Role-based access levels:

  • Dentist: full access
  • Hygienists/Assistants: clinical information only
  • Front desk: demographic and billing information

10. AUTHORIZATION AND CONSENT FORMS

Written authorization is required for uses such as:

  • Release of records to third parties
  • Marketing
  • Sale of PHI

Standard authorization forms are included in this binder.

11. SAFEGUARDS FOR PROTECTED HEALTH INFORMATION

Paper Records

  • Stored in secure areas
  • Never left unattended
  • Shredded when disposed

Electronic Records

  • Password protected
  • Not accessed on public computers
  • Encrypted when transmitted

Verbal Communications

  • Conversations held discreetly
  • Messages left with limited information

12. COMPLAINT PROCESS

Patients may file complaints with:

  • Stephen Huber DDS Privacy Officer
  • The U.S. Department of Health and Human Services

All complaints will be documented and investigated.

13. SANCTIONS POLICY

Workforce members who violate HIPAA policies are subject to disciplinary action up to and including termination.

14. RECORD RETENTION

HIPAA-related documentation will be retained for a minimum of six (6) years, including:

  • Training records
  • Authorizations
  • Breach investigations
  • Policies and procedures

15. FORMS AND TEMPLATES

The following forms are maintained with this binder:

  • Notice of Privacy Practices Acknowledgment
  • Authorization to Release Information
  • Business Associate Agreement Template
  • Employee Confidentiality Agreement
  • HIPAA Training Log
  • Breach Incident Report Form
  • Patient Request Log

ACKNOWLEDGMENT

I acknowledge that I have received and reviewed the HIPAA policies and procedures of Stephen Huber DDS and agree to comply with them.

Employee Name: __________________________

Signature: _______________________________

Date: ___________________________________

This binder shall be reviewed and updated annually by the HIPAA Privacy and Security Officers.