Both Dr. Ortiz and Dr. Jones are associated with ABMS and ABPS; all other credentials are associated with Dr. Ortiz.

North Raleigh Plastic Surgery HIPAA Policy

1. Patient Privacy and Confidentiality

    •    Purpose: To ensure all protected health information (PHI) remains confidential and is used or disclosed only for treatment, payment, and healthcare operations, or as otherwise permitted by HIPAA.

    •    Application: Protect all forms of PHI, whether in paper, electronic, or oral communication.

2. Access Control

    •    Authorized Personnel: Only healthcare providers and staff with a need to know may access patient information, and only the minimum necessary to perform their duties.

    •    Access Logging: Record who accessed patient data, and when. For electronic PHI this audit logging is a HIPAA Security Rule requirement, and the logs should be reviewed periodically.

3. Security Measures

    •    Electronic Health Records (EHR): The practice must use secure EHR systems that protect data integrity and privacy. This includes unique user accounts for every staff member, strong passwords, and encryption of PHI both at rest and in transit.

    •    Physical Security: Offices and storage areas where patient data is held should be locked and restricted to authorized personnel.

4. Patient Rights

    •    Right to Access: Patients have the right to request copies of their health records and to request amendments to their health information.

    •    Right to Confidentiality: Ensure patients are aware of how their data is used and who it is shared with. Written patient authorization is required before PHI is disclosed to third parties for purposes other than treatment, payment, and healthcare operations.

5. Data Retention and Disposal

    •    Retention: HIPAA requires that HIPAA documentation (policies, procedures, notices, authorizations, and related records) be kept for a minimum of six years. Retention periods for the medical records themselves are set by state law and must be followed as well.

    •    Disposal: All records that have passed their retention period must be securely destroyed, either by shredding physical documents or by sanitizing electronic media so that the PHI cannot be recovered (for example, following NIST SP 800-88 guidance).

6. Training and Compliance

    •    Employee Training: Staff must be trained on HIPAA policies, including handling PHI, responding to security breaches, and maintaining confidentiality.

    •    Regular Audits: The practice should conduct regular audits to ensure compliance with HIPAA regulations.

7. Breach Notification

    •    Incident Reporting: Staff must report any suspected breach to the practice's privacy officer immediately. In the event of a breach of unsecured PHI, the practice must notify affected patients without unreasonable delay and no later than 60 days after discovery, and must notify the Department of Health and Human Services (HHS). Breaches affecting 500 or more individuals must be reported to HHS within the same 60-day window; smaller breaches may be logged and reported to HHS annually.

8. Business Associate Agreements (BAAs)

    •    Third-party Contractors: If the practice uses third-party services that handle PHI (e.g., billing companies, IT services), a Business Associate Agreement must be signed before any PHI is shared, so that the contractor is bound to comply with HIPAA standards.

Contact