Privacy & Security

Notice of Privacy Practices and Privacy Policy

Dreamline Dental Sleep Clinic

Effective Date: January 20, 2026

Last Updated: January 20, 2026

1Introduction

Dreamline Dental Sleep Clinic ("we," "us," or "our") is committed to protecting your privacy and maintaining the security of your personal and health information. This combined Notice of Privacy Practices and Privacy Policy explains how we collect, use, disclose, and safeguard your information in compliance with:

The Health Insurance Portability and Accountability Act (HIPAA)
Missouri state privacy laws
Other applicable federal and state regulations

This Notice describes our privacy practices and applies to all records of your care generated by our practice.

By using our services, visiting our website, or enrolling in our patient portal, you acknowledge and consent to the practices described in this Privacy Policy.

YOUR RIGHTS: You have the right to receive a paper copy of this Notice at any time, even if you have agreed to receive it electronically. You may also request a copy by contacting our Privacy Officer (contact information in Section 19).

2Information We Collect

2.1 Personal Information

We collect the following personal information:

Full legal name, address, phone number, email address
Date of birth and age
Social Security Number (for insurance billing and identification purposes)
Emergency contact information
Insurance information (policy numbers, group numbers, subscriber information)
Payment and billing information (payment methods, billing address)
Government-issued identification (driver's license, passport for identity verification)
Employer information (if required for insurance)
Preferred language and communication preferences

2.2 Protected Health Information (PHI)

We collect and maintain protected health information including:

Comprehensive medical and dental history
Sleep disorder symptoms, diagnoses, and severity assessments
Sleep study results and polysomnography data
Treatment plans and clinical notes
Prescription and medication information (current and historical)
Dental impressions, oral appliance specifications, and fitting records
Provider notes and treatment progress documentation
Laboratory test results and diagnostic imaging
Referrals from and to other healthcare providers
Appointment history and attendance records
Insurance claims and payment history
Clinical photographs and radiographic images
Medicare Beneficiary Identifiers (MBI) or Medicaid ID numbers

2.3 Website and Portal Usage Information

When you visit our website or use our patient portal, we may collect:

IP address, browser type, and operating system
Device type and unique device identifiers
Pages visited and time spent on our website
Referring website addresses and search terms
Clickstream data and navigation patterns
Cookies and similar tracking technologies (see Section 8)
Portal login timestamps and activity logs
Session duration and interaction history

Important Distinction: Website usage information from public pages is NOT considered Protected Health Information (PHI). However, activity within the authenticated patient portal is logged and protected as PHI.

3How We Use Your Information

We use your information for the following purposes as permitted and required by law:

3.1 Treatment

To provide, coordinate, and manage your dental sleep medicine care, including:

Diagnosing and treating sleep-disordered breathing conditions
Fabricating and fitting custom oral appliance
Coordinating care with sleep physicians, primary care doctors, and specialists
Providing follow-up care and adjustments
Conducting sleep studies and diagnostic assessments
Prescribing medications or therapies
Managing emergencies and urgent care situations
Consulting with other healthcare providers involved in your treatment

3.2 Payment

To process billing, obtain payment, and manage financial aspects of your care:

Submitting and processing insurance claims to Medicare, Medicaid (MO HealthNet), and private insurers
Verifying insurance eligibility and benefits
Obtaining pre-authorizations and prior approvals
Processing credit card and electronic payments
Managing payment plans and financial assistance programs
Collection activities for outstanding balances (if applicable)
Coordinating with Medicare Secondary Payer (MSP) requirements
Responding to insurance audits and payment disputes

3.3 Healthcare Operations

To improve our services, maintain quality care, and conduct business operations:

Quality improvement and patient safety initiatives
Training healthcare providers and staff members
Conducting internal audits and compliance monitoring
Accreditation, licensing, and certification activities
Business planning and development
Customer service and patient satisfaction surveys
Resolving patient complaints and grievances
Risk management and legal compliance
De-identified data analysis for research purposes (no PHI disclosed)
Fraud and abuse detection and prevention programs

3.4 Appointment Reminders and Communications

To facilitate your care and keep you informed:

Sending appointment confirmations, reminders, and cancellation notifications
Providing test results and follow-up instructions
Communicating treatment recommendations and care plans
Sending refill reminders for oral appliance maintenance
Notifying you of new services or changes to our practice

Note: You have the right to opt out of appointment reminders and marketing communications (see Section 5).

3.5 Legal and Regulatory Compliance

To comply with legal obligations:

Responding to court orders, subpoenas, and legal processes
Reporting to public health authorities (communicable diseases, abuse, etc.)
Cooperating with law enforcement and legal investigations
Workers' compensation claims processing
Complying with Medicare/Medicaid program integrity requirements
Meeting HIPAA and state privacy law requirements
Responding to government audits and oversight activities

3.6 Public Health and Safety

When required or permitted by law:

Reporting communicable diseases to health departments
Reporting suspected abuse, neglect, or domestic violence to authorities
Preventing or lessening serious threats to health or safety
Notifying appropriate authorities about potential exposure to communicable diseases
Reporting adverse events related to medical devices (FDA)
Supporting disaster relief efforts

5Your Privacy Rights Under HIPAA

Under the Health Insurance Portability and Accountability Act (HIPAA) and Missouri state law, you have the following rights regarding your health information:

5.1 Right to Access Your Medical Records

You have the right to inspect and obtain a copy of your health information, including:

Medical and dental records
Billing records and claims history
Treatment notes and care plans
Test results and diagnostic reports

How to Request:

Submit a written request to our Privacy Officer (contact information in Section 19)
Specify what records you want and in what format (paper or electronic)

Our Response Timeline:

We will respond within 30 days of receiving your request
We may extend this by an additional 30 days if needed (we will notify you)

Fees:

First copy is FREE for paper or electronic records
Reasonable, cost-based fees may apply for additional copies
We will inform you of any fees before processing

Denials:

In limited circumstances, we may deny access (we will explain why in writing)
You have the right to request a review of certain denials

5.2 Right to Amend Your Health Information

If you believe your health information is incorrect or incomplete, you may request an amendment.

How to Request:

Submit a written request explaining what should be changed and why
We will respond within 60 days (may extend once for 30 additional days)

Our Response:

If we approve, we will make the amendment and notify relevant parties
If we deny, you may submit a written statement of disagreement
We will include your statement with your records and in future disclosures

5.3 Right to Request Restrictions

You may request that we limit how we use or disclose your health information for treatment, payment, or healthcare operations.

Important Notes:

We are NOT required to agree to most restriction requests
If we agree, we will honor the restriction unless needed for emergency treatment
Exception: If you pay out-of-pocket in full for a service, you can request we NOT disclose that information to your health insurer (we MUST agree to this request)

How to Request:

Submit your request in writing to our Privacy Officer
Specify what information and what uses/disclosures you want to restrict

5.4 Right to Confidential Communications

You have the right to request that we communicate with you in a certain way or at a certain location.

Examples:

Send communications to an alternate address
Call only your cell phone (not home or work)
Send emails instead of postal mail
Provide appointment reminders by text message only

How to Request:

Submit a written request specifying your preferred method of communication
We will accommodate reasonable requests without asking for an explanation
We may require information on how payment will be handled

5.5 Right to an Accounting of Disclosures

You have the right to request a list of certain disclosures we have made of your health information.

What's Included:

Disclosures for purposes OTHER than treatment, payment, or healthcare operations
Disclosures made in the past 6 years (or shorter period if you request)

What's NOT Included:

Disclosures you authorized in writing
Disclosures for treatment, payment, or healthcare operations
Disclosures made to you or your personal representative
Disclosures for facility directories or to family/friends
Disclosures for national security or law enforcement purposes

How to Request:

Submit a written request to our Privacy Officer
First accounting in a 12-month period is FREE
Reasonable fees may apply for additional accountings

Our Response:

We will provide the accounting within 60 days (may extend once for 30 days)

5.6 Right to a Copy of This Notice

You have the right to receive a paper copy of this Notice of Privacy Practices at any time, even if you previously agreed to receive it electronically.

How to Request:

Ask any staff member during your visit
Download from our website at www.dreamlinedental.com/privacy
Contact our Privacy Officer to have a copy mailed to you

5.7 Right to Revoke Authorization

If you have provided written authorization for us to use or disclose your information, you may revoke that authorization at any time.

How to Revoke:

Submit a written revocation to our Privacy Officer
The revocation is effective immediately upon receipt
Exception: We cannot take back disclosures already made based on your authorization

5.8 Right to Opt Out of Marketing and Fundraising

Marketing Communications: We will ONLY send marketing materials with your written authorization. You may opt out at any time.
Fundraising: We do not currently conduct fundraising activities. If this changes, you will have the right to opt out.

5.9 Right to Be Notified of a Breach

You have the right to be notified if there is a breach of your unsecured protected health information (see Section 15 for details).

5.10 Right to File a Complaint

You have the right to file a complaint if you believe your privacy rights have been violated. You will NOT be retaliated against for filing a complaint.

6Data Security Measures

We implement comprehensive technical, physical, and administrative safeguards to protect your information from unauthorized access, use, or disclosure.

6.1 Technical Safeguards

Encryption:

Data in Transit: All data transmitted over the internet uses TLS 1.3 encryption (latest security standard)
Data at Rest: All databases and file storage encrypted with AES-256 encryption
Mobile Devices: All laptops, tablets, and portable devices use full-disk encryption

Access Controls:

Role-Based Access Control (RBAC): Access limited based on job function and need-to-know
Unique User Credentials: Every workforce member has unique login credentials
Strong Password Requirements: Minimum length, complexity, and regular password changes required
Multi-Factor Authentication (MFA): Available and required for administrative access
Automatic Logout: Sessions automatically terminate after 15 minutes of inactivity

System Security:

Firewalls: Network firewalls protect against unauthorized access
Intrusion Detection: Real-time monitoring for suspicious activity
Anti-Malware Protection: Enterprise-grade antivirus and anti-malware on all systems
Secure Configurations: Systems hardened according to security best practices
Patch Management: Regular security updates and vulnerability patching

Audit and Monitoring:

Comprehensive Audit Logging: All access to and modifications of PHI are logged
Log Retention: Audit logs retained for minimum 7 years
Security Monitoring: 24/7 monitoring for security incidents
Regular Log Reviews: Periodic review of access logs for anomalies

Database and Infrastructure Security:

AWS RDS: HIPAA-eligible managed database with encryption and automated backups
Point-in-Time Recovery: Database can be restored to any point within retention period
Automated Backups: Daily encrypted backups stored in geographically separate locations
Disaster Recovery: Tested disaster recovery procedures with defined recovery objectives

6.2 Physical Safeguards

Mobile Dental Unit Security:

Secure, locked storage for electronic devices and paper records
Vehicle access controls and alarm systems
Equipment secured when vehicle unattended
Locked cabinets for patient files and sensitive materials

Facility Security (if applicable):

Controlled access to facilities with keycard or biometric systems
Visitor check-in and escort procedures
Security cameras in appropriate locations (NOT in clinical areas)
After-hours alarm systems

Workstation Security:

Privacy screens to prevent unauthorized viewing
Clean desk policy for physical records
Secure workstation locations away from public view
Locked screen savers when workstations unattended

Device Management:

Inventory tracking for all devices containing PHI
Remote wipe capability for lost or stolen mobile devices
Secure disposal procedures for retired equipment
Asset decommissioning with data destruction verification

Physical Record Security:

Locked file cabinets and storage rooms
Restricted access to medical records areas
Secure transport protocols for physical records
Secure shredding or destruction of records when retention period expires

6.3 Administrative Safeguards

Policies and Procedures:

Comprehensive HIPAA Security and Privacy Policies
Written procedures for all safeguards
Regular policy review and updates
Incident response and breach notification procedures
Sanctions policy for privacy and security violations

Workforce Management:

Designated Privacy Officer and Security Officer responsible for HIPAA compliance
Background Checks: Criminal background checks for workforce members with PHI access
Confidentiality Agreements: All workforce members sign confidentiality agreements
Annual Training: Mandatory privacy and security training for all workforce members
Access Termination: Immediate removal of access when employment ends
Sanctions: Progressive discipline for policy violations

Risk Management:

Annual Risk Assessments: Comprehensive security risk analysis
Risk Mitigation: Implementation of measures to reduce identified risks
Security Audits: Regular internal and external security assessments
Vulnerability Scanning: Periodic scanning for system vulnerabilities
Penetration Testing: Third-party security testing (as appropriate)

Vendor Management:

Business Associate Agreements: Required for all vendors accessing PHI
Vendor Security Assessment: Evaluation of vendor security practices
Vendor Monitoring: Ongoing oversight of Business Associate compliance
Contract Management: Tracking of BAA terms and renewal dates

Contingency Planning:

Disaster Recovery Plan: Documented procedures for system recovery
Emergency Mode Operations: Procedures for accessing PHI during emergencies
Data Backup and Recovery: Regular testing of backup and restore procedures
Business Continuity: Plans for continuing operations during disruptions

Mobile Service Security:

VPN (Virtual Private Network) required for remote access to health records system
Encrypted connections for all point-of-care documentation
Mobile device management (MDM) for company-issued devices
Geographic restrictions on data access when appropriate
Secure protocols for transporting physical records and equipment between locations

7Patient Portal Privacy and Security

Our secure patient portal provides convenient 24/7 access to your health information and allows you to communicate with our care team.

7.1 Portal Access and Authentication

Account Creation:

Portal access requires in-person identity verification or multi-step identity proofing
You will create a unique username and strong password
Password must meet complexity requirements (minimum 12 characters, mixed case, numbers, symbols)

Login Security:

Secure login page with TLS 1.3 encryption
Multi-factor authentication (MFA) available for enhanced security (recommended)
Account lockout after 5 failed login attempts
Automatic session timeout after 15 minutes of inactivity
Secure logout required when finished (especially on shared devices)

7.2 What You Can Access Through the Portal

Medical Records:

Comprehensive medical and dental history
Sleep study results and diagnostic reports
Treatment plans and clinical notes
Prescription history and current medications
Lab results and diagnostic images
Visit summaries and discharge instructions

Communication:

Send secure messages to your care team
Receive responses from providers and staff
Upload documents or photos for provider review
Request prescription refills or oral appliance adjustments

Health Management:

Update personal and contact information
Manage communication preferences
Complete intake forms and questionnaires
Track symptoms and treatment progress

Billing and Payments:

View current balance and billing statements
Review insurance claims and Explanation of Benefits (EOB)
Make secure online payments
View payment history
Set up payment plans (if eligible)

Appointments:

View upcoming appointments
Request new appointments (subject to provider approval)
Cancel or reschedule appointments
Receive appointment reminders

7.3 Proxy Access for Family Members

Parents/Legal Guardians:

Parents automatically have access to minor children's records (under age 18)
Access may be restricted for adolescents based on state law and sensitive services

Legal Representatives:

Healthcare Power of Attorney holders may access records with proper documentation
Court-appointed guardians may access records with court order

Proxy Request Process:

Submit written request with legal documentation
Identity verification required
Proxy access granted after approval by Privacy Officer

Proxy Responsibilities:

Maintain confidentiality of patient information
Do not share login credentials
Use information only for patient's benefit

7.4 Portal Security Features

Data Protection:

All portal data transmitted using TLS 1.3 encryption (bank-level security)
Data stored with AES-256 encryption at rest
No PHI accessible to third-party analytics platforms
Session data encrypted and automatically cleared after logout

Audit Logging:

All portal access and activity logged for security monitoring
Logs include date, time, IP address, and actions performed
Suspicious activity triggers security alerts
Audit logs retained for 7 years per HIPAA requirements

Security Monitoring:

24/7 system monitoring for security threats
Automatic detection of unusual access patterns
Geo-location alerts for access from unexpected locations
Real-time intrusion detection and prevention

7.5 Your Portal Responsibilities

Protect Your Account:

Keep credentials confidential – never share username or password
Use strong, unique password – do not reuse passwords from other sites
Enable multi-factor authentication – adds extra layer of security
Log out completely – especially important on shared or public computers
Clear browser cache – on shared devices after accessing portal
Keep contact info current – ensures you receive important notifications

Secure Device Usage:

Avoid public computers – library, hotel, internet café computers not recommended
Secure your devices – use device passwords/PINs, enable auto-lock
Update software – keep operating system and browser current
Use secure networks – avoid public Wi-Fi when accessing portal; use VPN if necessary

Report Security Concerns:

Notify us immediately if you suspect unauthorized access to your account
Report lost/stolen devices that had portal access
Contact us if you receive suspicious emails claiming to be from our portal

7.6 Portal Communications

Secure Messaging Guidelines:

NOT for emergencies – call 911 for medical emergencies
Response time: Messages typically answered within 1-2 business days
Business hours only – messages sent after hours reviewed next business day
Message retention: All portal messages become part of your medical record

✅ What to Use Secure Messaging For:

Non-urgent medical questions
Prescription refill requests
Appointment scheduling questions
Billing inquiries
Follow-up on treatment

❌ What NOT to Use Secure Messaging For:

Medical emergencies or urgent concerns (call 911 or our office)
Time-sensitive issues requiring same-day response
New or worsening severe symptoms

7.7 Portal Availability and Downtime

Portal available 24/7/365 except during scheduled maintenance
Planned maintenance typically occurs during off-peak hours (late night)
We will notify users in advance of planned downtime when possible
Emergency maintenance may occur without advance notice

8Website Privacy and Cookies

This section applies to our public website (www.dreamlinedental.com) and explains what information we collect from visitors.

8.1 Website vs. Patient Portal Distinction

Public Website (NON-PHI):

Our public website collects general usage information that is NOT Protected Health Information
This information helps us understand how visitors use our site and improve user experience
Website analytics do NOT access any patient portal or health information

Patient Portal (PHI):

Our secure patient portal (accessed through authenticated login) contains your Protected Health Information
Portal activity is logged and protected as PHI under HIPAA
NO third-party analytics or tracking on authenticated portal pages

8.2 Information Collected on Public Website

Automatically Collected:

IP Address: Your computer's internet protocol address
Browser Information: Browser type, version, and language settings
Device Information: Device type, operating system, screen resolution
Usage Data: Pages visited, links clicked, time spent on pages
Referral Data: Website that referred you to our site, search terms used
Geographic Location: General location (city/state) based on IP address

Voluntarily Provided:

Contact form submissions (name, email, phone, message)
Newsletter signup information
Appointment request forms (contact info, preferred dates)

8.3 Cookies and Tracking Technologies

What Are Cookies: Cookies are small text files stored on your device that help websites remember your preferences and improve your experience.

Types of Cookies We Use:

Essential Cookies (Required)

Session management and security
Remember your language and accessibility preferences
Prevent fraud and enhance security
These cookies are necessary for website functionality

Analytics Cookies (Optional)

Google Analytics to understand website traffic and usage patterns
Track which pages are most visited and helpful
Identify technical issues and improve website performance
Measure effectiveness of our content

Marketing Cookies (Optional)

Remember your preferences for future visits
Deliver relevant information based on your interests
Measure effectiveness of advertising campaigns (if applicable)

Third-Party Cookies:

We use Google Analytics for website analytics
Google may place cookies to track website usage
Google's use of cookies is subject to their privacy policy

8.4 Managing Cookies

How to Control Cookies:

Browser Settings: All modern browsers allow you to refuse or delete cookies
Opt-Out Tools: Use browser opt-out extensions or Google Analytics opt-out
Do Not Track: We honor Do Not Track (DNT) browser signals

Effect of Disabling Cookies:

Essential cookies are required for website to function properly
Disabling analytics cookies will not affect website functionality
Some features may not work as expected if all cookies disabled

Cookie Management Resources:

Chrome: Settings > Privacy and Security > Cookies
Firefox: Settings > Privacy & Security > Cookies
Safari: Preferences > Privacy > Cookies
Edge: Settings > Privacy & Security > Cookies

8.5 Third-Party Websites and Links

External Links:

Our website may contain links to third-party websites (sleep medicine associations, insurance companies, etc.)
We are NOT responsible for privacy practices of external sites
External sites have their own privacy policies
We encourage you to review privacy policies of any third-party sites you visit

Social Media:

Links to our social media profiles (Facebook, Instagram, LinkedIn, etc.)
Social media platforms have their own privacy policies and data practices
Information you share on social media is governed by their terms

8.6 Online Advertising (If Applicable)

We do NOT currently use retargeting or remarketing pixels
We do NOT sell website visitor data to third parties
If we implement online advertising in the future, we will update this policy

8.7 Website Security

Our public website uses HTTPS/SSL encryption for secure browsing
Contact forms and data submissions are encrypted during transmission
We implement security measures to protect against unauthorized access
However, NO method of internet transmission is 100% secure

9Third-Party Service Providers

We use carefully selected third-party service providers ("Business Associates" under HIPAA) to help us deliver high-quality healthcare services and manage our operations. All Business Associates sign HIPAA-compliant agreements requiring them to protect your information.

9.1 Technology Infrastructure Providers

Cloud Hosting and Data Storage:

Amazon Web Services (AWS) – Secure cloud infrastructure for data storage and application hosting
HIPAA-compliant Business Associate Agreement in place
Data stored in HIPAA-eligible AWS regions
AES-256 encryption at rest, TLS 1.3 in transit
SOC 2 Type II certified for security controls

Database and Backup Services:

Secure PostgreSQL database management on AWS RDS
Automated encrypted backups with point-in-time recovery
Geographically redundant storage for disaster recovery

IT Security and Monitoring:

Network security and intrusion detection systems
24/7 security monitoring and incident response
Vulnerability scanning and penetration testing services
Security information and event management (SIEM)

9.2 Payment Processing Services

Credit Card Processing:

Stripe, Inc. – Payment card processing for patient payments
HIPAA Business Associate Agreement in place
PCI-DSS Level 1 certified (highest payment security standard)
Payment data encrypted and tokenized
We do NOT store complete credit card numbers

Insurance Claims Processing:

Electronic claims clearinghouses for Medicare, Medicaid, and private insurance
Claims data transmitted via secure, encrypted connections
HIPAA-compliant EDI (Electronic Data Interchange) transactions

Payment Collection (if applicable):

Third-party collection agencies (only after exhausting internal collection efforts)
Minimum necessary information disclosed for collection purposes
All agencies required to sign Business Associate Agreements

9.3 Communication and Patient Engagement

Email Services:

Secure email service providers for appointment reminders and patient communications
Email encryption for messages containing PHI
HIPAA-compliant Business Associate Agreements

SMS/Text Messaging (if applicable):

HIPAA-compliant text messaging platforms for appointment reminders
Patients must opt-in to receive text messages
Messages encrypted in transit

Video Conferencing (if applicable):

HIPAA-compliant video conferencing platforms for telehealth consultations
End-to-end encryption for video and audio
No recording of sessions without patient consent

9.4 Healthcare Operations and Clinical Services

Dental Laboratories:

In-state and out-of-state dental laboratories for custom oral appliance fabrication
Minimum necessary PHI shared (dental impressions, prescription specifications)
All laboratories sign Business Associate Agreements
Secure transmission of digital impressions and specifications

Medical Equipment Suppliers:

Durable medical equipment (DME) vendors for oral appliances and supplies
Sleep study equipment providers and monitoring device manufacturers
Medical device manufacturers for warranty, recalls, or safety notifications

Referring Provider Networks:

Electronic health information exchange with referring physicians
Secure messaging systems for care coordination
Shared health records platforms (with patient consent)

9.5 Practice Management and Administrative Services

Practice Management Software:

Electronic health record (EHR) and practice management systems
Patient scheduling and appointment management platforms
Document management and storage systems
Clinical workflow and task management tools

Billing and Revenue Cycle Management:

Medical billing and coding services
Insurance verification and eligibility checking
Account management and patient statement generation

Business Support Services:

Transcription services (if applicable) for clinical documentation
Medical record scanning and digitization
Secure document shredding and disposal services
IT support and managed services providers

Professional Services:

Legal counsel for compliance and regulatory matters
Accounting and auditing services
Healthcare consultants and compliance advisors
Quality improvement and accreditation consultants

9.6 Business Associate Oversight

We maintain strict oversight of all Business Associates:

Contract Requirements:

Written Business Associate Agreement before any PHI disclosure
Specific permitted uses and required safeguards
Obligation to report security incidents and breaches
Return or destruction of PHI when services end
Right to audit and inspect safeguards

Ongoing Monitoring:

Regular review of Business Associate compliance
Security assessments and vendor risk evaluations
Incident and breach reporting procedures
Contract renewal and termination management

Vendor Security Requirements:

Minimum security standards for all vendors
Encryption of data in transit and at rest
Access controls and authentication requirements
Audit logging and monitoring capabilities
Disaster recovery and business continuity plans

10Payment Processing and Financial Information

10.1 Payment Methods Accepted

Credit cards (Visa, MasterCard, American Express, Discover)
Debit cards
Health Savings Account (HSA) and Flexible Spending Account (FSA) cards
Electronic funds transfer (ACH)
Cash or check (in-person payments)

10.2 Payment Card Security

PCI-DSS Compliance:

Our payment processor (Stripe) is PCI-DSS Level 1 certified
Highest level of payment card industry security standards
Regular security audits and compliance assessments

How We Protect Payment Information:

Tokenization: Credit card numbers converted to secure tokens
Encryption: All payment data encrypted during transmission (TLS 1.3)
No Storage: We do NOT store complete credit card numbers in our systems
Secure Processing: Payment data processed entirely through certified payment processor

10.3 Payment Information as PHI

When Payment Information Becomes PHI:

Payment information is Protected Health Information when linked to your identity and health services:

Invoices and Statements: Show dates of service, procedure codes, and treatment descriptions
Insurance EOBs: Explanation of Benefits statements detail services provided
Payment Receipts: Link payment to specific healthcare services
Billing Records: Complete history of charges, payments, and services

Protection of Payment PHI:

Same HIPAA security and privacy protections as medical records
Access limited to authorized billing and administrative staff
Audit logging of all access to financial records
Secure retention and disposal when retention period expires

10.4 Insurance Billing and Claims

Claims Submission:

Electronic submission to Medicare, Medicaid, and private insurers
Secure EDI (Electronic Data Interchange) transactions
HIPAA-compliant transaction standards

Medicare/Medicaid Specific:

Medicare Beneficiary Identifier (MBI) securely transmitted
Compliance with CMS regulations for claims and documentation
MO HealthNet (Medicaid) provider enrollment requirements
Coordination of benefits for dual-eligible patients

Information Shared with Insurers:

Patient demographic and insurance information
Diagnosis codes (ICD-10) for medical necessity
Procedure codes (CDT for dental, CPT for medical)
Dates and locations of service
Provider information and credentials
Supporting documentation as required for claims adjudication

10.5 Financial Assistance and Payment Plans

Application Information:

Financial assistance applications require income and household information
Information maintained confidentially and used ONLY for financial assistance determination
Not shared outside our organization without your authorization

Payment Plans:

Payment plan agreements require verification of financial information
Automatic payment options available for convenience
Payment plan information maintained as part of billing records

10.6 Collections (if applicable)

Internal Collections:

Multiple patient notifications before external collection referral
Opportunity to establish payment plan or request financial assistance

External Collections:

If account referred to collection agency, only minimum necessary information disclosed
Collection agencies required to sign Business Associate Agreement
You have rights under Fair Debt Collection Practices Act (FDCPA)

10.7 Credit Reporting

We do NOT report to credit bureaus. However, if your account is referred to a collection agency, they may report to credit bureaus in accordance with applicable law.

10.8 Financial Record Retention

Retention Period

Billing and payment records retained for minimum 7 years per Missouri law

Security

Electronic and paper billing records subject to same security protections

Disposal

Secure destruction when retention period expires

11Multiple Provider Access

Dreamline Dental Sleep Clinic operates with multiple healthcare providers and support staff. We maintain strict controls over who can access your information and for what purposes.

11.1 Who Has Access to Your Information

Your Treating Provider(s):

Full access to your complete medical record
Ability to view, create, and modify all clinical documentation
Access to all test results, treatment plans, and clinical notes

On-Call or Covering Providers:

May access your records when providing care in your regular provider's absence
Access limited to information necessary for continuity of care
All access logged in audit system

Clinical Support Staff:

Dental Assistants: Access to treatment plans, oral appliance specifications, and patient care instructions
Clinical Coordinators: Access to appointment scheduling, treatment planning, and care coordination
Medical Assistants: Access to vital signs, medical history, and patient intake information

Administrative Staff:

Front Desk/Scheduling: Access to demographic information, contact details, and appointment schedules
Billing Staff: Access to billing records, insurance information, and payment history
Medical Records Staff: Access to complete records for records management and release of information

Management and Compliance:

Privacy Officer: Access for privacy compliance, patient rights requests, and complaint investigations
Security Officer: Access for security monitoring, incident response, and compliance audits
Practice Administrator: Limited access for quality improvement and operational oversight

11.2 Need-to-Know Principle

Minimum Necessary Standard:

Access limited to minimum information necessary to perform job duties
Role-based access controls enforce need-to-know restrictions
Regular review of access permissions and user roles

Access Controls:

Each workforce member has unique login credentials
Access permissions based on job function and responsibilities
Automatic access termination when job duties change or employment ends

11.3 Workforce Training and Confidentiality

HIPAA Training:

Annual mandatory privacy and security training for all workforce members
Job-specific training on appropriate uses and disclosures
Training on patient rights and complaint procedures
Documentation of training completion maintained

Confidentiality Agreements:

All workforce members sign confidentiality agreements upon hire
Agreements remain in effect after employment ends
Violations subject to disciplinary action up to and including termination

Code of Conduct:

Professional standards for handling patient information
Prohibition on snooping or unauthorized access
Requirement to report suspected privacy violations

11.4 Audit Logging and Monitoring

Access Monitoring:

All access to patient information logged with user ID, date, time, and information accessed
Regular audit log reviews for inappropriate access
Automated alerts for unusual access patterns
Investigation of all suspected unauthorized access

Sanctions Policy:

Progressive discipline for privacy and security violations
Sanctions may include:
- Verbal or written warning
- Suspension or access restriction
- Termination of employment
- Reporting to law enforcement (for criminal violations)

11.5 Requesting Access Restrictions

Your Right to Request Restrictions:

You may request that specific providers or staff members not access your records
We will consider your request but are not always able to honor it
Restrictions that would interfere with treatment or operations may be denied

Out-of-Pocket Payment Exception:

If you pay in full out-of-pocket for a service, you can request we NOT share that information with your health insurer
We MUST honor this request (unless required by law to disclose)
Request must be made before or at time of service

How to Request:

Submit written request to Privacy Officer
Specify what information and which individuals should be restricted
We will respond in writing within 30 days

12Missouri-Specific Privacy Protections

In addition to federal HIPAA protections, Missouri state law provides enhanced privacy protections for certain types of health information and establishes additional patient rights.

12.1 Mental Health Information (Mo. Rev. Stat. § 630.140)

Enhanced Protections:

Mental health treatment records have additional restrictions on disclosure
Specific written authorization required for release to third parties
Authorization must specify purpose and persons to whom disclosure is made

Applicability to Sleep Medicine:

Some sleep disorders may be diagnosed or treated in conjunction with mental health conditions
Insomnia, depression, and anxiety often co-occur with sleep-disordered breathing
Mental health information treated with heightened confidentiality

Disclosure Without Authorization Permitted Only For:

Treatment by other mental health providers
Court orders with proper legal authority
Imminent danger to patient or others
Compliance with mandatory reporting laws

12.2 HIV/AIDS Information (Mo. Rev. Stat. § 191.656)

Strict Confidentiality Requirements:

HIV test results and AIDS-related information require specific written authorization for disclosure
Authorization must be separate from general medical records release
Must specify exact information to be disclosed and recipient

Limited Exceptions for Disclosure Without Authorization:

Healthcare providers for treatment purposes
Public health authorities for disease surveillance and partner notification
Court order with specific findings
Funeral directors for handling of remains

Our Practice:

We do not routinely test for HIV
If HIV status is relevant to sleep medicine treatment, we will discuss confidentiality protections

12.3 Genetic Information (Mo. Rev. Stat. § 375.1309)

Protection from Insurance Discrimination:

Genetic test results cannot be disclosed to insurance companies without specific written authorization
Life, disability, and long-term care insurers cannot require genetic testing or disclosure
Health insurers subject to federal GINA (Genetic Information Nondiscrimination Act) protections

Applicability to Sleep Medicine:

Genetic factors may influence susceptibility to sleep apnea and related conditions
Any genetic testing or family history information protected under enhanced standards

12.4 Substance Abuse Treatment Records (42 CFR Part 2)

Federal Protections Apply:

Federally-assisted substance abuse treatment programs subject to strict confidentiality rules
Protections MORE restrictive than general HIPAA requirements
Specific written consent required for most disclosures

Our Practice:

We screen for alcohol and substance use as part of sleep disorder evaluation
Substance use information protected under HIPAA (and Part 2 if applicable)
Information not disclosed without your authorization except as permitted by law

12.5 Minors and Adolescent Privacy

Parental Access to Minor Records:

Parents/legal guardians generally have access to minor children's health records
Exception: Missouri law may limit parental access for certain sensitive services:
- Substance abuse treatment (age 17+)
- Mental health treatment (in some circumstances)
- Pregnancy-related care

Adolescent Patients:

We balance parents' rights with adolescents' privacy interests
Will discuss confidentiality with both parent and adolescent patient
May recommend partial restrictions on parental access when appropriate for adolescent care

Transition to Adult Care:

At age 18, patients become adults with full privacy rights
Parents lose automatic access to records (except with patient authorization)
We will discuss transition and help establish appropriate access for ongoing parental involvement

12.6 Record Retention - Missouri Requirements

General Retention:

7 Years

Medical and dental records retained for minimum 7 years from date of last treatment

For Minors:

Age 21+

Records retained until patient reaches age 21 OR 7 years from last treatment, whichever is longer

Permanent Retention Considerations:

Ongoing treatment relationships
Pending litigation or investigations
Specific patient request
Unique or significant medical conditions requiring long-term documentation

12.7 Missouri Data Breach Notification Law (Mo. Rev. Stat. § 407.1500)

State Law Requirements:

Notification to Missouri residents "without unreasonable delay" following breach of personal information
Personal information includes: Social Security number, driver's license, financial account information
May require notification even if HIPAA breach notification threshold not met

Our Commitment:

Comply with both federal HIPAA and Missouri state breach notification requirements
Provide notice by most effective means available (mail, email, telephone)
Offer identity theft prevention services if appropriate

12.8 Missouri Patient Rights

Right to Medical Records (Mo. Rev. Stat. § 191.227):

Right to access medical records within 30 days of request
Reasonable copying fees permitted (not to exceed actual costs)
Consistent with HIPAA right of access (HIPAA provides first copy free)

Right to Amend Records:

Missouri law supports patients' right to correct inaccurate information
Procedures consistent with HIPAA amendment rights

13Electronic Communications and Consent

13.1 Email Communications

Standard Email Risks:

Standard email is NOT completely secure
Email may be intercepted, forwarded, or accessed by unauthorized parties
Email servers may retain copies of messages

Our Email Practices:

Administrative communications (appointment confirmations) may be sent via standard email
We limit PHI in standard email communications
Encrypted email available for sensitive communications upon request

Your Consent:

By providing your email address, you consent to receive appointment reminders and administrative communications via email
You acknowledge email is not completely secure
You may opt out of email communications at any time

What NOT to Send via Standard Email:

Detailed medical questions or symptoms (use patient portal secure messaging instead)
Sensitive personal information (Social Security numbers, financial account numbers)
Urgent medical concerns (call our office or 911 for emergencies)

13.2 SMS Text Messaging

Text Message Risks:

Text messages may be stored on mobile devices and visible to others with access to device
Messages may be delivered to wrong number if contact information outdated
Cellular networks are not completely secure

Our Text Messaging Practices:

Appointment reminders sent via text message (if you opt in)
Text messages contain limited information (date, time, office name)
Detailed PHI NOT included in text messages

Your Consent:

You must affirmatively opt in to receive text messages
Standard text messaging rates may apply (check with your carrier)
You may opt out at any time by replying "STOP" or contacting our office

13.3 Telephone Communications

Voicemail Messages:

We may leave voicemail messages with appointment reminders
Messages include minimal information (date, time, callback number)
We do NOT leave detailed medical information on voicemail unless you specifically request

Your Preferences:

You may specify:

Which phone number(s) to call
Whether we can leave voicemail messages
What information can be included in messages
Alternative contact methods if phone not available

Confidential Communications:

You have right to request confidential communications
May request we contact you only at specific number, time, or location
We will accommodate reasonable requests

13.4 Patient Portal Secure Messaging

What to Use Secure Messaging For:

Non-urgent medical questions
Prescription refill requests
Follow-up on recent visit or treatment
Coordination of care
Billing questions

What NOT to Use Secure Messaging For:

Medical emergencies (call 911)
Urgent same-day concerns (call our office)
Severe or worsening symptoms

13.5 Video Telehealth (If Applicable)

HIPAA-Compliant Video Platforms:

We use only HIPAA-compliant, encrypted video conferencing for telehealth
End-to-end encryption protects privacy of consultations
No recording without your specific consent

Your Telehealth Responsibilities:

Join video visits from private location
Use secure internet connection (not public Wi-Fi)
Ensure no unauthorized persons can see or hear consultation
Close other applications during visit

Consent for Telehealth:

Separate consent required for telehealth services
You may decline telehealth and request in-person visit

13.6 Opting Out of Electronic Communications

How to Opt Out:

Email communications: Click "unsubscribe" link in emails or contact our office
Text messages: Reply "STOP" to any text message or contact our office
Phone calls: Request to be placed on our do-not-call list
Voicemail messages: Request no voicemail messages in your patient file

Effect of Opting Out:

You will still receive critical communications necessary for your care
May receive communications via alternative methods (postal mail)
Opting out may delay receipt of time-sensitive information

13.7 Updating Communication Preferences

Keep Contact Information Current:

Promptly notify us of changes to:

Phone numbers (home, mobile, work)
Email addresses
Mailing addresses
Emergency contacts

Update Methods:

Through patient portal
By calling our office
In person at your next appointment
Via secure email or postal mail

14Data Retention

We retain your health information for the period required by law, professional standards, and operational needs.

14.1 General Retention Period

Medical and Dental Records:

Minimum retention: 7 years from date of last treatment or service
Required by Missouri law and professional dental standards
Applies to all components of medical record:

Clinical notes and treatment documentation
Diagnostic images and test results
Correspondence with other providers
Consent forms and authorizations

14.2 Extended Retention for Minors

Patients Under Age 18:

Records retained until patient reaches age 21 OR 7 years from last treatment, whichever is longer
Ensures availability through transition to adulthood
Complies with Missouri law protecting minors' interests

Example:

Patient last seen at age 16: Records retained until age 23 (age 21 + 2 years since last treatment)
Patient last seen at age 17: Records retained until age 24 (7 years from last treatment)

14.3 Extended Retention Circumstances

Records may be retained longer than minimum period when:

Ongoing Treatment:

Active patients' records retained indefinitely for continuity of care
Records from prior episodes of care maintained for reference

Legal Requirements:

Pending or ongoing litigation requiring record preservation
Government investigation or audit
Compliance with legal hold notice
Statute of limitations not yet expired

Significant Medical Conditions:

Unique or unusual conditions requiring long-term documentation
Conditions with potential long-term effects or complications
Complex cases serving as reference for future treatment decisions

Patient Request / Implanted Devices:

Patient may request extended retention of records
We will accommodate reasonable requests
Records related to implanted medical devices retained for device lifetime
Includes oral appliances with permanent components

14.4 Types of Records and Retention Periods

Clinical Records: 7 years minimum (longer for minors)

Progress notes and clinical documentation
Treatment plans and care coordination
Diagnostic test results and images
Consultation reports from other providers

Billing and Financial Records: 7 years minimum

Invoices and billing statements
Insurance claims and EOBs
Payment records and receipts
Financial assistance documentation

Authorization and Consent Forms: 7 years from date signed

Treatment consent forms
Authorization for release of information
Patient portal enrollment agreements
Electronic communications consents

Administrative Records & Audit Logs: 7 years

Patient registration and demographic information
Insurance verification documentation
Access logs for electronic health information
Security incident reports and investigations
Training records and attestations

14.5 Record Format and Storage

Electronic Records:

Stored in secure, encrypted databases on HIPAA-compliant cloud infrastructure
Regular backups ensure availability and disaster recovery
Retained in accessible format throughout retention period

Paper Records:

Stored in secure, locked facilities with limited access
Climate-controlled environment to prevent deterioration
Scanned and converted to electronic format when possible

Hybrid Records:

Some records may exist in both paper and electronic format
Both formats retained for legal compliance
Electronic version considered primary record when available

14.6 Record Destruction

Electronic Records:

Secure deletion using data sanitization software
Overwriting of storage media to prevent recovery
Destruction of backup media when retention period expires
Certificate of destruction maintained for compliance

Paper Records:

Shredding using cross-cut or micro-cut shredders
Secure shredding service for large volumes
On-site destruction when possible for security
Certificate of destruction from shredding vendor

Disposal Verification:

Documentation of destruction date and method
Verification that destruction completed securely
Maintained audit trail of destroyed records

14.7 Accessing Old Records

Within Retention Period:

Records fully accessible through patient portal or by request
Same access rights apply throughout retention period
No additional fees for accessing older records (within reason)

After Retention Period:

Records may no longer be available after secure destruction
We cannot recreate or reconstruct destroyed records
Recommend patients maintain personal copies of important records

Best Practice for Patients:

Download or request copies of important records for personal retention
Maintain copies of diagnostic images, pathology reports, and operative reports
Keep records of implanted devices and ongoing treatments

15Breach Notification

We are committed to protecting your information with comprehensive security safeguards. However, in the unlikely event of a breach of your unsecured protected health information, we will notify you and take appropriate action as required by law.

15.1 What Constitutes a Breach

Breach Definition: A breach is the unauthorized acquisition, access, use, or disclosure of protected health information that compromises the security or privacy of the information.

Factors We Evaluate:

Nature and extent of the information involved
Who accessed or received the information
Whether information was actually acquired or viewed
Extent to which risk has been mitigated

When We Do NOT Notify:

Information was encrypted or otherwise rendered unusable/unreadable
Risk assessment determines low probability of compromise to privacy or security
Unintentional acquisition/access by workforce member acting in good faith within scope of authority
Inadvertent disclosure to another authorized person at our organization who would not reasonably be expected to retain the information

15.2 Federal HIPAA Breach Notification Requirements

Individual Notice:

Timeline:

Written notification within 60 days of discovering the breach
"Discovery" is first day breach is known or should have been known by our organization

Notification Method:

First-class mail to last known address
Email if you have agreed to electronic notice and we have valid email address
Substitute notice if contact information is insufficient:
- For fewer than 10 individuals: Telephone or other alternative contact
- For 10 or more individuals: Conspicuous posting on our website for 90 days AND notice to major media outlets in your area

Notice Content: We will provide written notice including:

Brief description of what happened and when breach was discovered
Types of protected health information involved (e.g., name, Social Security number, medical history)
Steps you should take to protect yourself from potential harm
Brief description of what we are doing to:
- Investigate the breach
- Mitigate harm to affected individuals
- Prevent future breaches
Contact information for you to ask questions (name, phone, email, or address)

HHS Notification:

Large Breaches (500+ individuals): Notice to U.S. Department of Health and Human Services (HHS) within 60 days of discovery
Information posted on HHS public website "Wall of Shame"
Small Breaches (fewer than 500 individuals): Annual notification to HHS of all small breaches occurring during the calendar year
Notice due no later than 60 days after end of calendar year

Media Notice (500+ individuals):

Notice to prominent media outlets serving the area where affected individuals reside
Notice provided same time as individual notice
Media release includes same information as individual notice

15.3 Missouri State Breach Notification Law (Mo. Rev. Stat. § 407.1500)

Additional State Requirements:

Scope:

Missouri law applies to "personal information" which includes:

Social Security number
Driver's license number or state ID number
Financial account numbers (credit card, bank account)

May require notification even if HIPAA breach threshold not met

Timeline:

Notification required "without unreasonable delay"
Missouri does not specify exact timeline, but we follow HIPAA 60-day requirement as minimum standard

Notification Method:

Written notice via postal mail
Electronic notice (email) if consumer has consented
Telephone notice as supplement or alternative
Substitute notice if contact information insufficient (consistent with HIPAA requirements)

Notice to Attorney General:

For breaches affecting more than 1,000 Missouri residents, notice to Missouri Attorney General required

Consumer Credit Reporting Agencies:

For large breaches, notification to major credit reporting agencies may be appropriate

15.4 Our Breach Response Process

Immediate Response (0-24 hours):

Contain the breach to prevent further unauthorized access
Secure affected systems and data
Assemble breach response team

Investigation and Assessment (1-10 days):

Investigate root cause and scope of breach
Identify all individuals affected
Assess types of information compromised
Conduct risk assessment to determine probability of harm
Document all findings and actions taken

Notification (within 60 days):

Prepare individual notifications
Notify HHS and media (if applicable)
Notify Missouri Attorney General (if required)
Notify law enforcement (if criminal activity suspected)

Mitigation and Prevention:

Offer credit monitoring or identity theft protection services (if appropriate)
Implement corrective actions to prevent similar breaches
Provide additional training to workforce
Update policies and procedures
Enhance technical safeguards

15.5 What You Should Do If Notified of a Breach

Review the Notice Carefully:

Understand what information was involved
Note the date of the breach and when it was discovered
Read recommendations for protecting yourself

Take Protective Action:

Monitor financial accounts for unauthorized activity
Review credit reports from all three credit bureaus (Equifax, Experian, TransUnion)
Place fraud alert or credit freeze on your credit file (if appropriate)
Change passwords for online accounts (especially if passwords may have been involved)
Enroll in credit monitoring (if offered by our organization)
Watch for identity theft warning signs

Contact Us:

Call the number provided in the breach notice with questions
Request additional information if needed
Inform us if you experience identity theft or fraud

Report Suspected Identity Theft:

Federal Trade Commission: IdentityTheft.gov or 1-877-ID-THEFT
Local law enforcement: File police report if you're victim of identity theft
Credit bureaus: Report fraud to credit reporting agencies

15.6 Resources for Breach Response

Credit Monitoring Services:

Equifax: www.equifax.com, 1-800-685-1111
Experian: www.experian.com, 1-888-397-3742
TransUnion: www.transunion.com, 1-800-916-8800

Fraud Alerts and Credit Freezes:

Free fraud alerts available from all three credit bureaus
Credit freezes prevent new accounts from being opened in your name
Contact any one credit bureau to place fraud alert (they notify others)

Identity Theft Resources:

Federal Trade Commission: IdentityTheft.gov, 1-877-ID-THEFT
IRS Identity Theft: www.irs.gov/identity-theft-fraud-scams
Social Security Administration: 1-800-772-1213

Missouri Resources:

Missouri Attorney General Consumer Protection: 1-800-392-8222
Missouri Department of Commerce and Insurance: 1-800-726-7390

15.7 Prevention is Our Priority

Our Commitment:

Comprehensive security program to prevent breaches
Regular risk assessments and security audits
Continuous workforce training on privacy and security
Incident detection and response capabilities
Multiple layers of technical, physical, and administrative safeguards

Your Role in Prevention:

Protect your login credentials
Don't share passwords or portal access
Use secure internet connections
Keep contact information current
Report suspicious activity immediately

16Children's Privacy

We provide care to patients of all ages, including children and adolescents. We take special care to protect the privacy of our younger patients while involving parents and guardians appropriately in their care.

16.1 Parental Rights and Responsibilities

For Patients Under Age 18:

Parental Access to Records:

Parents and legal guardians generally have the right to access their minor child's health information
Parents may review records, request copies, and receive communications about child's care
Access includes all medical records, treatment plans, and billing information

Parental Authorization:

Parents or legal guardians provide consent for treatment of minor children
Parents sign authorizations for release of information
Parents manage patient portal access for young children

Verification of Parental Authority:

We verify parental relationship and legal authority before granting access
May require documentation such as:

Birth certificate or court documents
Custody agreements (in cases of divorce or separation)
Guardianship papers (for non-parent guardians)

16.2 Adolescent Privacy Considerations

Balancing Privacy and Parental Involvement:

For adolescent patients (approximately ages 13-17), we balance:

Parents' right to be involved in their child's healthcare
Adolescents' developing autonomy and privacy interests
Legal requirements and professional standards
Best practices for adolescent healthcare

Confidential Services Under Missouri Law:

Missouri law provides adolescents with independent consent authority for certain services:

Substance abuse treatment (age 17 and older) - Mo. Rev. Stat. § 630.140
Mental health treatment (in some circumstances)
Pregnancy-related care (prenatal care, delivery, postpartum care)

For these services, adolescents may:

Consent to treatment without parental notification
Request confidentiality from parents
Have independent access to related health information

Our Approach:

We discuss confidentiality expectations with both adolescent and parent
We encourage open communication within families when appropriate
We respect adolescents' privacy interests while keeping parents appropriately involved
We may recommend partial restrictions on parental access when clinically appropriate

16.3 Proxy Portal Access for Minors

Young Children (typically under age 12):

Parents have full proxy access to patient portal
Parents can view all health information
Parents can send/receive secure messages on child's behalf
Parents manage appointments and billing

Adolescents (typically ages 12-17):

Parents may have proxy access, but we may recommend:

Graduated reduction in parental access as child matures
Adolescent having separate portal account for confidential communications
Specific restrictions based on sensitive health information

Adolescents may request their own portal access separate from parents

Transitioning Access:

We work with families to gradually shift access and responsibility
Adolescents can learn to manage their own health information
Parents remain involved in appropriate ways

16.4 Transition to Adult Care at Age 18

Important Changes at Age 18:

On the adolescent's 18th birthday:

Patient becomes legal adult with full privacy rights
Parental access automatically terminates (unless patient provides authorization)
Patient assumes responsibility for all healthcare decisions and communications
Patient controls access to all health information, including records from before age 18

What Happens:

Parents can no longer access patient portal unless patient grants permission
We cannot discuss patient's care with parents without patient's authorization
Patient must sign all authorizations and consent forms
Billing statements may be sent to patient (not parents) unless otherwise arranged

Transition Process:

We contact patients approaching age 18 to discuss transition
We encourage patients to discuss with parents before birthday
Patient can grant parents ongoing portal access or specific authorizations
Patient can designate parents as emergency contacts or authorized representatives

Continuing Parental Involvement:

If young adult patients want parents to remain involved:

Sign HIPAA authorization for release of information to parents
Add parents as proxy users on patient portal (patient controls access level)
Designate parents as emergency contacts
Provide written consent for us to discuss care with parents

16.5 Information Collection from Children

Website and Online Services:

Our public website is not directed to children under 13
We do not knowingly collect personal information from children under 13 through our website
Patient portal enrollment for minors managed by parents/guardians

Compliance with COPPA:

We comply with Children's Online Privacy Protection Act (COPPA)
Parental consent obtained before collecting personal information from children under 13
Parents can review, request deletion, or refuse further collection of child's information

Minimizing Data Collection:

We collect only information necessary for healthcare purposes
Children's information subject to same security protections as adult information
Special care taken with sensitive information about minors

16.6 Custody and Separated Parents

Non-Custodial Parents:

Non-custodial parents generally retain access rights unless:

Court order specifically restricts access
Custody agreement limits healthcare decision-making
Safety concerns exist (documented restraining order, etc.)

Divorced or Separated Parents:

We follow custody agreements and court orders
May provide duplicate communications to both parents (when appropriate)
Will not disclose information against court order

Documentation Required:

Current custody agreement or divorce decree
Court orders regarding healthcare decision-making
Any restraining orders or protective orders

Our Policy:

We maintain neutrality in custody disputes
We follow court orders and legal documentation
We encourage parents to communicate directly about coordination of care
We may require court clarification if conflicting requests received

17Changes to This Privacy Policy

17.1 Right to Revise This Notice

We reserve the right to revise or update this Privacy Policy at any time. Changes may be necessary due to:

Changes in applicable laws or regulations
New technologies or service offerings
Organizational changes or operational improvements
Enhanced security measures or privacy protections

17.2 Effective Date of Changes

Material Changes:

Material changes to our privacy practices will be effective for ALL protected health information we maintain
This includes information created or received before the effective date of the new policy
We cannot commit to different privacy practices for information collected under previous policies

Notice of Material Changes:

We will notify you of material changes through:

Posting updated Privacy Policy on our website with new effective date
Posting notice in our office and mobile dental unit
Email notification (if you've provided email address)
Notice at your next appointment
Other appropriate methods to ensure you receive notice

17.3 Accessing Current Privacy Policy

Website:

Current version always available at www.dreamlinedental.com/privacy
Clear indication of "Last Updated" date
May include summary of recent changes

Patient Portal:

Link to current Privacy Policy provided in patient portal
Notification when policy has been updated
May require acknowledgment of updated policy

In Our Office:

Posted in reception area and patient care areas
Available at mobile dental unit locations
Paper copies available upon request

Upon Request:

Paper copy available at any time
Electronic copy can be emailed
Copy provided at each appointment upon request

17.4 Version History

Documentation:

We maintain archive of previous policy versions
Effective dates and material changes documented
Available for reference if needed for legal or compliance purposes

Your Rights:

You have the right to know which version of the Privacy Policy was in effect at any given time
You may request information about past privacy practices

17.5 Questions About Changes

If you have questions about changes to this Privacy Policy:

Contact our Privacy Officer (see Section 19)
Request explanation of specific changes
Discuss how changes affect your privacy rights
Request paper copy of current or previous versions

18Our Legal Duties

We are required by federal and state law to:

18.1 Maintain Privacy of Protected Health Information

Implement appropriate safeguards to protect your health information
Limit access to your information to authorized individuals
Protect information from unauthorized use or disclosure
Maintain confidentiality of all patient communications and records

18.2 Provide You with Notice of Privacy Practices

Provide you with this Notice describing our legal duties and privacy practices
Make Notice available at our facilities and on our website
Provide paper copy upon request
Make good faith effort to obtain written acknowledgment of receipt

18.3 Abide by Terms of This Notice

Follow the privacy practices described in this Notice
Apply current Notice to all protected health information we maintain
Not use or disclose your information except as described in this Notice or as permitted by law

18.4 Notify You of Breaches

Inform you if there is a breach of your unsecured protected health information
Provide notification within required timeframes
Explain what happened and steps you should take

18.5 Not Use or Disclose Information for Marketing Without Authorization

Obtain your written authorization before using your information for marketing purposes
Give you right to opt out of marketing communications
Never sell your health information without specific authorization

18.6 Not Use or Disclose Psychotherapy Notes Without Authorization

Protect psychotherapy notes (if applicable) with heightened privacy standards
Require your specific authorization for most uses or disclosures
Maintain separate protections beyond general health information

18.7 Maintain Reasonable and Appropriate Safeguards

Implement technical, physical, and administrative safeguards
Protect electronic health information from unauthorized access
Ensure confidentiality, integrity, and availability of information
Regular assessment and updates to security measures

18.8 Restrictions on Certain Uses and Disclosures

Must Honor Your Request to Restrict Disclosure to Health Plan:

If you pay out-of-pocket in full for a service
And you request we not share information with your health insurer
We MUST comply (unless required by law to disclose)

Minimum Necessary Standard:

Make reasonable efforts to use, disclose, or request only minimum information necessary
Exception: Minimum necessary does not apply to:

Disclosures to healthcare providers for treatment
Disclosures to you
Disclosures pursuant to your authorization
Disclosures required by law

18.9 Accountability and Compliance

Designate Privacy Officer and Security Officer responsible for compliance
Train workforce on privacy and security requirements
Implement sanctions for violations of privacy policies
Maintain policies and procedures implementing HIPAA requirements
Document compliance activities and maintain for required retention periods

18.10 No Waiver of Rights

You do not waive any privacy rights by receiving treatment
We do not condition treatment on your acknowledgment of this Notice
Exception: Treatment solely for research purposes may require participation in the research study including signing authorizations

19Complaints and Contact Information

You have the right to file a complaint if you believe your privacy rights have been violated.

WE WILL NOT RETALIATE AGAINST YOU FOR FILING A COMPLAINT.

19.1 Your Right to File a Complaint

You will not be denied treatment or services
You will not face discrimination or other negative consequences
Your care will not be affected in any way

19.2 How to File a Complaint with Our Organization

Contact Our Privacy Officer:

Privacy Officer

Dreamline Dental Sleep Clinic

Email: info@dreamlinedental.com

Phone: (660) 358-1277

What to Include in Your Complaint:

Your name and contact information
Description of the privacy concern or violation
Date(s) when the incident occurred
Names of individuals involved (if known)
Any relevant documentation

Our Response:

We will acknowledge receipt within 5 business days
We will investigate promptly and thoroughly
Written response within 30 days (or explanation if more time needed)
All complaints documented and reviewed for compliance

19.3 How to File a Complaint with the Federal Government

Office for Civil Rights (OCR)

U.S. Department of Health and Human Services

200 Independence Avenue, S.W.

Room 509F, HHH Building

Washington, D.C. 20201

Phone: 1-877-696-6775 (toll-free)

Website: https://www.hhs.gov/ocr/privacy/hipaa/complaints/

Online Complaint Portal: https://ocrportal.hhs.gov/ocr/portal/lobby.jsf

OCR Regional Office for Missouri:

Region VII Office

Office for Civil Rights

U.S. Department of Health and Human Services

601 East 12th Street, Room 248

Kansas City, MO 64106

Phone: (816) 426-7277

TDD: (816) 426-7065

Filing with OCR:

Must be filed within 180 days of when you knew the violation occurred
Can request extension of filing deadline
Can file online, by mail, fax, or email
OCR will investigate and may take enforcement action

19.4 Missouri State Resources

Missouri Attorney General - Consumer Protection Division

Phone: 1-800-392-8222

Website: www.ago.mo.gov

Missouri Department of Health and Senior Services

Phone: (573) 751-6400

Website: health.mo.gov

19.5 Additional Contact Information

General Inquiries:

Email: info@dreamlinedental.com
Phone: (660) 358-1277
Website: www.dreamlinedental.com

Other Services:

Patient Portal Support: Technical assistance available during business hours
Billing Questions: Billing Department - info@dreamlinedental.com
Medical Records Requests: Privacy Officer (contact above)
Business Hours: Mon-Fri: 8AM-6PM | Sat: By Appointment

19.6 Language Assistance

Non-English Speakers: Translation services available for major languages
Interpreter services can be arranged for appointments
This Privacy Policy available in [INSERT LANGUAGES] upon request

Accessibility:

Large print versions available
Audio version available upon request
Accessible format for individuals with disabilities

20Acknowledgment of Privacy Practices

20.1 Notice Acknowledgment

First Visit or Portal Enrollment: At your first visit or when you enroll in our patient portal, we will:

Provide you with a copy of this Notice of Privacy Practices
Request your written acknowledgment that you received this Notice
Make good faith effort to obtain your acknowledgment
Document our efforts to obtain acknowledgment

If You Decline to Acknowledge:

We will NOT refuse treatment if you decline to acknowledge receipt
We will document that notice was provided and acknowledgment was offered
Exception: Treatment solely for research purposes may require acknowledgment as condition of participation

20.2 Electronic Acknowledgment

Patient Portal Enrollment: Electronic acknowledgment accepted when enrolling in patient portal
Must affirmatively acknowledge before portal access granted
Electronic signature legally equivalent to written signature
Copy of acknowledgment provided to you electronically

20.3 Periodic Re-Acknowledgment

Updated Policies:

If Privacy Policy materially revised, we may request new acknowledgment
Acknowledgment confirms you received notice of changes
Not required for treatment to continue

Recommended Practice:

Review this Privacy Policy annually
Check website for updates
Contact Privacy Officer with questions about any changes

Effective Date

January 20, 2026

Last Updated: January 20, 2026

Summary of Key Points

Your Information is Protected

We protect your health information with comprehensive security measures
We use and disclose your information only as permitted by law
We never sell your health information

Your Rights

Access and obtain copies of your health records
Request corrections to your information
Request restrictions on uses and disclosures
Receive confidential communications
File complaints without retaliation

Our Responsibilities

Maintain privacy and security of your information
Notify you of breaches
Follow the terms of this Privacy Policy
Provide you with this Notice

Questions or Concerns?

Contact our Privacy Officer:

info@dreamlinedental.com

(660) 358-1277

Patient Acknowledgment

I acknowledge that I have received and reviewed the Notice of Privacy Practices and Privacy Policy for Dreamline Dental Sleep Clinic.

Signature will be obtained separately through patient intake process or patient portal enrollment.

For more information about HIPAA and your privacy rights, visit www.hhs.gov/ocr/privacy

For the most current version of this Privacy Policy, visit www.dreamlinedental.com/privacy

Notice of Privacy Practices and Privacy Policy

1Introduction

2Information We Collect

2.1 Personal Information

2.2 Protected Health Information (PHI)

2.3 Website and Portal Usage Information

3How We Use Your Information

3.1 Treatment

3.2 Payment

3.3 Healthcare Operations

3.4 Appointment Reminders and Communications

3.5 Legal and Regulatory Compliance

3.6 Public Health and Safety

4How We Share Your Information

4.1 Healthcare Providers

4.2 Federal and State Health Programs

4.3 Insurance Companies

4.4 Dental Laboratories and Medical Equipment Suppliers

4.5 Business Associates

4.6 Legal and Regulatory Authorities

4.7 Other Disclosures

5Your Privacy Rights Under HIPAA

5.1 Right to Access Your Medical Records

How to Request:

Our Response Timeline:

Fees:

Denials:

5.2 Right to Amend Your Health Information

5.3 Right to Request Restrictions

5.4 Right to Confidential Communications

5.5 Right to an Accounting of Disclosures

What's Included:

What's NOT Included:

5.6 Right to a Copy of This Notice

5.7 Right to Revoke Authorization

5.8 Right to Opt Out of Marketing and Fundraising

5.9 Right to Be Notified of a Breach

5.10 Right to File a Complaint

6Data Security Measures

6.1 Technical Safeguards

Encryption:

Access Controls:

System Security:

Audit and Monitoring:

Database and Infrastructure Security:

6.2 Physical Safeguards

Mobile Dental Unit Security:

Facility Security (if applicable):

Workstation Security:

Device Management:

Physical Record Security:

6.3 Administrative Safeguards

Policies and Procedures:

Workforce Management:

Risk Management:

Vendor Management:

Contingency Planning:

Mobile Service Security:

7Patient Portal Privacy and Security

7.1 Portal Access and Authentication

Account Creation:

Login Security:

7.2 What You Can Access Through the Portal

Medical Records:

Communication:

Health Management:

Billing and Payments:

Appointments:

7.3 Proxy Access for Family Members

Parents/Legal Guardians:

Legal Representatives:

Proxy Request Process:

Proxy Responsibilities:

7.4 Portal Security Features

Data Protection:

Audit Logging:

Security Monitoring:

7.5 Your Portal Responsibilities

Protect Your Account:

Secure Device Usage: