Privacy Policy

Notice of Privacy Practices and Privacy Policy for Irene S. Olaes, DMD

Irene S. Olaes, DMD
12335 World Trade Dr. Ste 1B
San Diego, CA 92128
Phone: (858) 487-4683
Email: [email protected]

Effective Date: June 1, 2025

1. Introduction

We respect your privacy and are committed to protecting your personal and health information. This Privacy Policy explains how our dental office collects, uses, discloses, and safeguards your information in compliance with federal laws, including the Health Insurance Portability and Accountability Act (HIPAA), and California state privacy requirements, including the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

2. Our Legal Obligations

We are legally required to protect the privacy of your Protected Health Information (PHI)

We must provide you with this Notice of Privacy Practices explaining how we use and disclose your PHI

We comply with applicable federal and state laws, including HIPAA, CCPA, CPRA, and California privacy regulations, and follow the strictest standard when they differ

We reserve the right to change our privacy practices and will notify you of significant updates

3. Information We Collect

We collect and retain the following types of personal and health information:

Personal identifiers such as your name, address, phone numbers, email, date of birth, and government-issued identification

Dental and medical histories, treatment records, examination findings, radiographs (X-rays), charts, and clinical photographs

Insurance and payment information, including billing records and payment history

Communication records, including appointment scheduling and correspondence with other healthcare providers when needed

Emergency contact information and authorized representative designations

Records of your privacy preferences and communication choices

Website usage information through cookies and similar technologies when you visit our website

Information collected through online forms, appointment booking systems, and patient portals

4. Website Cookies and Digital Technologies

Cookies and Analytics: Our website uses cookies and similar technologies to improve functionality, analyze website traffic, and enhance your online experience. We may use services like Google Analytics to understand how visitors use our website, which helps us improve our online services.

Do Not Track Signals: Our website does not currently respond to "Do Not Track" browser signals, but you can manage tracking preferences through your browser settings or by contacting us directly.

Online Forms and Booking Systems: When you use our online appointment booking system, contact forms, or patient portal, we collect the information necessary to provide these services and communicate with you about your dental care.

Social Media and Marketing Technologies: We may use social media pixels or similar technologies to provide relevant information about our services. You can opt out of these communications through your social media privacy settings or by contacting our office.

5. Cloud Services and Data Storage

Your health information may be securely stored using cloud-based services to improve our practice operations and ensure data backup and security. These services may include:

Practice management software and electronic health record systems

Secure cloud storage services (such as Google Workspace, Microsoft 365, or similar HIPAA-compliant platforms)

Email and communication platforms

Credit card processing and payment systems

Insurance verification and claims processing services

All cloud service providers are required to sign Business Associate Agreements and protect your information according to HIPAA standards, regardless of where their servers are located. We ensure that all data storage meets or exceeds federal and California privacy and security requirements.

6. Use and Disclosure of Your Information

Permitted Uses and Disclosures

We use and disclose your PHI:

For Treatment: To provide, coordinate, and manage your dental care, including communication with other healthcare providers, specialists, laboratories, and emergency care providers.

For Payment: To bill and collect payment from you, your insurance company, or other third parties, including verification of benefits and pre-authorization requests.

For Healthcare Operations: To manage the office, improve quality, conduct training, perform administrative functions, and conduct internal audits.

As Required by Law: To report communicable diseases, abuse, neglect, or comply with court orders, legal investigations, and public health requirements.

To Prevent Harm: To avert a serious threat to your health or safety or that of others.

Family and Friends: We may share your PHI with family members, friends, or other persons you identify who are involved in your care or payment for care, provided you give us verbal or written permission, or in emergency situations when we determine it is in your best interest.

Additional Disclosures Without Your Authorization

We may also use or disclose your PHI without your authorization for:

Public Health Activities: To public health authorities for disease prevention and control, vaccine monitoring, and reporting of vital statistics.

Health Oversight Activities: To health oversight agencies for licensing, certification, auditing, and monitoring activities authorized by law, including state dental boards and federal agencies.

Judicial and Administrative Proceedings: In response to court orders, subpoenas, discovery requests, or other lawful process, but only after attempts to notify you or obtain protective orders.

Law Enforcement: To law enforcement officials for specific law enforcement purposes, including identifying suspects, victims, or witnesses; reporting crimes on our premises; or in emergency circumstances.

Coroners and Medical Examiners: To coroners, medical examiners, or funeral directors as necessary for them to carry out their duties.

Workers' Compensation: For workers' compensation claims if you are injured at work and we provide treatment related to that injury.

Specialized Government Functions: For national security activities, protective services for government officials, or military purposes if you are armed forces personnel.

Research: For research purposes only when an institutional review board has approved the research and established protocols to protect your privacy.

Inmates: If you are an inmate of a correctional institution, we may disclose your PHI to the institution or its agents when necessary for your health or the health and safety of others.

Limited Sharing - Minimum Necessary Standard

We limit the use and disclosure of your PHI to the minimum amount necessary to accomplish the intended purpose:

Treatment Communications: When coordinating your care with other providers, we share only the specific information needed for your treatment, such as relevant medical history, current medications, or specific treatment plans.

Payment Processing: For billing and insurance purposes, we share only the information required to process claims, verify benefits, or collect payment, such as treatment dates, procedures performed, and diagnostic codes.

Healthcare Operations: For quality improvement, training, or administrative purposes, we use only the information necessary for the specific operational activity.

Limited Data Sets: In some cases, we may share limited data sets (with direct identifiers removed) for research, public health activities, or healthcare operations, but only under formal agreements that protect your privacy.

Emergency Situations: In medical emergencies, we may share more comprehensive information to ensure you receive appropriate care, but will limit disclosure to what emergency personnel need to treat you safely.

Uses and Disclosures Requiring Your Written Authorization

The following uses and disclosures will be made only with your written authorization:

Marketing: Communications about products or services that encourage you to purchase or use a product or service (this does not include communications about your treatment or case management).

Sale of PHI: We do not and will not sell your protected health information to third parties.

Fundraising: If we engage in fundraising activities, we will only contact you for fundraising purposes with your prior written authorization.

Psychotherapy Notes: If applicable, any use or disclosure of psychotherapy notes requires separate authorization.

Research: Research studies not directly related to your treatment require separate authorization explaining the research purpose and procedures.

Most Other Purposes: Any other use or disclosure not described in this notice requires your written authorization.

You may revoke any authorization in writing at any time, except to the extent we have already acted based on your authorization.

7. Clinical Photography and Imaging

Treatment Documentation: We may take clinical photographs as part of your dental care for treatment planning, progress monitoring, and record keeping.

Educational and Marketing Use: Any use of clinical photographs for educational purposes, case presentations, or marketing materials requires your separate written authorization, which you may revoke at any time.

Patient Rights: You have the right to request copies of clinical photographs in your record and to restrict certain uses of these images.

8. Genetic Information

We follow federal and state laws regarding genetic information:

Genetic information cannot be used or disclosed for underwriting purposes

We will not request genetic testing unless medically necessary for your dental treatment

Any genetic information in your health record receives the same privacy protections as other PHI

Genetic information includes family medical history that may indicate genetic predisposition to disease

9. Amendment and Correction Process

If you believe information in your record is incorrect or incomplete:

How to Request: Submit a written request describing the specific information and explaining why it should be changed.

Our Response Time: We will respond within 60 days, with a possible 30-day extension if needed.

Approval: If we approve your request, we will make the amendment and notify relevant parties who received the incorrect information.

Denial: If we deny your request, we will provide written reasons. You may submit a written statement of disagreement, which will be included in your record.

Valid Reasons for Denial: We may deny amendment requests if the information was not created by us, is not part of your medical record, would not be available for inspection, or is already accurate and complete.

10. Minor Patient Privacy Rights

Parental Access: Parents or legal guardians generally have the right to access their minor child's health information, except in circumstances where California law grants minors the right to consent to their own care.

Adolescent Privacy: For patients aged 12 and older, certain dental and medical services may be provided with enhanced privacy protections as required by California law.

Confidential Communications: Minor patients may request that communications about their care be directed to alternative locations or methods to protect their privacy.

11. Patient Rights

HIPAA Rights

You have the right to:

Access and obtain copies of your PHI, with some legal exceptions

Request corrections or amendments to your records if you believe the information is incomplete or inaccurate

Receive a list of disclosures of your PHI made by our office, except for certain permitted disclosures

Request restrictions on how we use or disclose your PHI; however, we are not always required to agree

Receive communications from us at an alternative location or in a confidential manner

Revoke any prior authorizations in writing, except where we have already acted

File a complaint if you believe your privacy rights have been violated

California Consumer Privacy Rights

Under California law, you also have the right to:

Right to Know: Request information about the categories and specific pieces of personal information we collect, use, and disclose about you.

Right to Delete: Request deletion of your personal information, subject to certain healthcare exceptions required by law.

Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

Note: Healthcare information is subject to specific federal and state regulations that may limit some deletion rights to ensure continuity of care and legal compliance.

Appeals Process for Denied Requests

If we deny your privacy request, you have the right to appeal our decision:

How to Appeal: Submit a written appeal to our Privacy Officer within 60 days of receiving our denial, explaining why you believe our decision was incorrect.

Our Response: We will review your appeal and respond within 30 days with our final decision and detailed reasoning.

External Appeals: If you remain unsatisfied with our response, you may file a complaint with the U.S. Department of Health & Human Services Office for Civil Rights or the California Attorney General's Office.

12. Electronic Access and Patient Portal

If we provide electronic access to your health information through a patient portal or similar system:

You will receive secure login credentials and are responsible for maintaining their confidentiality

Electronic communications carry inherent security risks, which we will explain to you

You may choose to opt out of electronic communications at any time

We implement reasonable security measures but cannot guarantee complete security of electronic transmissions

13. Safeguards and Security Measures

We implement the following safeguards to protect your PHI:

Administrative: Privacy policies, staff training, disciplinary measures, and a designated Privacy Officer.

Physical: Secure storage of paper records, controlled access to office and record storage areas, and secure disposal procedures.

Technical: User authentication, password protections, encryption of electronic records, secure data backups, and access monitoring.

Access Controls: Only authorized personnel are allowed access to your health information, with access logged and monitored.

14. Business Associates

We may share your PHI with carefully selected third-party vendors who assist us in our operations, including:

Billing and collection services

Information technology providers and cloud storage services

Practice management software vendors

Dental laboratories and imaging services

Credit card processing companies

Legal and accounting services

Insurance verification services

These Business Associates are required to sign agreements to protect your PHI in accordance with HIPAA and may not use your information for any purpose other than providing services to our practice.

15. Breach Notification

If a breach of your unsecured PHI occurs:

We will notify you in writing within 60 days of discovering the breach

The notice will include a description of what happened, the information involved, steps we are taking to address the breach, and steps you can take to protect yourself

We will take all required steps under federal and state law to mitigate potential harm

We will also notify appropriate regulatory authorities as required by law

16. Retention of Records

We retain health records and privacy documentation according to the following schedule:

Adult patient records: Minimum of seven years from last treatment

Minor patient records: Minimum of seven years from last treatment or until age 21, whichever is longer

Radiographs: Minimum of seven years

Financial records: Minimum of seven years

Privacy documentation: Minimum of six years

Clinical photographs: As long as medically relevant or until authorization is revoked

Records may be retained longer as required by law or for legal proceedings.

17. Electronic Communication and Data Policy

Consent to Receive SMS Messages

By providing your mobile phone number, you consent to receive SMS/text messages from our office. We distinguish between two types of SMS communications:

Healthcare Communications: Appointment reminders, confirmations, treatment notifications, and office updates related to your care (permitted under HIPAA).

Marketing Communications: Promotional messages about services, special offers, or general practice information (requires separate consent under marketing regulations).

Information Collected via SMS

We collect phone numbers, appointment details, treatment-related data necessary for scheduling, and your communication preferences as part of SMS interactions.

Use of SMS Data

Healthcare-related SMS communications are used exclusively to support your dental care and are considered part of your medical record

Marketing SMS communications are used only with your explicit consent and you may opt out separately

We do not sell or share your SMS information with third parties for their marketing purposes

Opt-Out and Assistance

You may opt out of all SMS messages at any time by replying "STOP" to any message

You may opt out of marketing messages only by replying "STOP MARKETING"

For help or to change preferences, reply "HELP" or contact our office directly at (858) 487-4683

SMS Data Security

We protect SMS data with reasonable administrative, technical, and physical safeguards and restrict access to authorized personnel only.

Legal Compliance

Our SMS practices comply with HIPAA, the Telephone Consumer Protection Act (TCPA), and other relevant communications laws.

18. Complaints and Contact Information

If you have questions about this Privacy Policy or wish to file a complaint:

Contact our Privacy Officer: Irene S. Olaes, DMD
12335 World Trade Dr. Ste 1B
San Diego, CA 92128
Phone: (858) 487-4683
Email: [email protected]

Federal Complaints: You may also file a complaint with the U.S. Department of Health & Human Services Office for Civil Rights.

California Complaints: For California privacy law complaints, you may contact the California Attorney General's Office.

Non-Retaliation: We will not retaliate against you for filing any complaint or exercising your privacy rights.

19. Policy Updates

We reserve the right to change this Privacy Policy at any time. Material changes will be:

Posted in our office waiting area

Available on our website

Provided to you upon request

Communicated via your preferred contact method for significant changes affecting your rights

You may request a current copy of this policy at any time.


Acknowledgment: By continuing to receive services at our practice, you acknowledge that you have received and understand this Privacy Policy.


© Irene S. Olaes DMD. All Rights Reserved.