HIPAA Compliance

DermaCare Dermatology Clinic is committed to protecting your health information and maintaining the highest standards of privacy and security.

HIPAA Overview

At DermaCare, we comply fully with the Health Insurance Portability and Accountability Act (HIPAA) to ensure the confidentiality, integrity, and availability of your protected health information (PHI).

Our policies and procedures are designed to safeguard your information and provide you with control over your personal health data. We understand that your medical information is highly sensitive and we treat it with the utmost care and respect.

What is HIPAA?

HIPAA is a federal law that protects sensitive patient health information from being disclosed without the patient's consent or knowledge. It establishes national standards for electronic health care transactions and provides security and privacy protections for health data.

Our Compliance Framework

We implement comprehensive administrative, physical, and technical safeguards to protect your PHI:

Administrative Safeguards

Security officer designation, workforce training, access management, and regular security awareness programs for all staff members.

Physical Safeguards

Facility access controls, workstation security, device and media controls, and secure disposal of PHI-containing materials.

Technical Safeguards

Access controls, audit controls, integrity controls, person or entity authentication, and transmission security measures.

Our Privacy Practices

We implement multiple layers of protection for your PHI, including:

  • Access Controls: Role-based access control and user authentication ensuring only authorized personnel can access patient information
  • Data Encryption: 256-bit encryption for data in transit and at rest
  • Staff Training: Comprehensive HIPAA training for all employees with regular refresher courses
  • Audit Controls: Continuous monitoring and logging of all PHI access and activities
  • Secure Storage: Protected physical and digital storage systems with automatic backup
  • Business Associate Agreements: HIPAA-compliant contracts with all third-party vendors
  • Incident Response: Formal procedures for security incident detection and response
  • Regular Risk Assessments: Ongoing evaluation of security vulnerabilities and threats

Your HIPAA Rights

As a patient, you have important rights under HIPAA. We are committed to respecting and protecting these rights:

Right to Access Your Health Information:

  • Inspect and obtain copies of your health records
  • Request information in specific formats when possible
  • Direct us to transmit copies to third parties you designate

Right to Request Amendment:

  • Request corrections to your health information
  • Add statements to your record if we decline your amendment request

Right to Request Restrictions:

  • Request limits on how we use or disclose your PHI
  • Request restrictions on information shared with family members
  • We will accommodate reasonable requests when possible

Right to Confidential Communications:

  • Request alternative means of communication
  • Specify preferred contact methods and locations
  • We will accommodate reasonable requests

Right to an Accounting of Disclosures:

  • Request a list of certain disclosures of your PHI
  • Covers disclosures for purposes other than treatment, payment, or health care operations
  • One free accounting per 12-month period

Right to File a Complaint:

  • File complaints about our privacy practices
  • Contact the U.S. Department of Health and Human Services
  • No retaliation for filing complaints

Business Associates

We work with trusted business associates who provide services on our behalf. All business associates are required to comply with HIPAA regulations and sign comprehensive Business Associate Agreements (BAAs) to protect your PHI.

Our Business Associates Include:

  • IT Service Providers: Technology vendors who maintain our systems and provide technical support
  • Cloud Storage Providers: Secure data storage and backup services
  • Billing Companies: Third-party billing and payment processing services
  • Legal Counsel: Attorneys who may need access to PHI for legal representation
  • Consultants: Healthcare consultants who help improve our operations
  • AI Technology Partners: IBM Watson Assistant and other AI service providers

BAA Requirements

All business associates must agree to implement appropriate safeguards, report any breaches, return or destroy PHI when the relationship ends, and submit to audits of their HIPAA compliance.

Data Security Measures

We employ robust, multi-layered security measures to protect your information from unauthorized access, including:

Technical Security:

  • Encryption Technologies: AES-256 encryption for data at rest and TLS 1.3 for data in transit
  • Firewall Protection: Advanced next-generation firewalls with intrusion detection
  • Multi-Factor Authentication: Required for all system access
  • Automated Patch Management: Regular security updates and vulnerability remediation
  • Network Segmentation: Isolated networks for different types of data and operations

Monitoring and Auditing:

  • 24/7 Security Monitoring: Continuous surveillance of all systems and networks
  • Access Logging: Detailed logs of all PHI access and modifications
  • Regular Security Audits: Third-party security assessments and penetration testing
  • Risk Assessments: Annual comprehensive risk analysis and mitigation planning

Physical Security:

  • Secure Facilities: Access-controlled buildings with security systems
  • Workstation Security: Automatic screen locks and secure device management
  • Media Controls: Secure handling and disposal of storage devices
  • Environmental Controls: Climate and power protection for servers

Breach Response Procedures

In the unlikely event of a security incident or data breach, we have comprehensive procedures in place:

  • Immediate Response: Containment and assessment within 24 hours
  • Investigation: Thorough analysis to determine scope and cause
  • Notification: Timely notification to affected patients and regulatory authorities as required
  • Remediation: Implementation of corrective measures to prevent future incidents
  • Documentation: Complete record-keeping of all breach response activities

Notification Timeline

If a breach affects your PHI, we will notify you without unreasonable delay and within 60 days of discovery of the breach, as required by HIPAA regulations.

Contact Our Privacy Officer

If you have any questions or concerns about our HIPAA compliance, want to exercise your privacy rights, or need to file a complaint, please contact our Privacy Officer:

Privacy Officer
DermaCare Dermatology Clinic
123 Medical Center Dr.
Healthcare City, HC 12345
Phone: (555) 123-4567
Email: privacy@dermacare.com
Fax: (555) 123-4568

Filing Complaints with HHS:

You also have the right to file a complaint with the U.S. Department of Health and Human Services if you believe your privacy rights have been violated:

Office for Civil Rights
U.S. Department of Health and Human Services
Website: www.hhs.gov/ocr/privacy/hipaa/complaints
Phone: 1-800-368-1019

No Retaliation Policy

We will not retaliate against you in any way for filing a complaint or exercising any of your rights under HIPAA. Your care and relationship with our practice will not be affected.