HIPAA FAQs

Common questions we have received regarding HIPAA and PIPEDA compliance.



Have There Been Any HIPAA Breaches in Dental Practices?

Yes. According to the U.S. Department of Health and Human Services, as of March 19, 2014, over 200,000 individuals had been affected by HIPAA breaches in 39 dental practices between 2009 and 2013.

Why Should You Care?

The trusted relationship you create with your patients is just as important in the electronic world as it is in the real world. HIPAA legislation in both worlds is about restricting access to Protected Health Information (PHI) to the people who must have it to deliver health services. Dr. Lavine has a considerable amount of experience helping dental practices become HIPAA compliant in the "real world"; please contact him for more information and guidance. In the electronic world, compliance covers encryption and the access, transmission, storage and disposal of PHI.

What are the New HIPAA Omnibus Rules?

The HIPAA Omnibus Rules provided further legislation on privacy, security, and breach notification policies and procedures, including: copies of e-PHI, emailing PHI, breach notifications, marketing communications, disclosures to health plans, sales of PHI, childhood immunizations, decedents, charging for copies of e-PHI or PHI, and research authorizations.

Where Do I Start in My Dental Practice?

Have a HIPAA meeting in your dental practice. Start the conversation in your practice: review the Omnibus Guide, send the HIPAA Compliance Software Checklist to vendors, designate a project manager, determine next steps and set goals.

Who are Considered Business Associates?

"Business Associates" refers specifically to a person or organization that works with your practice in a way that involves the use or disclosure of patient information. The HIPAA Omnibus Rules provide further legislation on the relationship between doctors and business associates.

What is a Notice of Privacy Practice?

Your practice is required to develop and distribute a notice that provides a clear, user-friendly explanation of patients' privacy rights and your practice's information practices. Doctors will have to post the revised Notice of Privacy Practices (NPP) and make copies available at their office to all new patients and to anyone else on request. Doctors who maintain a website are cautioned to post the updated NPP on their website, as required by the existing HIPAA Privacy Rule.

What are the Fines for Not Following the Omnibus Rules?

There are four penalty tiers:
Lowest Tier: In cases in which the doctor did not and reasonably could not know of the breach, a penalty of not less than $100 or more than $50,000 for each violation.
Intermediate Tier: In cases in which the doctor "knew, or by exercising reasonable diligence would have known" of the violation, but did not act with willful neglect, a penalty of not less than $1,000 or more than $50,000 for each violation.
Two Highest Tiers: Acted with willful neglect and corrected the problem within the 30-day cure period, a penalty of not less than $10,000 or more than $50,000 for each violation. Acted with willful neglect and did NOT correct the problem within the 30-day cure period, a penalty of not less than $50,000 for each violation.
The penalty for violations of the same requirement or prohibition under any of these categories may not exceed $1.5 million in a calendar year.

What Does Compliance Mean in the "Real World" and "Electronic World" ?

It all comes down to doctor-patient confidentiality. As electronic transmission has replaced more traditional methods of information transfer, regulations have emerged that have set standards for electronic information security that extend doctor-patient confidentiality into the electronic world. HIPAA, HITECH, PIPEDA and a number of other provincial and state regulations set laws regarding the way your practice should control sensitive patient information. 

Is Patient Consent All I Need?

No. Consent is needed to obtain the patient's approval to send patient information to associated treatment providers. A dentist CAN obtain the patient's consent to send the patient their own information over email. Patients CANNOT consent to a dentist sending information to any other medical professional through unsecure methods.

Why is Email NOT Compliant?

Even if your computer is secure, your message passes through dozens of unknown servers en route to its destination. These "middle-man" servers make up the backbone of the email system, but they are not secure and therefore not compliant. Dentists have a duty to take precautions to safeguard private patient data.

Please explain how Secure-Mail™ offers HIPAA compliance? Is it just encryption or does it include auditability etc.?

Secure-Mail™ has been specifically developed to be HIPAA compliant as it provides users with encryption, auditability, data backup and storage, identity authentication, emergency access, and more. Please visit our HIPAA Compliance Software Checklist for more information on the HIPAA requirements.

Is there a contract for Secure-Mail™ that is month to month?

Yes. You can purchase Secure-Mail™ with a month-to-month subscription for only $39.99/month. This is a very popular way to purchase Secure-Mail™. To get started with your subscription today please visit the Plans and Pricing page.

Do you offer a free trial?

Yes. Use this link for a free trial of Brightsquid Secure-Mail™.

Do you offer personal demos of Brightsquid for my office?

Yes. Use this link to sign up for a personalised demo of Brightsquid Secure-Mail™.

Can you enter a colleague's regular email address into the Secure-Mail™ address bar?

Yes. Secure-Mail™ has been designed to work with your and your colleagues' regular email addresses. Simply enter your colleague's email address into the Secure-Mail™ address bar and click send. Your colleague will receive a notification alerting them to the Secure-Mail™ message in their regular email inbox, smartphone or tablet.

Do you have to have a Brightsquid account for each staff member?

With your dentist subscription you will get 5 accounts (1 doctor and 4 support staff) for your practice. We find that 5 internal accounts meet the needs of most dental practices, but if you need more than 5 accounts, or if there is more than one doctor working in your clinic, please contact our office and we can help you set this up.

Is Secure-Mail™ for emailing patients or just other entities?

Secure-Mail™ was designed to facilitate the secure exchange of information between dentists, specialists and dental labs. We are very excited to announce the introduction of doctor-patient communication through Secure-Mail™ in early 2014. Please contact our office for more information and/or to register for our next webinar on the HIPAA guidelines for doctor-patient communication.

I am a specialist, how does Brightsquid work with my referring dentists?

Brightsquid has a subscription package designed for dental specialists like yourself, with a number of specific features to help build and maintain your referrals. Please contact our office for more information as well as a demo highlighting these exciting features.

Is there a limit to the number of messages I can send using Brightsquid or other storage limits?

No. There are no limits to the number of messages you can send using your $39.99 Dentist account for Brightsquid Secure-Mail™. Brightsquid offers customers unlimited data with their registration; the only limit we place on this is to prevent abuse, and it takes effect at the terabyte level. Please contact our office if you would like more information on data storage.

Is it safe to put a patient's CD or USB drive in your computer if the patient claims the data is from their other health care provider? Perhaps they are seeking a second opinion from you or are referred to you as a specialist.

From a HIPAA standpoint there are no rules against putting CDs or USBs into your computer. We would recommend taking precautions as you could expose your computer to malware or viruses. It is much safer to send information through a service like Secure-Mail™. We have a number of customers who prefer Secure-Mail™ as they do not have to worry about sending USB drives back to the sender, as well as making sure the information is properly copied onto a CD or drive. Brightsquid Secure-Mail™ does a number of checks on the file to ensure that it does not contain viruses or malware.

What about sending marketing email on blood drives, food drives, etc?

As there is no treatment information in the email, this type of communication would be considered a marketing email. Because of that, you will want to get specific consent to send this type of email to your patients.

Is your bank a Business Associate as they may be processing patient checks?

No, typically banks are not considered Business Associates, as they normally don't deal with treatment information. There is separate legislation and standards dealing with security of financial information, such as Payment Card Industry Data Security Standard (PCI-DSS).

How does the e-mail encryption rule affect our automated patient communication systems, such as Demandforce and Lighthouse 360? Must patients participating in e-mail or text messaging sign a release acknowledging the risk of their PHI exposure?

Patients should sign a release to consent to communication through email or SMS. Your team should be familiar with the risks associated with email to appropriately inform your patients. If you are sending appointment reminders, that should be fine in accordance with HIPAA. We recommend avoiding the inclusion of any treatment information/Protected Health Information (PHI) in reminders through email. Please contact your vendor directly for more information on their HIPAA compliance. For your other software vendors, please refer to our HIPAA Software Compliance Checklist.

How does HIPAA address PHI when audited by local, state or federal government?

There is a specific exception that grants the government rights to access Protected Health Information (PHI) during an audit.

What is included in Protected Health information (PHI)?

Protected Health Information (PHI) includes any information related to your patients' past, present or future health/medical records or payment history. Under HIPAA law there are 18 identifiers: patient names, geographical identifiers (smaller than state), dates (other than year), phone numbers, fax numbers, email addresses, Social Security Numbers, medical record numbers, health insurance beneficiary numbers, account numbers, certificate or licence numbers, vehicle identifiers, device identifiers, web addresses (URLs), internet protocol (IP) address numbers, biometric identifiers, photographs of the patient's face, and any other unique or identifying characteristic, code or number. For more information please visit the U.S. Department of Health & Human Services.

What about using WiFi? Can this be intercepted by others when using an open network?

Yes. We would recommend setting up a separate wireless network for your patients and staff to use for non-clinic purposes. This is a very simple procedure using a router in your practice. You may already have the equipment in your office to set up a 'guest' network and if you don't have the equipment, it is quite affordable to purchase. By setting up a guest network you may also provide your patients free wireless while they are in your practice.

If I send digital images to a lab or dental office, does it require a special notice about privacy attachment? To clarify, for example, sending CEREC scans to a lab; does this need to be encrypted and/or have a privacy notice attached?

It will depend on the type of information you are sending. If the files contain Protected Health Information (PHI), then yes. The problem typically is that the scan will contain patient information of some sort, for example a patient name. Even if you cannot see the patient information, it may still be attached to the patient images but not visible in the scanning system. The challenge is, however, that the information is still available using simple tools to read it, and therefore it would not be HIPAA compliant. We would recommend contacting CEREC or other vendors directly for more information on privacy and compliance with their scanning equipment. For your other software vendors, please refer to our HIPAA Software Compliance Checklist.

I heard that Google advertises to people based on PHI, is this true?

Yes. Recently the Interim Privacy Commissioner in Canada led an investigation into Google's advertising policies, stating, "Most Canadians consider health information to be extremely sensitive. It is inappropriate for this type of information to be used in online behavioural advertising." For more information on the investigation please visit the recent news article.

How do we communicate with a specialist who we want to refer to without violating HIPAA?

Brightsquid Secure-Mail™ is the HIPAA compliant way to communicate with your specialists. Whether you are sending a patient referral or just following up on a treatment, Brightsquid allows you and your colleagues to safely communicate with specialised tools to facilitate the relationship. These tools include: secure messaging in a HIPAA compliant manner, Image Studio where you can view and manipulate photos including 3d images, dashboards to help you stay updated on treatment and a Treatment Sequencer where you can schedule patient care. For more information on communicating with your colleagues through Brightsquid please contact us.

How does a Secure-Mail™ recipient get a password to decrypt the message?

Your colleague will set up their own password the first time they log onto Brightsquid Secure-Mail™. After your colleague sets up their password they simply have to use it next time they sign into the platform. Once they enter their password, the message will automatically decrypt. This is done to maintain HIPAA compliance; it also has the advantage that you do NOT have to maintain passwords for your colleagues. For more information on Secure-Mail™ please contact us.

Why would I use Secure-Mail™ over another HIPAA compliant service?

There are a number of reasons that set Secure-Mail™ apart from competitors in the market. The first is the commitment Secure-Mail™ has to HIPAA compliance and email security. We would recommend sending our Software Checklist to other vendors to make sure their service is meeting industry standards for HIPAA compliance. There are a number of software providers that state "HIPAA Compliance", but as the Office for Civil Rights (OCR) and U.S. Department of Health & Human Services (HHS) do not endorse or certify any persons or products as "HIPAA compliant", it can be difficult to substantiate this claim. The second advantage Secure-Mail™ has is that it is developed exclusively for the dental community, with large 500MB attachment sizes and image viewers for 3D STL files, DICOM studies and more. When you purchase your Secure-Mail™ account you are also getting a package which includes 5 unique user subscriptions and 25 sponsored/registered accounts that you can provide free to any of your colleagues. For more information on the features and benefits of Secure-Mail™ please contact our office.

Is sending sensitive patient information through e-mail against Canadian law?

In Canada, there are multiple legal regimes that cover privacy. PIPEDA laws govern all information that is collected, whether by an airline, bank or dental office. In addition to that, many provinces have their own legislation that applies additional measures to protect health information, such as Ontario's Personal Health Information Protection Act, 2004 (PHIPA). Further, most provinces also have professional bodies like the Royal College of Dental Surgeons of Ontario (RCDSO) which have very detailed requirements for the protection of patient information. In creating the Secure-Mail™ service, we have considered all of these regulatory bodies and have placed the most stringent requirements within the system. From the RCDSO's document entitled Electronic Records Management, published in March 2012, comes the following excerpt: "The use of e-mail in our society is commonplace. It is a convenient, inexpensive and quick means of communication. However, as a general rule, e-mail is not a secure means of communication, and may be vulnerable to interception and hacking by unauthorized third parties. Accordingly, dentists should avoid using e-mail to communicate the personal health information of patients, unless they are employing a secure email service with strong encryption. The Information and Privacy Commissioner of Ontario (IPC) has advised that even if patients are willing to accept the risk of unauthorized disclosure of their personal health information in exchange for the convenience of communication via email, this does not alleviate health information custodians of their duty to take steps that are reasonable in the circumstances to safeguard personal health information in their custody and control".

Is it a HIPAA violation to tell a patient that another patient also comes to the practice?

Yes, it could be considered a violation. HIPAA requires that you protect the privacy of your patients' health information. You should not discuss your patient with other patients; even simple information such as whether or not someone is a patient could be considered a breach of information. If your patient has signed an agreement to be a reference or provide a testimonial, then it would be okay to let other patients know that they do go to your practice.

What about a no cavities club with pictures on the wall?

We would recommend getting your patient consent to post the pictures. Most patients are happy to provide consent to the use of their photos.

Some people bring in their thumb drives with x-rays. Is this safe?

The same answer applies as for patient CDs and USB drives above: from a HIPAA standpoint there are no rules against putting the drive into your computer, but we would recommend taking precautions, as you could expose your computer to malware or viruses. It is much safer to send the information through a service like Secure-Mail™, which checks each file to ensure that it does not contain viruses or malware, and which saves you from having to send the drive back to the sender or verify that the information was properly copied.

Is a photograph of a patient's teeth only considered PHI when it has no other identifier? Can this data be shared with a lab without violating HIPAA?

Whether or not the picture would be considered identifiable depends on the picture itself, in particular on any markings or unique characteristics in the image. The challenge usually is that without patient identifiers, how would the recipient know who the message refers to? To reduce your liability we would recommend sending the photos using Brightsquid Secure-Mail™. It is also important to send your lab high-resolution photos, which is not always possible using traditional email services. Brightsquid Secure-Mail™ not only provides a HIPAA compliant exchange of information, it also allows you to attach up to 500MB in every message. This way your lab will always receive high quality photos from you, making it easier for your lab to produce the quality your patient desires.

Is the lab a business associate? Do we need to get a business agreement with our lab?

Typically laboratories are considered Covered Entities and not Business Associates. That being said there is nothing wrong with getting your lab to sign a Business Associates Agreement, and most labs are happy to do so. For more information on Business Associate and Covered Entities please visit the US. Department of Health and Human Services website.

Can we share patient information via fax (if not regular email) with an adequate cover letter?

For sending faxes, it all depends on how the fax is handled. Fax machines need to be located in a secure environment where only authorized individuals can see incoming faxes. On August 14, 2013 the U.S. Department of Health and Human Services (HHS) settled a photocopier breach case with a health plan. OCR Director Leon Rodriguez said of the settlement: "This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it's recycled, thrown away or sent back to a leasing agent. HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals' data, and have appropriate safeguards in place to protect this information." For more information on this case, as well as the $1,215,780 fine, please visit the HHS website.

In the NPP, should a regular private practice mention research, even if it doesn't conduct any research and has no plans to do so in the future?

No. If your practice does not conduct any research or plan to conduct any research then there is no reason to include it as part of your Notice of Privacy Practices (NPP). Your NPP should reflect your practice and its policies and be unique to your situation. The NPP that we provide is simply a guideline that was put together from the U. S. Department of Health and Human Services. Use this link to download a copy of the Notice of Privacy Practice.

What about remote access to the software? Is that ok to use?

You can use remote access to reach your patients' Protected Health Information (PHI) while away from your computer. Please note that there are specific requirements regarding automatic log-off and logging. Please check with your provider, such as LogMeIn, for specific information regarding HIPAA. You can also send your vendor a copy of the HIPAA Compliance Software Checklist.

Does my patient have to sign the Notice of Privacy Practices?

According to the U.S. Department of Health and Human Services your practice should "make a good faith effort to obtain the individual’s written acknowledgment of receipt of the notice. If an acknowledgment cannot be obtained, the provider must document his or her efforts to obtain the acknowledgment and the reason why it was not obtained". For more information on the Notice of Privacy Practices please visit the U. S. Department of Health and Human Services' website.

Is UPS / FedEx a business associate?

No. As UPS/FedEx does not have direct access to Protected Health Information (PHI) they are not considered Business Associates. Be sure to keep PHI sealed inside your letters/packages and do not write PHI on postcards or packaging.

What are the HIPAA risks with LightHouse or other reminder companies?

Patient reminders tend to fall under a grey area with privacy laws. The guiding principle is that Protected Health Information (PHI) needs to be protected and not be exposed to people who do not need access to it to provide health care. It should be fine to send out a recall post card, as long as you are not providing more information than is necessary. Please ensure that you have a patient's consent to communicate appointment information with them over email and text, and that you are using the correct address/number when sending messages. Because email addresses and mobile devices can be shared between different users, you must get the patient's consent before you communicate with them. Please be advised that doctors have been charged when PHI was disclosed in a phone message, so do take precautions to limit your exposure. Secure-Mail™ works in conjunction with your patient reminder system, so that you can continue to use your current patient reminder system when communicating appointment reminders to patients, and use Secure-Mail™ to safely send PHI to your colleagues in accordance with HIPAA law. It would also be recommended to get your recall system vendor to sign a Business Associates Agreement and provide them a copy of the HIPAA Compliance Software Checklist. You can access both of these documents on the HIPAA Omnibus Guide page.

What about reminding a patient to take their pre-meds?

It is best not to discuss medication in unsecure communication. If you need to make a note on medication, it is best to be as generic as possible, e.g. "Please be sure to take your medication as recommended."

Is it HIPAA compliant to have a patient's name written in their dentures?

It is HIPAA compliant to include your patient's name in a denture; this is also required in some states. As the denture is typically the property of the patient there is no HIPAA concern with including their name on the device.

Once you post the Notice of Privacy Practices in the office, do you still have to hand over the notice to each patient or only if they ask?

You should provide a copy of the Notice of Privacy Practices (NPP) during your patient's first visit to your practice, as well as providing them with a copy of your NPP when asked. Please be sure your NPP is posted in your office and on your website. We (Brightsquid) have developed a Patient Privacy Brochure that you can make available in your waiting rooms and/or at the front reception desk. Please note that unlike the NPP, the Patient Privacy Brochure is not required by HIPAA and should be used only as a tool to inform your patients of your commitment to their privacy while differentiating your practice (marketing material). To download a copy of the NPP or Patient Privacy Brochure please visit the Omnibus Guide page.

What kind of info can be sent in a postcard?

It is important NOT to include any Protected Health Information (PHI) in postcards; this is also an important principle that applies to any communication that can be easily intercepted, such as unsecure email. PHI includes any information related to your patient's past, present or future health/medical records or payment history, and under HIPAA law the 18 identifiers listed above (under "What is included in Protected Health Information (PHI)?") are considered PHI. For more information please visit the U.S. Department of Health & Human Services.
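A small check a practice could run over an outgoing reminder or note before it leaves by an unsecure channel, written here as an added example (not Brightsquid's code or any part of Secure-Mail™): it searches text for several of the identifier types in the PHI list above and in the earlier "What is included in Protected Health Information (PHI)?" answer, using pattern matching for the structured ones (phone and fax numbers, email addresses, Social Security Numbers, dates, IP addresses, URLs, record and account numbers) and a constructed patient roster for names. The sample messages and roster are constructed for the example; a pattern match is a flag for human review, and unmatched text is not proof that a message is free of PHI (names not on the roster, addresses and free-text descriptions are not caught here).

```python
import re

# Constructed roster of the practice's patients (assumption: the practice
# management system can export such a list). Used only for name matching.
PATIENT_ROSTER = ("Jane Doe", "Jim Smith")

# Patterns for the structured identifier types from the HIPAA list.
# Each is applied independently, so one string may be flagged twice.
IDENTIFIER_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "phone_or_fax": re.compile(
        r"(?<!\d)(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)"),
    # Dates other than a bare year: 12/05/1970, 12-05-70, 2014-03-19
    "date": re.compile(r"\b(?:\d{1,2}[/-]\d{1,2}[/-]\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\b(?:https?://|www\.)\S+", re.I),
    # Medical record, account, member or policy numbers introduced by a label
    "record_or_account_number": re.compile(
        r"\b(?:MRN|chart|account|member ID|policy|claim)\s*"
        r"(?:no\.?|number|#|:)?\s*[A-Z0-9-]{4,}\b", re.I),
}


def scan_for_identifiers(text, roster=PATIENT_ROSTER):
    """Return a list of (category, matched_text) for every identifier found."""
    hits = []
    for name in roster:
        if re.search(r"\b" + re.escape(name) + r"\b", text, re.I):
            hits.append(("name", name))
    for category, pattern in IDENTIFIER_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((category, match.group(0)))
    return hits


def contains_identifiers(text, roster=PATIENT_ROSTER):
    """True if the scanner flags anything; the message then needs review."""
    return bool(scan_for_identifiers(text, roster))


# Constructed sample messages.
REMINDER = ("Hi! This is a reminder that you have an appointment coming up "
            "next week. Call the office to confirm.")
TREATMENT_NOTE = ("Patient Jane Doe (DOB 12/05/1970, MRN 000123) can be reached "
                  "at 555-867-5309 or jane.doe@example.com. SSN on file "
                  "123-45-6789. Insurance member ID ABC987654.")

if __name__ == "__main__":
    for label, msg in (("reminder", REMINDER), ("treatment note", TREATMENT_NOTE)):
        print(label, "->", scan_for_identifiers(msg) or "no identifiers found")
```

The generic reminder produces no hits, while the treatment note is flagged for a roster name, a date, a record number, a phone number, an email address and a Social Security Number. Run it against the text of each outgoing template once, rather than at send time, and keep the roster out of any log the tool writes.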

Is it a HIPAA violation when you submit insurance claims by regular mail vs submitting them electronically?

No. You can still use regular mail (post) when you send Protected Health Information (PHI). When sending files electronically it is best to use Brightsquid Secure-Mail™ to safeguard your patient's PHI. In addition to being HIPAA compliant Secure-Mail™ is also more convenient than regular mail as you can send up to 500MB per email and view the files in our Image Studio. This way you always know that your colleague has received the information and can access it at any time to comment or modify it as needed.

What actions are there to take if you have a HIPAA violation complaint?

The U.S. Department of Health and Human Services offers the following information about Breach Notification Requirements: "Following a breach of unsecured protected health information covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities that a breach has occurred". For more information please visit the U.S. Department of Health & Human Services.

How can I get my computer data encrypted? In terms of encryption, are there special considerations with Mac hardware?

Dr. Lavine has a considerable amount of experience helping dental practices get HIPAA compliant. Please contact him for more information and guidance on proper safeguards within your dental practice.

Are there offices using patient id numbers instead of names when sending images to other doctors or labs?

We have not come across many dental practices that are using patient id numbers. Typically labs prefer to have the patient name as opposed to an id number, but this will vary based on the lab you are using. You can check with your lab to see if they would use a number instead of a patient name. We often see labs use id numbers instead of patient names in their communication with milling centres, but this also might vary depending on the lab.

What about safeguarding Protected Health Information (PHI) in these open concept treatment areas? We have orthodontic clients that have chairs in an open room.

The open concept design is very popular in orthodontic practices. The best way to handle this type of situation is to train your staff on privacy etiquette, e.g. appropriate sound levels when communicating sensitive information. You might also want to look into background music to muffle the sound from the treatment area. We would also recommend having at least one private room that could be used in special situations.

How do you handle a patient who is elderly and hard of hearing?

This would be a perfect situation to use a private room. If your patient is having a hard time hearing you or your staff, try bringing them to a private room where you can discuss their treatment. Your patient might also appreciate this gesture as it might be easier for them to hear without the background noise.

Please talk about forms that patients can sign giving office authorization to talk to another person about their PHI or treatment.

You should have your patient sign a written authorization form for any use or disclosure of Protected Health Information (PHI) not otherwise allowed by the Privacy Rule. The Privacy Rule allows the use and disclosure of PHI for treatment, payment and health care operations; you may still obtain voluntary consent for these activities if you would like. You must get written consent from your patient for specific disclosures such as communicating with your patient in an unsecure manner (regular email), conducting research, fund raising, or marketing products or services to your patients. If you are looking to share your patient's information with other individuals (patient's family, friends etc.), be sure that you have identified who the patient would like the information shared with and their relationship. For more information please visit the U.S. Department of Health and Human Services' website.

Can a paper schedule be hung in the operatory?

Yes, as long as no unauthorized individuals and no patients have access to the area where the schedule is posted. In typical operatories, putting the schedule in a locked drawer would be the best solution. If it is only accessible to authorized individuals, then it is okay. To maintain the security of Protected Health Information (PHI) it is important to restrict access to patient names, including patient schedules.

Can names and addresses be on the outside of charts?

Yes, as long as the charts are stored in a secure manner. Make sure that they are located in a staff only area of your practice and that they are not left unattended in a public area such as a hallway or waiting room. Be sure not to have any special markings or labels on the charts that might expose Protected Health Information (PHI).

If a patient sends us their charting info by email including health history, have they forfeited their privacy rights?

No. Your patient can send you correspondence through email, as is their right to share their health information with you the way they want to. By using email to communicate to you, however, your patient does not consent to nor forfeit their privacy rights. Your patient can sign written consent to allow you to communicate with them through email, but they cannot consent to the use of unsecure email to communicate about their treatment between practitioners.

Please explain encryption and how it relates to paper charts and printed materials.

Encryption does not apply to paper copies of Protected Health Information (PHI), but the same principle does. Just as you encrypt your electronic files to safeguard health information, you must take precautions in how you distribute, store and dispose of paper charts and printed materials within your office. Dr. Lavine has considerable experience helping dental practices become HIPAA compliant; please contact him for more information and guidance on proper safeguards within your dental practice.

I'm a specialist and we regularly send patient info such as radiographs to the general dentist through Dropbox. Does this violate HIPAA?

A radiograph may have Protected Health Information (PHI) burned into the image itself or carried in the metadata attached to the file (a DICOM header, for example, stores the patient's name, ID and birth date alongside the pixels). Even if you cannot see any PHI on the radiograph, that does not mean there is no PHI associated with the image. For that reason we recommend that you always use secure transmission methods. Consumer email and file-sharing accounts such as Gmail, Hotmail or Dropbox, used without a Business Associate Agreement, encryption at rest and an access audit trail, do not meet HIPAA requirements. Please use this software checklist when determining whether your software or email provider is HIPAA compliant. Of course, we would strongly recommend that you use Secure-Mail™ for this type of information sharing.
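To make the metadata point concrete, here is an added example (not part of this FAQ and not Brightsquid's software) that builds a small constructed DICOM file, lists the identifying tags in its header, and blanks them. Only the explicit VR little endian encoding is handled; the patient values, the tag list and the sample pixels are all made up for the demonstration.

```python
"""Scan a DICOM radiograph header for patient-identifying metadata and blank it.

Constructed example: the sample file is built below with invented values; no real
patient data. Only explicit VR little endian is handled, which is enough to show
that the patient's identity lives in the tags, not in the pixels you look at.
"""
import struct

# Identifying tags from the DICOM patient module (group 0x0010); these map onto
# HIPAA Safe Harbor identifiers (name, record number, birth date, address, phone).
IDENTIFYING_TAGS = {
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0010, 0x1040): "PatientAddress",
    (0x0010, 0x2154): "PatientTelephoneNumbers",
}
# VRs whose header carries 2 reserved bytes and a 4-byte length.
LONG_LENGTH_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}
PREAMBLE = b"\x00" * 128 + b"DICM"


def encode_element(group, element, vr, value):
    """Encode one explicit-VR little-endian element (value padded to even length)."""
    if len(value) % 2:
        value += b"\x00" if vr == b"UI" else b" "
    if vr in LONG_LENGTH_VRS:
        header = struct.pack("<HH2sxxI", group, element, vr, len(value))
    else:
        header = struct.pack("<HH2sH", group, element, vr, len(value))
    return header + value


def iter_elements(blob):
    """Yield (group, element, vr, value) for every element after the DICM preamble."""
    if not blob.startswith(PREAMBLE):
        raise ValueError("not a DICOM Part 10 file")
    pos = len(PREAMBLE)
    while pos < len(blob):
        group, element, vr = struct.unpack_from("<HH2s", blob, pos)
        if vr in LONG_LENGTH_VRS:
            length = struct.unpack_from("<I", blob, pos + 8)[0]
            pos += 12
        else:
            length = struct.unpack_from("<H", blob, pos + 6)[0]
            pos += 8
        yield group, element, vr, blob[pos:pos + length]
        pos += length


def find_phi(blob):
    """Return {tag name: value} for non-empty identifying elements in the file."""
    found = {}
    for group, element, _vr, value in iter_elements(blob):
        name = IDENTIFYING_TAGS.get((group, element))
        if name and value.strip(b" \x00"):
            found[name] = value.decode("ascii").strip()
    return found


def anonymize(blob):
    """Rewrite the file with identifying values emptied; pixel data is untouched."""
    out = bytearray(PREAMBLE)
    for group, element, vr, value in iter_elements(blob):
        if (group, element) in IDENTIFYING_TAGS:
            value = b""  # tag stays so viewers still parse the file; identity goes
        out += encode_element(group, element, vr, value)
    return bytes(out)


def build_sample_radiograph():
    """Constructed panoramic x-ray: a few pixels, full identity in the header."""
    pixels = bytes(range(64))
    return PREAMBLE + b"".join([
        encode_element(0x0002, 0x0010, b"UI", b"1.2.840.10008.1.2.1"),  # transfer syntax
        encode_element(0x0008, 0x0060, b"CS", b"PX"),                    # modality
        encode_element(0x0010, 0x0010, b"PN", b"SMITH^JIM"),             # invented patient
        encode_element(0x0010, 0x0020, b"LO", b"DENT-00412"),
        encode_element(0x0010, 0x0030, b"DA", b"19700315"),
        encode_element(0x0010, 0x2154, b"SH", b"403-555-0147"),
        encode_element(0x7FE0, 0x0010, b"OW", pixels),
    ])


if __name__ == "__main__":
    original = build_sample_radiograph()
    print("PHI in header:", find_phi(original))
    print("after anonymize:", find_phi(anonymize(original)))
```

Run against a real export you would use a full DICOM library, but the lesson is the same: the pixels can be blank and the file still names the patient, so a radiograph must travel over a channel that is allowed to carry PHI, or be scrubbed first.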

Is it against HIPAA legislation to use a patient's first and last name when calling them from the lobby to the treatment area?

No. It is not against HIPAA laws to use your patient's name when calling them from the lobby or waiting room to the treatment area, as long as you do not include any further information about your patient's treatment. For example calling for "Jim Smith" is entirely acceptable, whereas calling for "Jim Smith for the HIV test" is not.

If your software is in the cloud do you need a local back-up?

No, provided the vendor actually backs up your data. A well-run cloud service is an excellent way to store and back up Protected Health Information (PHI): it moves the burden of physical theft and disaster recovery of your data from your office to the provider. Note, however, that you must choose your cloud vendor carefully and confirm that the service itself is backed up, encrypts your data, and operates under a Business Associate Agreement. Use this checklist for the questions to ask your vendor to verify that they are HIPAA compliant.

We have old x-ray images, we separate the films from their holders and the x-rays are destroyed by a compliant company but the x-ray holders have the patient name and the date the x-rays were taken. Can we throw those in the trash? They are not a recycle

As the x-ray holders contain Protected Health Information (PHI), namely the patient's name and treatment date, we would not recommend throwing them into the trash. We recommend either removing or destroying the PHI on the holders so that no identifiable information can be read, or breaking up the holders (i.e. shredding) so that the information is no longer identifiable, before disposing of them.

What about using WiFi? Can this be intercepted by others when using an open network?

Yes. On an open (unencrypted) wireless network anyone within radio range can capture the traffic. Protect the clinic network with WPA2 or WPA3 and a strong passphrase, and set up a separate wireless network for patients and staff to use for non-clinical purposes. This is a simple procedure using the router in your practice; you may already have equipment that supports a 'guest' network, and if not, it is quite affordable to purchase. A guest network also lets you offer patients free wireless while they are in your practice. If some of your staff use their own equipment on the private clinic network, we recommend that the laptop be encrypted (full-disk encryption) and kept up to date.

Can I get the software checklist? Is this something that I can use to see if my Email provider is HIPAA compliant?

Yes. The HIPAA Compliance Software Checklist can be used to determine whether your email provider or software provider is HIPAA compliant. Please follow this link to the checklist.

If you load patient information to a web site is that HIPAA compliant?

Possibly. Whenever you are storing Protected Health Information (PHI) on a website you need to make sure that it is served only over HTTPS (TLS), that the stored data is encrypted, and that access to it is restricted and logged. There are additional specific guidelines that HIPAA requires; please use this checklist to make sure that your website is HIPAA compliant.

I write a column on an online magazine that has an 'Ask The Doctor' question. Are their questions an issue?

Potentially. To protect yourself, we recommend the following steps:
  1. Advise patients asking questions to use an alias that does not identify them. If the questions are asked in private, do not use the patient's name or location when you publish the article. This also means that if someone sends you images, you must remove any Protected Health Information (PHI) from the image, including embedded metadata, before publishing.
  2. In addition, be clear in the 'terms and conditions' that the information provided will be used for an article, so that your users consent to its publication.

Is Secure-Mail™ intended to be used for communications with parties such as attorneys?

Certainly. We designed Secure-Mail™ specifically for the dental community, with features built for dental professionals, but we recognized while developing these tools that Secure-Mail™ would also facilitate the secure exchange of information among different professions. A number of our customers use the 500 MB attachments to send large files such as accounting records and legal documents.

If someone has Gmail that has a ceiling storage capacity - would it no longer be applicable if using Secure-Mail™ since it is being used as the 'medium'? For example, cone beam technology can take up so much space.

Yes. When you use Secure-Mail™ you get unlimited storage for all of your large files including x-rays, STL 3d images, DICOM studies and Cone Beam CT scans. These files are backed up and securely stored on the Brightsquid platform and do not get stored or included in your Gmail or email provider. Although notifications are still sent to your Gmail address, these messages are very small and have almost no effect on storage in your Gmail account.

If my office signs up for this software, can we customize the origin of the email address with our business?

When you use Secure-Mail™ to share your sensitive patient files you do not need to change your email address. Secure-Mail™ works with your current email, sending notifications and updates to that address. When sending Secure-Mail™ there are many ways to customize and brand your messages, including logos, clinic information and profile pictures. We would be happy to arrange a demonstration; please contact our office for more information.

How many e-mail addresses can be issued for each office using Secure-Mail™?

With your dentist subscription you get a package that includes accounts for one doctor and four support staff members. Your accounts can be set up so that information sent to one address is delivered to all of them. For more information please visit the plans and pricing page.

Do both sender and recipient have to have Secure-Mail™? Does everyone you send and receive messages with Secure-Mail™ need to have an account?

Your colleague needs a Secure-Mail™ account to receive Secure-Mail™ messages. We require this to maintain HIPAA compliance: having all communication pass through Secure-Mail™ keeps a secure, auditable record of every Protected Health Information (PHI) exchange. With your paid subscription you can give your colleagues free sponsored/registered accounts so they can communicate with you at no cost.

What is the cost for additional contacts on Secure-Mail™?

There are currently over 3,000 dental professionals actively using Secure-Mail™ who you can connect with for free at any time once you join the platform. We also offer you 25 free sponsored/registered accounts that you can offer to your colleagues. If you would like additional registered accounts please contact our office for further pricing.

Can Secure-Mail™ be used from a home computer?

Yes. As a cloud-based platform, Secure-Mail™ can be accessed from anywhere at any time, including on mobile devices. Simply log in to Secure-Mail™ using your preferred web browser, compose your secure message, attach up to 500 MB, and send Protected Health Information (PHI) to your colleagues.

Is there a limit on how many emails you can send a month using Secure-Mail™?

No. There are no limits on the number of messages you can send using Secure-Mail™. Your Secure-Mail™ account also includes unlimited data storage and large 500 MB attachments per message.

If a specialist that does not have Secure-Mail™ or only has a free subscription through my office – and they email info to my office, does it go through Secure-Mail™ because we subscribe or would it just go through our regular email and therefore be non-com

If your specialist uses their free sponsored/registered account to communicate with your clinic, the exchange goes through our Secure-Mail™ service and is HIPAA compliant. Your current email account is not affected, and any communication sent directly through your traditional email would not be HIPAA compliant. Once your specialist signs up for a free or sponsored account through your office, ask them to use the Secure-Mail™ service for any patient-specific messages.

What happens if my lab interacts with a third party service like a Milling Center? Is there any responsibility for my lab to respect these items?

The obligation for doctor-patient confidentiality and compliance starts with your dental practice and the trust you have established with your patient. We recommend getting your dental lab to sign a Business Associate Agreement. When your lab signs this agreement they agree to safeguard Protected Health Information (PHI) as required by HIPAA. In keeping with that, they must adhere to HIPAA when communicating with their milling center, which in turn becomes a subcontractor business associate of the lab and carries the same obligations.

If you need to send a single email to a dentist when a patient moves to a new city, but you have already used all 25 sponsored users, how can you send it to them?

With your dental account you can add unlimited "free" accounts. You would use these accounts for the occasional message such as the one you describe. With a free account their information is entirely secure, but it is only archived for 14 days. You can send messages to any colleague you would like to connect with through Secure-Mail™, whether your colleague has a free, sponsored or full (paid) account. If you are connecting with your sponsor or any colleague with a full (paid) account, all of your communication is archived and stored on the system. If you would like more than 25 sponsored accounts please contact our office.

I don't understand the difference between the 25 sponsor limit and the free email recipients?

Sponsored/registered users are people you select to invite to Brightsquid and provide them a Brightsquid account based on your membership at no cost to them. When you register a user, you are providing them with a subscription to Brightsquid, where all communication between you and your registered user is stored and archived on the system. If the person receiving the email is a free/non-registered user their communication will not be accessible after 14 days.

Is encrypted email sent and accessed through webmail that has SSL connection HIPAA compliant?

Perhaps. SSL/TLS provides encryption in transit, which is just one of the safeguards required for compliance. Encrypting the transmission alone is not enough to comply with HIPAA, HITECH and PIPEDA: the information must also be encrypted where it is stored, access to it must be logged and auditable, and the provider must be willing to sign a Business Associate Agreement. Please use this HIPAA Compliance Software Checklist as a guide when evaluating your email provider.

Is your email system secure from the NSA?

Our servers are not hosted in the United States, so they are outside the reach of U.S. domestic legal process. No hosting location by itself puts a system beyond a national intelligence agency such as the NSA; what protects message contents is encryption in transit and at rest, strict access control, and auditing of who reads what.

Why would I use your system over another HIPAA compliant service?

There are a number of reasons that set Secure-Mail™ apart from other offerings on the market. The first is the commitment Secure-Mail™ has to HIPAA compliance and email security. We recommend sending our Software Checklist to other vendors to make sure their service meets industry standards for HIPAA compliance. Many software providers claim "HIPAA compliance", but because the Office for Civil Rights (OCR) and the U.S. Department of Health & Human Services (HHS) do not endorse or certify any person or product as "HIPAA compliant", the claim can be difficult to substantiate. The second advantage of Secure-Mail™ is that it was developed exclusively for the dental community, with large 500 MB attachments and image viewers for 3D STL files, DICOM studies and more. When you purchase your Secure-Mail™ account you also get a package that includes 5 user subscriptions and 25 sponsored/registered accounts that you can provide free to any of your colleagues. For more information on the features and benefits of Secure-Mail™ please contact our office.

How do the colleague profile pictures work?

After joining the Secure-Mail™ service your colleague simply uploads a picture to their profile which will then automatically appear in any correspondence with them. As Secure-Mail™ is committed to HIPAA compliance and providing our customers with the simplified solutions to compliance, we have introduced a number of unique features to our service. We understand that we all have multiple colleagues with similar email addresses and to reduce errors like sending Protected Health Information (PHI) to the wrong contact, we have introduced profile pictures that appear when sending or receiving messages.

Can you use your current email addresses with Secure-Mail™?

Yes. Secure-Mail™ works with your current email address to send updates and notifications.

Do you offer a free trial?

Yes. We offer a limited free 90 day trial account that you can sign up for directly through our website. Please note that this is a ‘limited’ account and does not include any of the features available in a full Brightsquid account. Sign up for a free trial account.

Does the recipient of an encrypted email need to have the same email server to decrypt the message? or can any email program open the email?

Encryption and decryption rely on a secret key. A recipient who holds the key can read the message; anyone without it sees only scrambled data. Some systems handle this automatically, so that once the key is established the information is encrypted and decrypted without the user's involvement. Secure-Mail™ manages the keys inside our system: once you and your colleague have joined the service you can use it without worrying about the mechanics of encryption and decryption, and the recipient does not need any particular email server or program, only a web browser to log in to Secure-Mail™.

What are the financial benefits of switching to Secure-Mail™?

Secure-Mail™ was specifically developed with a very low price to help dentists become HIPAA compliant in an easy and affordable manner. The price tag can be misleading given the significant benefit of the service: when you purchase a Secure-Mail™ subscription you are protecting your dental practice and managing your security risk. As part of the final rule (Omnibus Rule), the U.S. Department of Health and Human Services raised the maximum penalty for HIPAA violations to $1.5 million per calendar year for violations of an identical provision. The assessed penalty rates were also increased, including:

How many emails can you send per month with Secure-Mail™?

With Secure-Mail™ users can send unlimited messages to colleagues. Included in the subscription is unlimited data storage.

Do registered users have to pay for the Brightsquid?

No, sponsored/registered users are people you select to invite to Brightsquid for free. When you register a user, you are providing them with a subscription to Brightsquid, where all communication between you and your registered user is stored and archived on the system.

Why the name "Brightsquid"?

We chose the name Brightsquid when we were first developing the company. After we had drawn out our vision (an online portal where dentists, specialists and labs could securely share sensitive patient data and collaborate with their colleagues), we noticed that the drawing looked a lot like a squid. The founder of the company, Dr. Deepak Kaura, came from radiology and liked the fact that some squids produce bioluminescence to illuminate dark water. Click here for more information on how we got our name.

Is encryption necessary if no mobile devices are used for PHI only in office computers?

Yes. HIPAA's Security Rule, HITECH and PIPEDA require that electronic PHI be protected whether it is stored (data at rest) or transmitted (data in motion). Encryption is the standard way to meet that requirement, and it matters for breach notification too: a lost or stolen device holding encrypted PHI is not a reportable breach, whereas an unencrypted one is. If you store Protected Health Information (PHI) on an office computer, encrypt it there, even though the machine never leaves the building. PHI includes the patient's name, specific demographic details, and any images that could be used to identify the patient.

Do you need to encrypt data stored on desktop computers?

Possibly. Any Protected Health Information (PHI) stored on a desktop system must be encrypted. PHI includes the patient's name, specific demographic details, and any images that could be used to identify the patient. In a standard client-server setup, however, most data lives on the server and the desktop holds little or no PHI; in that case it is the server that must be encrypted. Before assuming a workstation is clean, check it for cached files, downloads, exported reports and local backups, since these commonly contain PHI.

Is there a problem if a staff member brings in a personal laptop to connect to the internet on our network that is connected to our server with patient info?

Personal devices should not share a network with your practice server. Set up a separate wireless network for patients and staff to use with their own equipment; this is a simple procedure and an affordable router will do it. A guest network also lets you offer patients free wireless while they are in your practice. If staff must use their own equipment on the clinic network, we recommend that the laptop be encrypted and kept up to date.

Are encrypted Word files HIPAA compliant?

Encrypted Word files are acceptable and meet HIPAA's encryption requirement, provided a strong password is used (modern versions of Word encrypt password-protected documents with AES). If you send an encrypted Word file by email, do not put any Protected Health Information (PHI) in the subject or body of the message, and never send the password in the same channel; give it by phone or in person. Also note that for HIPAA compliance you still need to ensure that all your files are backed up and that an auditable log of access to patient information exists.

Is Fax considered HIPAA complaint just like a phone call?

With both fax machines and telephones, it depends on how they are used. Discussing sensitive patient information in a waiting room, or in front of people who do not need access to it, would NOT be HIPAA compliant. Fax machines need to be in a secure location where only authorized individuals can see incoming faxes, and you should confirm the recipient's number before sending, since a misdirected fax is a disclosure.

Would it be sufficient to have an on-site hard drive backup and a portable hard drive that I take home with me every day? Or is online cloud backup required? If have local back up, why do I need the cloud?

A cloud backup is not required. The weakness of a local backup is disaster recovery: after a fire, flood or theft, a backup kept on the premises may be lost along with the originals. The method you describe works as long as the data that leaves the office is encrypted. Whenever you take data out of your office on a thumb drive or any other storage device, make sure it is encrypted.

I back-up nightly to a thumb drive which I then take home. I rotate over 2 thumb drives, the other stays locked in my office desk drawer. Safe?

Possibly. All data on the thumb drives must be encrypted. A large share of reported HIPAA breaches involve lost or stolen portable devices: laptops, phones, tablets, USB drives and so on. Whether lost or stolen, these devices must be protected through encryption, which also means the loss need not be reported as a breach. Our recommendation, of course, is to keep data on a secure cloud-based platform like Brightsquid.

Some thumb drives have a "vault" which needs a password. Would this "vault" be sufficient with HIPAA compliance?

Yes, provided the "vault" actually encrypts the data (hardware or software AES) rather than merely hiding it behind a password prompt, and the password is strong. In that case it should be acceptable for Protected Health Information (PHI). Please check with the manufacturer for specifics on how the device encrypts and whether it has been independently evaluated.

The USA has one lawyer per 264 people, which is the highest in the world. In the future, when we have one lawyer per 10 people, what will Doctors who are trying to make a living and take care of their patients be required to do at that point?

It would be a mistake to consider HIPAA a piece of legislation that exists to make life more difficult for medical professionals. The regulations exist as an extension of doctor-patient confidentiality: if the patient gives you sensitive information, it is your duty to protect it. We can get caught up in the laws, but it comes down to maintaining that confidentiality in the electronic and digital world. Those obligations already exist when medical professionals take their oath.

We use our patient's name when sending information to our lab. Is there a concern with sharing this information through email?

Yes. Your patient's name is Protected Health Information (PHI), and sending it through ordinary, unencrypted email exposes it. Either de-identify the information before sending it by email (refer to the case by a number the lab cannot trace back to the patient rather than by name and birth date) or use a secure channel. If you share PHI through Secure-Mail™ you can include it in your correspondence.
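One way to de-identify a lab order for ordinary email, added here as an example and not part of this FAQ or of any Brightsquid product: the clinic keys each case by an HMAC of its own chart number under a per-clinic secret, sends the lab only the fields it needs, and runs an outgoing check for Safe Harbor identifiers before the message leaves. The clinic secret, the chart entry and the lab field list are assumptions made up for the demonstration.

```python
"""Pseudonymous lab order: reference the case without putting PHI in the e-mail.

Constructed example. The clinic keeps a secret key and can recompute the case
token from its own records; the lab only ever sees the token and the work it
has to do. Identifier handling follows the HIPAA Safe Harbor list (names, dates
other than year, phone numbers, e-mail addresses, record numbers, ...).
"""
import hashlib
import hmac
import re

# Assumption: a random per-clinic secret kept with the practice management
# system, never stored on the mail server or included in any message.
CLINIC_KEY = bytes.fromhex(
    "6c3f0a9e4d1b7f2e8a5c0d3b9e1f4a7c2d6b8e0f1a3c5d7e9b0f2a4c6e8d0b1f"
)

# Fields a lab needs for a crown case (assumed); everything else stays in the chart.
LAB_FIELDS = ("tooth", "restoration", "material", "shade", "turnaround")

# Chart fields that are Safe Harbor identifiers and must not appear in plain e-mail.
IDENTIFIER_FIELDS = ("patient_name", "patient_id", "birth_date", "phone", "email")
# PHI-shaped strings to catch identifiers typed in by hand.
GENERIC_PHI_PATTERNS = {
    "date": re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{2,4})\b"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
}


def case_token(patient_id, key=CLINIC_KEY):
    """Keyed hash of the chart number. The lab cannot reverse it; the clinic
    recomputes it from its own chart to find the patient when work comes back."""
    digest = hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return "CASE-" + digest[:12].upper()


def deidentify_lab_order(chart, key=CLINIC_KEY):
    """Build the e-mail body for the lab: the case token plus allow-listed fields only."""
    lines = [f"Case reference: {case_token(chart['patient_id'], key)}"]
    lines += [f"{field}: {chart[field]}" for field in LAB_FIELDS]
    return "\n".join(lines)


def leaked_identifiers(body, chart):
    """Outgoing check: list chart identifiers or PHI-shaped strings found in the body."""
    findings = []
    for field in IDENTIFIER_FIELDS:
        value = chart.get(field)
        if value and value.lower() in body.lower():
            findings.append(field)
    for kind, pattern in GENERIC_PHI_PATTERNS.items():
        if pattern.search(body):
            findings.append(kind)
    return findings


# Constructed chart entry; no real patient.
SAMPLE_CHART = {
    "patient_name": "Jim Smith",
    "patient_id": "DENT-00412",
    "birth_date": "1970-03-15",
    "phone": "403-555-0147",
    "email": "jim.smith@example.com",
    "tooth": "14",
    "restoration": "full-contour crown",
    "material": "zirconia",
    "shade": "A2",
    "turnaround": "7 business days",
}

if __name__ == "__main__":
    careless = "Crown for Jim Smith (DOB 1970-03-15), tooth 14, shade A2, call 403-555-0147"
    print("careless draft leaks:", leaked_identifiers(careless, SAMPLE_CHART))
    body = deidentify_lab_order(SAMPLE_CHART)
    print(body)
    print("de-identified order leaks:", leaked_identifiers(body, SAMPLE_CHART))
```

The pattern check is a safety net, not the control: the allow-list in `deidentify_lab_order` is what keeps PHI out, and regexes only catch the identifiers someone pastes into a free-text note. The same token approach lets the lab and the milling center talk about the case without either of them holding the patient's identity.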

What about the requirement to send e-prescriptions to pharmacies?

Pharmacies are Covered Entities under HIPAA, and information sent to them should be safeguarded with the same care you would take when transmitting Protected Health Information (PHI) to other Covered Entities such as doctors and colleagues. Do not include PHI, which includes a patient's name or prescription details, in regular emails you send to pharmacies. We recommend using Secure-Mail™ to exchange PHI securely with any Covered Entity, including a pharmacy.

Does the HIPAA manual need updating each year, such as the OSHA manual?

Yes. Anything created before March 23, 2013 is outdated, as the HIPAA Omnibus rules changed many things. In addition, certain items such as the risk analysis need to be updated yearly. Dr. Lavine has many of his clients using a web-based manual, since it keeps things current and prompts the yearly updates.

Can you explain how the recipient responds to the initial email they receive with Secure-Mail™? When sending a patient an email, how does patient open the message?

Sending Secure-Mail™ Messages to Colleagues

Sending Secure-Mail™ messages to Patient

What information does the receiving dentist have to provide to receive the Secure-Mail™ message?

The first time the recipient of a message accesses Secure-Mail™ we ask them to provide some practice details such as their name and address when they set up their account. They will also be prompted to create their own password. We do this to help maintain HIPAA compliance. If a patient is accessing a message they will have to confirm their birth date to make sure the correct individual is accessing the information. This is only required the first time they access their account; on later visits your colleague or patient only has to provide their username and password.

You mentioned different Brightsquid packages for specialists; how can we contact you regarding more information?

Brightsquid has a subscription package designed for dental specialists with a number of specific features to help build and maintain your referrals. Please contact our office for more information as well as a demo highlighting these exciting features.

During the presentation you entered a patient's name in subject box, isn't that a HIPAA violation?

Typically including a patient name in an email message or as part of the subject line does expose Protected Health Information (PHI). That is one of the differences between Secure-Mail™ and your typical email provider. When using Secure-Mail™ you can include the patient's name as part of the content in your subject line and Secure-Mail™ message. The subject line will not be disclosed over regular email, protecting the sensitive health information of your patients.

I heard that Google might advertise based on PHI that is included in emails is this true?

Yes. The Interim Privacy Commissioner of Canada recently led an investigation into Google's advertising practices, stating, "Most Canadians consider health information to be extremely sensitive. It is inappropriate for this type of information to be used in online behavioural advertising." For more information on the investigation please see the recent news article.

How many employees can use the Secure-Mail™ within the practice? Can I have Secure-Mail™ for each of my staff or do I have to buy a subscription for every person? How many different email accounts can you have on secure mail?

With your Dentist subscription package for only $39.99 you will receive 5 internal accounts (1 doctor and 4 support staff). If you need more than 5 accounts or if there is more than one doctor working in your clinic, please contact our office.

Is there a charge for the HIPAA Omnibus guide?

No. There is no charge for the HIPAA Omnibus Guide, we offer this free guide as an extension of our service to you. The HIPAA Omnibus Guide includes:

Use this link to download the documents in the HIPAA Omnibus Guide.

Is there a cost for upgrades to Secure-Mail™ service?

No. We are happy to offer free updates to Secure-Mail™ every six to eight weeks to all of our customers as we release new product improvements.

Do you have a read receipt function?

Not as of today, but it is on our roadmap. We offer free upgrades every six to eight weeks to all of our customers as we release new product improvements. Keep watching!

Can you add a signature or a logo with your message?

Yes, you can add a signature to your Secure-Mail™ messages. This acts as the 'email message' part of Secure-Mail™ and can be edited at any time. We are still working on the ability to add a logo to your messages; a few of our users have found a way to do this, but we are in the process of simplifying the steps and improving the quality of the final image.

Are there any set up fees to get my practice started using Secure-Mail™?

No. There are never any installation fees to use Brightsquid Secure-Mail™. We only charge the monthly fee of $39.99 for the product. For more information on Secure-Mail setup please contact our office.

If I have a referring dentist who wants to send me some information, can they log in to their email account and send me a message without having an initial email to respond to?

Yes. Secure-Mail™ offers full collaboration and two-way communication. Your referring dentists can initiate a message to you and/or respond to a message you send. It works very much like your current email in this way - with an important distinction of HIPAA compliance. For more information on communicating with your referring dentists please contact our office, as we have many additional services offered to dental specialists like yourself.

Will Brightsquid sign a Business Associates Agreement?

Yes. We are happy to sign a Business Associate Agreement (BAA) with your practice when you set up your Brightsquid Secure-Mail™ account. Please contact our office for information on where to send your BAA or if you have any questions about signing up for your account.

Often there are multiple office personnel receiving the mail at the same location depending on day or time. Will they each have a password?

Yes. Each member of your staff should have their own username and password for Secure-Mail™. A unique user ID for every person who accesses PHI is a required part of the HIPAA Security Rule and is an important step in protecting your patients' sensitive information, because it makes the access log attributable to an individual. It also makes for a smooth transition when office staff change: you disable one account rather than changing a shared password.

I was advised that Microsoft 365 Outlook is HIPAA compliant. Can you advise me if that is true?

It will depend on how you use it. Microsoft Office 365 does have tools that help protect your sensitive patient information, please check with Microsoft directly for more information on how they meet HIPAA compliance. We would also recommend having them sign a Business Associates Agreement with your practice. You can also send your vendor a copy of the HIPAA Compliance Software Checklist.

Does your email import our contact list from Outlook? Can you import the email address from other email program?

Yes. You can pull your contacts from other accounts (Gmail, Outlook, etc.) and import them directly into Secure-Mail™. Save time and keep a full contact list in one convenient location.

Is there a limit on the number of emails that are stored and a time limit before emails are purged or deleted?

No. As a paying user there are no limits to the number of emails you can send or a time limit on storage. When we developed Secure-Mail™ we wanted to create a way for doctors to easily and securely communicate, we did not want to limit this experience.

Is it okay to send PHI to the patient un-secure as long as we have informed the patient about the possibility of the email being intercepted? This should fall under the "duty to warn" portion of the HIPAA Omnibus Rule.

Yes, as long as your patient has been informed of the risks of using email to send Protected Health Information (PHI). If you have warned your patient and the patient still asks you to use email, you may follow their request. We recommend getting this request in writing to protect your practice. Please note that your practice remains responsible for the message once it is saved in your email account. If your "sent items" folder syncs to your phone, tablet, laptop or desktop and that device is lost or stolen, you will have to report the loss to Health and Human Services as a breach under HIPAA unless the device was encrypted. If a breach occurs, your practice is still accountable for safeguarding your patient's PHI.

Under the breach notification rules, you will have to provide:

For more information on the breach notification requirements please visit the U.S. Department of Health and Human Services website.

Is this webinar being recorded?

Yes. Please use the video viewer above to watch the recording of the webinar. If you would like copies of the individual slides used during the presentation please contact our office.

Can you list more than one recipient? For example to a doctor and the doctor's schedule coordinator?

Yes. During the presentation we addressed the email to only one contact, but you can send the message to as many contacts (doctors and patients) as you like. Simply enter your contacts' email addresses in the address field and click send.

Is Secure-Mail™ fully accessible on smartphones, iPad, etc?

Yes. Secure-Mail™ has been built with a responsive design and can be viewed on your mobile devices such as smartphones and tablets.

What Practice Management Software programs do you connect with?

We are currently working through all of our Practice Management Software connections to Secure-Mail™. Please contact our office to see if your specific software will connect with Secure-Mail™.

Do you need a Business Associates Agreement with each insurance company that you submit claims or just to the clearinghouse for e-claims?

As both the insurance company and the clearinghouse are considered to be Covered Entities, you do not need to get them to sign a Business Associates Agreement with your practice.

Is this considered PHI? What about reminding a patient about taking a pre-med which the patient asked us to remind them about?

Discussions with your patient about pre-med information would be considered Protected Health Information (PHI). If your patient has specifically asked you to email them reminders of their medication, you can communicate with them over email as long as you explain the risks associated with the exchange prior to the exchange occurring. Please note that your practice is still responsible for the message as it is sent to your patient or saved on your email account. If a breach occurs your practice will still be made accountable to safeguard your patient's PHI.

In regards to appointment reminders, may I send in an email message something to the effect of you are due for your 3 month perio maintenance?

We would recommend that you try to be as generic as possible. Ask yourself if you need to include "perio" in the message; would it be possible just to write "For your continued dental care, see you next Thursday."? The risk associated with including "perio" in the message is up to the discretion of the individual, but it is best to err on the side of caution to protect your practice and your patient.

Do you have a recommendation for an "encrypted email" solution for office to office communications?

Yes. We recommend Brightsquid Secure-Mail™. Brightsquid goes beyond encryption and provides a fully HIPAA compliant platform designed especially for dental professionals. For only $39.99/month you receive:

  • 5 internal accounts (1 doctor + 4 support staff).
  • Secure-Mail™ messaging to protect your practice and maintain confidentiality of health records.
  • Unlimited data storage available from anywhere and at any time.
  • 500 MB Attachments to all Secure-Mail™ messages.
  • "My 25" external accounts for your colleagues.
  • Image Studio where you can view, annotate, manipulate files such as STL (3d), JPEG, PNG and DICOM studies.
  • How much data can I send/store using Secure-Mail™ from Brightsquid?

    Brightsquid Secure-Mail™ is very unique in the amount of information you can send and store. Using Brightsquid Secure-Mail™ you can attach and send 500MB of data to each message. Typically with traditional email, you can only send 5 to 10 MB of data, using Secure-Mail™ you can send 50x more information in a single message. Secure-Mail™ allows you to send all of those high resolution photos or even a full CBCT scan in a single email.

    If we use Secure-Mail™, and the person we send the e-mail to isn't secure, we would not be compliant, right?

    No. When you use Secure-Mail™ from Brightsquid, all Protected Health Information (PHI) stays on our secure platform, so no PHI is released. When you address a Secure-Mail™ message to a user for the first time, they will receive a notification to their regular email address. In the notification there will be a link to the secure information. The first time your colleague uses this link they will provide some practice details and a password to maintain HIPAA compliance. After your colleague has provided their information, they simply have to click on the link to access the secure PHI. For more information, or to see a quick demo on how this works, please contact our office.

    Does the person receiving the email have to be enrolled with Secure-Mail™ to see the photos you are sending them?

    Yes. Your colleague will need to join the network, and this can be done in a number of different ways. We do this to maintain HIPAA compliance.

    Do you have to have an account for each staff member?

    With your dentist subscription you will get 5 accounts (1 doctor and 4 support staff) for your practice. We find that 5 internal accounts meets the needs for most dental practices, but if you need more than 5 accounts, or if there is more than one doctor working in your clinic, please contact our office.

    Do both parties have to pay for this service?

    No. You can use "My 25" colleagues to provide accounts to your colleagues at no cost to them. "My 25" is included in your Dentist subscription to Brightsquid Secure-Mail™ and there is no additional cost for the service. If you need more than 25 colleague accounts please contact our office and we will design a subscription that meets your need and your budget.

    So if my oral surgeon has an account, and he communicates with me do I need to pay for a subscription?

    No. If your Oral Surgeon has an account they can offer you a free account to communicate with their practice. This would be part of the Specialist subscription to Brightsquid. If you would like to communicate with other dental practices, labs or specialists on Brightsquid you may purchase your own subscription to maintain and provide HIPAA compliant communication with these other dental professionals.

    Can you send a Secure-Mail™ message to someone's regular email address? Can the existing practice email address be used with your Secure-Mail™ program?

    Yes. Simply enter your colleagues regular email address into the Secure-Mail™ address bar and click "Send" to send the message to your colleague.

    How many accounts do I get with the Dentists Subscription for 39.99?

    With your Dentist Subscription you get 5 accounts (1 doctor and 4 support staff) for only $39.99/month. We find that 5 internal accounts meets the needs for most dental practices, but if you need more than 5 accounts or if there is more than one doctor working in your clinic, please contact our office.

    What if recipient of an e-mail does not have a Secure-Mail™ account? Does the email recipient have to have a Secure-Mail™ account, or have pre-registered, in order to receive the email securely? Do both parties have to be registered with Secure-Mail™ to

    Yes and no. Yes your Secure-Mail™ recipient will sign up for their own Secure-Mail™ account, but no they do not have to pre-register. For more information please see question 4. If you would like to send a Secure-Mail™ message to a colleague who does NOT have a Secure-Mail™ account simply enter your colleague's regular email address and click "Send". Your colleague will then receive a link in their regular email to the secure information protected on the Brightsquid platform. To maintain HIPAA compliance it is important that our colleague sign up for their own Secure-Mail™ account.

    How many employees can use the Secure-Mail™ within the practice? Can I have Secure-Mail™ for each of my staff or do I have to buy a subscription for every person?

    With your Dentist subscription package for only $39.99 you will receive 5 internal accounts (1 doctor and 4 support staff). If you need more than 5 accounts or if there is more than one doctor working in your clinic, please contact our office.

    Are your employees considered to be part of the 25? Do I have to buy Secure-Mail™ for each of my staff?

    No. With your Dentist subscription package you receive 5 internal accounts (1 doctor and 4 support staff) in addition to the "My 25" colleagues (external accounts).

    How does Secure-Mail™ compare to other email vendors?

    As the Office for Civil Rights (OCR) and U.S. Department of Health & Human Services (HHS) do not endorse or certify any persons or products as "HIPAA compliant" we would recommend sending other vendors our HIPAA Compliance Software Checklist.

    Is there a contract for Secure-Mail™ that is month to month?

    Yes. You can purchase Secure-Mail™ with a month to month subscription for only $39.99/month. This is a very popular way to purchase Secure-Mail™, to get stared with your subscription today please visit the Plans and Pricing page.

    Can you change out the 25 mail recipients? If one of the invitees moves away, can I drop them and change it to another?

    Yes. You can change your "My 25" colleagues whenever you would like. Please contact our office for more information.

    How does the pricing work when a patient wants their records/x-rays sent to another dentist who is not one of our "named" receivers?

    We would recommend that the recipient of the message uses a "Free" account to do this, as opposed to the "My 25" accounts. When you send information to a user with a free account it does not count towards your 25 colleagues. The only difference when communicating with a free account is that communication will not be stored or accessible after 14 days. We find that 14 days is enough time to send a patient's records to another dental office. Also if you want to follow up on the transfer, you can always send them another message. If you would like more information on this example please contact our office.

    I'm an Endodontist, and have more than 25 referrals that I communicate with. What about additional offices?

    As a dental specialist we understand your need for more than 25 colleagues. We have designed a special Brightsquid account for specialists with an unlimited number of colleagues (sponsored accounts); please contact our office for more information.

    I am a specialty office (Orthodontics) & we have 400 local dentists that we could potentially send a letter or images to. What is the cost if we send to hundreds of doctors vs. the 25 you mentioned? If I'm a specialist can I get more than 25 colleagues?

    We have a subscription package designed for dental specialists like yourself. With this subscription you will receive an unlimited number of accounts to offer to your colleagues. Please contact our office for more information on the features available with this subscription.

    If the office you are communicating with already has Secure-Mail™, does it still count against the 25 limit?

    No. When you colleague has already purchased their own account on Brightsquid, they do not count towards your "My 25" colleagues. Currently there are thousands of users on Brightsquid using Secure-Mail™ every day to share Protected Health Information (PHI).

    How can you get your referrals to be compliant? There are some referrals that just started using email.

    To help your referring dentist become HIPAA compliant we would recommend providing them with free accounts sponsored by your practice. With your specialist subscription you will receive an unlimited number of sponsored accounts that you can offer to your dentists. This is a great way to differentiate your practice and provide your referring dentist with a higher level of service. For more information on this and other features available to dental specialists, please contact our office.

    What are possible breaches aside from loss of a notebook/laptop or flash drive or back up drive? What are some examples of a breach? Please send me the details of the Breach Notifications.

    According to the U/S. Department of Health & Human Services a breach is defined as follows: "A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the Protected Health Information (PHI) such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual."

    One of the most common privacy breaches that occur is lost or stolen mobile device, but there are many other situations that could be considered a breach. Other common breaches include: unauthorized access/disclosure of both hard copies and electronic files, hacking (IT incident), and/or improper disposal. For a list of breached affecting 500 or more individuals please visit The US Department of Health and Human Services.

    How does one correct the loss of a computer or back up drive that was lost?

    According to HIPAA law, if there is a breach of unsecure Protected Health Information (PHI), notice must be provided to affected individuals. There are specific requirements for the breach notification, these include: individual notice, media notice, notice to the secretary and notification to a business associate. For more information on breach notifications, please visit the U.S Department of Health and Human Services website on Breach Notification Rules.

    Can you fax the Business Associates Agreement?

    Yes. Be sure to safeguard information when using fax machines. Fax machines need to be located in a secure environment where only authorized individuals can see incoming faxes. We have included a copy of a Business Associates Agreement, in the HIPAA Omnibus Guide.

    Would someone who worked at the front desk as a temp need to sign a BA agreement?

    If the temporary is working with an agency then yes. If the front desk temp has access to Protected Health Information (PHI), then you would need to sign a Business Associates Agreement with the temporary staffing agency. If the temporary worker is independent, then you should ensure that he/she is familiar with your HIPAA practices. For a copy of a Business Associates Agreement please visit the page on the HIPAA Omnibus Guide.

    We are looking into a phone service that is cloud based. Does that have to be HIPAA compliant? Would we need a BA agreement?

    It depends on the relationship and the exchange of information with the phone service. If the phone service has access to Protected Health Information (eg. texting PHI) then yes, we would recommend signing a Business Associates Agreement with the vendor. If they do not have any access to PHI, then you do not need to sign a Business Associates Agreement with them. For a copy of a Business Associates Agreement please visit the HIPAA Omnibus Guide page.

    If we get a hygiene sub from a dental agency, then we need the agency to sign the BA agreement or have the sub hygienist herself sign the agreement?

    If you are working with an agency that is providing hygiene employees, then it would be okay to simply have the agency sign the Business Associates Agreement. Most staffing agencies will be happy to sign a Business Associates Agreement, and will have arrangements set out with all their members. If you have any questions regarding the Business Associates Agreements discuss them with your staffing agency.

    Does an internist require business agreement?

    It will depend on if the intern has access to Protected Health Information (PHI). If your intern has access to PHI, then you should have your intern sign a Business Associates Agreement, or ensure that they have gone through a HIPAA orientation and understand your privacy practices. For an example of a Business Associate Agreement please visit our HIPAA Omnibus Guide page.

    Can I have an example of a Business Associates Agreement?

    Yes. For a copy of a Business Associates Agreement that you can use in your dental practice please visit the HIPAA Omnibus Guide page.

    Do you have to have business associate agreements with other dental offices?

    No. Typically you are sharing information with another Covered Entity by HIPAA to deliver patient treatment. In that case no Business Associates Agreement is required.

    Could a temporary hygienist who temps with the same dentist off and on, sign a BA with a beginning and ending date such as January 1, 2014 through December 31, 2014?

    Yes. A temporary hygienist should sign a Business Associates Agreement. Most agreements do have a term date that will need to be filled out, and will work perfectly for your temporary staff. For a copy of a Business Associates Agreement please visit our HIPAA Omnibus Guide page.

    If you have individuals who are "job shadowing", does the individual need to sign BA?

    Yes. If the individual has access to Protected Health information (PHI), we would recommend having them sign a Business Associates Agreement. Alternatively, you could ensure that the individual is has gone through a HIPAA orientation and understands your privacy practices.

    Is a clearing house considered to be a Business Associate? Is my insurance clearinghouse a BA?

    No. A clearing house is typically considered a Covered Entity through HIPAA and not considered a Business Associate.

    Is an IT services firm considered a BA?

    It depends on the relationship with the IT service firm. If the IT service has access to Protected Health information (PHI) than yes, you would need a signed Business Associates Agreement with the firm. For a copy of a Business Associates Agreement please visit the HIPAA Omnibus Guide page.

    Do you have a sample BA agreement?

    Yes. Please visit our HIPAA Omnibus Guide page for a copy of a Business Associates Agreement.

    Is a supply company sales representative required to sign BA agreement?

    It would depend on the relationship with the sales representative. If the sales representative has access to Protected Health Information (PHI) then yes, they would need to sign a Business Associates Agreement. This might occur if the sales representative consults on a patient's treatment and/or the tools involved. In the standard relationship with a sales representative, with no access to Protected Health Information (PHI), you would not need a signed Business Associate Agreement with them.

    My Invisalign represented reviews my patient cases from outside my office and makes comments to me through emails, would they need to sign a Business Associates Agreement?

    Yes. If your Invisalign representative has access to Protected Health information (PHI), such as reviewing patient cases, which is very common with an Invisalign representative, you would need to sign a Business Associate Agreement with them.

    How do we know if our clearinghouse, where we send our e-claims, has been 2013 HIPAA compliant? Is there specific certification?

    We would recommend contacting your clearing house to see what they have done to be HIPAA compliant. According to the U.S. Department of Health and Human Services (HHS) there are no specific certification that are recognized by the HHS, "It is important to note that HHS does not endorse or otherwise recognize private organizations' "certifications" regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a "certification" by an external organization does not preclude HHS from subsequently finding a security violation".

    Should patients be given a new Notice of Privacy Practices, even though one was signed before the Omnibus?

    Yes. The Notice of Privacy Practices (NPP) must be amended with the Omnibus Rules as discussed during the webinar. Doctors will have to post the updated NPP, and make copies available to all new patients and anyone who requests copy. It is also recommended that you post the updated NPP on your website if you maintain one. For a template of a current NPP from the U.S. Department of Health and Human Services please visit our HIPAA Omnibus Guide page.

    The link to the web site www.hhs.gov/hipaa does not seem to be working; it is stating page not found. What is the correct address for this information?

    The correct address for information on the Notice of Privacy Practices from the U.S. Department of Health and Human Services is: http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html.

    Where can I find the NPP to post in my office?

    We are including a copy of a Notice of Privacy Practices as part of the Omnibus guide. This guide was created by the US Department of Health and Human Services. For a copy of this guide, please visit the HIPAA Omnibus Guide page.

    Can we mail out recall postcards? What if we use a confirmation system that sends emails and texts, is this an issue?

    Recall information tends to fall under a grey area with privacy laws. The guiding principal is that Protected Health Information (PHI) needs to be protected and not be exposed to people who do not need access to it to provide health care. It should be fine to send out a recall post card, as long as you are not providing more information than is necessary. Please ensure that you have a patient's consent to communicate appointment information with them over email and text, and are using the correct address/number when sending messages. Because email addresses and mobile devices can be shared between different users, you must get the patient's consent before you communicate with them. Please be advised that doctors have been charged when PHI was disclosed on a phone message, so do take precautions to limit your exposure. The way Secure-Mail™ works is that you can continue to use your current recall systems when communicating appointment reminders with patients, and use Secure-Mail™ to safely send PHI to your colleagues in accordance with HIPAA law. It would also be recommended to get your recall system to sign a Business Associates Agreement and provide them a copy of the HIPAA Compliance Software Checklist. You can access both of these documents on the HIPAA Omnibus Guide page.

    What if a patient comments that patient post via email through systems like Smile Reminder. Is it okay for us to post these on our website? Smile Reminder said it is okay but I am nervous?

    We would recommend getting your patient's permission before posting any comments on your website. Most patients are happy to provide consent, and are often flattered at the request.

    Does marketing include appointment reminders?

    Marketing communication, as discussed in the webinar and addressed by the new omnibus rules do not specifically deal with appointment reminders. The only change the omnibus rules do state that the Notice of Privacy Practices (NPP) no longer have to include a statement that a covered entity will provide appointment reminders. Please be careful when sending out patient reminders not to include Protected Health Information (PHI) and are not providing more information than is necessary. Please ensure that you have a patient's consent to communicate appointment information with them over email and text, and are using the correct address/number when sending messages. Because email addresses and mobile devices can be shared between different users, you must get the patient's consent before you communicate with them. Please be advised that doctors have been charged when PHI was disclosed on a phone message, so do take precautions to limit your exposure. It would also be recommended to get your recall system to sign a Business Associates Agreement and provide them a copy of the HIPAA Compliance Software Checklist. You can access both of these documents on the HIPAA Omnibus Guide page.

    Patients can request an appointment through our website - it comes through email to our office, is that a problem?

    It will depend on the type of information sent. If the message being sent contains Protected Health Information (PHI) then it is important that there are safeguards in place to protect it. You need to ensure that all systems that you use comply with the HIPAA requirements. We would recommend sending a copy of the HIPAA Compliance Software Checklist to your website and email provider to make sure they are protecting your patient's information as well as getting your vendors to sign a Business Associate Agreement. You can access both of these documents on the HIPAA Omnibus Guide page.

    What about texting? What if we use a confirmation system that sends emails and texts. Is this an issue? Is text messaging a breach?

    Text messaging can result in a breach of Protected Health Information (PHI). Please use caution whenever texting PHI. Recall information tends to fall under a grey area with privacy laws. The guiding principal is that Protected Health Information (PHI) needs to be protected and not be exposed to people who do not need access to it to provide health care. It should be fine to send out recall information, as long as you are not providing more information than is necessary. Please ensure that you have a patient's consent to communicate appointment information with them over text, and are using the correct number when sending the messages. Because mobile devices can be shared between different users, you must get the patient's consent before you communicate with them. Please be advised that doctors have been charged when PHI was disclosed on a phone message, so do take precautions to limit your exposure. The way Secure-Mail™ works is that you can continue to use your current recall systems when communicating appointment reminders with patients, and use Secure-Mail™ to safely send PHI to your colleagues in accordance with HIPAA law. It would also be recommended to get your recall system to sign a Business Associates Agreement and provide them a copy of the HIPAA Compliance Software Checklist. You can access both of these documents on the HIPAA Omnibus Guide page.

    Do you have to have permission from the patient to market through email?

    Yes. The new Omnibus rules further limit marketing communications with your patients without written authorization. You must ensure that the patient has given you their consent specifically to receive marketing emails from your practice. Be sure not to send Protected Health Information (PHI) through unencrypted emails and be advised that doctors have been charged when PHI was disclosed on a phone message, so do take precautions to limit your exposure. It would also be recommended to get your email vendor to sign a Business Associates Agreement and provide them a copy of the HIPAA Compliance Software Checklist. You can access both of these documents on the HIPAA Omnibus Guide page.

    What if the patient writes on their own Postcard things like "bring in your night guide?

    We are unsure of the exact scenario, but if a patient writes on a postcard and sends it in the mail, it is their right as the information belongs to them.

    So, no appointment reminders to patients who have provided email addresses, because theirs is not encrypted?

    Not exactly, appointment reminders tend to fall under a grey area with privacy laws. The guiding principal is that Protected Health Information (PHI) needs to be protected and not be exposed to people who do not need access to it to provide health care. It should be fine to send out an appointment reminder, as long as you are not providing more information than is necessary. Please ensure that you have a patient's consent to communicate appointment information with them over email and text, and are using the correct address/number when sending messages. Because email addresses and mobile devices can be shared between different users, you must get the patient's consent before you communicate with them. Please be advised that doctors have been charged when PHI was disclosed on a phone message, so do take precautions to limit your exposure. You can continue to use your current recall systems when communicating appointment reminders with patients, and use Secure-Mail™ to safely send PHI to your colleagues in accordance with HIPAA law. It would also be recommended to get your recall system to sign a Business Associates Agreement and provide them a copy of the HIPAA Compliance Software Checklist. You can access both of these documents on the HIPAA Omnibus Guide page.

    What about before and after pictures on our website?

    We would recommend getting your patient consent to post the pictures. Most patients are happy to provide consent to the use of their photos and are often flattered by the request.

    Please send information regarding the marketing communication and omnibus rule changes.

    For more information the Omnibus rules on marketing communication please visit the US Department of Health and Human Services.

    I Didn't hear much information about this from the ADA?

    The American Dental Association does have their own HIPAA Omnibus kit available for dentists for download at $300 for members. For more information please visit their website.

    How many single dentist offices have been fined for HIPAA violations in the US?

    For list of recent HIPAA fines please visit the page HIPAA/PIPEDA Enforcement HIPAA/PIPEDA Enforcement. There have also been a number of different dental practices who have experience a breach involving more than 500 individuals, for a list of breached affecting 500 or more individuals, please visit The US Department of Health and Human Services.

    Under the new HIPAA Omnibus rules, is it mandatory to send emails encrypted or just recommended?

    The HIPAA Omnibus laws do allow doctors to email to patients through unencrypted manner as long as the patient signs consent and understands the risks involved when emailing Protected Health Information (PHI). It is recommended that emails containing PHI are encrypted to eliminate the risk of a breach and the subsequent effect to the patient's privacy, fines and reputational damage. When communicating with other dental professionals, we would recommend using Brightsquid Secure-Mail™. Secure-Mail™ offers dental practices a secure exchange of PHI in a HIPAA compliant environment. For more information on the features and pricing available for your dental practice please visit the Brightsquid for Dental Clinics page.

    Phone calls leaving messages to remind the patient can be left, as long as treatment is not described. Or, is that no, because you would be indicating the patient's name on the message machine? For dental maintenance or hygiene appointments?

    Leaving messages on patient procedures should be done with caution. Please be advised that doctors have been charged when PHI was disclosed on a phone message, so do take precautions to limit your exposure. For more information on leaving phone messages please visit the US Department of Health and Human Services.

    Does our release for records form need to state the advised risk and form of transmission?

    Yes. HIPAA makes it clear that before you can use unsecure email to communicate patient information you must advise your patients of the risks involved with unsecure email. We would only recommend this for communicating with patients. To communicate with colleagues, we recommend using a HIPAA compliant system, such as Secure-Mail™.

    What about communication with insurance companies?

    There are specific guidelines around insurance providers, for more information on sharing patient information with insurance companies please visit the US Department of Health and Human Services.

    How do I know if my e-mail service provides encryption?

    Most email providers do not provide encryption. We would recommend sending your email vendor a copy of the HIPAA Compliance Software Checklist and getting them to sign a Business Associates agreement. Encryption alone is not enough to be considered HIPAA compliant, be sure that your provider is offering auditability, automatic log off and unique user access. Secure-Mail™ offers dental practices a secure exchange of Protected Health Information (PHI) in a HIPAA compliant environment. For more information on the features and pricing available for your dental please visit Brightsquid for Dental Clinics.

    How do I get the HIPAA Omnibus guide?

    To get a copy of the Omnibus Guide and download the materials available please visit the HIPAA Omnibus Guide page.

    Do you have a list of recent fines?

    Yes. For more information please visit our page HIPAA and PIPDA Enforcement.

    What is the HIPA Omnibus compliance date again?

    The HIPAA omnibus final rules went into effect March 26, 2013 with compliance required by September 23, 2013.

    Can an IT person make Outlook encrypted?

    It might be possible for your IT person to encrypt Outlook; be sure that they are encrypting information both as it is stored and while it is in transit. That being said, encryption alone is not enough to be HIPAA compliant. HIPAA looks for a number of different criteria, including encryption, auditability, unique user access and more; please visit our HIPAA Compliance Software Checklist.

    I transmit no PHI by any electronic means - only by First Class US mail. Up to now, I am not deemed to be a covered entity. Has that changed?

    According to the US Department of Health and Human Services, a covered entity is a "Health care providers who transmit any health information electronically in connection with certain transactions, health plans, or health care clearinghouses". The definition of a covered entity has not changed with the recent HIPAA Omnibus rules. Most health care providers are considered Covered Entities, as "electronic exchange" includes: health care claims or equivalent encounter information, health care payment and remittance advice, coordination of benefits, health care claim status, enrollment or disenrollment in a health plan, eligibility for a health plan, health plan premium payments, and referral certification and authorization. If your practice does not exchange any of this type of information electronically, then no, you would not be considered a Covered Entity.

    When a patient calls in to schedule an appointment, what identifying info can I request without violating HIPAA?

    During an in-person meeting or over a phone conversation it is okay to discuss Protected Health Information (PHI), such as a patient's name, age, demographic or treatment information. Do take precautions not to share this information with people who should not have access to it, for example in a waiting room or other public area.

    I want to make sure that it is okay to send PHI to a patient through email if the patient signs the waiver?

    If your patient signs a consent form that advises them of the risks associated with using email and states that they would like Protected Health Information (PHI) sent to them through email, then you can follow their request and email PHI to them.

    How do the new rules protect patient information? For example, now we cannot discuss appointments or anything about patients with spouses. What if we send an email to a wife and the husband has access to the email? How is this affected and how are we protected what d

    It is important to have your patient sign a consent form. In this form the patient can provide their preferred method of contact. If they have provided consent to use an email address that is shared with their spouse, then it is fine to use. Please be sure that your consent form includes the risks involved with unencrypted email and that your patient is aware of the risk before emailing them Protected Health Information (PHI).

    Where can I get a copy of the HIPAA Omnibus Guide?

    To get a copy of the Omnibus Guide and download the materials available please visit the HIPAA Omnibus Guide page.

    Are there random HIPAA inspections of offices occurring?

    There are random HIPAA audits of medical and dental practices, but the majority of HIPAA investigations are started by an upset patient. All it takes is for one patient to complain to start an investigation into your practice. If a breach of Protected Health Information (PHI) occurs, it will also be very damaging for your dental practice and to the privacy of your patients' records. It is important to safeguard PHI to protect your patients and your practice in today's digital age. In addition, most PHI breaches relate to loss or theft of data.

    How do you know if a provider's email is encrypted or not?

    We would recommend contacting your provider. You can send them a copy of the HIPAA Compliance Software Checklist and be sure to get them to sign a Business Associates Agreement with your practice. You can access both of these documents on the HIPAA Omnibus Guide page.

    Does my practice need to have a written log of possible HIPAA discrepancies & our solutions?

    Yes. You need to keep a written log. One of the most common HIPAA concerns is complacency and lack of care. As HIPAA has a number of different requirements and recommendations, having a list of possible discrepancies and their solutions is an excellent resource.

    When sending the e-PHI that the patient requested, how do you send it? Via encrypted email or just regular email?

    It will depend on how the patient has requested the information. The patient has the right to request the information through unencrypted email if they are aware of the risk and have signed a consent form requesting the information through regular email.

    Do you have any reseller or affiliate programs?

    We have a number of different partnerships throughout the dental industry. Please contact our office for more information.

    After completing a risk assessment checklist, what do you have to do next?

    Once you have completed the HIPAA Compliance Checklist, you will need to address the areas of the checklist that your practice did not do well on. We would recommend assigning a project manager within your practice to manage the steps required. We would also recommend using Brightsquid Secure-Mail™ to safeguard Protected Health Information (PHI) that you share outside of your practice. You will need to update your Notice of Practice Policies and Business Associates Agreement; please visit our HIPAA Omnibus Guide page to download templates for your practice. For more information on your next steps, please watch our recent webinar "Your First 3 Steps to Get Your Dental Practice HIPAA Compliant".

    What about information that comes through a portal from a company to you? Email of a cone beam scan from a center where the scan is taken.

    The information stored and shared needs to be encrypted. Please check with your provider; we would recommend giving them a copy of the HIPAA Compliance Software Checklist and a Business Associates Agreement.

    If I send digital images to a lab or dental office, does it require a special notice about privacy attachment?

    Whenever you are sharing Protected Health Information (such as an image of a patient's face), it is important that the information is safeguarded. These safeguards include auditability of who has had access to the information, encryption to secure the information, and a number of other security protocols. The best way to share PHI is using Secure-Mail™ from Brightsquid. Secure-Mail™ has been specially designed as a HIPAA compliant way for dental professionals to exchange sensitive health information. Not only is Secure-Mail™ compliant; it also allows users to send and attach up to 500MB per message (attach all your high resolution images in one message) and to view images in the Brightsquid Image Studio, where you can annotate and manipulate them.

    Can charts be filed behind a front desk? The names on the files are not readable where patients stand.

    Yes, as long as no one can access the Protected Health Information (PHI) from behind the desk and access is restricted. We would also recommend not having marks and/or labels visible on the files that would release any PHI to unauthorized individuals.

    NY State will require e-scripts how will they be secure?

    We don't have any specific information about the NY State e-script initiative. We recognize that the information stored and shared needs to be encrypted. Please check with your provider; we would recommend giving them a copy of the HIPAA Compliance Software Checklist as well as signing a Business Associates Agreement with the vendor providing your e-scripts.

    Can we post daily schedules with names and phone number in an operating room?

    Yes, as long as no unauthorized individuals and no patients have access to the area where the schedule is posted. If it is only accessible to authorized individuals, then it is okay. We would recommend keeping an "Authorized Access" logbook. To maintain the security of Protected Health Information (PHI), it is important to restrict access to it.

    Do you have an offer for Educational Institutions?

    Yes. Please contact our office for more information on Brightsquid for Educational Institutions.

    Please define Covered Entity?

    According to the U.S. Department of Health and Human Services (HHS) a Covered Entity is considered to be one of the following:

    For more information on Covered Entities please visit the U.S. Department of Health and Human Services' website.

    Do you need written patient consent to use Brightsquid to correspond with colleagues regarding PHI?

    No. When you use Brightsquid Secure-Mail™ you do not need to get written consent to correspond with your colleagues. Secure-Mail™ has been designed as a HIPAA compliant way for dental professionals to communicate with patients, dentists, specialists and labs. As Secure-Mail™ safeguards your patients' Protected Health Information (PHI), there is no risk to the security of your patients' information, and its use is therefore allowed by the HIPAA privacy rules.

    What if someone other than the patient clicks on the Secure-Mail™ link and accesses the patient's PHI?

    Brightsquid Secure-Mail™ is designed so that only the individual who was sent the message can access the Protected Health Information (PHI). The first time your patient clicks the Secure-Mail™ link in their traditional email they will need to provide their date of birth to confirm their identity. The next time they access Secure-Mail™ their account will be protected by a secure password that the patient creates on their first visit.

    Is the sender liable if the recipient failed to secure their email account?

    No. If you are sending Protected Health Information (PHI) in a secure and HIPAA compliant manner, you will not be liable for the receiver's security standards. We would recommend using Brightsquid Secure-Mail™ to protect your patients' PHI while giving your colleagues and patients a secure way to receive the information. With your $39.99 Secure-Mail™ subscription you can provide your colleagues and patients with their own Secure-Mail™ accounts; please contact our office for more information.

    What Practice Management Software does Brightsquid Secure-Mail™ connect with?

    Please contact our office directly to discuss the Brightsquid Secure-Mail™ connection with your specific Practice Management Software.

    We currently have an email service (not Brightsquid) but some offices tell us they can't open the emails. Go Daddy offices especially. Do you ever run into this where some offices can't open emails from your service?

    No. We have never had a customer who could not open a Secure-Mail™ message. As of March 2014, Brightsquid Secure-Mail™ has over 3,200 users in 11 countries with VERY few support calls.

    Please review the security of attachments with Secure-Mail™?

    All attachments, files or information stored on Brightsquid Secure-Mail™ are safeguarded and stored in a HIPAA compliant manner. Brightsquid is committed to helping our customers comply with privacy and security regulations set forth in the Health Insurance Portability and Accountability Act (HIPAA), Personal Information Protection and Electronic Documents Act (PIPEDA) and The Health Information Technology for Economic and Clinical Health (HITECH) Act. We are proud to meet, and in most cases exceed, the security standards requirements. Our methods of controlled user access, high end data encryption, documented activity logs and the use of secure, dedicated servers are just a few of the many ways we protect the integrity of your patients' health-related information stored on our system.

    How many email addresses are provided for $39.99?

    With your dentist subscription you will get 5 accounts (1 doctor and 4 support staff) for your practice. We find that 5 internal accounts meet the needs of most dental practices, but if you need more than 5 accounts, or if there is more than one doctor working in your clinic, please contact our office and we can help you set this up.

    How do you become a subscriber to Secure-Mail™?

    Simply click "Sign Up" on the top right hand corner of this site and select the type of subscription you would like to purchase (monthly or yearly). After you provide your credit card information you will be contacted by a member of our team who will provide your account information and help you get started using the system. If you have any questions, please contact our office.

    How is Secure-Mail™ so secure?

    Brightsquid is committed to helping our customers comply with privacy and security regulations set forth in the Health Insurance Portability and Accountability Act (HIPAA), Personal Information Protection and Electronic Documents Act (PIPEDA) and The Health Information Technology for Economic and Clinical Health (HITECH) Act. We are proud to meet, and in most cases exceed, the security standards requirements. Our methods of controlled user access, high end data encryption, documented activity logs and the use of secure, dedicated servers are just a few of the many ways we protect the integrity of your patients' health-related information stored on our system.

    What if you don't have a practice management system but are very interested in using Secure-Mail?

    You do not need to be using any Practice Management Software (PMS) to use Brightsquid Secure-Mail™. Brightsquid is a web-based communication platform that you can access using your favorite web browser, such as Chrome, Firefox or Internet Explorer. Our Secure-Mail™ service is also designed to work with your mobile phone or tablet. As of May 2014, Brightsquid is also introducing a desktop application from which you can launch Secure-Mail™ directly from your desktop or within your PMS; the choice is up to you.

    Are we liable for all the patients whose information was sent to us unencrypted from our referring office if our computer was stolen from our office?

    Yes. You are responsible for safeguarding information stored by your practice. If you use Brightsquid Secure-Mail™, we safeguard and protect all information stored on our platform, including any information that your colleagues send to you through Secure-Mail™. For more information on data encryption and storage please contact our office.

    Is there an installation fee for Secure-Mail™?

    No. There are never any installation fees to use Brightsquid Secure-Mail™. We only charge the monthly fee of $39.99 for the product. For more information on Secure-Mail™ setup please contact our office.

    Do you have to pay for the Patient Privacy Materials?

    No. There is no charge for the Patient Privacy Materials; we offer these materials as an extension of our service to you. The Patient Privacy Materials include:

    Use this link to download the HIPAA Patient Privacy Materials.

    What is a Notice of Privacy Practices?

    Your practice is required to develop and distribute a notice that provides a clear, user-friendly explanation of patients' privacy rights and the practice's privacy practices. Doctors must post the Notice of Privacy Practices (NPP) and make copies available at their office to all new patients and to anyone else on request. Doctors who maintain a website are cautioned to post the updated NPP on their website, as required by the existing HIPAA Privacy Rule. For more information please visit the U.S. Department of Health and Human Services' website.

    What is HIPAA?

    The Health Insurance Portability and Accountability Act of 1996 was enacted by the United States Congress and signed by President Bill Clinton in 1996. The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; the HIPAA Breach Notification Rule, which requires covered entities and business associates to provide notification following a breach of unsecured protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety. For more information please visit the U.S. Department of Health and Human Services' website.