Webinar: Send HIPAA Compliant Emails from Your Practice Management Software
It has never been easier to send HIPAA compliant messages. Join the webinar on February 25, 2014 to learn how to use your Practice Management Software to securely communicate with your patients, dentists, specialists and labs.
During the webinar, Dr. Lorne Lavine and Mr. Rohit Joshi, LL.B will provide the HIPAA compliant tools and guidance you need for your dental practice.
Included in the Webinar:
- HIPAA Omnibus Guidelines
- Practice Management Connection
- Sending Emails and Referrals to Colleagues
- Securely Communicating with Your Patients
To learn how to get your free CE credits please call 1-800-238-6503 or submit our contact form.
Subscribe to Brightsquid Today!
Sign up to Brightsquid and start using Secure-Mail for secure messaging with specialists, dentists and labs.
HIPAA Omnibus Guidelines
The HIPAA Omnibus rules provided further legislation on privacy, security and breach notification policies, including:
- Copies of e-PHI
- Emailing PHI
- Breach Notifications
- Marketing Communications
- Disclosures to Health Plans
- Sales of PHI
- Childhood immunizations
- Charging for Copies of e-PHI or PHI
- Research Authorizations
- Business Associates
Why Email is NOT HIPAA Compliant
- Even if your computer is secure, your message passes through dozens of unknown servers en route to its destination
- These "middle-man" servers make up the backbone of the email system, but are not secure and therefore not compliant
- Dentists have a duty to take precautions to safeguard private patient data
Secure Communication with Your Patients
- PHI in appointment reminders
- Treatment follow-up information
- Patient referrals and treatment records
- Images and x-rays
- Treatment consultations
- Prescription information
- Payment information
Secure Communication with Your Colleagues
- Patient referrals
- Lab requisitions
- Images and x-rays
- Patient treatment consultations
- Patient allergies and prescriptions
- Radiology consultations
- Patient record transfers
Please define Covered Entity?
According to the U.S. Department of Health and Human Services (HHS) a Covered Entity is considered to be one of the following:
- Health Care Provider - This includes providers such as: doctors, clinics, psychologists, dentists, chiropractors, nursing homes and pharmacies. Please note that healthcare providers are considered Covered Entities if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.
- Health Plan - This includes: health insurance companies, HMOs, company health plans and government programs that pay for health care, such as Medicare, Medicaid and the military or veteran's health care programs.
- Health Care Clearinghouse - This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
For more information on Covered Entities please visit the U.S. Department of Health and Human Services website.
What about the requirement to send e-prescriptions to pharmacies?
Pharmacies are considered Covered Entities according to HIPAA legislation, and information sent to them should be safeguarded with the same care you would take in transmitting Protected Health Information (PHI) to other Covered Entities such as doctors and colleagues. Be sure that you are not including any PHI in regular emails you send to pharmacies which would include a patient's name or prescription information. We would recommend using Secure-Mail™ to facilitate the secure exchange of PHI to any Covered Entity including a pharmacy.
Does the HIPAA manual need updating each year, such as the OSHA manual?
Yes. Anything that was created before March 23 of 2013 is outdated as the HIPAA Omnibus rules changed many things. In addition there are certain items that you need to update yearly, such as a risk analysis. Dr. Lavine has many of his clients using a web-based manual since it would keep things current and needs yearly updates.
Can you explain how the recipient responds to the initial email they receive with Secure-Mail? When sending a patient an email, how does the patient open the message?
Sending Secure-Mail Messages to Colleagues
- When you send a message using Secure-Mail™ your colleague will receive a notification in their regular email inbox (the email address that you addressed the message to in Secure-Mail™).
- When your colleague opens the email they will receive the information you included in the 'Email Message' section of Secure-Mail™ along with a link to the 'Secure-Mail™ Message' and attachments. Once your colleague clicks on the link they will be taken to the Secure-Mail™ message and any attachments you included in the correspondence.
- If it is your colleague's first time using Secure-Mail™ they will be prompted to enter their practice information and to set up a password. Your colleague will only have to provide their practice information the first time they access Secure-Mail™; we do this to help maintain HIPAA compliance.
- Now that your colleague has set up their Secure-Mail™ account, they will only have to click the link and provide their password to get access to any further messages you send to them.
Sending Secure-Mail Messages to Patients
- When you send a message using Secure-Mail™ your patient will receive a notification in their regular email inbox (the email address that you addressed the message to in Secure-Mail™).
- When your patient opens the email they will receive the information you included in the 'Email Message' section of Secure-Mail™ along with a link to the 'Secure-Mail™ Message' and attachments. Once your patient clicks on the link they will be taken to the Secure-Mail™ message and any attachments you included in the correspondence.
- If it is your patient's first time using Secure-Mail™ they will be prompted to provide their birthdate to confirm their identity and to set up a password. Your patient will only have to provide this information the first time they access Secure-Mail™; we do this to help maintain HIPAA compliance.
- Now that your patient has set up their Secure-Mail™ account, they will only have to click the link and provide their password to get access to any further messages you send to them.
What information does the receiving dentist have to provide to receive the Secure-Mail message?
The first time the recipient of the message accesses Secure-Mail™ we request that they provide some practice details such as their name and address when they set up their account. They will also be prompted to create their own password. We do this to help maintain HIPAA compliance. If it is a patient who is accessing a message they will have to confirm their birth date to make sure they are the correct individual accessing the information. This is only required the first time they access their account. The next time your colleague/patient accesses Secure-Mail™ they will only have to provide their username and password.
You mentioned different Brightsquid packages for specialists; how can we contact you regarding more information?
Brightsquid has a subscription package designed for dental specialists with a number of specific features to help build and maintain your referrals. Please contact our office for more information as well as a demo highlighting these exciting features.
During the presentation you entered a patient's name in subject box, isn't that a HIPAA violation?
Typically including a patient name in an email message or as part of the subject line does expose Protected Health Information (PHI). That is one of the differences between Secure-Mail™ and your typical email provider. When using Secure-Mail™ you can include the patient's name as part of the content in your subject line and Secure-Mail™ message. The subject line will not be disclosed over regular email, protecting the sensitive health information of your patients.
I heard that Google might advertise based on PHI that is included in emails; is this true?
Yes. Recently the Interim Privacy Commissioner in Canada has led an investigation into Google's advertising policies stating, "Most Canadians consider health information to be extremely sensitive. It is inappropriate for this type of information to be used in online behavioural advertising." For more information on the investigation please visit the recent news article.
How many employees can use the Secure-Mail within the practice? Can I have Secure-Mail for each of my staff or do I have to buy a subscription for every person? How many different email accounts can you have on secure mail?
With your Dentist subscription package for only $39.99 you will receive 5 internal accounts (1 doctor and 4 support staff). If you need more than 5 accounts or if there is more than one doctor working in your clinic, please contact our office.
Is there a charge for the HIPAA Omnibus guide?
No. There is no charge for the HIPAA Omnibus Guide; we offer this free guide as an extension of our service to you. The HIPAA Omnibus Guide includes:
- HIPAA Compliance Checklist - Use this Checklist from HIPAA News to help determine if your dental practice is HIPAA compliant.
- HIPAA Compliance Software Checklist - Send this checklist to your software vendors to see what they are doing to maintain HIPAA compliance.
- Patient Privacy Brochure - We created this brochure as a way to help your patients understand that your practice is committed to the privacy of their records. Feel free to have copies of this brochure available to your patients in your waiting room.
- Notice of Privacy Practices - This Notice of Privacy Practice (NPP) has been created by the US Department of Health and Human Services. Your practice's NPP must be updated to reflect the recent HIPAA Omnibus final rules.
- Business Associate Agreement - This Business Associate Agreement has been created by the US Department of Health and Human Services. Your practice should update the agreement you sign with Business Associates to reflect the recent HIPAA Omnibus rules.
Use this link to download the documents in the HIPAA Omnibus Guide.
Is there a cost for upgrades to Secure-Mail service?
No. We are happy to offer free updates to Secure-Mail™ every six to eight weeks to all of our customers as we release new product improvements.
Do you have a read receipt function?
Not as of today, but it is on our roadmap. We offer free upgrades every six to eight weeks to all of our customers as we release new product improvements. Keep watching!
Can you add a signature or a logo with your message?
Yes, you can add a signature to your Secure-Mail™ messages. This acts as the 'Email Message' part of Secure-Mail™ and can be edited at any time. We are still working on the ability to add a logo to your messages. A few of our users have found a way to do this, but we are in the process of simplifying the steps and improving the quality of the final image.
Are there any set up fees to get my practice started using Secure-Mail?
No. There are never any installation fees to use Brightsquid Secure-Mail™. We only charge the monthly fee of $39.99 for the product. For more information on Secure-Mail setup please contact our office.
If I have a referring dentist who wants to send me some information, can they log in to their email account and send me a message without having an initial email to respond to?
Yes. Secure-Mail™ offers full collaboration and two-way communication. Your referring dentists can initiate a message to you and/or respond to a message you send. It works very much like your current email in this way - with an important distinction of HIPAA compliance. For more information on communicating with your referring dentists please contact our office, as we have many additional services offered to dental specialists like yourself.
Will Brightsquid sign a Business Associates Agreement?
Yes. We are happy to sign a Business Associates Agreement (BAA) with your practice when you set up your Brightsquid Secure-Mail™ account. Please contact our office for more information on where to send your BAA or if you have any questions on how to sign up for your account.
Often there are multiple office personnel receiving the mail at the same location depending on day or time. Will they each have a password?
Yes. We would recommend having each of your staff set up a unique username and password to access Secure-Mail. Having a unique access code is a requirement of HIPAA legislation and is an important step to protect the privacy of your patients' sensitive information. It also provides a smooth transition if there is ever a change in office staff.
I was advised that Microsoft 365 Outlook is HIPAA compliant. Can you advise me if that is true?
It will depend on how you use it. Microsoft Office 365 does have tools that help protect your sensitive patient information; please check with Microsoft directly for more information on how they meet HIPAA compliance. We would also recommend having them sign a Business Associates Agreement with your practice. You can also send your vendor a copy of the HIPAA Compliance Software Checklist.
Does your email import our contact list from Outlook? Can you import the email addresses from other email programs?
Yes. You can pull your contacts from other accounts (Gmail, Outlook, etc.) and import them directly into Secure-Mail™. Save time and keep a full contact list in one convenient location.
Is there a limit on the number of emails that are stored and a time limit before emails are purged or deleted?
No. As a paying user there are no limits to the number of emails you can send or a time limit on storage. When we developed Secure-Mail™ we wanted to create a way for doctors to easily and securely communicate; we did not want to limit this experience.
Is it okay to send PHI to the patient un-secure as long as we have informed the patient about the possibility of the email being intercepted? This should fall under the "duty to warn" portion of the HIPAA Omnibus Rule.
Yes, as long as your patient has been informed of the risks associated with using email to send Protected Health Information (PHI). If you have warned your patient, and the patient still wishes that you use email to send PHI, you can follow their request to use email. We would recommend getting this request in writing to protect your practice. Please note that your practice is still responsible for the message as it is saved on your email account. If your email “sent items” folder syncs with your phone, tablet, laptop or desktop – and your phone, tablet, laptop or desktop is stolen or lost, you will still have to report the loss to Health and Human Services as a breach under the HIPAA laws. If a breach occurs your practice will still be made accountable to safeguard your patient's PHI.
Under the breach notification rules, you will have to provide:
- Individual Notice - Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information.
- Media Notice - Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction.
- Notice to the Secretary - In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of breaches of unsecured protected health information.
- Notification by a Business Associate - If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach.
For more information on the breach notification requirements please visit the U.S. Department of Health and Human Services website.
Is this webinar being recorded?
Yes. Please use the video viewer above to watch the recording of the webinar. If you would like copies of the individual slides used during the presentation please contact our office.
Can you list more than one recipient? For example to a doctor and the doctor's schedule coordinator?
Yes. During the presentation we only addressed the email to one contact, but you can easily send the message to as many contacts (doctors and patients) as you would like. Simply enter your contacts' email addresses into the address bar and click send.
Is Secure-Mail fully accessible on smartphones, iPad, etc?
Yes. Secure-Mail™ has been built with a responsive design and can be viewed on your mobile devices such as smartphones and tablets.
What Practice Management Software programs do you connect with?
We are currently working through all of our Practice Management Software connections to Secure-Mail. Please contact our office to see if your specific software will connect with Secure-Mail™.
Do you need a Business Associates Agreement with each insurance company that you submit claims or just to the clearinghouse for e-claims?
As both the insurance company and clearinghouse are considered to be Covered Entities you do not need to get them to sign a Business Associates Agreement with your practice.
Is this considered PHI? What about reminding a patient about taking a pre-med which the patient asked us to remind them about?
Discussions with your patient about pre-med information would be considered Protected Health Information (PHI). If your patient has specifically asked you to email them reminders of their medication, you can communicate with them over email as long as you explain the risks associated with the exchange prior to the exchange occurring. Please note that your practice is still responsible for the message as it is sent to your patient or saved on your email account. If a breach occurs your practice will still be made accountable to safeguard your patient's PHI.
In regards to appointment reminders, may I send in an email message something to the effect of you are due for your 3 month perio maintenance?
We would recommend that you try to be as generic as possible. Ask yourself if you need to include "perio" in the message; would it be possible just to write “For your continued dental care see you next Thursday”? The risks associated with including “perio” in the message would be up to the discretion of the individual, but it is best to err on the side of caution to protect your practice and your patient.