Webinar: HIPAA Breach! It Happened to Our Dental Practice
Six years ago I was the Office Manager for a Dental Practice that had a HIPAA breach. On one terrible day, we walked into the office to find all of the computers stolen, and with them all of our patients' data. The events that followed changed the practice and changed me forever. During the Webinar, I will share:
- The many events that led up to the HIPAA breach
- The day of the computer theft
- The year of difficult events that followed
During the webinar Angela Donovan, Dr. Lorne Lavine and Mr. Rohit Joshi, LL.B, will answer your questions about HIPAA compliance and provide solutions to secure your dental practice.
To learn how to get your free CE credits please call 1-800-238-6503 or submit our contact form.
Subscribe to Brightsquid Today!
Sign up to Brightsquid and start using Secure-Mail for secure messaging with specialists, dentists and labs.
Patient Privacy Laws - HIPAA, HITECH, PIPEDA etc.
Ordinary email is NOT compliant with patient privacy laws and does NOT maintain doctor-patient confidentiality: an unencrypted message can be read in transit and is stored in clear text on every mail server that handles it.
- HIPAA - Health Insurance Portability and Accountability Act (1996)-USA
- HITECH - Health Information Technology for Economic and Clinical Health Act & HITECH Safe Harbor -USA
- PIPEDA - Personal Information Protection and Electronic Documents Act - Canada
- Additionally there is significant Provincial/State legislation as well as professional dental bodies that have established very specific guidelines for the handling of patient information.
- PHI - Protected Health Information. The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
There are many examples of penalties and corrective action issued for organizations that were not following patient privacy laws. For more information please visit the HIPAA/PIPEDA Enforcement page.
Most reported HIPAA breaches result from theft or loss of computers, tablets or smartphones, not from a regulator's audit
- Over 200,000 patients have been affected by breaches at dental practices
Angela Donovan experienced a HIPAA breach within a dental practice
- There were many simple things that could have been done to prevent the loss of patient data.
- After the theft of their computers, the practice sent a letter to their patients explaining that their information may have been lost – which led to answering calls from very angry patients
- In the course of the next few months, steps were taken to get the practice to be HIPAA compliant.
- Although Angela has moved on to a new practice, the lessons learned have significantly changed how she perceives HIPAA compliance
Secure-Mail is a safe and convenient way to transfer information between dentist, specialist and lab.
Do recipients of secure-mail messages need a contract with Brightsquid Secure-Mail to receive the mail?
Yes. With every paid account, you have the ability to invite your recipients to use Secure-Mail for free. We do this to maintain HIPAA compliance, so if, in the future, you need to track all of your correspondence with a specific patient or provider, we can provide a complete log of all users that have interacted with you. The first time you send them a Secure-Mail message, they will be asked to enter a little bit of information about themselves then pick a password. After completing these steps, which will take a maximum of 30 seconds, the recipient will be able to read the message. After this initial registration, the next time they receive a message from you, they'll simply be asked for their password and will immediately get taken to the message you sent them.
Isn't taking a backup of the patient information home also a security risk?
Yes. Before any patient data leaves the premises it must be encrypted, and the key or passphrase must not travel with it (not written on the drive, not stored in a file on the same media). A backup encrypted in line with the HHS guidance on securing PHI, with the key kept separately, does not count as "unsecured PHI" if it is lost or stolen, so its loss is not a reportable breach. An encrypted backup whose key is on the same drive offers no such protection.
What if the patient wants their record/xrays emailed to them - should it still be encrypted? What if they don't want to subscribe to Secure-Mail?
The patient has the right to ask for and receive any of their own patient information. To communicate with the patient, our first recommendation is that you use an encrypted service, like Secure-Mail, to communicate with them. The patient is able to join the service for free and they keep their current email address. When they click on the link that they receive in their regular e-Mail, they will be taken directly to the new Secure-Mail that you sent them. From there, they will have a complete archive of all of their communication with your office.
If the patient insists that they cannot use Secure-Mail, the HIPAA Omnibus Rule lets you honour the request, provided you take these steps:
- Explain the risks of using an unsecured method of communication: the information could be intercepted by someone, and such interception may never be detected.
- Have them sign a consent form which specifically records that they have been warned about the risks of information loss.
- Send the information requested, and no more than was requested.
Are DemandForce, Solution Reach, Lighthouse and RecallSystem.com (and other automatic email patient communication systems) HIPAA compliant with the information that is included in the messages?
The HIPAA Omnibus Rule specifically mentions patient appointment reminders: they are permitted, but our recommendation is that the automated reminder carry only the minimum necessary information (date, time and office), not the reason for the visit or any other clinical detail.
If the server is encrypted and it is stolen, would we still need to contact all of our patients?
The quick answer is "no": if the server's data was encrypted (with the key kept apart from the machine), its theft does not trigger the breach notification process that would force you to contact all of your patients, make a statement to the media, and so on. In practice, however, the server is rarely the only thing taken. In the cases we are aware of, it went along with the desktop or laptop computer that connects to it, and every one of those machines would also have to have been encrypted to ensure there was no breach, since each may hold or cache patient data.
Can the server information be encrypted to avoid a breach if stolen?
Yes. Full-disk encryption of the server, and of every workstation and laptop that stores or caches patient data, prevents a stolen machine from becoming a reportable breach, provided the recovery key is not stored on or with the machine.
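A worked illustration of the two answers above (the off-site backup and the stolen server), added here as an example and not part of Brightsquid's product or the original page: a shell script that encrypts a backup archive before it leaves the office, keeps the key and a checksum apart from the media, and then checks that the ciphertext reveals nothing and that the archive restores intact. It assumes OpenSSL 1.1.1 or later is installed; every path and the single sample patient record are constructed for the demonstration. Whole-disk encryption of a running server is done by the operating system (BitLocker, FileVault, LUKS) rather than by a script like this, but the key-handling rule it demonstrates is the same.

```shell
#!/bin/sh
# Added example (not Brightsquid's code): encrypt a backup before it leaves the practice,
# keep the key and a checksum apart from the media, then prove the ciphertext exposes
# nothing and that the archive restores intact. Requires OpenSSL 1.1.1+ (for -pbkdf2).
# Every path and the sample patient record are constructed for this demonstration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
KEYFILE="$WORK/office-safe/backup-key.txt"   # stays in the office, never on the backup drive
SUMFILE="$WORK/office-safe/backup.sha256"    # plaintext checksum, kept with the key
ENCFILE="$WORK/offsite/backup.tar.enc"       # the only thing that travels

# 1. Constructed stand-in for the practice database (never use real PHI in a test).
make_sample_backup() {
  mkdir -p "$WORK/practice"
  printf 'patient_id,name,dob,last_xray\n1001,Jane Q. Sample,1980-01-02,bitewing-2014-03.jpg\n' \
    > "$WORK/practice/patients.csv"
  ( cd "$WORK" && tar -cf backup.tar practice )
}

# 2. A random 256-bit passphrase stored apart from the data (password manager or the office
#    safe in real life). "openssl enc" offers no integrity check, so a SHA-256 of the
#    plaintext is kept alongside the key to detect a corrupted or tampered archive on restore.
make_key_and_checksum() {
  mkdir -p "$WORK/office-safe"
  openssl rand -hex 32 > "$KEYFILE"
  chmod 600 "$KEYFILE"
  openssl dgst -sha256 "$WORK/backup.tar" | awk '{print $NF}' > "$SUMFILE"
}

# 3. Encrypt for transport: AES-256-CBC, key derived from the passphrase with PBKDF2
#    (200,000 iterations, random salt). Only the .enc file leaves the building.
encrypt_backup() {
  mkdir -p "$WORK/offsite"
  openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt -pass "file:$KEYFILE" \
    -in "$WORK/backup.tar" -out "$ENCFILE"
}

# 4. True (exit 0) if no recognisable patient data or file name survives in the ciphertext.
ciphertext_is_opaque() {
  for needle in 'Jane Q. Sample' '1980-01-02' 'patients.csv'; do
    if grep -aq "$needle" "$ENCFILE"; then
      return 1
    fi
  done
  return 0
}

# 5. Restore with the key from the safe; trust the result only once the checksum matches.
restore_backup() {
  mkdir -p "$WORK/restore"
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -pass "file:$KEYFILE" \
    -in "$ENCFILE" -out "$WORK/restore/backup.tar"
  [ "$(cat "$SUMFILE")" = "$(openssl dgst -sha256 "$WORK/restore/backup.tar" | awk '{print $NF}')" ]
}

# 6. What a thief gets without the key: decryption either errors out or yields garbage,
#    and in neither case is the sample record readable.
wrong_key_yields_garbage() {
  mkdir -p "$WORK/restore"
  printf 'wrong passphrase\n' | openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -pass stdin \
    -in "$ENCFILE" -out "$WORK/restore/wrong.tar" 2>/dev/null || true
  ! grep -aq 'Jane Q. Sample' "$WORK/restore/wrong.tar"
}

main() {
  make_sample_backup
  make_key_and_checksum
  encrypt_backup
  ciphertext_is_opaque && echo "ciphertext reveals no patient data"
  restore_backup && echo "restore verified against the stored checksum"
  wrong_key_yields_garbage && echo "wrong passphrase yields nothing readable"
  echo "ready for off-site transport: $ENCFILE (key stays in $WORK/office-safe)"
}
main
```

The point of steps 4 to 6 is that "we encrypt the backup" is only half of the safe harbor: the practice also has to be able to show that the key was never with the media and that the backup can actually be restored from the copy that was taken off site.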
Are we considered "not secure" if we are using Microsoft Outlook to send e-mails to lab, specialists, etc?
Almost always, yes, you would be considered "non-secure". Microsoft Outlook is only the program on your desk; it connects to a mail service (Gmail, Outlook.com, AOL and others) that actually stores, sends and receives the email. The problem is not Outlook, it is those services: a message is protected in transit only when both mail servers happen to support TLS, it sits in clear text on the sending and receiving servers, and consumer mail providers do not sign business associate agreements. Unless the provider has signed such an agreement and the message itself is encrypted end to end, the transmission is not considered secure for patient information.
Does the person you're sending the secure-mail to need to have subscribed/paid as well?
The recipient of the Secure-Mail does need to be a registered user, but doesn't have to pay to register. We need the user to register so that we have a complete log of all of the people who interacted with the email for HIPAA purposes. But, the good news is that registration takes about 15 seconds, and hundreds of people are registering for the system every week.
There has always been confusion about sign-in sheets...are these allowed under HIPAA laws?
The standard we impose is: "Only the people who need to see patient data [ANY patient data] should see patient data." So it follows that no patient NEEDS to see any other patient data. With that in mind, we would not recommend the traditional use of sign-in sheets. We've seen good examples of sign-in sheets where the patient signs in on a label, which can then be peeled off and affixed in a more private location after the person has signed in.
As long as the recipient responds to my Secure-Mail, does their response stay encrypted?
Yes. The recipient receives a notice at their normal email address that takes them to the Secure-Mail portal, so every interaction with the message is logged. When they reply from there, the reply is encrypted and, like every Secure-Mail message, automatically backed up, logged and audited, which covers those HIPAA requirements.
Sorry - I missed it. Are you limited to number of "receiving" email accounts, i.e. people you send emails to?
For the Secure-Mail account, you are typically restricted to 25 registered users. Typically, we see this as 4-5 specialists, 2-3 labs and 3-5 other business associates like accountants and lawyers. In addition you have the ability to add up to 2000 patients. Our average user tends to have about 15 contacts that they use with Secure-Mail, leaving the flexibility of another 10 users. If you would like to purchase an additional 25 users, you can add to your Secure-Mail plan for $14.99/month. If you have much larger communication needs, like a specialist or a lab, we have specific programs for those types of offices which enable unlimited connections. Please contact our office at 1-800-238-6503 or firstname.lastname@example.org for more information.
How do you prove the identification of the patient presenting the insurance card is the patient they say they are?
We would recommend visually confirming the identity with a government issued ID, and making specific notes about it as required. We've also seen some offices make a scan of the image, then ensure that it is stored in a HIPAA compliant encrypted manner.
How do I know if my fax/scanner encrypts info?
Your fax/scanner almost certainly does not encrypt anything. Unless you subscribe to a specific encrypted fax service, your fax travels over the telephone network unencrypted. HIPAA nevertheless treats faxing as acceptable, provided reasonable safeguards are in place: confirm the destination number before sending, use a cover sheet, and keep the machine out of public areas so received pages are not left where patients can read them.
Are insurance companies required to encrypt?
Yes. Insurance companies are health plans, which makes them covered entities under HIPAA, so the same Security Rule that applies to your practice applies to them. Encryption of electronic PHI is an "addressable" specification in that rule: they must implement it, or document why it is not reasonable and what equivalent safeguard they use instead. In practice unencrypted PHI that is lost or stolen is a reportable breach for them just as it is for you.
If someone sends us an unencrypted email with EPHI, are we at fault? Said another way, are we liable if the unencrypted email was read by others on the way to us?
There are two parts to that question. You are only responsible for information you have sent or information that is in your control, so if a message is compromised on its way to you, the liability lies with the sender. However, once that unencrypted email has reached you, it is your issue: you have a duty to protect all of the patient information that comes to your practice, even if it arrived in an unsecure manner.