Webinar: Top 10 Dental Breaches

Over 250,000 patients were affected by HIPAA breaches in dental practices between 2010 and 2015.

Included in the webinar:

Top 10 List - 10 Worst Dental Breaches. Learn from their experience and safeguard your practice.

Ask an Expert - Dedicated time where you can ask your burning questions to HIPAA expert and lawyer Mr. Rohit Joshi, LL.B


Subscribe to Brightsquid Today!

Sign up to Brightsquid and start using Secure-Mail for secure messaging with specialists, dentists and labs.

Sign Up


What is a HIPAA Breach?

“A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised” – HHS.com

Top 10 List - Worst Dental Breaches. Learn from their experience and safeguard your practice

  • #10 – Obvious Error
  • #9 – Mailing Mishap
  • #8 – Christmas Stress and Fines
  • #7 – Website Hack
  • #6 – 3rd Times a Charm
  • #5 – Unauthorized Access to Files
  • #4 – Bankrupt Practice
  • #3 – 30 Years of Patient Data
  • #2 – Unencrypted Backup
  • #1 – Sued by the State

Ask an Expert - Dedicated time where you can ask your burning questions to HIPAA experts Dr. Lorne Lavine and Mr. Rohit Joshi, LL.B.

  1. How do I protect my staff knowing that there is an AIDS patient, if I can't flag the file? Could you keep a red sticker on the outside of a file (without the word "AIDS") and only the staff would know what it meant?

    The problem with a red label on the outside of a file is that as soon as someone find out what the label represents, the information is not secure. People who do not need to know Protected Heath Information (PHI), such as HIV status, cannot have access to PHI. A solution to this problem, and the corrective action that the practice took after the breach, is to put the red label inside the patient file. This way you can still alert the staff, but people who do not need to access the information (other patients) cannot see it on the outside of the file.

  2. How can you keep 10 year or older charts, how do we store them safely? Is a locked file cabinet safe?

    A locked filing cabinet is a good place to start, make sure that you restrict access to the keys and that it is anchored to the wall and cannot be stolen. Please note that you are also required to keep a backup of your files at a different location for disaster recovery (a fire), be sure that your offsite backup is also encrypted and secure.

  3. Can my practice use sign in sheets at the front desk?

    We would not recommend the use of a sign in sheet that would make patient names available to other patients. There are some solutions with labels, but you must make sure that information or patient lists are not available to people who do not need access to them.

  4. How can I protect my practice, so I don't work with companies that might put my practice at risk ex. not disposing of data?

    To protect your practice, please have all of your business associates sign a Business Associates Agreement (BAA). Please visit the US Department of Health and Human Services (HHS) for more information.

  5. Our Business Associates have their BAA online. Are those acceptable enough (ex. software company, electronic claims clearinghouse)?  Should we draft our own BAA and get them to actually sign it?

    We would recommend a practice to use their own Business Associates Agreement so that you know what is included in the agreement. We would also recommend having your Business Associate individually sign all agreements with your office.

  6. What is the Canadian version of HIPAA? What does PIPEDA stand for?

    PIPEDA is a Canadian Act that sets out ground rules for how private sector organizations may collect, use or disclose personal information. PIPEDA stands for Personal Information Protection and Electronic Documents Act. For more information on the act please visit the Canadian Government website.

  7. Are we still allowed to send monthly re-care postcards addressed to patients: "Time for your dental checkup, please call us".  I noticed the new 2013 ADA HIPAA NPP deleted the statement about Appointment Reminders.

    Make sure that you are sending the minimum amount of information necessary. Do NOT send Protected Health information (PHI) in patient reminders (re-care postcards). If you need to send something specific like what to eat before an appointment, as you might be providing information on what is being treated, we would recommend using Brightsquid Secure-Mail. Also, please note that you are not allowed to market to unknown patients.

  8. What is an excellent Firewall that you would recommend to your customers? Is True Crypt still a valid encryption solution?

    The US Department of Health and Human Services (HHS) does not certify products or firewalls as safe or HIPAA complaint. True Crypt or the new Vera Crypt are free and good options according to Dr. Lavine (The Digital Dentist), please feel free to contact him for further information thedigitaldentist.com.

  9. How do you know that your server is encrypted? Is there a test?

    We are not aware of a test that you can perform on your server. Typically if you are not aware of the encryption (have not paid for or set up the service), your server is probably not encrypted.

  10. Are patients required to sign a privacy policy acknowledgement yearly?

    Best practice would be to have your patients sign the Notice of Privacy Policy yearly. According to the US Department of Health and Human Services (HHS) “Most covered health care providers must give notice to their patients at the patient’s first service encounter (usually at your first appointment).  In emergency treatment situations, the provider must give the patient the notice as soon as possible after the emergency.  It must also post the notice in a clear and easy to find location where patients are able to read it.” It also states that “A covered entity must give a copy of the notice to anyone who asks for one.  If a covered entity has a web site for customers, it must post its notice in an obvious spot there.” You are also required to have your patients sign acknowledging that they have received the notice, if they refuse to sign, just make a note of the situation. If your policy changes, or if the rules governing your policy change, you must have your patients resign acknowledging they have received the updated policy. For more information please visit the HHS website.

  11. Is there a limit to the number of colleagues I can communicate with using Brightsquid Secure-Mail?

    No, you can communicate with an unlimited number of colleague recipients with your Basic or Premium Brightsquid Secure-Mail account. We have also included 2,000 patients with your subscription.

  12. Is the discount limited to a certain number of months?

    The discount is ongoing forever. It is for as long as you are a subscriber to Brightsquid Secure-Mail.