Webinar: 10 Burning Questions About HIPAA Compliance & Your Dental Practice
Your practice requires a secure and compliant way to communicate private patient information. HIPAA compliance has been a hot topic in the dental industry, but there still is confusion on what that means for your dental practice.
During the webinar, Dr. Lavine and Mr. Rohit Joshi will provide some background of HIPAA laws and give solutions about how to lower your risk and get compliant.
To learn how to get your free CE credits please call 1-800-238-6503 or submit our contact form.
Why Should You Care?
The trusted relationship you create with your patients is just as important in the electronic world as it is in the real world. HIPAA legislation in both the real and electronic world is about restricting access to Protected Health Information (PHI) to the people that must have it to deliver health services. Dr. Lavine has a considerable amount of experience helping dental practices get HIPAA compliant in the "real world"; please contact him for more information and guidance. In the electronic world, compliance covers the encryption, access, transmission, storage and disposal of PHI.
What Does Compliance Mean in the "Real World" and "Electronic World"?
It all comes down to doctor-patient confidentiality. As electronic transmission has replaced more traditional methods of information transfer, regulations have emerged that set standards for electronic information security and extend doctor-patient confidentiality into the electronic world. HIPAA, HITECH, PIPEDA and a number of other provincial and state regulations set laws regarding the way your practice should control sensitive patient information. Audits are being conducted by governmental bodies; for more information on HIPAA audits and fines regarding HIPAA compliance, please refer to question 3.
Is Anyone Watching?
Yes. A number of small and large organizations have been fined for failing to be compliant, but all it takes is ONE upset patient to trigger an investigation into your practice.
What is the Difference between Compliance and Security?
Companies like to use the words "compliance" and "security" interchangeably, but they are very different. Security is just one important component of compliance. Compliance covers a set of safeguards: security, as well as patient consent, encryption, access, transmission, storage and disposal of Protected Health Information. Some systems are secure, but they don't offer full compliance.
Is Patient Consent all I Need?
No. Patient consent is not enough to make your practice HIPAA compliant. Patients can NOT consent to the transfer and storage of Protected Health Information (PHI) in an unsecure manner. In a practical sense, this means that patients cannot consent to a doctor sharing their PHI in an unsecure format, such as email. Please refer to question 7 for more information.
What are the HIPAA Requirements?
HIPAA sets national standards for the security of electronic Protected Health Information (PHI). There are specific guidelines and rules on how your practice handles the access, transmission, storage and disposal of PHI. Contact our office for more information.
Why is Email NOT Compliant?
Even if your computer is secure, your message passes through dozens of unknown servers en route to its destination. These "middle-man" servers make up the backbone of the email system, but they are not secure and therefore not compliant. Dentists have a professional duty to take precautions to safeguard private patient data.
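The point above can be checked on any message you have already received: each relay that handled it prepends a Received: header, so the headers record which servers the message passed through and whether each individual hop used TLS. The script below is an added illustration, not code from the webinar or from Brightsquid; the headers, hostnames and addresses are constructed placeholders in documentation ranges.

```python
import re
from typing import Dict, List

# Constructed sample (not a real message): the Received: headers a mailbox
# might show for one message sent from a dental practice to a lab. Each relay
# prepends its own line, so the first entry is the LAST hop the message took.
SAMPLE_RECEIVED = [
    "from mx.lab.example.net (mx.lab.example.net [192.0.2.40]) "
    "by mail.lab.example.net with ESMTPS id q7; Tue, 5 Mar 2013 10:02:11 -0700",
    "from relay2.isp.example (relay2.isp.example [198.51.100.9]) "
    "by mx.lab.example.net with ESMTP id p3; Tue, 5 Mar 2013 10:02:09 -0700",
    "from relay1.isp.example (relay1.isp.example [198.51.100.8]) "
    "by relay2.isp.example with ESMTP id n1; Tue, 5 Mar 2013 10:02:08 -0700",
    "from smtp.dentist.example.com (smtp.dentist.example.com [192.0.2.10]) "
    "by relay1.isp.example with ESMTPS id m9; Tue, 5 Mar 2013 10:02:05 -0700",
]

# "from <host> ... by <host> ... with <protocol>" is the clause order RFC 5321
# prescribes for a Received: header.
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S)


def parse_hops(received: List[str]) -> List[Dict[str, object]]:
    """Return the relay chain in delivery order (sender's server first)."""
    hops = []
    for header in reversed(received):
        m = HOP_RE.search(header)
        if not m:
            continue  # free-form or malformed header: skip rather than guess
        sender, relay, proto = m.groups()
        # RFC 3848: an "S" suffix on the WITH keyword (ESMTPS, ESMTPSA, ...)
        # means that ONE hop used STARTTLS. It says nothing about the next hop,
        # and the relay writes the line itself, so this is not an audit record.
        p = proto.upper()
        hops.append({"from": sender, "by": relay, "with": proto,
                     "tls": p.endswith("S") or p.endswith("SA")})
    return hops


def summarize(hops: List[Dict[str, object]], sender_domain: str,
              recipient_domain: str) -> Dict[str, object]:
    """Count hops, list hops made without TLS, and list relays owned by neither party."""
    def foreign(host: str) -> bool:
        return not (host.endswith(sender_domain) or host.endswith(recipient_domain))

    return {
        "hops": len(hops),
        "plaintext_hops": [h["by"] for h in hops if not h["tls"]],
        "foreign_relays": sorted({h["by"] for h in hops if foreign(h["by"])}),
    }


if __name__ == "__main__":
    chain = parse_hops(SAMPLE_RECEIVED)
    print(summarize(chain, "dentist.example.com", "lab.example.net"))
```

In the sample, the practice's own server and the lab's own server both used TLS, yet two ISP relays in the middle exchanged the message in plaintext and neither party controls those machines, which is exactly the gap between "my computer is secure" and a compliant transfer.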
What are the Benefits of Firewalls?
The benefit of having a firewall in your practice is that it protects your internal practice network from intruders. Firewalls are a must have for your office. Firewalls do nothing to protect data as it is sent out of your office.
How do You Make Your Dental Practice Compliant?
There are "real world" and "electronic world" components to HIPAA compliance; to be compliant you need both. Dr. Lavine has a considerable amount of experience helping dental practices get HIPAA compliant in the "real world"; please contact him for more information and guidance.
In the electronic world, we recommend using Secure-Mail™. Secure-Mail™ is the compliant messaging system designed to enable dentists, specialists and labs to easily and safely share private patient information. Exclusively available through Brightsquid, Secure-Mail™ works just like e-mail with an important distinction - all communications meet compliance standards.
- Every message is encrypted.
- Every message is logged and auditable.
- All connections are controlled by Brightsquid.
Can Compliance be Convenient?
Yes. In the electronic world using Secure-Mail™ from Brightsquid you get more than what your current email service is providing.
- Operates Just Like Your Current Email - Simply compose, attach and send.
- Unlimited Storage - Store and archive your data.
- Attach and Send 500MB per Message - Attach and share common file types like JPG, PNG, DOC and PDF files as well as large STL 3D images and DICOM studies.
- Image Studio - View, annotate and manipulate files within Secure-Mail's JPEG, DICOM and STL image viewers.
- Works with Your Existing Email Address - You will be notified of any new messages or updates in your current email account, simply click on the link and you'll be taken directly to your Secure-Mail™ message.
- Compliant Communication for Health and Dental Records - Secure-Mail™ is not only secure it is compliant with HIPAA, HITECH and PIPEDA legislation.
In the Secure-Mail™ market, how is Brightsquid positioned? How long has it been in the market and what differentiates it from others?
Brightsquid's Secure-Mail™ is a pioneer in the dental industry. There are no other systems currently on the market that match compliant email with: 3D image viewing, active notifications, image annotation, audit tracking and large file transfer (500MB!). Brightsquid was released into the market in 2012 and has over 1,500 users in 9 countries around the world. Dentists around the world are using Brightsquid to securely share 800 files per week.
How many emails can you send per month?
With Secure-Mail™ users can send unlimited messages out to colleagues with unlimited data storage.
What is the cost of Secure-Mail™? Annual fee?
Secure-Mail™ is available for $39.99/month and if you purchase an annual account it works out to $33.33/month ($399.99/year).
Does this service then only work if the recipient also has Secure-Mail™?
Yes. Your colleague needs to have a Secure-Mail™ account to receive Secure-Mail™ messages. We do this to maintain HIPAA compliance: by having all communication pass through the system, it maintains a secure and auditable record of PHI (Protected Health Information). You can offer your colleagues free sponsored/registered accounts.
What are sponsored users?
Sponsored/registered users are people you select to invite to Brightsquid for free. When you register a user, you are providing them with a subscription to Brightsquid, where all communication between you and your registered user is stored and archived on the system. If you do not register a user to your account, their communication will not be accessible after 14 days.
Is it secure even if the lab has a Gmail account?
Secure-Mail™ is secure even if your lab uses a Gmail account. When you send a Secure-Mail™ message, your colleague will receive an email notice in their traditional email, with a link to the Secure-Mail™ message. As you would expect, your colleague simply clicks on the link to view the message in Secure-Mail™. The email that your colleagues receive contains no PHI (Protected Health Information); all PHI is safely held in Brightsquid's Secure-Mail™.
The people who join for free, do they have to open a new email account?
Secure-Mail™ will automatically send updates and notifications to your current email. If you join Secure-Mail™ with the limited free account, you will not be compliant, as it does not store your messages past 14 days. The free account is offered as an introduction to Brightsquid and does not feature all the tools and compliant features of Brightsquid. For $39.99/month you will receive a full Dentists subscription to Brightsquid Dental Link.
Is Secure-Mail the only fully compliant HIPAA email app on the market today?
Yes, as far as we know, Secure-Mail™ is the only messaging service designed specifically for dentists, specialists and labs. There are other services available, but they do not have all the features that Secure-Mail™ includes, nor do they meet the regulations set out in HIPAA, HITECH and PIPEDA.
How long does it take for a CBCT scan to be sent and/or viewed?
Uploading a CT scan should take anywhere between 5 and 15 minutes. It all depends on the speed of your internet connection.
If I sign up for Secure-Mail™, does that mean my specialists need an account too?
Yes and no. Yes, they need to be a member of the Secure-Mail™ network, but no, they don't have to purchase an account. You can add them to your registered/sponsored users. However, we would recommend Brightsquid to your specialists as there are many features of Brightsquid specifically designed with your lab and specialists in mind.
Can you use this to send info to patients then? Would that fall under the 25 then?
Brightsquid is a secure network of dentists, specialists and dental labs. In the past we have stayed away from opening up the system to patients. With the introduction of Secure-Mail™ in February, doctor-patient communication might be an interesting opportunity. At the current time, we recommend that you do not use our service for patient communication.
What if you need to send a message to a provider that is not in the network of Secure-Mail™?
You can send 'one-time' messages to your colleagues through Secure-Mail™. For one-time use, the users will not be counted against your 25 sponsored/registered users. If you would like to manage your sponsored/registered colleagues, please contact our office for more information. Alternatively, you can purchase more registered users for your account; please contact our office for pricing at 1-800-238-6503 or email firstname.lastname@example.org.
As a Periodontal office, can I email you for more information on the extra features for Specialists?
Thank you for your interest in a Brightsquid Specialist subscription. The best way to get a full understanding of the tools and features available to Periodontist or other specialties on Brightsquid is to set up a live demo. Please contact our office at 1-800-238-6505 or email email@example.com to set up your demonstration.
How can I tell if my email server is compliant?
Most common email services like Gmail, Hotmail, Outlook and Apple Mail are NOT compliant, and many of those systems will state this on their website. Compliance requires security, auditing, storage and data deletion of Protected Health Information. If a user can forward your email and it can be viewed by outside parties, it is most likely not compliant.
Any comment on breach of patient info from misuse of mobile devices?
The largest number of HIPAA complaints are due to mobile devices that are lost or stolen: laptops, phones, tablets, USB drives etc. Whether lost or stolen, these devices must be protected through encryption. Our recommendation, of course, is to keep data secure on a cloud-based platform like Brightsquid.
I think Complacency is the biggest challenge here with many practice owners. Any suggestions on how to respond?
Very true, it can be easy to become complacent when it comes to compliance, but there is really no excuse. If dental practices have the answers to their HIPAA concerns and have the tools to fix them, it should be easy to follow the regulations set out through HIPAA. The Office of Civil Rights (OCR) in the Department of Health and Human Services (HHS) is very strict on HIPAA violations, and many of the fines we see are based on complacency and potential breaches of patient privacy. The OCR wants to see that your office has made patient privacy a concern and has set guidelines and rules to follow.
Is it ok to share patient info with insurance providers? Should information sent to insurance companies by email be handled the same way? Do you need HIPAA agreements with each insurance company?
There are specific guidelines around insurance providers; please visit http://www.hhs.gov/ocr/privacy/hipaa/faq/disclosures/274.html for more information on sharing patient information with insurance companies.
Do you have a sample of a consent form? Where can we obtain the verbiage for the consent form for patient if we use service like Secure-Mail™?
There were many questions with respect to getting consent from the patient. This is a complex question and even a more complex answer - and probably the subject matter of another very interesting webinar.
Consent is used in a number of ways in Dentistry. Most commonly, we've seen consent used to describe:
- A blanket consent that enables a practice to collect, store and share the patient's contact information and medical information. Medical information sharing will be restricted to other dental and medical practitioners as well as insurance companies that require the information to treat the patient.
- Consent to a specific course of dental treatment (often referred to as "Informed Consent").
With respect to informed consent, we offer the following academic paper for your review. In our searching we've found this document to be the most authoritative on the matter. In the appendix of the document, the author offers a template to use for informed consent. http://www.cda-adc.ca/jcda/vol-70/issue-2/89.html
Can you just have a general consent in new patient forms that if necessary, the patients allow transmission of records? And would this have to be annually renewed like a medical history is?
Do you need consent each time information is sent? A general consent form should be sufficient to cover your patient, as long as they are a member of your clinic. If there are any new policy changes, like the use of email, you should obtain a renewal of the consent. Please note that patients can NOT consent to their Protected Health Information being shared in a non-compliant manner.
Is consent necessary when sending patient information to another health care provider who is or will be providing treatment?
Consent is still recommended. When it comes to sensitive patient information, there is great concern for patients to receive the best care possible. If consent is not possible and/or it would delay care, it is not always required.
I just took a HIPAA class Sunday and I was told you do not need consent for information shared between referring dentists. Is this true?
This is a complex question. We have evaluated the arguments for and against getting consent. Without getting into the detailed arguments for it, let’s just say that there is a “best practice approach” which includes patient consent. There is great concern for patients to receive the best care possible. If consent is not possible and/or it would delay care, it is not always required. For more information please refer to question 18.
When you say "consent", does that mean written and signed consent? or just verbal?
We would recommend obtaining written consent. During the webinar consent was considered to be written. Verbal consent opens your practice up to liability issues.
As a business partner (also known as covered entity), I find myself in a bad situation when I ask about putting in place an agreement but am often told - we don't do that. Any suggestions?
There could be a number of different answers to this question. Please call us for more information: 1-800-238-6503 or email firstname.lastname@example.org.
Are there compliance concerns for in-office CAD/CAM and digital impression systems?
The information stored and shared needs to be encrypted. Please check with your manufacturer.
If another practice sends me an unsecured email and my practice receives the patient records, who is responsible? Did my practice violate HIPAA as well?
The person who sends the file is responsible. When your patient entrusts you with their personal information it is up to you to keep it safe, so the best practice would be to reply to the non-compliant email with a Secure-Mail™ message. Also, if you are planning to store the information, remember that once it is on your premises, it needs to be stored in a HIPAA compliant manner.
Please list the encryption programs?
Dr. Lavine has a considerable amount of experience helping dental practices get HIPAA compliant in their practice, please contact him for more information and guidance on encryption programs.
Even if images are sent by a mail carrier you don't necessarily know who all saw the images?
Yes. That is true; you do not necessarily know who saw a mailed image. There are specific laws regarding rights and regulations on postal services. There are laws to protect mail fraud and the opening of mail packages. When you send Protected Health Information in a sealed envelope you are taking the care required to protect sensitive patient information, as opposed to sending over an unsecure email service.
You also lose track of your document if you put it in the post, right?
Yes. You can lose track of a document in the post, but there are specific laws regarding rights and regulations on postal services. There are laws to protect mail fraud and the opening of mail packages. When you send Protected Health information in a sealed envelope you are taking the care required to protect sensitive patient information, as opposed to sending over an unsecure email service.
Would password protected PDFs be considered a secure method in which to share records? Password could be given verbally.
Protected PDFs are better than no password protection. Even if the password is given verbally, you may still lose track of the document when you send it through traditional email services and I’m not sure how secure the password is. In order to be HIPAA compliant you need an auditable record of who was able to view all Protected Health Information (PHI).
Is communicating over SSL sufficient for compliance?
No. SSL offers encryption in transit which is just one important safeguard of being compliant. But, just having an encrypted transmission of information is not enough to be compliant with HIPAA, HITECH and PIPEDA legislation.
If an Endodontist asks for an x-ray I cannot email it or I just need consent?
As your X-ray contains Protected Health Information you would not be compliant. Consent is just one of the many components of compliance. We recommend getting consent from your patients in order to share their Protected Health Information with other practices and labs. But you still must transfer the information in a secure manner. Email is NOT compliant with HIPAA, HITECH and PIPEDA laws, nor is it a secure way to transfer sensitive patient information.
We are using Google Apps Email. It is secure to the extent that it is SSL encrypted. Is it HIPAA Compliant?
There appears to be a way to configure Google apps that seems to offer compliance. Please note that it must be configured by someone with HIPAA compliance expertise. We would not recommend the use of Google apps as we have some questions about the Business Associate Agreement that need to be addressed. This is also only available through a paid version of the Google apps and not offered through the free service. There are also encryption add-ons that need to be in place.
What about Go-Daddy email?
Go-Daddy is absolutely NOT a HIPAA compliant email service.
What's the deal with x-rays being encrypted? How do you know if your e-mail sends pictures, x-rays in an encrypted form?
Typical email services do not encrypt your messages. If you search online you can see the different encryption options. Encryption is just one important part of compliance.
What about faxes sent from a med lab with results regarding biopsies, etc.?
Faxing Protected Health Information can be compliant, as long as the fax machine is located in a secure environment and only authorized individuals can see incoming faxes. We would recommend Dr. Lavine, as he has a considerable amount of experience helping dental practices get HIPAA compliant; please contact him for more information and guidance on faxing Protected Health Information.
What about hardware implemented firewalls?
The benefit of having a firewall in your practice is that it protects your internal practice network from intruders. Firewalls are a must have for your office, however, having a firewall in your office does nothing to safeguard Protected Health Information when it is sent out of your office.
Is there a secure email service that is okay to use? What is a good source to use to send email?
We recommend Secure-Mail™ from Brightsquid. Secure-Mail™ looks and feels just like email, but is compliant with the regulations set out in HIPAA, HITECH and PIPEDA.