Webinar: Your First 3 Steps to Get Your Dental Practice HIPAA Compliant
HIPAA legislation provides specific guidelines to protect patient privacy in your dental practice. We understand that the HIPAA/PIPEDA requirements can feel a little overwhelming at times. We have focused the webinar on practical solutions to help you get started.
Please join Dr. Lorne Lavine and Mr. Rohit Joshi, LL.B. as they break down the regulations and provide the first 3 steps to follow to become HIPAA/PIPEDA compliant in your dental practice.
To learn how to get your free CE credits please call 1-800-238-6503 or submit our contact form.
Subscribe to Brightsquid Today!
Sign up to Brightsquid and start using Secure-Mail for secure messaging with specialists, dentists and labs.
Start! Plan Your First HIPAA Meeting in Your Practice
Start the conversation. Motivate your staff around HIPAA/PIPEDA regulations. Set a meeting in your practice to discuss HIPAA compliance and what it means in your dental office.
- Build awareness and education around compliance by watching recent webinars: "10 Burning Questions about HIPAA Compliance and Your Dental Practice" and "Your First 3 Steps to Get HIPAA Compliant in Your Dental Practice", and review common HIPAA questions here
- Designate a Project Manager
- Complete a HIPAA checklist
- Set a timeline and determine next steps and goals
Safeguard Protected Health Information in Your Practice
Maintain HIPAA compliance by restricting access to Protected Health Information (PHI) within your dental practice.
- Dispose of PHI securely (do not throw PHI into the trash)
- Do NOT discuss PHI in public areas
- Do NOT leave PHI unattended in public areas
- Secure the physical location and storage of PHI
- Be careful using labels or markings on files containing PHI
- Secure the physical location and access to fax machines
- Secure the physical location and access to computers and monitors
- Safeguard PHI on Mobile Devices (laptops, mobile phones, tablets, portable USB storage, etc.)
- Encrypt PHI in your practice
- Back-up PHI in your practice
Safeguard Protected Health Information in Collaboration
Maintain HIPAA compliance and safeguard Protected Health Information (PHI) during collaboration.
- Your Email is NOT HIPAA Compliant!
- Secure-Mail™ is HIPAA Compliant! Learn more
How many emails can you send per month with Secure-Mail?
With Secure-Mail™ users can send unlimited messages to colleagues. Unlimited data storage is included in the subscription.
If we use Secure-Mail, can we send a message to a specialist who uses a different email security company or do they also need to have Secure-Mail? Do our colleagues have to join the network?
Your colleague needs a Secure-Mail™ account to receive Secure-Mail™ messages. We do this to maintain HIPAA compliance: having all communication pass through Secure-Mail™ maintains a secure and auditable record of PHI (Protected Health Information). With your paid subscription you can give your colleagues free sponsored/registered accounts, so they can communicate with you at no cost.
Are there any alternatives to Rohit's service? (secure-mail.com)
Brightsquid's Secure-Mail™ is a pioneer in the dental industry. There are no other systems currently on the market that match compliant email with: 3D image viewing, active notifications, image annotation, audit tracking and large file transfer (500MB!). Brightsquid was released into the market in 2012 and has over 1,500 users in 9 countries around the world. Dentists around the world are using Brightsquid to securely share 800 files per week.
As far as we know, Secure-Mail™ is the only messaging service designed specifically for dentists, specialists and labs. There are other services available, but they do not have all the features that Secure-Mail™ includes, nor do they meet the regulations set out in HIPAA, HITECH and PIPEDA.
Do registered users have to pay for the service?
No, sponsored/registered users are people you select to invite to Brightsquid for free. When you register a user, you are providing them with a subscription to Brightsquid, where all communication between you and your registered user is stored and archived on the system.
Why the name "Brightsquid"?
We chose the name Brightsquid when we were first developing the company. After we had drawn out our vision (an online portal where dentists, specialists and labs could securely share sensitive patient data and collaborate with their colleagues), we noticed that it looked a lot like a squid. The founder of the company, Dr. Deepak Kaura, came from radiology and liked the fact that some squids can produce bioluminescence to illuminate dark water. Click here for more information on how we got our name.
Is encryption necessary if no mobile devices are used for PHI, only in-office computers?
Yes. According to HIPAA/HITECH and PIPEDA law, data at rest or data in motion must be encrypted. If you are storing Protected Health Information (PHI) you must encrypt this data on your office computer. PHI can include: patient name, specific demographics, and any images that can be used to identify your patient.
Do you need to encrypt data stored on desktop computers?
Possibly. If you're storing any Protected Health Information (PHI) on the desktop system, it must be encrypted. PHI can include: patient name, specific demographics, and any images that can be used to identify your patient. However, if you are using a standard client-server setup, most information stored on the desktop computer does not contain PHI. Please note that in that type of system the server must be encrypted.
Is there a problem if a staff member brings in a personal laptop to connect to the internet on our network that is connected to our server with patient info?
We would recommend setting up a separate wireless network for your patients and staff to use. This is a very simple procedure and a router to do this is affordable. By setting up a guest network you may also provide your patients free wireless while they are in your practice. If some of your staff are using their own equipment on the network we recommend the laptop be encrypted.
Are encrypted Word files HIPAA compliant?
Encrypted Word files are fine and meet the encryption requirements of HIPAA. If you are sending an encrypted Word file through email, please be sure that you are not providing any Protected Health Information (PHI) in the subject and body of the email, or providing the password to access the encrypted information. Also, for HIPAA compliance please note that you still need to ensure that all of your files are backed up and that an auditable log of all access to patient information exists.
If a patient requests that we email a treatment plan to them, do we have to encrypt the documents?
HIPAA laws do not cover doctor-patient communication. We recommend a "best practice" approach to be sure you get patient consent to the use of email, before you send them their treatment plan. Doctor to patient communication is an interesting subject and we are currently looking at ways to add patient communication into Secure-Mail™.
Does HIPAA have an issue when I send a recall postcard by mail saying that the recipient is due for a 'check-up'?
Recall information tends to fall under a grey area with HIPAA. The guiding principle is that Protected Health Information (PHI) needs to be protected and not be exposed to people who do not need access to it to provide health care. HIPAA does not provide direct rules on communication between a doctor and their patient. It should be fine to send out a recall postcard, as long as you are not providing more information than is necessary. Please be advised that doctors have been charged when PHI was disclosed on a phone message, so do take precautions to limit your exposure.
Is fax considered HIPAA compliant just like a phone call?
For both fax machines and telephone communication it all depends on how it is being used. If you are talking about sensitive patient information in a waiting room or in front of people who do not need access to the information, that would NOT be HIPAA compliant. Fax machines need to be located in a secure environment where only authorized individuals can see incoming faxes.
We access our files from home/laptop via GoToMyPC - is this safe? What would be a good "remote" way to access my office?
You can use remote access to access your Protected Health Information (PHI) while away from your computer. Please check with your provider, such as "GoToMyPC" for specific information regarding HIPAA. During the webinar Dr. Lavine also suggested LogMeIn as an alternative method for remote access.
What if the files are encrypted before it is sent?
If you are encrypting files you can send them using traditional forms of email. According to HIPAA best practices, email can be used as long as: your patient has consented to the use of email, you have verified the email addresses of the recipients, you de-identify the information, you transmit the minimum necessary, and you encrypt the electronic personal health information that you transmit (and the recipient decrypts it). Please be sure that you are not including any Protected Health Information (PHI) in the subject or body of the email, or the password to decrypt the information. Please contact our office to discuss how Secure-Mail™ can improve your communication and efficiency.
Would it be sufficient to have an on-site hard drive backup and a portable hard drive that I take home with me every day? Or is online cloud backup required? If I have a local backup, why do I need the cloud?
A cloud backup is not required. The problem with a local backup is disaster recovery: if there is a major disaster such as a fire, flood or even theft, a local backup does not always protect your office. The method suggested would work as long as the data removed from the office is encrypted. If you do take data outside your office on a thumb drive or any other storage device, make sure that it is encrypted.
I back up nightly to a thumb drive which I then take home. I rotate over 2 thumb drives; the other stays locked in my office desk drawer. Safe?
Possibly. All data on the thumb drive must be encrypted. The largest number of HIPAA complaints are due to mobile devices that are lost or stolen: laptops, phones, tablets, USB drives, etc. Whether lost or stolen, these devices must be protected through encryption. Our recommendation, of course, is to keep data secure on a cloud-based platform like Brightsquid.
Some thumb drives have a "vault" which needs a password. Would this "vault" be sufficient with HIPAA compliance?
Yes. If your USB device is encrypting the data, with a specific password to extend the security, it should be okay to use with Protected Health Information (PHI). Please check with your provider for specific information regarding HIPAA compliance.
The USA has one lawyer per 264 people, which is the highest in the world. In the future, when we have one lawyer per 10 people, what will Doctors who are trying to make a living and take care of their patients be required to do at that point? What will we be paying per month to be 'In Compliance' with whatever is forced upon us then? Not that I don't appreciate the help, but it does beg the question doesn't it?
It would be a mistake to consider HIPAA a piece of legislation that exists to make lives more difficult for medical professionals. The regulations exist as an extension of doctor-patient confidentiality. If the patient is providing you with sensitive information, then it is your duty to maintain this data. We can get caught up with the laws, but it comes down to maintaining this confidentiality in the electronic and digital world. Those obligations already exist when medical professionals take their oath.
We use our patient's name when sending information to our lab. Is there a concern with sharing this information through email?
Yes. Sending the patient's name through email is a violation. Your patient's name is considered Protected Health Information (PHI). In accordance with HIPAA and PIPEDA law, you must de-identify information when sending it through email. If you share PHI through Secure-Mail™, you can include PHI in your correspondence.
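As an added illustration of the de-identification rule in this answer and of the earlier answer on sending encrypted files by ordinary email (keep PHI and the password out of the subject and body), the Python below is example code written for this page, not Brightsquid's or Secure-Mail™'s software. It replaces a patient's name and date of birth in a lab request with an opaque case token that only a registry kept inside the practice can map back, then screens the outgoing subject and body for name fragments, dates and a disclosed password before the message is allowed out. The patient, lab request and patterns are constructed for the demo, and only two identifiers are handled; a full de-identification covers every identifier HIPAA lists.

```python
import re
import secrets

# Constructed sample data for this example (no real patient).
PATIENT_NAME = "Jane Doe"
PATIENT_DOB = "04/12/1980"
LAB_REQUEST = (
    "Lab request for Jane Doe (DOB 04/12/1980): PFM crown on tooth #19, "
    "shade A2, rush case."
)


class CaseRegistry:
    """Maps opaque case tokens back to the patient's identity.

    The registry stays inside the practice (for example in the encrypted
    practice-management database); only the token ever leaves by email.
    """

    def __init__(self):
        self._cases = {}

    def new_case(self, name, dob):
        # A random token carries no information about the patient.
        token = "CASE-" + secrets.token_hex(4).upper()
        self._cases[token] = (name, dob)
        return token

    def lookup(self, token):
        return self._cases.get(token)


def deidentify(text, registry, name, dob):
    """Replace the patient's name and DOB in text with a case token.

    Returns (token, de-identified text). Only two identifiers are handled
    here; a full de-identification covers every identifier HIPAA lists.
    """
    token = registry.new_case(name, dob)
    safe = re.sub(re.escape(name), token, text, flags=re.IGNORECASE)
    # Catch a first name or surname used on its own ("Doe's crown").
    for part in name.split():
        safe = re.sub(r"\b" + re.escape(part) + r"\b", token, safe, flags=re.IGNORECASE)
    safe = safe.replace(dob, "[DOB withheld]")
    return token, safe


# Patterns that should never appear in the subject or body of ordinary email:
# dates identify a patient, and a password sent alongside an encrypted
# attachment defeats the encryption. Constructed for the demo.
OUTBOUND_PATTERNS = {
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "password_in_message": re.compile(r"\bpassword\b\s*(is|:)", re.IGNORECASE),
}


def check_outbound(subject, body, patient_names):
    """Screen an outgoing message; returns a list of (field, reason) findings.

    An empty list means nothing recognisable as PHI or a shared password was
    found in the subject or body (attachments are assumed to be encrypted).
    """
    findings = []
    for field_name, text in (("subject", subject), ("body", body)):
        for name in patient_names:
            for part in name.split():
                if re.search(r"\b" + re.escape(part) + r"\b", text, re.IGNORECASE):
                    findings.append((field_name, f"patient name fragment '{part}'"))
                    break
        for reason, pattern in OUTBOUND_PATTERNS.items():
            if pattern.search(text):
                findings.append((field_name, reason))
    return findings


if __name__ == "__main__":
    registry = CaseRegistry()
    token, safe_body = deidentify(LAB_REQUEST, registry, PATIENT_NAME, PATIENT_DOB)
    print("Outgoing body:", safe_body)
    print("Findings on raw request:",
          check_outbound("Crown for Jane Doe", LAB_REQUEST, [PATIENT_NAME]))
    print("Findings on de-identified request:",
          check_outbound("Lab case " + token, safe_body, [PATIENT_NAME]))
    print("Resolved inside the practice:", registry.lookup(token))
```

The raw request produces findings for the name and the date of birth, while the de-identified version passes with the token as the only reference to the case; the lab replies quoting the token, and the practice resolves it through the registry, which never travels in the email.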