Webinar: 5 Things You Do Every Day That Are NOT HIPAA Compliant
Every day your dental practice performs routine tasks that are in conflict with dentist-patient confidentiality rules. Finding solutions to these common tasks is not difficult, but you need to be aware of them.
Learn how to safeguard your dental practice against 5 common HIPAA violations. Join Dr. Lorne Lavine and Mr. Rohit Joshi, LL.B. as they discuss these common tasks and provide easy to implement solutions for each of them.
To learn how to get your free CE credits please call 1-800-238-6503 or submit our contact form.
Subscribe to Brightsquid Today!
Sign up to Brightsquid and start using Secure-Mail for secure messaging with specialists, dentists and labs.
There Are Common Tasks that Your Dental Office Could be Doing Every Day That Are NOT HIPAA Compliant:
Sending Sensitive Patient Information through Email
Using email to share Protected Health Information (PHI) is against the law. Even if your computer is secure, your message passes through dozens of unknown servers en route to its destination. These "middle-man" servers make up the backbone of the e-mail system, but they are not secure and therefore not compliant. Dentists have a duty to take precautions to safeguard private patient data.
Using Dropbox to Share and Store Patient Data
Using file storage sites such as Dropbox, SkyDrive and Google Drive to share and store Protected Health Information (PHI) is not HIPAA compliant. HIPAA compliance requires a number of specific safeguards and features that common file sharing sites might NOT have, including: auditability, automatic log-off, data disposal, encryption and basic privacy.
Not Backing-Up Patient Data Regularly
HIPAA laws require you to back up patient data. When backing up your data you should consider: offsite storage locations, data access, encryption and test recovery.
Not Encrypting Patient Data that is Stored and Shared
HIPAA laws require encryption of records to protect PHI from being exposed. The largest number of fines and censures related to HIPAA violations are due to lost and stolen mobile devices: cell phones, laptops, USB memory sticks, etc.
Not Restricting Access to Patient Information
HIPAA laws require you to restrict access to patient information. When restricting access to, and maintaining the security of, Protected Health Information (PHI) in your dental practice, it is important to consider:
- disposal of data (do not throw PHI in the trash)
- discussing PHI in public areas
- leaving PHI unattended in public areas
- the physical location and storage of PHI
- the location of, and access to, fax machines
- the location of, and access to, computers and monitors
- PHI on mobile devices
Is sending sensitive patient information through e-mail against Canadian law?
In Canada, there are multiple legal regimes that cover privacy. PIPEDA governs all information that is collected, whether by an airline, a bank or a dental office. In addition, many provinces have their own legislation that applies additional measures to protect health information, such as Ontario's Personal Health Information Protection Act, 2004 (PHIPA). Further, most provinces also have professional bodies, like the Royal College of Dental Surgeons of Ontario (RCDSO), which have very detailed requirements for the protection of patient information. In creating the Secure-Mail™ service, we have considered all of these regulatory bodies and have built the most stringent of their requirements into the system.
From the RCDSO's document entitled Electronic Records Management, published in March 2012, comes the following excerpt:
"The use of e-mail in our society is commonplace. It is a convenient, inexpensive and quick means of communication. However, as a general rule, e-mail is not a secure means of communication, and may be vulnerable to interception and hacking by unauthorized third parties. Accordingly, dentists should avoid using e-mail to communicate the personal health information of patients, unless they are employing a secure email service with strong encryption. The Information and Privacy Commissioner of Ontario (IPC) has advised that even if patients are willing to accept the risk of unauthorized disclosure of their personal health information in exchange for the convenience of communication via email, this does not alleviate health information custodians of their duty to take steps that are reasonable in the circumstances to safeguard personal health information in their custody and control."
What is included in Protected Health information (PHI)?
Protected Health Information (PHI) includes any information related to your patient's past, present or future health/medical records or payment history. Under HIPAA law there are 18 identifiers: patient names, geographical identifiers (smaller than a state), dates (other than year), phone numbers, fax numbers, email addresses, Social Security Numbers, medical record numbers, health insurance beneficiary numbers, account numbers, certificate or licence numbers, vehicle identifiers, device identifiers, web addresses (URLs), Internet Protocol (IP) addresses, biometric identifiers, photographs of the patient's face, as well as any other unique identifying characteristic, code or number. For more information please visit the U.S. Department of Health & Human Services: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html
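As an added illustration (this script is not part of the original webinar material and is not Brightsquid's code), the following Python checks a message for the identifiers on the list above that can be recognised by their shape: Social Security Numbers, phone and fax numbers, e-mail addresses, URLs, IP addresses, full dates and ZIP codes. It also matches patient names against a roster, because names cannot be found by pattern alone. The referral text and the roster are constructed for the example; a bare year such as 2012 is deliberately left alone, since a year on its own is not one of the 18 identifiers. Geographic names, device serial numbers and free-text characteristics are outside what a pattern check can catch, so a staff review is still required before anything leaves the practice.

```python
import re
from typing import Dict, List, Pattern, Tuple

# Patterns for the HIPAA Safe Harbor identifiers that have a recognisable
# shape. Order matters for redaction: URLs are masked before the e-mail
# pattern runs, and phone/SSN patterns run before the 5-digit ZIP pattern.
IDENTIFIER_PATTERNS: Dict[str, Pattern[str]] = {
    "url": re.compile(r"https?://\S+", re.IGNORECASE),
    "email_address": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "social_security_number": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "phone_or_fax_number": re.compile(
        r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-. ])\d{3}[-. ]\d{4}(?!\d)"
    ),
    "ip_address": re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"),
    # A full month/day/year date; a bare year such as 2012 is allowed.
    "date_other_than_year": re.compile(r"(?<!\d)\d{1,2}/\d{1,2}/\d{2,4}(?!\d)"),
    # Geographic units smaller than a state, e.g. a 5- or 9-digit ZIP code.
    "zip_code": re.compile(r"(?<!\d)\d{5}(?:-\d{4})?(?!\d)"),
}

# Constructed roster of names the practice knows about (hypothetical).
# Names cannot be detected by shape, so a real deployment would load the
# practice's own patient list here.
KNOWN_NAMES: Tuple[str, ...] = ("Jim Smith",)

# Constructed sample referral text; not real patient data.
SAMPLE_MESSAGE = (
    "Referral for Jim Smith, DOB 04/12/1985, SSN 123-45-6789.\n"
    "Call (555) 555-0100 or fax 555-555-0101; email jim.smith@example.com.\n"
    "Images uploaded from 192.0.2.10 to https://portal.example.com/case/42\n"
    "Patient lives in ZIP 90210. Last visit 2012."
)


def find_identifiers(text: str, known_names: Tuple[str, ...] = ()) -> List[Tuple[str, str]]:
    """Return (category, matched_text) pairs for every identifier found."""
    findings: List[Tuple[str, str]] = []
    for name in known_names:
        for match in re.finditer(re.escape(name), text):
            findings.append(("name", match.group(0)))
    for category, pattern in IDENTIFIER_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append((category, match.group(0)))
    return findings


def redact(text: str, known_names: Tuple[str, ...] = ()) -> str:
    """Replace each detected identifier with a bracketed category label."""
    for name in known_names:
        text = text.replace(name, "[name]")
    for category, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(f"[{category}]", text)
    return text


def safe_to_send(text: str, known_names: Tuple[str, ...] = ()) -> bool:
    """True only when no identifier was detected; a staff review still applies."""
    return not find_identifiers(text, known_names)


if __name__ == "__main__":
    for category, value in find_identifiers(SAMPLE_MESSAGE, KNOWN_NAMES):
        print(f"{category:24s} {value}")
    print("safe for ordinary e-mail:", safe_to_send(SAMPLE_MESSAGE, KNOWN_NAMES))
    print(redact(SAMPLE_MESSAGE, KNOWN_NAMES))
```

Run as a script it lists the nine identifiers in the sample, reports that the message is not safe for ordinary e-mail, and prints the redacted text with "Last visit 2012" untouched. The same check can be run over the text extracted from an image's metadata, which is where a radiograph often carries PHI that is not visible on the picture itself.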
To my understanding, this HIPAA HITECH ACT does not go into effect until Sept 2013. Please discuss.
Not quite. The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Bill Clinton in 1996; the Health Information Technology for Economic and Clinical Health Act (HITECH Act) was established in 2009 by President Barack Obama. In 2013 HIPAA was updated by what is often referred to as the Omnibus Rule, which came into effect on March 26, 2013, with a compliance date of September 23, 2013.
If a patient sends us their charting info by email including health history, have they forfeited their privacy rights?
No. Your patient can send you correspondence through email, as it is their right to share their health information with you in the way they choose. By using email to communicate with you, however, your patient does not consent to, nor forfeit, their privacy rights. Your patient can sign written consent to allow you to communicate with them through email, but they cannot consent to the use of unsecure email to communicate about their treatment between practitioners.
Please explain encryption and how it relates to paper charts and printed materials.
When dealing with paper copies of Protected Health Information (PHI), encryption does not apply, but the same principle does. In the same way that you encrypt your electronic files to protect and safeguard health information, you must take precautions within your office in the way you distribute, store and dispose of paper charts and printed materials. Dr. Lavine has a considerable amount of experience helping dental practices get HIPAA compliant; please contact him for more information and guidance on proper safeguards within your dental practice.
I'm a specialist and we regularly send patient info such as radiographs to the general dentist through Dropbox. Does this violate HIPAA?
A radiograph may have Protected Health Information (PHI) embedded on the image, or in the metadata attached to the file. Even if you cannot see the PHI on the radiograph, this does not mean that there is no PHI associated with the image. Because of that, we recommend that you always use secure transmission methods. If you are using non-secure services such as Gmail, Hotmail or Dropbox, you are not complying with HIPAA legislation. Please use this software checklist when determining whether your software or email provider is HIPAA compliant. Of course, we would strongly recommend that you use Secure-Mail™ for this type of information sharing.
Is it against HIPAA legislation to use a patient's first and last name when calling them from the lobby to the treatment area?
No. It is not against HIPAA laws to use your patient's name when calling them from the lobby or waiting room to the treatment area, as long as you do not include any further information about your patient's treatment. For example, calling for "Jim Smith" is entirely acceptable, whereas calling for "Jim Smith for the HIV test" is not.
If your software is in the cloud do you need a local back-up?
No. The cloud serves as an excellent way to back up and store Protected Health Information (PHI). When you use the cloud to store your sensitive patient data, you eliminate the risk of theft and the burden of disaster recovery for your data. Please note, however, that you must choose your cloud vendor wisely to ensure that the service you are using is backed up and is HIPAA compliant. Use this checklist to get a list of questions to ask your vendor to ensure that they are HIPAA compliant. Please follow this link to the checklist.
We have old x-ray images; we separate the films from their holders and the x-rays are destroyed by a compliant company, but the x-ray holders have the patient name and the date the x-rays were taken. Can we throw those in the trash? They are not a recyclable material.
As the x-ray holders contain Protected Health Information (PHI), including the patient's name and treatment date, we would not recommend throwing them into the trash. We would recommend either removing/destroying any PHI on the holders so that no identifiable information can be viewed, and/or breaking up the holders (i.e. shredding) so that the information is no longer identifiable, before disposing of them.
What about using WiFi? Can this be intercepted by others when using an open network?
Yes. We would recommend setting up a separate wireless network for your patients and staff to use for non-clinic purposes. This is a very simple procedure using a router in your practice. You may already have the equipment in your office to set up a 'guest' network, and if you don't have the equipment, it is quite affordable to purchase. By setting up a guest network you may also provide your patients free wireless while they are in your practice. If some of your staff are using their own equipment on the 'private clinic' network, we recommend those laptops be encrypted.
Can I get the software checklist? Is this something that I can use to see if my Email provider is HIPAA compliant?
Yes. The HIPAA Compliance Software Checklist can be used to determine if your email provider or software provider is HIPAA compliant. Please follow this link to the checklist.
If you load patient information to a web site is that HIPAA compliant?
Possibly. Whenever you are storing Protected Health Information (PHI) you need to make sure that the website is encrypted. There are additional specific guidelines that HIPAA requires; please use this checklist to make sure that your website is HIPAA compliant.
I write a column on an online magazine that has an 'Ask The Doctor' question. Are their questions an issue?
Potentially. To protect yourself, we would recommend that you take the following steps:
- Advise patients asking questions to use an 'alias' that would not identify them. In the event the questions are asked in private, when you publish your online magazine article, do not use the patient name or location. Of course, this means that if someone has sent you their images, you must obscure any Protected Health Information (PHI) from the image before publishing the article.
- In addition, you would want to be clear in the 'terms and conditions' that the information that they are providing will be used for an article, so your users must consent to the publication of that information.
Is Secure-Mail™ intended to be used for communications with parties such as attorneys?
Certainly. We designed Secure-Mail™ specifically for the dental community, creating unique features that are designed for dental professionals. When developing these tools we recognized how Secure-Mail™ would facilitate the secure exchange of information among different professions. We have a number of customers who use the 500MB attachments to send large files such as accounting records and legal files.
If someone has Gmail that has a ceiling storage capacity - would it no longer be applicable if using Secure-Mail™ since it is being used as the 'medium'? For example, cone beam technology can take up so much space.
Yes. When you use Secure-Mail™ you get unlimited storage for all of your large files, including x-rays, STL 3D images, DICOM studies and Cone Beam CT scans. These files are backed up and securely stored on the Brightsquid platform and do not get stored in or attached to your Gmail or other email account. Although notifications are still sent to your Gmail address, these messages are very small and have almost no effect on storage in your Gmail account.
If my office signs up for this software, can we customize the origin of the email address with our business?
When you use Secure-Mail™ to share your sensitive patient files you do not need to change your email address. Secure-Mail™ works with your current email, sending notifications and updates to that address. When sending Secure-Mail™ there are many ways to customize and brand your messages, including logos, clinic information and profile pictures. We would be happy to arrange a demonstration of this; please contact our office for more information.
How many e-mail addresses can be issued for each office using Secure-Mail™?
With your dentist subscription you get a package that includes accounts for one doctor and 4 support staff members. Your emails can be set up so that information sent to one account is delivered to all of them. For more information please visit the plans and pricing page.
Do both sender and recipient have to have Secure-Mail™? Does everyone you send and receive messages with Secure-Mail™ need to have an account?
Your colleague needs to have a Secure-Mail™ account to receive Secure-Mail™ messages. We do this to maintain HIPAA compliance. By having all communication pass through Secure-Mail™ it maintains a secure and auditable record of Protected Health Information (PHI). With your paid subscription you can give your colleagues free sponsored/registered accounts, so they can communicate with you at no cost.
What is the cost for additional contacts on Secure-Mail™?
There are currently over 1,500 dental professionals actively using Secure-Mail™ who you can connect with for free at any time once you join the platform. We also offer you 25 free sponsored/registered accounts that you can offer to your colleagues. If you would like additional registered accounts please contact our office for further pricing.
Can Secure-Mail™ be used from a home computer?
Yes. As a cloud-based platform, you can access your Secure-Mail™ account from anywhere at any time, including from mobile devices. Simply log into Secure-Mail™ using your favorite internet browser, compose your secure message, attach up to 500 MB and send Protected Health Information (PHI) to your colleagues.
Is there a limit on how many emails you can send a month using Secure-Mail™?
No. There are no limits on the number of messages you can send using Secure-Mail™. Your Secure-Mail™ account also includes unlimited data storage and large 500 MB attachments per message.
If a specialist that does not have Secure-Mail™ or only has a free subscription through my office – and they email info to my office, does it go through Secure-Mail™ because we subscribe or would it just go through our regular email and therefore be non-compliant with HIPAA?
If your specialist is using their free sponsored/registered account to communicate with your clinic, it would be completely HIPAA compliant through our Secure-Mail™ service. Your current email account is not affected, and any communication sent directly through your traditional email would not be HIPAA compliant. Once your specialist signs up for a free or sponsored account through your office, you would want them to continue to use the Secure-Mail™ service for any patient-specific emails.
What happens if my lab interacts with a third party service like a Milling Center? Is there any responsibility for my lab to respect these items?
The obligation for doctor-patient confidentiality and compliance starts with your dental practice and the trust that you have established between you and your patient. We recommend getting your dental lab to sign a Business Associate Agreement. When your lab signs this agreement they agree to appropriately safeguard Protected Health Information (PHI) as required by HIPAA legislation. In keeping with that, they must adhere to HIPAA laws when communicating with their milling center.
Is Secure-Mail™ for communication between doctors AND also with patients? Can you use Secure-Mail™ to email patients?
Secure-Mail™ was developed to provide a secure and convenient way to communicate sensitive patient information between dentists, specialists and dental labs. At this time we do not recommend that you use Secure-Mail™ to communicate with patients, but we are currently looking into developing dentist-patient communication.
If Secure-Mail™ does not support doctor-patient email communications at this time, what other services provide both hipaa compliance and patient communication? Any currently available doctor-patient hipaa compliant email services? What hipaa compliant doctor-patient services are currently available?
HIPAA regulations do not provide specific laws in regards to dentist-patient communication. In researching the industry we have found an opportunity to improve communication between doctors and their patients in a secure and convenient manner. We are always updating and improving our product and are excited to develop exciting new features for our customers. Please contact our office for more information.
If a new patient contacts you by email, is a response through unsecure email a violation of HIPAA?
Perhaps. It depends on whether you are including any Protected Health Information (PHI) in your response. If you are giving treatment details through email, to which the patient has not consented, then it could be considered a violation of various laws. If you are simply giving your address or hours of operation in the response, there would be no HIPAA violation.
If you need to send a single email to a dentist when a patient moves to a new city, but you have already used all 25 sponsored users, how can you send it to them?
With your dental account you can add unlimited “free” accounts. You would use these accounts for the occasional message as you have described. With the free account, their information is entirely secure, but it is only archived for 14 days. You can send messages to any colleague you would like to connect with through Secure-Mail™, if your colleague has a free, sponsored or full (paid) account. If you are connecting with your sponsor or any colleague with a full (paid) account all of your communication will be archived and stored on the system. If you would like more than 25 sponsors please contact our office.
I don't understand the difference between the 25 sponsor limit and the free email recipients?
Sponsored/registered users are people you select to invite to Brightsquid and provide them a Brightsquid account based on your membership at no cost to them. When you register a user, you are providing them with a subscription to Brightsquid, where all communication between you and your registered user is stored and archived on the system. If the person receiving the email is a free/non-registered user their communication will not be accessible after 14 days.
Is encrypted email sent and accessed through webmail that has SSL connection HIPAA compliant?
Perhaps. SSL offers encryption in transit, which is just one important safeguard of being compliant. But encrypted transmission of information alone is not enough to be compliant with HIPAA, HITECH and PIPEDA legislation: the information must also be stored on an encrypted storage device, and the system must provide additional auditing and other safeguards. Please use this HIPAA Compliance Software Checklist as a guide with your email provider.
Is your email system secure from the NSA?
Yes. Our servers are not hosted in the United States and therefore safe from the National Security Agency (NSA).
Why would I use your system over another HIPAA compliant service like Hushmail?
There are a number of reasons that set Secure-Mail™ apart from any competitors in the market. The first is the commitment Secure-Mail™ has to HIPAA compliance and email security. We would recommend sending our Software Checklist to other vendors to make sure their service is meeting industry standards for HIPAA compliance. There are a number of different software providers that state "HIPAA Compliance", but as the Office for Civil Rights (OCR) and the U.S. Department of Health & Human Services (HHS) do not endorse or certify any persons or products as "HIPAA compliant", it can be difficult to substantiate this claim. The second advantage Secure-Mail™ has is that it is developed exclusively for the dental community, with large 500MB attachment sizes and image viewers for 3D STL files, DICOM studies and more. When you purchase your Secure-Mail™ account you are also getting a package which includes 5 unique user subscriptions and 25 sponsored/registered accounts that you can provide free to any of your colleagues. For more information on the features and benefits of Secure-Mail™ please contact our office.
How does it work if we use Smile Reminders? Are appointment reminders (text and email) HIPAA compliant? If not, are they with your system?
Recall information tends to fall under a grey area with privacy laws. The guiding principle is that Protected Health Information (PHI) needs to be protected and not exposed to people who do not need access to it to provide health care. HIPAA does not provide direct rules on communication between a doctor and their patient. It should be fine to send out a recall post card, as long as you are not providing more information than is necessary. Please ensure that you have a patient's consent to communicate appointment information with them over email and text, and that you are using the correct address/number when sending messages. Because email addresses and mobile devices can be shared between different users, you must get the patient's consent before you communicate with them. Please be advised that doctors have been charged when PHI was disclosed in a phone message, so do take precautions to limit your exposure. The way Secure-Mail™ works is that you can continue to use your current recall systems when communicating appointment reminders with patients, and use Secure-Mail™ to safely send PHI to your colleagues in accordance with HIPAA law.
How do the colleague profile pictures work?
After joining the Secure-Mail™ service your colleague simply uploads a picture to their profile which will then automatically appear in any correspondence with them. As Secure-Mail™ is committed to HIPAA compliance and providing our customers with the simplified solutions to compliance, we have introduced a number of unique features to our service. We understand that we all have multiple colleagues with similar email addresses and to reduce errors like sending Protected Health Information (PHI) to the wrong contact, we have introduced profile pictures that appear when sending or receiving messages.
Can you use your current email addresses with Secure-Mail™?
Yes. Secure-Mail™ works with your current email address to send updates and notifications.
Do you offer a free trial?
Yes. We offer a limited free 90 day trial account that you can sign up for directly through our website. Please note that this is a ‘limited’ account and does not include any of the features available in a full Brightsquid account. Sign up for a free trial account.
Does the recipient of an encrypted email need to have the same email server to decrypt the message? or can any email program open the email?
Encryption and decryption work through the sharing of a secret code. If the message recipient has the code they can read the message. With some systems this is done automatically so that once the code is created, the information is automatically encrypted and decrypted. With Secure-Mail™, we have embedded the secret code in our system. Once you and your colleague join our service, you can use it without worrying about the mechanics of encryption and decryption.
What are the financial benefits of switching to Secure-Mail™?
Secure-Mail™ was specifically developed with a very low price to help dentists get HIPAA compliant in an easy and affordable manner. The price tag can be misleading when it comes to the significant benefit of the service. When you purchase a Secure-Mail™ subscription you are protecting your dental practice and managing your security risk. Recently, as part of the final rule (Omnibus Rule), the U.S. Department of Health and Human Services has increased the maximum penalty for a HIPAA violation to $1.5 Million. There was also an increase in the assessed penalty rates, including:
- Unknown offense: $100 to $50,000 per violation.
- Reasonable cause leading to penalty: $1,000 to $50,000 per violation.
- Willful neglect with a correction within 30 days of discovery: $10,000 to $50,000 per violation.
- Willful neglect that was not corrected within the required time: $50,000 to $1.6 million per violation.
Secure-Mail™ was also developed to replace a set of services you would otherwise buy separately: unsecure email, unsecure file storage services, data encryption and data backup. The costs of these services bought separately can easily be double or triple the cost of Secure-Mail™.