Webinar: Missed the Omnibus? - Your Practical Guide to the New HIPAA Rules

As of September 23, 2013, your dental practice is expected to be in compliance with the HIPAA Omnibus Rules. These changes affect the way you run your business. During the webinar Dr. Lavine and Rohit Joshi LL.B. will discuss how to protect your practice and maintain compliance.

During the webinar you will receive a guide with the steps your practice can take to meet the new HIPAA Omnibus Rules:

  • HIPAA Checklist
  • Cloud Software Checklist
  • Notice of Privacy Practices
  • What to Tell Your Patients About the Privacy of Their Records

To learn how to get your free CE credits please call 1-800-238-6503 or submit our contact form.


  1. HIPAA Overview
    • HIPAA - Health Insurance Portability and Accountability Act (1996), USA
    • HITECH - Health Information Technology for Economic and Clinical Health Act (2009) and the HITECH encryption safe harbor for breach notification, USA
    • PIPEDA - Personal Information Protection and Electronic Documents Act, Canada
    • Additionally there is significant provincial/state legislation, and professional dental bodies have established very specific guidelines for the handling of patient information.
    • PHI - Protected Health Information. The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
  2. Omnibus Changes - there are three areas that doctors will need to focus on to comply with the new rules:
    • Privacy, Security, and Breach Notification policies and procedures (and in some cases, new workflows and forms)
    • Notice of Privacy Practices (NPP)
    • Business Associate (BA) Agreements
  3. Plan Your First HIPAA Meeting within Your Dental Practice - Omnibus Guide:
    • HIPAA Compliance Checklist - for inside your practice
    • HIPAA Software Checklist - to send to vendors
    • Webinar Series
    • Patient Privacy Brochure
    • Notice of Privacy Practices
    • Business Associate Agreement
    • Use this link to get your HIPAA Omnibus Guide
  4. HIPAA Compliant Solutions - using Secure-Mail™ in your practice to safeguard the exchange of Protected Health Information (PHI).

Secure-Mail™

  1. Do you have a recommendation for an "encrypted email" solution for office to office communications?

    Yes. We recommend Brightsquid Secure-Mail™. Brightsquid goes beyond encrypting messages in transit: PHI stays on a platform designed for dental professionals and built to meet the HIPAA Privacy and Security Rule requirements (note that HHS does not certify any product as "HIPAA compliant"; see question 13 below). For $39.99/month you receive:

    • 5 internal accounts (1 doctor + 4 support staff).
    • Secure-Mail™ messaging to protect your practice and maintain confidentiality of health records.
    • Unlimited data storage available from anywhere and at any time.
    • 500 MB Attachments to all Secure-Mail™ messages.
    • "My 25" external accounts for your colleagues.
    • Image Studio, where you can view, annotate and manipulate files such as STL (3D) models, JPEG and PNG images, and DICOM studies.
  2. How much data can I send/store using Secure-Mail™ from Brightsquid?

    Brightsquid Secure-Mail™ is unusual in the amount of information you can send and store. Each Secure-Mail™ message can carry up to 500 MB of attachments. Traditional email typically limits you to 5 to 10 MB per message, so Secure-Mail™ carries at least 50 times as much in a single message: all of your high resolution photos, or even a full CBCT scan, in one send.

  3. If we use Secure-Mail™, and the person we send the e-mail to isn't secure, we would not be compliant, right?

    No, you remain compliant. When you use Secure-Mail™ from Brightsquid, all Protected Health Information (PHI) stays on the Brightsquid platform; the notification that goes to the recipient's regular email address carries only a link, not the PHI itself. When you address a Secure-Mail™ message to a colleague for the first time, they receive that notification at their regular email address. The first time your colleague follows the link they provide some practice details and set a password, so the PHI is released only to an authenticated recipient rather than to an unprotected inbox. After that, they simply sign in through the link to access the secure PHI. For more information, or to see a quick demo of how this works, please contact our office.

  4. Does the person receiving the email have to be enrolled with Secure-Mail™ to see the photos you are sending them?

    Yes. Your colleague will need to join the network, and this can be done in a number of different ways. We do this to maintain HIPAA compliance.

    • My 25 - With your Dentist subscription to Brightsquid you get the "My 25" package. This allows the account holder to choose up to 25 colleagues that they regularly communicate with on confidential matters. When you register a colleague, you are providing them with a subscription to Brightsquid, and all communication between you and that colleague is stored and archived on the system. Typically 25 colleagues are more than enough for a dental practice: in a typical scenario we see a practice communicate with at most 5 labs and 5 to 10 specialists, which still leaves 10 or more slots in "My 25".
    • Free Accounts - if you are just sending the occasional email, your colleague can sign up for a free account on Brightsquid. With this free account communication is not stored on the system and will not be accessible after 14 days.
    • Your colleague can purchase their own account. This is the most common situation, as most dental professionals prefer their own account. With the low cost to get started with Secure-Mail™ we find this option very popular.
  5. Do you have to have an account for each staff member?

    With your Dentist subscription you get 5 accounts (1 doctor and 4 support staff) for your practice. We find that 5 internal accounts meet the needs of most dental practices, but if you need more than 5 accounts, or if there is more than one doctor working in your clinic, please contact our office.

  6. Do both parties have to pay for this service?

    No. You can use "My 25" colleagues to provide accounts to your colleagues at no cost to them. "My 25" is included in your Dentist subscription to Brightsquid Secure-Mail™ and there is no additional cost for the service. If you need more than 25 colleague accounts please contact our office and we will design a subscription that meets your need and your budget.

  7. So if my oral surgeon has an account, and he communicates with me do I need to pay for a subscription?

    No. If your oral surgeon has an account they can offer you a free account to communicate with their practice; this is part of the Specialist subscription to Brightsquid. If you would like to communicate with other dental practices, labs or specialists on Brightsquid, you may purchase your own subscription to maintain HIPAA compliant communication with those other dental professionals.

  8. Can you send a Secure-Mail™ message to someone's regular email address? Can the existing practice email address be used with your Secure-Mail™ program?

    Yes. Simply enter your colleague's regular email address into the Secure-Mail™ address bar and click "Send". Your colleague receives a notification at that address with a link to the message on the Brightsquid platform; the PHI itself is never delivered to the regular email address (see question 3 above).

  9. How many accounts do I get with the Dentist Subscription for $39.99?

    With your Dentist Subscription you get 5 accounts (1 doctor and 4 support staff) for only $39.99/month. We find that 5 internal accounts meet the needs of most dental practices, but if you need more than 5 accounts or if there is more than one doctor working in your clinic, please contact our office.

  10. What if recipient of an e-mail does not have a Secure-Mail™ account? Does the email recipient have to have a Secure-Mail™ account, or have pre-registered, in order to receive the email securely? Do both parties have to be registered with Secure-Mail™ to use it?

    Yes and no. Your recipient will sign up for their own Secure-Mail™ account, but they do not have to pre-register before you send. For more information please see question 4. To send a Secure-Mail™ message to a colleague who does NOT yet have a Secure-Mail™ account, simply enter your colleague's regular email address and click "Send". Your colleague then receives a link in their regular email to the secure information protected on the Brightsquid platform. To maintain HIPAA compliance it is important that your colleague sign up for their own Secure-Mail™ account.

  11. How many employees can use the Secure-Mail™ within the practice? Can I have Secure-Mail™ for each of my staff or do I have to buy a subscription for every person?

    With your Dentist subscription package for only $39.99 you will receive 5 internal accounts (1 doctor and 4 support staff). If you need more than 5 accounts or if there is more than one doctor working in your clinic, please contact our office.

  12. Are your employees considered to be part of the 25? Do I have to buy Secure-Mail™ for each of my staff?

    No. With your Dentist subscription package you receive 5 internal accounts (1 doctor and 4 support staff) in addition to the "My 25" colleagues (external accounts).

  13. How does Secure-Mail™ compare to Email Pros?

    The Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services (HHS) does not endorse or certify any person or product as "HIPAA compliant", so no vendor can truthfully claim a government certification. We recommend sending Email Pros our HIPAA Compliance Software Checklist and comparing their answers with those from Brightsquid.

  14. Is there a contract for Secure-Mail™ that is month to month?

    Yes. You can purchase Secure-Mail™ with a month to month subscription for only $39.99/month. This is a very popular way to purchase Secure-Mail™; to get started with your subscription today please visit the Plans and Pricing page.

  15. Can you change out the 25 mail recipients? If one of the invitees moves away, can I drop them and change it to another?

    Yes. You can change your "My 25" colleagues whenever you would like. Please contact our office for more information.

  16. How does the pricing work when a patient wants their records/x-rays sent to another dentist who is not one of our "named" receivers?

    We would recommend that the recipient of the message uses a "Free" account to do this, as opposed to the "My 25" accounts. When you send information to a user with a free account it does not count towards your 25 colleagues. The only difference when communicating with a free account is that communication will not be stored or accessible after 14 days. We find that 14 days is enough time to send a patient's records to another dental office. Also if you want to follow up on the transfer, you can always send them another message. If you would like more information on this example please contact our office.

  17. I'm an Endodontist, and have more than 25 referrals that I communicate with. What about additional offices?

    As a dental specialist we understand your need for more than 25 colleagues. We have designed a special Brightsquid account for specialists with an unlimited number of colleagues (sponsored accounts); please contact our office for more information.

  18. I am a specialty office (Orthodontics) & we have 400 local dentists that we could potentially send a letter or images to. What is the cost if we send to hundreds of doctors vs. the 25 you mentioned? If I'm a specialist can I get more than 25 colleagues?

    We have a subscription package designed for dental specialists like yourself. With this subscription you will receive an unlimited number of accounts to offer to your colleagues. Please contact our office for more information on the features available with this subscription.

  19. If the office you are communicating with already has Secure-Mail™, does it still count against the 25 limit?

    No. When your colleague has already purchased their own account on Brightsquid, they do not count towards your "My 25" colleagues. Currently there are thousands of users on Brightsquid using Secure-Mail™ every day to share Protected Health Information (PHI).

  20. How can you get your referrals to be compliant? There are some referrals that just started using email.

    To help your referring dentist become HIPAA compliant we would recommend providing them with free accounts sponsored by your practice. With your specialist subscription you will receive an unlimited number of sponsored accounts that you can offer to your dentists. This is a great way to differentiate your practice and provide your referring dentist with a higher level of service. For more information on this and other features available to dental specialists, please contact our office.

Breach Notifications

  1. What are possible breaches aside from loss of a notebook/laptop or flash drive or back up drive? What are some examples of a breach? Please send me the details of the Breach Notifications.

    The U.S. Department of Health & Human Services defined a breach under the 2009 interim rule as follows: "A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the Protected Health Information (PHI) such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual." The Omnibus Final Rule replaced that "significant risk of harm" test: an impermissible use or disclosure of unsecured PHI is now presumed to be a breach unless you can demonstrate a low probability that the PHI has been compromised, based on a documented risk assessment covering at least (1) the nature and extent of the PHI involved, (2) the unauthorized person who used the PHI or to whom it was disclosed, (3) whether the PHI was actually acquired or viewed, and (4) the extent to which the risk has been mitigated. In practice that means you should document your assessment for every incident, not only the ones you decide to report.

    The most common breach is a lost or stolen mobile device, but many other situations count. Other common breach types reported to HHS include unauthorized access to or disclosure of paper and electronic records, hacking and other IT incidents, and improper disposal of records or equipment. For the public list of breaches affecting 500 or more individuals, please visit the U.S. Department of Health and Human Services breach portal.

  2. How does one correct the loss of a computer or back up drive that was lost?

    First, determine whether the PHI on the device was "unsecured". Under the HITECH safe harbor, PHI that was encrypted in accordance with HHS guidance (or destroyed) is not unsecured PHI, and its loss does not trigger the notification obligations; this is why full disk encryption of laptops and backup drives is worth more than any policy document. If the PHI was unsecured, HIPAA requires notice to the affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery. The Breach Notification Rule specifies: individual notice; media notice when the breach affects more than 500 residents of a state or jurisdiction; notice to the Secretary of HHS (at the same time as the individual notice for breaches of 500 or more, otherwise in an annual log); and, when the breach happens at a business associate, notice from the business associate to your practice. Keep a record of your risk assessment and of each notice sent. For more information please visit the U.S. Department of Health and Human Services website on the Breach Notification Rule.

Business Associate Agreement

  1. Can you fax the Business Associates Agreement?

    Yes. Be sure to safeguard information when using fax machines: confirm the destination number before you send, and locate fax machines in a secure environment where only authorized individuals can see incoming faxes. We have included a copy of a Business Associate Agreement in the HIPAA Omnibus Guide.

  2. Would someone who worked at the front desk as a temp need to sign a BA agreement?

    Usually no. HIPAA defines your "workforce" as employees, volunteers, trainees and other persons whose conduct, in the performance of work for your practice, is under your direct control, whether or not you pay them. A front desk temp working on site under your supervision falls within that definition, so treat them as workforce: give them HIPAA training before they touch Protected Health Information (PHI), grant only the access their role needs, and remove that access when the assignment ends. A Business Associate Agreement with the staffing agency is needed only if the agency itself creates, receives, maintains or transmits PHI on your behalf, for example if it handles your billing rather than just placing a worker at your desk. If the temporary worker is independent, the same applies: they are part of your workforce while working under your direct control, so train them and document it. For a copy of a Business Associate Agreement please visit the HIPAA Omnibus Guide page.

  3. We are looking into a phone service that is cloud based. Does that have to be HIPAA compliant? Would we need a BA agreement?

    It depends on what the phone service does with your information. HIPAA treats a carrier that only transmits calls in real time as a "conduit", like the telephone company, and no Business Associate Agreement is needed for that. A cloud phone service that stores voicemail, call recordings or text messages on your behalf, or that you use to text Protected Health Information (PHI), maintains PHI for you and is a Business Associate under the Omnibus rules even if its staff never listen to or read it; in that case sign a Business Associate Agreement with the vendor. If the service never receives or stores PHI, no agreement is needed. For a copy of a Business Associate Agreement please visit the HIPAA Omnibus Guide page.

  4. If we get a hygiene sub from a dental agency, then we need the agency to sign the BA agreement or have the sub hygienist herself sign the agreement?

    Neither, in most cases. A substitute hygienist who treats your patients in your office under your direction is a member of your workforce under HIPAA's definition, whether you or the agency pays her, so she needs HIPAA training and a confidentiality acknowledgement rather than a Business Associate Agreement. The agency itself is a Business Associate only if it creates, receives, maintains or transmits Protected Health Information (PHI) on your behalf, for example if it processes patient records or billing for you; a placement agency that only supplies the person does not. If you are unsure what the agency handles, ask them and document the answer.

  5. Does an intern require a business associate agreement?

    It depends on the intern's role, but usually not a Business Associate Agreement. HIPAA's definition of workforce explicitly includes trainees and others working under your direct control, so an intern who has access to Protected Health Information (PHI) should be trained on your HIPAA policies before that access is granted, sign a confidentiality acknowledgement, and be given only the access their duties require. A Business Associate Agreement is the instrument for outside organizations that handle PHI on your behalf, not for people you supervise. For an example of a Business Associate Agreement please visit our HIPAA Omnibus Guide page.

  6. Can I have an example of a Business Associates Agreement?

    Yes. For a copy of a Business Associate Agreement that you can use in your dental practice please visit the HIPAA Omnibus Guide page.

  7. Do you have to have business associate agreements with other dental offices?

    No. Typically you are sharing information with another Covered Entity for the treatment of a shared patient, and HIPAA permits disclosures for treatment without a Business Associate Agreement or patient authorization. Send what the treating provider needs, over a secure channel.

  8. Could a temporary hygienist who temps with the same dentist off and on sign a BA with a beginning and ending date, such as January 1, 2013 through December 31, 2013?

    A temporary hygienist working in your office under your direction is a member of your workforce under HIPAA, so the right document is a confidentiality and HIPAA acknowledgement with a term, not a Business Associate Agreement. A term such as January 1, 2013 through December 31, 2013 is fine and covers each return visit within that period; keep a record that she completed your HIPAA training before the first assignment. If a staffing agency handles Protected Health Information (PHI) for you (for example billing), that agency would sign a Business Associate Agreement, which also normally carries a term date. For a copy of a Business Associate Agreement please visit our HIPAA Omnibus Guide page.

  9. If you have individuals who are "job shadowing", does the individual need to sign BA?

    Not a Business Associate Agreement. Someone who job shadows in your office is observing under your direct control, which HIPAA treats as workforce. If the individual will see Protected Health Information (PHI), give them a HIPAA orientation first, have them sign a confidentiality acknowledgement, and limit what they see to what the shadowing requires; it is also good practice to tell patients an observer is present and give them the chance to object.

  10. Is a clearing house considered to be a Business Associate? Is my insurance clearinghouse a BA?

    Often, yes. A health care clearinghouse is itself a Covered Entity under HIPAA, but HHS also lists as an example of a Business Associate a clearinghouse that translates a provider's claims from a non-standard format into standard transactions and forwards them to payers, which is exactly what your e-claims clearinghouse does for you. A Covered Entity can be a Business Associate of another Covered Entity, so ask your clearinghouse for a Business Associate Agreement.

  11. Is an IT services firm considered a BA?

    It depends on the relationship with the IT services firm. If the firm has access to Protected Health Information (PHI), for example remote access to your practice management software or servers, then yes, you need a signed Business Associate Agreement with the firm. Under the Omnibus rules a vendor that stores or hosts your electronic PHI (cloud backup, hosted practice management, offsite servers) is a Business Associate even if it claims never to look at the data. For a copy of a Business Associate Agreement please visit the HIPAA Omnibus Guide page.

  12. Do you have a sample BA agreement?

    Yes. Please visit our HIPAA Omnibus Guide page for a copy of a Business Associate Agreement.

  13. Is a supply company sales representative required to sign BA agreement?

    It depends on the relationship with the sales representative. If the sales representative has access to Protected Health Information (PHI), for example because they consult on a patient's treatment or the tools involved, then yes, they would need to sign a Business Associate Agreement. In the standard relationship with a sales representative, with no access to PHI, you do not need a signed Business Associate Agreement with them.

  14. My Invisalign representative reviews my patient cases from outside my office and makes comments to me through emails; would they need to sign a Business Associate Agreement?

    Yes. If your Invisalign representative has access to Protected Health Information (PHI), such as reviewing patient cases, which is very common with an Invisalign representative, you need a signed Business Associate Agreement with them, and the case information should travel over a secure channel rather than ordinary email.

  15. How do we know if our clearinghouse, where we send our e-claims, is compliant with the 2013 HIPAA rules? Is there a specific certification?

    We recommend contacting your clearinghouse and asking what they have done to comply (and asking them to sign a Business Associate Agreement; see question 10). There is no certification recognized by the U.S. Department of Health and Human Services (HHS). In HHS's words: "It is important to note that HHS does not endorse or otherwise recognize private organizations' "certifications" regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a "certification" by an external organization does not preclude HHS from subsequently finding a security violation." Our HIPAA Compliance Software Checklist gives you specific questions to ask instead.

Notice of Privacy Practices

  1. Should patients be given a new Notice of Privacy Practices, even though one was signed before the Omnibus?

    Yes. The Notice of Privacy Practices (NPP) must be amended for the Omnibus Rules as discussed during the webinar. Doctors will have to post the updated NPP in the office, and make copies available to all new patients and to anyone who requests a copy. It is also recommended that you post the updated NPP on your website if you maintain one. For a template of a current NPP from the U.S. Department of Health and Human Services please visit our HIPAA Omnibus Guide page.

  2. The link to the web site www.hhs.gov/hipaa does not seem to be working; it is stating page not found. What is the correct address for this information?

    The correct address for information on the Notice of Privacy Practices from the U.S. Department of Health and Human Services is: http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html.

  3. Where can I find the NPP to post in my office?

    We are including a copy of a Notice of Privacy Practices as part of the Omnibus guide. This guide was created by the US Department of Health and Human Services. For a copy of this guide, please visit the HIPAA Omnibus Guide page.

Faxing

  1. Where does "faxing" fall within any of these guidelines?

    For fax machines it all depends on how they are used. Fax machines need to be located in a secure environment where only authorized individuals can see incoming faxes, and the sender should confirm the destination number before transmitting. Remember also that modern fax machines and multifunction copiers keep images on internal storage. On August 14, 2013 the U.S. Department of Health and Human Services (HHS) settled a photocopier breach case with Affinity Health Plan for $1,215,780 after the plan returned leased copiers without erasing the hard drives. According to the HHS announcement, "This settlement illustrates an important reminder about equipment designed to retain electronic information: Make sure that all personal information is wiped from hardware before it's recycled, thrown away or sent back to a leasing agent," said OCR Director Leon Rodriguez. "HIPAA covered entities are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals' data, and have appropriate safeguards in place to protect this information." For more information on this case please visit the HHS website.

Appointment Reminders

  1. Can we mail out recall postcards? What if we use a confirmation system that sends emails and texts, is this an issue?

    Recall communications are a grey area with privacy laws. The guiding principle is that Protected Health Information (PHI) must not be exposed to people who do not need it to provide care. A recall postcard is fine as long as it carries no more than necessary: the patient's name and address, your practice name and a request to call for an appointment, not the treatment that is due. For email and text reminders, confirm that the patient is willing to receive appointment information that way and that you are using the correct address or number; email accounts and mobile phones are often shared, and under HIPAA patients also have the right to ask that you contact them by an alternative means or at an alternative location, which you must accommodate when reasonable. Please be advised that doctors have been charged when PHI was disclosed on a phone message, so limit what each message contains. Secure-Mail™ does not replace your recall system: you can continue to use it for appointment reminders to patients and use Secure-Mail™ to send PHI to your colleagues in accordance with HIPAA law. We also recommend that your recall vendor sign a Business Associate Agreement and complete the HIPAA Compliance Software Checklist, since it holds patient names and contact details on your behalf. You can access both documents on the HIPAA Omnibus Guide page.

  2. What about comments that patients post via email through systems like Smile Reminder? Is it okay for us to post these on our website? Smile Reminder said it is okay but I am nervous.

    Get the patient's written authorization before posting. A testimonial on your website identifies the person as your patient, which is Protected Health Information (PHI), and HIPAA requires a signed authorization for that kind of disclosure regardless of what the vendor's terms say. Most patients are happy to sign, and are often flattered by the request.

  3. Does marketing include appointment reminders?

    The marketing provisions of the Omnibus rules, as discussed in the webinar, do not treat appointment reminders as marketing; HHS regards them as part of treatment. The only Omnibus change on this point is that the Notice of Privacy Practices (NPP) no longer has to include a statement that the practice will provide appointment reminders. The precautions for reminders are the same as for recall postcards in question 1 above: include no more Protected Health Information (PHI) than necessary, confirm the patient's preferred contact method and correct address or number, and have your recall vendor sign a Business Associate Agreement and complete the HIPAA Compliance Software Checklist (both on the HIPAA Omnibus Guide page).

  4. Patients can request an appointment through our website - it comes through email to our office, is that a problem?

    It depends on what the form collects. If the request contains Protected Health Information (PHI), for example the reason for the visit, then it is PHI from the moment it leaves the patient's browser, and the web host that receives the form and the email provider that delivers it to your office both handle PHI on your behalf. You need to ensure the systems you use comply with HIPAA requirements: keep the form to the minimum needed to book (name, contact details, preferred time), serve it over HTTPS, and send the HIPAA Compliance Software Checklist to your website and email providers and have them sign a Business Associate Agreement. You can access both documents on the HIPAA Omnibus Guide page.

  5. What about texting? What if we use a confirmation system that sends emails and texts. Is this an issue? Is text messaging a breach?

    Text messaging can result in a breach of Protected Health Information (PHI): standard SMS is not encrypted end to end, it is stored by the carriers and on the handset, and a phone may be shared or lost. Use caution whenever texting anything about a patient. Appointment confirmations by text are a grey area, and the same precautions as for recall postcards in question 1 above apply: send only the date and time and your practice name, not the procedure; confirm that the patient wants texts at that number and that the number is current; and remember that patients can ask to be contacted by another means. Please be advised that doctors have been charged when PHI was disclosed on a phone message, so limit what each message contains. Continue using your recall system for reminders to patients and Secure-Mail™ for sending PHI to colleagues, and have your recall vendor sign a Business Associate Agreement and complete the HIPAA Compliance Software Checklist (both on the HIPAA Omnibus Guide page).

  6. Do you have to have permission from the patient to market through email?

    Yes, when the communication is "marketing" as HIPAA defines it. The Omnibus rules tightened this: any communication about a product or service for which your practice receives financial remuneration from a third party (for example a manufacturer paying you to promote its whitening product) is marketing and requires the patient's written authorization, and that authorization must state that remuneration is involved. Communications about your own services are not marketing under HIPAA, but you are still using patient contact details from your records, so get patients' consent to receive promotional email from your practice, honour opt-outs, and never include Protected Health Information (PHI) such as treatment details in an unencrypted email. Please be advised that doctors have been charged when PHI was disclosed on a phone message, so take precautions to limit your exposure. We also recommend that your email vendor sign a Business Associate Agreement and complete the HIPAA Compliance Software Checklist. You can access both documents on the HIPAA Omnibus Guide page.

  7. What if the patient writes on their own postcard things like "bring in your night guard"?

    We are unsure of the exact scenario, but if a patient writes on a postcard and sends it in the mail, it is their right as the information belongs to them.

  8. So, no appointment reminders to patients who have provided email addresses, because theirs is not encrypted?

    Not exactly. Appointment reminders by email are permitted; the issue is what the message contains. The same precautions as for recall postcards in question 1 above apply: include no more Protected Health Information (PHI) than necessary (date, time and practice name, not the procedure), confirm the patient is willing to receive reminders at that address and that the address is correct, and remember that patients may ask you to use another means of contact. Please be advised that doctors have been charged when PHI was disclosed on a phone message, so limit what each message contains. Your recall system can continue to send the reminders; use Secure-Mail™ for sending PHI to colleagues, and have your recall vendor sign a Business Associate Agreement and complete the HIPAA Compliance Software Checklist (both on the HIPAA Omnibus Guide page).

  9. What about before and after pictures on our website?

    Get the patient's written HIPAA authorization before posting them. Photographs of a patient's face or smile are identifiable health information, and using them on your website is a disclosure for which HIPAA requires a signed authorization. Most patients are happy to sign, and are often flattered by the request.

  10. Please send information regarding the marketing communication and omnibus rule changes.

    For more information on the Omnibus rules on marketing communications please visit the U.S. Department of Health and Human Services website.

Other

  1. I didn't hear much about this from the ADA?

    The American Dental Association does have their own HIPAA Omnibus kit available for dentists for download at $300 for members. For more information please visit their website.

  2. How many single dentist offices have been fined for HIPAA violations in the US?

    For a list of recent HIPAA fines please visit the HIPAA/PIPEDA Enforcement page. A number of dental practices have also experienced a breach involving more than 500 individuals; for the list of breaches affecting 500 or more individuals please visit the U.S. Department of Health and Human Services breach portal.

  3. Under the new HIPAA Omnibus rules, is it mandatory to send emails encrypted or just recommended?

    The HIPAA Omnibus rules do allow doctors to email patients in an unencrypted manner, as long as the patient signs a consent form and understands the risks involved when emailing Protected Health Information (PHI). It is recommended that emails containing PHI are encrypted to eliminate the risk of a breach and the subsequent harm to the patient's privacy, fines and reputational damage. When communicating with other dental professionals, we would recommend using Brightsquid Secure-Mail™. Secure-Mail™ offers dental practices a secure exchange of PHI in a HIPAA compliant environment. For more information on the features and pricing available for your dental practice please visit the Brightsquid for Dental Clinics page.

  4. Phone calls leaving messages to remind the patient can be left, as long as treatment is not described. Or, is that no, because you would be indicating the patient's name on the message machine? For dental maintenance or hygiene appointments?

    Leaving messages about patient procedures should be done with caution. Please be advised that doctors have been charged when PHI was disclosed in a phone message, so do take precautions to limit your exposure. For more information on leaving phone messages please visit the US Department of Health and Human Services.

  5. Does our release for records form need to state the advised risk and form of transmission?

    Yes. HIPAA makes it clear that before you can use unencrypted email to communicate patient information you must advise your patients of the risks involved with unencrypted email. We would only recommend this for communicating with patients. To communicate with colleagues, we recommend using a HIPAA compliant system, such as Secure-Mail™.

  6. Can we receive a copy of the webinar slides?

    If you would like a copy of the slides please contact our office and we will be happy to send them to you.

  7. What about communication with insurance companies?

    There are specific guidelines around insurance providers. For more information on sharing patient information with insurance companies, please visit the US Department of Health and Human Services.

  8. How do I know if my e-mail service provides encryption?

    Most email providers do not provide encryption. We would recommend sending your email vendor a copy of the HIPAA Compliance Software Checklist and getting them to sign a Business Associates Agreement. Encryption alone is not enough to be considered HIPAA compliant; be sure that your provider also offers auditability, automatic log off and unique user access. Secure-Mail™ offers dental practices a secure exchange of Protected Health Information (PHI) in a HIPAA compliant environment. For more information on the features and pricing available for your dental practice, please visit Brightsquid for Dental Clinics.

  9. How do I get the HIPAA Omnibus guide?

    To get a copy of the Omnibus Guide and download the materials available please visit the HIPAA Omnibus Guide page.

  10. Do you have a list of recent fines?

    Yes. For more information please visit our page HIPAA and PIPEDA Enforcement.

  11. What is the HIPAA Omnibus compliance date again?

    The HIPAA omnibus final rules went into effect March 26, 2013 with compliance required by September 23, 2013.

  12. Can an IT person make Outlook encrypted?

    It might be possible for your IT person to encrypt Outlook; be sure that they are encrypting information both at rest (as it is stored) and in transit. That being said, encryption alone is not enough to be HIPAA compliant. There are a number of different criteria that HIPAA looks for, including encryption, auditability, unique user access and more; please visit our HIPAA Compliance Software Checklist.

  13. I transmit no PHI by any electronic means - only by First Class US mail. Up to now, I am not deemed to be a covered entity. Has that changed?

    According to the US Department of Health and Human Services, covered entities include "health care providers who transmit any health information electronically in connection with certain transactions, health plans, or health care clearinghouses". The definition of a covered entity has not changed with the recent HIPAA Omnibus rules. Most health care providers are considered Covered Entities, as "electronic exchange" includes: health care claims or equivalent encounter information, health care payment and remittance advice, coordination of benefits, health care claim status, enrollment or disenrollment in a health plan, eligibility for a health plan, health plan premium payments, and referral certification and authorization. If your practice does not exchange any of this type of information electronically, then no, you would not be considered a Covered Entity.

  14. I missed the first 10 minutes, could I have that info sent to me?

    Yes. We are happy to provide a recording of the webinar, the entire HIPAA Omnibus guide and answers to all the attendee questions to any interested parties. To view the webinar please enter your email address above and click "View Now". Please contact our office if you have any questions.

  15. What is included in Protected Health information (PHI)?

    Protected Health Information (PHI) includes any information related to your patient's past, present or future health/medical records or payment history. Under HIPAA law there are 18 identifiers: patient names, geographical identifiers (smaller than a state), dates (other than year), phone numbers, fax numbers, email addresses, Social Security Numbers, medical record numbers, health insurance beneficiary numbers, account numbers, certificate or licence numbers, vehicle identifiers, device identifiers, web addresses (URLs), internet protocol (IP) addresses, biometric identifiers, photographs of the patient's face, as well as any other unique identifying characteristic, code or number. For more information please visit the U.S. Department of Health & Human Services.

  16. When a patient calls in to schedule an appointment, what identifying info can I request without violating HIPAA?

    During an in-person meeting or a phone conversation it is okay to discuss Protected Health Information (PHI), such as a patient's name, age, demographic or treatment information. Do take precautions not to share this information with people who should not have access to it, for example in a waiting room or other public area.

  17. I want to make sure that it is OK to send PHI to a patient through email, if the patient signs the waiver?

    If your patient signs a consent form that advises them of the risks associated with using email and states that they would like Protected Health Information (PHI) sent to them through email, then you can follow their request and email PHI to them.

  18. How do the new rules protect patient information? For example, now we cannot discuss appointments or anything about patients with spouses. What if we send an email to a wife and the husband has access to the email? How is this affected, how are we protected, and what do we do?

    It is important to have your patient sign a consent form. In this form the patient can provide their preferred method of contact. If they have provided consent to use an email address that is shared with their spouse, then it is fine to use. Please be sure that your consent form includes the risks involved with unencrypted email and that your patient is aware of the risk before emailing them Protected Health Information (PHI).

  19. Do you have an offer for Educational Institutions?

    Yes. Please contact our office for more information on Brightsquid for Educational Institutions.

  20. Where can I get a copy of the HIPAA Omnibus Guide?

    To get a copy of the Omnibus Guide and download the materials available please visit the HIPAA Omnibus Guide page.

  21. Are there random HIPAA inspections of offices occurring?

    There are random HIPAA audits of medical and dental practices, but the majority of HIPAA investigations are started by an upset patient. All it takes is for one patient to complain to start an investigation into your practice. If a breach of Protected Health Information (PHI) occurs, it will also be very damaging for your dental practice and to the privacy of your patients' records. It is important to safeguard PHI to protect your patients and your practice in today's digital age. In addition, most PHI breaches relate to loss or theft of data.

  22. How do you know if a provider's email is encrypted or not?

    We would recommend contacting your provider. You can send them a copy of the HIPAA Compliance Software Checklist and be sure to get them to sign a Business Associates Agreement with your practice. You can access both of these documents on the HIPAA Omnibus Guide page.

  23. Does my practice need to have a written log of possible HIPAA discrepancies & our solutions?

    Yes. You need to keep a written log. One of the most common HIPAA concerns is complacency and lack of care. As HIPAA has a number of different requirements and recommendations, keeping a list of possible discrepancies and their solutions is an excellent resource.

  24. Do I understand correctly that all attendees will receive the HIPAA Forms and checklist that you discussed?

    Yes. We will provide a full HIPAA Omnibus guide including: HIPAA Compliance, HIPAA Software Checklist, Webinar Series, Patient Privacy Brochure, Notice of Privacy Practices and Business Associate Agreement. For a copy of this free guide please visit the HIPAA Omnibus Guide page.

  25. When sending the e-PHI that the patient requested, how do you send it? Via encrypted email or just regular email?

    It will depend on how the patient has requested the information. The patient has the right to request the information through unencrypted email, if they are aware of the risk and have signed a consent form requesting the information through regular email.
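    The consent rule above (and in questions 3 and 17) together with the identifier list in question 15 can be turned into a simple outbound check for a front desk mail workflow. The following is an added example, not part of the webinar or of Brightsquid's software; the patterns, the `Consent` record and the sample message are constructed here and only cover the identifiers that have a recognisable shape (names and free-text descriptions still need a human review).

```python
import re
from dataclasses import dataclass

# Regular expressions for a subset of the 18 Safe Harbor identifiers listed in
# question 15. Constructed for illustration; they are deliberately simple and
# cannot detect identifiers without a fixed shape (names, places, biometrics).
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\d{3}\)?[-. ]?\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),   # dates other than year
    "mrn": re.compile(r"\bMRN[:#\s]*\d+\b", re.IGNORECASE),  # medical record number
}


def find_identifiers(text):
    """Return the sorted names of identifier categories found in text."""
    return sorted(name for name, pat in IDENTIFIER_PATTERNS.items() if pat.search(text))


@dataclass(frozen=True)
class Consent:
    """A patient's written consent to receive PHI by regular email."""
    email: str                # the exact address the patient authorised
    risks_acknowledged: bool  # unencrypted-email risks explained and accepted


def sending_decision(recipient, body, consents):
    """Decide whether a message may leave by regular email.

    'send-plain': no PHI identifiers found, or the recipient address matches a
                  consent on file that acknowledges the risks.
    'encrypt':    PHI identifiers are present and no valid consent covers this
                  exact address, so a secure channel must be used instead.
    """
    if not find_identifiers(body):
        return "send-plain"
    consent = consents.get(recipient.lower())
    if consent and consent.email.lower() == recipient.lower() and consent.risks_acknowledged:
        return "send-plain"
    return "encrypt"


# Constructed sample data: a reminder containing a date and a phone number,
# and one patient who has consented to regular email at a specific address.
SAMPLE_BODY = "Hi Jane, your crown appointment is on 03/14/2013. Call (555) 123-4567 with questions."
CONSENTS = {"jane.doe@example.com": Consent("jane.doe@example.com", True)}

if __name__ == "__main__":
    print(find_identifiers(SAMPLE_BODY))                                   # ['date', 'phone']
    print(sending_decision("jane.doe@example.com", SAMPLE_BODY, CONSENTS))  # send-plain
    print(sending_decision("jane.doe@example.net", SAMPLE_BODY, CONSENTS))  # encrypt
```

    A message to an address that differs from the one on the consent form is routed to the secure channel, which is the "correct address" check from question 8 of the previous section made mechanical.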

  26. Do you have any reseller or affiliate programs?

    We have a number of different partnerships throughout the dental industry. Please contact our office for more information.

  27. Will this webinar be available after this evening?

    Yes, absolutely! Simply enter your email address above and click "View Now!" to watch the recorded webinar. If you have any further questions after the webinar, please contact our office.

  28. Is there a charge for the Omnibus guide?

    No. There is no charge for the Omnibus Guide. For a copy of the materials available in the guide please visit the HIPAA Omnibus Guide page.

  29. What if I log into my office computer from home through LogMeIn?

    You can use remote access to reach your Protected Health Information (PHI) while away from your computer. Please check with your provider, such as LogMeIn, for specific information regarding HIPAA. You can also send your vendor a copy of the HIPAA Compliance Software Checklist.

  30. I am using Microsoft 365. Does it meet compliance?

    It will depend on how you use it. Microsoft Office 365 does have tools that help protect your sensitive patient information; please check with Microsoft directly for more information on how they meet HIPAA compliance. We would also recommend having them sign a Business Associates Agreement with your practice.

  31. After completing a risk assessment checklist, what do you have to do next?

    Once you have completed the HIPAA Compliance Checklist, you will need to address the areas of the checklist that your practice did not do well on. We would recommend assigning a project manager within your practice to manage the steps required. We would also recommend using Brightsquid Secure-Mail™ to safeguard Protected Health Information (PHI) that you share outside of your practice. You will need to update your Notice of Privacy Practices and Business Associates Agreement; please visit our HIPAA Omnibus Guide page to download templates for your practice. For more information on your next steps, please watch our recent webinar "Your First 3 Steps to Get Your Dental Practice HIPAA Compliant".

  32. What about information that comes through a portal from a company to you? Email of a cone beam scan from a center where the scan is taken.

    The information stored and shared needs to be encrypted. Please check with your provider; we would recommend giving them a copy of the HIPAA Compliance Software Checklist and a Business Associates Agreement.

  33. If I send digital images to a lab or dental office, does it require a special notice about privacy attachment?

    Whenever you are sharing Protected Health Information (such as an image of a patient's face) it is important that the information is safeguarded. These safeguards include auditability of who has had access to the information, encryption to secure the information, and a number of other security controls. The best way to share PHI is using Secure-Mail™ from Brightsquid. Secure-Mail™ has been specially designed as a HIPAA compliant way for dental professionals to exchange sensitive health information. Not only is Secure-Mail™ compliant; it also allows users to attach up to 500MB per message (attach all your high resolution images in one message) and to view, annotate and manipulate images in the Brightsquid Image Studio.

  34. Can charts be filed behind a front desk? The names on the files are not readable where patients stand.

    Yes, as long as no one can access the Protected Health Information (PHI) from in front of the desk and access behind it is restricted. We would also recommend not having marks and/or labels visible on the files that would disclose any PHI to unauthorized individuals.

  35. NY State will require e-scripts. How will they be secure?

    We don't have any specific information about the NY State e-script initiative. We recognize that the information stored and shared needs to be encrypted. Please check with your provider; we would recommend giving them a copy of the HIPAA Compliance Software Checklist as well as signing a Business Associates Agreement with the vendor providing your e-scripts.

  36. Can we post daily schedules with names and phone numbers in an operating room?

    Yes, as long as no unauthorized individuals and no patients have access to the area where the schedule is posted. If it is only accessible to authorized individuals, then it is okay. We would recommend keeping an "Authorized Access" logbook. To maintain the security of Protected Health Information (PHI) it is important to restrict access to it.

  37. Do either of you have recommendations for offsite backup companies? Or ones to avoid?

    Dr. Lavine has a considerable amount of experience helping dental practices get HIPAA compliant. Please contact him for more information and guidance on proper safeguards within your dental practice.

  38. Can you tell me the products we can use to encrypt our computer?

    Dr. Lavine has a considerable amount of experience helping dental practices get HIPAA compliant. Please contact him for more information and guidance on proper safeguards within your dental practice.