Webinar: Your Top 10 Questions on HIPAA Compliance in Your Dental Practice: Ask the Experts Special
There are ten common questions that HIPAA experts Dr. Lorne Lavine and Mr. Rohit Joshi, LL.B, hear when they visit dental practices, host webinars and speak at live events. During the webinar on December 17, 2013 the experts will take your questions on HIPAA compliance and provide clear answers to the top ten questions they receive from dental practices.
The Questions Include:
- How Should I Communicate with My Patients?
- What are the New HIPAA Omnibus Rules?
- Have There Been Any HIPAA Breaches in Dental Practices?
- Who are Considered Covered Entities and Business Associates?
To learn how to get your free CE credits please call 1-800-238-6503 or submit our contact form.
What Regulations Influence My Dental Practice?
- HIPAA - Health Insurance Portability and Accountability Act (1996) - USA
- HITECH - Health Information Technology for Economic and Clinical Health Act & HITECH Safe Harbor - USA
- PIPEDA - Personal Information Protection and Electronic Documents Act - Canada
- Additionally, there is significant Provincial/State legislation, and professional dental bodies have established very specific guidelines for the handling of patient information
- PHI - Protected Health Information: The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral
Have There Been Any HIPAA Breaches in Dental Practices?
Yes. 184,568 individuals were affected by HIPAA breaches in 29 dental practices between 2009 and 2013.
What are the New HIPAA Omnibus Rules?
The HIPAA Omnibus Rules provided further legislation on privacy, security, and breach notification policies and procedures, including:
- Copies of e-PHI
- Emailing PHI
- Breach Notifications
- Marketing Communications
- Disclosures to Health Plans
- Sales of PHI
- Childhood immunizations
- Charging for Copies of e-PHI or PHI
- Research Authorizations
What are the Fines for Not Following the Omnibus Rules?
There are four penalty tiers:
- Lowest Tier: In cases in which the doctor did not and reasonably could not know of the breach, a penalty of not less than $100 or more than $50,000 for each violation.
- Intermediate Tier: In cases in which the doctor "knew, or by exercising reasonable diligence would have known" of the violation, but did not act with willful neglect, a penalty of not less than $1,000 or more than $50,000 for each violation.
- Two Highest Tiers:
  - Acted with willful neglect and corrected the problem within the 30-day cure period: a penalty of not less than $10,000 or more than $50,000 for each violation.
  - Acted with willful neglect and did NOT correct the problem within the 30-day cure period: a penalty of not less than $50,000 for each violation; the penalty for violations of the same requirement or prohibition under any of these categories may not exceed $1.5 million in a calendar year.
Who are Considered Business Associates?
"Business Associates" refers specifically to a person or organization that works with your practice in a way that involves the use or disclosure of patient information.
The HIPAA Omnibus Rules provide further legislation for the relationship between doctors and business associates.
What is a Notice of Privacy Practice?
Your practice is required to develop and distribute a notice that provides a clear, user-friendly explanation of patients' privacy rights and the practice's privacy practices.
Doctors will have to post the revised NPP, and make copies available at their office, to all new patients and to anyone else on request. Doctors who maintain a website are cautioned to post the updated NPP on their website as required by the existing HIPAA Privacy rule.
Where Do I Start in My Dental Practice?
Have a HIPAA Meeting in Your Dental Practice
- Start the conversation in your practice - review the Omnibus Guide
- Send the HIPAA Compliance Software Checklist to vendors
- Designate a project manager
- Determine next steps and set goals
Is Patient Consent All I Need?
No. Consent is needed to get the patient's approval to send patient information to associated treatment providers, but:
- Dentist CAN get the consent to send patient their information over email.
- Patients CAN NOT consent to a dentist sending information to any other medical professional through insecure methods.
How Can I Communicate with My Patients?
- Phone Calls
- Appointment Reminders
- Communication on Privacy Policies.
Why is Email NOT Compliant?
- Even if your computer is secure, your message passes through dozens of unknown servers en route to its destination.
- These "middle-man" servers make up the backbone of the email system, but they are not secure and therefore not compliant.
- Dentists have a duty to take precautions to safeguard private patient data.
Please explain how Secure-Mail™ offers HIPAA compliance? Is it just encryption or does it include auditability etc.?
Secure-Mail™ has been specifically developed to be HIPAA compliant as it provides users with encryption, auditability, data backup and storage, identity authentication, emergency access, and more. Please visit our HIPAA Compliance Software Checklist for more information on the HIPAA requirements.
Is there a contract for Secure-Mail™ that is month to month?
Yes. You can purchase Secure-Mail™ with a month-to-month subscription for only $39.99/month. This is a very popular way to purchase Secure-Mail™. To get started with your subscription today, please visit the Plans and Pricing page.
Do you offer a free trial?
Yes. Use this link for a free trial of Brightsquid Secure-Mail™.
Do you offer personal demo for my office?
Yes. Use this link to sign up for a personalised demo of Brightsquid Secure-Mail™.
Can you enter a colleague's regular email address into the Secure-Mail™ address bar?
Yes. Secure-Mail™ has been designed to work with your and your colleague's regular email addresses. Simply enter your colleague's email address into the Secure-Mail™ address bar and click send. Your colleague will receive a notification alerting them to the Secure-Mail™ message in their regular email inbox, smartphone or tablet.
Do you have to have an account for each staff member?
With your dentist subscription you will get 5 accounts (1 doctor and 4 support staff) for your practice. We find that 5 internal accounts meet the needs of most dental practices, but if you need more than 5 accounts, or if there is more than one doctor working in your clinic, please contact our office and we can help you set this up.
Is Secure-Mail™ for emailing patients or just other entities?
Secure-Mail™ was designed to facilitate the secure exchange of information between dentists, specialists and dental labs. We are very excited to announce the introduction of doctor-patient communication through Secure-Mail™ in early 2014. Please contact our office for more information and/or to register for our next webinar on the HIPAA guidelines for doctor-patient communication.
I am a specialist, how does it work with my referring dentists?
Brightsquid has a subscription package designed for dental specialists like yourself, with a number of specific features to help build and maintain your referrals. Please contact our office for more information as well as a demo highlighting these exciting features.
Is there a limit to the number of messages I can send using Brightsquid or other storage limits?
No. There are no limits to the number of messages you can send using your $39.99 Dentist account of Brightsquid Secure-Mail™. Brightsquid offers customers unlimited data with their registration; the only limit we place on this is to prevent abuse and takes effect at the terabyte level. Please contact our office if you would like more information on data storage.
Is it safe to put a patient's CD or USB drive in your computer, if the patient claims the data is from their other health care provider (perhaps they are seeking a 2nd opinion from you, or are referred to you as a specialist)?
From a HIPAA standpoint there are no rules against putting CDs or USBs into your computer. We would recommend taking precautions as you could expose your computer to malware or viruses. It is much safer to send information through a service like Secure-Mail™. We have a number of customers who prefer Secure-Mail™ as they do not have to worry about sending USB drives back to the sender, as well as making sure the information is properly copied onto a CD or drive. Brightsquid Secure-Mail™ does a number of checks on the file to ensure that it does not contain viruses or malware.
What about sending marketing email on blood drives, food drives, etc?
As there is no treatment information in the email, this type of communication would be considered a marketing email. Because of that, you will want to get specific consent to send this type of email to your patients.
Is your bank a Business Associate as they may be processing patient checks?
No, typically banks are not considered Business Associates, as they normally don't deal with treatment information. There is separate legislation and standards dealing with security of financial information, such as Payment Card Industry Data Security Standard (PCI-DSS).
How does the e-mail encryption rule affect our automated patient communication systems, such as Demandforce and Lighthouse 360? Must patients participating in e-mail or text messaging sign a release acknowledging the risk of their PHI exposure?
Patients should sign a release to consent to communication through email or SMS. Your team should be familiar with the risks associated with email so they can appropriately inform your patients. Sending appointment reminders should be fine in accordance with HIPAA. We recommend avoiding the inclusion of any treatment information/Protected Health Information (PHI) in reminders sent through email. Please contact your vendor directly for more information on their HIPAA compliance. For your other software vendors, please refer to our HIPAA Software Compliance Checklist.
Will the slides from this presentation be available on the Brightsquid website or, can they be sent to us?
Yes. Please use the video viewer above to watch the recording of the webinar. If you would like copies of the individual slides used during the presentation, please contact our office.
How does HIPAA address PHI when audited by local, state or federal government?
There is a specific exception that grants the government rights to access Protected Health Information (PHI) during an audit.
What is included in Protected Health information (PHI)?
Protected Health Information (PHI) includes any information related to your patient's past, present or future health/medical records or payment history. Under HIPAA law there are 18 identifiers: patient names, geographical identifiers (smaller than state), dates (other than year), phone numbers, fax numbers, email addresses, Social Security Numbers, medical record numbers, health insurance beneficiary numbers, account numbers, certificate or licence numbers, vehicle identifiers, device identifiers, web addresses (URLs), internet protocol (IP) address numbers, biometric identifiers, photographs of patient's face as well as any other unique or identifying characteristic, code or number. For more information please visit the U.S. Department of Health & Human Services.
What about using WiFi? Can this be intercepted by others when using an open network?
Yes. We would recommend setting up a separate wireless network for your patients and staff to use for non-clinic purposes. This is a very simple procedure using a router in your practice. You may already have the equipment in your office to set up a 'guest' network and if you don't have the equipment, it is quite affordable to purchase. By setting up a guest network you may also provide your patients free wireless while they are in your practice.
If I send digital images to a lab or dental office, does it require a special notice about privacy attachment? To clarify, for example, sending CEREC scans to a lab; does this need to be encrypted and/or have a privacy notice attached?
It will depend on the type of information you are sending. If the files contain Protected Health Information (PHI), then yes. The problem typically is that the scan will contain patient information of some sort, for example a patient name. Even if you cannot see the patient information in the scanning system, it may still be attached to the patient images as metadata. That information can still be read with simple tools, so the file would not be HIPAA compliant. We would recommend contacting CEREC or other vendors directly for more information on privacy and compliance with their scanning equipment. For your other software vendors, please refer to our HIPAA Software Compliance Checklist.
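The two answers above (the list of HIPAA identifiers, and patient data hidden in scan files that a viewer never displays) both come down to the same defensive check: before an export leaves the practice, look for identifier patterns in it. The following script is an added example written for this page, not Brightsquid's code or any vendor's. It screens plain text and the printable strings inside a binary file for the identifier types that have a recognisable shape (SSN, phone/fax, email, IP address, URL, full dates) plus labelled fields such as `PatientName=` or `DOB=`. The field labels, the `SAMPLE_SCAN` byte string and the `.test` addresses are constructed for the example and are not taken from any real scanner format.

```python
"""Pre-send PHI screening for text and binary exports (added example).

Screens for a subset of the 18 HIPAA identifiers that have a fixed shape,
plus labelled metadata fields. A hit means "a human must review this
before sending", not "this is definitely PHI".
"""
import re

# Identifier types with a recognisable shape. Names, biometrics and photos
# have no regex; those are caught (at best) by the labelled-field check.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "phone_or_fax": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.])\d{3}[-.]\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE),
    # Full dates (month and day present) are identifiers; a bare year is not.
    "date": re.compile(r"\b(?:\d{1,2}[/-]\d{1,2}[/-]\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
}

# Labels under which imaging software might store identifiers in a file
# header. These label names are assumptions for the example, not any
# vendor's actual tag names.
LABEL_PATTERN = re.compile(
    r"(?i)\b(patient[_ ]?(?:name|id)|dob|date[_ ]?of[_ ]?birth|mrn|ssn)\b"
    r"\s*[:=]\s*([^\x00\r\n;|]{1,64})"
)

# Runs of 4+ printable ASCII bytes, the same idea as the `strings` tool.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def find_identifiers(text: str) -> dict:
    """Return {identifier_type: [matches]} for every pattern that fires."""
    hits = {}
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[kind] = found
    labelled = [f"{label}={value.strip()}" for label, value in LABEL_PATTERN.findall(text)]
    if labelled:
        hits["labelled_field"] = labelled
    return hits


def printable_runs(data: bytes) -> list:
    """Extract the printable ASCII strings embedded in a binary blob."""
    return [run.decode("ascii") for run in PRINTABLE_RUN.findall(data)]


def scan_file_bytes(data: bytes) -> dict:
    """Screen a binary export (image, scan) for identifiers hidden in metadata."""
    return find_identifiers("\n".join(printable_runs(data)))


def is_safe_to_send(data: bytes) -> bool:
    """Outbound gate: True only when the screen found nothing to review."""
    return not scan_file_bytes(data)


# Constructed sample: a made-up "scan" whose header carries patient fields
# that an image viewer would never display, followed by a fake pixel payload.
SAMPLE_SCAN = (
    b"\x89SCN\x00\x01\x00\x00"
    b"PatientName=Jane Example\x00"
    b"PatientID=MRN-0042\x00"
    b"DOB=03/14/1975\x00"
    b"Operator=drsmith@dental-example.test\x00"
    + bytes([0, 255, 128, 7]) * 64
)

# Constructed sample with no identifiers: only a tooth number in the header.
SAMPLE_CLEAN_SCAN = b"\x89SCN\x00\x01\x00\x00Tooth=14\x00" + bytes([0, 255, 128, 7]) * 64


if __name__ == "__main__":
    for label, blob in (("sample scan", SAMPLE_SCAN), ("clean scan", SAMPLE_CLEAN_SCAN)):
        hits = scan_file_bytes(blob)
        print(f"{label}: {'BLOCK' if hits else 'ok'} {hits}")
```

Run on the constructed scan, the screen flags the labelled patient fields, the date of birth and the operator's email address, while the clean scan passes. In practice this kind of check belongs in front of any export or upload step, and a hit should route the file to a person rather than silently stripping bytes, since the file format (not just the metadata) may need to stay intact for the lab.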