HIPAA Email and Data Privacy for Medical Practices

Secure your data, emails, and attachments. Choose who can view them.

A Large Portion of the Dental Community

Many dental professionals have one of the following email configurations:

YAHOO, Gmail, AOL, MSN, etc. Example: smiledental_EXAMPLE@yahoo.com

If you fall into the first two categories you have a Public Email Account, which is non-compliant. If you have a Private Account that isn't secured, you may be non-compliant or even in violation of the HIPAA act.

Are you in violation of HIPAA?

If you email appointments, test results, case-related information, or other treatment information to patients using any of the non-HIPAA-compliant email services (see above), then the answer is yes, you are. If you are sending Patient Health Information (PHI) using free email services like Gmail, Yahoo, Hotmail, or AOL, you are in violation. Even if you are using services like AT&T, Verizon, GoDaddy, or 1&1, the answer is yes. Most email providers have non-compliant privacy policies and no email security policy, meaning your email can be intercepted. In short, this means that you can be fined up to $1.5 million during an audit! If your practice is a covered entity under HIPAA, emailing a patient or emailing patient information involves both the HIPAA Privacy and Security Rules. The content of the email, including the patient's email address, constitutes protected health information (PHI).

What are the Financial Implications of HIPAA Violations?
How can Hitec-Med Help?

We can ensure that your emails, attachments, and data are HIPAA compliant, safe, secure, and always available to you no matter where you are.

What are some of the issues with Traditional Free Email Services?

Other than the non-HIPAA compliance, details include:
List of Non-HIPAA Compliant Email Services
What does HIPAA Compliance with Google mean?

Ensuring that our customers' data is safe, secure, and always available to them is one of our top priorities. To demonstrate our compliance with security standards in the industry, Google has sought and received security certifications such as ISO 27001 certification and SOC 2 and SOC 3 Type II audits. For customers who are subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA), Google Apps can also support HIPAA compliance. Under HIPAA, certain information about a person's health or health care services is classified as Protected Health Information (PHI). Google Apps customers who are subject to HIPAA and wish to use Google Apps with PHI must sign a Business Associate Agreement (BAA) with Google. Administrators for Google Apps for Work, Education, Government, and Google Apps Unlimited domains can request a BAA before using Google services with PHI. Google offers a BAA covering Gmail, Google Calendar, Google Drive (including Docs, Sheets, Slides, and Forms), Google Sites, and Google Apps Vault services. Google Apps customers are responsible for determining whether they are subject to HIPAA requirements and whether they use or intend to use Google services in connection with PHI. Customers who have not entered into a BAA with Google must not use Google services in connection with PHI. We have published our Google Apps HIPAA Implementation Guide to help customers understand how to organize data on Google services when handling PHI. This guide is intended for employees in organizations who are responsible for HIPAA implementation and compliance with Google Apps.

What if your business currently uses a Gmail, Yahoo, or other generic Email Service?

We can help fix that problem! Hitec-Med would love to help you get rid of your generic Gmail, Yahoo, or AOL email address and get real, professional, HIPAA-compliant email addresses. For example:
When one of your potential patients sees that your email address is a generic, free, web-based email address, their first thoughts very well may be:
We can help you set up your own professional email address (or multiple addresses or users in your practice). If you do not have a domain name, we can register an optimized domain or get one based on your name or practice!
March 1 HIPAA Deadline for Dentists Approaching

Dentists have until March 1 to report a HIPAA-compliance issue to the U.S. Department of Health and Human Services Office for Civil Rights (HHS). Specifically, HIPAA-covered practices must report by that date any breach of their electronic patient information that may have affected fewer than 500 people. Breaches that may have affected more than 500 people have stricter timelines, as practices only get a 60-day window to report the incident. According to the HHS, "A covered entity's breach notification obligations differ based on whether the breach affects 500 or more individuals or fewer than 500 individuals. If the number of individuals affected by a breach is uncertain at the time of submission, the covered entity should provide an estimate, and, if it discovers additional information, submit updates in the manner specified below. If only one option is available in a particular submission category, the covered entity should pick the best option, and may provide additional details in the free text portion of the submission." The HHS website allows dentists to report an incident electronically and has instructions for submitting. The breach notification rule was approved in 2009 as part of a larger set of HIPAA amendments known as the Health Information Technology for Economic and Clinical Health Act (HITECH). Congress passed HIPAA in 1996 to simplify, and thereby reduce the cost of, the administration of health care. HIPAA does this by encouraging the use of electronic transactions between health care providers and payers, thereby reducing paperwork. Congress deemed that if the electronic transmission of patient health information was to be encouraged by the legislation, there needed to be means to protect the confidentiality of that information. Secure electronic transmission of protected health information is one of the many requirements of the HIPAA Security Rule.
Dental practices should review the rule requirements to ensure compliance. A major component of compliance is a documented risk analysis. "HIPAA Security Rule: A Summary" can be found on cda.org. HHS has a Guidance on Risk Analysis on its site. CDA has a Data Breach Notification Checklist on cda.org/practicesupport. The ADA Practical Guide to HIPAA Compliance includes information about the HIPAA Breach Notification Rule. For more information, visit cda.org/privacy-hipaa.

Yahoo, Google, and Apple also claim the right to read user emails!

Like Microsoft, other webmail giants all reserve the right to read user emails, if 'deemed necessary'.

Microsoft is not unique in claiming the right to read users' emails – Apple, Yahoo, and Google all reserve that right as well, the Guardian has determined. The broad rights email providers claim for themselves have come to light following Microsoft's admission that it read a journalist's Hotmail account in an attempt to track down the source of an internal leak. But most webmail services claim the right to read users' email if they believe that such access is necessary to protect their property. Microsoft's own terms of service allow the company to access content "when Microsoft forms a good faith belief that doing so is necessary [to] protect them… property of Microsoft". It made use of that right to read the email of an unnamed journalist who had allegedly taken possession of the source code to Windows 8 thanks to an internal leak at the firm. Following the revelation that Microsoft could, and did, read users' email, the firm's deputy general counsel told the Guardian that it would be tightening up its privacy policy. The new rules require an internal and external legal team to review any internal requests for access and commit the firm to increased transparency over future requests. But other major email providers reserve exactly the same rights.
Yahoo requires users to "acknowledge, consent and agree that Yahoo may access… your account information and Content… in a good faith belief that such access… is reasonably necessary to… protect the rights… of Yahoo." Google's terms require the user to "acknowledge and agree that Google may access… your account information and any Content associated with that account… in a good faith belief that such access… is reasonably necessary to… protect against imminent harm to the… property… of Google". Apple "may, without liability to you, access… your Account information and Content… if we have a good faith belief that such access… is reasonably necessary to… protect them… property… of Apple". Of the major webmail providers, only Microsoft was prepared to share the internal procedures it has in place governing who can access users' email without a court order and what reasons they must give to do so. Yahoo declined to comment. Neither Apple nor Google had responded to requests for comment ahead of publication. "The problem is, this is a technically legal activity that we all agree to when we sign up to certain cloud services – whether knowingly or not," says Charlie Howe, director, EMEA at Skyhigh Networks, a cloud security software firm, of Microsoft's snooping. "For instance, I would guess that most people don't actually read the full Terms and Conditions before using a new application, and they would probably be surprised by what they are actually agreeing to when they click the 'accept' button on certain cloud services."

Posted from: http://www.theguardian.com/technology/2014/mar/21/yahoo-google-and-apple-claim-right-to-read-user-emails

So on that happy note, let's dive in!

#1: Advocate Medical Group
People Affected: 4,029,530

In the 2nd largest data breach ever reported through the HHS database, four laptops containing more than 4 million patient records were stolen. Advocate Medical Group did not notify affected patients until more than a month after the theft and stated the laptops were password protected. However, this did little to assuage fears, as device passwords are easily overcome. The lost data included Social Security numbers, which places the patients at higher risk of identity theft. The total number of affected individuals is eclipsed only by a 2011 incident in which 4.9 million medical records were compromised when backup tapes were reportedly stolen from an employee's car. A class action lawsuit for the 2011 event seeks $4.9 billion ($1,000 for each person affected).

#2: AHMC Healthcare
People Affected: 729,000

In October, thieves accessed a sixth-floor, video-monitored office to steal two laptops, which contained Medicare patient data from six AHMC hospitals in California. The theft occurred on a Saturday and was not detected until Monday. The compromised patient data included names, diagnoses, and insurance information. About 70,000 also had their Social Security numbers compromised. AHMC stated they had recently completed a third-party security risk assessment but had not yet taken the step of encrypting all employee laptops.

#3: Texas Health Harris Methodist Hospital Fort Worth
People Affected: 277,014

[Image: example microfiche sheet, via Wikimedia]

In a bizarre incident, sheets of microfiche containing patient records from the '80s and '90s were found in several Fort Worth public areas. Upon investigation, Texas Health Fort Worth found that their vendor Shred-it had failed to destroy the microfiche as contracted. The extent of the lost microfiche is unknown but is expected to include Social Security numbers and other private data.

#4: Indiana Family and Social Services Administration
People Affected: 187,533

A computer programming error by a business associate wreaked havoc on Indiana FSSA's client mailers. The program glitch caused extra pages from client notifications to be mixed into mailings to other clients, compromising medical and financial information for up to 187,533 clients, and Social Security numbers for almost 4,000 of them.

#5: Cogent Healthcare, Inc.
People Affected: 32,151

Patient medical treatment history was compromised when a Cogent Healthcare business associate stored the data on a non-secure site, opening up public access to the records for more than a month. The business associate, a transcription company, left a firewall open, making the supposedly private website housing the records accessible to human users and web crawlers alike. Some records were subsequently indexed by Google.

#6: Orthopedics and Adult Reconstructive Surgery
People Affected: 22,000

While few details have been disclosed about this breach, it appears that patient data was compromised when a business associate lost a portable device. Ironically, it appears that the records may have been lost in the process of transferring them to a different storage platform to better comply with regulations.

#7: Raleigh Orthopaedic Clinic
People Affected: 17,300

In another bizarre incident, a contractor hired to transfer x-rays to electronic format instead sold the x-ray films to be scrapped for their silver. The network of clinics has determined they were victims of a scam. Unfortunately, the final state of the x-rays is unknown, but they are believed to have been destroyed.

#8: Delta Dental of Pennsylvania

In another mailing mishap, a Delta Dental of Pennsylvania letter to an employer containing a listing of employee names and SSNs arrived opened, with several pages missing.

#9: Lucile Packard Children's Hospital
People Affected: 12,900

In this data breach at a Stanford University hospital, an older, out-of-use laptop was stolen from an access-controlled office. The stolen laptop, which was damaged and scheduled to be taken out of circulation, was not encrypted, leaving an unknown amount of pediatric patient data at risk.

#10: United HomeCare Services, Inc.
People Affected: 12,299

In another case of encryption coming too late, a United HomeCare laptop scheduled to be encrypted was stolen from an employee's vehicle, compromising health records and personal information of patients and family members. Like the many other HIPAA violations due to stolen laptops, the theft appeared to have been random, and not a "targeted attempt to steal information."

The Top Two Ways to Stay Off This List

While the number of impacted individuals will likely grow as additional violations are uncovered, so far 2013 included more than 140 separate HIPAA violations that each involved more than 500 people. In all, more than 5.7 million individuals were reported to have been affected. When you dig into the full list of the violations, some clear patterns appear. Around 30% of the violations were due to theft or loss of an unencrypted laptop or portable device, and almost 20% were due to a business partner. For HIPAA-covered institutions, the two best recommendations I have for keeping yourself off this list during 2014 are:
Secure, HIPAA-compliant email and data encryption have become must-have tools for dental practices. In addition to HIPAA and Omnibus Rule compliance, they also deliver unexpected features and benefits that help dental practices improve patient experiences, increase employee productivity, and reduce business expenses.