2017 Winter Conference – Technology: Balancing Profit, Lifestyle & Patient Care

By Dr. Doug Depew

The 2017 AAO Winter Conference is quickly approaching. Our theme of this year’s meeting Technology: Balancing Profit, Lifestyle and Patient Care.  It promises to be a meeting filled with information for both newer and established practices to help make those tough decisions on what technology is important to use in our practices and when we may wish to invest in it.

The meeting will begin with keynote speaker Jack Shaw.   Mr. Shaw is a world- renowned technology futurist who will be discussing how cutting edge and disrupting technologies will change the way we do business and run our practices in the coming years.

IT guru Steve McEvoy will be answering some of those pesky questions we all have about computer hardware, effective and cost-efficient data backup, and security.   In the ever changing world of computers, what you hear at this meeting will certainly be different than what Mr. McEvoy would have talked about even a couple of years ago.

On Friday afternoon we’ll have a lively discussion by Drs. Greg Jorgensen and Neil Kravitz regarding building our practices through social media, websites, and Internet marketing. Their success in these areas has been paramount in growing their thriving practices.

Saturday morning will begin with Dr. Aaron Molen sharing his experience and thoughts on bringing emerging technology into our practices to help create more efficient and more comfortable patient care.

We’re excited to have Drs. Ed Lin and Christian Groth discussing how to integrate some of the latest technology hardware into our orthodontic practices. This includes workflows for using CBCT, Scanners and 3D Printing.

The conference will conclude with Chris Bentson and Charles Loretto with a discussion on how technology can affect the value and profitability in our practices. This should help answer the question about at what stage of practice a doctor might consider investing in advanced technology.

The location for the meeting is at the gorgeous Marriott Harbor Beach Resort and Spa in Ft. Lauderdale, Florida. The dates are February 10-11, 2017. The schedule is organized in a way to allow some time for afternoon recreation.

There will be plenty of time allotted for attendees to ask questions of the speakers to be sure all bases are covered.   To learn more and to register, visit https://www.aaoinfo.org/meetings/2017-winter-conference-technology-balancing-profit-lifestyle-patient-care

HIPAA: Encryption is NOT Required…What?!?

By Charles E. Frayer[1], JD, MS, HCISPP, CIPP, CIPM

Introduction
cfrayer
No, that headline is not a misprint. Contrary to common assumptions—and what many email encryption providers may tell you, Congress, in its infinite wisdom (stop laughing, please) decided that the Health Insurance Portability and Accountability Act (HIPAA) should not—and, therefore, it does not—require the use of encryption to secure your patients’ private medical data (aka, electronic Protected Health Information or ePHI).

WARNING: IF YOU STOP READING NOW AND SIMPLY DECIDE THAT YOU DO NOT NEED ENCRYPTION, YOU MAY WAKE UP ONE DAY TO THE WORST FINANCIAL AND PUBLIC RELATIONS NIGHTMARE IMAGINABLE. SO, READ ON…

Required vs. Addressable: What’s the Difference?
In HIPAA, Congress adopted two types of implementation specifications—“required” and “addressable.” Those labeled “required” must be implemented or it will be deemed an automatic failure to comply with the HIPAA Security Rule. On the other hand, those labeled “addressable” must be implemented only if, after a risk assessment, the covered entity (that’s you, if you’re a Health Care Provider, a Health Plan, or a Health Care Clearinghouse) has determined that encryption is a reasonable and appropriate safeguard for managing risks to the confidentiality, integrity and availability (CIA) of ePHI. A brief sidebar about the CIA triad: confidentiality protects against unauthorized disclosure; integrity protects against unauthorized modification or destruction; and availability protects against disruptions to access and use of ePHI. Okay? Now, back to our story…

However, if you determine that encryption is not reasonable and appropriate (think about this carefully), then you must document your rationale for that decision and do one of the following: (a) implement an equivalent alternative to encryption that is reasonable and appropriate; or (b) if safeguarding ePHI can otherwise be achieved, then HIPAA even allows you to choose not to use encryption or any equivalent alternative measure, provided that you also document the rationale for this decision.[1] Shocking, isn’t it? Yes, Congress effectively (is that an oxymoron?) allows you to do nothing, provided you can and do back it up.

Now, if you’ve thought about that carefully, you’re probably wondering something like, “What if HHS audits me and they don’t agree with my carefully documented rationale for deciding that encryption is not reasonable and appropriate to protect my patients’ private medical data?” Perfect question! And therein lies the problem. It is difficult (impossible?) to even imagine a situation for which it would be “reasonable and appropriate” to decide not to use encryption to protect ePHI (remember, that lowercase “e” stands for “electronic”). So, even though HIPAA does not literally require encryption, it effectively requires encryption because there is no reasonable and appropriate alternative for protecting ePHI.

In other words, when it comes to using encryption to protect ePHI, there is little (if any) difference in Congress labeling it as “addressable” rather than “required” because not using encryption is simply too risky for your patients’ ePHI and, therefore, even riskier for your business.

Encryption: HIPAA’s Data Breach Safe Harbor
Under the HIPAA Breach Notification Rule, there are essentially two types of ePHI—unsecured (i.e., unencrypted) and secured (i.e., encrypted). Under HIPAA, every breach of unencrypted ePHI requires you to provide time-bound notifications to: (1) affected patients; (2) the Secretary of HHS (i.e., the federal government); and/or (3) prominent local/state media outlets. This, of course, will put you at risk of federal and/or state investigations, fines, possible lawsuits, and the worst kind of public relations disaster imaginable, which will almost certainly result in lost business.

But there is good news…no…GREAT NEWS!!! Under the Breach Notification Rule, encrypted ePHI that is “breached” (e.g., lost, stolen, or accidentally/intentionally sent to the wrong recipient) is not considered a breach at all because ePHI that is encrypted cannot be read or otherwise used without the key(s) required to decrypt it. Consider some of the risks of emailing your patients’ ePHI unencrypted versus sending it via encrypted email, as follows:

Screen Shot 2016-02-18 at 4.27.19 PM

So, if you use it, encryption is your lawful HIPAA-endorsed safe harbor against everything you want to avoid in the event of a breach of ePHI. Going back to our previous segment, even if you somehow came up with that rarest of all situations—where using encryption to protect ePHI was not reasonable and appropriate, you still need to use it because doing so gives you a complete “out” when the worst of all possible ePHI scenarios—a data breach—occurs (i.e., you get to simply walk away).

In summary, although HIPAA does not literally require encryption, Congress nonetheless has effectively mandated its use because (i) it is all but impossible to think of a real-world situation where encrypting ePHI is not reasonable and appropriate; and (ii) if you choose not to use it, you are exposing your business to a plethora of regulatory, legal, public relations, and/or financial risks that are easily avoidable—by simply using encryption.

[1] Charlie Frayer is a Michigan licensed attorney and Florida Authorized House Counsel serving as General Counsel and Chief Privacy Officer at Protected Trust, LLC, the leading provider of Simple Email Encryption with 24×7 free and unlimited support via phone, email, and chat.

[1] See: 45 CFR § 164.306(d)(3) detailing the difference between “Addressable” and “Required” implementation specifications at http://www.ecfr.gov/cgi-bin/retrieveECFR?n=sp45.1.164.c#se45.1.164_1306;

45 CFR § 164.312(a)(2)(iv) labeling encryption and decryption as “Addressable” at http://www.ecfr.gov/cgi-bin/retrieveECFR?n=sp45.1.164.c#se45.1.164_1312; and
the HHS HIPAA Encryption FAQ at http://www.hhs.gov/hipaa/for-professionals/faq/2001/is-the-use-of-encryption-mandatory-in-the-security-rule/index.html