Am I legally responsible if I receive a patient referral from another dentist and it is sent to me unsecured?

By: Charlie Frayer, JD, MS, HCISPP, CIPP, CIPM

DISCLAIMER: Protected Trust cannot and does not provide legal advice, and the following question(s) and response(s)—like everything else we publish—are not intended as legal advice or opinion. If you need legal assistance, you should contact an attorney licensed to practice law in your jurisdiction.

For the purpose of this answer, we assume that “sent” means “emailed.” Yes, it is possible that you could be responsible if something bad happens to the patient’s electronic protected health information (ePHI) contained in the email referral, but only if it happens after you receive it.

Under HIPAA, a health care provider is called a “covered entity”. The HIPAA Privacy Rule defines “treatment” to include, “…the referral of a patient for health care from one health care provider to another.” The Privacy Rule also states that, “A covered entity is permitted to use or disclose protected health information…[f]or treatment…”. Therefore, under the scenario you describe, neither the referring dentist nor you are violating HIPAA by merely sending (disclosing) or receiving a patient’s ePHI as part of a referral. Given this good news, the core question now becomes, “Does a covered entity violate HIPAA by sending (or receiving) ePHI in an “unsecured” manner?” Again, the answer is mostly good news, but BE VERY CAREFUL AND READ THE REST OF THIS RESPONSE!!!

First, we have to know what makes ePHI “unsecured” vs. “secured”. Then, we need to know whether HIPAA requires ePHI to be secured (seems like a silly question, but you’ll probably be surprised). And, lastly, if HIPAA does not require ePHI to be secured, then what risks do you face by choosing to leave it unsecured?

Unsecured vs. Secured ePHI
The HIPAA Breach Notification Rule states that, “Unsecured protected health information means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary [of HHS] in the guidance issued…”. The HHS guidance emphasizes the use of encryption to make ePHI secure. So, technical details aside, the simple answer is that “unsecured” means unencrypted, and “secured” means encrypted.

HIPAA: Encryption Is NOT Required…What?!?
That’s the title of one of our blog posts from Feb.-Mar. 2016—republished by AAO, which we highly recommend that you read immediately (here or here). Although you would be crazy to not use encryption when emailing ePHI—because the risks are enormous, it is true that HIPAA does not literally require encryption (again, read our blog post here or here right now). Rather, what the federal government decided to do was strongly encourage the use of encryption by making it a get-out-of-jail-free card (apologies to Parker Bros.). Under the HIPAA Breach Notification Rule, you must notify certain persons and/or entities whenever you have a breach (e.g., a loss or theft) of unsecured (unencrypted) ePHI. For example, depending on the breach details, HIPAA requires notifying not only the affected patients, but also the federal government (HHS) and prominent members of the media. But—and here’s the GREAT NEWS—if you have a breach of secured (encrypted) ePHI, you do not have to notify anyone. Why? Because the loss or theft of encrypted ePHI—which cannot be read without the key(s)—is not considered a breach at all. So, encryption=no breach=no notifications=no problems for you.

Risks of NOT Encrypting ePHI Emails
If you’ve already read the above-mentioned blog post—and, if you haven’t, stop now and do so immediately (here or here), then you already know the frightening list of risks you face for not using encryption. In summary, in the event of a breach of ePHI:

No Encryption = Notification(s)

Notification(s) = Investigations, Fines, Lawsuits, PR Disaster, and Lost Business

Investigations, Fines, Lawsuits, PR Disaster, and Lost Business = Wasted $,$$$,$$$.

Our Recommendations

  1. Never email ePHI without using Protected Trust Healthcare Email Encryption.
  2. Require all of your fellow covered entities (e.g., health care providers and insurers), other business associates, and patients to use Protected Trust Healthcare Email Encryption.

IMPORTANT REMINDER: As a Protected Trust client, all of these third-party persons and entities can communicate securely with you, free of charge, and forever. No catch!

  3. To comply with HIPAA, make sure everyone in your office has their own Protected Trust Healthcare Email Encryption account (shared accounts are not permitted by HIPAA).

HIPAA: Encryption is NOT Required…What?!?

By Charles E. Frayer[1], JD, MS, HCISPP, CIPP, CIPM

Introduction
No, that headline is not a misprint. Contrary to common assumptions—and what many email encryption providers may tell you, Congress, in its infinite wisdom (stop laughing, please) decided that the Health Insurance Portability and Accountability Act (HIPAA) should not—and, therefore, it does not—require the use of encryption to secure your patients’ private medical data (aka, electronic Protected Health Information or ePHI).

WARNING: IF YOU STOP READING NOW AND SIMPLY DECIDE THAT YOU DO NOT NEED ENCRYPTION, YOU MAY WAKE UP ONE DAY TO THE WORST FINANCIAL AND PUBLIC RELATIONS NIGHTMARE IMAGINABLE. SO, READ ON…

Required vs. Addressable: What’s the Difference?
In HIPAA, Congress adopted two types of implementation specifications—“required” and “addressable.” Those labeled “required” must be implemented or it will be deemed an automatic failure to comply with the HIPAA Security Rule. On the other hand, those labeled “addressable” must be implemented only if, after a risk assessment, the covered entity (that’s you, if you’re a Health Care Provider, a Health Plan, or a Health Care Clearinghouse) has determined that encryption is a reasonable and appropriate safeguard for managing risks to the confidentiality, integrity and availability (CIA) of ePHI. A brief sidebar about the CIA triad: confidentiality protects against unauthorized disclosure; integrity protects against unauthorized modification or destruction; and availability protects against disruptions to access and use of ePHI. Okay? Now, back to our story…

However, if you determine that encryption is not reasonable and appropriate (think about this carefully), then you must document your rationale for that decision and do one of the following: (a) implement an equivalent alternative to encryption that is reasonable and appropriate; or (b) if safeguarding ePHI can otherwise be achieved, then HIPAA even allows you to choose not to use encryption or any equivalent alternative measure, provided that you also document the rationale for this decision.[1] Shocking, isn’t it? Yes, Congress effectively (is that an oxymoron?) allows you to do nothing, provided you can and do back it up.

Now, if you’ve thought about that carefully, you’re probably wondering something like, “What if HHS audits me and they don’t agree with my carefully documented rationale for deciding that encryption is not reasonable and appropriate to protect my patients’ private medical data?” Perfect question! And therein lies the problem. It is difficult (impossible?) to even imagine a situation for which it would be “reasonable and appropriate” to decide not to use encryption to protect ePHI (remember, that lowercase “e” stands for “electronic”). So, even though HIPAA does not literally require encryption, it effectively requires encryption because there is no reasonable and appropriate alternative for protecting ePHI.

In other words, when it comes to using encryption to protect ePHI, there is little (if any) difference in Congress labeling it as “addressable” rather than “required” because not using encryption is simply too risky for your patients’ ePHI and, therefore, even riskier for your business.

Encryption: HIPAA’s Data Breach Safe Harbor
Under the HIPAA Breach Notification Rule, there are essentially two types of ePHI—unsecured (i.e., unencrypted) and secured (i.e., encrypted). Under HIPAA, every breach of unencrypted ePHI requires you to provide time-bound notifications to: (1) affected patients; (2) the Secretary of HHS (i.e., the federal government); and/or (3) prominent local/state media outlets. This, of course, will put you at risk of federal and/or state investigations, fines, possible lawsuits, and the worst kind of public relations disaster imaginable, which will almost certainly result in lost business.

But there is good news…no…GREAT NEWS!!! Under the Breach Notification Rule, encrypted ePHI that is “breached” (e.g., lost, stolen, or accidentally/intentionally sent to the wrong recipient) is not considered a breach at all because ePHI that is encrypted cannot be read or otherwise used without the key(s) required to decrypt it. Consider some of the risks of emailing your patients’ ePHI unencrypted versus sending it via encrypted email, as follows:

[Image: table comparing the risks of emailing ePHI unencrypted versus via encrypted email; not reproduced here]

So, if you use it, encryption is your lawful HIPAA-endorsed safe harbor against everything you want to avoid in the event of a breach of ePHI. Going back to our previous segment, even if you somehow came up with that rarest of all situations—where using encryption to protect ePHI was not reasonable and appropriate, you still need to use it because doing so gives you a complete “out” when the worst of all possible ePHI scenarios—a data breach—occurs (i.e., you get to simply walk away).

In summary, although HIPAA does not literally require encryption, Congress nonetheless has effectively mandated its use because (i) it is all but impossible to think of a real-world situation where encrypting ePHI is not reasonable and appropriate; and (ii) if you choose not to use it, you are exposing your business to a plethora of regulatory, legal, public relations, and/or financial risks that are easily avoidable—by simply using encryption.
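The safe-harbor argument above rests on one technical property: encrypted ePHI that is lost, stolen, or mis-sent is unreadable to anyone who does not hold the key. The following Go program is an added illustration of that property, written for this page; it is not code from Protected Trust, the AAO, or the author, and the function names (NewKey, SealAttachment, OpenAttachment, ExposesPlaintext) and the referral text are constructed for the example. It seals a fictional referral note with AES-256-GCM (an authenticated cipher, chosen here as a representative modern encryption method, not one the page names) and then checks the three things a practitioner cares about: the sealed blob no longer contains the patient’s name in the clear, the intended recipient with the key gets the note back intact, and anyone with the wrong key or a modified copy gets an error rather than data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sampleReferral is a constructed, fictional referral note standing in for
// the ePHI inside an emailed attachment. It is not real patient data.
const sampleReferral = "REFERRAL - Patient: Jane Example, DOB 2001-04-09, Chart 0001\n" +
	"Reason: evaluate Class II malocclusion; panoramic radiograph attached."

// NewKey returns a fresh 256-bit AES key from the OS CSPRNG. The key must
// travel separately from the sealed data; it is what keeps the ciphertext
// "unreadable without the key".
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealAttachment encrypts plaintext with AES-256-GCM and returns
// nonce || ciphertext || tag. GCM also authenticates the data, so any
// modification of the blob is detected when it is opened.
func SealAttachment(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Passing nonce as dst prepends it so the recipient can recover it.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenAttachment reverses SealAttachment. It returns an error for a wrong
// key, a truncated blob, or any tampering with the ciphertext or tag.
func OpenAttachment(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed attachment too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// ExposesPlaintext reports whether a blob still contains a fragment of the
// original note in the clear, which is exactly what an unencrypted email
// leaks to anyone who obtains a copy in transit or from a mail server.
func ExposesPlaintext(blob, fragment []byte) bool {
	return bytes.Contains(blob, fragment)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	plain := []byte(sampleReferral)
	sealed, err := SealAttachment(key, plain)
	if err != nil {
		panic(err)
	}
	name := []byte("Jane Example")
	fmt.Printf("unencrypted attachment leaks name: %v\n", ExposesPlaintext(plain, name))
	fmt.Printf("encrypted attachment leaks name:   %v\n", ExposesPlaintext(sealed, name))

	// The intended recipient, holding the key, reads the referral.
	got, err := OpenAttachment(key, sealed)
	fmt.Printf("recipient with key decrypts: %v\n", err == nil && bytes.Equal(got, plain))

	// Without the key (lost laptop, interception, wrong recipient) nothing usable comes out.
	wrongKey, _ := NewKey()
	_, err = OpenAttachment(wrongKey, sealed)
	fmt.Printf("wrong key rejected: %v\n", err != nil)

	// A modified blob is rejected rather than silently decrypting to garbage.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = OpenAttachment(key, tampered)
	fmt.Printf("tampered blob rejected: %v\n", err != nil)
}
```

The design point worth noticing is that everything hinges on the key: the program deliberately keeps the key out of the sealed blob, because ciphertext shipped together with its key is readable by whoever obtains the copy, and the “cannot be read without the key(s)” reasoning above no longer holds. In practice that means the key (or the password that derives it) goes to the recipient over a different channel than the attachment, and is never stored next to the encrypted data on a device that can be lost.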

[1] Charlie Frayer is a Michigan licensed attorney and Florida Authorized House Counsel serving as General Counsel and Chief Privacy Officer at Protected Trust, LLC, the leading provider of Simple Email Encryption with 24×7 free and unlimited support via phone, email, and chat.

[1] See: 45 CFR § 164.306(d)(3), detailing the difference between “Addressable” and “Required” implementation specifications, at http://www.ecfr.gov/cgi-bin/retrieveECFR?n=sp45.1.164.c#se45.1.164_1306;
45 CFR § 164.312(a)(2)(iv), labeling encryption and decryption as “Addressable”, at http://www.ecfr.gov/cgi-bin/retrieveECFR?n=sp45.1.164.c#se45.1.164_1312; and
the HHS HIPAA Encryption FAQ at http://www.hhs.gov/hipaa/for-professionals/faq/2001/is-the-use-of-encryption-mandatory-in-the-security-rule/index.html

Electronic Records Transfer: Do You Use E-mail to Transfer Records? Is it HIPAA Compliant?

The August 2014 complimentary lecture of the month is now online.  Click the link below to immediately begin viewing:

Electronic Records Transfer: Do You Use E-mail to Transfer Records? Is it HIPAA Compliant?  presented by Dr. J. Martin Palomo.


What is “Big Data” and How Is It Related to the Practice of Orthodontics?

By Anthony M. Puntillo DDS, MSD

Have you heard of the term “Big Data”?  My guess is that for many orthodontists the term is likely a bit like the term “The Cloud.”  They may have a general idea of the concept, but are not entirely sure how it is or will be important to them.  In fact, there is a strong relationship between the two terms that I will discuss later in this article.  First, however let’s look at “Big Data” by itself.  According to Wikipedia “Big data is a blanket term for any collection of data sets so large and complex that it becomes difficult to process using on-hand data management tools or traditional data processing applications.”

In 2009 the United States Congress passed the American Recovery and Reinvestment Act (ARRA), which included the Health Information Technology for Economic and Clinical Health Act (HITECH).  [For a detailed summary of this legislation please see Kirt Simmons’ blog posting from July 9, 2012, “The Electronic Patient Record: How it Affects the Private Practitioner”.]  One of the requirements of HITECH is that full implementation of electronic health records (EHRs) for all patients is required by 2016.  The requirements of this act specifically pertain to healthcare providers who participate in the Medicare and Medicaid programs.  That means that currently few dentists are covered by this mandate.  However, this does not mean that we are not being affected.  Since 2009 doctors and hospitals across the country have spent billions of dollars, with the help of government subsidies, converting paper-based systems to electronic health records.  These new digital systems are now collecting vast amounts of valuable data related to patient care.  Much of this information was collected before the legislation, but in a paper, non-standardized format that was not easily aggregated and retrieved for meaningful analysis.  The value of all of this collected digital data is only beginning to be fully understood.  Big Data from all healthcare providers is being aggregated, and programs to analyze the data are being used to improve the quality, safety, and efficiency of patient care.  Hospitals are examining treatment protocols, and doctors are making better-informed treatment decisions based on the previous care of thousands of similar patients.

As I stated earlier, the EHR requirement of HITECH does not specifically pertain to most orthodontists, so why is this important to us?  Many orthodontists have converted, or are now in the process of converting, their practices to paperless systems (without the assistance of the government money).  Several of the orthodontic-specific software vendors offer cloud-based systems, and here is where “Big Data” and “The Cloud” come together.  The aggregation of data from hundreds or thousands of individual private orthodontic practices into cloud servers is beginning to open the door for data analysis (mining).  Just think about how valuable that information can be to our patients and practices.  Most of the research studies published in our journals today involve treatment samples of fewer than one hundred.  The biannual Journal of Clinical Orthodontics Practice Study generally relies on the input of a few hundred survey responders (out of a possible pool of more than 8,000).  Wouldn’t it be helpful for us to know the most efficient type of Class II corrector based on the actual metrics collected from the previous care of thousands of patients treated in practices all across the country or the globe?  Wouldn’t the knowledge that your treatment times/appointments vary significantly from the national or regional averages be useful?  There is little question that access to “Big Data” analytics will offer our profession the opportunity to improve treatment quality, safety and efficiency for our patients, just as it is beginning to do for the other fields of healthcare.

HIPAA Compliant Electronic Health Record Transfer

by Juan Martin Palomo DDS, MSD


My presentation at the upcoming AAO meeting in New Orleans will address common questions regarding the use of email for the transfer of patient records. The transfer of electronic health records in compliance with HIPAA (Health Insurance Portability and Accountability Act) does not seem to be a requirement for every orthodontist.  Only “covered entities” under HIPAA are subject to the standards, though it is still good business practice to make sure that health records are stored and sent using proper security, even if a provider is not a “covered entity”.

There is no “one size fits all” approach for covered entities when it comes to using appropriate safeguards for the transmission of EHR (Electronic Health Record).  The amount, type and destination of the EHR sent is used to determine what safeguards should be in place for a provider.  The Secretary of Health and Human Services (HHS) does not adopt a single industry-wide standard for encryption.  The most specific guidance available from HHS can be summarized as such:

“The Security Rule does not expressly prohibit the use of email for sending EPHI. However, the standards for access control, integrity, and transmission security require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to EPHI.  The standard for transmission security also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI (Protected Health Information) as it is transmitted, select a solution, and document the decision. The Security Rule allows for EPHI to be sent over an electronic open network as long as it is adequately protected.”

The objective at hand is to send sensitive information to a specific recipient while eliminating the risk that others intercept or view it. When a client uses a webmail service, all information, including the email text and all attachments both received and sent, is stored on the webmail service’s server.  Depending on the service, that server may or may not be secured and encrypted.  The AAO provides a secure encrypted server to members who use the AAO webmail.  When an email attachment is sent, a copy of the information usually travels from the sender’s webmail service’s server to the recipient’s email service’s server.  The message and its attachments could be intercepted during that transfer, and/or the recipient’s server could be a non-secure destination.

My presentation at the AAO annual session will present three techniques for legally transmitting patient information via email. See you on Saturday morning at the AAO.

Is That a HIPAA in Your Hip Pocket?

By Kirt E. Simmons D.D.S., Ph.D.

In this day and age it is “hip” to be connected everywhere and very easy given the nearly universal presence of powerful “smart” phones and tablets connected to the Internet.  My iPhone is in essence a much more powerful computer than my first Mac I bought in 1986 and able to communicate to others via text messaging, E-mail, internet blogs or forums, web sites (Facebook, Twitter, etc.), and voice.  In this day and age it is easily possible to access one’s patient records on such a device or a tablet, copy any of the information and relay it via any of the aforementioned methods.  It is also very easy to get high quality photographs with these devices, including of patients or any of their records.  Any of your patients with such devices can also easily capture photos of themselves or others in your treatment areas.

“Great!” You say, but beware of potential HIPAA violations with these devices.  Many health care workers and organizations in other environments (mostly medical to date) have run afoul of HIPAA in this regard and paid heavy fines, been personally sued, lost their jobs and/or lost public credibility/trust.  The classic example is the health care worker who “tweets” or posts on other social media sites about celebrities they have seen/treated in their facility (without the patient’s consent/knowledge of course!).  Even non-celebrities but extreme or “shocking” cases, easily identifiable without “naming names”, have been the subject of these illegal disclosures and resultant negative consequences.

As a health care provider, and especially if you are the owner or proprietor of your practice, you are responsible for any breaches of patient confidentiality by yourself or any of your employees, and you are also responsible for that confidentiality in your facility.  For this reason many medical offices now require patients to turn off any cell phones, computers, tablet computers, or cameras while in treatment areas, or to leave them outside treatment areas.  The HIPAA regulations also require that ALL transmission of personal health information (PHI) be “protected”.  Common E-mail, text messaging, social media sites, etc. are not “secure and protected”.  So even if the sharing of PHI is allowed between two entities (say, yourself and the patient’s general dentist), doing so by the above means is NOT allowed (but IS required to be noted and tracked by yourself!).  The ADA has some excellent resources discussing the proper sharing of PHI, which I encourage you to follow (ADA Technical Reports No. 1048, Attachment of DICOM Dataset Using Email, and No. 1060, Secure Exchange and Utilization of Digital Images in Dentistry, are available for purchase and download from the ADA Catalog at www.adacatalog.org or by calling 1-800-947-4746).