HIPAA: Encryption is NOT Required…What?!?

By Charles E. Frayer[1], JD, MS, HCISPP, CIPP, CIPM

No, that headline is not a misprint. Contrary to common assumptions (and to what many email encryption providers may tell you), Congress, in its infinite wisdom (stop laughing, please), decided that the Health Insurance Portability and Accountability Act (HIPAA) should not, and therefore does not, require the use of encryption to secure your patients’ private medical data (aka electronic Protected Health Information, or ePHI).


Required vs. Addressable: What’s the Difference?
In HIPAA, Congress adopted two types of implementation specifications: “required” and “addressable.” Those labeled “required” must be implemented; failing to do so is an automatic failure to comply with the HIPAA Security Rule. On the other hand, those labeled “addressable” must be implemented only if, after a risk assessment, the covered entity (that’s you, if you’re a Health Care Provider, a Health Plan, or a Health Care Clearinghouse) has determined that the safeguard (here, encryption) is a reasonable and appropriate way of managing risks to the confidentiality, integrity and availability (CIA) of ePHI. A brief sidebar about the CIA triad: confidentiality protects against unauthorized disclosure; integrity protects against unauthorized modification or destruction; and availability protects against disruptions to access and use of ePHI. Okay? Now, back to our story…

However, if you determine that encryption is not reasonable and appropriate (think about this carefully), then you must document your rationale for that decision and do one of the following: (a) implement an equivalent alternative to encryption that is reasonable and appropriate; or (b) if safeguarding ePHI can otherwise be achieved, then HIPAA even allows you to choose not to use encryption or any equivalent alternative measure, provided that you also document the rationale for this decision.[1] Shocking, isn’t it? Yes, Congress effectively (is that an oxymoron?) allows you to do nothing, provided you can and do back it up.

Now, if you’ve thought about that carefully, you’re probably wondering something like, “What if HHS audits me and they don’t agree with my carefully documented rationale for deciding that encryption is not reasonable and appropriate to protect my patients’ private medical data?” Perfect question! And therein lies the problem. It is difficult (impossible?) to even imagine a situation for which it would be “reasonable and appropriate” to decide not to use encryption to protect ePHI (remember, that lowercase “e” stands for “electronic”). So, even though HIPAA does not literally require encryption, it effectively requires encryption because there is no reasonable and appropriate alternative for protecting ePHI.

In other words, when it comes to using encryption to protect ePHI, there is little (if any) difference in Congress labeling it as “addressable” rather than “required” because not using encryption is simply too risky for your patients’ ePHI and, therefore, even riskier for your business.

Encryption: HIPAA’s Data Breach Safe Harbor
Under the HIPAA Breach Notification Rule, there are essentially two types of ePHI—unsecured (i.e., unencrypted) and secured (i.e., encrypted). Under HIPAA, every breach of unencrypted ePHI requires you to provide time-bound notifications to: (1) affected patients; (2) the Secretary of HHS (i.e., the federal government); and/or (3) prominent local/state media outlets. This, of course, will put you at risk of federal and/or state investigations, fines, possible lawsuits, and the worst kind of public relations disaster imaginable, which will almost certainly result in lost business.

But there is good news…no…GREAT NEWS!!! Under the Breach Notification Rule, encrypted ePHI that is “breached” (e.g., lost, stolen, or accidentally/intentionally sent to the wrong recipient) is not considered a breach at all because ePHI that is encrypted cannot be read or otherwise used without the key(s) required to decrypt it. Consider some of the risks of emailing your patients’ ePHI unencrypted versus sending it via encrypted email, as follows:

[Table: risks of emailing patients’ ePHI unencrypted versus sending it via encrypted email]

So, if you use it, encryption is your lawful HIPAA-endorsed safe harbor against everything you want to avoid in the event of a breach of ePHI. Going back to our previous segment, even if you somehow came up with that rarest of all situations—where using encryption to protect ePHI was not reasonable and appropriate, you still need to use it because doing so gives you a complete “out” when the worst of all possible ePHI scenarios—a data breach—occurs (i.e., you get to simply walk away).

In summary, although HIPAA does not literally require encryption, Congress nonetheless has effectively mandated its use because (i) it is all but impossible to think of a real-world situation where encrypting ePHI is not reasonable and appropriate; and (ii) if you choose not to use it, you are exposing your business to a plethora of regulatory, legal, public relations, and/or financial risks that are easily avoidable—by simply using encryption.

[1] Charlie Frayer is a Michigan licensed attorney and Florida Authorized House Counsel serving as General Counsel and Chief Privacy Officer at Protected Trust, LLC, the leading provider of Simple Email Encryption with 24×7 free and unlimited support via phone, email, and chat.

[1] See: 45 CFR § 164.306(d)(3) detailing the difference between “Addressable” and “Required” implementation specifications at http://www.ecfr.gov/cgi-bin/retrieveECFR?n=sp45.1.164.c#se45.1.164_1306;

45 CFR § 164.312(a)(2)(iv) labeling encryption and decryption as “Addressable” at http://www.ecfr.gov/cgi-bin/retrieveECFR?n=sp45.1.164.c#se45.1.164_1312; and
the HHS HIPAA Encryption FAQ at http://www.hhs.gov/hipaa/for-professionals/faq/2001/is-the-use-of-encryption-mandatory-in-the-security-rule/index.html

Have You Talked to Your Telecom Vendors Recently?

By Anthony M. Puntillo DDS, MSD

Many of you have no doubt seen the television commercials announcing the merger of AT&T and Direct TV. This merger is just another sign of the digital transformation the United States telecommunication industry is undergoing. This transformation is being driven largely by an insatiable consumer desire for data and bandwidth. If you have transitioned your practice to digital, and many have, chances are high that you discovered your office hard drive was full and needed to be upgraded. Furthermore, single-location practices are becoming rarer, and it can be challenging to access all of this additional data when and where you need it. This issue is even more pronounced in the increasing number of practices that utilize 3D CBCT machines, as the DICOM files generated by these machines can be as large as 700 megabytes.

My practice consists of four office locations, three doctors, and three CBCT machines. All our locations are networked to a single server, and all patient data is securely accessible at each location and externally via a virtual private network (VPN). Our Voice over IP (VoIP; see Dr. William Engilman’s post from May 2012) telephone system connects all our offices and staff seamlessly. To make all these systems work we require stable bandwidth, and lots of it. That bandwidth comes at a significant monthly fixed cost for our practice. Recently, in an effort to make sure we were getting the most for our money, we asked our IT consultant to review our contracts and plans with all our telecommunication network providers (i.e., AT&T, Comcast, etc.). Their review found that by bundling some services (i.e., phone, internet access, etc.), additional bandwidth, and consequently improved efficiency, was available for a similar monthly cost. In the cellular world, companies such as AT&T, Verizon, T-Mobile, and Sprint are investing heavily in infrastructure upgrades. These upgrades are being used to offer consumers deals that were unheard of just 12 months ago. If you have not reviewed your office’s telecommunication vendors and plans within the last 12 months, I would encourage you to use the slower time in your office this fall to do so. You may find significant cost savings or improved services are also available.

Simplifying Management of Satellite Offices

By Matthew Larson, DDS, MS

In the current economy, satellite offices are frequently utilized by orthodontists to increase their area of draw and patient base. Most orthodontists and consultants feel that the additional income offsets the additional overhead expense, but managing multiple office locations clearly requires more effort than maintaining only one location. However, current technology has helped make managing multiple locations easier. One dramatic example that most orthodontists now utilize is electronic charting, so that patient information is easily available at all office locations. Here are a few other tips and tricks to consider:

  • Centralized/Cloud-Based Documents: Most offices ensure that all patient information in their practice management software is either on a centralized server or cloud-based, but many offices are not as attentive to all of their supporting documents. Your satellite office should be able to run exactly like your primary office if desired. It is relatively easy with current technology to ensure all computers have access to centralized training manuals, patient handouts, and current projects. More limited access can be set up for the doctor and select staff to reach more confidential information. Multiple methods can be used to achieve this, such as a shortcut to a shared document folder on the server (if a terminal server is used at the satellite office) or online cloud-based storage such as iCloud, Google Drive, or Dropbox. Please note that iCloud and Dropbox are not HIPAA compliant and Google Drive requires some adjustments to be HIPAA compliant, so these are not ideal solutions for PHI. The goal is that each practice location should have electronic resources in the same location for easy reference, and there should be little to no effort to keep them synchronized.
  • Mileage tracking mobile apps: Deducting business mileage or tracking business miles on the company vehicle can provide a nice tax savings, but maintaining an accurate ledger to satisfy the IRS can be difficult. Multiple mobile apps are available to help keep an accurate log of business miles, such as Mileage Log+, MileagePad, Auto Miles, and Triplog. Some apps will automatically track when you are driving and then miles can be categorized later. Most allow you to export spreadsheets or expense reports for a nice end-of-year summary. Prices are generally under $10.
  • Remote locks and thermostats: I may be slightly biased since our practice is located in Wisconsin, but having a remote thermostat to ensure that heat is turned down when we are not at our office and that the office is warm when we arrive really helps staff morale at the start of the day! Also, there are coded locks available for your front door that allow you to remotely issue one-time use codes for contractors to access the building. Multiple permanent codes can also be set, which allows you to monitor who is entering your office. For example, cleaning staff can be given a unique code so you are aware of when they are onsite. These generally are a few hundred dollars to install, but avoiding extra trips to let in contractors or paying for additional heating/cooling bills can make it worth the expense.
  • Phone lines: Phone systems are a much larger topic, but it is worth at least briefly mentioning that having lines ring at only one location and go to voicemail if they are not answered is outdated. For offices with multiple locations, some type of VoIP system should be strongly considered, which allows lines to be answered and transferred independent of geography. Even with a traditional phone system, look into the additional features offered by the phone company. Generally, lines can be forwarded on certain days of the week, and calls that are not answered within a certain amount of time can be forwarded to the other office (assuming the other office is staffed).

Overall, managing a satellite office can be less stressful using current technology, but some effort must be spent up front to design the correct systems and to implement them.

Improve your Communication through Screen Sharing

By Dr. Doug Depew
Acworth, GA

We all know how frustrating it can be to present your proposed treatment to one parent while the other one is not present, hoping the first one will be able to make a decision by themselves. Typically, however, that is not the case. More often we end up depending on Mom to carry home the dizzying array of information to discuss with Dad. And since she cannot regurgitate all you spent your time explaining, all Dad hears from her is the treatment fee, without hearing an explanation for the fee and all the wonderful things about you and your practice. In order to increase our success, screen sharing allows us to have one parent sitting in the room with you and the other virtually participating in the discussion.

Screen sharing software allows users to share their computer desktop with another individual through their Internet connections. When screen sharing, the other party will see what is displayed on your entire screen in real time. It’s the next best thing to meeting with someone one-on-one. Many of us have been on the receiving end of screen sharing with some of our support companies, study clubs, or for educational experiences. How about being the person to initiate it and use it to our advantage in discussing treatment?

Some screen sharing programs are totally web-based, while others may require you to download a small program. Some programs even allow you to sketch or make annotations the remote person can see. Some vendors offer screen-sharing technology either for free or they may have a cost associated with it (per-use, monthly, or annual fee for access). Any cost is usually pretty small and worth it due to some of the extra features such as the ability to record your sessions, and the high quality images and video content you can share. In either situation, you may share patient photos, digital models, patient education videos, and images of similar cases. Although the “no cost” programs may be adequate for many doctors’ needs, there may be some limitations such as:

  • You can only share with one other person at a time
  • Unable to record the sessions
  • Slow and jumpy video on the remote end
  • No ability to annotate or mark-up the screen

So how do you go about making this happen for new patients? Well, ideally we would love to have both parents attend the initial consultation appointment. Even though we might suggest such on the initial phone call, for whatever reason, it hardly ever happens. The non-attending parent is left with the main deciding factor being the fee.

Through careful scripting during the new patient phone call, confirmation phone call, and upon arriving for their initial appointment, it may be possible to have both parents actively involved in the initial consultation. With some preparation, the second parent can be at work, in front of a computer, and be ready for a call at the appointed time. Screen sharing works best if you are on the phone with the person while sharing your screen. Once the oral exam is finished, simply have Mom call Dad from her cell phone, put him on speaker, and then have him log in to your chosen screen sharing web site by giving him the necessary access code.

In doing so, you are often able to help the parents make a decision at the time of the exam, when they otherwise would not have been able to. In the case a parent is not available at the time of the exam, you can either record that portion of the appointment and make it available to them, or make an appointment to screen share at a separate time. Screen sharing potentially can save both time and money. A second appointment is not needed, there is no need to travel, and it is much more effective explaining things using visuals than to do it verbally.

Screen sharing is also quite helpful in collaborating with our colleagues such as a patient’s general dentist or other specialists. Whether it is reviewing your treatment rationale for a patient’s dentist or navigating around different views of a cone beam CT in real-time, this technology makes it much easier to explain concepts and make joint decisions.

Screen sharing can help enhance communication by sharing information that simply cannot be done just over the phone. And if a picture is worth a thousand words, a video is certainly worth a million words. Screen sharing is a cost effective and convenient way to share our findings with a parent or colleague.

As with all things technological, the number of providers is constantly changing. A simple Google search will show several you can evaluate, many with free trials. Some of the more popular that seem to have staying power are:

  • Join.me
  • Beamyourscreen.com
  • GotoMeeting.com
  • Mikogo.com

CryptoWall Virus Affecting Practices

By Steve McEvoy, Technology Consultant

We are seeing a fast-spreading outbreak of a new virus called CryptoWall affecting many practices. Similar to the Cryptolocker virus that emerged last year, this virus seeks to encrypt all your precious data on your computer and hold it for ransom (asking you to send them $500 USD in Bitcoin to get the decryption key).

What makes this virus so alarming is that as of a few days ago ZERO out of nearly 50 antivirus programs were able to detect it. None.

How to protect yourself

Eventually the Antivirus programs will catch up and learn how to detect it, but at this point in time you need to rely on your own wits and acting responsibly.

So far the virus has been arriving as an attachment to an email message (usually a ZIP or PDF file). We’ve seen it claiming to be airline ticket confirmations, monthly statements from the power company, shipping receipts, etc. Avoid ANY email with attachments that you are not 100% expecting. If you receive an email that you are unsure of – DON’T OPEN IT – and contact the sender by other means to confirm that they did send it to you. Reading the email doesn’t infect your PC; only opening the attachment will.

Signs that you are infected

The virus needs time to tackle the encryption. The longer it goes undetected, the more of your data it can encrypt. You will notice the PC running much slower than normal (since it is using the computer’s processing power to encrypt your files). You may see files named DECRYPT_INSTRUCTION.TXT and DECRYPT_INSTRUCTION.HTML on the desktop, in documents, pictures, mapped drives or any location where you have data saved.


What to do if you suspect an infection

Open the DECRYPT_INSTRUCTION.HTML file and note the time remaining to decrypt your data (they only allow you a short period of time to send them the money before they destroy the data permanently). Once you have that information TURN OFF THE PC. The longer it remains online the more data it can encrypt. Do not attempt to run scans and clean the system, this only buys it more time to encrypt data. Do not connect any external drives to restore backups of data as it will attempt to encrypt your backups when it sees the drives. Contact your IT person IMMEDIATELY for their assistance in recovery.
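The ransom note files named above are the most reliable sign of how far the encryption has spread, and an IT person restoring a practice needs that list of affected folders before touching backups. The following script is an added example (not part of Mr. McEvoy’s post) that an IT person could run against a powered-down machine’s disk mounted read-only, or against a mapped drive, to list every directory containing one of the note files. The note file names are the ones the post mentions; the scan only reads directory listings and never opens, moves or deletes anything, so it does not give the malware more time or touch the backups.

```python
"""Triage helper: locate CryptoWall-style ransom notes on a filesystem.

Added example, not part of the original post. It looks for the note file
names the post mentions (DECRYPT_INSTRUCTION.TXT / .HTML) and reports
every directory that contains one, so an IT person can see how far the
encryption spread before the machine was powered off. It only reads
directory listings; it does not open, move, or delete anything.
"""
import os
from collections import Counter

# Note file names given in the post; matching is case-insensitive because
# Windows filesystems are.
RANSOM_NOTE_NAMES = frozenset({
    "DECRYPT_INSTRUCTION.TXT",
    "DECRYPT_INSTRUCTION.HTML",
})


def is_ransom_note(filename: str) -> bool:
    """True if the bare filename matches a known ransom note name."""
    return filename.upper() in RANSOM_NOTE_NAMES


def find_ransom_notes(root: str) -> list[str]:
    """Walk `root` (e.g. a mapped drive or a user profile folder) and return
    the full path of every ransom note found, sorted for stable output.
    Symlinked directories are not followed so a link loop cannot stall the
    scan, and unreadable directories are skipped instead of aborting."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(
            root, followlinks=False, onerror=lambda err: None):
        for name in filenames:
            if is_ransom_note(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def summarize_by_directory(note_paths: list[str]) -> dict[str, int]:
    """Count note files per directory. The set of keys is the list of
    folders the malware reached, i.e. the scope that has to be restored."""
    counts = Counter(os.path.dirname(p) for p in note_paths)
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    import sys
    # Assumed usage: python find_ransom_notes.py <mounted-disk-or-drive-root>
    scan_root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    notes = find_ransom_notes(scan_root)
    if not notes:
        print(f"No ransom notes found under {scan_root}")
    else:
        print(f"{len(notes)} ransom note file(s) found; affected directories:")
        for directory, n in summarize_by_directory(notes).items():
            print(f"  {directory}  ({n} note file(s))")
```

Run it against the root of each drive the infected PC could reach (local disks and every mapped share), and treat every directory it lists as needing a restore from a backup taken before the infection; a directory with no note is not proof that it is clean, only that the malware had not reached it by the time the machine was turned off.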

Tossing the Fax Machine and Embracing Modern Faxing

By Matthew Larson, DDS, MS

In the modern world, hearing the dial-up noise of a fax machine represents a technological step back in time. However, the widespread use of faxing will likely continue for the following reasons:

  • Universal Acceptance:  Faxing is almost universally accepted by insurance companies and dental offices, while some do not accept emails.  These fax numbers are also typically easier to locate in business directories.
  • Security:  Due to the point-to-point nature of fax protocol, attempts to intercept data will typically cause the transmission to fail.  Therefore, faxing is generally considered secure and meets HIPAA requirements for electronic transfer of data.
  • Legally Binding:  The receiving machine must properly acknowledge that a fax was successful.  This means that the message can legally be considered received, which is different than most other forms of electronic communication, such as email.

These benefits mean that the capability to fax is still important in the modern orthodontic office, but it does not necessarily mean a fax machine is needed. Fax machines function well, but require a modest initial cost ($45 to $200+) and the ongoing expense of an additional phone line (~$20/month). Although it is possible to avoid an additional line by attaching a switch to an existing voice line or using a distinctive ring, these methods are not as consistent as a dedicated line. This option is straightforward, but are there better modern options?

Yes!  Moving from traditional faxing to IP faxing (also known as internet faxing or FoIP – Fax over Internet Protocol) offers numerous benefits and less cost!  It allows an orthodontic office to remove the extra phone line, get rid of a fax machine, and still utilize all the previously mentioned benefits of faxing.  The switch to IP faxing has occurred slowly because previous IP faxing protocols did not interact well with traditional fax lines.  However, modern protocols (T.37 for store-and-forwarding or internet faxing, and T.38 for real-time faxing) have greatly improved reliability.  Options for moving to IP faxing include purchasing software for a computer or a VoIP server, buying a FoIP/VoIP server, buying an IP fax machine, or using a 3rd party online provider.  All these options have certain advantages, but purchasing any equipment or software for the office will incur higher up-front costs and may need ongoing service.

Personally, I feel that most orthodontic offices should consider internet faxing using an online provider. This keeps startup costs low and requires no additional equipment (assuming you already have a computer and internet access). There are a large number of companies to choose between, so I would suggest looking into HIPAA-compliant companies with positive reviews that offer a good price for the volume of faxes sent by your office. Some providers even allow a small amount of online faxing for free (e.g., eFax, faxzero), but some of these accounts may be disabled after 30 days of inactivity. Our office currently maintains a plan for $3.49/month and $0.05 per minute of faxing (Faxage), and our monthly bill has never exceeded $6.00 – much less than the cost of a phone line. For a slightly higher base fee ($6.59/month), some companies offer integration with Dropbox, Outlook, and Google Drive (e.g., Ring Central). Overall, these online services typically offer the following advantages:

  • An online portal where all incoming and outgoing faxes are stored.
  • Faxing using traditional email with an attachment.  (NOTE: this is sent securely from the online service, but will have the limitations of email while being emailed to the service).  A receipt is emailed back when the fax is successfully sent.
  • The ability to directly save the file to the computer and upload into practice management software without printing, keeping the practice paperless!
  • Higher quality images than traditional faxes with the ability to print on any desired printer at your office.
  • The ability to use multiple workstations to send and receive faxes.

There are two potential downsides to consider when switching to IP faxing. First, it is very easy to create a fax number, but it may take more work to keep your existing number. Second, these services typically provide T.37 store-and-forward faxing – meaning they hold the fax in a queue and it may take 1-2 hours to send. If these concerns are not issues for your practice, consider looking into IP faxing to inexpensively and conveniently handle your faxing needs.

A License is Required to Show Movies in Your Office

Recently, a number of AAO members have received a letter from the Motion Picture Licensing Corporation (MPLC) regarding the alleged improper showing of movies in waiting rooms or other areas of the members’ orthodontic offices. The most common letter received is a strongly worded offer to enter into a licensing agreement with the MPLC in order to avoid paying a hefty penalty for future violations.

The AAO has explored the possibility of a group purchasing discount that would cover all AAO members with the MPLC, but has not yet reached an agreement.  Concomitantly, the AAO is exploring other arrangements that would allow members to offer certain videos at a much lower cost than a typical licensing agreement with the MPLC, which costs approximately $340 per year.

Below are some frequently asked questions and answers regarding the MPLC and the display of movies in orthodontic offices:

Q. Is the MPLC a legitimate organization?  Its letter seems like a scam attempt.  
A. The MPLC is a legitimate organization and is at least one of the licensing companies for a number of large media companies, including Disney. It is not a governmental body. It has been known to use tactics that could be described as aggressive with potential customers.

Q. Can I show DVDs of movies in my office?
A. Yes, but you have to have a license to do so. The MPLC and other similar vendors offer umbrella licenses for a set yearly fee. Any showing of a movie that is intended for an audience larger than family or friends, without such a license, constitutes a public performance in violation of the US Copyright Act.

Q. I received a letter from MPLC stating that I am in violation of the law for showing movies without a license, but I don’t even have a TV in my office. Where did they get their information?  
A. A number of orthodontic offices have reported that they have received the letter, but are puzzled because they do not have TVs in their offices. It is unknown how the MPLC gathers its information relative to which offices show such movies without a license.

Q. I have been showing movies. What are my options?
A. You need to either stop showing the movies or buy a license.  Continuing to show the movies without a license puts you at substantial risk for a large penalty—anywhere from $750 to $150,000. Willing infringement, or continuing to show the videos after you have been notified that you are in violation, carries the highest penalties.

Q. Does the MPLC license cover every movie?
A. No. If you buy a license from MPLC or one of its competitors, you should verify with the company which videos you are allowed to show in your office.

Q. Can I simply put my TV on cable/satellite and broadcast CNN, Nickelodeon, the Disney Channel, etc.?
A. You need to check the contract you have with your cable/satellite TV provider to make sure you have the proper service.  Service listed as “residential” typically restricts public performances—i.e., showings for an audience larger than family or friends.

Q. Can I stream movies or TV shows from Netflix or a similar provider?
A. No. Netflix and its competitors restrict usage to personal use.

Electronic Records Transfer: Do You Use E-mail to Transfer Records? Is it HIPAA Compliant?

The August 2014 complimentary lecture of the month is now online. Click the link below to immediately begin viewing:

Electronic Records Transfer: Do You Use E-mail to Transfer Records? Is it HIPAA Compliant?  presented by Dr. J. Martin Palomo.


Tips & Tricks for the Digital Office

By Aaron Molen, DDS, MS

There are several quick and easy technologies available to help you update your office without breaking the bank. Two of my personal favorites are thin clients and dual screens. I believe that the thin client workstation is the most underappreciated and underutilized tool in many people’s IT toolbox. A thin client is a mini-computer about the size of a paperback book that depends on an external server to perform its computations. Most of us are used to working on fat clients, which is simply another name for a personal computer that does all of its own computations. Simply put, if a fat client were to lose its network connection it could still function on its own, but if a thin client loses its network connection, it is dead. Why would you want a mini-computer that can’t function without a network connection? Two words: cost & scalability. Thin clients cost half as much as a traditional computer and, due to their size, can be placed just about anywhere. Because they take their orders from a central server, they can be swapped out with ease and don’t require reprogramming. Adding workstations becomes easy instead of a chore and allows you to scale your practice upwards as it grows. I personally use Wyse (now owned by Dell) thin clients and link them to my primary server using Microsoft’s Terminal Services. The latest thin clients even contain graphics cards which allow you to support multiple monitors and 3D imaging software. The capabilities of thin clients have slowly blossomed under the radar and should be considered by any orthodontist looking to add workstations.

The idea of dual screens may seem simple, but it’s vastly underutilized within orthodontic offices. Though there is a period of adjustment, the efficiency and productivity of your team members will increase once they begin using dual monitors at their workstations. Though many offices have placed dual monitors in their doctor’s personal office, they sometimes underestimate the benefits of equipping their administrative and clinical teams with the same technology. Having the ability to keep imaging software up on one screen and management software up on another is indispensable in my mind. Most computers and thin clients support dual screens, and those that don’t can be easily retrofitted to support them using an inexpensive PCI card. There’s also no reason to settle for just two monitors. If two is good, then at some workstations, three or four screens may be even better.