Sharing Cone-Beam CT Images Online

By Dr. Dan Gauer

When diagnosing and planning treatment for interdisciplinary patients, have you ever sent your three-dimensional images to a colleague? Have any of your patients requested a copy of their records for a second opinion? Or has a patient declined a radiograph because another orthodontist recently took a CBCT image? In all of these instances, you will need to communicate with the other office to initiate the transfer of CBCT images. The purpose of this blog is to describe different methods for sharing patients’ CBCT records online.

Images acquired in your office are requested by a second orthodontist/dentist:

The first question to answer is whether the other office is able to view and analyze the images in three dimensions. In a few instances, I have found myself trying to transfer a full three-dimensional file when the second orthodontist just wanted a cephalogram and a panoramic radiograph. If this is the case, your software will probably allow you to create a synthetic cephalogram and panoramic radiograph that can be emailed through a HIPAA-compliant email account. If the second orthodontist requires a three-dimensional image, two scenarios are possible:

Case scenario 1: Second orthodontist owns software to read and visualize CBCT images.

In this case, your software can export the CBCT images in DICOM format (Digital Imaging and Communications in Medicine). DICOM files are large, so a file transfer application is needed. Once transferred, the files can be imported into the second orthodontist’s software for visualization and analysis.

Case scenario 2: Second orthodontist does not own three-dimensional imaging software.

Under this case scenario, the second orthodontist would need both the CBCT images and a three-dimensional viewer. Three main options are available.

Option 1: If you own a CBCT machine, your software can generally create a file that bundles both the image data and a basic viewer. These files are large and can be transferred with a file transfer application.

Option 2: Anatomage offers the option of uploading your CBCT images to the cloud, where they can be accessed online through Anatomage’s application, which acts as a visualization tool. At this point the software is in beta and can be accessed at www.anatomagcloud.com. You, as the generating office, upload the images to the AnatomageCloud database and use the application to grant the second office access to the specific patient’s images. Access is granted with a link embedded in an email. Once authorized, the second office can view the images online without downloading them or installing any software.

Option 3: Dolphin Imaging offers a complimentary viewer, https://www.dolphinusers.com/dolphin-imaging-viewer/. The receiving doctor can view 3D images by downloading and installing the Dolphin Imaging Viewer. Files are transferred in the DAZ file format, which is proprietary to Dolphin Imaging; the originating doctor creates them with Dolphin Imaging 3D software. Option 3 also works in Case Scenario 1, when both doctors use Dolphin Imaging 3D software. In that case, however, only the images themselves need to be transferred, such as the DICOM files, because the viewer is already part of the software installed at the receiving office.

Images acquired by other offices:

Images that you receive from other offices should be requested in DICOM format, so that you can import them into your own 3D software. If you receive the file in a format other than DICOM (often one that bundles a viewer), your analysis and measurement options are limited to what that viewer provides, whereas your own 3D software most likely includes all the features you need for visualizing and measuring 3D images. If both offices use Dolphin Imaging 3D software, the proprietary DAZ format can be used to transfer and share images. The advantage of this approach is that all patient images, both 3D and 2D, are shared at once.

In summary, as Cone Beam CT becomes more common in practices, sharing 3D images with other treating doctors or practices requires some additional steps. The first step is to start the conversation with the second office to establish the best system for sharing images. The advantages of 3D images over traditional 2D images are beyond the scope of this blog, but once you become accustomed to a transfer and visualization system, collaboration between doctors and patient care may improve.

Big Data Revisited

By Anthony M. Puntillo DDS, MSD

In August 2014, I wrote an introductory article for this blog entitled “What is Big Data and How is it Related to the Practice of Orthodontics?” As more orthodontic practices move to the digital collection of orthodontic treatment records (EHRs: photos, models, radiographs, treatment history) and more of our data is stored in the “cloud”, there is a tremendous opportunity for us as a profession to use that data for the betterment of our patients and the advancement of our specialty. Over the last ~3.5 years, however, there has been little visible traction by our researchers and leadership on this front. Meanwhile, there should be no doubt that corporate entities (DSOs and orthodontic vendors) understand the value of our data. Check out the recent cover article for Fortune Magazine (“Tech’s Next Big Wave: Big Data Meets Biology”, 3/19/2018). The article notes that “The quest to retrieve, analyze, and leverage (medical) data has become the new gold rush.” If orthodontists hope to have any influence on how orthodontic treatment is delivered in the future, management of our patients’ data will be crucial. Technology has sped up every aspect of our lives. We must now start to give this issue the attention it desperately demands. But where should we begin?

If we are to tackle this challenge, there are many complex questions that will need to be answered. Our patients’ privacy is not the least of these. Even with our busy professional and personal lives, I imagine it has been hard for most to miss the recent public flogging of Mark Zuckerberg and Facebook. Both he and his company were taken to task by Congress and the media when they revealed that the personal data of 87 million of their users had been inappropriately accessed by an outside research company. As a result of these disclosures, politicians are threatening regulations for their industry – think HIPAA for Silicon Valley. More than 2.5 million people seek orthodontic treatment annually. As we look for the best ways to use our patients’ treatment data to improve their care, we must make certain that it is done in a way that respects every patient’s privacy. While privacy may be where we start, there are other, even more difficult issues that need to be addressed.

The complexity of the Big Data issue will require the input from the brightest minds both from within and from outside of our profession. To that end, the Great Lakes Association of Orthodontists has put forth a resolution to this year’s American Association of Orthodontists House of Delegates. Resolution 18-18 GLAO (http://hod.live.aaoinfo.org/resolution2/18-18-glao-big-data-task-force-and-records-repository/) requests that our Association President appoint a Big Data task force. I would encourage you to review the resolution and let your representatives (HOD Delegates) know your feelings. While this issue is certain to require a significant investment of time, talent and financial resources, we cannot afford to leave this investment to outside sources. Those who control the data will control the future.

Is your Password Already Floating Around on the Internet?

By Steve McEvoy, Technology Consultant

Passwords are a pain. You need them when you turn your computer on, open your practice management software, access your email and use almost any other Internet service, like Gmail, Pandora, Dropbox, Facebook, etc. Keeping track of all of them is a hassle, and it is human nature to look for shortcuts – many people use the same password for multiple sites.

Hackers are constantly looking for ways to steal information. Information is the new ‘gold’ on the Internet. The mention of ‘hacker’ conjures up images of a mysterious character lurking in a dark room, presumably hard at work trying to guess your username and password to gain access to your information. While this may still be the case in some situations, the hackers are smart folks, and they have moved on to where the real gold is. Rather than hacking us one person at a time, they are going after the websites where all of our collective online information lies.

Do you have an online account with any of these sites? LinkedIn, Yahoo, Dropbox, Adobe, Target, Home Depot, Comcast, Bell, Equifax or Experian? What all these sites (and many others I haven’t listed) have in common is that they were hacked, and some of the valuable information stolen included usernames and passwords for their site. Tens of millions of usernames and passwords have been stolen. The hackers have realized that putting their efforts into breaking into a website yields much more information about you than trying to hack you directly.

How do you know if your username and password were breached?

Can you rely on the hacked website to notify you? Some sites, when they discover they have been hacked, implement a mandatory password change the next time you attempt to access the site. Has this ever happened to you? You log in to a website, and it immediately prompts you to verify your identity and change your password? It did for me a while back when I was using Dropbox. What they didn’t point out was that they had been breached, and for some period of time hackers could have accessed my data.

Can you even rely on the websites to know when they have been hacked? How would they know? It’s not like a traditional crime where you might see the broken window. Companies that aren’t making security a principal focus may be completely unaware of the breach and your user information for that site might be already out in the wild.

Troy Hunt is a security expert and Microsoft Regional Director (a recognition program, not an employee role); he’s one of the white hat hackers on our side. He had the great idea to compile a list of all the hacked accounts he could find. He scoured the ‘dark web’ to get copies of the information being sold from successful hacks (there is a thriving retail market for this, fueled by Bitcoin). He found nearly 5 billion accounts (that’s a B, not an M) from 265 known breaches. Then he created the website “Have I Been Pwned” (www.haveibeenpwned.com). That’s not a typo: “pwned” is online gaming slang that roughly means “I own you” or “I conquered you”, just as a hacker may have. His website is free to all. You can go to the site, enter the username you often use online (for most people, their email address) and it will tell you whether that username appears in any of the breaches it knows about. I tried it with mine and found my information was leaked in the Adobe and Dropbox breaches.

You can also enter a password to see if the password is already in the known hacked password list. In the example shown here, I am testing the password that Invisalign Intraoral scanners use by default. Pwned.

A word of caution. Should we really trust that whoever is behind the website isn’t recording all the passwords tried? What if they get hacked? My advice is to be careful here and NOT to test any of your CURRENT passwords that protect precious information (like your online bank account password). I know this is counter-intuitive, since this is the first password you want to test to see if it’s safe.
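The concern above is exactly why the Have I Been Pwned password check is designed so that the password never has to reach the site. The Pwned Passwords service accepts a k-anonymity range query: your client hashes the password with SHA-1, sends only the first five hex characters of the hash, and gets back every hash suffix in that range along with a breach count; the comparison is done locally, so neither the password nor its full hash leaves your machine. The Python below is an added example written for this page, not code from the original post or from the Have I Been Pwned project. The range response is a constructed sample (the first entry is the genuine SHA-1 of the string "password"; the counts are illustrative), and `fetch_range` stands in for the HTTPS call to `https://api.pwnedpasswords.com/range/<prefix>` so the example runs offline.

```python
import hashlib

# Constructed sample of a range response for the SHA-1 prefix 5BAA6. The real
# endpoint returns several hundred "SUFFIX:COUNT" lines per prefix; the first
# suffix here is the actual SHA-1 of "password", the counts are made up.
CONSTRUCTED_RANGE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "0000000000000000000000000000000000A:2\r\n"
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1\r\n"
    ),
}


def hash_password(password: str) -> str:
    """Uppercase hex SHA-1, the form the Pwned Passwords corpus is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str):
    """k-anonymity split: the 5-character prefix is the only thing ever sent."""
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    Reads the constructed table so the example is offline; replacing this body
    with an HTTPS GET of the real endpoint is the only change a live client needs.
    """
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix, "")


def parse_range(body: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into a {suffix: count} map."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str) -> int:
    """How many times the password appears in the breach corpus (0 = not found).

    The full password and the full hash stay inside this function; only the
    prefix is passed to fetch_range.
    """
    prefix, suffix = split_hash(hash_password(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate)
        verdict = f"seen {n} times in breaches, do not use it" if n else "not in the known-breach list"
        print(f"{candidate!r}: {verdict}")
```

Note the limits of the check: a password that is not in the corpus is merely not known to be leaked, and the range response only tells you that some suffix matched, so the result is a hint about reuse, not a strength meter.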

Remember the bad habit people have of using the same username and password at multiple sites? If that’s you, and the hackers got your username along with your password when they hacked one of these sites, I can guarantee you that these are the first things they will try at other websites to see if they can get in (perhaps your bank). If the usernames and passwords are the same, they get immediate access without even needing a second guess. It happens all the time.

Consider all this carefully. Check the email address you typically use for user accounts at HaveIBeenPwned.com. Perhaps check a password you use all the time. If you discover you have been pwned, change your passwords at all the sites that share that username immediately.

Time to Upgrade from Microsoft Office 2007

By Steve McEvoy, Technology Consultant

Almost every orthodontic practice has some version of Microsoft Office installed on one or more computers, and it’s very likely you do too.

Just like the Windows operating system, Microsoft only provides patches and support for products for a limited amount of time. Remember the Windows XP end-of-life hubbub from a few years ago? Well, this is the same thing with a different product.

If you use any version of Microsoft Office 2007, the extended support cycle ended on October 10th, 2017 (read the official notice here). This means Microsoft will no longer release security updates or patches for it. If some huge security vulnerability is found that might allow a hacker some form of control, they won’t be patching the hole, and the only option will be to replace the software.

This is planned obsolescence. Microsoft desperately wants to convince you to retire your really old versions and upgrade to the newest. Of course, this comes at a cost. Will your old version stop working? No, it will run fine just as it always has; the only thing that stops is any form of patch or update.

You will likely see notices from practice management companies that rely on Microsoft Office as part of their requirements that they will no longer support systems that still have Office 2007 installed. Why? Because it’s a liability for them, and they too want you to upgrade to the latest version of Microsoft Office.

What does this mean practically? Well, in my opinion, this is a 10+-year-old piece of software. It’s now out of support. It isn’t supported on Windows 10. My advice would be to keep it in place on your old PCs until you replace the entire PC (because that PC is probably really old too) and buy a new version of Office at that time. If your practice management company makes a fuss about replacing it, I would acquiesce and purchase the new version rather than fighting it.

What would an upgrade cost? There is no ‘upgrade’ price for Microsoft Office. You are stuck buying either the retail version, a version that may be available with your new PC, or perhaps even the cloud version called Office 365, which allows you to install a local copy on your computer. Generally, they all work out to about the same price – roughly $200 per PC.

What Your Email Address Says About You

By Steve McEvoy, Technology Consultant

Sending business emails ending with @Netcom.com, Aol.com, Earthlink.com and soon Yahoo.com are tell-tale signs you aren’t keeping up. People notice and may ask you if you are still driving the ‘72 Ford Pinto as well.

Using personal accounts from your Internet Service Providers (ISP) also looks old school like Comcast.net, TimeWarner.com, RoadRunner.com, SBCGlobal.net.

There is no rule making us keep up, or against driving a ‘72 Pinto, but I’d argue if you are in a marketing battle for new patients, this is just one small aspect you can easily improve.

For work, you really should have an email address on your practice’s domain: DrSmith@SmithOrtho.com or DrJones@SmileDental.com, for example. People expect this, and when they see FlyingPigs65@aol.com, you send a subtle message that isn’t positive.

You might certainly have a private, personal email account as well, but even for that, you should consider using something like BobSmith@gmail.com or JaneJones@Office.com.

This should also apply to any of your staff using email on behalf of the practice.

There may be other motivating reasons as well. Companies offering email services for free (AOL and YAHOO) that aren’t thriving financially in their core business won’t be putting development resources into keeping products current, safe and secure.  The news is full of stories about hacked email accounts and ransomware which typically makes its way into your computer via email. Companies like Google, Microsoft, and Apple have reputations to maintain and will have the resources to keep up.  If you are going to use a free email service, I might suggest you look to one of the major players.

Changing your primary email account is always a major hassle, and this is likely what has kept you from making the switch.  Setting up a new email account, and merely forwarding all the email from your old account indefinitely isn’t the right solution. Your old email account can still be hacked, and the company can still go out of business.

The steps generally are:

  • Set up your new email account, and take this opportunity to make sure the password is a hard one. I’d suggest you set up two-factor authentication on it as well.
  • Link your new account to your PC, phones, tablet, etc.
  • Using your old email, notify EVERYONE in your contact list that you are changing your email to the new one effective immediately. You can do this in one mass email, but be smart about it and put all the recipients in the BCC list so they don’t see everyone else you sent it to. Put only your own address in the To: field.
  • Configure your old email account to forward to your new one (for a while).
  • After a month, check your old account to see if anyone you know is still using the old address, then contact them directly to start using the new one.
  • After another month, turn off the forwarding from your old account and delete it with the vendor. Gone forever, but no more risk of it being hacked.

You can also always enlist some help from your IT person, they should be well familiar with the process.

Reevaluating Your Password Management

By Dr. Matthew Larson

We live in an amazing age where the world is at our fingertips… if only we could remember our password.

It’s no surprise that passwords can be a frustrating part of our digital lives. Websites have different password requirements, and passwords have to be changed at different intervals. In theory, there are clearly good reasons to have high standards for strong passwords. However, in real life this often means the same password is used for multiple websites, and passwords are saved in other locations so they can be remembered.

Here are a few questions to ask yourself about how you handle passwords in your office:

  1. Do you use strong passwords when needed?
  2. Do you have UNIQUE passwords for different sites?
  3. Do you change passwords when you have changes in staff?
  4. Do you keep important passwords private? (This means not posted in plain sight! In many practices the private WiFi password or Invisalign login can be easily found by opening the drawer or cabinet near the computer.)

If you answered no to most of the questions above you may want to consider a password manager app. (If you answered yes to all the questions and do NOT use some form of password manager, I would love to have your memory.) There are many good password manager programs – some are built into web browsers (Internet Explorer, Google Chrome, and Safari all have password managers) while some are 3rd party programs (some of the more popular ones are LastPass, Dashlane, 1Password, and Password Safe). These programs and apps can help manage your existing passwords and help create strong new passwords.

Here are my personal thoughts when selecting a password manager program:

  • Select a program that requires a strong master password to open the app. This rules out most default password managers within web browsers, although browser extensions are available for many of the 3rd party programs, and those do require a separate logon. This master password unlocks all your other passwords, so carefully create a unique and very strong one.
  • Select a company that has a strong history with good reviews. You want a company with a strong reputation that will continue to maintain high security.
  • Expect to pay a small fee for a high quality company. These programs are inexpensive overall (most range from free to about $5 for the app), so don’t get too caught up trying to find a bargain. A bargain price typically means they are either trying to grow (and then will likely increase fees later) or they are making money through other venues (and the priority may not be the password management program).
  • Use a program that works on mobile devices, Windows computers, and Macs so you can utilize it on all your devices. Additionally, make sure you can sync your database files easily in the cloud between devices.

Related to the database files, ensure the program you choose keeps its database file encrypted. This means both the program and the master password are required to open the database. All the 3rd party programs mentioned above encrypt their databases with AES-256 (which is much better than a Word document on Dropbox).
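To make concrete what “the master password unlocks an encrypted database” means, and why that master password must be strong, here is an added Python example written for this page; it is not code from 1Password or any of the other products named above, and each of them uses its own scheme. The master password is stretched with PBKDF2-HMAC-SHA256 and a random per-vault salt into a 256-bit key (the size an AES-256 cipher would use), and a keyed check value lets the app tell a wrong master password from a right one without ever storing the password or the key. The header layout, the check-value constant and the iteration count are this example’s own choices; the password generator shows how such tools produce the strong, unique site passwords the post recommends.

```python
import hashlib
import hmac
import secrets
import string

# Cost parameters chosen for this example. 600,000 iterations of
# PBKDF2-HMAC-SHA256 follows current OWASP guidance; every guess an attacker
# makes against a stolen vault has to pay this same cost.
PBKDF2_ITERATIONS = 600_000
KEY_LENGTH = 32            # 256-bit key, the size an AES-256 vault cipher would use
SALT_LENGTH = 16
CHECK_LABEL = b"vault-key-check"   # example's own constant for the check value


def generate_password(length: int = 20) -> str:
    """Random site password from the OS CSPRNG, containing every character class."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, "!@#$%^&*-_=+")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in classes):
            return candidate


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the master password into the key that would decrypt the database."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LENGTH)


def create_vault_header(master_password: str) -> dict:
    """Build what the app would store beside the encrypted database.

    Only the salt, the iteration count and HMAC(key, CHECK_LABEL) are kept;
    neither the password nor the key is written anywhere.
    """
    salt = secrets.token_bytes(SALT_LENGTH)
    key = derive_vault_key(master_password, salt)
    check = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "check": check}


def unlock_vault(master_password: str, header: dict):
    """Return the derived key if the master password is right, else None.

    compare_digest keeps the comparison constant-time so the check value
    does not leak how many bytes of a guess were correct.
    """
    key = derive_vault_key(master_password, header["salt"], header["iterations"])
    expected = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return key if hmac.compare_digest(expected, header["check"]) else None


if __name__ == "__main__":
    header = create_vault_header("a long, unique master passphrase")
    print("right password unlocks:", unlock_vault("a long, unique master passphrase", header) is not None)
    print("wrong password unlocks:", unlock_vault("password123", header) is not None)
    print("new site password:", generate_password())
```

The design point: because the salt is random, two vaults protected by the same master password derive different keys, and because the iteration count is high, a stolen database can only be attacked at a few guesses per second per core. That cost is the same for every attacker, so the remaining variable is how many guesses the master password forces; a short or reused one undoes the rest.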

Currently, I personally use 1Password (https://1password.com/ ), mainly because I like the “Teams” option that allows you to share passwords between team members. You do this using shared “Vaults” as shown below. They charge per user so currently I only have one account for my personal use and one account that the staff uses for ordering and insurance. The program also allows you to save credit card information and profiles, so entering information on a new website goes much quicker. It is also a great way to organize NPI and license numbers for you and your team.

Another nice benefit of these managers is that you can actually load the sites and passwords very quickly and efficiently. I found myself actually saving time going through and paying bills after switching to a password manager because loading every site basically just takes a couple clicks of the mouse. A couple screenshots of how this looks on a mobile device are shown below. (I use this as quick access to my office Facebook account, since the app on my phone has my personal account saved.)

Some may have security concerns by having all your passwords stored in one spot. However, keep in mind that this is the focus of the company and they likely can manage it better than most people can with the little time they realistically devote to it. The first step to deciding if this type of program is right for you and your practice is an honest look at the security and efficiency of your current systems. If managing these passwords is stressful or they are not being stored securely, take a look into what current password manager programs can add to your practice.

2017 Winter Conference – Technology: Balancing Profit, Lifestyle & Patient Care

By Dr. Doug Depew

The 2017 AAO Winter Conference is quickly approaching. The theme of this year’s meeting is Technology: Balancing Profit, Lifestyle and Patient Care. It promises to be a meeting filled with information for both newer and established practices to help make those tough decisions about which technology is important to use in our practices and when we may wish to invest in it.

The meeting will begin with keynote speaker Jack Shaw. Mr. Shaw is a world-renowned technology futurist who will discuss how cutting-edge and disruptive technologies will change the way we do business and run our practices in the coming years.

IT guru Steve McEvoy will be answering some of those pesky questions we all have about computer hardware, effective and cost-efficient data backup, and security. In the ever-changing world of computers, what you hear at this meeting will certainly be different from what Mr. McEvoy would have talked about even a couple of years ago.

On Friday afternoon we’ll have a lively discussion by Drs. Greg Jorgensen and Neil Kravitz regarding building our practices through social media, websites, and Internet marketing. Their success in these areas has been instrumental in growing their thriving practices.

Saturday morning will begin with Dr. Aaron Molen sharing his experience and thoughts on bringing emerging technology into our practices to help create more efficient and more comfortable patient care.

We’re excited to have Drs. Ed Lin and Christian Groth discussing how to integrate some of the latest technology hardware into our orthodontic practices. This includes workflows for using CBCT, Scanners and 3D Printing.

The conference will conclude with Chris Bentson and Charles Loretto with a discussion on how technology can affect the value and profitability in our practices. This should help answer the question about at what stage of practice a doctor might consider investing in advanced technology.

The location for the meeting is at the gorgeous Marriott Harbor Beach Resort and Spa in Ft. Lauderdale, Florida. The dates are February 10-11, 2017. The schedule is organized in a way to allow some time for afternoon recreation.

There will be plenty of time allotted for attendees to ask questions of the speakers to be sure all bases are covered. To learn more and to register, visit https://www.aaoinfo.org/meetings/2017-winter-conference-technology-balancing-profit-lifestyle-patient-care

Am I legally responsible if I receive a patient referral from another dentist and it is sent to me unsecured?

By: Charlie Frayer, JD, MS, HCISPP, CIPP, CIPM

DISCLAIMER: Protected Trust cannot and does not provide legal advice, and the following question(s) and response(s)—like everything else we publish—are not intended as legal advice or opinion. If you need legal assistance, you should contact an attorney licensed to practice law in your jurisdiction.

For the purpose of this answer, we assume that “sent” means “emailed.” Yes, it is possible that you could be responsible if something bad happens to the patient’s electronic protected health information (ePHI) contained in the email referral, but only if it happens after you receive it.

Under HIPAA, a health care provider is called a “covered entity”. The HIPAA Privacy Rule defines “treatment” to include, “…the referral of a patient for health care from one health care provider to another.” The Privacy Rule also states that, “A covered entity is permitted to use or disclose protected health information…[f]or treatment…”. Therefore, under the scenario you describe, neither the referring dentist nor you are violating HIPAA by merely sending (disclosing) or receiving a patient’s ePHI as part of a referral. Given this good news, the core question now becomes, “Does a covered entity violate HIPAA by sending (or receiving) ePHI in an “unsecured” manner?” Again, the answer is mostly good news, but BE VERY CAREFUL AND READ THE REST OF THIS RESPONSE!!!

First, we have to know what makes ePHI “unsecured” vs. “secured”. Then, we need to know whether HIPAA requires ePHI to be secured (seems like a silly question, but you’ll probably be surprised). And, lastly, if HIPAA does not require ePHI to be secured, what risks do you face by choosing to leave it unsecured?

Unsecured vs. Secured ePHI
The HIPAA Breach Notification Rule states that, “Unsecured protected health information means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary [of HHS] in the guidance issued…”. The HHS guidance emphasizes the use of encryption to make ePHI secure. So, technical details aside, the simple answer is that “unsecured” means unencrypted, and “secured” means encrypted.

HIPAA: Encryption Is NOT Required…What?!?
That’s the title of one of our blog posts from Feb.-Mar. 2016—republished by AAO, which we highly recommend that you read immediately (here or here). Although you would be crazy to not use encryption when emailing ePHI—because the risks are enormous, it is true that HIPAA does not literally require encryption (again, read our blog post here or here right now). Rather, what the federal government decided to do was strongly encourage the use of encryption by making it a get-out-of-jail-free card (apologies to Parker Bros.). Under the HIPAA Breach Notification Rule, you must notify certain persons and/or entities whenever you have a breach (e.g., a loss or theft) of unsecured (unencrypted) ePHI. For example, depending on the breach details, HIPAA requires notifying not only the affected patients, but also the federal government (HHS) and prominent members of the media. But—and here’s the GREAT NEWS—if you have a breach of secured (encrypted) ePHI, you do not have to notify anyone. Why? Because the loss or theft of encrypted ePHI—which cannot be read without the key(s)—is not considered a breach at all. So, encryption=no breach=no notifications=no problems for you.

Risks of NOT Encrypting ePHI Emails
If you’ve already read the above-mentioned blog post—and, if you haven’t, stop now and do so immediately (here or here), then you already know the frightening list of risks you face for not using encryption. In summary, in the event of a breach of ePHI:

No Encryption = Notification(s)

Notification(s) = Investigations, Fines, Lawsuits, PR Disaster, and Lost Business

Investigations, Fines, Lawsuits, PR Disaster, and Lost Business = Wasted $,$$$,$$$.

Our Recommendations

  1. Never email ePHI without using Protected Trust Healthcare Email Encryption.
  2. Require all of your fellow covered entities (e.g., health care providers and insurers), other business associates, and patients to use Protected Trust Healthcare Email Encryption.

IMPORTANT REMINDER: As a Protected Trust client, all of these third-party persons and entities can communicate securely with you, free of charge, and forever. No catch!

  3. To comply with HIPAA, make sure everyone in your office has their own Protected Trust Healthcare Email Encryption account (shared accounts are not permitted by HIPAA).

HIPAA: Encryption is NOT Required…What?!?

By Charles E. Frayer[1], JD, MS, HCISPP, CIPP, CIPM

Introduction
No, that headline is not a misprint. Contrary to common assumptions—and what many email encryption providers may tell you, Congress, in its infinite wisdom (stop laughing, please) decided that the Health Insurance Portability and Accountability Act (HIPAA) should not—and, therefore, it does not—require the use of encryption to secure your patients’ private medical data (aka, electronic Protected Health Information or ePHI).

WARNING: IF YOU STOP READING NOW AND SIMPLY DECIDE THAT YOU DO NOT NEED ENCRYPTION, YOU MAY WAKE UP ONE DAY TO THE WORST FINANCIAL AND PUBLIC RELATIONS NIGHTMARE IMAGINABLE. SO, READ ON…

Required vs. Addressable: What’s the Difference?
In HIPAA, Congress adopted two types of implementation specifications—“required” and “addressable.” Those labeled “required” must be implemented or it will be deemed an automatic failure to comply with the HIPAA Security Rule. On the other hand, those labeled “addressable” must be implemented only if, after a risk assessment, the covered entity (that’s you, if you’re a Health Care Provider, a Health Plan, or a Health Care Clearinghouse) has determined that encryption is a reasonable and appropriate safeguard for managing risks to the confidentiality, integrity and availability (CIA) of ePHI. A brief sidebar about the CIA triad: confidentiality protects against unauthorized disclosure; integrity protects against unauthorized modification or destruction; and availability protects against disruptions to access and use of ePHI. Okay? Now, back to our story…

However, if you determine that encryption is not reasonable and appropriate (think about this carefully), then you must document your rationale for that decision and do one of the following: (a) implement an equivalent alternative to encryption that is reasonable and appropriate; or (b) if safeguarding ePHI can otherwise be achieved, then HIPAA even allows you to choose not to use encryption or any equivalent alternative measure, provided that you also document the rationale for this decision.[1] Shocking, isn’t it? Yes, Congress effectively (is that an oxymoron?) allows you to do nothing, provided you can and do back it up.

Now, if you’ve thought about that carefully, you’re probably wondering something like, “What if HHS audits me and they don’t agree with my carefully documented rationale for deciding that encryption is not reasonable and appropriate to protect my patients’ private medical data?” Perfect question! And therein lies the problem. It is difficult (impossible?) to even imagine a situation for which it would be “reasonable and appropriate” to decide not to use encryption to protect ePHI (remember, that lowercase “e” stands for “electronic”). So, even though HIPAA does not literally require encryption, it effectively requires encryption because there is no reasonable and appropriate alternative for protecting ePHI.

In other words, when it comes to using encryption to protect ePHI, there is little (if any) difference in Congress labeling it as “addressable” rather than “required” because not using encryption is simply too risky for your patients’ ePHI and, therefore, even riskier for your business.

Encryption: HIPAA’s Data Breach Safe Harbor
Under the HIPAA Breach Notification Rule, there are essentially two types of ePHI—unsecured (i.e., unencrypted) and secured (i.e., encrypted). Under HIPAA, every breach of unencrypted ePHI requires you to provide time-bound notifications to: (1) affected patients; (2) the Secretary of HHS (i.e., the federal government); and/or (3) prominent local/state media outlets. This, of course, will put you at risk of federal and/or state investigations, fines, possible lawsuits, and the worst kind of public relations disaster imaginable, which will almost certainly result in lost business.

But there is good news…no…GREAT NEWS!!! Under the Breach Notification Rule, encrypted ePHI that is “breached” (e.g., lost, stolen, or accidentally/intentionally sent to the wrong recipient) is not considered a breach at all because ePHI that is encrypted cannot be read or otherwise used without the key(s) required to decrypt it. Consider some of the risks of emailing your patients’ ePHI unencrypted versus sending it via encrypted email, as follows:


So, if you use it, encryption is your lawful HIPAA-endorsed safe harbor against everything you want to avoid in the event of a breach of ePHI. Going back to our previous segment, even if you somehow came up with that rarest of all situations (one where using encryption to protect ePHI was not reasonable and appropriate), you still need to use it because doing so gives you a complete “out” when the worst of all possible ePHI scenarios—a data breach—occurs (i.e., you get to simply walk away).

In summary, although HIPAA does not literally require encryption, Congress nonetheless has effectively mandated its use because (i) it is all but impossible to think of a real-world situation where encrypting ePHI is not reasonable and appropriate; and (ii) if you choose not to use it, you are exposing your business to a plethora of regulatory, legal, public relations, and/or financial risks that are easily avoidable—by simply using encryption.

[1] Charlie Frayer is a Michigan licensed attorney and Florida Authorized House Counsel serving as General Counsel and Chief Privacy Officer at Protected Trust, LLC, the leading provider of Simple Email Encryption with 24×7 free and unlimited support via phone, email, and chat.

[1] See: 45 CFR § 164.306(d)(3) detailing the difference between “Addressable” and “Required” implementation specifications at http://www.ecfr.gov/cgi-bin/retrieveECFR?n=sp45.1.164.c#se45.1.164_1306;

45 CFR § 164.312(a)(2)(iv) labeling encryption and decryption as “Addressable” at http://www.ecfr.gov/cgi-bin/retrieveECFR?n=sp45.1.164.c#se45.1.164_1312; and
the HHS HIPAA Encryption FAQ at http://www.hhs.gov/hipaa/for-professionals/faq/2001/is-the-use-of-encryption-mandatory-in-the-security-rule/index.html

Sending Sensitive Patient Data via E-mail

By Dr. Andreas Detterbeck

Communication between clinicians via E-mail is fast, easy, cheap and widely used. But sending an unencrypted E-mail is as safe as sending a postcard: numerous parties have full access to the E-mail correspondence at all times. Violations of patient privacy can have dramatic consequences; depending on national laws, some of these violations may even result in prosecution of the clinician (see HIPAA).

There are many commercial solutions to encrypt your communication, but if you are proficient and experienced in using computers – you should at least know how to download and install software – there is no need to rely on any company. You don’t have to worry about high fees or about losing your correspondence if your preferred encryption provider goes out of business. In this blog I want to suggest a few ways to encrypt your E-mail communication easily and (almost) free of charge:


Encryption of E-mail Communication by S/MIME
If I don’t want my mails to be read by anyone except the recipient, I have to convert the text into some sort of coded or encrypted form. Because it is not easy to invent an encryption scheme of your own and share it with your communication partner, a standardized tool is very helpful. This is where the Secure/Multipurpose Internet Mail Extensions (S/MIME) come in: S/MIME offers encryption and signing of E-mails in a standardized and reproducible way. Most current E-mail programs and free Webmail providers support this process.

Below I will give a step-by-step introduction to implementing S/MIME in your mailing process:

  1. First of all, you have to make sure you are using an E-mail program with S/MIME support (Mozilla Thunderbird, Microsoft Outlook and many more).
  2. Next, you have to buy, or even just create, a certificate from a big commercial or non-commercial certification authority (CA). You may find some references here.
  3. Now comes the hardest step – but don’t worry, you’re almost done:
    Deposit this personal certificate in your E-mail program with S/MIME support. This process differs considerably depending on which program is used. Here are two useful how-to links for the most common software:

Microsoft Outlook
Mozilla Thunderbird

  4. Users who have completed these steps are then ready to send digitally signed E-mails and to receive encrypted messages (you sign a message when you want to prove that the mail comes from you and that the text has not been modified in transit).
  5. If users want to send encrypted E-mails of their own – and not only receive encrypted mails – the recipient needs to have an S/MIME certificate, too.
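
As an added example (not code from Dr. Detterbeck’s post), the exchange described in the steps above carried out with the openssl command line standing in for the mail client: the users alice and bob, their self-signed certificates and the message text are all constructed for this demo, where a real deployment would use CA-issued certificates. It shows why the recipient must also own a certificate, and what signing (integrity) and encryption (confidentiality) each buy you.

```shell
# Added example, not code from the original post: an S/MIME round trip done with
# the openssl command line instead of a mail client. Self-signed certificates for
# the hypothetical users alice and bob stand in for CA-issued ones (offline demo).
set -eu
WORK=$(mktemp -d)
# Key pair plus self-signed certificate for one user.
make_identity() {  # $1 = name, $2 = e-mail address
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$1/emailAddress=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}
# Sender: sign with own key, then encrypt to the recipient. Encrypting needs only
# the recipient's certificate, which is why the receiver must own one as well.
sign_and_encrypt() {  # $1 = sender, $2 = recipient, $3 = plaintext, $4 = output
    openssl smime -sign -text -in "$3" -signer "$WORK/$1.crt" \
        -inkey "$WORK/$1.key" -out "$WORK/signed.eml"
    openssl smime -encrypt -aes256 -in "$WORK/signed.eml" -out "$4" "$WORK/$2.crt"
}
# Recipient: decrypt with own private key, then verify the signature against the
# sender's certificate (trusted directly here; normally via the CA chain).
decrypt_and_verify() {  # $1 = recipient, $2 = sender, $3 = ciphertext, $4 = output
    openssl smime -decrypt -in "$3" -recip "$WORK/$1.crt" -inkey "$WORK/$1.key" \
        -out "$WORK/decrypted.eml"
    openssl smime -verify -text -in "$WORK/decrypted.eml" -CAfile "$WORK/$2.crt" \
        -out "$4" 2>/dev/null
}
# Full exchange; echoes 0 when Bob reads exactly what Alice wrote (CRLF ignored).
smime_round_trip() {
    make_identity alice alice@example.com
    make_identity bob bob@example.com
    printf 'Patient 12345: CBCT study attached (constructed sample).\n' > "$WORK/msg.txt"
    sign_and_encrypt alice bob "$WORK/msg.txt" "$WORK/to_bob.eml"
    decrypt_and_verify bob alice "$WORK/to_bob.eml" "$WORK/received.txt"
    [ "$(tr -d '\r' < "$WORK/received.txt")" = "$(cat "$WORK/msg.txt")" ] && echo 0 || echo 1
}
# Confidentiality: Alice's own key cannot open mail encrypted to Bob (echoes 0).
wrong_key_rejected() {
    ! openssl smime -decrypt -in "$WORK/to_bob.eml" -recip "$WORK/alice.crt" \
        -inkey "$WORK/alice.key" -out /dev/null 2>/dev/null && echo 0 || echo 1
}
# Integrity: changing one digit of the signed text makes verification fail (echoes 0).
tamper_rejected() {
    sed 's/12345/54321/' "$WORK/decrypted.eml" > "$WORK/tampered.eml"
    ! openssl smime -verify -in "$WORK/tampered.eml" -CAfile "$WORK/alice.crt" \
        -out /dev/null 2>/dev/null && echo 0 || echo 1
}
smime_round_trip; wrong_key_rejected; tamper_rejected
```

Note that the ciphertext in to_bob.eml is what actually travels over the internet; everything a mail server or eavesdropper sees is the encrypted envelope, not the signed text.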

For security reasons, your user certificate will normally remain valid for only one or two years; renewals are available from the CA for a small fee or even free of charge.

Conclusion
Maybe you are thinking: this all sounds strange to me, and way too much work is required. There has to be an easier, less cumbersome solution.

But we don’t have the easy solution yet.

Of course you can pay a company for securing and encrypting your communication, but what happens if the company becomes insolvent or decides to wind down its operations? What happens to your documents? There are providers that will still allow you access to your data, but this may not be the case for all providers, so make sure it is before you sign up.

For use in daily clinical practice, I definitely recommend E-mail encryption by S/MIME. It has been an IT standard since 1995, and long-term support can presumably be expected. At the very least, corresponding doctors should have some form of secure communication.

Do not forget: the use of cryptography before sending patient data via E-mail is mandatory! If you are not sure how to encrypt your E-mail communication, it is better to refrain from sending private patient data via the internet at all.

This blog-entry is based on:

Electronic transfer of sensitive patient data.
Detterbeck A, Kaiser J, Hirschfelder U.
Int J Comput Dent. 2015;18(1):45-57.
http://www.ncbi.nlm.nih.gov/pubmed/25911828