The Health Insurance Portability and Accountability Act, which protects patients’ privacy at covered dental practices, imposes hefty fines — ranging from $100 to $1.5 million — for violations of HIPAA requirements.
Whether emailing clinical findings, a patient's digital records or radiographic images, dentists who send patient information through unencrypted email risk exposing that information in a data breach and may be in violation of HIPAA.
Here are five things dental practices can do to help protect patient health information when using email:
1. Do a written risk assessment: The HIPAA risk assessment must take into account all of the dental practice’s electronic patient information, such as electronic dental records, digital radiographs and email. The dental practice must assess where the information is vulnerable, the threats to the information and the likelihood and severity of the risk of compromise. The dental practice must then implement safeguards to reduce risks and vulnerabilities to a reasonable and appropriate level and also document compliance with the HIPAA security standards and specs.
2. Have reasonable safeguards: Examples of reasonable safeguards for emailing patient information may include checking the email address for accuracy before sending or limiting the amount or type of information that may be sent in an unencrypted email.
3. Train office staff: Covered dental practices must train staff on HIPAA policies and procedures. For example, dentists who use email, secure messaging services or health information exchanges must train their office staff on proper use. Training may cover practices such as giving recipients the courtesy of a heads-up phone call or text message before sending encrypted patient information, and providing the decryption password, code or key separately from the encrypted email, such as by telephone call.
4. Send breach notification if patient information is compromised: If patient information is compromised, a dental practice must send breach notification. For example, if a dental practice sent an email containing unencrypted information about a patient to the wrong email address, the dental practice would likely have to notify the patient of the breach, and include information about the incident in the breach log of small breaches that it submits annually to the federal Office for Civil Rights (breaches affecting more than 500 individuals must be reported when the individuals are notified).
5. Honor certain patient requests for unencrypted email: HIPAA requires a dental practice to honor patient requests to communicate by alternative means or at alternative locations if the request is reasonable; for example, if a patient asks the dental practice to communicate with him or her via email (or not to communicate via email) and the practice determines that the request is reasonable. However, if a patient asks the dental practice to send his or her patient information via unencrypted email, and the dental practice has briefly warned the patient that there is some level of risk that the information could be read or otherwise accessed by a third party while in transit but the patient still prefers unencrypted email, then the dental practice must send the information that way.
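The safeguards in items 2 and 5 above (checking the recipient address before sending, limiting what goes into an unencrypted email, and honoring a patient's informed request for unencrypted email) can be turned into a pre-send check in the practice's mail workflow. The following is an added illustration and is not code from the ADA, PBHS or any product the article mentions; the patient record, the email addresses, the keyword patterns used to spot patient information and the `check_outbound` decision rules are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed patient record (assumption for the example). A real practice
# management system would supply this from its own database.
@dataclass
class Patient:
    name: str
    email_on_file: str
    # Set only after the practice has warned the patient about the transit
    # risk and the patient still asked for unencrypted email (item 5 above).
    accepts_unencrypted_after_warning: bool = False

@dataclass
class Decision:
    action: str                       # "send", "route_encrypted" or "block"
    reasons: list = field(default_factory=list)

# Constructed, deliberately simple indicators of the kinds of patient
# information the article names (clinical findings, radiographs,
# identifiers). A real deployment would tune these to its own records.
PHI_BODY_PATTERNS = {
    "clinical_findings": re.compile(r"\b(diagnosis|caries|periodont\w*|treatment plan)\b", re.I),
    "identifier": re.compile(r"\b(dob|date of birth|ssn|insurance id)\b", re.I),
}
RADIOGRAPH_ATTACHMENT = re.compile(r"\.(dcm|jpe?g|png|tiff?)$", re.I)

def normalize_address(addr: str) -> str:
    """Compare addresses case-insensitively and ignore stray whitespace."""
    return addr.strip().lower()

def find_patient_information(body: str, attachments=()) -> set:
    """Return the categories of patient information detected in the message."""
    hits = set()
    for category, pattern in PHI_BODY_PATTERNS.items():
        if pattern.search(body):
            hits.add(category)
    if any(RADIOGRAPH_ATTACHMENT.search(name) for name in attachments):
        hits.add("radiograph_attachment")
    return hits

def check_outbound(patient: Patient, to_addr: str, body: str,
                   attachments=(), encrypted: bool = False) -> Decision:
    """Pre-send gate modelling the article's safeguards (assumed policy)."""
    # Safeguard: verify the recipient address against the address on file
    # before sending. This catches the typo / wrong-recipient case that
    # item 4 gives as an example of a reportable breach.
    if normalize_address(to_addr) != normalize_address(patient.email_on_file):
        return Decision("block", ["recipient does not match the address on file"])

    found = find_patient_information(body, attachments)
    if not found:
        # Safeguard: an unencrypted email carrying no patient information
        # (e.g. a bare appointment reminder) is within the limited content
        # the practice allows over plain email.
        return Decision("send", ["no patient information detected"])

    reasons = [f"patient information present: {sorted(found)}"]
    if encrypted:
        return Decision("send", reasons + ["message is already encrypted"])
    if patient.accepts_unencrypted_after_warning:
        # Item 5: the practice warned the patient and the patient still
        # asked for unencrypted email, so the request must be honored.
        return Decision("send", reasons + ["patient requested unencrypted email after risk warning"])
    # Default: keep patient information off plain email and hand the message
    # to the practice's encrypted / secure messaging channel instead.
    return Decision("route_encrypted", reasons + ["no patient request on file; use encrypted channel"])

if __name__ == "__main__":
    jane = Patient("Jane Doe", "jane.doe@example.com")          # constructed
    print(check_outbound(jane, "jane.doe@exampel.com", "Your appointment is Monday"))
    print(check_outbound(jane, "Jane.Doe@example.com ", "Reminder: your appointment is Monday"))
    print(check_outbound(jane, jane.email_on_file, "See attached", ["bitewing_left.jpg"]))
```

The gate deliberately blocks on an address mismatch rather than warning, because a misaddressed message is exactly the scenario item 4 describes as a likely reportable breach; a message with patient information and no documented patient request is routed to the encrypted channel rather than refused, so staff can still deliver it.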
For more information about HIPAA training and compliance, members can order the ADA Complete HIPAA Compliance Kit for $300 by calling 1-800-947-4746 or visiting ADAcatalog.org. A 20 percent discount is offered on all ADA Catalog HIPAA and OSHA products when promo code 16418E is used before April.
ADA Business Resources endorses PBHS Inc. as the HIPAA-secure email and collaboration system provider for members. This HIPAA-compliant email solution starts at $10 per month; members can also purchase an upgraded package that uses the even higher standard of direct messaging. For more information, contact PBHS at 1-855-WEB-4ADA or visit pbhs.com/securemail.
In addition, the ADA’s Standards Committee on Dental Informatics developed a technical report published in January to set the standard for dentists to securely exchange sensitive health information over the Internet. The report recommends the use of direct addresses issued by a certificate authority intended for use in health care only. Technical Report No. 1085, Implementation Guidelines for the Secure Transmission of Protected Health Information in Dentistry, is available at no cost for member dentists in the ADA Catalog.