How to properly store physical HIPAA documents

From Medical Economics:

ME: If physical copies are converted to electronic records, can the physical copies then be destroyed?

Rangel: Yes, you can destroy the paper records after they’re scanned. Usually, after they’ve been reviewed for a certain amount of time, generally speaking, 30 to 60 days, once you can actually qualify that all of the material is properly scanned, that the quality is there and that it is the natural representative of what was scanned. Once you have that, you can destroy those records.

Source: How to properly store physical HIPAA documents

An interesting article worth the click.

The article brings up the old worry that exposing an open file in the office is a HIPAA violation. This is true, and we should always strive to keep all patient information confidential. However, what the HIPAA privacy rules are really concerned with is digital data and the possibility of major data breaches. The occasional exposed chart is not what the law is all about.

Nevertheless there are important issues regarding paper files and we do need to be aware of them and practice good stewardship and respect our patients.

Health Care Politics Management Security

ADA comments on HIPAA Privacy Rule

From ADA News:

The ADA is asking the U.S. Department of Health and Human Services Office for Civil Rights to consider the burdens changes to the HIPAA privacy rule will impose on covered providers, including dentists.

Source: ADA comments on HIPAA Privacy Rule

Some of the changes OCR is proposing include:

These proposed changes include a 15-day timeframe for responding to requests for access; a proposal to permit patients to access, copy and photograph their protected health information at the time of their appointments; and a proposed requirement that covered providers develop fee schedules for providing copies of protected health information. Covered entities with websites would be required to post such schedules on their websites.


Management Security

Ohio Medical Center Pays OCR $65K for HIPAA Right of Access Failure

From Health IT Security:

OCR reached a $65,000 settlement with the University of Cincinnati Medical Center, after failing to respond to a patient’s request for access to her medical records, as required by HIPAA.

Source: Ohio Medical Center Pays OCR $65K for HIPAA Right of Access Failure

Many dentists and dental team members are not aware that HIPAA rules are not just about privacy and security. They also require us to provide records upon request. A dentist could face a HIPAA violation if he/she simply loses the records due to ransomware or a catastrophic computer failure.

Hat tip to Danielle McKinley.

Health Care Politics Security

Explaining the HIPAA Safe Harbor Act

Thank you to Danielle McKinley of PCI HIPAA

The HIPAA Safe Harbor Act amends Subtitle D of the Health Information Technology for Economic and Clinical Health (HITECH) Act to require the Department of Health and Human Services (HHS) to consider whether organizations have “recognized cybersecurity practices” in place when investigating a data breach, and to be lenient with their fines or other enforcement actions if the practice has met all basic technical safeguard requirements.

This means that if a health care provider is following the basic HIPAA Privacy Rule provisions and safeguards to mitigate threats, the fine for a data breach should be lower.

Source: Explaining the HIPAA Safe Harbor Act

Future Tech General Security

Harvard curator examines the worth of a digital work of art

From Harvard Gazette:

A digital collage of 5,000 images by the artist known as Beeple fetched an eye-popping $69 million at auction last week as a non-fungible token, or NFT, a type of digital file that uses computer networks to prove a digital item’s authenticity, paid for in cryptocurrency. It was a striking sum for something that can so easily be copied and co-opted by anyone with an internet connection, according to many experts,

Source: Harvard curator examines the worth of a digital work of art – Harvard Gazette

Interesting. The curator is very reluctant to accept this as art and justify the absurd selling price. She sees it possibly as a cryptocurrency investment rather than an art investment. Maybe.

Can it be copied? If so, is the original as designated by the blockchain still worth more? Is it worth 69 million even if it has been copied? Will the owner, or anyone for that matter, be able to view it in twenty years when the technology has advanced? I cannot access data I stored on a floppy disk twenty years ago.

It relates to an issue I have been discussing for years. In a digital world, who owns the data? Do you own a Kindle book that you buy from Amazon? Or do you just own the right to read it on your device? Do you own your digital impression device? What if that device can be rendered useless by a vendor who simply turns off the software connection? “Bricks” it. It has happened.


Exposed admin password leads to massive surveillance camera breach at hundreds of businesses

From VentureBeat:

This is not good.

A small group of hackers viewed live and archived surveillance footage from hundreds of businesses — including Tesla — by gaining administrative access to camera maker Verkada

Source: Exposed admin password leads to massive surveillance camera breach at hundreds of businesses | VentureBeat

Dental offices are vulnerable to the same type of breach. If a vendor you use is compromised, then your patient data could be at risk. That puts you at risk for a HIPAA violation and possibly a big fine. For example, if the e-service you use to send reminders is hacked, your patient data could be stolen as well. You protect yourself with a BAA (Business Associate Agreement) in which the vendor acknowledges and takes responsibility for data breaches they may have caused.

I believe the number one issue holding back more general acceptance of technology is security.

Internet Paperless Security

Every Prescription Should be Electronic

From AZDA Inscriptions:

e-Prescribing can reduce errors. Pharmacists are no longer deciphering handwriting. Phone calls, missed calls and voicemails no longer add steps to the process and the potential for your patient’s prescription getting lost or delayed during the game of “Telephone”

AZDA Inscriptions

Mandates are in place or on the way to require eRx for all controlled substances. However, the linked article makes a great case that all Rxs should be electronic. I agree.

Digital Impressions Scanners Security Software

Latest Updates to CS ScanFlow Helps Makes Scanning Faster, More Secure and Sharable

Software update from Carestream:

Typically, shiny or reflective surfaces, such as metal, full ceramic brackets and crowns and resins, would need to be sprayed with powder or microetched so as not to interfere with the digital scan. However, the new anti-reflective mode optimizes scanning shiny or reflective surfaces, eliminating a step in the process,…

…security is a concern whenever working with digital files, so CS ScanFlow v1.0.3 includes access to secure digital impression file conversion tools via cloud-based Microsoft Azure.

Follow this link for the full press release.

Source: Latest Updates to CS ScanFlow Helps Makes Scanning Faster, More Secure and Sharable

Internet Security

Brave Browser Review 2020

From Crypto Coin:

Future of Private Web Browsing?

The internet is an integral part of daily life in many ways. The brave browser offers users a way to browse the internet ad-free, by simply limiting your data exposure to advertisers. Algorithms or algo’s can’t identify you because tracking data is not sent to them, so it’s not worth an advertisement being rendered. This is what saves your battery life and loads pages faster.

Source: Brave Browser Review 2020: Future of Private Web Browsing?

The linked article provides an in-depth look at both the good and the bad of the Brave Browser. Personally, I have been using Brave as my primary browser for several years. I like the speed, the lack of ads and the privacy. The only issue I have, as the review notes, is that there are some plugins I use that do not work with Brave.

Brave Browser


If You Connect It, Protect It

From Norton:

How to live more securely in a connected world:

If You Connect It, Protect It

The phrase “If You Connect It, Protect It” is a call to secure any object that’s connected to the internet. This applies to the Internet of Things — IoT, for short — everyday objects that can connect to the internet and share data with each other.

For instance, you may have a smart speaker that can tell you how to make a perfect boiled egg, a digital doorbell that lets you look at your smartphone to see who’s on your porch, or home lights you can flip on at night while you’re on vacation.

It is anticipated that more than 55 billion IoT devices will be connected to the internet by 2025, according to the technology market research firm IDC. All this connectivity opens up plenty of opportunity for cybercriminals who want to spy on you from your baby monitor, break into your home through your digital door lock or recruit your old device to carry out a cyberattack.

Source: How to live more securely in a connected world: If You Connect It, Protect It

The linked article is primarily for home users; however, it includes plenty of tips and techniques that apply equally to dental office users.

Good security starts with the choice of secure hardware protected by reputable anti-malware applications. From there, security includes backup, passwords, encryption, phishing awareness and more.

Any device that connects to the Internet, including doorbells, speakers, thermostats and even impression devices or CBCT machines, is a member of the Internet of Things (IOT) and can be a potential security problem. They must all be protected.

Of special interest to dentists is a section telling consumers how to evaluate the security of their doctor’s office.

It is important that dentists and dental team members have a good basic understanding of all these security issues. However the security of your dental office technology system is not a DIY project. Get good professional help.


Just for Fun Security

General Internet Management Security Social Media

How to Clean Up Your Social Media Accounts Without Deleting Them

From Gizmodo: Good to know

There are many reasons to avoid wanting a social media digital paper trail of your entire life. Maybe there are posts there you think your new employer won’t like, or that your new partner’s parents won’t like, or even ones that you don’t believe in anymore. But wiping the slate clean and starting again is only one of your options—you can still tidy up your existing accounts without deleting them.

Source: How to Clean Up Your Social Media Accounts Without Deleting Them


Here’s How Much Your Personal Information Is Selling for on the Dark Web

From Experian: Thank you to Danny Bobrow for the link.

Here are the 10 most common pieces of information sold on the dark web and the general range of what they’re worth—or rather can sell for:

Source: Here’s How Much Your Personal Information Is Selling for on the Dark Web – Experian

You can see there is a very wide range for medical records. Medical dental records most often contain complete information including name, address, birth date and so on. Cyber criminals call this a fullz and will pay more for it.

If you have 3000 patient records (including inactive patients) on file in your computer, at an average of $500 each, they may be worth 1.5 million dollars. Maybe more.


Tons of news apps caught unnecessarily snooping on iPhone clipboard

From Input:

It turns out TikTok isn’t the only app that’s snooping through your iPhone’s clipboard (that’s everything you copy and paste). ArsTechnica has discovered over 50 other iOS apps that also unnecessarily read an iOS user’s clipboard, which could include passwords and other private data such as two-factor authentication codes, cryptocurrency wallet addresses, and more.

BAD NEWS — News apps are among the many that are excessively accessing clipboards without letting users know. ArsTechnica names apps from The New York Times, The Wall Street Journal, HuffPost, and more. None of them have reportedly updated their apps (yet) to reduce or remove the amount of clipboard access.

Source: Tons of news apps caught unnecessarily snooping on iPhone clipboard

This is disturbing. First, it is just wrong for these apps to be snooping, and second, it is possible that protected patient information could be disclosed.

Corona Pandemic Security

Malicious cyber actor using phishing emails to spoof SBA’s COVID-19 relief webpage

From CDA: Be cautious.

Individuals and small-business owners should watch for suspicious or unexpected emails that appear to be from the Small Business Administration or that direct the recipient to the SBA’s website for COVID-19 relief. The Cybersecurity and Infrastructure Security Agency in an Aug. 12 alert shared Friday by the HHS’ Office for Civil Rights warned that a malicious cyber actor is using phishing emails to spoof the SBA’s COVID-19 loan relief website…The phishing emails include a malicious link to the spoofed webpage, which the cyber actor then uses to redirect the recipient and steal credentials.

Source: Malicious cyber actor using phishing emails to spoof SBA’s COVID-19 relief webpage

Management Security

Think Ransomware Can’t Put You Out of Business?

From Yikes!

While there’s no shortage of examples of ransomware attacks, a recent study by data protection firm Veritas suggests an even bigger problem that few, if any, companies are prepared for: Customers are increasingly laying the blame on companies, specifically their CEOs, rather than on the hackers perpetrating the attacks.

Source: Think Ransomware Can’t Put You Out of Business?

What the reported research says is that patients may blame the dentist if their data is compromised. “If they can’t keep my records safe, can they really be competent dentists?” patients may be thinking. “It would probably be safer just to find a new dentist.”


Data breach lawsuit against pediatric dental center dropped, judge cites lack of evidence

From Becker’s:

The lawsuit, dismissed July 16, alleged that the more than 391,000 patients whose data was affected are facing distress and financial losses due to their personal data being in insecure hands. However, U.S. District Judge Austin Huffaker dropped the case because the plaintiffs could not prove their data had been misused.

Source: Data breach lawsuit against pediatric dental center dropped, judge cites lack of evidence

A bit of sanity. If patients are not actually damaged in any way by a data breach they have no right to compensation. No harm no foul.

HIPAA rules assume the opposite. If data is breached, even though no patients are harmed, the dentist is at fault and subject to punitive fines and other administrative penalties.


TikTok: Beneath Its Fun Exterior Lies A Sinister Purpose

From Forbes: Disturbing.

TikTok is a lesson in irresponsibility, dangerous by design. And not simply by carelessness, mistake or default: this is a deep and patent irresponsibility, a philosophy focused on the constant capture of all kinds of user data. In short, not recommendable for children or adults, particularly thanks to its sinister and addictive content recommendation system.

Source: TikTok: Beneath Its Fun Exterior Lies A Sinister Purpose

Future Tech Internet Security

The Internet of Things Has a Consent Problem

The Internet of Things (IOT) has a consistent problem with security.

From IEEE Spectrum:

IoT companies should tell users what information their devices are gathering and how they’re using it

Source: The Internet of Things Has a Consent Problem – IEEE Spectrum

Read the whole thing.

Most people would be shocked to discover all the information that their devices are sending back about them and even more shocked to find out how companies manipulate that data to determine personal details about you.

In addition to these privacy issues, IOT devices are notoriously insecure, providing a backdoor for hackers to get into your systems.

Hardware Management Security

3 Things Can Help Your Office Comply with HIPAA Requirements

I contributed to this article in Dentrix Magazine:

Dentists wrongly think their practice network is just another piece of equipment, such as a dental chair. It’s delivered, they unbox it, and they get it up and running. They forget that their network is a system that needs to be cared for, upgraded, and supported.

Source: Dental Office Technology: 3 Things Can Help Your Office Comply with HIPAA Requirements – Dentrix Magazine