Category: HIPAA

Sharing Cone-Beam CT Images Online

By Dr. Dan Grauer

When diagnosing and treatment planning interdisciplinary patients, have you ever sent your three-dimensional images to a colleague? Have any of your patients requested a copy of their records for a second opinion? Or maybe, a patient declines a radiograph because another orthodontist has recently taken a CBCT image of the patient? In all of these instances, you will need to communicate with the other office to initiate the transfer of CBCT images. The purpose of this blog is to describe different methods used to share patients’ CBCT records via online means.

Images acquired in your office are requested by a second orthodontist/dentist:

The first question that will need to be answered is whether the other office has the possibility of viewing and analyzing the images in three-dimensions. In a few instances, I have found myself trying to transfer a full three-dimensional file, when the second orthodontist just wanted a cephalogram and a panoramic radiograph. If this is the case, your software will probably allow you to create a synthetic cephalogram and panoramic radiograph that can be emailed through a HIPAA-compliant email account. If the second orthodontist requires a three-dimensional image, two case scenarios are possible:

Case scenario 1: Second orthodontist owns software to read and visualize CBCT images.

In this case, your software is able to export the CBCT Images in DICOM format (Digital Imaging and Communication in Medicine). DICOM files are large, and a file transfer application is needed. Once transferred, these can be imported into the software of the second orthodontist for visualization and analysis.

Case scenario 2: Second orthodontist does not own three-dimensional imaging software.

Under this case scenario, the second orthodontist would need both the CBCT images and a three-dimensional viewer. Three main options are available.

Option 1: If you own a CBCT machine, your software is generally able to create a file that includes both the image data and a basic viewer. The files created are large and can be transferred with a file transfer application.

Option 2: Anatomage offers the possibility of uploading your CBCT images to the cloud, and these can be accessed online through Anatomage’s application, which acts as a visualization tool. At this point the software is in Beta-version and can be accessed at www.anatomagcloud.com. You, as the generating office, will need to upload the images to the AnatomageCloud database and use this application to allow the second office to access the specific patient images. The access is granted with a link embedded in an email. After receiving authorization to access the images, the second office will be able to access the images online without the need of downloading them or installing any software.

Option 3: Dolphin Imaging software offers a complimentary viewer, https://www.dolphinusers.com/dolphin-imaging-viewer/. The receiving doctor can view 3D images by downloading and installing the Dolphin Imaging Viewer software. Files are transferred in DAZ file format. This file format is proprietary to Dolphin Imaging, and the files are created by the originating doctor through Dolphin Imaging 3D Software. This option 3 would work also in Case Scenario 1, when both doctors use Dolphin Imaging 3D software, but it is important to note that only the unprocessed images need to be transferred, such as the DICOM file; the viewer is part of the software downloaded by the receiving office.

Images acquired by other offices:

Images that you receive from other offices should be requested in DICOM format. This will permit you to be able to import these into your 3D software. If you obtain the file in a different format than DICOM (that often includes the viewer), the analysis and measurement possibilities are limited; this is because your 3D software most likely includes all the features that you may need while visualizing and measuring 3D Images. If both offices use Dolphin Imaging 3D Software, a proprietary format DAZ can be used to transfer and share images. The advantage of this approach is that all patient images, including both 3D and 2D images, are shared simultaneously.

In summary, with Cone Beam CT becoming more popular in practices, sharing 3D images with other treating doctors or practices requires some additional steps. The first step is to initiate the conversation with the second office to establish the best system to use to share images. The advantages of 3D images over traditional 2D images are beyond the scope of this blog, but once you become accustomed to a transfer and visualization system, the collaboration between doctors and patient care may improve.

Am I legally responsible if I receive a patient referral from another dentist and it is sent to me unsecured?

By: Charlie Frayer, JD, MS, HCISPP, CIPP, CIPM

DISCLAIMER: Protected Trust cannot and does not provide legal advice, and the following question(s) and response(s)—like everything else we publish—are not intended as legal advice or opinion. If you need legal assistance, you should contact an attorney licensed to practice law in your jurisdiction.

For the purpose of this answer, we assume that “sent” means “emailed.” Yes, it is possible that you could be responsible if something bad happens to the patient’s electronic protected health information (ePHI) contained in the email referral, but only if it happens after you receive it.

Under HIPAA, a health care provider is called a “covered entity”. The HIPAA Privacy Rule defines “treatment” to include, “…the referral of a patient for health care from one health care provider to another.” The Privacy Rule also states that, “A covered entity is permitted to use or disclose protected health information…[f]or treatment…”. Therefore, under the scenario you describe, neither the referring dentist nor you are violating HIPAA by merely sending (disclosing) or receiving a patient’s ePHI as part of a referral. Given this good news, the core question now becomes, “Does a covered entity violate HIPAA by sending (or receiving) ePHI in an “unsecured” manner?” Again, the answer is mostly good news, but BE VERY CAREFUL AND READ THE REST OF THIS RESPONSE!!!

First, we have to know what makes ePHI “unsecured” vs. “secured”. Then, we need to know whether HIPAA requires ePHI to be secured (seems like a silly question, but you’ll probably be surprised). And, lastly, if HIPAA does not require ePHI to be secured, then what risks do you have if you face by choosing to leave it unsecured?

Unsecured vs. Secured ePHI
The HIPAA Breach Notification Rule states that, “Unsecured protected health information means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary [of HHS] in the guidance issued…”. The HHS guidance emphasizes the use of encryption to make ePHI secure. So, technical details aside, the simple answer is that “unsecured” means unencrypted, and “secured” means encrypted.

HIPAA: Encryption Is NOT Required…What?!?
That’s the title of one of our blog posts from Feb.-Mar. 2016—republished by AAO, which we highly recommend that you read immediately (here or here). Although you would be crazy to not use encryption when emailing ePHI—because the risks are enormous, it is true that HIPAA does not literally require encryption (again, read our blog post here or here right now). Rather, what the federal government decided to do was strongly encourage the use of encryption by making it a get-out-of-jail-free card (apologies to Parker Bros.). Under the HIPAA Breach Notification Rule, you must notify certain persons and/or entities whenever you have a breach (e.g., a loss or theft) of unsecured (unencrypted) ePHI. For example, depending on the breach details, HIPAA requires notifying not only the affected patients, but also the federal government (HHS) and prominent members of the media. But—and here’s the GREAT NEWS—if you have a breach of secured (encrypted) ePHI, you do not have to notify anyone. Why? Because the loss or theft of encrypted ePHI—which cannot be read without the key(s)—is not considered a breach at all. So, encryption=no breach=no notifications=no problems for you.

Risks of NOT Encrypting ePHI Emails
If you’ve already read the above-mentioned blog post—and, if you haven’t, stop now and do so immediately (here or here), then you already know the frightening list of risks you face for not using encryption. In summary, in the event of a breach of ePHI:

No Encryption = Notification(s)

Notification(s) = Investigations, Fines, Lawsuits, PR Disaster, and Lost Business

Investigations, Fines, Lawsuits, PR Disaster, and Lost Business = Wasted $,$$$,$$$.

Our Recommendations

  1. Never email ePHI without using Protected Trust Healthcare Email Encryption.
  1. Require all of your fellow covered entities (e.g., health care providers and insurers), other business associates, and patients to use Protected Trust Healthcare Email Encryption.

IMPORTANT REMINDER: As a Protected Trust client, all of these third-party persons and entities can communicate securely with you, free of charge, and forever. No catch!

  1. To comply with HIPAA, make sure everyone in your office has their own Protected Trust Healthcare Email Encryption account (shared accounts are not permitted by HIPAA).