Am I legally responsible if I receive a patient referral from another dentist and it is sent to me unsecured?

By: Charlie Frayer, JD, MS, HCISPP, CIPP, CIPM

DISCLAIMER: Protected Trust cannot and does not provide legal advice, and the following question(s) and response(s)—like everything else we publish—are not intended as legal advice or opinion. If you need legal assistance, you should contact an attorney licensed to practice law in your jurisdiction.

For the purpose of this answer, we assume that “sent” means “emailed.” Yes, it is possible that you could be responsible if something bad happens to the patient’s electronic protected health information (ePHI) contained in the email referral, but only if it happens after you receive it.

Under HIPAA, a health care provider is called a “covered entity”. The HIPAA Privacy Rule defines “treatment” to include, “…the referral of a patient for health care from one health care provider to another.” The Privacy Rule also states that, “A covered entity is permitted to use or disclose protected health information…[f]or treatment…”. Therefore, under the scenario you describe, neither the referring dentist nor you are violating HIPAA by merely sending (disclosing) or receiving a patient’s ePHI as part of a referral. Given this good news, the core question now becomes, “Does a covered entity violate HIPAA by sending (or receiving) ePHI in an “unsecured” manner?” Again, the answer is mostly good news, but BE VERY CAREFUL AND READ THE REST OF THIS RESPONSE!!!

First, we have to know what makes ePHI “unsecured” vs. “secured”. Then, we need to know whether HIPAA requires ePHI to be secured (seems like a silly question, but you’ll probably be surprised). And, lastly, if HIPAA does not require ePHI to be secured, then what risks do you face by choosing to leave it unsecured?

Unsecured vs. Secured ePHI
The HIPAA Breach Notification Rule states that, “Unsecured protected health information means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary [of HHS] in the guidance issued…”. The HHS guidance emphasizes the use of encryption to make ePHI secure. So, technical details aside, the simple answer is that “unsecured” means unencrypted, and “secured” means encrypted.

HIPAA: Encryption Is NOT Required…What?!?
That’s the title of one of our blog posts from Feb.-Mar. 2016—republished by AAO, which we highly recommend that you read immediately (here or here). Although you would be crazy to not use encryption when emailing ePHI—because the risks are enormous, it is true that HIPAA does not literally require encryption (again, read our blog post here or here right now). Rather, what the federal government decided to do was strongly encourage the use of encryption by making it a get-out-of-jail-free card (apologies to Parker Bros.). Under the HIPAA Breach Notification Rule, you must notify certain persons and/or entities whenever you have a breach (e.g., a loss or theft) of unsecured (unencrypted) ePHI. For example, depending on the breach details, HIPAA requires notifying not only the affected patients, but also the federal government (HHS) and prominent members of the media. But—and here’s the GREAT NEWS—if you have a breach of secured (encrypted) ePHI, you do not have to notify anyone. Why? Because the loss or theft of encrypted ePHI—which cannot be read without the key(s)—is not considered a breach at all. So, encryption=no breach=no notifications=no problems for you.

Risks of NOT Encrypting ePHI Emails
If you’ve already read the above-mentioned blog post—and, if you haven’t, stop now and do so immediately (here or here), then you already know the frightening list of risks you face for not using encryption. In summary, in the event of a breach of ePHI:

No Encryption = Notification(s)

Notification(s) = Investigations, Fines, Lawsuits, PR Disaster, and Lost Business

Investigations, Fines, Lawsuits, PR Disaster, and Lost Business = Wasted $,$$$,$$$.

Our Recommendations

  1. Never email ePHI without using Protected Trust Healthcare Email Encryption.
  2. Require all of your fellow covered entities (e.g., health care providers and insurers), other business associates, and patients to use Protected Trust Healthcare Email Encryption.

IMPORTANT REMINDER: As a Protected Trust client, all of these third-party persons and entities can communicate securely with you, free of charge, and forever. No catch!

  3. To comply with HIPAA, make sure everyone in your office has their own Protected Trust Healthcare Email Encryption account (shared accounts are not permitted by HIPAA).

CryptoWall Virus Affecting Practices

By Steve McEvoy, Technology Consultant

We are seeing a fast spreading outbreak of a new virus called CryptoWall affecting many practices. Similar to the Cryptolocker virus that emerged last year, this virus seeks to encrypt all your precious data on your computer, and hold it for ransom (asking you to send them $500 USD in Bitcoin to get the decryption key).

What makes this virus so alarming is that as of a few days ago ZERO out of nearly 50 antivirus programs were able to detect it. None.

How to protect yourself

Eventually the Antivirus programs will catch up and learn how to detect it, but at this point in time you need to rely on your own wits and acting responsibly.

So far the virus has been arriving as an attachment to an email message (usually a ZIP or PDF file). We’ve seen it claiming to be airline ticket confirmations, monthly statements from the power company, shipping receipts, etc. Avoid ANY email with attachments that you are not 100% expecting. If you receive an email that you are unsure of – DON’T OPEN IT – and contact the sender by other means and confirm that they did send it to you. Reading the email doesn’t infect your PC, only opening the attachment will.

Signs that you are infected

The virus needs time to tackle the encryption. The longer it goes undetected, the more of your data it can encrypt. You will notice the PC running much slower than normal (since it is using the computer’s processing power to encrypt your files). You may see files named DECRYPT_INSTRUCTION.TXT and DECRYPT_INSTRUCTION.HTML on the desktop, documents, pictures, mapped drives or any location where you have data saved.
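The ransom-note filenames above are the one indicator a non-specialist can check for without running a cleaning scan. The script below is an added example, not part of Steve McEvoy’s article: it walks a set of folders or mapped drives, reports every note it finds and lists the directories the notes were dropped in, which tells the IT person where encryption had already reached. The note names come from the article; the sample directory tree is constructed inline for the demonstration. In line with the article’s advice, it is meant for the IT contact to run from a clean machine against mapped drives or an offline disk, not as a reason to keep an infected PC switched on.

```python
import os
import tempfile

# Ransom-note filenames named in the article above. The set itself is this
# example's assumption; add any other names your IT contact confirms.
RANSOM_NOTE_NAMES = {"DECRYPT_INSTRUCTION.TXT", "DECRYPT_INSTRUCTION.HTML"}


def find_ransom_notes(roots):
    """Walk each root (local folders, mapped drives) and return the paths of
    any ransom-note files found, sorted. Matching is case-insensitive so a
    note written as decrypt_instruction.html is not missed. Unreadable
    directories are skipped so one permission error does not abort the scan."""
    hits = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
            for name in filenames:
                if name.upper() in RANSOM_NOTE_NAMES:
                    hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def affected_directories(hits):
    """Directories that hold a note: each is a location the malware had
    already reached, so encrypted data is likely to be found there."""
    return sorted({os.path.dirname(path) for path in hits})


def build_sample_tree(base):
    """Construct a small, entirely synthetic directory tree: ordinary
    documents plus notes dropped in two places, mimicking the layout the
    article describes. Returns the list of roots to scan."""
    layout = {
        "Desktop/schedule.xlsx": "constructed sample content",
        "Desktop/DECRYPT_INSTRUCTION.TXT": "constructed sample note",
        "Documents/referrals/smith.pdf": "constructed sample content",
        "Documents/decrypt_instruction.html": "constructed sample note",
        "Pictures/panorex_01.jpg": "constructed sample content",
    }
    for rel, content in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return [os.path.join(base, d) for d in ("Desktop", "Documents", "Pictures")]


def scan_sample():
    """Run the scan against the synthetic tree and return
    (note paths, affected directories), both relative to the sample base."""
    with tempfile.TemporaryDirectory() as base:
        roots = build_sample_tree(base)
        hits = find_ransom_notes(roots)
        rel_hits = [os.path.relpath(h, base) for h in hits]
        rel_dirs = [os.path.relpath(d, base) for d in affected_directories(hits)]
    return rel_hits, rel_dirs


if __name__ == "__main__":
    notes, dirs = scan_sample()
    if notes:
        print("Ransom notes found:", *notes, sep="\n  ")
        print("Affected directories:", *dirs, sep="\n  ")
    else:
        print("No ransom notes found.")
```

To use it on real data, replace the roots returned by `build_sample_tree` with the drive letters or folders to check; an empty result only means no note was found in those locations, not that the machine is clean.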


What to do if you suspect an infection

Open the DECRYPT_INSTRUCTION.HTML file and note the time remaining to decrypt your data (they only allow you a short period of time to send them the money before they destroy the data permanently). Once you have that information TURN OFF THE PC. The longer it remains online the more data it can encrypt. Do not attempt to run scans and clean the system, this only buys it more time to encrypt data. Do not connect any external drives to restore backups of data as it will attempt to encrypt your backups when it sees the drives. Contact your IT person IMMEDIATELY for their assistance in recovery.

Electronic Records Transfer: Do You Use E-mail to Transfer Records? Is it HIPAA Compliant?

The August 2014 complimentary lecture of the month is now online. Click the link below to immediately begin viewing:

Electronic Records Transfer: Do You Use E-mail to Transfer Records? Is it HIPAA Compliant?  presented by Dr. J. Martin Palomo.


Is That a HIPAA in Your Hip Pocket?

By Kirt E. Simmons D.D.S., Ph.D.

In this day and age it is “hip” to be connected everywhere and very easy given the nearly universal presence of powerful “smart” phones and tablets connected to the Internet.  My iPhone is in essence a much more powerful computer than my first Mac I bought in 1986 and able to communicate to others via text messaging, E-mail, internet blogs or forums, web sites (Facebook, Twitter, etc.), and voice.  In this day and age it is easily possible to access one’s patient records on such a device or a tablet, copy any of the information and relay it via any of the aforementioned methods.  It is also very easy to get high quality photographs with these devices, including of patients or any of their records.  Any of your patients with such devices can also easily capture photos of themselves or others in your treatment areas.

“Great!” You say, but beware of potential HIPAA violations with these devices.  Many health care workers and organizations in other environments (mostly medical to date) have run afoul of HIPAA in this regard and paid heavy fines, been personally sued, lost their jobs and/or lost public credibility/trust.  The classic example is the health care worker who “tweets” or posts on other social media sites about celebrities they have seen/treated in their facility (without the patient’s consent/knowledge of course!).  Even non-celebrities but extreme or “shocking” cases, easily identifiable without “naming names”, have been the subject of these illegal disclosures and resultant negative consequences.

As a health care provider, and especially if you are the owner or proprietor of your practice, you are responsible for any breaches of patient confidentiality by yourself or any of your employees and you are also responsible for that confidentiality in your facility.  For this reason many medical offices now require patients to turn off any cell phones, computers, tablet computers, or cameras while in treatment areas or leave them outside treatment areas.  The HIPAA regulations also require that ALL transmission of personal health information (PHI) be “protected”.  Common E-mail, text messaging, social media sites, etc. are not “secure and protected”.  So even if the sharing of PHI is allowed between two entities (say yourself and the patient’s general dentist), doing so by the above means is NOT allowed (but IS required to be noted and tracked by yourself!).  The ADA has some excellent resources discussing the proper sharing of PHI, which I encourage you to follow (ADA Technical Reports No. 1048, Attachment of DICOM Dataset Using Email, and No. 1060, Secure Exchange and Utilization of Digital Images in Dentistry, are available for download or purchase from the ADA Catalog or by calling 1-800-947-4746).

The Electronic Patient Record: How it Affects the Private Practitioner

By Kirt E. Simmons D.D.S., Ph.D.
Prior to engaging in a discussion of this topic it is imperative to provide some definitions, as there are some common discrepancies in the terms associated with the electronic patient record.  An “electronic patient record” is simply an electronic or digital form of a health record.  This includes the following examples and their abbreviations/acronyms:  electronic medical record (EMR), electronic dental record (EDR), electronic health record (EHR), and personal health record (PHR).  A word about acronyms is appropriate now, since the US Federal Government Agencies, including the Office of the National Coordinator for Health Information Technology (ONC), are enamored with acronyms and even use acronyms in their definitions of other acronyms and even as part of other acronyms.  On the ONC website, for instance, there are five web pages of Health Information Technology (HIT) acronyms (see the ONC website).  What are the different forms of electronic patient records?  An Electronic Medical Record (EMR) is simply an electronic form of the paper medical charts classically used in a clinician’s office.  An EMR contains the medical and treatment history of the patients in a single practice. It allows clinicians to track clinical/financial/other data over time, it easily identifies patients due for preventive screenings or checkups, and it allows the clinician to check certain patient parameters—such as blood pressure readings or vaccinations, and to potentially monitor and improve the overall quality of care within that practice.  The major problem with an EMR is that the information in an EMR does not travel easily out of the practice.

An Electronic Dental Record (EDR) is simply the dental equivalent to the EMR, and describes what almost all dental professionals who are keeping “electronic records” are currently keeping.  It contains the dental and treatment history of patients in one practice (although this may be a large group practice with multiple clinicians).  It has the same problem as an EMR in that information in the EDR doesn’t travel easily out of the practice and in addition it typically does not integrate with other medical data.

An Electronic Health Record (EHR) is a longitudinal electronic record of patient health information generated by one or more encounters in any care delivery setting.  Included in this information are patient demographics, progress notes, problems, medications, vital signs, past medical history, immunizations, laboratory data, and radiology reports (per the Healthcare Information and Management Systems Society- HIMSS).  The EHR focuses on the total health of the patient in that it reaches out beyond the health organizations (clinicians’ offices or hospitals) that originally collect the information. They are “built” to share information with other health care providers and the information “moves” with the patient between health facilities/providers.  In addition, EHRs are designed to be accessed by all persons involved in a patient’s care, including the patients themselves.  Indeed, that is an explicit expectation in the Stage 1 definition of “meaningful use” of EHRs (“meaningful use” is a term developed by the ONC to describe use sufficient to apply for funds set aside to increase EHR adoption).  An EHR would ideally include all dental, medical, pharmacy, chiropractic, etc. records in essentially “real time” and be “qualified” and “certified” as such.

A “qualified” EHR, per Section 3000, Definitions, of Subtitle A, Part 1, of Title XIII in the American Recovery and Reinvestment Act (ARRA) of 2009,includes:
“An electronic record of health-related information on an individual that-
(A) Includes patient demographic and clinical health information, such as medical history and problem lists
(B) Has the capacity—
(i) to provide clinical decision support
(ii) to support physician order entry
(iii) to capture and query information relevant to health care quality
(iv) to exchange electronic health information with, and integrate such information from other sources.”

Many advantages have been touted for EHRs.  Among these are their ability to consolidate all dental, medical, pharmacy, chiropractic, etc. records in a single “location”; their ability to allow emergency departments to quickly be aware of any life threatening conditions, even if patient is unconscious; the ability of a patient to log on to their own record and see the trend of lab results over the last year for instance, which can help motivate them to take their medications and keep up with the lifestyle changes that have improved the numbers; ability of the EHR to be stored “off site” securely so it is not lost in disasters (i.e. Katrina, tornados, fires, etc.); lab results run last week are already in the record for a specialist to access without running duplicate tests; prescriptions, notes, and orders are legible; notes from a hospital stay can help inform discharge instructions and follow-up care, especially if the patient will be followed up in a different (more local) care setting; patients seeing new clinician / clinic do not have to enter their information or their child’s or carry paper copies with them; and public health officials and researchers can more readily be alerted to, respond to, and research illness trends (SARS, Swine Flu, influenza, etc.), treatment differences, outcomes differences, etc.

A Personal Health Record (PHR), sometimes called a Patient-Controlled Health Record (PCHR), is a patient created electronic record that conforms to certain interoperability standards (the same as EHRs).  It can be drawn from multiple sources.  It is managed, shared, and controlled by the individual patient.  The patient may or may not choose to grant other entities access to it since it is controlled by the patient (unlike EHRs).  The intent is to allow PHRs and EHRs to interact if desired and allowed by the patient.

There are many factors currently “driving” the change to EHRs: Congress, The American Recovery and Reinvestment Act (ARRA) 2009 (including the Health Information Technology for Economic and Clinical Health Act [HITECH]), the President, Third Party Payers (Medicaid, insurance companies, etc.), technology and software vendors, Standards Organizations – DICOM, HL7, etc., public demand (in response to Hurricane Katrina, etc.), researchers, and Public Health organizations.  One of the most prevalent of these “driving forces” is the HITECH Act.  The objectives of the HITECH Act are to leverage health information technology (IT), so health care providers will have: accurate and complete information about a patient’s health so they can give the best possible care, whether during a routine visit or a medical emergency; the ability to better coordinate the care they give (especially important if a patient has a serious medical condition); a way to securely share information with patients and their family caregivers over the Internet (for patients who opt for this convenience); the chance to allow patients and their families to more fully take part in decisions about their health care. Per the framers of this legislation, this increased access to health information will help clinicians diagnose health problems sooner, reduce medical errors, and provide safer care at lower costs.  This legislation also claims widespread use of health IT can make our health care system more efficient, reduce paperwork for patients and doctors, expand access to affordable care, and build a healthier future for our nation.

The “overseer” of the EHR in the U.S. is the Office of the National Coordinator for Health Information Technology (ONC).  This office was set up to support adoption of health IT and promotion of a nationwide health information exchange to improve health care. The ONC is part of the Office of the Secretary for the U.S. Department of Health and Human Services (HHS).  It is directed by the position of National Coordinator of the ONC and was created in 2004, through an Executive Order and legislatively mandated in the HITECH Act of 2009.  Dr. David Blumenthal is the current National Coordinator but he is stepping down in the spring of 2011.

Some important issues are how the EPR will be accessed and where it will be stored.  Individual PHRs will be kept by patients and stored by them (USB, CD, DVD, etc.).  For EHRs there are several potential options that have been proposed, including the National Health Information Network (NHIN), an as yet unidentified national repository, or within Health Information Exchanges (HIEs – which are specific regional/area/network repositories).

This has not yet been finalized as of this time but regardless it will require standards for interaccessibility of the data whether a single, central repository or multiple HIEs.

The NHIN was formed to create a common platform for health information exchange across diverse entities, within communities, and across the country.  Its purpose was to promote a more effective marketplace, greater competition, and increased choice through accessibility to accurate information on health care costs, quality, and outcomes.  In essence, this is what is generally thought of as the “ideal”- a single, national, all-inclusive database for all citizens.  An HIE on the other hand, is a state or regional program set up to ensure the development of health information exchange within and across their jurisdictions.  These are currently being advanced as a more readily implemented means of meeting the aggressive EHR implementation timelines.  Of course, in order for different HIE’s to be able to interact and “play well” with each other they all need to be “speaking the same language” and this requires accepted standards.  The standards that are relevant for EHRs include the Digital Imaging and Communication in Medicine (DICOM) standard which is the established standard for the exchange of digital information between medical imaging equipment (i.e. radiographs, photographs, digital models, cone beam computed tomographs, etc.) and other systems.  Hospitals have long used the DICOM standard in their radiology departments which allows any type of radiograph obtained at one hospital to be transported, accessed and used at any other hospital, regardless of their radiologic software program.  Another EHR standard in use is the Health Level 7 (HL7) standard, which is the established standard for data exchange, management and integration to support clinical patient care as well as the management, delivery and evaluation of healthcare service (ie billing, demographics, outcome measures, etc.).

What’s the timeline of the EHR?  In his 2004 State of the Union address then President George W. Bush set as a goal for most Americans to have a universal EHR by the year 2014.  In 2009 the Congress passed the ARRA and HITECH legislation, which established further guidelines for the development, adoption and implementation of the EHR.  Per this legislation by 2010 the Rules, definitions (especially for “Meaningful Use”– a term used in the legislation), certification process and certification bodies were identified and developed.  In 2011 Stage 1 of the implementation process will be completed.  Stage 1 consists of “Data Capture” – the electronic capture of health care information in a standardized format.   In 2013 Stage 2, “Data Aggregation” – electronic exchange of the collected health information will occur in order to improve the quality of care.  In 2015 Stage 3, “Data Use for Outcome Impact” will occur as necessary to improve the quality, safety and efficiency of healthcare through clinical decision support (CDS) and patient management tools.  By 2016 full implementation (ie all healthcare providers will be fully using and all persons will have an EHR) will be completed.  The legislation initially provides for financial incentives if healthcare providers/organizations “qualify” but these quickly change to disincentives for those who do not comply.  For instance this year (2011) for healthcare providers who do not begin (ie “write” a certain percentage of their prescriptions) e-prescribing drugs their payments through Medicaid will be reduced.

This brings us to the Medicaid EHR Incentive Program legislated by the HITECH Act.  This program provides incentive payments to eligible professionals and eligible hospitals as they adopt, implement, upgrade, or demonstrate meaningful use of certified EHR technology in their first year of participation and demonstrate meaningful use for up to five remaining participation years.  There are minimum Medicaid patient volumes to be eligible, which differs by state.  The program is voluntarily offered by individual states and territories and begins as early as 2011, depending on state.  Eligible professionals (including dentists) can receive up to $63,750 in funds over six years if they choose to participate in the program and meet all requirements.  There are no payment adjustments under the Medicaid EHR Incentive Program.  By contrast, just to be confusing, the Medicare EHR Incentive Program provides incentive payments to eligible professionals and eligible hospitals that demonstrate meaningful use of certified EHR technology.  Participation in the Medicare Program can begin as early as 2011 with eligible professionals able to receive up to a maximum of $44,000 over five years under the Medicare EHR Incentive Program for treating patients that qualify under Medicare.  In addition, if the eligible professionals provide services in a Health Professional Shortage Area (HSPA) they qualify for additional incentives above the $44,000 maximum under the Medicare EHR Incentive Program.  For maximum incentive payment, Medicare eligible professionals must begin participation by 2012.  For 2015 and later, Medicare eligible professionals, etc. that do not successfully demonstrate meaningful use will have a “payment adjustment” (read reduced payment or penalty) in their Medicare reimbursement.  
In order to qualify for these Medicaid / Medicare EHR Incentive Program eligible healthcare providers must use a certified EHR program and demonstrate meaningful use of the program for their patients.  For dentistry, as of this writing (early 2011), there is only one EHR dental software that meets the Federal guidelines and has been certified as such.

A reasonable question for most dentists might be “Who cares?”  There is no federal deadline for adoption of EHRs by dentists who do not submit claims to Medicare and since “I don’t mess with Medicare/Medicaid” it’s not going to affect me.  Unfortunately, although you may not “mess” with the public payer programs the legislation IS going to “mess” with you!  Specifically, new privacy and security provisions (on top of current HIPAA requirements) and accessibility requirements are among the ARRA / HITECH legislation provisions.  These include privacy and security provisions extended to “business associates” (for instance laboratories, etc.), breach notification requirements, health information privacy education requirements for your staff, a requirement to honor withholding of protected health information from a health plan when a patient pays for treatment “out of pocket”, a prohibition of the sale of protected health information, a requirement for patient authorization for marketing and fundraising-related activities, new accessibility requirements (to patient information- i.e. patients may request an electronic copy of their record and it must be provided and in a timely fashion), and finally it authorizes patients the right to request an “audit trail” of all access to their record (i.e. who, when, why anyone accessed their record for any reason!).  The “final rules” have not yet been established but it behooves you to stay aware of these upcoming requirements and be prepared to meet them before they are enforced.  Theoretically a “certified” EHR program takes these requirements and provisions into account so if one purchases and implements these programs in their practice they will be able to meet many of these provisions.  Unfortunately, for any “early adopter” dentists who wish to implement a certified EHR program for their practice, there is only one at this time.
Several companies, although not currently certified, have indicated they were aware of the situation and were planning to eventually introduce a certified program. So one should check with their practice management software company for updates or “modules” to meet these requirements and insist they provide them if they indicate they are not considering these issues.

There are some other implications of this push for EHR adoption for dentistry.  These include e-Prescribing (submitting prescriptions digitally online) ability and monitoring, the adoption of the Systematized Nomenclature of Dentistry (SNODENT- designed by the ADA for use in the electronic health and dental records environment, it is essentially a single accepted “dictionary” of dental terms in order to standardize/digitize everything “dental”), a requirement of Diagnosis Codes for payment (long common in Medicine, the ADA is currently updating claim forms to include up to four diagnosis codes since some large dental insurers are adding diagnosis codes to claim requirements), and requirements by insurers, Dental Boards, etc. that all images, notes, models, letters, billing, etc. be provided in a standardized digital format.  It is also wise to remember some of the other intents of an EHR according to the Government are their supposed ability to “decrease costs”, potentially due to their intended ability to monitor “quality measures” and adjust healthcare practices “appropriately” (through further legislation, payment adjustments, fees, etc.).  They will also provide for “Lifetime” radiation exposure monitoring since certified EHRs will have the capability of recording radiation exposure data and reporting it.  This could potentially be a big “issue” for those dentists taking or prescribing cone beam computed tomographs (CBCTs) since the Federal Department of Agriculture (FDA- under which the HHS resides), per their “Initiative to Reduce Unnecessary Radiation Exposure from Medical Imaging” issued in February of 2010, is looking closely at “CT”’s.  Per this publication approximately 89% of the yearly exposure of the U.S. population is due to “CT”’s despite the fact they account for only 26% of the total of all imaging procedures.
Although “Medical” Imaging is used by the FDA in the title dentistry is definitely included as evidenced by the fact Table 1 of this publication specifically includes “Dental X-ray”.  Of particular interest to orthodontists and pedodontists is the point the publication stresses the deleterious impact of ionizing radiation on younger individuals is greater than that for adults.

Since the Government will be promoting and advertising the EHR heavily in all provider settings, patients will quickly expect dental offices to be EHR compliant as this becomes commonplace in the other “healthcare” settings they are exposed to.  According to the ONC more than 21,000 providers had initiated registration for the EHR Incentive Programs during the first month it was available (January, 2011) and more than 45,000 additional providers had requested information or registration help from Regional Extension Centers during this same time.  In addition, it is quickly becoming obvious that third party payers will require offices to interact with them in an EHR compliant fashion (since it will save them money/resources), due to potential legal implications many malpractice/liability insurers may require their clients to be EHR compliant, privacy/security regulations will essentially require it (for instance each office must have a “Privacy & Security Officer”- per DHHS Guideline 45 CFR, Part 146), pharmacies/DEA will likely require it, and lastly new (or updates to) imaging hardware/software will require DICOM compatibility.

Lastly, on a personal note, if and when one is contemplating their own PHR options it is useful to take into account the findings of a “Roundtable on PHRs” the ONC conducted and published in their blog of Dec. 3rd, 2010.  At the PHR Roundtable, four panels of experts and industry representatives explored the growth of PHRs, focusing on the nature and adequacy of privacy and security protections.  A key message from the Roundtable was that PHRs grow in value when people find them useful and trustworthy. Their usefulness grows as they are able to readily pull information from EHRs and other sources of clinical information, as well as from monitoring devices and mobile applications. The usefulness increases even more as that information can be organized to help people with their particular health care concerns and inform clinical decision-making.