Category: Security

Sharing Cone-Beam CT Images Online

By Dr. Dan Grauer

When diagnosing and treatment planning interdisciplinary patients, have you ever sent your three-dimensional images to a colleague? Have any of your patients requested a copy of their records for a second opinion? Or maybe, a patient declines a radiograph because another orthodontist has recently taken a CBCT image of the patient? In all of these instances, you will need to communicate with the other office to initiate the transfer of CBCT images. The purpose of this blog is to describe different methods used to share patients’ CBCT records via online means.

Images acquired in your office are requested by a second orthodontist/dentist:

The first question that will need to be answered is whether the other office has the possibility of viewing and analyzing the images in three-dimensions. In a few instances, I have found myself trying to transfer a full three-dimensional file, when the second orthodontist just wanted a cephalogram and a panoramic radiograph. If this is the case, your software will probably allow you to create a synthetic cephalogram and panoramic radiograph that can be emailed through a HIPAA-compliant email account. If the second orthodontist requires a three-dimensional image, two case scenarios are possible:

Case scenario 1: Second orthodontist owns software to read and visualize CBCT images.

In this case, your software is able to export the CBCT Images in DICOM format (Digital Imaging and Communication in Medicine). DICOM files are large, and a file transfer application is needed. Once transferred, these can be imported into the software of the second orthodontist for visualization and analysis.

Case scenario 2: Second orthodontist does not own three-dimensional imaging software.

Under this case scenario, the second orthodontist would need both the CBCT images and a three-dimensional viewer. Three main options are available.

Option 1: If you own a CBCT machine, your software is generally able to create a file that includes both the image data and a basic viewer. The files created are large and can be transferred with a file transfer application.

Option 2: Anatomage offers the possibility of uploading your CBCT images to the cloud, and these can be accessed online through Anatomage’s application, which acts as a visualization tool. At this point the software is in Beta-version and can be accessed at www.anatomagcloud.com. You, as the generating office, will need to upload the images to the AnatomageCloud database and use this application to allow the second office to access the specific patient images. The access is granted with a link embedded in an email. After receiving authorization to access the images, the second office will be able to access the images online without the need of downloading them or installing any software.

Option 3: Dolphin Imaging software offers a complimentary viewer, https://www.dolphinusers.com/dolphin-imaging-viewer/. The receiving doctor can view 3D images by downloading and installing the Dolphin Imaging Viewer software. Files are transferred in DAZ file format. This file format is proprietary to Dolphin Imaging, and the files are created by the originating doctor through Dolphin Imaging 3D Software. This option 3 would work also in Case Scenario 1, when both doctors use Dolphin Imaging 3D software, but it is important to note that only the unprocessed images need to be transferred, such as the DICOM file; the viewer is part of the software downloaded by the receiving office.

Images acquired by other offices:

Images that you receive from other offices should be requested in DICOM format. This will permit you to be able to import these into your 3D software. If you obtain the file in a different format than DICOM (that often includes the viewer), the analysis and measurement possibilities are limited; this is because your 3D software most likely includes all the features that you may need while visualizing and measuring 3D Images. If both offices use Dolphin Imaging 3D Software, a proprietary format DAZ can be used to transfer and share images. The advantage of this approach is that all patient images, including both 3D and 2D images, are shared simultaneously.

In summary, with Cone Beam CT becoming more popular in practices, sharing 3D images with other treating doctors or practices requires some additional steps. The first step is to initiate the conversation with the second office to establish the best system to use to share images. The advantages of 3D images over traditional 2D images are beyond the scope of this blog, but once you become accustomed to a transfer and visualization system, the collaboration between doctors and patient care may improve.

Big Data Revisited

By Anthony M. Puntillo DDS, MSD

In August 2014, I wrote an introductory article for this blog entitled “What is Big Data and How is it Related to the Practice of Orthodontics?” As more orthodontic practices move to the digital collection of orthodontic treatment records (EHRs-photos, models, radiographs, treatment history) and more of our data is being stored in the “cloud”, there is a tremendous opportunity for us as a profession to access that data for the betterment of our patients and advancement of our specialty. Over the last ~3.5 years, however, there has been little visible traction by our researchers and leadership on this front. Meanwhile, there should be no doubt that corporate entities (DSOs and orthodontic vendors) understand the value of our data. Check out the recent cover article for Fortune Magazine (“Tech’s Next Big Wave: Big Data Meets Biology” -3/19/2018). The article notes that “The quest to retrieve, analyze, and leverage (medical) data has become the new gold rush.” If orthodontists are to hope to have any influence on how orthodontic treatment is delivered in the future, management of our patients’ data will be crucial. Technology has sped up every aspect of our lives. We must now start to give this issue the attention it desperately demands. But where should we begin?

If we are to tackle this challenge, there are many complex questions that will need to be answered. Our patients’ privacy is not the least of these. Even with our busy professional and personal lives, I imagine it has been hard for most to miss the recent public flogging of Mark Zuckerburg and Facebook. Both he and his company were taken to task by Congress and the media when they revealed that the personal data for 87 million of their customers had been inappropriately accessed by an outside research company. As a result of these disclosures, politicians are threatening regulations for their industry – think HIPAA for Silicon Valley. There are more than 2.5 million people who annually seek orthodontic treatment. As we look to find the best ways to utilize our patient’s treatment data to improve their care, we must make certain that it is being done in a way that is respectful of all patients’ privacy. While privacy may be where we start, there are other, even more difficult issues that need to be addressed.

The complexity of the Big Data issue will require the input from the brightest minds both from within and from outside of our profession. To that end, the Great Lakes Association of Orthodontists has put forth a resolution to this year’s American Association of Orthodontists House of Delegates. Resolution 18-18 GLAO (http://hod.live.aaoinfo.org/resolution2/18-18-glao-big-data-task-force-and-records-repository/) requests that our Association President appoint a Big Data task force. I would encourage you to review the resolution and let your representatives (HOD Delegates) know your feelings. While this issue is certain to require a significant investment of time, talent and financial resources, we cannot afford to leave this investment to outside sources. Those who control the data will control the future.

Am I legally responsible if I receive a patient referral from another dentist and it is sent to me unsecured?

By: Charlie Frayer, JD, MS, HCISPP, CIPP, CIPM

DISCLAIMER: Protected Trust cannot and does not provide legal advice, and the following question(s) and response(s)—like everything else we publish—are not intended as legal advice or opinion. If you need legal assistance, you should contact an attorney licensed to practice law in your jurisdiction.

For the purpose of this answer, we assume that “sent” means “emailed.” Yes, it is possible that you could be responsible if something bad happens to the patient’s electronic protected health information (ePHI) contained in the email referral, but only if it happens after you receive it.

Under HIPAA, a health care provider is called a “covered entity”. The HIPAA Privacy Rule defines “treatment” to include, “…the referral of a patient for health care from one health care provider to another.” The Privacy Rule also states that, “A covered entity is permitted to use or disclose protected health information…[f]or treatment…”. Therefore, under the scenario you describe, neither the referring dentist nor you are violating HIPAA by merely sending (disclosing) or receiving a patient’s ePHI as part of a referral. Given this good news, the core question now becomes, “Does a covered entity violate HIPAA by sending (or receiving) ePHI in an “unsecured” manner?” Again, the answer is mostly good news, but BE VERY CAREFUL AND READ THE REST OF THIS RESPONSE!!!

First, we have to know what makes ePHI “unsecured” vs. “secured”. Then, we need to know whether HIPAA requires ePHI to be secured (seems like a silly question, but you’ll probably be surprised). And, lastly, if HIPAA does not require ePHI to be secured, then what risks do you have if you face by choosing to leave it unsecured?

Unsecured vs. Secured ePHI
The HIPAA Breach Notification Rule states that, “Unsecured protected health information means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary [of HHS] in the guidance issued…”. The HHS guidance emphasizes the use of encryption to make ePHI secure. So, technical details aside, the simple answer is that “unsecured” means unencrypted, and “secured” means encrypted.

HIPAA: Encryption Is NOT Required…What?!?
That’s the title of one of our blog posts from Feb.-Mar. 2016—republished by AAO, which we highly recommend that you read immediately (here or here). Although you would be crazy to not use encryption when emailing ePHI—because the risks are enormous, it is true that HIPAA does not literally require encryption (again, read our blog post here or here right now). Rather, what the federal government decided to do was strongly encourage the use of encryption by making it a get-out-of-jail-free card (apologies to Parker Bros.). Under the HIPAA Breach Notification Rule, you must notify certain persons and/or entities whenever you have a breach (e.g., a loss or theft) of unsecured (unencrypted) ePHI. For example, depending on the breach details, HIPAA requires notifying not only the affected patients, but also the federal government (HHS) and prominent members of the media. But—and here’s the GREAT NEWS—if you have a breach of secured (encrypted) ePHI, you do not have to notify anyone. Why? Because the loss or theft of encrypted ePHI—which cannot be read without the key(s)—is not considered a breach at all. So, encryption=no breach=no notifications=no problems for you.

Risks of NOT Encrypting ePHI Emails
If you’ve already read the above-mentioned blog post—and, if you haven’t, stop now and do so immediately (here or here), then you already know the frightening list of risks you face for not using encryption. In summary, in the event of a breach of ePHI:

No Encryption = Notification(s)

Notification(s) = Investigations, Fines, Lawsuits, PR Disaster, and Lost Business

Investigations, Fines, Lawsuits, PR Disaster, and Lost Business = Wasted $,$$$,$$$.

Our Recommendations

  1. Never email ePHI without using Protected Trust Healthcare Email Encryption.
  1. Require all of your fellow covered entities (e.g., health care providers and insurers), other business associates, and patients to use Protected Trust Healthcare Email Encryption.

IMPORTANT REMINDER: As a Protected Trust client, all of these third-party persons and entities can communicate securely with you, free of charge, and forever. No catch!

  1. To comply with HIPAA, make sure everyone in your office has their own Protected Trust Healthcare Email Encryption account (shared accounts are not permitted by HIPAA).