HIPAA COMPLIANCE

We are an online dental health service company that also provides amazing products. We follow the HIPAA guidelines and protect confidential customer information in accordance with them. Updated: 12/2/2020

Link to HIPAA Rights for patients

Below are the recommended guidelines:

HIPAA Regulations for Dental Offices

Although many dental offices are self-contained entities, the HIPAA rules for dentists apply to any dental office that may send claims, eligibility requests, pre-determinations, claim status inquiries, or treatment authorization requests electronically.

If a dental office transmits any of the above transactions directly to a payer or uses the services of a business associate – who has access to individually identifiable health information – the HIPAA regulations for dental offices also apply and must be adhered to.

Furthermore, policies must be developed to instruct dental office employees on procedures for the use, disclosure, and safeguarding of the PHI – not only to patients and colleagues but also to business associates and third-party service providers.

What are the HIPAA Rules for Dentists?

The HIPAA Rules for Dentists consist of the Privacy Rule (2003), Security Rule (2005), and Breach Notification Rule (2009). Dentists and dental offices should also ensure they are familiar with any relevant changes to these Rules enacted in the HITECH Act (2009) and Final Omnibus Rule (2013). The key areas of the HIPAA Privacy Rule for dentists are:

  • Which personal identifiers are considered to be Protected Health Information.
  • The permissible uses and disclosures of Protected Health Information.
  • Safeguards to implement to protect the privacy of patient health information.
  • An explanation of the Minimum Information Necessary rule.
  • Restrictions on the use of Protected Health Information for marketing.
  • Patient access to medical information and notice of privacy practices.

Information about all these elements of the HIPAA Privacy Rule for Dentists, plus details about signing Business Associate Agreements with any non-employee who has authorized access to patients' records, can be found in our HIPAA Compliance Guide – a comprehensive guide to the HIPAA rules for dentists, which includes an explanation of the Breach Notification Rule and the updates to the HIPAA Privacy and Security Rules enacted in the HITECH Act and Final Omnibus Rule.

The HIPAA Security Rule for Dentists

The HIPAA Security Rule consists primarily of three sets of “requirements”: technical requirements, physical requirements, and administrative requirements. The technical requirements cover how patient information should be communicated electronically (for example, email is not allowed, nor is SMS or Skype).

The technical requirements also detail the processes and controls that have to be implemented in order to protect PHI when it is at rest or in transit.

The physical HIPAA regulations for dental offices concern the security of computer systems and the environment in which the computer systems are situated. Responsibilities included in the physical HIPAA regulations for dental offices include establishing a facility plan and a contingency plan in the event of an emergency, and implementing validation procedures to restrict physical access to PHI stored on the computer systems.

The administrative HIPAA rules for dentists require that system administrators are appointed to select and implement a compliant communications system. Administrators are also responsible for developing “best practice” policies, training dental office employees on the use of the compliant communication system, and monitoring activity on the system. Administrators are also responsible for ensuring HIPAA compliance by Business Associates.

A Solution for the HIPAA Security Rule

Whereas meeting the Business Associate, privacy, and breach notification HIPAA regulations for dental offices can be achieved without too many issues, complying with the HIPAA Security Rule can present a headache for many dental offices. A solution to the HIPAA Security Rule is to implement a system of secure messaging.

Unlike email, SMS, or Skype, secure messaging is conducted within a private network only accessible by authorized users. The authorized users can access patient data and communicate it with other authorized users only after they log in to secure messaging apps which require user authentication via a unique centrally-issued username and password.

All patient data is encrypted at rest and in transit, so it is perfectly safe to send text messages, share images or conduct video calls over public Wi-Fi services via a mobile device. The secure messaging apps can also be used on desktop computers, and a time-out feature automatically logs users out of the network when a computer or mobile device is unattended, to prevent unauthorized access to patient data.

In addition to safeguards that prevent patient data from being saved to an external hard drive, copied and pasted, or forwarded outside of the dental practice's private network, the messaging platform through which all communications travel monitors activity on the network. Administrators can ensure that secure messaging policies are being adhered to, or PIN-lock an app if the device it is installed on is lost, stolen, or disposed of.

Additional Benefits of Secure Messaging

Secure messaging solutions were originally developed to enable HIPAA-covered entities to comply with the industry regulations for privacy and security. However, a series of efficiency-increasing and cost-reducing benefits have resulted from the implementation of secure messaging solutions – many of which will be applicable in a dental office environment:

  • Dentists and dental office employees can receive secure messages on any desktop computer or mobile device – enabling them to access patient data “on the go”.
  • Images and documents can be attached to secure messages, which can then be shared among dentists if collaboration is required on the treatment of a patient.
  • Secure messages can also be used in scenarios where a patient cannot attend a dental office and their condition can be diagnosed at home or in another medical setting.
  • Time-consuming phone tag and the need for follow-up calls are significantly reduced due to automatically-produced delivery notifications and read receipts.
  • When the secure messaging solution is integrated with an EHR, authorized personnel can load patient notes directly onto the system from a mobile device.

These features and benefits ensure that secure messages are transmitted to the correct recipient, reduce the time and money that may be wasted between sending messages and receiving replies, and protect the integrity of patient data in compliance with the HIPAA rules for dentists.

HIPAA guidelines link:

https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html

The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) establishes, for the first time, a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services (“HHS”) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

The Privacy Rule standards address the use and disclosure of individuals’ health information (called “protected health information”) by organizations subject to the Privacy Rule (called “covered entities”), as well as standards for individuals' privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights (“OCR”) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.

HIPAA email compliance:

GoDaddy - HIPAA BUSINESS ASSOCIATE AGREEMENT

  1. Overview
    This HIPAA Business Associate Agreement (“Agreement”) is entered into by and between GoDaddy.com, LLC, a Delaware limited liability company (“GoDaddy”) and you, and is made effective as of the date of electronic acceptance.  This Agreement sets forth each party’s respective obligations regarding the Microsoft® Office 365 email services sold and supported by GoDaddy and represented by us as being HIPAA-compliant (the “Services”), and represents the entire agreement between you and GoDaddy concerning the subject matter hereof.
    Your electronic acceptance of this Agreement signifies that you have read, understand, acknowledge, and agree to be bound by this Agreement, along with our Universal Terms of Service Agreement, which is incorporated herein by this reference, and any plan limits presented on the product landing pages, which are also incorporated herein by this reference.

    The terms “we”, “us” or “our” shall refer to GoDaddy. The terms “you”, “your”, “User” or “customer” shall refer to any individual or entity who accepts this Agreement. Nothing in this Agreement shall be deemed to confer any third-party rights or benefits.

    We may, in our sole and absolute discretion, change or modify this Agreement, any policies or agreements which are incorporated herein, and any limits or restrictions on the Services, at any time, and such changes or modifications shall be effective immediately upon posting to the GoDaddy website (“Site”). Your use of the Site or the Services after such changes or modifications shall constitute your acceptance of this Agreement and Service limitations as last revised. If you do not agree to be bound by this Agreement and the Services limitations as last revised, do not continue to use this Site or the Services.
    We may occasionally notify you of changes or modifications to this Agreement by email. It is therefore very important that you keep your shopper account information current. We assume no liability or responsibility for your failure to receive an email notification if such failure results from an inaccurate email address.

    The parties agree as follows:
  2. Definitions
    For purposes of this Agreement, any capitalized terms not otherwise defined herein will have the meaning given to them in the Agreement and under HIPAA.
    • “Business Associate” has the same meaning as the term “business associate” in 45 C.F.R. § 160.103 of HIPAA.
    • “Covered Entity” has the same meaning as the term “covered entity” in 45 C.F.R. § 160.103 of HIPAA.
    • “HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and the rules and the regulations thereunder, as amended (including with respect to the HITECH Act).
    • “HITECH Act” means the Health Information Technology for Economic and Clinical Health Act enacted in the United States Congress, which is Title XIII of the American Recovery & Reinvestment Act, and the regulations thereunder, as amended.
    • “Protected Health Information” or “PHI” will have the meaning given to it under HIPAA if provided to GoDaddy in connection with your permitted use of the Services.
    • “Security Rule” means 45 C.F.R., Part 164, Subpart C, under HIPAA.

  3. Applicability
    1. Parties. This Agreement applies only to the extent you are acting as a Covered Entity or Business Associate to create, receive, maintain or transmit PHI via the Services and where GoDaddy, as a result, is deemed under HIPAA to be acting as a Business Associate of you.
    2. Services Scope. As of the effective date of this Agreement, this Agreement is applicable only to the described Services. GoDaddy may expand the scope of the described Services to include other GoDaddy products or services.  If GoDaddy expands the scope of the Services, this Agreement will automatically apply to the additional products and services as of the date they are included, or the date GoDaddy has otherwise provided written communication regarding an update to the scope of the included Services (whichever date is earlier).
  4. Permitted Use and Disclosure
    1. By GoDaddy. GoDaddy may use and disclose PHI only as permitted under HIPAA as specified in the Universal Terms of Service Agreement and under this Agreement. GoDaddy may also use and disclose PHI for the proper management and administration of GoDaddy’s business and to carry out the legal responsibilities of GoDaddy, provided that any disclosure of PHI for such purpose may only occur if (1) required by applicable law; or (2) GoDaddy obtains written reasonable assurances from the person to whom PHI will be disclosed that it will be held in confidence, used only for the purpose for which it was disclosed and that GoDaddy will be notified of any breach.
    2. By You. You will not request GoDaddy or the Services to use or disclose PHI in any manner that would not be permissible under HIPAA if done by a Covered Entity itself (unless otherwise expressly permitted under HIPAA for a Business Associate).

      In connection with your management and administration of the Services for end-users, you are responsible for using the available controls within the Services to support your HIPAA compliance requirements, including enforcing appropriate controls to support your HIPAA compliance.

      You will not use the Services to create, receive, maintain or transmit PHI to other GoDaddy services outside of the included Services, except where GoDaddy has expressly entered into a separate HIPAA business associate agreement for use of such GoDaddy services. If you use the Services in connection with PHI, you will use controls available within the Services to ensure (1) all other GoDaddy products not part of the Services are disabled for all end users who use the included Services in connection with PHI (except those services where Customer and GoDaddy already have an appropriate HIPAA business associate agreement in place); and (2) you take appropriate measures to limit your use of PHI in the Services to the minimum extent necessary for you to carry out your authorized use of such PHI.

      You agree that GoDaddy has no obligation to protect PHI under this Agreement to the extent you create, receive, maintain, or transmit such PHI outside of the Services.
  5. Appropriate Safeguards
    GoDaddy and you will use appropriate safeguards designed to prevent against unauthorized use or disclosure of PHI, consistent with this Agreement, and as otherwise required under the Security Rule, with respect to the Services.
  6. Reporting
    GoDaddy will promptly notify you following the discovery of a breach resulting in the unauthorized use or disclosure of PHI in violation of this Agreement in the most expedient time possible under the circumstances, consistent with the legitimate needs of applicable law enforcement and applicable laws, and after taking any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the Services system by using commercially reasonable efforts to mitigate any further harmful effects to the extent practicable.

    You hereby agree that any such report, notification, or other notice made pursuant to this Agreement may be provided electronically.  For clarity, you and not GoDaddy are responsible for managing whether your end users are authorized to create, receive, maintain or transmit PHI within the Services and GoDaddy will have no obligations relating thereto.

    This Section will be deemed as notice to you that GoDaddy periodically receives unsuccessful attempts for unauthorized access, use, disclosure, modification, or destruction of information or interference with the general operation of GoDaddy’s information systems and the Services and even if such events are defined as a Security Incident under HIPAA, GoDaddy will not provide any further notice regarding such unsuccessful attempts.
  7. Agents and Subcontractors
    GoDaddy will take appropriate measures to ensure that any agents and subcontractors used by GoDaddy to perform its obligations under the Agreement that require access to PHI on behalf of GoDaddy are bound by written obligations that provide the same material level of protection for PHI as this Agreement.

    To the extent GoDaddy uses agents and subcontractors in its performance of obligations hereunder, GoDaddy will remain responsible for their performance as if performed by GoDaddy itself under this Agreement.
  8. Accounting Rights
    GoDaddy will make available to you the PHI via the Services so you may fulfill your obligation to give individuals their rights of access, amendment, and accounting in accordance with the requirements under HIPAA. You are responsible for managing your use of the Services to appropriately respond to such individual requests.
  9. Access to Records
    To the extent required by law, and subject to applicable attorney-client privileges, GoDaddy will make its internal practices, books, and records concerning the use and disclosure of PHI received from you, or created or received by GoDaddy on behalf of you, available to the Secretary of the U.S. Department of Health and Human Services (the “Secretary”) for the purpose of the Secretary determining compliance with this Agreement.
  10. Return/Destruction of Information
    GoDaddy agrees that upon the termination of the Agreement, GoDaddy will return or destroy all PHI received from you, or created or received by GoDaddy on behalf of you, which GoDaddy still maintains as provided in the Universal Terms of Service Agreement; provided, however, that if such return or destruction is not feasible, GoDaddy will extend the protections of this Agreement to the PHI not returned or destroyed and limit further uses and disclosures to those purposes that make the return or destruction of the PHI infeasible.

    In the event this Agreement is terminated earlier than the underlying Universal Terms of Service Agreement, you may continue to use the Services in accordance with the Universal Terms of Service Agreement, but must delete any PHI you maintain in the Services and cease to create, receive, maintain or transmit such PHI to GoDaddy or within the Services.
  11. Term
    This Agreement will expire upon the earlier of (i) your cancellation of the Services to which this Agreement applies; or (ii) your acceptance of an updated HIPAA business associate agreement that supersedes this Agreement.
  12. Interpretation
    It is the parties’ intent that any ambiguity under this Agreement is interpreted consistently with the intent to comply with applicable laws.
  13. Effect of Agreement
    This Agreement supersedes in its entirety any pre-existing HIPAA business associate agreement executed by GoDaddy and you covering the same Services.  Each covenant and agreement in this Agreement shall be construed for all purposes to be a separate and independent covenant or agreement.

    If a court of competent jurisdiction holds any provision (or portion of a provision) of this Agreement to be illegal, invalid, or otherwise unenforceable, the remaining provisions (or portions of provisions) of this Agreement shall not be affected thereby and shall be found to be valid and enforceable to the fullest extent permitted by law. 

    In the event there is a conflict between the provisions of this Agreement and the provisions of the Universal Terms of Service Agreement, the provisions of this Agreement shall control.