HIPAA and Open Dental Business Practices
Below is a summary of how Open Dental the company addresses HIPAA guidelines and standards.
Open Dental Software, Inc. follows HIPAA guidelines and standards for security and privacy, implementing physical and electronic safeguards, including encryption. Open Dental software is a tool to help you become HIPAA compliant. It is up to you to make sure your practice is secure. See HIPAA and Your Practice.
Open Dental Software, Inc. performs risk assessments
Open Dental Software, Inc. follows the NIST SP800-30 rev.1 protocol for risk assessments. This is the current, required protocol for analyzing potential PHI security risks. Following this protocol, we evaluate each risk’s likelihood and impact, and implement security measures to address them. Open Dental actively reviews and edits a remediation checklist to document vulnerabilities and track the resolutions.
Our last Risk Assessment was completed on 07/18/2017. All risks (if any) were evaluated and addressed.
Our HIPAA procedures and policies are up to date and available
Open Dental Software, Inc. requires all employees to be certified on our policies and procedures. Our documentation addresses and enforces the requirements of the HIPAA Privacy and Security Rules and the HITECH Act.
Employees are actively trained to properly handle PHI
Open Dental Software, Inc. has an effective training program that is regularly updated to ensure all employees are properly trained in the HIPAA Privacy and Security Rules. Training is tracked internally. Open Dental Software, Inc. regularly audits all employees with access to PHI to ensure that data is properly handled, including but not limited to an annual audit plan. In the event of a disaster, Open Dental, Inc. is prepared to implement contingency operations and facility security plans.
Open Dental Software, Inc. and PHI
In the process of providing customer support, Open Dental employees may be exposed to PHI, including but not limited to:
- customer databases collected for debugging, troubleshooting or conversions
- screenshots showing patient information
- X12 files (insurance batch files)
- EOBs
All instances of data transit used for customer support are HIPAA-compliant and encrypted. We do not use email for data transit because it is not HIPAA-compliant, even if using SSL. Email is not encrypted from the email server to the recipient. If data is stored for any reason it is encrypted.
Business Associate Agreements
Open Dental Software, Inc. provides a standard Business Associate Agreement. This agreement is for our customers whose PHI we may come in contact with. See HIPAA and Your Practice.
Open Dental Software, Inc. does not share PHI with anyone, so we do not enter into Business Associate Agreements with third parties or sub-contractors.
Common Questions Asked About Open Dental's HIPAA Policies
Are your HIPAA policies and procedures up to date, effective and available?
Yes. Our policies and procedures are updated regularly and available for all employees.
Is your HIPAA training effective and up to date?
Yes. All employees are certified through an ongoing, efficacious training program.
Has a risk assessment been conducted? If so, how often does Open Dental perform internal Risk Assessments?
Yes. We perform one at least every 18 months, usually about once a year. The most recent date is shown above.
Do you have an ongoing auditing and monitoring program for HIPAA Privacy and Security?
Yes. Workstations with access to PHI are regularly audited.
As part of my HIPAA diligence, I need to know if Open Dental is covered by insurance if there is a HIPAA breach. Does Open Dental have Cyber Liability insurance?
Have you conducted due diligence on your business associates?
Yes. Open Dental Software, Inc. does not share PHI with anyone, so we do not enter into Business Associate Agreements with third parties or sub-contractors.
Has Open Dental adopted a formal approach to information security supported by one or more information security policies?
Yes. Open Dental has multiple internal security policies, which all employees must be trained on.
Has an independent review of Open Dental's information security efforts been conducted?
No. Third party reviews of Open Dental's policies are not a HIPAA requirement.
How does Open Dental stay up to date on current information such as security threats, trends, and technologies?
Our security team frequently researches new threats and technologies. Internal announcements are released to help our staff be aware of phishing attempts and other vulnerabilities.
Does Open Dental have a plan in place in case of a security breach?
Yes, we do have a formal process in case of a security breach. All employees are trained accordingly.
Are physical controls in place to safeguard PHI?
Yes. Open Dental Software, Inc. has multiple layers of physical security.
A List of Things We Don't Provide
Open Dental Software, Inc. maintains documentation for internal use only. For security purposes we do not provide the following documents to the public:
- Security Risk Assessment
- Remediation Plan
- HIPAA Master Policy and Procedure Manual
- Training Materials and Logs
- Network Vulnerability Scan
- Incident Response Plan
- Disaster Recovery
- Details of the encryption methods we use