HIPAA at Rincon Family Dental

See United States Regulatory Information.
Below is a summary of how Rincon Family Dental addresses HIPAA guidelines and standards.
Rincon Family Dental follows HIPAA guidelines and standards for security and privacy, implementing physical and electronic safeguards, including encryption. Open Dental software is a tool to help you become HIPAA compliant. It is up to you to make sure your practice is secure. See HIPAA and Your Practice.
Rincon Family Dental follows the NIST SP 800-30 Rev. 1 protocol for risk assessments. This is the current, required protocol for analyzing potential PHI security risks. Following this protocol, we evaluate each risk’s likelihood and impact, and implement security measures to address them. Rincon Family Dental actively reviews and edits a remediation checklist to document vulnerabilities and track their resolution.

Our HIPAA procedures and policies are up to date and available

Rincon Family Dental requires all employees to be certified on our policies and procedures. Our documentation addresses and enforces the requirements of the HIPAA Privacy and Security Rules and the HITECH Act.

Employees are actively trained to properly handle PHI

Rincon Family Dental has an effective training program that is regularly updated to ensure all employees are properly trained in the HIPAA Privacy and Security Rules. Training is tracked internally. Rincon Family Dental regularly audits all employees with access to PHI to ensure that data is properly handled; this includes, but is not limited to, an annual audit plan. In the event of a disaster, Rincon Family Dental is prepared to implement contingency operations and facility security plans.

Rincon Family Dental and PHI

In the process of providing customer support, Open Dental employees may be exposed to PHI, including but not limited to customer databases collected for debugging, troubleshooting or conversions; screenshots showing patient information; X12 files (insurance batch files); and EOBs. All channels used to transfer data for customer support are HIPAA-compliant and encrypted. We do not use email for data transfer because it is not HIPAA-compliant, even when SSL is used: email is not encrypted from the email server to the recipient. If data is stored for any reason, it is encrypted.

Business Associate Agreements

Rincon Family Dental provides a standard Business Associate Agreement. This agreement is for our customers whose PHI we may come in contact with. See HIPAA and Your Practice.

Common Questions Asked About Rincon Family Dental’s HIPAA Policies

Are your HIPAA policies and procedures up to date, effective and available?
Yes. Our policies and procedures are updated regularly and available for all employees.
Is your HIPAA training effective and up to date?
Yes. All employees are certified through an ongoing training program.
Has a risk assessment been conducted? If so, how often does Rincon Family Dental perform internal Risk Assessments?
Yes. We perform one at least every 18 months, usually about once a year. The most recent date is shown above.
Did Rincon Family Dental’s latest risk assessment identify any vulnerabilities that would subject our office to risk of a data breach?
No. Any vulnerabilities detected during our risk assessments are immediately addressed. To date, nothing that could put an office at risk has been detected.
Do you have an ongoing auditing and monitoring program for HIPAA Privacy and Security?
Yes. Workstations with access to PHI are regularly audited.
Does Rincon Family Dental have a policy in place for employees who fail to comply with HIPAA security policies and procedures?
Yes. Disciplinary action will be taken against staff who do not comply with the privacy policies and procedures established to protect PHI.
As part of my HIPAA diligence, I need to know if Rincon Family Dental is covered by insurance if there is a HIPAA breach. Does Rincon Family Dental have Cyber Liability insurance?
Yes.
Have you conducted due diligence on your business associates?
Yes. Rincon Family Dental very rarely shares PHI with any third party, and never shares it as structured data, so we do not normally have to conduct due diligence with respect to PHI and HIPAA. The two current exceptions are:
  • Screen-sharing software that captures an encrypted video stream which could contain PHI
  • Electronic prescribing (not legacy)
We have conducted due diligence for these two third parties and have Business Associate Agreements on file with them.
Has Rincon Family Dental adopted a formal approach to information security supported by one or more information security policies?
Yes. Rincon Family Dental has multiple internal security policies, which all employees must be trained on.
Has Rincon Family Dental been subject to any investigations relative to a breach of privacy that resulted in penalties?
No.
Is Rincon Family Dental aware of any incident involving a potential or actual breach of patient privacy under HIPAA regarding protected health information?
If such an incident occurs, the customer is notified promptly, within 72 hours, per policy. If you have not been notified, then this has not happened.
Is Rincon Family Dental aware of any incidents involving a potential or actual breach of patient data on customer systems?
We do not track customer data or how it is used with respect to their office.
Has an independent review of Rincon Family Dental’s information security efforts been conducted?
No. Third party reviews are not a HIPAA requirement.
Does Rincon Family Dental’s HIPAA Compliance Officer and Security Officer have sufficient HIPAA training?
Yes.
How does Rincon Family Dental stay up to date on security threats and technologies?
Our security team researches new threats and technologies and issues internal updates regularly.
Does Rincon Family Dental have a plan in place in case of a security breach?
Yes. All employees are trained accordingly.
Are physical controls in place to safeguard PHI?
Yes. Multiple layers of physical security exist.
Are remote connections encrypted?
Yes.
Is PHI access regulated based on employee roles?
Yes. Access is limited to what is necessary.
Do you maintain a PHI disclosure log?
No. This is not required for business associates.
Do you regularly review or update your contingency plan?
Yes. Reviewed at least annually or after significant events.
Do you perform screening procedures and background checks on new employees?
Yes.
Is PHI access revoked upon employee termination?
Yes.
Do you have policies and procedures to detect and respond to security events?
Yes.
Do you utilize antivirus software?
Yes. All systems are protected and monitored.
Do you assign unique identifiers for users?
Yes.
Do you protect PHI from unauthorized modification or destruction?
Yes.
Are passwords required for PHI systems?
Yes.
Do you allow personal devices on PHI networks?
No.
Do you send PHI outside your network?
Yes, but rarely, and only over secure channels and under proper agreements.
Are there public workstations?
No.
Do you maintain an inventory of PHI devices?
Yes.
Do you require PHI removal before recycling media?
Yes.
Do you document policy changes?
Yes.
Do employees require ID for ePHI access?
Yes.
Can vendor agreements be terminated if violated?
Yes.
Are emergency access systems in place?
Yes.
Do you log facility access?
Yes.
Are job roles clearly defined for security duties?
Yes.
Do you send security reminders?
Yes.
Do systems monitor login failures?
Yes.
Is ePHI protected during emergencies?
Yes.

Additional Notes

How does Rincon Family Dental address encryption?
See Encryption of Data at Rest and in Transit.
Does Rincon Family Dental cache PHI locally?
No. PHI is not cached on local workstations, though third-party tools may temporarily create local files depending on usage.

A List of Things We Don’t Provide

Rincon Family Dental maintains documentation for internal use only. For security purposes, we do not provide:
  • HIPAA Compliance Officer contact details
  • Full employee lists
  • Training logs per employee
  • Internal signatures
  • Custom questionnaires at scale
  • Security Risk Assessment details
  • Remediation Plan
  • HIPAA Master Policy and Procedure Manual
  • Training Materials and Logs
  • Network Vulnerability Scan
  • Incident Response Plan
  • Disaster Recovery details
  • Risk classification methodologies
  • Employee termination procedures
  • PHI access revocation procedures
  • Encryption methods
  • Password policies
  • PHI disposal policies
  • Physical security details