Thursday, May 30, 2019

Department of Health and Human Services Clarifies how HIPAA Applies to Business Associates

 


HIPAA can be a complicated and often scary (if you are a small provider) to follow correctly.  Many large healthcare companies have entire departments dedicated to helping understand and keep their entities in compliance with the federally mandated privacy laws.  And some of the other scary parts of the ruling have to do with the simple fact that healthcare is such a complicated field  that hardly any healthcare entity works in isolation.

No, most use 3rd parties for all types of services and those services can frequently mean that the 3rd parties have access to federally protected data.  Here is how the Department of Health and Human Services  addresses the issue of 3rd parties:

Background
By law, the HIPAA Privacy Rule applies only to covered entities – health plans, health care clearinghouses, and certain health care providers. However, most health care providers and health plans do not carry out all of their health care activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses. The Privacy Rule allows covered providers and health plans to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule. Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate.  

Now, thankfully, HHS has come up with a “Fact Sheet on Direct Liability of Business Associates Under HIPAA.

This document will help healthcare companies and their 3rd parties understand what is covered, what is not, and who is responsible for what.  Hopefully this will bring some much needed clarity to a very confusing aspect of the business of healthcare and responsibilities of keeping patient data safe.

The new Fact Sheet can be accessed from this link.

Wednesday, May 29, 2019

June JADA finds more Research Needed into Musculoskeletal Care for Dental Professionals

 



A few years ago I was talking to someone who was involved with a physical rehabilitation clinic for patients who were suffering from spine injuries.  When he found out I was a dentist, this person asked me how my back was.  I, of course, thought that was simply because that was his focus.  However, I was way wrong about that.

It turns out that spinal injuries are the most prominent injuries that occur in dentistry.  Up to that point in my life, I had wrongly just assumed that the number one injury in dentistry was hands & wrists.  You know, carpal tunnel and that sort of thing.  I could not have been more wrong.  While those types of injuries certainly DO occur in dentistry, the number one cause of disability is neck and back injuries.

It turns out that around 65% of dentists who have to declare complete disability and retire from clinical practice do so because of neck and back injuries.  Now that I am further into my career, I’ve begun to see the affects it is having on myself as well as my colleagues who have been practicing for more than a few years now.  I can personally think of around 10 dentists that I know that have either been forced to retire or have had to reduce their clinical hours based upon neck and back injuries.  I’ve personally dealt with these issues as well although I also had a near fatal MVA in the 80s that has probably contributed to that as well.

The point of today’s post is that neck and back injuries are a serious issue in dentistry and practitioners need to be aware of them to help prevent them.  In may of my articles I’ll mention efficiency as a big advantage to the use of technology.  The efficiency that I am writing about is also something that cuts down the amount of time we spend in what I’m calling “the clinical posture” which is what really creates that problems for our spines.  Decreasing the time spent in this posture could well be one of the ways to extend your career.

The ADA is now starting to pay special attention to the ergonomics of dentistry and a recent JADA (Journal of the American Dental Association) study looks at Musculoskeletal Disorders in Dental Professionals.  Here is part of the discussion:

“Given the high prevalence of [musculoskeletal disorders] in oral health care professionals and the fact that these problems may begin to develop during the education process, early intervention is crucial for the prevention and treatment of these disorders,” the authors state. “Investigators should conduct further interventional research on the topic to provide sufficient support for oral health care professionals.”
Many professionals experience daily musculoskeletal discomfort, but they ignore it as “part of the job,” said corresponding author Shawn C. Roll, Ph.D., an associate professor in the Chan Division of Occupational Science and Occupational Therapy at the University of Southern California. However, that pain can lead to suboptimal patient care.
“Furthermore, too often, expert practitioners are forced to reduce their work hours or transition out of patient care due to an inability to continue the physical tasks because of their discomfort or injuries,” Dr. Roll said.

To read the entire post on the subject, follow this link.

To read the study, follow this link.

Tuesday, May 28, 2019

MOHC Reports Data Breach - Way Outside of HIPAA Timeline

 



I hate to throw anyone, especially someone in healthcare, under the bus.  However, sometimes it’s necessary to prove a bigger point to the rest of my readership.  My blog hits continue to increase monthly and I feel a responsibility to all of you to provide the best information and recommendations possible.

Recently Medical Oncology Hematology Consultants in Newark, NJ began sending letters to patients of record to inform them of a data breach.  The  problem here isn’t that there was a data breach, unfortunately all we can do is be vigilant to try and stop them, no the real problem with this breach was that it took them an entire year to notify those affected.  That is unacceptable according to federal law and also a fairly big ethical problem as well.

You see, according to HIPAA standards (which are federal law) a data breach must me reported within 60 days of the breach discovery.  Even if you don’t have all the answers, healthcare organizations only have 60 days to report.  Failing to do so can create a PR nightmare as well as trigger serious fines from DHS (Department of Health and Human Services.

Here is information that was recently provided to patients who were affected by the breach:

DATA INCIDENT NOTIFICATION
Medical Oncology Hematology Consultants, P.A. (“the Practice”) was victimized by a cyber attack (the “Incident”)
that impacted a Practice email account. On March 14, 2019, the Practice, through its extensive investigation of the
Incident, determined that personal health information (“PHI”) and/or personally identifiable information (“PII”)
relating to you may have been subject to unauthorized access or acquisition as a result of the Incident.

We commenced the foregoing investigation immediately upon learning of the Incident for the purpose of
determining its scope, the impact on our information systems, and the identities of those potentially affected. We
engaged third party experts to assist us with our investigation and, during that investigation, coordinated extensively
with the third party that hosts our email environment. Through our investigation, we determined that the attack
occurred on or about June 7 and June 8, 2018. We have not found any evidence that your information was misused
as a result of the Incident.

What Information Was Involved

The personal information subject to this incident may have included your name, health information, medical
information, dates of birth, Social Security Number, government issued identification number, and/or financial
account information.

What We Are Doing

The Practice is providing notice to potentially affected individuals so that they can take steps to minimize the risk
that their information will be misused. As an added precaution, the Practice has arranged for TransUnion to provide
potentially affected individuals 12 months of free credit monitoring and related services. To find out whether you
were among those whose information was potentially affected, please contact (855) 424-2585, Monday through
Friday, from 9 am to 9 pm Eastern Time (except holidays).

The Practice treats all sensitive information in a confidential manner and is proactive in the careful handling of such
information. Since learning of the attack, the Practice has taken a number of steps to further secure its systems.
Specifically, it has, among other things: established a new portal for delivery of secure emails from external sources;
implemented malware blocking measures; facilitated suspicious email reporting; established notifications to alert
users that they may be attempting to send un-encrypted sensitive data; facilitated encryption of outgoing emails; and
provided additional data security training. Further, the Practice will soon implement multi-factor authentication and
take additional steps to bolster its email phishing defenses.

What You Can Do

In addition to enrolling in the free credit monitoring and related services mentioned above, we recommend that you
remain vigilant and take the following steps to protect your personal information:

1. Contact the nationwide credit-reporting agencies as soon as possible to:

Add a fraud alert statement to your credit file at all three national credit-reporting agencies: Equifax,
Experian, and TransUnion. You only need to contact one of the three agencies listed below; your
request will be shared with the other two agencies. This fraud alert will remain on your credit file for
90 days.
You can also receive information from these agencies about avoiding identity theft, such as by placing
a “security freeze” on your credit accounts.
Remove your name from mailing lists of pre-approved offers of credit for approximately six months.
Receive and carefully review a free copy of your credit report by going to
www.annualcreditreport.com.
Equifax
P.O. Box 740256 Atlanta, GA 30374 (800) 525-6285 www.equifax.com
Experian
P.O. Box 9554
Allen, TX 75013
(888) 397-3742 www.experian.com/consumer
TransUnion
P.O. Box 2000 Chester, PA 19022 (800) 888-4213 www.transunion.com
Carefully review all bills and credit card statements you receive to see if there are items you did not
contract for or purchase. Also review all of your bank account statements frequently for checks, purchases,
or deductions not made by you. Note that even if you do not find suspicious activity initially, you should
continue to check this information periodically since identity thieves sometimes hold on to stolen personal
information before using it.
The Federal Trade Commission (“FTC”) offers consumer assistance and educational materials relating to
identity theft, privacy issues, and how to avoid identity theft, such as by setting up fraud alerts or placing a
“security freeze” on your credit accounts. The FTC can be contacted either by visiting www.ftc.gov,
www.consumer.gov/idtheft, or by calling (877) 438-4338. If you suspect or know that you are the victim
of identity theft, you should contact local law enforcement, and you can also contact the Fraud Department
of the FTC, which will collect all information and make it available to law enforcement agencies. The FTC
can be contacted at the website or phone number above, or at the mailing address below:

Federal Trade Commission
Consumer Response Center
600 Pennsylvania Avenue
NW Washington, DC 20580
Maryland Residents: To obtain additional information about avoiding identity theft, please contact the
Maryland Attorney General’s Office, using the contact information below:

Maryland Attorney General’s Office
200 St. Paul Place
Baltimore, MD 21202
Phone: (410) 576-6300
Toll-Free (in Maryland): (888) 743-0023
Website: https://www.oag.state.md.us/contact.htm
For More Information

If you have questions or concerns, please contact (855) 424-2585, Monday through Friday, from 9 am to 9 pm
Eastern Time (except holidays). We sincerely apologize for this situation and any inconvenience it may cause you.

Wednesday, May 22, 2019

Email Fraud Attacks on Healthcare Jumped 473% Since 2017

 


This is a shocking stat, but in the last 2 years healthcare systems have seen a tremendous increase in fraud attacks launched via email.  By tremendous, I mean 473% tremendous.  That is no small number and given the amount of data that can be purloined via breaking into a repository of medical records, it is definitely an indication of just how vigilant we need to be of threats to our data security.

I recently read that the value of a medical record is around $20 apiece to those purchasing them, while viable credit card numbers are worth about $0.50… that’s right.  A credit card number is worth 50 cents while a medical record is worth twenty dollars.  Personally I would have never thought our records were actually worth that much, but that is what the market is paying.

I have had a chance to peruse the Healthcare Email Fraud Report  that has been put together from security company ProofPoint.  The information is fascinating and also a bit frightening.  As Dentistry’s “Technology Evangelist” I look upon my job as to not only present information on new devices, techniques, and materials, but to also help with things such as security and help with HIPAA and other data protection issues.  To that end, that’s why you are seeing more and more posts here leading off with my “biohazard” graphic (seen here at the top of this post) because things are just getting crazier from a standpoint of protection.

Recently I’ve become quite interested in a company called “ProofPoint” because they seem to be doing a very commendable job or monitoring the trends in the security aspects of our profession.  Like any aspect of our profession, you cannot have too much good information and ProofPoint is a powerhouse when it comes to tracking and warning of the problems we are facing every day.  

Proofpoint regularly conducts extensive research to highlight
the threats, trends, and key takeaways we see within our large
customer base and in the wider threat landscape.

Every day, we analyze more than 5 billion email messages,
hundreds of millions of social media posts and more than 250
million malware samples to protect organizations around the
world from advanced threats. We continue to see sophisticated
threats across email, social media and the web. That gives us a
unique vantage point from which to reveal and analyze the tactics,
tools and targets of today’s cyber attacks.
Here are some of their  Key Findings:

KEY FINDINGS

Healthcare organizations were targeted in 96 email fraud attacks on average in Q4 2018—
a 473% jump over Q1 2017.
Wire-transfer fraud is healthcare’s most common form of email fraud.
Within targeted healthcare organizations, 65 staff members were attacked in Q4 2018
on average.
The largest volume of email fraud attacks targeting healthcare arrived on weekdays between
7 a.m. and 1 p.m. in the targets’ time zone.
95% of healthcare organizations were targeted by an attack using their own trusted domain.
And all of them had their domain spoofed to target patients and business partners.
45% of all email sent from healthcare-owned domains in Q4 appeared suspicious, including
65% sent to employees, 42% sent to patients, and 15% sent to business partners.

For more information on the state of security in healthcare and to be able to access reports as well as read their very informative blog, head over to the ProofPoint website and bookmark it.  I think you’ll find it a great place to learn more.  I know that I certainly have.

Tuesday, May 21, 2019

Kulzer and DENTCA Partner to Launch World’s First Web-Based Denture Design Software



Kulzer, a global leader in dental materials, announced today that
it has officially launched a web-based denture design platform that will allow dental labs and

clinicians to design a denture online using digital Mondial and Mondial i teeth, download the
design files and print the denture. The result will be significant time savings and accuracy
enhancements that will benefit dental practices, labs and patients alike.

Kulzer’s new design platform, Pala Design Studio, allows lab technicians to design a denture
case in under 20 minutes, which is a small fraction of the time it would take with conventional
dentures. The technology also allows practices to require only two visits from their patients,
compared to up to five visits with conventional dentures. Pala Design Studio generates
digital denture designs as STL files, which are the standard format for additive manufacturing
technology.

The digitally designed and printed dentures created with Pala Design Studio are significantly
more accurate than those produced conventionally. Moreover, Kulzer’s cara Print 4.0 3D
printer yields smoother, more homogeneous surfaces than other 3D printers. The cara Print
4.0’s exceptional precision in the z-axis and the finely tuned parameters for each material
mean that dental professionals can position appliances in almost any direction and always
achieve the perfect fit.

“We are extremely excited to be partnering with our sister company to bring DENTCA’s
outstanding digital design platform to our valued customers,” said Lesley Melvin, Kulzer’s
Director of Marketing and Product Management. “Our commitment to helping practices, labs
and patients benefit from the exceptional efficiency and accuracy of digital dentures is
unmatched in our industry, and this partnership is just the latest example of that
commitment.”

Pala Design Studio advantages over other denture design platforms:

  • Faster Web-based design process with pay-per-download fee structure
  • Simpler design process and available as a diagnostic tool
  • Multiple cases can be designed at the same time
  • No software to install
  • Portability - designs are stored in the cloud and accessible from anywhere
  • No extra module needed to use impressions
  • No dongle necessary
  • Design supervisors can have access to all designs for a lab from anywhere
  • Ease-of-use - teeth placement is more intuitive, less manipulation is required afterthe automatic placement, and adjustments are more user-friendly and natural looking

Kulzer’s denture design platform, powered by DENTCA, is the most recent addition to
Kulzer’s complete digital workflow for denture production, which includes:
  • cara Scan 4.0, a compact and precise model and impression scanner with an excellent price-performance ratio
  • cara Print 4.0, the first 3D printer for dental practices that meets all of their speed and accuracy requirements for polymer-based dental appliances
  • cara Print Clean, an automated cleaning system that utilizes an agitated contained volume of isopropyl alcohol to clean excess, uncured, 3D printing liquid material from 3D printed parts (coming soon)
  • HiLite Power 3D, a high-performance light polymerization curing unit that can be used with all light-curing dental materials
  • dima Print Denture Base Materials (4-shades), light-curable resins indicated for fabrication and repair of full and partial removable dentures and baseplates
  • dima Print Denture Teeth Materials (6-shades), light-curable resins for fabricating, by additive manufacturing, preformed denture teeth to be used in a denture

While Pala Design Studio will initially be used for 3D printed dentures design, over time it
will also be used for milling dentures, all-on-4 design and splint and night-guard design. It
also has the potential to be used in orthodontics.

For more information about Kulzer and its award-winning products and services, please
visit www.kulzerUS.com. To set up an account in Pala Design Studio and begin designing
dentures, please visit www.paladesignstudio.com.

Monday, May 20, 2019

DMG Donates Toothbrush Testing Machine to UNC’s Adams School

 


This is some pretty cool news.  DMG makes some innovative products and now they’ve made a pretty serious donation to dental research.  The company has agreed to donate a toothbrush simulation machine to the University of North Carolina’s Adams School of Dentistry.  The UNC school has long been well known for its research and has been home to quite a few heavy hitters in the dental research arena.

By utilizing this toothbrush simulator, researchers will be able to study the long term viability of materials since they can now simulate what would take years of brushing to test finish, wear, etc of materials.

Here is all of the info:

DMG is proud to support the University of North Carolina Adams
School of Dentistry with their recent donation of a toothbrush simulation testing machine.

“A critical key to our ability to bring our customers and their patients the most effective and safest materials
possible is to support independent research at such pioneering institutions as UNC’s Adams School of
Dentistry, which is renowned for its dental materials research,” said George Wolfe, President DMG America.

"We are incredibly grateful for the generosity of DMG,” said Scott S. De Rossi, DMD, MBA, dean of the
University of North Carolina at Chapel Hill Adams School of Dentistry. “It is because of contributions like these
that we are able to work toward our ultimate goal of becoming the global model for oral health education, in
care and discovery."
DMG’s goal is to streamline the lives of dental professionals by producing premium quality dental materials
that put their customers in a better position for clinical, operational and financial success. The company’s
commitment to innovation is fostered by its strong collaborative relationships with many partners, including:
  • Dental schools
  • Private educational and research organizations
  • Product testing facilities
  • Leading dental practitioners and influencers
The need for a toothbrush simulation testing machine was first discussed in a meeting between Dr. Taiseer
Sulaiman, Assistant professor, Division Director of Operative Dentistry and Biomaterials, Department of
Restorative Sciences at the UNC Adams School of Dentistry, and Dr. Susanne Effenberger, DMG Head of
Clinical Research, during her spring 2018 tour of the dental school. Discussion topics also included an
educational grant by DMG and two possible in-vitro studies to be conducted by Dr. Sulaiman’s Biomaterials
Laboratory at the school to confirm the quality of the chemical properties of an innovative new DMG material
for use in dental practices. In the fall of 2018, plans for both the educational grant and the donation of the
tooth brush simulator were finalized, and two months later the agreement for the two research projects was
finalized. The tooth brush simulation testing machine was delivered to the school in early 2019.
“I would like to extend my sincere appreciation to DMG for their continuous support of research in our
Biomaterials Laboratory at the UNC-CH Adams School of Dentistry,” said Dr. Sulaiman. “Their support allows
us to provide clinicians with guidelines and recommendations that support newly introduced materials.
Maximizing the clinical relevance of in-vitro testing may help bridge some of the gaps that are currently
present. With machines like the toothbrush simulator, we can investigate many properties related to surface
gloss, roughness and color stability. DMG understands the importance of supporting research institutions with
such equipment, and of enabling researchers and clinicians to have a better understanding of dental materials
with the ultimate goal of providing our patients the best care possible.”

For information about DMG and its category-defining products, please visit https://www.dmg-america.com/.

Thursday, May 16, 2019

Twitter Releases Data on a Bug Impacting Collection and Sharing of Location Data on iOS Devices

 


Security issues are becoming more and more a part of my reporting here.  Between reporting on HIPAA breaches, encouraging methods to protect your data, and reporting on security issues that can affect you both personally and professionally I’ve been pretty busy as of late.  As the Technology Evangelist, I’ve got a lot of subjects to cover and report to you on and currently it’s more focused on security.

This latest issue is from the team at Twitter.  The company recently announced that they were exposing location data of iOS users to a Third Party that they have some type of business relationship with.  Obviously if your location is being broadcast to someone without your permission, that’s a major invasion of your privacy.  The good news is that this problem affected a fairly small subset of users.  I feel the takeaway here is that sharing your location is something to really think about before doing it.  While there are certainly benefits to sharing your location, there are also serious detriments.  Weigh your decisions carefully!

Here is what Twitter had to say in their announcement:

You trust us to be careful with your data, and because of that, we want to be open with you when we make a mistake. We have discovered that we were inadvertently collecting and sharing iOS location data with one of our trusted partners in certain circumstances.
Specifically, if you used more than one account on Twitter for iOS and opted into using the precise location feature in one account, we may have accidentally collected location data when you were using any other account(s) on that same device for which you had not turned on the precise location feature. 
Separately, we had intended to remove location data from the fields sent to a trusted partner during an advertising process known as real-time bidding. This removal of location did not happen as planned. However, we had implemented technical measures to “fuzz” the data shared so that it was no more precise than zip code or city (5km squared). This location data could not be used to determine an address or to map your precise movements. The partner did not receive data such as your Twitter handle or other unique account IDs that could have compromised your identity on Twitter. This means that for people using Twitter for iOS who we inadvertently collected location information from, we may also have shared that information with a trusted advertising partner.   
We have confirmed with our partner that the location data has not been retained and that it only existed in their systems for a short time, and was then deleted as part of their normal process.
We have fixed this problem and are working hard to make sure it does not happen again. We have also communicated with the people whose accounts were impacted to let them know the bug has been fixed. We invite you to check your privacy settings to make sure you’re only sharing the data you want to with us.
We’re very sorry this happened. We recognize and appreciate the trust you place in us and are committed to earning that trust every day.
If you have any questions, you may contact Twitter's Office of Data Protection through this form.

Wednesday, May 15, 2019

Studies Show Charcoal Toothpastes Do NOT Whiten Teeth

 


JADA (the Journal of the American Dental Association) has performed an analysis on over 100 articles covering charcoal toothpaste.  Their conclusion was that "there was “insufficient clinical and laboratory data” to support charcoal toothpaste’s safety or effectiveness, and warned dentists and patients to “be cautious” in using them."

Also recently the BDJ (British Dental Journal) performed a study that determined charcoal based toothpastes are a “marketing gimmick” with no scientific evidence to support claims they whiten teeth.  One of the study’s co-authors Dr. Joseph Greenwald-Cohen had the following to say:
"When used too often in people with fillings, it can get into them and become difficult to get out," Dr Greenwall-Cohen said.
"Charcoal particles can also get caught up in the gums and irritate them."
He said charcoal toothpastes and powders were more abrasive than regular toothpastes, potentially posing a risk to the enamel and gums.
The charcoal contained in today's toothpastes is usually a fine powder form of treated charcoal, the review says.
Charcoal can be made from materials including nutshells, coconut husks, bamboo and peat, and possibly wood and coal.
Prof Damien Walmsley, from the British Dental Association, said: "Charcoal-based toothpastes offer no silver bullets for anyone seeking a perfect smile, and come with real risks attached.
"So don't believe the hype. Anyone concerned about staining or discoloured teeth that can't be shifted by a change in diet, or improvements to their oral hygiene, should see their dentist."
 

The JADA study can be accessed here and the BDJ study is discussed in this article on the BBC website.

Tuesday, May 14, 2019

New Version of Dharma Ransomware Masquerades as ESTV Anti-Virus Attached to a Warning Email

 



In the never ending battle against malware, there is a new variant in the Ransomware realm.  The malware itself, called Dharma, has been around for a while, but what is different this time around is how the payload is delivered.  

Usually with Ransomeware there is some type of user action required to get it installed.  Often it is some type of  phishing email that tricks the user into opening a file which then installs Dharma.  This time the perpetrators have tried something even more nefarious.  The user receives an email that appears to be from a trusted source such as Microsoft and warns the user that their “computer is at risk”.  It makes some type of doom and gloom threat of how you have been infected and the only way to fix it is to download and install a new antivirus software.

The email looks and reads very legit and fools the recipient into downloading and double clicking the file.  What happens next is the antivirus (which is an old version of an actual AV software) begins to install and at the same time the Dharma ransomware is also installing.  Since the user thinks the AV software is making beneficial changes to the computer they don’t think twice about windows opening & closing, etc.  Unfortunately when the process is over, the user is faced with a screen informing them of the Ransomware and the way they can pay to get their data unencrypted.

This a true instance of good social engineering.  They attempt to catch you off guard, provide a very strong threat that must be acted upon immediately, and disguise their tracks with the AV install.  The entire time the user is in actuality doing the bad guys job for them.

The moral to the story is NEVER open a file you are not expecting and always do research about these types of problems by searching Google or another reputable search engine.  Vigilance is important to prevent these types of disasters!

Trendmicro was the company that discovered this new variation.  You can read their blog post about it here.  

Monday, May 13, 2019

MouthWatch CEO Brant Herman Speaking on Teledentistry Opportunities in Private Practice During CDA Presents in Anaheim

 



Brant Herman, the CEO and founder of MouthWatch, LLC a leader in innovative teledentistry solutions, digital case presentation tools and intraoral imaging devices, will be a featured speaker during CDA Presents in Anaheim. MouthWatch will also be exhibiting in booth #2323.

During the lecture, entitled “Teledentistry Opportunities in Private Practice” Herman will provide a brief background on teledentistry technology and legislation, focusing on how the landscape has changed to create exciting opportunities for private practices, ranging from solo practitioners to groups practices. The learning objectives are as follow:

• Explore the teledentistry technology currently available.
• Discuss a range of private practice opportunities incorporating teledentistry.
• Understand how teledentistry can augment their current practice model.

The lecture is being held on Friday, May 17th, from 12:00 PM – 1:00 PM in the Spot Hall C, in the Anaheim Convention Center. According to Herman, “The technology of teledentistry is not exclusive to
public health programs, DSOs and consumer-direct clear aligner companies. It can be easily adopted and afforded by private dental practices seeking new ways to grow their businesses.”
During his lecture, Herman will review examples of how his company’s all-in-one teledentistry platform, TeleDent™ 2.0 can be used successfully in a variety of scenarios, including:

• GP/Specialist Referrals & Clinical Collaboration
• DSO Access to Specialists Rotating in Different Locations
• Medical-Dental Collaboration
• Innovative Dental Hygiene Business Models
• Public Health / Private Practice Hybrids
• Pop-Up Dental Clinics

Teledentistry technology is now within reach of the average dental practice to improve the patient experience, simplify workflow and provide easier communication amongst internal and external care team, all of which contribute to the ability to seize upon new business opportunities that previously didn’t exist.”

For more information about MouthWatch, visit www.MouthWatchPro.com, call 877-544-4342 or send an email to info@MouthWatch.com.

About MouthWatch, LLC:
Headquartered in Metuchen, New Jersey, MouthWatch, LLC is a leader in leader in innovative teledentistry solutions, digital case presentation tools and intraoral imaging devices. The company is dedicated to finding new ways to constantly improve the dental health experience for both patient and provider.

The founders and management team of MouthWatch have relevant backgrounds and successful track records in dentistry, consumer products and communications. Since 2012, this team has pioneered the integration of digital imagery and communications technology in the field of dentistry. Their cumulative experience makes it possible for the company to take the lead in introducing the benefits of telemedicine to the world of dentistry.

Thursday, May 9, 2019

Charlatan Posing as Licensed Dentist Now Charged Under RICO Statute

 


You know, it takes all kinds to make up this crazy world and that includes unethical and dangerous buffoons.  

This story revolves around Krista Szewczyk and her husband John.  It seems that Krista was arrested twice within 2 weeks for posing as a dentist.  She performed dental procedures for years without ever having gone to dental school or been certified to practice.  She had a case brought against her in 2013 but since she was married to a deputy sheriff, she was allowed to enter a diversion program. However before even completing the diversion program, she was seeing patients again.

She is accused of (at a minimum) performing extractions, bonding orthodontic brackets, and performing fixed prosthodontic services.  Some of the charges she is currently accused of are:
• 40 counts of practicing dentistry without a license
• 3 counts of unlawful prescription
• 1 count of forgery in the first degree
• 4 counts of insurance fraud

Now the feds are involved and are prosecuting husband and wife using US Federal RICO Statutes.  Here is a bit from the Atlanta Journal and Constitution.

The woman accused of working as a dentist despite not having a license must now answer to additional charges, along with her husband. On Wednesday, a Paulding County grand jury indicted both Krista and John Szewczyk on charges related to their alleged illegal dental office.

It’s the second indictment in Paulding since August for Krista Szewczyk, who is also charged with practicing dentistry without a license in Cobb County. But it is the first time her husband, a former Paulding sheriff’s deputy, has been criminally charged in the case.
The Szewczyks, who live in Dallas, are accused of racketeering, practicing dentistry without a license, insurance fraud and writing an unlawful prescription in the 56-count indictment obtained by The Atlanta Journal-Constitution.
“Neither Krista Szewczyk or John Szewczyk are licensed dentists but owned and operated a business that provided dental services,” the indictment states.
The pair is charged with two counts under Georgia’s Racketeer Influenced and Corrupt Organizations Act, known as RICO. RICO is often used by prosecutors to prove that a legal business was being used for illegal means. In the Szewczyk’s case, the dental office was a licensed business. But according to investigators, the two schemed to provide illegal dental services and then billed insurance companies fraudulently. 

If you would like to read AJC’s entire article follow this link.

Wednesday, May 8, 2019

Ultradent Brings You My Lecture: Day-to-Day Technology That Can Improve Your Practice

 



I *love* technology!  I mean I *really love technology*!!!  It’s a passion, a hobby, and sometimes my mistress.

I’m the kind of guy that when I see a problem the first part of my thought process is “how can this be done better, faster, with lower stress, and a better outcome?”  In both my personal AND professional life, I can usually find that solution by seeing what new ways there are to tackle that problem.  That’s how I became “The Technology Evangelist” and since the late 90’s I’ve been working to make the world, and especially my profession, better through the use of high tech.

I’m very grateful to the good people at Ultradent who sponsor me for some of my lectures.  My next stop on my 2019 Ultradent Tech Tour is San Francisco on June 14th.  The Early Bird registration time is about to expire, but you can still register by following this link.

At this event, held at the Westin St. Francis, I’ll be discussing a variety of topics such as lasers, digital caries detection, handheld drug databases, the science of curing, cone beam computed tomography, sensitivity free restorations, and many others.  I’ll also be discussing the Ultradent products I pick up every day and the reasons that I use them.  This is going to be a really fun lecture because it lets me cover a wide variety of things that I use every day.  I never do this lecture the same way twice because tech keeps changing.

If you are interested in taking your practice to the next level with minimal stress, come spend the day with me on June 14th.  I guarantee you’ll have a good time!

Tuesday, May 7, 2019

Oregon Passes Bill Allowing Dentists to Administer Vaccines

  
 


Here is some tremendous news that extends the scope of dental practice in the state of Oregon.  Hopefully this process extends across the rest of the states of the union in short order.  According to the ADA News, dentists in Oregon will soon be providing several different kinds of vaccines to patients.  These will include flu vaccines as well as HPV (Human Papilloma Virus) vaccines.  

In most states that I know of, flu vaccines can be administered certified personnel in pharmacies and other type of “minute clinics”.  This would offer a tremendous opportunity to help immunize the general public.  Most people see their dentist 6 times more frequently than they see their medical doctor and this could help stem the tide of individuals missing these vaccinations.

Here’s the story from the ADA News:

Dentists in Oregon can soon provide vaccinations, including annual flu shots and the human papilloma virus vaccine, to patients.

The Oregon state legislature approved a bill that adds the prescription and administration of vaccines into a dentist’s scope of practice. House Bill 2220 received overwhelming bipartisan support and passed the Oregon Senate on April 25 and now awaits Gov. Kate Brown’s signature, according to the Oregon Dental Association.

“Dentists are highly trained medical practitioners who are well-positioned to provide this additional preventive care service,” said Dr. James McMahan, Oregon Dental Association president, in a news release. “Increasing our scope of practice to the administration of vaccines will help further integrate oral health with physical and behavioral health, ultimately better serving our patients.”

Under the bill, dentists providing vaccinations are required to take an additional continuing education training course and must meet current state mandated vaccine storage and reporting requirements. The Oregon Dental Association announced it will work with Oregon Health and Sciences University and the Board of Dentistry to create training programs for dentists who wish to provide vaccinations in their practice.

The bill, according to the ODA, would allow dentists to help Oregon reach state health goals that call for 70 percent of Oregon adults to regularly receive annual flu shots by 2020; increase the number of school-age children receiving vaccines; and, of particular interest to some dentists, administer the HPV vaccine to prevent oral and throat cancers.

The ADA in 2018 adopted a policy that urges dentists to support the use and administration of the HPV vaccine, recognizing it as a way to help prevent infection of the types of HPV associated with oropharyngeal cancer.

The Oregon bill passed the state House unanimously on March 28.

Monday, May 6, 2019

New Ransomware Variant Infects by "Self Installation"

 


Security continues to be more and more complicated to implement… and even more complicated to provide protection.  The latest security concern that has hit the news is a new form of Ransomeware.

In its previous designs, Ransomware was like a virus.  It required user interaction of some kind to install it.  Sometimes this was a phishing attack while other times it was an email attachment.  Either way, the end installer had to click on something which basically gave the script permission to run and that caused the infection.  

Now comes word of a new type of Ransomware that infects Cloud servers.  Basically the attackers can break into a Cloud server and install the Ransomware which then encrypts the server.  The next time the end user attempts to log into the Cloud server, they are greeted with the image at the top of this post.  Many of us are now incredibly reliant on Cloud based systems and this could very well have created havoc.  The other devastating part of this new attack is that the malware also tried to search for backups of the server and destroy them.  This is one reason that I am still using redundant backup drives that I store offsite.  It’s not the easiest solution, but those drives are just one more link in my backup chain.  For those of you relying *only on Cloud backups* I’d advise you to consider the possibilities of how you would handle being unable to retrieve your data.

While I haven’t heard of any impact from this attack, it does beg the question of dental cloud based systems and the potential effect this type of thing could have on them.  One of the best things about Cloud based dental or medical practice management systems is the stability and backup that those systems provide.  Obviously if you open your browser to your management system website and are greeted with a Ransomware graphic it’s going to be a bad day.  This is a situation that will keep Cloud service providers up at night.

It’s also worrisome to those who depend on those Cloud software services since something you depend on could potentially become infected and encrypted through no fault of your own.  This is (at least for now) a problem that is affecting servers in the Cloud and nowhere else.

Fortunately Oracle released an emergency patch quickly which closed the vulnerable part of the system.  Good for them for locking the door pretty quickly after the problem was discovered.

This is an interesting change of attack when it comes to  Ransomeware.  Whether this type of malware can ever cause problems on local servers and workstations is only a guess right now.  However, if you prepare for the emergency it ceases to be an emergency…  To that end, I’m encouraging all Cloud based systems to allow for a local backup to be kept in the office.  Since it now appears that the future may hold a scenario where not only the Cloud server is encrypted, but the Cloud backups are either encrypted as well OR deleted.  If ALL Cloud providers gave users an option to store a backup of their data in their office, losing the cloud server and backup is not catastrophic.  To the best of my knowledge, no Cloud dental company is offering that as an option, but it SHOULD be and it SHOULD be available quickly.  The time to close the corral is NOT after the horses are gone.

This entire scenario, even though it has not impacted dentistry, should be a wakeup call to the healthcare industry as a whole.  There is a storm brewing on the horizon and the time to prepare for it is NOW and not after disaster has struck.  Doctors in private practice need to realize this could happen to them and that when it does, the financial consequences will be dire.

This is one more reason to have a good local AND cloud backup utilizing a system such as DDS Rescue.  Being prepare is the best defense!  The good folks at DDS Rescue are providing a *FREE*  risk assessment analysis that will show your vulnerabilities.

Thursday, May 2, 2019

HHS Guidance Clarifies HIPAA Liability with use of 3rd-Party Health Apps

 
 
 
As our world becomes more digital and thus more connected, we are seeing ways to share data that have never existed before.  One of these changes is the “smartphone centric” society that has evolved in the wake of the iPhone and Samsung Galaxy lines.  We are now seeing a multitude of “health apps” that allow for smart phones and smart watches to track and report all kinds of information on personal health.  
 
In the wake of these apps and the information sharing ecosystem that has evolved around it, now we come to a point where providers are being asked to provide information to patients to use as they see fit on their own personal healthcare apps.  Of course, with security concerns being what they are, a lot of questions abound as these changes take place.  It is especially critical since healthcare providers are required to secure patient data in accordance with HIPAA (Health Insurance Portability and Accountability Act).  The big question for providers has been about liability of the data security.  Basically it boils down to “if I share PHI (Protected Health Information) with a patient and then the security of the data is somehow compromised, am I (the provider) liable?"
 
Obviously this question has put providers in a Catch-22.  If they don’t share the data, they are denying patients access to their own information.  However, if they were liable for a data compromise why would they share the data?
 
To help clarify the situation, HHS (The Department of Health and Human Services) has released information designed to provide guidance for the liability involved with the use of 3rd party apps.
 
Here is the information, straight from the HHS website:
 

The HIPAA access right, health apps, & APIs

 

 

1. Q: Does a HIPAA covered entity that fulfills an individual's request to transmit electronic protected health information (ePHI) to an application or other software (collectively "app")1 bear liability under the HIPAA Privacy, Security, or Breach Notification Rules (HIPAA Rules) for the app's use or disclosure of the health information it received?

 

A: The answer depends on the relationship between the covered entity and the app. Once health information is received from a covered entity, at the individual's direction, by an app that is neither a covered entity nor a business associate under HIPAA, the information is no longer subject to the protections of the HIPAA Rules. If the individual's app – chosen by an individual to receive the individual's requested ePHI – was not provided by or on behalf of the covered entity (and, thus, does not create, receive, transmit, or maintain ePHI on its behalf), the covered entity would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app. For example, the covered entity would have no HIPAA responsibilities or liability if such an app that the individual designated to receive their ePHI later experiences a breach.

 

If, on the other hand, the app was developed for, or provided by or on behalf of the covered entity – and, thus, creates, receives, maintains, or transmits ePHI on behalf of the covered entity – the covered entity could be liable under the HIPAA Rules for a subsequent impermissible disclosure because of the business associate relationship between the covered entity and the app developer. For example, if the individual selects an app that the covered health care provider uses to provide services to individuals involving ePHI, the health care provider may be subject to liability under the HIPAA Rules if the app impermissibly discloses the ePHI received.

 

2. Q: What liability does a covered entity face if it fulfills an individual's request to send their ePHI using an unsecure method to an app?

 

A: Under the individual right of access, an individual may request a covered entity to direct their ePHI to a third-party app in an unsecure manner or through an unsecure channel. See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii). For instance, an individual may request that their unencrypted ePHI be transmitted to an app as a matter of convenience. In such a circumstance, the covered entity would not be responsible for unauthorized access to the individual's ePHI while in transmission to the app. With respect to such apps, the covered entity may want to consider informing the individual of the potential risks involved the first time that the individual makes the request.

 

3. Q: Where an individual directs a covered entity to send ePHI to a designated app, does a covered entity's electronic health record (EHR) system developer bear HIPAA liability after completing the transmission of ePHI to the app on behalf of the covered entity?

 

A: The answer depends on the relationship, if any, between the covered entity, the EHR system developer, and the app chosen by the individual to receive the individual's ePHI. A business associate relationship exists if an entity creates, receives, maintains, or transmits ePHI on behalf of a covered entity (directly or through another business associate) to carry out the covered functions of the covered entity. A business associate relationship exists between an EHR system developer and a covered entity. If the EHR system developer does not own the app, or if it owns the app but does not provide the app to, through, or on behalf of, the covered entity – e.g., if it creates the app and makes it available in an app store as part of a different line of business (and not as part of its business associate relationship with any covered entity) – the EHR system developer would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app.

 

If the EHR system developer owns the app or has a business associate relationship with the app developer, and provides the app to, through, or on behalf of, the covered entity (directly or through another business associate), then the EHR system developer could potentially face HIPAA liability (as a business associate of a HIPAA covered entity) for any impermissible uses and disclosures of the health information received by the app. For example, if an EHR system developer contracts with the app developer to create the app on behalf of a covered entity and the individual later identifies that app to receive ePHI, then the EHR system developer could be subject to HIPAA liability if the app impermissibly uses or discloses the ePHI received.

 

4. Q: Can a covered entity refuse to disclose ePHI to an app chosen by an individual because of concerns about how the app will use or disclose the ePHI it receives?

 

A: No. The HIPAA Privacy Rule generally prohibits a covered entity from refusing to disclose ePHI to a third-party app designated by the individual if the ePHI is readily producible in the form and format used by the app. See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii). The HIPAA Rules do not impose any restrictions on how an individual or the individual's designee, such as an app, may use the health information that has been disclosed pursuant to the individual's right of access. For instance, a covered entity is not permitted to deny an individual's right of access to their ePHI where the individual directs the information to a third-party app because the app will share the individual's ePHI for research or because the app does not encrypt the individual's data when at rest. In addition, as discussed in Question 1 above, the HIPAA Rules do not apply to entities that do not meet the definition of a HIPAA covered entity or business associate.

 

5. Q: Does HIPAA require a covered entity or its EHR system developer to enter into a business associate agreement with an app designated by the individual in order to transmit ePHI to the app?

 

A: It depends on the relationship between the app developer, and the covered entity and/or its EHR system developer. A business associate is a person or entity who creates, receives, maintains or transmits PHI on behalf of (or for the benefit of) a covered entity (directly or through another business associate) to carry out covered functions of the covered entity. An app's facilitation of access to the individual's ePHI at the individual's request alone does not create a business associate relationship. Such facilitation may include API terms of use agreed to by the third-party app (i.e., interoperability arrangements).

 

HIPAA does not require a covered entity or its business associate (e.g., EHR system developer) to enter into a business associate agreement with an app developer that does not create, receive, maintain, or transmit ePHI on behalf of or for the benefit of the covered entity (whether directly or through another business associate).

 

However if the app was developed to create, receive, maintain, or transmit ePHI on behalf of the covered entity, or was provided by or on behalf of the covered entity (directly or through its EHR system developer, acting as the covered entity's business associate), then a business associate agreement would be required.

 

More information about apps, business associates, and HIPAA is available at https://hipaaqsportal.hhs.gov

 

Footnotes

 

1.↩ See also OCR FAQ 2039, "What is the liability of a covered entity in responding to an individual's access request to send the individual's PHI to a third party," available at https://www.hhs.gov/hipaa/for-professionals/faq/2039/what-is-the-liability-of-a-covered-entity-in-responding/index.html

Wednesday, May 1, 2019

Hola! Spanish is Coming to Amazon Alexa Devices

 



Amazon has done an amazing job with their continuing evolution of the Alexa system.  More than 100 million Alexa devices have been sold and that number continues to climb.  I know in the Flucke household they are sprinkled around the domicile…  I even went so far as to hot wire an Echo Dot into my Tahoe a while back.

One of the great things about Alexa is the constant development from both Amazon and 3rd party developers who continue to create newer and better “Alexa Skills”.  On Monday, Amazon announced that Alexa will now be speaking Spanish before the end of the year.  

The announcement was made on the Amazon Alexa developer blog.  Here is part of the announcement:

We are excited to announce that developers can start building skills for Spanish-speaking customers in the US using the Alexa Skills Kit (ASK) with the new Spanish for US voice model. Skills that developers create now and are certified for publication will be available for participants in the Alexa Preview program, and to all customers when Alexa launches in the US with Spanish language support later this year. Commercial hardware manufacturers who want to develop Alexa Built-in products for Spanish-speaking customers in the US can request early access to the invite-only Alexa Voice Service (AVS) developer preview. Along with the Echo family of devices, later this year Bose, Facebook, and Sony will bring Alexa Built-in devices and Philips, TP Link, and Honeywell Home will bring Works with Alexa devices that support Spanish in the US.

We are pleased to announce that as of today it is possible to offer skills for Spanish-speaking Alexa clients in the United States using the Spanish voice model for the United States. From this moment, the skills that the developers believe and that are certified for the publication will be available for the participants in the Alexa Preview program and for all the clients when Alexa launches the Spanish support for its clients in the United States, later this year. . Commercial hardware manufacturers that want to develop products with integrated Alexa (Alexa Built-in) for Spanish-speaking customers in the United States, can request advance access to the preview for developers of the Alexa Voice Service (AVS), only by invitation. Later this year, along with the Echo family of devices, brands such as Bose, Facebook and Sony will bring the devices ' Alexa Built-in ' and Philips, TP Link and Honeywell Home will bring ' Works with Alexa ' devices that support Spanish in the United States .