Monday, May 20, 2019

DMG Donates Toothbrush Testing Machine to UNC’s Adams School


This is some pretty cool news.  DMG makes some innovative products and now they’ve made a pretty serious donation to dental research.  The company has agreed to donate a toothbrush simulation machine to the University of North Carolina’s Adams School of Dentistry.  The UNC school has long been well known for its research and has been home to quite a few heavy hitters in the dental research arena.

By using this toothbrush simulator, researchers will be able to study the long-term viability of materials, since they can now simulate what would otherwise take years of brushing to test the finish, wear, etc. of those materials.

Here is all of the info:

DMG is proud to support the University of North Carolina Adams
School of Dentistry with their recent donation of a toothbrush simulation testing machine.

“A critical key to our ability to bring our customers and their patients the most effective and safest materials
possible is to support independent research at such pioneering institutions as UNC’s Adams School of
Dentistry, which is renowned for its dental materials research,” said George Wolfe, President DMG America.

"We are incredibly grateful for the generosity of DMG,” said Scott S. De Rossi, DMD, MBA, dean of the
University of North Carolina at Chapel Hill Adams School of Dentistry. “It is because of contributions like these
that we are able to work toward our ultimate goal of becoming the global model for oral health education, in
care and discovery."

DMG’s goal is to streamline the lives of dental professionals by producing premium quality dental materials
that put their customers in a better position for clinical, operational and financial success. The company’s
commitment to innovation is fostered by its strong collaborative relationships with many partners, including:
  • Dental schools
  • Private educational and research organizations
  • Product testing facilities
  • Leading dental practitioners and influencers

The need for a toothbrush simulation testing machine was first discussed in a meeting between Dr. Taiseer
Sulaiman, Assistant professor, Division Director of Operative Dentistry and Biomaterials, Department of
Restorative Sciences at the UNC Adams School of Dentistry, and Dr. Susanne Effenberger, DMG Head of
Clinical Research, during her spring 2018 tour of the dental school. Discussion topics also included an
educational grant by DMG and two possible in-vitro studies to be conducted by Dr. Sulaiman’s Biomaterials
Laboratory at the school to confirm the quality of the chemical properties of an innovative new DMG material
for use in dental practices. In the fall of 2018, plans for both the educational grant and the donation of the
tooth brush simulator were finalized, and two months later the agreement for the two research projects was
finalized. The tooth brush simulation testing machine was delivered to the school in early 2019.

“I would like to extend my sincere appreciation to DMG for their continuous support of research in our
Biomaterials Laboratory at the UNC-CH Adams School of Dentistry,” said Dr. Sulaiman. “Their support allows
us to provide clinicians with guidelines and recommendations that support newly introduced materials.
Maximizing the clinical relevance of in-vitro testing may help bridge some of the gaps that are currently
present. With machines like the toothbrush simulator, we can investigate many properties related to surface
gloss, roughness and color stability. DMG understands the importance of supporting research institutions with
such equipment, and of enabling researchers and clinicians to have a better understanding of dental materials
with the ultimate goal of providing our patients the best care possible.”

For information about DMG and its category-defining products, please visit

Thursday, May 16, 2019

Twitter Releases Data on a Bug Impacting Collection and Sharing of Location Data on iOS Devices


Security issues are becoming more and more a part of my reporting here.  Between reporting on HIPAA breaches, encouraging methods to protect your data, and reporting on security issues that can affect you both personally and professionally I’ve been pretty busy as of late.  As the Technology Evangelist, I’ve got a lot of subjects to cover and report to you on and currently it’s more focused on security.

This latest issue is from the team at Twitter.  The company recently announced that they were exposing location data of iOS users to a Third Party that they have some type of business relationship with.  Obviously if your location is being broadcast to someone without your permission, that’s a major invasion of your privacy.  The good news is that this problem affected a fairly small subset of users.  I feel the takeaway here is that sharing your location is something to really think about before doing it.  While there are certainly benefits to sharing your location, there are also serious detriments.  Weigh your decisions carefully!

Here is what Twitter had to say in their announcement:

You trust us to be careful with your data, and because of that, we want to be open with you when we make a mistake. We have discovered that we were inadvertently collecting and sharing iOS location data with one of our trusted partners in certain circumstances.
Specifically, if you used more than one account on Twitter for iOS and opted into using the precise location feature in one account, we may have accidentally collected location data when you were using any other account(s) on that same device for which you had not turned on the precise location feature. 
Separately, we had intended to remove location data from the fields sent to a trusted partner during an advertising process known as real-time bidding. This removal of location did not happen as planned. However, we had implemented technical measures to “fuzz” the data shared so that it was no more precise than zip code or city (5km squared). This location data could not be used to determine an address or to map your precise movements. The partner did not receive data such as your Twitter handle or other unique account IDs that could have compromised your identity on Twitter. This means that for people using Twitter for iOS who we inadvertently collected location information from, we may also have shared that information with a trusted advertising partner.   
We have confirmed with our partner that the location data has not been retained and that it only existed in their systems for a short time, and was then deleted as part of their normal process.
We have fixed this problem and are working hard to make sure it does not happen again. We have also communicated with the people whose accounts were impacted to let them know the bug has been fixed. We invite you to check your privacy settings to make sure you’re only sharing the data you want to with us.
We’re very sorry this happened. We recognize and appreciate the trust you place in us and are committed to earning that trust every day.
If you have any questions, you may contact Twitter's Office of Data Protection through this form.

Wednesday, May 15, 2019

Studies Show Charcoal Toothpastes Do NOT Whiten Teeth


JADA (the Journal of the American Dental Association) has performed an analysis on over 100 articles covering charcoal toothpaste.  Their conclusion was that there was “insufficient clinical and laboratory data” to support charcoal toothpaste’s safety or effectiveness, and they warned dentists and patients to “be cautious” in using them.

Also recently, the BDJ (British Dental Journal) performed a study that determined charcoal-based toothpastes are a “marketing gimmick” with no scientific evidence to support claims they whiten teeth.  One of the study’s co-authors, Dr. Joseph Greenwall-Cohen, had the following to say:
"When used too often in people with fillings, it can get into them and become difficult to get out," Dr Greenwall-Cohen said.
"Charcoal particles can also get caught up in the gums and irritate them."
He said charcoal toothpastes and powders were more abrasive than regular toothpastes, potentially posing a risk to the enamel and gums.
The charcoal contained in today's toothpastes is usually a fine powder form of treated charcoal, the review says.
Charcoal can be made from materials including nutshells, coconut husks, bamboo and peat, and possibly wood and coal.
Prof Damien Walmsley, from the British Dental Association, said: "Charcoal-based toothpastes offer no silver bullets for anyone seeking a perfect smile, and come with real risks attached.
"So don't believe the hype. Anyone concerned about staining or discoloured teeth that can't be shifted by a change in diet, or improvements to their oral hygiene, should see their dentist."

The JADA study can be accessed here and the BDJ study is discussed in this article on the BBC website.

Tuesday, May 14, 2019

New Version of Dharma Ransomware Masquerades as ESTV Anti-Virus Attached to a Warning Email


In the never ending battle against malware, there is a new variant in the Ransomware realm.  The malware itself, called Dharma, has been around for a while, but what is different this time around is how the payload is delivered.  

Usually with Ransomware there is some type of user action required to get it installed.  Often it is some type of phishing email that tricks the user into opening a file which then installs Dharma.  This time the perpetrators have tried something even more nefarious.  The user receives an email that appears to be from a trusted source such as Microsoft and warns the user that their “computer is at risk”.  It makes some type of doom and gloom threat of how you have been infected and the only way to fix it is to download and install a new antivirus software.

The email looks and reads very legit and fools the recipient into downloading and double clicking the file.  What happens next is the antivirus (which is an old version of an actual AV software) begins to install and at the same time the Dharma ransomware is also installing.  Since the user thinks the AV software is making beneficial changes to the computer they don’t think twice about windows opening & closing, etc.  Unfortunately when the process is over, the user is faced with a screen informing them of the Ransomware and the way they can pay to get their data unencrypted.

This is a true instance of good social engineering.  They attempt to catch you off guard, provide a very strong threat that must be acted upon immediately, and disguise their tracks with the AV install.  The entire time the user is in actuality doing the bad guys’ job for them.

The moral to the story is NEVER open a file you are not expecting and always do research about these types of problems by searching Google or another reputable search engine.  Vigilance is important to prevent these types of disasters!

Trend Micro was the company that discovered this new variation.  You can read their blog post about it here.

Monday, May 13, 2019

MouthWatch CEO Brant Herman Speaking on Teledentistry Opportunities in Private Practice During CDA Presents in Anaheim


Brant Herman, the CEO and founder of MouthWatch, LLC a leader in innovative teledentistry solutions, digital case presentation tools and intraoral imaging devices, will be a featured speaker during CDA Presents in Anaheim. MouthWatch will also be exhibiting in booth #2323.

During the lecture, entitled “Teledentistry Opportunities in Private Practice”, Herman will provide a brief background on teledentistry technology and legislation, focusing on how the landscape has changed to create exciting opportunities for private practices, ranging from solo practitioners to group practices. The learning objectives are as follows:

• Explore the teledentistry technology currently available.
• Discuss a range of private practice opportunities incorporating teledentistry.
• Understand how teledentistry can augment their current practice model.

The lecture is being held on Friday, May 17th, from 12:00 PM – 1:00 PM in the Spot Hall C, in the Anaheim Convention Center. According to Herman, “The technology of teledentistry is not exclusive to public health programs, DSOs and consumer-direct clear aligner companies. It can be easily adopted and afforded by private dental practices seeking new ways to grow their businesses.”

During his lecture, Herman will review examples of how his company’s all-in-one teledentistry platform, TeleDent™ 2.0 can be used successfully in a variety of scenarios, including:

• GP/Specialist Referrals & Clinical Collaboration
• DSO Access to Specialists Rotating in Different Locations
• Medical-Dental Collaboration
• Innovative Dental Hygiene Business Models
• Public Health / Private Practice Hybrids
• Pop-Up Dental Clinics

Teledentistry technology is now within reach of the average dental practice to improve the patient experience, simplify workflow and provide easier communication amongst internal and external care team, all of which contribute to the ability to seize upon new business opportunities that previously didn’t exist.”

For more information about MouthWatch, visit, call 877-544-4342 or send an email to

About MouthWatch, LLC:
Headquartered in Metuchen, New Jersey, MouthWatch, LLC is a leader in innovative teledentistry solutions, digital case presentation tools and intraoral imaging devices. The company is dedicated to finding new ways to constantly improve the dental health experience for both patient and provider.

The founders and management team of MouthWatch have relevant backgrounds and successful track records in dentistry, consumer products and communications. Since 2012, this team has pioneered the integration of digital imagery and communications technology in the field of dentistry. Their cumulative experience makes it possible for the company to take the lead in introducing the benefits of telemedicine to the world of dentistry.

Thursday, May 9, 2019

Charlatan Posing as Licensed Dentist Now Charged Under RICO Statute


You know, it takes all kinds to make up this crazy world and that includes unethical and dangerous buffoons.  

This story revolves around Krista Szewczyk and her husband John.  It seems that Krista was arrested twice within 2 weeks for posing as a dentist.  She performed dental procedures for years without ever having gone to dental school or been certified to practice.  She had a case brought against her in 2013 but since she was married to a deputy sheriff, she was allowed to enter a diversion program. However before even completing the diversion program, she was seeing patients again.

She is accused of (at a minimum) performing extractions, bonding orthodontic brackets, and performing fixed prosthodontic services.  Some of the charges she is currently accused of are:
• 40 counts of practicing dentistry without a license
• 3 counts of unlawful prescription
• 1 count of forgery in the first degree
• 4 counts of insurance fraud

Now the feds are involved and are prosecuting husband and wife using US Federal RICO Statutes.  Here is a bit from the Atlanta Journal and Constitution.

The woman accused of working as a dentist despite not having a license must now answer to additional charges, along with her husband. On Wednesday, a Paulding County grand jury indicted both Krista and John Szewczyk on charges related to their alleged illegal dental office.

It’s the second indictment in Paulding since August for Krista Szewczyk, who is also charged with practicing dentistry without a license in Cobb County. But it is the first time her husband, a former Paulding sheriff’s deputy, has been criminally charged in the case.
The Szewczyks, who live in Dallas, are accused of racketeering, practicing dentistry without a license, insurance fraud and writing an unlawful prescription in the 56-count indictment obtained by The Atlanta Journal-Constitution.
“Neither Krista Szewczyk or John Szewczyk are licensed dentists but owned and operated a business that provided dental services,” the indictment states.
The pair is charged with two counts under Georgia’s Racketeer Influenced and Corrupt Organizations Act, known as RICO. RICO is often used by prosecutors to prove that a legal business was being used for illegal means. In the Szewczyk’s case, the dental office was a licensed business. But according to investigators, the two schemed to provide illegal dental services and then billed insurance companies fraudulently. 

If you would like to read AJC’s entire article follow this link.

Wednesday, May 8, 2019

Ultradent Brings You My Lecture: Day-to-Day Technology That Can Improve Your Practice


I *love* technology!  I mean I *really love technology*!!!  It’s a passion, a hobby, and sometimes my mistress.

I’m the kind of guy that when I see a problem the first part of my thought process is “how can this be done better, faster, with lower stress, and a better outcome?”  In both my personal AND professional life, I can usually find that solution by seeing what new ways there are to tackle that problem.  That’s how I became “The Technology Evangelist” and since the late 90’s I’ve been working to make the world, and especially my profession, better through the use of high tech.

I’m very grateful to the good people at Ultradent who sponsor me for some of my lectures.  My next stop on my 2019 Ultradent Tech Tour is San Francisco on June 14th.  The Early Bird registration time is about to expire, but you can still register by following this link.

At this event, held at the Westin St. Francis, I’ll be discussing a variety of topics such as lasers, digital caries detection, handheld drug databases, the science of curing, cone beam computed tomography, sensitivity free restorations, and many others.  I’ll also be discussing the Ultradent products I pick up every day and the reasons that I use them.  This is going to be a really fun lecture because it lets me cover a wide variety of things that I use every day.  I never do this lecture the same way twice because tech keeps changing.

If you are interested in taking your practice to the next level with minimal stress, come spend the day with me on June 14th.  I guarantee you’ll have a good time!

Tuesday, May 7, 2019

Oregon Passes Bill Allowing Dentists to Administer Vaccines


Here is some tremendous news that extends the scope of dental practice in the state of Oregon.  Hopefully this process extends across the rest of the states of the union in short order.  According to the ADA News, dentists in Oregon will soon be providing several different kinds of vaccines to patients.  These will include flu vaccines as well as HPV (Human Papilloma Virus) vaccines.  

In most states that I know of, flu vaccines can be administered by certified personnel in pharmacies and other types of “minute clinics”.  This would offer a tremendous opportunity to help immunize the general public.  Most people see their dentist 6 times more frequently than they see their medical doctor and this could help stem the tide of individuals missing these vaccinations.

Here’s the story from the ADA News:

Dentists in Oregon can soon provide vaccinations, including annual flu shots and the human papilloma virus vaccine, to patients.

The Oregon state legislature approved a bill that adds the prescription and administration of vaccines into a dentist’s scope of practice. House Bill 2220 received overwhelming bipartisan support and passed the Oregon Senate on April 25 and now awaits Gov. Kate Brown’s signature, according to the Oregon Dental Association.

“Dentists are highly trained medical practitioners who are well-positioned to provide this additional preventive care service,” said Dr. James McMahan, Oregon Dental Association president, in a news release. “Increasing our scope of practice to the administration of vaccines will help further integrate oral health with physical and behavioral health, ultimately better serving our patients.”

Under the bill, dentists providing vaccinations are required to take an additional continuing education training course and must meet current state mandated vaccine storage and reporting requirements. The Oregon Dental Association announced it will work with Oregon Health and Sciences University and the Board of Dentistry to create training programs for dentists who wish to provide vaccinations in their practice.

The bill, according to the ODA, would allow dentists to help Oregon reach state health goals that call for 70 percent of Oregon adults to regularly receive annual flu shots by 2020; increase the number of school-age children receiving vaccines; and, of particular interest to some dentists, administer the HPV vaccine to prevent oral and throat cancers.

The ADA in 2018 adopted a policy that urges dentists to support the use and administration of the HPV vaccine, recognizing it as a way to help prevent infection of the types of HPV associated with oropharyngeal cancer.

The Oregon bill passed the state House unanimously on March 28.

Monday, May 6, 2019

New Ransomware Variant Infects by "Self Installation"


Security continues to be more and more complicated to implement… and even more complicated to provide protection.  The latest security concern that has hit the news is a new form of Ransomware.

In its previous designs, Ransomware was like a virus.  It required user interaction of some kind to install it.  Sometimes this was a phishing attack while other times it was an email attachment.  Either way, the end installer had to click on something which basically gave the script permission to run and that caused the infection.  

Now comes word of a new type of Ransomware that infects Cloud servers.  Basically the attackers can break into a Cloud server and install the Ransomware which then encrypts the server.  The next time the end user attempts to log into the Cloud server, they are greeted with the image at the top of this post.  Many of us are now incredibly reliant on Cloud based systems and this could very well have created havoc.  The other devastating part of this new attack is that the malware also tried to search for backups of the server and destroy them.  This is one reason that I am still using redundant backup drives that I store offsite.  It’s not the easiest solution, but those drives are just one more link in my backup chain.  For those of you relying *only on Cloud backups* I’d advise you to consider the possibilities of how you would handle being unable to retrieve your data.

While I haven’t heard of any impact from this attack, it does beg the question of dental cloud based systems and the potential effect this type of thing could have on them.  One of the best things about Cloud based dental or medical practice management systems is the stability and backup that those systems provide.  Obviously if you open your browser to your management system website and are greeted with a Ransomware graphic it’s going to be a bad day.  This is a situation that will keep Cloud service providers up at night.

It’s also worrisome to those who depend on those Cloud software services since something you depend on could potentially become infected and encrypted through no fault of your own.  This is (at least for now) a problem that is affecting servers in the Cloud and nowhere else.

Fortunately Oracle released an emergency patch quickly which closed the vulnerable part of the system.  Good for them for locking the door pretty quickly after the problem was discovered.

This is an interesting change of attack when it comes to Ransomware.  Whether this type of malware can ever cause problems on local servers and workstations is only a guess right now.  However, if you prepare for the emergency it ceases to be an emergency…  To that end, I’m encouraging all Cloud based systems to allow for a local backup to be kept in the office, since it now appears that the future may hold a scenario where not only the Cloud server is encrypted, but the Cloud backups are either encrypted as well OR deleted.  If ALL Cloud providers gave users an option to store a backup of their data in their office, losing the cloud server and backup would not be catastrophic.  To the best of my knowledge, no Cloud dental company is offering that as an option, but it SHOULD be and it SHOULD be available quickly.  The time to close the corral is NOT after the horses are gone.

This entire scenario, even though it has not impacted dentistry, should be a wakeup call to the healthcare industry as a whole.  There is a storm brewing on the horizon and the time to prepare for it is NOW and not after disaster has struck.  Doctors in private practice need to realize this could happen to them and that when it does, the financial consequences will be dire.

This is one more reason to have a good local AND cloud backup utilizing a system such as DDS Rescue.  Being prepared is the best defense!  The good folks at DDS Rescue are providing a *FREE* risk assessment analysis that will show your vulnerabilities.

Thursday, May 2, 2019

HHS Guidance Clarifies HIPAA Liability with use of 3rd-Party Health Apps

As our world becomes more digital and thus more connected, we are seeing ways to share data that have never existed before.  One of these changes is the “smartphone centric” society that has evolved in the wake of the iPhone and Samsung Galaxy lines.  We are now seeing a multitude of “health apps” that allow for smart phones and smart watches to track and report all kinds of information on personal health.  
In the wake of these apps and the information sharing ecosystem that has evolved around them, now we come to a point where providers are being asked to provide information to patients to use as they see fit on their own personal healthcare apps.  Of course, with security concerns being what they are, a lot of questions abound as these changes take place.  It is especially critical since healthcare providers are required to secure patient data in accordance with HIPAA (Health Insurance Portability and Accountability Act).  The big question for providers has been about liability for the security of the data.  Basically it boils down to “if I share PHI (Protected Health Information) with a patient and then the security of the data is somehow compromised, am I (the provider) liable?”
Obviously this question has put providers in a Catch-22.  If they don’t share the data, they are denying patients access to their own information.  However, if they were liable for a data compromise why would they share the data?
To help clarify the situation, HHS (The Department of Health and Human Services) has released information designed to provide guidance for the liability involved with the use of 3rd party apps.
Here is the information, straight from the HHS website:

The HIPAA access right, health apps, & APIs



1. Q: Does a HIPAA covered entity that fulfills an individual's request to transmit electronic protected health information (ePHI) to an application or other software (collectively "app")1 bear liability under the HIPAA Privacy, Security, or Breach Notification Rules (HIPAA Rules) for the app's use or disclosure of the health information it received?


A: The answer depends on the relationship between the covered entity and the app. Once health information is received from a covered entity, at the individual's direction, by an app that is neither a covered entity nor a business associate under HIPAA, the information is no longer subject to the protections of the HIPAA Rules. If the individual's app – chosen by an individual to receive the individual's requested ePHI – was not provided by or on behalf of the covered entity (and, thus, does not create, receive, transmit, or maintain ePHI on its behalf), the covered entity would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app. For example, the covered entity would have no HIPAA responsibilities or liability if such an app that the individual designated to receive their ePHI later experiences a breach.


If, on the other hand, the app was developed for, or provided by or on behalf of the covered entity – and, thus, creates, receives, maintains, or transmits ePHI on behalf of the covered entity – the covered entity could be liable under the HIPAA Rules for a subsequent impermissible disclosure because of the business associate relationship between the covered entity and the app developer. For example, if the individual selects an app that the covered health care provider uses to provide services to individuals involving ePHI, the health care provider may be subject to liability under the HIPAA Rules if the app impermissibly discloses the ePHI received.


2. Q: What liability does a covered entity face if it fulfills an individual's request to send their ePHI using an unsecure method to an app?


A: Under the individual right of access, an individual may request a covered entity to direct their ePHI to a third-party app in an unsecure manner or through an unsecure channel. See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii). For instance, an individual may request that their unencrypted ePHI be transmitted to an app as a matter of convenience. In such a circumstance, the covered entity would not be responsible for unauthorized access to the individual's ePHI while in transmission to the app. With respect to such apps, the covered entity may want to consider informing the individual of the potential risks involved the first time that the individual makes the request.


3. Q: Where an individual directs a covered entity to send ePHI to a designated app, does a covered entity's electronic health record (EHR) system developer bear HIPAA liability after completing the transmission of ePHI to the app on behalf of the covered entity?


A: The answer depends on the relationship, if any, between the covered entity, the EHR system developer, and the app chosen by the individual to receive the individual's ePHI. A business associate relationship exists if an entity creates, receives, maintains, or transmits ePHI on behalf of a covered entity (directly or through another business associate) to carry out the covered functions of the covered entity. A business associate relationship exists between an EHR system developer and a covered entity. If the EHR system developer does not own the app, or if it owns the app but does not provide the app to, through, or on behalf of, the covered entity – e.g., if it creates the app and makes it available in an app store as part of a different line of business (and not as part of its business associate relationship with any covered entity) – the EHR system developer would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app.


If the EHR system developer owns the app or has a business associate relationship with the app developer, and provides the app to, through, or on behalf of, the covered entity (directly or through another business associate), then the EHR system developer could potentially face HIPAA liability (as a business associate of a HIPAA covered entity) for any impermissible uses and disclosures of the health information received by the app. For example, if an EHR system developer contracts with the app developer to create the app on behalf of a covered entity and the individual later identifies that app to receive ePHI, then the EHR system developer could be subject to HIPAA liability if the app impermissibly uses or discloses the ePHI received.


4. Q: Can a covered entity refuse to disclose ePHI to an app chosen by an individual because of concerns about how the app will use or disclose the ePHI it receives?


A: No. The HIPAA Privacy Rule generally prohibits a covered entity from refusing to disclose ePHI to a third-party app designated by the individual if the ePHI is readily producible in the form and format used by the app. See 45 CFR 164.524(a)(1), (c)(2)(ii), (c)(3)(ii). The HIPAA Rules do not impose any restrictions on how an individual or the individual's designee, such as an app, may use the health information that has been disclosed pursuant to the individual's right of access. For instance, a covered entity is not permitted to deny an individual's right of access to their ePHI where the individual directs the information to a third-party app because the app will share the individual's ePHI for research or because the app does not encrypt the individual's data when at rest. In addition, as discussed in Question 1 above, the HIPAA Rules do not apply to entities that do not meet the definition of a HIPAA covered entity or business associate.


5. Q: Does HIPAA require a covered entity or its EHR system developer to enter into a business associate agreement with an app designated by the individual in order to transmit ePHI to the app?


A: It depends on the relationship between the app developer, and the covered entity and/or its EHR system developer. A business associate is a person or entity who creates, receives, maintains or transmits PHI on behalf of (or for the benefit of) a covered entity (directly or through another business associate) to carry out covered functions of the covered entity. An app's facilitation of access to the individual's ePHI at the individual's request alone does not create a business associate relationship. Such facilitation may include API terms of use agreed to by the third-party app (i.e., interoperability arrangements).


HIPAA does not require a covered entity or its business associate (e.g., EHR system developer) to enter into a business associate agreement with an app developer that does not create, receive, maintain, or transmit ePHI on behalf of or for the benefit of the covered entity (whether directly or through another business associate).


However, if the app was developed to create, receive, maintain, or transmit ePHI on behalf of the covered entity, or was provided by or on behalf of the covered entity (directly or through its EHR system developer, acting as the covered entity's business associate), then a business associate agreement would be required.


More information about apps, business associates, and HIPAA is available at




1. See also OCR FAQ 2039, "What is the liability of a covered entity in responding to an individual's access request to send the individual's PHI to a third party," available at

Wednesday, May 1, 2019

Hola! Spanish is Coming to Amazon Alexa Devices


Amazon has done an amazing job with their continuing evolution of the Alexa system.  More than 100 million Alexa devices have been sold and that number continues to climb.  I know in the Flucke household they are sprinkled around the domicile…  I even went so far as to hot wire an Echo Dot into my Tahoe a while back.

One of the great things about Alexa is the constant development from both Amazon and 3rd party developers who continue to create newer and better “Alexa Skills”.  On Monday, Amazon announced that Alexa will now be speaking Spanish before the end of the year.  

The announcement was made on the Amazon Alexa developer blog.  Here is part of the announcement:

We are excited to announce that developers can start building skills for Spanish-speaking customers in the US using the Alexa Skills Kit (ASK) with the new Spanish for US voice model. Skills that developers create now and are certified for publication will be available for participants in the Alexa Preview program, and to all customers when Alexa launches in the US with Spanish language support later this year. Commercial hardware manufacturers who want to develop Alexa Built-in products for Spanish-speaking customers in the US can request early access to the invite-only Alexa Voice Service (AVS) developer preview. Along with the Echo family of devices, later this year Bose, Facebook, and Sony will bring Alexa Built-in devices and Philips, TP Link, and Honeywell Home will bring Works with Alexa devices that support Spanish in the US.

We are pleased to announce that as of today it is possible to offer skills for Spanish-speaking Alexa clients in the United States using the Spanish voice model for the United States. From this moment, the skills that the developers believe and that are certified for the publication will be available for the participants in the Alexa Preview program and for all the clients when Alexa launches the Spanish support for its clients in the United States, later this year. Commercial hardware manufacturers that want to develop products with integrated Alexa (Alexa Built-in) for Spanish-speaking customers in the United States can request advance access to the preview for developers of the Alexa Voice Service (AVS), only by invitation. Later this year, along with the Echo family of devices, brands such as Bose, Facebook and Sony will bring the devices 'Alexa Built-in' and Philips, TP Link and Honeywell Home will bring 'Works with Alexa' devices that support Spanish in the United States.