HIPAA at Open Dental Software, Inc.

See Network and Computer Setup.

Below is a summary of how Open Dental Software, Inc addresses HIPAA guidelines and standards.

Open Dental Software, Inc. follows HIPAA guidelines and standards for security and privacy, implementing physical and electronic safeguards, including encryption. Open Dental software is a tool to help you become HIPAA compliant. It is up to you to make sure your practice is secure. See HIPAA and Your Practice.

Open Dental Software, Inc. performs risk assessments
Open Dental Software, Inc. follows the NIST SP800-30 rev.1 protocol for risk assessments. This is the current, required protocol for analyzing potential PHI security risks. Following this protocol, we evaluate each risk's likelihood and impact, and implement security measures to address them. Open Dental actively reviews and edits a remediation checklist to document vulnerabilities and track the resolutions.

Our last Risk Assessment was completed on 07/18/2017. All risks (if any) were evaluated and addressed.

Our HIPAA procedures and policies are up to date and available
Open Dental Software, Inc. requires all employees to be certified on our policies and procedures. Our documentation addresses and enforces the requirements of the HIPAA Privacy and Security Rules and the HITECH Act.

Employees are actively trained to properly handle PHI
Open Dental Software, Inc. has an effective training program that is regularly updated to ensure all employees are properly trained in the HIPAA Privacy and Security Rules. Training is tracked internally. Open Dental Software, Inc. regularly audits all employees with access to PHI to ensure that data is properly handled, including but not limited to an annual audit plan. In the event of a disaster, Open Dental, Inc. is prepared to implement contingency operations and facility security plans.

Open Dental Software, Inc. and PHI
In the process of providing customer support, Open Dental employees may be exposed to PHI, including but not limited to customer databases collected for debugging, troubleshooting or conversions; screenshots showing patient information; X12 files (insurance batch files); and EOBs. All instances of data transit used for customer support are HIPAA-compliant and encrypted. We do not use email for data transit because it is not HIPAA-compliant, even if using SSL. Email is not encrypted from the email server to the recipient. If data is stored for any reason it is encrypted.

Business Associate Agreements
Open Dental Software, Inc. provides a standard Business Associate Agreement. This agreement is for our customers whose PHI we many come in contact with. See HIPAA and Your Practice.

Open Dental Software, Inc. does not share PHI with anyone, so we do not enter into Business Associate Agreements with third parties or sub-contractors.

Common Questions Asked About Open Dental's HIPAA Policies

Are your HIPAA policies and procedures up to date, effective and available?
Yes. Our policies and procedures are updated regularly and available for all employees.

Is your HIPAA training effective and up to date?
Yes. All employees are certified through an ongoing, efficacious training program.

Has a risk assessment been conducted?If so, how often does Open Dental perform internal Risk Assessments?
Yes. We perform one at least every 18 months, usually about once a year. The most recent date is shown above.

Did Open Dental Software's latest risk assessment identify any vulnerabilities that would subject our office to risk of a data breach?
No. Any vulnerabilities detected during our risk assessments are immediately addressed. To date nothing that could put an office at risk has been detected

Do you have an ongoing auditing and monitoring program for HIPAA Privacy and Security?
Yes. Workstations with access to PHI are regularly audited.

Does Open Dental Software have a policy in place for employees who fail to comply with HIPAA security policies and procedures?
Yes. Disciplinary action will be taken against staff that do not comply with the privacy policies and procedures made to protect protected health information.

As part of my HIPAA diligence, I need to know if Open Dental is covered by insurance if there is a HIPAA breach. Does Open Dental have Cyber Liability insurance?

Have you conducted due diligence on your business associates?
Yes. Open Dental Software, Inc. does not share PHI with anyone, so we do not enter into Business Associate Agreements with third parties or sub-contractors.

Has Open Dental adopted a formal approach to information security supported by one or more information security policies?
Yes. Open Dental has multiple internal security policies, which all employees must be trained on.

Has Open Dental Software been subject to any investigations relative to a breach of privacy that resulted in penalties?

Is Open Dental aware of any incident involving a potential or actual breach of patient privacy under HIPAA regarding our patient's protected health information at Open Dental Software?
If such incidents occur, the customer is immediately notified (notification should be as soon as possible, but within 72 hours per Open Dental's Policy). If you have not been notified, then this has not happened to your patient data.

Is Open Dental aware of any incidents involving a potential or actual breach of patient data on customer's information systems?
We do not track customer data, or how it is used with respect to their office (except as it relates to the PHI that we hold or transmit). Much PHI is held by customers on their own systems and they are responsible for tracking incidents regarding those systems.

Has an independent review of Open Dental's information security efforts been conducted?
No. Third party reviews of Open Dental's policies are not a HIPAA requirement.

Does Open Dental Software's HIPAA Compliance Officer and Security Officer have sufficient HIPAA training?

How does Open Dental stay up to date on current information such as security threats, trends, and technologies?
Our security team frequently researches new threats and technologies. Internal announcements are released to help our staff be aware of phishing attempts and other vulnerabilities.

Does Open Dental have a plan in place in case of a security breach?
Yes, we do have a formal process in case of a security breach. All employees are trained accordingly.

Are physical controls in place to safeguard PHI?
Yes. Open Dental Software, Inc. has multiple layers of physical security.

Are GoToAssist and remote connections encrypted?
See GoToAssist Security.

A List of Things We Don't Provide

Open Dental Software, Inc. maintains documentation for internal use only. For security purposes we do not provide the following documents to the public: