HIPAA at Open Dental Software, Inc.

See Network and Computer Setup.

Below is a summary of how Open Dental Software, Inc addresses HIPAA guidelines and standards.

Open Dental Software, Inc. follows HIPAA guidelines and standards for security and privacy, implementing physical and electronic safeguards, including encryption. Open Dental software is a tool to help you become HIPAA compliant. It is up to you to make sure your practice is secure. See HIPAA and Your Practice.

Open Dental Software, Inc. performs risk assessments
Open Dental Software, Inc. follows the NIST SP800-30 rev.1 protocol for risk assessments. This is the current, required protocol for analyzing potential PHI security risks. Following this protocol, we evaluate each risk's likelihood and impact, and implement security measures to address them. Open Dental actively reviews and edits a remediation checklist to document vulnerabilities and track the resolutions.

Our last Risk Assessment was completed on 09/19/2023. All risks (if any) were evaluated and addressed.

Our HIPAA procedures and policies are up to date and available
Open Dental Software, Inc. requires all employees to be certified on our policies and procedures. Our documentation addresses and enforces the requirements of the HIPAA Privacy and Security Rules and the HITECH Act.

Employees are actively trained to properly handle PHI
Open Dental Software, Inc. has an effective training program that is regularly updated to ensure all employees are properly trained in the HIPAA Privacy and Security Rules. Training is tracked internally. Open Dental Software, Inc. regularly audits all employees with access to PHI to ensure that data is properly handled, including but not limited to an annual audit plan. In the event of a disaster, Open Dental, Inc. is prepared to implement contingency operations and facility security plans.

Open Dental Software, Inc. and PHI
In the process of providing customer support, Open Dental employees may be exposed to PHI, including but not limited to customer databases collected for debugging, troubleshooting or conversions; screenshots showing patient information; X12 files (insurance batch files); and EOBs. All instances of data transit used for customer support are HIPAA-compliant and encrypted. We do not use email for data transit because it is not HIPAA-compliant, even if using SSL. Email is not encrypted from the email server to the recipient. If data is stored for any reason it is encrypted.

Business Associate Agreements
Open Dental Software, Inc. provides a standard Business Associate Agreement. This agreement is for our customers whose PHI we many come in contact with. See HIPAA and Your Practice.

Common Questions Asked About Open Dental's HIPAA Policies

Are your HIPAA policies and procedures up to date, effective and available?
Yes. Our policies and procedures are updated regularly and available for all employees.

Is your HIPAA training effective and up to date?
Yes. All employees are certified through an ongoing, efficacious training program.

Has a risk assessment been conducted?If so, how often does Open Dental perform internal Risk Assessments?
Yes. We perform one at least every 18 months, usually about once a year. The most recent date is shown above.

Did Open Dental Software's latest risk assessment identify any vulnerabilities that would subject our office to risk of a data breach?
No. Any vulnerabilities detected during our risk assessments are immediately addressed. To date nothing that could put an office at risk has been detected

Do you have an ongoing auditing and monitoring program for HIPAA Privacy and Security?
Yes. Workstations with access to PHI are regularly audited.

Does Open Dental Software have a policy in place for employees who fail to comply with HIPAA security policies and procedures?
Yes. Disciplinary action will be taken against staff that do not comply with the privacy policies and procedures made to protect protected health information.

As part of my HIPAA diligence, I need to know if Open Dental is covered by insurance if there is a HIPAA breach. Does Open Dental have Cyber Liability insurance?
Yes.

Have you conducted due diligence on your business associates?
Yes. Open Dental Software very rarely shares PHI with any third party, and never shares it as structured data, so we do not normally have to conduct 'due diligence' with respect to PHI and HIPAA.The two current exceptions are:

1. Screen sharing software that captures (encrypted) video stream which could contain PHI
2. Electronic prescribing (not legacy)

We have conducted due diligence for these two third parties and have Business Associate Agreements on file with them.

Has Open Dental adopted a formal approach to information security supported by one or more information security policies?
Yes. Open Dental has multiple internal security policies, which all employees must be trained on.

Has Open Dental Software been subject to any investigations relative to a breach of privacy that resulted in penalties?
No.

Is Open Dental aware of any incident involving a potential or actual breach of patient privacy under HIPAA regarding our patient's protected health information at Open Dental Software?
If such incidents occur, the customer is immediately notified (notification should be as soon as possible, but within 72 hours per Open Dental's Policy). If you have not been notified, then this has not happened to your patient data.

Is Open Dental aware of any incidents involving a potential or actual breach of patient data on customer's information systems?
We do not track customer data, or how it is used with respect to their office (except as it relates to the PHI that we hold or transmit). Much PHI is held by customers on their own systems and they are responsible for tracking incidents regarding those systems.

Has an independent review of Open Dental's information security efforts been conducted?
No. Third party reviews of Open Dental's policies are not a HIPAA requirement.

Does Open Dental Software's HIPAA Compliance Officer and Security Officer have sufficient HIPAA training?
Yes.

How does Open Dental stay up to date on current information such as security threats, trends, and technologies?
Our security team frequently researches new threats and technologies. Internal announcements are released to help our staff be aware of phishing attempts and other vulnerabilities.

Does Open Dental have a plan in place in case of a security breach?
Yes, we do have a formal process in case of a security breach. All employees are trained accordingly.

Are physical controls in place to safeguard PHI?
Yes. Open Dental Software, Inc. has multiple layers of physical security.

Are remote connections encrypted?
Yes

Is PHI access regulated based on employee's roles?
Yes. Open Dental Software, Inc. employees only have access to PHI when necessary.

Do you maintain a PHI disclosure log?
No. A PHI disclosure log is not a HIPAA requirement for business associates.

Do you regularly review or update your contingency plan?
Yes. Open Dental Software, Inc.'s contingency plans are reviewed on an as-needed basis following any significant events, but will be reviewed annually at minimum.

Do you perform screening procedures and background checks on new employees?
Yes.

Is PHI access revoked upon employee termination?
Yes.

Do you have policies and procedures that are designed to help detect, prevent, and respond to security events?
Yes.

Do you utilize antivirus software to prevent intrusions by viruses and malware?
Yes. All machines have antivirus and antimalware software installed, and are monitored by our IT team. The software is regularly updated.

Do you have policies and procedures for the assignment of a unique identifier for each authorized user?
Yes.

Do you have policies and procedures for protecting PHI from unauthorized modification or destruction?
Yes.

Are passwords required for all applications that provide access to PHI?
Yes.

Has Open Dental adopted a formal approach to information security supported by one or more information security policies?
Yes. Open Dental Software, Inc. has multiple internal security policies, which all employees must be trained on. Security policies are reviewed regularly.

Do you allow personal devices to be connected to the same network which contains PHI?
No.

Do you send PHI outside of your network?
Yes. Open Dental Software very rarely shares PHI with any third party, and never shares it as structured data. The one current exception is that we use screen sharing software that captures (encrypted) video stream which could contain PHI, and we have conducted due diligence on that one third party and have a Business Associate Agreement with them.

Are there any public workstations on your network?
No.

Do you set security standards for workstations used outside of Open Dental Software Inc's headquarters?
No. Workstations are not permitted outside of Open Dental Software, Inc.

Do you keep inventory of devices which have stored or contain PHI?
Yes.

Do you require all PHI be removed before reusing or recycling media?
Yes.

Do you document changes to your policies and procedures?
Yes. Changes to procedures are documented, and historical records are kept.

Does your organization require physical identification of employees who have access to ePHI (i.e. photos on access cards)?
Yes.

Are you able to terminate vendor agreements if the a vendor violates terms within a contract?
Yes.

Can authorized employees gain access to systems in the event of an emergency?
As a business associate and not a practice, Open Dental Software, Inc. is not required to maintain PHI or provide access in the event of an emergency.

Does your organization keep a record of everyone who has entered any facilities that provide access to ePHI?
Yes.

Is there a complete job description that accurately reflects assigned security duties and responsibilities?
Yes.

Does your organization send out periodic reminders to employees regarding security procedures?
Yes.

Do the systems in your organization monitor and report when system login failures occur?
Yes.

Has your organization clearly defined the software and/or hardware that must be operating to ensure ePHI is protected during an emergency?
Yes. Even in the event of an emergency, ePHI access is secured.

How does Open Dental address encryption?
See Encryption of Data at Rest and in Transit.

A List of Things We Don't Provide

Open Dental Software, Inc. maintains documentation for internal use only. For security purposes we do not provide the following documents to the public:

• Name and contact information of our HIPAA Compliance Officer. Questions can be directed to service@opendental.com and will be answered accordingly.
• Names of employees performing work under Open Dental Software's Business Associate Agreement - Open Dental Software is simply too large to supply a full list of all employees that come into contact with PHI.
• The date of each employee's initial and subsequent HIPAA training - Open Dental Software is simply too large to supply a full list of all employee's date of training completion. Open Dental Software trains every employee to handle PHI, and recertifies every employee annually.
• Signatures by our HIPAA Compliance Officer or Security Officer - our employee's information is confidential.
• Filled questionnaires - Open Dental Software provides a standard list of answers that most offices require, on this page. We have thousands of customers. In order to review each questionnaire, we would need a legal team to read and respond to thousands of customers each year. If your state or office has specific requirements that are not listed in ours, we will add those sections as needed.
• Security Risk Assessment
• Remediation Plan
• HIPAA Master Policy and Procedure Manual
• Training Materials and Logs
• Network Vulnerability Scan
• Incident Response Plan
• Disaster Recovery
• How risks are classified and mitigated. Each risk found (if any) requires special attention and detail, which can change processes depending on the risk. Details vary too greatly to describe.
• How employees are terminated.
• How PHI access is revoked.
• The specific encryption methods and mechanisms used.
• Specific password policies.
• Specific PHI disposal policies.
• Specific details of physical site security.