    o Protecting against unauthorized access to your practice’s protected health information in various forms.

• Institute formal training for current workforce members annually; training as to new or changed policies every six (6) months; and applicable training whenever a workforce member changes jobs within the practice or takes on new job responsibilities.

• Institute formal training for new workforce members no later than 30 days following a new hire.

• Consider whether online training courses on privacy and security, with tests to document understanding of privacy and security rules, would enhance your practice’s risk mitigation efforts and compliance with HIPAA training requirements.

• Post reminder signs near workstations, in the break room, and other areas in your practice facility where workforce members gather.

7. Enforcement of Privacy and Security Compliance

Effective July 27, 2009, Secretary of Health and Human Services (HHS) Kathleen Sebelius delegated enforcement of the HIPAA Security Rule to the HHS Office for Civil Rights (OCR), which has had HIPAA Privacy Rule enforcement responsibilities since the compliance date of that rule, April 14, 2003.[13] Then, on Friday, October 30, 2009, HHS published in the Federal Register its Interim Final Rule that strengthens HIPAA enforcement under HITECH Act civil penalty revisions enacted as part of the American Recovery and Reinvestment Act on February 17, 2009.[14] “These HITECH Act revisions significantly increase the penalty amounts the Secretary [of HHS] may impose for violations of the HIPAA rules and encourage prompt corrective action,” according to the HHS press release.[15] The Interim Final Rule took effect on November 30, 2009. OCR will also enforce the HITECH Act Breach Notification Rule. Unified enforcement and higher penalties increase both the likelihood and the severity of consequences for HIPAA non-compliance with the Privacy and Security Rules and the Breach Notification Rule.

Prior to the HITECH Act revisions enacted on February 17, 2009, civil penalties for HIPAA violations were $100 for each violation or $25,000 for all violations of the same provision in a calendar year period.[16] Under the HITECH Act, penalties are substantially increased and have been divided into four tiers, with a maximum penalty of $1.5 million for all violations of an identical provision in a calendar year. The tiered penalties now range as follows, for each violation:

• $100 – $50,000 if the Covered Entity *did not know* and, by exercising reasonable diligence, would not have known, that it violated such provision.

• $1,000 – $50,000 if the violation was due to *reasonable cause* and not to willful neglect.

• $10,000 – $50,000 if the violation was due to *willful neglect* and was corrected as required.[17]

• $50,000 or more if the violation was due to *willful neglect* and was *not* corrected as required.

According to the OCR Director Georgina Verdugo, “The Department’s implementation of these HITECH Act enforcement provisions will strengthen the HIPAA protections and rights related to an individual’s health information…. This strengthened penalty scheme will encourage health care providers, health plans and other health care entities required to comply with HIPAA to ensure that their compliance programs are effectively designed to prevent, detect and quickly correct violations of the HIPAA rules.”[18]

[13] See Department of Health and Human Services, Office of the Secretary, “Office for Civil Rights; Delegation of Authority,” Federal Register, v.74, n.148, August 4, 2009, p. 38630, which is available online at www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/srdelegation.pdf.
[14] See Department of Health and Human Services, Office of the Secretary, “45 CFR Part 160—HIPAA Administrative Simplification: Enforcement; Interim Final Rule,” Federal Register, v.74, n.209, October 30, 2009, pp. 56123–56131, which is available online at www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enfifr.pdf.
[15] Press release, “HHS Strengthens HIPAA Enforcement,” October 30, 2009, which is available online at http://www.hhs.gov/news/press/2009pres/10/20091030a.html.
[16] See 74 Federal Register 56131: 45 CFR 160.404(b)(1).

8. Securing Electronic Protected Health Information

On August 24, 2009, the Secretary of Health and Human Services published in the Federal Register the Interim Final Rule: Breach Notification for Unsecured Protected Health Information.[19] Contained within this document is the very important Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals,[20] which instructs your dental practice—and your hardware and software vendors—how to secure your practice’s protected health information in your database, in transmission, or in disposal. The Guidance is reproduced below. HHS may update or change the Guidance on an annual basis beginning in April 2010.

“Guidance” Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.

Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals if one or more of the following applies:

a. Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key”[21] and such confidential process or key that might enable decryption has not been breached. To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. The encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.

   i. Valid encryption processes for data at rest [your practice’s database] are consistent with NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.[22][23]

   ii. Valid encryption processes for data in motion [your practice’s electronic transmissions] are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.[24]

b. The media on which the PHI is stored or recorded have been destroyed in one of the following ways:

   i. Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. Redaction is specifically excluded as a means of data destruction.

   ii. Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization,[25] such that the PHI cannot be retrieved.”

We recommend that you encrypt your electronic protected health information in your database and in transmissions so that it is “secure” as defined in the Guidance. We also recommend that you follow the protected health information disposal requirements outlined in the Guidance. Be alert to any changes in the provisions of the Guidance.

[17] “For a violation in which it is established that the violation was due to willful neglect and was corrected during the 30-day period beginning on the first date the covered entity liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred.” 74 Federal Register 56131: 45 CFR 160.404(b)(2)(iii).
[18] Press release, “HHS Strengthens HIPAA Enforcement,” October 30, 2009, which is available online at http://www.hhs.gov/news/press/2009pres/10/20091030a.html.
[19] Department of Health and Human Services, Office of the Secretary, “45 CFR Parts 160 and 164: Breach Notification for Unsecured Protected Health Information,” Federal Register, v.74, n.162, August 24, 2009, pp. 42739–42770, which is available online at http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf.

9. Business Associates Must Comply with the HIPAA Security Rule

Effective February 17, 2010, your dental practice’s Business Associates must comply with the HIPAA Security Rule. As a Covered Entity, your practice is not required to enforce a Business Associate’s compliance with the Security Rule. Rather, as stated in 45 CFR 164.308(b)(1), your dental practice, as a Covered Entity, in accordance with the General Rules Section of the HIPAA Security standards,[26] “may permit a Business Associate to create, receive, maintain, or transmit electronic protected health information” on your behalf only if you obtain *satisfactory assurances*, in accordance with the HIPAA Security standard for Business Associate Agreements (or “other arrangements” as defined in the Organizational Requirements Section of the HIPAA Security standards),[27] “that the Business Associate will appropriately safeguard the information.”

It is expected that the Department of Health and Human Services will issue in the near future additional guidelines for Business Associate Agreements to reflect enhanced compliance by Business Associates with electronic protected health information safeguards required by the HIPAA Security Rule. In the meantime, your dental practice may find it prudent to inform your Business Associates that they must comply with the HIPAA Security Rule beginning on February 17, 2010, and that they are subject to the significantly higher civil penalties for non-compliance.

[21] 45 CFR 164.304, definition of “encryption.”
[22] NIST Roadmap plans include the development of security guidelines for enterprise-level storage devices, and such guidelines will be considered in updates to this guidance, when available.
[23] Available at http://www.csrc.nist.gov.
[24] Available at http://www.csrc.nist.gov.
[25] Available at http://www.csrc.nist.gov.
[26] 45 CFR 164.306.

10. Is Certification a Substitute for Compliance?

HIPAA requires compliance by the dental practices and individuals to which it applies. It does not require that dental practices or their workforce members obtain *certification* of their compliance from an external source. Compliance is an ongoing effort, whereas certification generally is considered a snapshot in a moment of time. The Merriam-Webster’s Collegiate Dictionary (11th ed.) defines certification as the act or state of “attest[ing] as being true or as represented or as meeting a standard.”

The comment in the preamble of the January 16, 2009, Final Rule pertaining to HIPAA Electronic Transaction Standards states that “HHS does not recognize certification of any systems or software for purposes of HIPAA compliance.”[28] Although this comment refers to “administrative transactions,” it may be instructive in the context of training as well. HIPAA requires your dental practice as a Covered Entity to undertake a number of tasks; for example, you must conduct and periodically review your risk assessment, implement and modify, as necessary, policies and procedures to safeguard protected health information, conduct “awareness” training for all workforce members based on those policies and procedures, update that training if policies and procedures change or HIPAA privacy and security regulations are initiated or modified, and document those activities. Obtaining training certification is not a requirement for HIPAA compliance.

HIPAA training is an ongoing process that your practice must undertake to safeguard protected health information from unauthorized use or disclosure as business policies and procedures evolve and regulatory standards are initiated or modified. Training requires that workforce members, including management, demonstrate awareness and understanding on an ongoing basis (not just once in order to obtain certification), and that Covered Entities and Business Associates document that their workforce members have been trained and document continuing training as it occurs. As examples, the first implementation specification of the Security Rule “Security Awareness and Training” standard is “Security reminders (addressable). Periodic security updates.”[29] One part of the implementation specification for the Privacy Rule Training standard states that a “covered entity must provide training … [t]o each member of covered entity’s workforce whose functions are affected by a material change in the policies or procedures required by [the HIPAA Privacy Rule or the Breach Notification Rule], within a reasonable period of time after the material change becomes effective…”[30] Another part requires that a new workforce member receive training “within a reasonable period of time after the person joins the covered entity’s workforce.” These examples indicate that training must be *dynamic* and ongoing. HIPAA training certification is not required, and the HIPAA training requirements would not be satisfied by a single training episode, whether or not it resulted in certification.

[27] 45 CFR 164.314.
[28] 74 Federal Register 3310. Do not confuse HIPAA training certification with the “certification” of electronic health records (EHRs) for purposes of HITECH Act reimbursement incentives for Covered Entities that adopt EHRs.
[29] 45 CFR 164.308(a)(5)(ii)(A).

11. Build Your Dental Practice Disaster Recovery Plan

The HIPAA Administrative Safeguard Standard “Contingency Plan” requires each Covered Entity[31] to build a disaster recovery plan under the Standard’s second implementation specification,[32] which is required, not addressable.

The “disaster recovery plan” implementation specification requires Covered Entities (and, under the HITECH Act, their Business Associates) to “establish (and implement as needed) procedures to restore any loss of data [e.g., electronic protected health information].” The content and procedures of your dental practice’s disaster recovery plan will depend on your practice’s risk analysis: specifically, your disaster recovery plan will focus on the potential threats and vulnerabilities that you determine, during your risk analysis, that your practice might experience in a disaster. Has your Security Official assigned a practice team to respond if there is a disaster, and do members of the team know what to do should a disaster trigger required action? Has your practice simulated a disaster to test readiness should a disaster occur?

Your dental practice, and in particular your Security Official, should prepare a comprehensive, usable, and effective disaster recovery plan, which will take time and which will involve the entire workforce. Your dental practice’s loss of electricity for a sustained period of time should be considered a disaster, affecting both your dentistry tools and your electronic protected health information. How would your practice deal with such a disaster, and how long would it take for your practice to recover?

“The final [Security] rule calls for covered entities to consider how natural disasters could damage systems that contain electronic protected health information and develop policies and procedures for responding to such situations. We [HHS] consider this to be a reasonable precautionary step to take since in many cases the risk would be deemed to be low.”[33] Even though the probability of occurrence may be low, your dental practice should consider potential losses that could result from any vulnerability or threat in a worst-case scenario.

[30] 45 CFR 164.530(b)(2)(c).
[31] Business Associates also are required to comply with the HIPAA Security Rule standards beginning February 17, 2010, under the HITECH Act provisions of the American Recovery and Reinvestment Act of 2009 (ARRA).
[32] 45 CFR 164.308(a)(7)(ii)(B).
[33] 68 Federal Register 8351.

12. Breach Notification Rule Enforcement

On February 22, 2010, the federal government began enforcing the HITECH Act Breach Notification Rule for breaches discovered on or after that date. The Breach Notification Rule requirements were published in the Federal Register on August 24, 2009[34] and became effective September 23, 2009, although HHS will not impose sanctions for breaches discovered prior to February 22, 2010.[35] If your dental practice has implemented the Guidance, then your practice has “secured” certain protected health information. Notification is only required if “unsecured” protected health information is breached.

What is a “breach” in the Interim Final Rule? Generally, a breach means the acquisition, access, use, or disclosure of protected health information in a manner that is not permitted under the HIPAA Privacy Rule and that poses a significant risk of financial, reputational, or other harm to the individual.

Information that does not include any of the eighteen HIPAA “identifiers”[36] is not considered “protected health information” (unless the Covered Entity has actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information); unauthorized use or disclosure of information that is not protected health information does not constitute a “breach.” Information in a “limited data set” that excludes the HIPAA “direct identifiers,”[37] date of birth, and zip code does not constitute a breach.[38]

The definition of “breach”[39] is reproduced below. Note the three exclusions, with emphasis added in bold:

“*Breach* means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.

1.
   i. For purposes of this definition, *compromises the security or privacy of the protected health information* means poses a significant risk of financial, reputational, or other harm to the individual.
   ii. A use or disclosure of protected health information that does not include the identifiers listed at § 164.514(e)(2), date of birth, and zip code does not compromise the security or privacy of the protected health information.

2. Breach excludes:
   i. Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a Covered Entity or a Business Associate, if such acquisition, access, or use was made in *good faith and within the scope of authority* and does not result in further use or *disclosure* in a manner not permitted under subpart E of this part.
   ii. Any *inadvertent disclosure* by a person who is authorized to access protected health information at a Covered Entity or Business Associate to another person authorized to access protected health information at the same Covered Entity or Business Associate, or organized health care arrangement in which the Covered Entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under subpart E of this part.
   iii. A disclosure of protected health information where a Covered Entity or Business Associate has a good faith belief that an unauthorized person to whom the disclosure was made *would not reasonably have been able to retain* such information.”

What do these three exclusions in the definition of Breach mean? Here are examples:

• Exclusion i (Acting in Good Faith). Someone that your dental practice employs or contracts with was acting in good faith and accidentally accessed protected health information. This person does not further use or disclose such information in a way that would violate the HIPAA Privacy Rule.

• Exclusion ii (Inadvertent Disclosure). A workforce member in your dental practice who is authorized to access certain protected health information inadvertently leaves an open dental patient file on a desk in a limited access area of the practice, where it is seen by another workforce member who is authorized to access certain other protected health information. The patient file and the protected health information in the file are not used or further disclosed in a way that would violate the HIPAA Privacy Rule.

• Exclusion iii (No Retention). One of your dental practice workforce members brings

[34] 74 Federal Register 42739–42770.
[35] 74 Federal Register 42756–42757.
[36] 45 CFR 164.514(b)(2)(i). For more information about protected health information and the HIPAA Identifiers.
[37] 45 CFR 164.514(e)(2).
[38] 45 CFR 164.402.
[39] 45 CFR 164.402. The definition of Breach also appears in the Definitions of Key Terms in Appendix 1-1.