HIPAA at Allen Aesthetics
See United States Regulatory Information.
Below is a summary of how Allen Aesthetics addresses HIPAA guidelines and standards.
Allen Aesthetics follows HIPAA guidelines and standards for security and privacy, implementing physical and electronic safeguards, including encryption. Open Dental software is a tool to help you become HIPAA compliant. It is up to you to make sure your practice is secure. See HIPAA and Your Practice.
Allen Aesthetics follows the NIST SP800-30 rev.1 protocol for risk assessments. This is the current, required protocol for analyzing potential PHI security risks. Following this protocol, we evaluate each risk’s likelihood and impact, and implement security measures to address them. Allen Aesthetics actively reviews and edits a remediation checklist to document vulnerabilities and track the resolutions.
Our HIPAA procedures and policies are up to date and available
Allen Aesthetics requires all employees to be certified on our policies and procedures. Our documentation addresses and enforces the requirements of the HIPAA Privacy and Security Rules and the HITECH Act.
Employees are actively trained to properly handle PHI
Allen Aesthetics has an effective training program that is regularly updated to ensure all employees are properly trained in the HIPAA Privacy and Security Rules. Training is tracked internally. Allen Aesthetics regularly audits all employees with access to PHI to ensure that data is properly handled, including but not limited to an annual audit plan. In the event of a disaster, Allen Aesthetics is prepared to implement contingency operations and facility security plans.
Allen Aesthetics and PHI
In the process of providing customer support, Open Dental employees may be exposed to PHI, including but not limited to customer databases collected for debugging, troubleshooting or conversions; screenshots showing patient information; X12 files (insurance batch files); and EOBs. All instances of data transit used for customer support are HIPAA-compliant and encrypted. We do not use email for data transit because it is not HIPAA-compliant, even if using SSL. Email is not encrypted from the email server to the recipient. If data is stored for any reason it is encrypted.
Business Associate Agreements
Allen Aesthetics provides a standard Business Associate Agreement. This agreement is for our customers whose PHI we may come in contact with. See HIPAA and Your Practice.
Common Questions Asked About Allen Aesthetics’ HIPAA Policies
Are your HIPAA policies and procedures up to date, effective and available?
Yes. Our policies and procedures are updated regularly and available for all employees.
Is your HIPAA training effective and up to date?
Yes. All employees are certified through an ongoing training program.
Has a risk assessment been conducted? If so, how often does Allen Aesthetics perform internal Risk Assessments?
Yes. We perform one at least every 18 months, usually about once a year. The most recent date is shown above.
Did Allen Aesthetics’ latest risk assessment identify any vulnerabilities that would subject our office to risk of a data breach?
No. Any vulnerabilities detected during our risk assessments are immediately addressed. To date, nothing that could put an office at risk has been detected.
Do you have an ongoing auditing and monitoring program for HIPAA Privacy and Security?
Yes. Workstations with access to PHI are regularly audited.
Does Allen Aesthetics have a policy in place for employees who fail to comply with HIPAA security policies and procedures?
Yes. Disciplinary action is taken against staff who do not comply with the privacy policies and procedures established to protect protected health information.
As part of my HIPAA diligence, I need to know if Allen Aesthetics is covered by insurance if there is a HIPAA breach. Does Allen Aesthetics have Cyber Liability insurance?
Yes.
Have you conducted due diligence on your business associates?
Yes. Allen Aesthetics very rarely shares PHI with any third party, and never shares it as structured data, so we do not normally have to conduct due diligence with respect to PHI and HIPAA. The two current exceptions are:
Screen sharing software that captures an encrypted video stream which could contain PHI
Electronic prescribing (not legacy)
We have conducted due diligence for these two third parties and have Business Associate Agreements on file with them.
Has Allen Aesthetics adopted a formal approach to information security supported by one or more information security policies?
Yes. Allen Aesthetics has multiple internal security policies, which all employees must be trained on.
Has Allen Aesthetics been subject to any investigations relative to a breach of privacy that resulted in penalties?
No.
Is Allen Aesthetics aware of any incident involving a potential or actual breach of patient privacy under HIPAA regarding protected health information?
If such incidents occur, the customer is immediately notified within 72 hours per policy. If you have not been notified, then this has not happened.
Is Allen Aesthetics aware of any incidents involving a potential or actual breach of patient data on customer systems?
We do not track customer data or how it is used with respect to their office.
Has an independent review of Allen Aesthetics’ information security efforts been conducted?
No. Third party reviews are not a HIPAA requirement.
Do Allen Aesthetics’ HIPAA Compliance Officer and Security Officer have sufficient HIPAA training?
Yes.
How does Allen Aesthetics stay up to date on security threats and technologies?
Our security team researches new threats and technologies and issues internal updates regularly.
Does Allen Aesthetics have a plan in place in case of a security breach?
Yes. All employees are trained accordingly.
Are physical controls in place to safeguard PHI?
Yes. Multiple layers of physical security exist.
Are remote connections encrypted?
Yes.
Is PHI access regulated based on employee roles?
Yes. Access is limited to what is necessary.
Do you maintain a PHI disclosure log?
No. This is not required for business associates.
Do you regularly review or update your contingency plan?
Yes. Reviewed at least annually or after significant events.
Do you perform screening procedures and background checks on new employees?
Yes.
Is PHI access revoked upon employee termination?
Yes.
Do you have policies and procedures to detect and respond to security events?
Yes.
Do you utilize antivirus software?
Yes. All systems are protected and monitored.
Do you assign unique identifiers for users?
Yes.
Do you protect PHI from unauthorized modification or destruction?
Yes.
Are passwords required for PHI systems?
Yes.
Do you allow personal devices on PHI networks?
No.
Do you send PHI outside your network?
Yes, but rarely, and only securely and with proper agreements in place.
Are there public workstations?
No.
Do you maintain an inventory of PHI devices?
Yes.
Do you require PHI removal before recycling media?
Yes.
Do you document policy changes?
Yes.
Do employees require ID for ePHI access?
Yes.
Can vendor agreements be terminated if violated?
Yes.
Are emergency access systems in place?
Yes.
Do you log facility access?
Yes.
Are job roles clearly defined for security duties?
Yes.
Do you send security reminders?
Yes.
Do systems monitor login failures?
Yes.
Is ePHI protected during emergencies?
Yes.
Additional Notes
How does Allen Aesthetics address encryption?
See Encryption of Data at Rest and in Transit.
Does Allen Aesthetics cache PHI locally?
No. PHI is not cached on local workstations, though third-party tools may temporarily create local files depending on usage.
A List of Things We Don’t Provide
Allen Aesthetics maintains documentation for internal use only. For security purposes, we do not provide:
HIPAA Compliance Officer contact details
Full employee lists
Training logs per employee
Internal signatures
Custom questionnaires at scale
Security Risk Assessment details
Remediation Plan
HIPAA Master Policy and Procedure Manual
Training Materials and Logs
Network Vulnerability Scan
Incident Response Plan
Disaster Recovery details
Risk classification methodologies
Employee termination procedures
PHI access revocation procedures
Encryption methods
Password policies
PHI disposal policies
Physical security details