The United States Department of Health and Human Services considers dental laboratories to be health care providers, and as such they are expected to comply with federal and state guidelines and standards regarding the privacy and security of protected health information.
Decadent’s owner is responsible for overseeing that the organization’s privacy and security procedures are implemented and followed in compliance with the standards and specifications set forth in the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
Decadent electronically and physically creates, receives, maintains, transports, and transmits only the protected health information necessary for use in the manufacture and delivery of dental prosthetics, appliances, and any other device for use in the dental treatment plan. We do not receive patients’ telephone numbers, addresses, birth dates, social security numbers, relatives, employers, household members, etc. Decadent may share protected health information with covered entities strictly for treatment purposes only. These communications may occur orally, in writing, by phone, e-mail, or otherwise.
Information is secured and maintained by physical, administrative, and technical safeguards which are monitored and kept up to date to meet the guidelines and specifications set forth within the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
Physical safeguards for materials containing the organization’s PHI consist of access control to the facility itself. The business is the leaseholder of the property, and its owner is the only person permitted access to the facility apart from the property owner and building management in the event of inspections, maintenance, and emergencies.
Protected Health Information (PHI) and Personally Identifiable Information (PII) are readily visible within the facility. The organization determined it to be impractical to operate as a dental laboratory without readily visible information such as patient names and treatment information. As a medical device manufacturer, de-identifying readily visible PHI/PII is impractical, and in some instances a manufacturer is required by law to temporarily or permanently display PII on medical devices or medical device packaging.
Safeguards for electronic information: data is stored locally on Network Attached Storage (NAS) in a redundant array of independent disks (RAID) with bit-rot protection and copy-on-write (COW) protection, and block-based snapshots are recorded daily as the first level of data loss prevention (DLP).
Data is guarded from the public network and unauthorized access by a hardware firewall utilizing SPI filtering, IP/MAC filtering, a perimeter network (DMZ), and anon & IDENT port filtering, and is secured with AES-256-bit encryption at rest and in transit within the local network.
Data is encrypted and transmitted to various cloud services acting as business associates of Decadent Laboratories, Inc. under a business associate agreement (BAA), in compliance with HIPAA guidelines. These clouds serve as further data loss prevention resources and provide an infrastructure intended to increase the quality, safety, and speed of patient care.
Data and/or data changes on the NAS are transmitted once daily to Amazon Simple Storage Service (AWS S3) with SMB3 transport encryption, where they are stored using AES-256-bit encryption in a write once, read many (WORM) configuration with data versioning. Every 30 days, data and/or data changes only are transferred from AWS S3 to an AWS S3 Glacier vault. Data versions, old and new, are stored indefinitely and protected from deletion even by the account administrator. Unauthorized access is guarded by private keys/certificates, 2FA/MFA, password policies, and device access restrictions/monitoring. This cloud serves as the archive for Decadent's invaluable PHI.
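The archive described above combines four S3 settings that are easy to get subtly wrong: versioning must be Enabled (not Suspended), Object Lock must use COMPLIANCE rather than GOVERNANCE mode (GOVERNANCE can be bypassed by a principal holding s3:BypassGovernanceRetention, so it does not keep an administrator from deleting versions), an enabled lifecycle rule must move objects to an archive storage class on the 30-day schedule, and default server-side encryption must be set. The following audit function is an added example, not Decadent's tooling or an AWS-provided check; it assumes the Glacier step is implemented as a lifecycle transition to the GLACIER storage class, and the two bucket configurations are constructed samples that mirror the shapes the S3 API returns, so nothing here talks to AWS.

```python
"""Audit an S3 bucket configuration against a WORM-archive policy.

Constructed example: the dicts below imitate the responses of
get_bucket_versioning, get_object_lock_configuration,
get_bucket_lifecycle_configuration and get_bucket_encryption,
but are hard-coded so the check runs offline.
"""

# Storage classes that count as "archived" for the lifecycle check.
ARCHIVE_CLASSES = {"GLACIER", "GLACIER_IR", "DEEP_ARCHIVE"}

# Constructed sample: a bucket that matches the policy.
GOOD_BUCKET = {
    "Versioning": {"Status": "Enabled"},
    "ObjectLock": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 10}},
    },
    "Lifecycle": {"Rules": [{
        "ID": "archive-after-30-days", "Status": "Enabled", "Filter": {},
        "Transitions": [{"Days": 30, "StorageClass": "GLACIER"}],
    }]},
    "Encryption": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"},
    }]},
}

# Constructed sample: the same bucket with four common mistakes.
BAD_BUCKET = {
    "Versioning": {"Status": "Suspended"},        # prior versions no longer kept
    "ObjectLock": {                               # GOVERNANCE can be bypassed
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}},
    },
    "Lifecycle": {"Rules": [{                     # rule exists but is disabled
        "ID": "archive-after-30-days", "Status": "Disabled", "Filter": {},
        "Transitions": [{"Days": 30, "StorageClass": "GLACIER"}],
    }]},
    "Encryption": {},                             # no default SSE at all
}


def audit_archive_bucket(cfg, transition_days=30):
    """Return a list of findings; an empty list means the bucket matches the policy."""
    findings = []

    # 1. Versioning: Object Lock requires it, and it is what preserves old versions.
    if cfg.get("Versioning", {}).get("Status") != "Enabled":
        findings.append("versioning is not Enabled: overwrites and deletes leave no prior version")

    # 2. Object Lock: only COMPLIANCE mode resists deletion by every principal, root included.
    lock = cfg.get("ObjectLock", {})
    mode = lock.get("Rule", {}).get("DefaultRetention", {}).get("Mode")
    if lock.get("ObjectLockEnabled") != "Enabled" or mode is None:
        findings.append("Object Lock is not enabled with a default retention rule")
    elif mode != "COMPLIANCE":
        findings.append("retention mode is GOVERNANCE: s3:BypassGovernanceRetention "
                        "still allows deletion; use COMPLIANCE for a true WORM archive")

    # 3. Lifecycle: an *enabled* rule must transition to an archive class on schedule.
    archived = any(
        rule.get("Status") == "Enabled"
        and any(t.get("StorageClass") in ARCHIVE_CLASSES
                and t.get("Days", float("inf")) <= transition_days
                for t in rule.get("Transitions", []))
        for rule in cfg.get("Lifecycle", {}).get("Rules", [])
    )
    if not archived:
        findings.append(f"no enabled lifecycle rule moves objects to an archive "
                        f"storage class within {transition_days} days")

    # 4. Default encryption at rest (SSE-S3 AES256 or SSE-KMS).
    algorithms = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                  for r in cfg.get("Encryption", {}).get("Rules", [])]
    if not any(a in ("AES256", "aws:kms") for a in algorithms):
        findings.append("no default server-side encryption (AES256 or aws:kms) configured")

    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_BUCKET), ("bad", BAD_BUCKET)):
        print(name, audit_archive_bucket(cfg) or "OK")
```

In a real deployment the four dicts would be filled from the corresponding S3 API calls and the function run on a schedule; a non-empty result is the signal that the archive no longer provides the deletion resistance the policy promises.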
Data and/or data changes on the NAS are transmitted every 60 seconds to Dropbox Business Standard cloud services with enforced AES-256-bit encryption for files at rest and SSL/TLS AES-256-bit encryption for data in transit, in a bidirectional configuration. Data versions are stored for 180 days. Unauthorized access is guarded by private keys/certificates, 2FA/MFA, password policies, and device access restrictions/monitoring. This cloud serves as a remote access point for authorized users to reach Decadent’s PHI.
E-mail is transmitted using Decadent’s private business domain hosted by G Suite. Decadent's electronic mail is transferred using enforced SSL/TLS AES-256-bit encryption. Additional safeguards and protocols such as MTA-STS, DKIM, multiple SPF TXT records, and enforced 2FA/MFA are in place to restrict unauthorized access and guard against e-mail spoofing. In addition, all electronic mail is routed to a catch-all secure server for archiving and monitoring purposes.
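The SPF, DKIM and MTA-STS controls mentioned above each live in DNS (plus, for MTA-STS, a policy file served at https://mta-sts.<domain>/.well-known/mta-sts.txt), and each has a failure mode that silently weakens the protection: RFC 7208 section 3.2 permits exactly one v=spf1 record per domain (several include: mechanisms inside that one record are fine, but two separate records produce a permerror and the policy is ignored), a DKIM selector record needs a non-empty p= key, and an MTA-STS policy in "testing" mode only reports TLS failures instead of refusing delivery. The checker below is an added example, not Decadent's code or a Google-provided tool; the domain, selector, records and policy files are constructed samples held in a dict instead of being looked up, so it runs offline.

```python
"""Audit a mail domain's SPF, DKIM and MTA-STS publication.

Constructed example: DNS answers are taken from an in-memory dict and the
MTA-STS policy text is a string, standing in for real TXT lookups and the
HTTPS fetch of /.well-known/mta-sts.txt.
"""
import re

# Constructed records for a hypothetical domain (not Decadent's real DNS).
GOOD_DNS = {
    "example.org": ["v=spf1 include:_spf.google.com -all"],
    "google._domainkey.example.org": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],
    "_mta-sts.example.org": ["v=STSv1; id=20240101T000000Z"],
}
GOOD_POLICY = ("version: STSv1\nmode: enforce\n"
               "mx: aspmx.l.google.com\nmx: *.googlemail.com\nmax_age: 604800\n")

# Constructed misconfigured set: two SPF records, empty DKIM key,
# MTA-STS TXT without an id tag, policy still in testing mode.
BAD_DNS = {
    "example.org": ["v=spf1 include:_spf.google.com ~all",
                    "v=spf1 ip4:203.0.113.10 -all"],
    "google._domainkey.example.org": ["v=DKIM1; k=rsa; p="],
    "_mta-sts.example.org": ["v=STSv1"],
}
BAD_POLICY = "version: STSv1\nmode: testing\nmx: aspmx.l.google.com\nmax_age: 86400\n"

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a$|a:|mx$|mx:|ptr|exists:|redirect=)")


def check_spf(txt_records):
    findings = []
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"SPF: expected exactly one v=spf1 record, found {len(spf)} "
                        "(RFC 7208 s3.2: more than one is a permerror and SPF is ignored)")
        return findings
    terms = spf[0].split()
    if terms[-1] not in ("-all", "~all"):
        findings.append("SPF: record should end with -all (or ~all); "
                        "'+all' or a missing 'all' authorizes any sender")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def check_dkim(txt_records):
    for r in txt_records:
        tags = dict(kv.strip().split("=", 1) for kv in r.split(";") if "=" in kv)
        if tags.get("v") == "DKIM1" and tags.get("p"):
            return []
    return ["DKIM: no v=DKIM1 record with a non-empty public key (p=) at the selector"]


def check_mta_sts(txt_records, policy_text):
    findings = []
    sts = [r for r in txt_records if r.startswith("v=STSv1")]
    if len(sts) != 1 or "id=" not in sts[0]:
        findings.append("MTA-STS: _mta-sts TXT must be a single v=STSv1 record with an id= tag")
    policy = {}
    for line in policy_text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            policy.setdefault(key.strip(), []).append(value.strip())
    if policy.get("version") != ["STSv1"]:
        findings.append("MTA-STS: policy must declare 'version: STSv1'")
    if policy.get("mode") != ["enforce"]:
        findings.append(f"MTA-STS: mode is {policy.get('mode')}; only 'enforce' "
                        "makes senders refuse delivery on TLS failure")
    if not policy.get("mx"):
        findings.append("MTA-STS: policy lists no mx hosts")
    if not any(v.isdigit() for v in policy.get("max_age", [])):
        findings.append("MTA-STS: max_age must be an integer number of seconds")
    return findings


def audit_mail_domain(domain, dns, policy_text, dkim_selector="google"):
    """Return all findings for the domain; an empty list means all three checks pass."""
    findings = []
    findings += check_spf(dns.get(domain, []))
    findings += check_dkim(dns.get(f"{dkim_selector}._domainkey.{domain}", []))
    findings += check_mta_sts(dns.get(f"_mta-sts.{domain}", []), policy_text)
    return findings


if __name__ == "__main__":
    print("good:", audit_mail_domain("example.org", GOOD_DNS, GOOD_POLICY) or "OK")
    print("bad: ", audit_mail_domain("example.org", BAD_DNS, BAD_POLICY))
```

To use it against a live domain, replace the dict lookups with TXT queries and the policy string with the body of the HTTPS policy file; the findings are phrased so they can be dropped straight into a periodic monitoring report.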
Decadent believes that the privacy of the dentist should also be protected. Our relationship is our most prized asset. All information related to your practice and/or organization is held completely confidential. We treat it the same way we treat patient-doctor confidentiality. Our client list is completely confidential. We do not share it outside of our organization without your express permission.
In summary, we do not share any information concerning your practice or patients without your permission, and the invaluable patient data you share with us is undoubtedly secure from loss, damage, and/or unauthorized access. Apart from the aforementioned high standards in data management and the accompanying technical information, Decadent holds itself to a high standard in regard to morals, ethics, etiquette, justice, and sincerity when it comes to its relationships with friends, family, colleagues, clients, and partners. If you can trust anyone, you can trust us.
Decadent Laboratories, Inc. Owner,
If you have any questions or comments related to our information safeguards, or if you would like to know more about how you can implement the best practices in your organization, please contact us at firstname.lastname@example.org.