Case Study: Securely Email Medical Laboratory Results to Patients

August 17th, 2021

Medical laboratories use LuxSci’s secure services to email lab test results to patients. Although medical laboratories are not always HIPAA Covered Entities themselves, they are Business Associates with hospitals and doctors who are required to abide by HIPAA. By the “transitive” nature of the HIPAA privacy laws, Business Associates must abide by HIPAA security and privacy standards, protect patient data, and ensure confidentiality.


In order to send patients their results via email, these labs must use a HIPAA-compliant system that can send email to anyone with an email address. We work with labs to securely send Covid-19 test results, cancer screening results, and many other kinds of medical test results via email.

This post describes how one large medical lab uses LuxSci’s Secure High Volume Email sending service to safely deliver lab results to thousands of people every day.

HIPAA-compliant bulk emailing of lab results

The medical lab in this example has technicians that spend their days analyzing samples and generating test results. The lab needed a service to email the results of the lab tests to patients in a batch at the end of the day.

This is a large-scale transactional email blast that required:

  1. The sending of individual messages for thousands of different recipients
  2. HIPAA-compliant security for each email message
  3. Tracking so the laboratory can tell if a user has opened his/her lab results

The laboratory was already utilizing email software that generated each individualized lab result email. LuxSci’s Secure High Volume Sending email service was needed to securely transmit the results. The lab configured their email software to:

  • Connect and authenticate to LuxSci’s outbound email server securely over TLS
  • Transmit the message to LuxSci for encryption and delivery to the patient
  • Repeat on a daily basis

LuxSci receives these messages securely from the laboratory’s email software and:

  1. Encrypts them and digitally signs the emails
  2. Stores them in a secured database using SecureLine Escrow
  3. Sends a simple notification email to each recipient informing them of the waiting lab results

Then the recipient:

  1. Receives the notice from LuxSci in his/her regular email
  2. Clicks on a link in it and is taken to a secure web page whose look and feel has been customized by the lab.
  3. Verifies his/her identity by either:
    1. Registering for free (to verify the recipient’s identity), or
    2. Entering the answer to a custom question provided by the lab (e.g. what is your lab “id number”?)
  4. Securely views the lab results

The laboratory can:

  • See who has opened which messages and when
  • Retract messages
  • Set messages to expire from the recipient’s view after a pre-determined time period (e.g. 1 day to 10 years)
  • Send messages with attachments up to 200MB in size

What kind of LuxSci account do you need to email lab results?

In order to send occasional HIPAA-compliant secure email messages to patients (e.g. on the order of tens or hundreds per day), you could use a regular LuxSci business email account with HIPAA compliance.

To send to large numbers of recipients (over 500), you need a Secure High Volume mailing account with HIPAA compliance.

Many of these customers also use LuxSci Secure Marketing to handle email marketing for these customer email lists.

Managing Recipients & Encryption

There are two ways to have your recipients verify their identities when picking up their secure messages:

  1. You can have them register with you the first time, verify access to their email, and use that password going forward, or
  2. You can have them answer a question you provide in order to gain access

The latter method is more secure if you provide a good question which is unique to each recipient. Indeed, this is the method used by the example lab results company. However, when you have tens of thousands of recipients, how do you manage this database of recipients, questions, and answers?

The answer is quite simple. When you send secure email through LuxSci, we use your LuxSci address book(s) to see if you have entries for these recipients and, if so, whether you have questions and answers (or other encryption data like PGP or S/MIME keys) for them. Keeping your address book current is not a problem; you can either:

  1. Upload a CSV of data about your recipients to your address book on demand, through our web interface, or
  2. Use our RESTful API to add/remove/update address book entries automatically from your system
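
Because the question-and-answer method is only as strong as the per-recipient answers, it is worth auditing the recipient file before it is uploaded. The following is an added example, not LuxSci code: the column names (`email`, `question`, `answer`), the minimum answer length and the sample rows are assumptions made for illustration and do not reflect LuxSci’s documented CSV layout.

```python
import csv
import io
from collections import Counter

# Column names are assumptions for this example, not LuxSci's documented layout.
REQUIRED = ("email", "question", "answer")
MIN_ANSWER_LEN = 6  # assumed local policy; tune to your own identifiers

# Constructed sample data.
SAMPLE_CSV = """email,question,answer
ana@example.com,What is your lab id number?,LAB-482913
bob@example.com,What is your lab id number?,LAB-771045
cy@example.com,What is your lab id number?,cy
dee@example.com,What is your lab id number?,LAB-482913
eve@example.com,,LAB-550231
"""

def normalize(value):
    """Trim and case-fold so comparisons ignore case and stray whitespace."""
    return (value or "").strip().casefold()

def audit_recipients(csv_text):
    """Return {email: [problems]} for rows that should not be uploaded as-is."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    answer_counts = Counter(normalize(r.get("answer")) for r in rows)
    findings = {}
    for row in rows:
        email = normalize(row.get("email"))
        answer = normalize(row.get("answer"))
        problems = [f"missing {c}" for c in REQUIRED if not normalize(row.get(c))]
        if answer:
            if len(answer) < MIN_ANSWER_LEN:
                problems.append("answer too short")
            # An answer shared by several recipients is not unique to any of them.
            if answer_counts[answer] > 1:
                problems.append("answer shared with another recipient")
            # Anyone who sees the notification address could guess this answer.
            if answer in email:
                problems.append("answer derivable from email address")
        if problems:
            findings[email] = problems
    return findings

if __name__ == "__main__":
    for email, problems in audit_recipients(SAMPLE_CSV).items():
        print(email, "->", "; ".join(problems))
```
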

Read More Testimonials On G2

To learn more about how LuxSci customers are utilizing our secure technology solutions, read our customer reviews on G2.