
HIPAA Compliance


How can I set up my website so visitors can email me securely (and be HIPAA compliant)?

If you want visitors to your website to be able to email you securely, you will need either to link to the SecureSend portal or to use a SecureForm. Otherwise, any email they send you will not be encrypted unless they encrypt it themselves.

Where can I find the exact federal HIPAA HITECH legislation?

The HITECH legislation is Title XIII of the 2009 American Recovery and Reinvestment Act, and can be found beginning on page 112 of the official document at: http://www.gpo.gov/fdsys/pkg/BILLS-111hr1enr/pdf/BILLS-111hr1enr.pdf

Where is it officially stated that I must use encryption for my emails to be HIPAA compliant?

The Security Rule of the original HIPAA legislation permits Covered Entities to use email as a way to electronically transmit protected health information (PHI) and requires that steps be taken to protect those transmissions. The requirements are detailed in the Technical Safeguards of the HIPAA Security Rule, section 164.312, which may be accessed in plain text or in a PDF document.

Who or what agency certifies that LuxSci's HIPAA compliant services truly meet HIPAA compliance standards?

Currently there is no organization that certifies any other organization as HIPAA compliant. Covered Entities can be audited by the Department of Health and Human Services at any time and face steep fines and/or other negative consequences for data breaches or other HIPAA violations. LuxSci designates your account as HIPAA compliant in the sense that we consider ourselves a HIPAA Business Associate of your organization, and that we have configured and locked down your organization's use of our services to comply with our HIPAA Security Restrictions, all of which meet or exceed the Technical Safeguards of the HIPAA Security Rule. LuxSci does not certify HIPAA compliance of services whose usage is largely in the organization's purview, such as web hosting; however, we provide strong recommendations and an infrastructure that allows your organization to use these services in a HIPAA compliant manner.

Does LuxSci offer HIPAA compliant faxing or electronic faxing services?

No, LuxSci does not currently offer these services. Companies such as eFax offer secure faxing services, though unless they specify HIPAA compliance, how do you know whether your faxes are HIPAA compliant? LuxSci's SecureLine end-to-end email encryption service is an effective alternative to secure faxing, as it enables you to easily send file attachments to any email address.

What is the definition of ePHI (electronic protected health information)?

The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."

"Individually identifiable health information" is information, including demographic data, that relates to:

- the individual's past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.

[source: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html]

Does HIPAA require that I have a dedicated server?

No, there is no explicit requirement. In fact, the HIPAA law is 'technology neutral': it makes no specific requirements for the implementation of technical security, e.g. the level of encryption (128 bits or 256 bits), the encryption type (RSA, AES, etc.), the level of auditing, etc. The security restrictions we enforce ensure that your shared hosting account meets the Technical Safeguards of the HIPAA Security Rule. LuxSci's Premium Dedicated Servers offer a solution for clients interested in a dedicated hosting environment for their HIPAA compliant requirements.

Are LuxSci's HIPAA compliant services NHIN (Nationwide Health Information Network) Direct Project compliant?

Our current HIPAA compliant accounts offer many of the security items described as requirements for Health Information Service Providers (HISPs) in the 'Consensus Proposal' and 'Security and Trust Consensus Proposal' documents. At this time LuxSci has no plans to implement the full complement of security protocols and specifications laid out by the NHIN Direct Project guidelines.

The Direct Project discusses the use of public certificate repositories such as ICAM (http://www.idmanagement.gov/), but we currently do not support integration with this type of centralized certificate database, and we do not intend to provide that service anytime soon. Additionally, we do not currently support the use of DNS CERT records to perform recipient certificate fetching. Lastly, we may or may not be able to support the transmission of health-industry-specific formats such as HL7, CDA, and CCR, but we do not intend at this time to make software changes to ensure support for these formats specifically.
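The Direct Project's recipient certificate fetching mentioned above relies on DNS CERT records (RFC 4398): a HISP looks up the recipient's address or domain, receives CERT RDATA, and only trusts payloads of the PKIX type, which carry a DER-encoded X.509 certificate. The following is an added example written for this page, not LuxSci's code, showing how such a record is decoded in both wire and zone-file form and how a non-PKIX payload is rejected. The certificate bytes, key tag and algorithm number are constructed sample values, not data from any real zone; the DER plausibility check is a deliberately minimal stand-in for full X.509 validation.

```python
import base64
import struct

# RFC 4398 section 2.1 certificate type codes. The Direct Project
# publishes X.509 certificates as type 1 (PKIX, DER-encoded).
CERT_TYPES = {
    1: "PKIX", 2: "SPKI", 3: "PGP", 4: "IPKIX", 5: "ISPKI",
    6: "IPGP", 7: "ACPKIX", 8: "IACPKIX", 253: "URI", 254: "OID",
}
CERT_TYPE_BY_NAME = {name: code for code, name in CERT_TYPES.items()}


def parse_cert_rdata(rdata: bytes) -> dict:
    """Decode CERT RDATA: type (2 bytes) | key tag (2) | algorithm (1) | certificate."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA too short for its fixed header")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return {
        "type": cert_type,
        "type_name": CERT_TYPES.get(cert_type, "UNKNOWN"),
        "key_tag": key_tag,
        "algorithm": algorithm,  # DNSSEC algorithm number; 0 means none
        "certificate": rdata[5:],
    }


def parse_cert_presentation(text: str) -> dict:
    """Parse the zone-file form '<type> <key tag> <algorithm> <base64 certificate>'.

    The type may be numeric or mnemonic (e.g. PKIX); the base64 payload may be
    split across several whitespace-separated fields, as zone files allow.
    """
    fields = text.split()
    if len(fields) < 4:
        raise ValueError("expected: type keytag algorithm base64-certificate")
    type_field = fields[0]
    cert_type = int(type_field) if type_field.isdigit() else CERT_TYPE_BY_NAME[type_field]
    key_tag = int(fields[1])
    algorithm = int(fields[2])
    certificate = base64.b64decode("".join(fields[3:]))
    rdata = struct.pack("!HHB", cert_type, key_tag, algorithm) + certificate
    return parse_cert_rdata(rdata)


def usable_pkix_certificate(record: dict) -> bool:
    """Accept only PKIX payloads whose first byte is a DER SEQUENCE tag (0x30).

    A real HISP would then parse and chain-validate the X.509 certificate; this
    check only rejects wrong record types and obviously non-DER payloads.
    """
    cert = record["certificate"]
    return record["type"] == 1 and len(cert) >= 2 and cert[0] == 0x30


# Constructed sample data: a tiny DER SEQUENCE standing in for a certificate,
# an arbitrary key tag, and algorithm 8 (RSA/SHA-256 in DNSSEC numbering).
SAMPLE_CERT = bytes.fromhex("3003020105")
SAMPLE_RDATA = struct.pack("!HHB", 1, 12345, 8) + SAMPLE_CERT
SAMPLE_PRESENTATION = "PKIX 12345 8 " + base64.b64encode(SAMPLE_CERT).decode()

# A URI-type record (253) pointing elsewhere: must not be treated as a certificate.
URI_RDATA = struct.pack("!HHB", 253, 0, 0) + b"https://example.invalid/cert"


def demo() -> dict:
    """Decode the constructed records and report which one a HISP could use."""
    wire = parse_cert_rdata(SAMPLE_RDATA)
    zone = parse_cert_presentation(SAMPLE_PRESENTATION)
    uri = parse_cert_rdata(URI_RDATA)
    return {
        "wire_usable": usable_pkix_certificate(wire),
        "zone_matches_wire": zone == wire,
        "uri_usable": usable_pkix_certificate(uri),
    }


if __name__ == "__main__":
    print(demo())
```

The same header layout is what a resolver hands back for any CERT record, so the parser is reusable beyond the Direct Project; the policy decision (trust only PKIX, then validate the chain) is the part a HISP must add.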

Key security requirements of the Direct Project that LuxSci's HIPAA compliant accounts meet include:

* Forced use of S/MIME certificates for all outbound email for encryption and digital signing
* Forced use of TLS encrypted transmission for inbound and outbound email (requires a dedicated proxy server)
* Forced use of TLS encrypted transmission for POP, IMAP, and SMTP connections from email clients (e.g., Outlook)
* Forced authentication for POP, IMAP, and SMTP services
* Detailed auditing of sent messages
