When health care organizations review their operations to see where electronic protected health information (ePHI) is being saved, transmitted, and viewed, a great deal of time is spent on the obvious candidates: email, chat, stored files and health records, etc.

Many overlook the fact that ePHI can be embedded in Contacts, Calendars, and Tasks.  Consider for example:

Read the rest of this post »

If your mobile device (e.g., iPad or Blackberry) is lost or stolen, then you have no control over who may gain access to:

• Viewing existing and new email messages
• All of your contacts
• Your calendar appointments
• Sending email as you
• and more…

This is pretty serious, especially for folks who are subject to regulations and compliance laws.

For example, if a Nurse, using an iPad to manage patient appointments or to communicate via email with remote doctors, were to lose that iPad and it were to be accessed by someone else, then that may become a HIPAA “breach” (an unauthorized disclosure of protected health information) and the Nurse’s organization may be subject to stiff monetary fines and bad publicity.

Read the rest of this post »

LuxSci’s HIPAA Certification Seal is an image that HIPAA accounts can place on their web sites and/or include in their email signatures to show that their email and/or web forms are HIPAA compliant.  Clicking on the LuxSci HIPAA Seal takes one to a custom LuxSci page certifying that the customer is using specific LuxSci security services for compliance reasons.

Read the rest of this post »

In February, 2010, the HITECH changes to HIPAA went into effect.  These required that the Business Associates of HIPAA covered entities also be HIPAA Compliant with respect to the Protected Health Information (PHI) they manage and transmit.  This was a big change with big ramifications … but more changes are coming.

On July 14th, 2010, the US Department of Health and Human Services (HHS) published a series of proposed changes to HIPAA in a notice in the Federal Register.  All comments on these proposed changes are due by September 13th, 2010, and the final rules will likely go into effect shortly thereafter.

With respect to electronic communications, there are several significant changes that will be happening.

Read the rest of this post »

We are often approached by customers wanting to use their blackberry mobile devices to send and receive email that may contain electronic Protected Health Information (ePHI).  Such customers, when they must abide by the HIPAA and HITECH laws governing medical privacy, must comply with a long set of regulations that covers, among other things, how ePHI may be transmitted over the Internet.

This article deals with the security of sending and receiving email on a Blackberry configured for Internet email services (i.e. it does not apply to those connecting to an Blackberry Enterprise Server and Exchange).

Read the rest of this post »

If you are in need of HIPAA-compliant email services, this video will answer many of your questions regarding how LuxSci’ secure email services apply to HIPAA and what is needed for a HIPAA-compliant account with LuxSci.

Watch Video: HIPAA-compliant email services at LuxSci

SecureForm is LuxSci’s service that makes it quick and easy to collect data, including files, from web and PDF form posts and have that data emailed to one or more recipients and/or archived in a LuxSci WebAides document storage area.  The “Secure” in SecureForm refers in part to the fact that the emailed form data can be secured using PGP or S/MIME.  This, combined with enforced use of SSL, ensures that the form data is secured from end-to-end … from submission by the end user to the receipt by the web site administrator.  This ensures HIPAA compliance and strong security for that data.

Now, SecureForm supports the option of secure delivery of form data emails to recipients using TLS instead of PGP or S/MIME.  While use of TLS only is less secure than PGP or S/MIME, it is more user friendly — there is no need for certificates or extra steps to decrypt the messages once they arrive.  TLS does provide transport encryption from LuxSci’s servers to the recipients servers and thus still provides HIPAA compliant form data delivery. 

Read the rest of this post »

LuxSci customers who require HIPAA Compliance to safeguard electronic protected health information (ePHI) that is stored in or transmitted through their accounts can now display a “HIPAA Compliance Seal” on their web sites or in their email signatures/tag lines/disclaimers.

For example, your compliance seal may look like (click on it to see an example verification page):

Read the rest of this post »

Changes to HIPAA as a result of HITECH provisions in the American Recovery and Reinvestment Act are going into effect on February 17, 2010.  These changes seriously impact the requirements on Business Associates and impose significant liability penalties on HIPAA violations.  For a discussion of these and how they relate to email and web services, see: HITECH 2010: HITECH Impact on Email and Web Outsourcing.

In response to these changes and to ensure that both LuxSci and its HIPAA customers are HIPAA-compliant:

• Old BAA Void: All Business Associate Agreements (BAA), formerly known as Medical Privacy Agreements, that current LuxSci customers have by virtue of the old BAA being incorporated automatically in LuxSci’s Master Services Agreement are VOID as of February 17th, 2010.
• New BAA Required: Any LuxSci Customer who is using or plans to use LuxSci for ePHI (electronic protected health information) of any kind (i.e. email, web sites, WebAides, databases, etc) must explicitly sign our new BAA and ARA (Account Restrictions Agreement) before LuxSci will consider itself a Business Associate and the customer’s LuxSci account HIPAA compliant.

LuxSci will be contacting customers that it believes might need to sign a BAA and ARA during the month of February.  However, as LuxSci does not know which customers are using their account(s) for storage or transmission of ePHI, it is up to our customers to contact LuxSci to establish a BAA.

See:

• Lux Scientiae HIPAA Busines Associate Agreement
• Lux Scientiae HIPAA Account Restrictions Agreement
• Medical Privacy / HIPAA in LuxSci’s Privacy Policy

Read the rest of this post »

On January 30th, 2010, LuxSci will be releasing a set of software updates that add new security features and enhance existing security features.  Additionally, LuxSci is introducing a new Business Associate Agreement for HIPAA customers — one that complies with the new HITECH provisions of HIPAA.  These changes will impact some existing and future customers, as described in this notice.

Read the rest of this post »