Comments on: What HIPAA Says about Email Security http://luxsci.com/blog/what-hipaa-says-about-email-security.html News, solutions and insider insight from LuxSci: provider of Secure Email and Web Security Thu, 06 Oct 2011 17:44:26 +0000 hourly 1 http://wordpress.org/?v=168 By: HIPAA Compliance Checklist: What You Need To Do | LuxSci FYI http://luxsci.com/blog/what-hipaa-says-about-email-security.html/comment-page-1#comment-1276 HIPAA Compliance Checklist: What You Need To Do | LuxSci FYI Thu, 12 May 2011 18:43:39 +0000 http://luxsci.com/blog/?p=1532#comment-1276 [...] be protected per HIPAA.  ePHI is merely PHI that is stored or transmitted electronically (i.e. via email, text message, web site, database, online document storage, electronic FAX, [...] [...] be protected per HIPAA.  ePHI is merely PHI that is stored or transmitted electronically (i.e. via email, text message, web site, database, online document storage, electronic FAX, [...]

]]> By: Rebecca http://luxsci.com/blog/what-hipaa-says-about-email-security.html/comment-page-1#comment-975 Rebecca Tue, 21 Sep 2010 01:09:43 +0000 http://luxsci.com/blog/?p=1532#comment-975 You have provided a lot of useful information in this article. I have recently been helping some practices are beginning to utilize the encrypted email sites that insurance providers now give them in order to upload patient record information for appeals which is more secure and easier to use than faxing. I agree with Erik that written policies must be exact on procedures such as this to avoid unauthorized disclosures. This is an ever changing world especially with the social media exchanges now being made by medical practices. Warmly, Rebecca You have provided a lot of useful information in this article. I have recently been helping some practices are beginning to utilize the encrypted email sites that insurance providers now give them in order to upload patient record information for appeals which is more secure and easier to use than faxing.

I agree with Erik that written policies must be exact on procedures such as this to avoid unauthorized disclosures.

This is an ever changing world especially with the social media exchanges now being made by medical practices.

Warmly,

Rebecca

]]> By: Erik Kangas http://luxsci.com/blog/what-hipaa-says-about-email-security.html/comment-page-1#comment-743 Erik Kangas Tue, 20 Apr 2010 00:30:20 +0000 http://luxsci.com/blog/?p=1532#comment-743 This would sure make many people's lives easier. However, due to the nature of HIPAA, no automated tool could do much beyond scratching the surface of determining if an organization is complaint. Why? Because compliance reaches from employee training and written policies, to access controls and auditing mechanisms, to enforcement of encryption, to access to and policies for disposal of computer hardware -- to name a few. Additionally, HIPAA compliance requires frequent reviews of policies, self audits, extensive documentation, and disaster testing. The only way to really see "where you stand" is to have someone well versed in HIPAA do an audit of your organization and its management of PHI. The more you can outsource the management of ePHI to HIPAA-compliant services, the less you have to be responsible for and audit yourself. This would sure make many people’s lives easier. However, due to the nature of HIPAA, no automated tool could do much beyond scratching the surface of determining if an organization is complaint. Why? Because compliance reaches from employee training and written policies, to access controls and auditing mechanisms, to enforcement of encryption, to access to and policies for disposal of computer hardware — to name a few. Additionally, HIPAA compliance requires frequent reviews of policies, self audits, extensive documentation, and disaster testing.

The only way to really see “where you stand” is to have someone well versed in HIPAA do an audit of your organization and its management of PHI. The more you can outsource the management of ePHI to HIPAA-compliant services, the less you have to be responsible for and audit yourself.

]]> By: jay http://luxsci.com/blog/what-hipaa-says-about-email-security.html/comment-page-1#comment-742 jay Mon, 19 Apr 2010 23:33:44 +0000 http://luxsci.com/blog/?p=1532#comment-742 There should be some type of compliance test that people/companies could run to see where they stand. That would be an awesome tool for someone to make. There should be some type of compliance test that people/companies could run to see where they stand. That would be an awesome tool for someone to make.

]]> By: Erik Kangas http://luxsci.com/blog/what-hipaa-says-about-email-security.html/comment-page-1#comment-704 Erik Kangas Sat, 03 Apr 2010 11:43:48 +0000 http://luxsci.com/blog/?p=1532#comment-704 Please refer to our blog on HIPAA compliance for web sites: http://luxsci.com/blog/what-makes-a-web-site-hipaa-secure.html Essentially, it is not possible to have any external scan to determine HIPAA compliance for web sites as a large degree of compliance depends on on how ePHI is handled on the server and behind the scenes. How it is stored, how it is transmitted, how access to it is gained, how it is disposed of, etc. External tests cannot analyze these things. You really need a knowledgeable IT person to review both your site architecture and your hosting situation to determine your degree of HIPAA compliance. At LuxSci, we provide web hosting accounts that require HIPAA compliance strict guidelines on what they should and should not do and have tools to make compliance easier. However, there are still things that are "up to the customer" which cannot be enforced by LuxSci or monitored for externally. For example, a web hosting customer could accidentally post ePHI behind a secure password protected web page which is accessible to a lot of people who should not see such ePHI -- resulting in a breach of HIPAA. Please refer to our blog on HIPAA compliance for web sites:

http://luxsci.com/blog/what-makes-a-web-site-hipaa-secure.html

Essentially, it is not possible to have any external scan to determine HIPAA compliance for web sites as a large degree of compliance depends on on how ePHI is handled on the server and behind the scenes. How it is stored, how it is transmitted, how access to it is gained, how it is disposed of, etc. External tests cannot analyze these things. You really need a knowledgeable IT person to review both your site architecture and your hosting situation to determine your degree of HIPAA compliance.

At LuxSci, we provide web hosting accounts that require HIPAA compliance strict guidelines on what they should and should not do and have tools to make compliance easier. However, there are still things that are “up to the customer” which cannot be enforced by LuxSci or monitored for externally. For example, a web hosting customer could accidentally post ePHI behind a secure password protected web page which is accessible to a lot of people who should not see such ePHI — resulting in a breach of HIPAA.

]]> By: alan Ludington http://luxsci.com/blog/what-hipaa-says-about-email-security.html/comment-page-1#comment-701 alan Ludington Sat, 03 Apr 2010 03:47:06 +0000 http://luxsci.com/blog/?p=1532#comment-701 is there a way to run a test on the internet to make sure my web site is totally compliant? is there a way to run a test on the internet to make sure my web site is totally compliant?

]]> By: HIPAA 2010 and Beyond: Impact on Email and Web Outsourcing | LuxSci FYI http://luxsci.com/blog/what-hipaa-says-about-email-security.html/comment-page-1#comment-626 HIPAA 2010 and Beyond: Impact on Email and Web Outsourcing | LuxSci FYI Wed, 20 Jan 2010 22:29:25 +0000 http://luxsci.com/blog/?p=1532#comment-626 [...] What HIPAA Says about Email Security [...] [...] What HIPAA Says about Email Security [...]

]]> By: LuxSci is Fully PCI Compliant | LuxSci FYI http://luxsci.com/blog/what-hipaa-says-about-email-security.html/comment-page-1#comment-518 LuxSci is Fully PCI Compliant | LuxSci FYI Fri, 02 Oct 2009 19:06:58 +0000 http://luxsci.com/blog/?p=1532#comment-518 [...] requirements are very stringent.  Unlike HIPAA, where you decide what requirements apply to your situation, the PCI/DSS requirements are very [...] [...] requirements are very stringent.  Unlike HIPAA, where you decide what requirements apply to your situation, the PCI/DSS requirements are very [...]

]]> By: Recipe: Completely Secure Collection of Web Form Data using SSL and PGP or S/MIME | LuxSci FYI http://luxsci.com/blog/what-hipaa-says-about-email-security.html/comment-page-1#comment-327 Recipe: Completely Secure Collection of Web Form Data using SSL and PGP or S/MIME | LuxSci FYI Tue, 17 Mar 2009 12:29:36 +0000 http://luxsci.com/blog/?p=1532#comment-327 [...] Edited by Erik Kangas, PhD, President of LuxSci Bringing you news, solutions and insider insight on LuxSci and our digital life « What HIPAA Says about Email Security [...] [...] Edited by Erik Kangas, PhD, President of LuxSci Bringing you news, solutions and insider insight on LuxSci and our digital life « What HIPAA Says about Email Security [...]

]]>