LuxSci HIPAA Business Associate Agreement


LuxSci customers with HIPAA accounts are required to read, agree to, sign, and return LuxSci's HIPAA Business Associate Agreement and Account Restrictions Agreement.

Customers with HIPAA accounts can read these agreements below on this page and fill out the form to signify their agreement to the terms of service and to include their written signature, captured using LuxSci's Ink Signature technology.

LuxSci HIPAA Business Associate Agreement

Version 2010.06.23 - Standard

This document (the combined Business Associate Agreement and Account Restrictions Agreement) must be signed and returned to LuxSci for an account to be considered eligible for HIPAA Customer status.

You may return signed versions of these documents to Lux Scientiae by:

  • Using the online signature form
  • Faxing to 413-332-0598
  • Mailing to Lux Scientiae at PO Box 326 Westwood, MA 02090 USA
  • Scanning and attaching digital copies to a support ticket in your Lux Scientiae account.

Business Associate Agreement

This Business Associate Agreement (the "Agreement") shall apply to the extent that the Lux Scientiae Customer signee is a "Covered Entity," as defined below. Execution of the Agreement does not automatically qualify either party as a "Covered Entity" or "HIPAA Business Associate" under law or regulation unless that party is considered a "Covered Entity" or "HIPAA Business Associate" under the applicable laws or regulations. This Agreement defines the rights and responsibilities of each of us with respect to Protected Health Information as defined in the Health Insurance Portability and Accountability Act of 1996, the Health Information Technology for Economic and Clinical Health (HITECH) provisions of the American Recovery and Reinvestment Act of 2009, and the regulations promulgated thereunder, as each may be amended from time to time (collectively, "HIPAA"). This Agreement shall be applicable only in the event and to the extent Lux Scientiae meets, with respect to you, the definition of a Business Associate set forth at 45 C.F.R. Section 160.103, or applicable successor provisions.

1. Definitions

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the HIPAA Privacy Rule.

Specific definitions:

  1. Agreement. "Agreement" shall mean the Service Description, any Master Services Agreement, any Lux Scientiae Agreement to the Master Services Agreement (including this Agreement), and the Acceptable Use Policy, collectively.

  2. Business Associate. "Business Associate" shall mean Lux Scientiae, Incorporated ("Lux Scientiae").

  3. HIPAA Business Associate. "HIPAA Business Associate" shall mean an organization that has a HIPAA Business Associate Agreement with one or more "Covered Entities."

  4. Covered Entity. "Covered Entity" shall mean a client of Lux Scientiae that is (1) a health plan, (2) a health care clearinghouse, or (3) a health care provider who electronically transmits any health information in connection with transactions for which the U.S. Department of Health and Human Services has adopted standards. In this agreement, the term "Covered Entity" will also be extended to include a client of Lux Scientiae who is a "HIPAA Business Associate."

  5. CFR. "CFR" shall mean the Code of Federal Regulations.

  6. Disclosure. "Disclosure" of PHI means "the release, transfer, provision of, access to, or divulging in any other manner, of PHI outside the entity holding the information," as per 45 CFR 160.103.

  7. Electronic Protected Health Information. "Electronic Protected Health Information" (ePHI) shall have the same meaning as the term "electronic protected health information" in 45 CFR 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.

  8. Individual. "Individual" shall have the same meaning as the term "individual" in 45 CFR 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).

  9. Privacy Rule. "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.

  10. Protected Health Information. "Protected Health Information" (PHI) shall have the same meaning as the term "protected health information" in 45 CFR 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.

  11. Required by Law. "Required by Law" shall have the same meaning as the term "required by law" in 45 CFR 164.103.

  12. Secretary. "Secretary" shall mean the Secretary of the Department of Health and Human Services or his designee.

  13. Security Rule. "Security Rule" shall mean the requirements of 45 CFR 164.308, 164.310, 164.312, 164.314, and 164.316.

  14. Use. "Use" of PHI shall mean "the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information," as per 45 CFR 160.103.

2. What is considered ePHI by Business Associate.

There are many kinds of data that a Customer may store in or pass through Business Associate's services. Business Associate cannot know specifically which information is ePHI and which is not, yet it is required to ensure the security and privacy of all of Covered Entity's ePHI as per the Security and Privacy Rules. Business Associate therefore uses a blanket definition that treats certain classes of data as "ePHI", so that it can ensure the security and privacy of actual ePHI in a straightforward and consistent manner.

Business Associate will treat the following classes of data as "ePHI" for the purposes of ensuring the security and privacy of that data as per the Security and Privacy Rules:

  1. Sent Email. The content of all sent email messages.

    i. The subject, sender address, recipient addresses, and other email header metadata is not considered ePHI, though they are covered by Covered Entity's standard privacy and non-disclosure policies.

    ii. Sent Email includes only email messages sent by Covered Entity from Business Associate's WebMail or user-authenticated SMTP services.

    iii. Sent Email does not include email messages "sent" as a result of inbound email processing rules, such as email forwards, email notices, etc.

  2. Received Internal or Encrypted Email. The content of all received secure email messages.

    i. The subject, sender address, recipient addresses, and other email header metadata is not considered ePHI, though they are covered by Covered Entity's standard privacy and non-disclosure policies.

    ii. "Secure messages" are those that are transmitted from the sender's email server(s):

      1. Over a TLS-encrypted SMTP connection, or

      2. PGP-encrypted, or

      3. S/MIME-encrypted.

      4. Notices to pick up secure messages on a web site are not themselves ePHI.

  3. WebAides. The content of WebAides.

    i. This includes: WebAide Documents, Blogs, Address Books, Calendars, Tasks, Links, Notes, Passwords, and any other WebAides that may be introduced.

    ii. This applies to all WebAide content including comments, notes, and file attachments.

    iii. This applies whether or not the WebAide content has been encrypted using optional PGP encryption by Covered Entity.

  4. Widgets. The content of Widgets.

    i. This includes: Notepad widgets, WebAide widgets, and all other widgets that do not otherwise indicate that they should not be used for ePHI.

    ii. This excludes: Custom widgets created by Covered Entity or third parties.

  5. Databases. The content of any MySQL databases that the customer may be using for web hosting.

    i. This applies even if Covered Entity has not PGP-encrypted the ePHI in the database.

  6. File Storage. Applies to files stored on Covered Entity's web hosting/FTP file space.

    i. This includes all files stored in this space on servers dedicated to the Covered Entity.

    ii. This includes PGP- or SSL-encrypted files stored in this space on servers that the Covered Entity shares with other Customers.

While Business Associate treats all data in these classes as "PHI" with respect to its security and privacy policies, a "breach" caused by a Use or Disclosure of PHI other than as permitted or required by this Agreement or as permitted or Required by Law will only be construed to occur if the data Used or Disclosed was actually PHI as defined in Section 1.

3. Obligations and Activities of Business Associate

  1. Business Associate agrees to not Use or Disclose PHI other than as permitted or required by this Agreement or as permitted or Required by Law.
  2. Business Associate agrees to use appropriate safeguards to prevent Use or Disclosure of the PHI other than as provided for by this Agreement. In particular, Business Associate agrees to comply with the Privacy Rule and Security Rule with respect to all data considered ePHI per Section 2, subject to the caveats in 3c.
  3. Business Associate provides many mechanisms by which the Covered Entity can safeguard PHI, which, when properly utilized by Covered Entity, will ensure compliance with the provisions of the Privacy Rule and the Security Rule. As the use of Business Associate's services with respect to PHI varies significantly from one Covered Entity to another, Business Associate by default does not automatically lock down the security of information storage and transfer to the maximum degree possible and does not require that Covered Entity purchase or employ all possible services available to it to do so, as that would not be appropriate for many Covered Entities. Business Associate will, upon request, advise the Covered Entity as to the most appropriate measures it should take with regard to Business Associate's services in order to ensure compliance with the Privacy Rule and the Security Rule, and will assist the Covered Entity in taking those measures. However, it is the sole responsibility of the Covered Entity to choose and utilize those optional security measures that it deems appropriate for its business practices with respect to Business Associate.
  4. Business Associate agrees to mitigate, to the extent reasonably practicable, any harmful effect that is known to Business Associate of a Use or Disclosure of PHI by Business Associate or its agents or subcontractors in violation of the requirements of this Agreement.
  5. Business Associate agrees to report to Covered Entity any Use or Disclosure of PHI not provided for by this Agreement of which it becomes aware. Such notice will be made within 60 days of the discovery of the breach as per SEC 13302 of the American Recovery and Reinvestment Act of 2009.
  6. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides PHI received from, or created or received by Business Associate on behalf of Covered Entity, agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.
  7. All PHI maintained by Business Associate for Covered Entity will be available to Covered Entity in a time and manner that reasonably allows Covered Entity to comply with the requirements under 45 CFR 164.524. Business Associate shall not be obligated to provide any such information directly to any Individual or person other than Covered Entity.
  8. All PHI and other information maintained by Business Associate for Covered Entity will be available to Covered Entity in a time and manner that reasonably allows you to comply with the requirements under 45 CFR 164.526.
  9. Business Associate agrees to document such Disclosures of PHI and information related to such Disclosures that it is aware of as would be required for Covered Entity to respond to a request by an Individual for an accounting of Disclosures of PHI in accordance with 45 CFR 164.528. This provision covers the actions of Business Associate with respect to explicit Disclosure of PHI; it does not cover Disclosures that may result from inappropriate choices of security settings or inappropriate usage of Business Associate's services by Covered Entity.
  10. You acknowledge that Business Associate is not required by this Agreement to make Disclosures of PHI to Individuals or any person other than Covered Entity, and that Business Associate does not, therefore, expect to maintain documentation of such Disclosure as described in 45 CFR 164.528. In the event that Business Associate does make such Disclosure, it shall document the Disclosure as would be required for you to respond to a request by an Individual for an accounting of Disclosures in accordance with 45 CFR 164.528, and shall provide such documentation to you promptly on your request.
  11. Business Associate agrees to consider any amendment(s) to PHI stored on Business Associate's servers in accounts owned by Covered Entity at the request of Covered Entity or an Individual, and in the time and manner agreed upon by Business Associate and Covered Entity. Such amendments and their terms must be negotiated and agreed upon by Business Associate and Covered Entity before they will be implemented.
  12. Business Associate agrees to make internal practices, books, and records, including policies and procedures and PHI, relating to the Use and Disclosure of PHI received from, or created or received by Business Associate on behalf of, Covered Entity available to the Secretary, within 30 days of a verified request, for purposes of the Secretary determining Covered Entity or Business Associate's compliance with the Privacy or Security Rules.

4. Permitted Uses and Disclosures by Business Associate

Except as otherwise limited in this Agreement or other portion of the Agreement, Business Associate may Use or Disclose PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in the Agreement, provided that such Use or Disclosure would not violate the Privacy Rule if done by you.

Business Associate's services include the transmission of material over email, web sites, and other means. Business Associate provides the means to ensure that PHI is encrypted so that it will not be Disclosed in ways that would violate the Privacy Rule. As per obligation 3c and 6a, it is up to Covered Entity to use the appropriate optional services to ensure the appropriate level of security for the PHI that travels through or is stored in Business Associate's services.

5. Specific Use and Disclosure Provisions.

Except as otherwise limited in this Agreement or other portion of the Agreement, Business Associate may:

  1. Use PHI for the proper management and administration of Business Associate or to carry out its legal responsibilities;
  2. Disclose PHI for the proper management and administration of Business Associate, provided that disclosures are (i) Required By Law, or (ii) Business Associate obtains reasonable assurances from the person to whom the information is Disclosed that it will remain confidential and used or further Disclosed only as Required By Law or for the purpose for which it was Disclosed to the person, and the person will notify Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached; and
  3. Use PHI to report violations of law to appropriate Federal and State authorities, consistent with CFR 164.502(j)(1).

6. Obligations of Covered Entity

  1. Covered Entity is obliged to utilize Business Associate's services in a way that ensures that Covered Entity is in compliance with the Privacy Rule.
  2. Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR 164.520, to the extent that such limitation may affect Business Associate's Use or Disclosure of PHI.
  3. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to Use or Disclose PHI, to the extent that such changes may affect Business Associate's Use or Disclosure of PHI.
  4. Covered Entity shall notify Business Associate of any restriction to the Use or Disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR 164.522, to the extent that such restriction may affect Business Associate's Use or Disclosure of PHI.
  5. Covered Entity shall not request Business Associate to Use or Disclose PHI in any manner that would not be permissible under the Privacy Rule if done by Covered Entity.
  6. Covered Entity agrees not to use Business Associate's services for the transmission or storage of ePHI, except for that ePHI which meets one or more of the classes of ePHI supported by Business Associate as defined in Section 2.
  7. Covered Entity agrees to indemnify and hold harmless Business Associate, its directors, officers, shareholders, parents, subsidiaries, affiliates, and agents, from and against all losses, expenses, damages and costs, including reasonable attorneys' fees, resulting from Covered Entity's failure to fulfill its obligations under this Agreement to use Business Associate's services in such a manner as to prevent the unauthorized disclosure of PHI.

7. Term and Termination

  1. Term. The Term of this Agreement shall be effective as of the date when Covered Entity signs this Agreement and it is accepted by Lux Scientiae, and shall terminate when all of the PHI provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section.
  2. Termination for Cause. Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity shall either:
    1. Provide an opportunity for Business Associate to cure the breach or end the violation and terminate this Agreement if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity;
    2. Immediately terminate this Agreement if Business Associate has breached a material term of this Agreement and cure is not possible; or
    3. If neither termination nor cure is feasible, Covered Entity shall report the violation to the Secretary.

    In the case of legitimate Termination for Cause, Covered Entity may also terminate its accounts with Business Associate without regard to any time remaining on Covered Entity's account contracts, though any amounts due to Business Associate at that time will become immediately due.

  3. Effect of Termination.
    1. Except as provided in paragraph (2) of this section, upon termination of this Agreement, for any reason, Business Associate shall return or destroy, within 90 days of termination, all PHI received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to PHI that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the PHI after this time.
    2. In the event that Business Associate determines that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. If return or destruction of PHI is infeasible, Business Associate shall extend the protections of this Agreement to such PHI and limit further Uses and Disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such PHI.

8. Miscellaneous

  1. Regulatory References. A reference in this Agreement to a section in the Privacy Rule or Security Rule means the section as in effect or as amended.
  2. Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy Rule, the Security Rule, the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, and all subsequent laws and regulations bearing on the subject matter of this Agreement.
  3. Survival. The respective rights and obligations of Business Associate under Section 6.c of this Agreement shall survive the termination of this Agreement.
  4. Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the Privacy Rule and Business Associate to comply with the Privacy and Security Rules.

Required Restrictions to HIPAA Accounts at LuxSci

This document goes along with LuxSci's HIPAA Business Associate Agreement. Both must be signed and returned to LuxSci for an account to be considered eligible for HIPAA Customer status.


Version 2011.04.22

In order for LuxSci to ensure the security and privacy of all Electronic Protected Health Information (ePHI) that is stored on or that passes through its servers [see the definition of what LuxSci considers ePHI in the Business Associate Agreement], LuxSci has instituted the following restrictions that are required of all accounts designated as HIPAA.

NOTE: A customer of LuxSci that stores ePHI on LuxSci servers and/or sends ePHI through LuxSci and who is a HIPAA Covered Entity or a Business Associate of a HIPAA Covered Entity, must be designated and approved as a HIPAA Account at LuxSci or be subject to account(s) suspension. By law, it is incumbent upon LuxSci to ensure that all customers that it knows to store and/or send ePHI have a co-signed LuxSci Business Associate Agreement and be configured in a way that safeguards ePHI.

There are two different types of HIPAA Accounts at LuxSci; the LuxSci HIPAA requirements for each type are slightly different. The two types are:

  • Account-Wide HIPAA: All users and all domains in the account are locked down for compliance.
  • Per-Domain HIPAA: All users have a general level of good security enforced, but only users in designated "HIPAA Domains" can use the services for ePHI and only these users are locked down for compliance.

1. Account Type Requirements

In order to be considered a HIPAA Account, a LuxSci customer account must:

  • [Account-Wide HIPAA Accounts] Have SecureLine licenses for all users in Email Hosting or SecureForm account domains
  • [Per-Domain HIPAA Accounts] Have SecureLine licenses for all users in designated HIPAA
  • Use a Premium High Volume Outbound Email Account for bulk email
  • Be a Covered Entity under HIPAA (or a Business Associate of Covered Entity)

2. Account Security Requirements

The following security measures must be enforced on HIPAA Accounts before LuxSci will consider the customer to be taking appropriate measures to safeguard ePHI and thus be eligible for status as a HIPAA Account.

2.1 Enforced use of Secure Logins: All logins to LuxSci servers by any user in the account must be secured via SSL, TLS, or SSH. This includes: WebMail, POP, IMAP, SMTP, FTP, and remote MySQL access.

2.2 Password Strength: All passwords used by all users to access LuxSci servers must be "strong". This means that they must be 8 or more characters long, contain both letters and numbers, and pass the "crack" password strength checking system to ensure that they are hard to guess.

2.3 Web Interface Session Timeout: The maximum web interface (i.e. WebMail) session timeout must be reduced to 20 minutes.

2.4 [Section removed as it referred to a feature no longer available].

2.5 Outbound Email Encryption Enforcement. (Enforced SecureLine Encryption will use TLS-only transport encryption for recipients whose email servers support TLS, PGP or S/MIME when available, and SecureLine Escrow for anyone else with an email address. This restriction applies to messages sent via WebMail and via SMTP. Messages sent via SMTP that cannot be encrypted or sent via TLS are blocked.)

2.5.1: [Account-Wide HIPAA] All users will be forced to have their outbound email encrypted.

2.5.2: [Per-Domain HIPAA] All users in designated HIPAA domains will be forced to have their outbound email encrypted.

2.6 WebAides Feeds: All published WebAides feeds must be accessed over a password-protected secure connection (HTTPS).

2.7 SecureForm: All SecureForms configured must be configured securely. This means that HTTPS must be used to secure the form data when it is posted and PGP, S/MIME, or TLS SecureLine encryption must be used to encrypt any email messages containing form data sent out from the SecureForm service.

2.8 Secure Forwarding Enforced: This ensures that all messages that might contain ePHI which are forwarded will be encrypted during transport using TLS. Attempts to configure forwarding to recipients using email services that do not support SMTP TLS message delivery will be uniformly restricted by the LuxSci system. The Customer can optionally further restrict end users from being able to enable any filtering and forwarding settings for themselves.

2.8.1: [Account-Wide HIPAA] All email forwarding rules for any address created using features of your LuxSci account (i.e. email aliases, email forwards, email capturing, etc.) can only be forwarded to recipients whose email servers support TLS for SMTP transport encryption.

2.8.2: [Per-Domain HIPAA] All email forwarding rules for addresses in designated HIPAA domains created using features of your LuxSci account (i.e. email aliases, email forwards, email capturing, etc.) can only be forwarded to recipients whose email servers support TLS for SMTP transport encryption.
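As an added illustration (not LuxSci's code or configuration), the following Python models the decisions described in 2.5 and 2.8: which protection an outbound message gets, when an SMTP message is blocked, and whether a forwarding rule is permitted, scoped by Account-Wide versus Per-Domain enforcement (2.5.1/2.5.2, 2.8.1/2.8.2) and by the optional settings of 3.1, 3.4 and 3.5. The field names, the "plain"/"blocked" labels and the assumption that WebMail can prompt for an Escrow question and answer at send time are constructed for the example.

```python
from dataclasses import dataclass

# Constructed model of the HIPAA-account routing rules in Sections 2.5 and 2.8
# (not LuxSci's code). Field names and return labels are assumptions.

@dataclass(frozen=True)
class Recipient:
    address: str
    tls_supported: bool = False       # recipient's mail server accepts SMTP over TLS
    pgp_key: bool = False             # PGP public key on file (e.g. shared Address Book, 3.3)
    smime_cert: bool = False          # S/MIME certificate on file
    escrow_qa_on_file: bool = False   # Escrow question/answer stored for this contact (3.3)


@dataclass(frozen=True)
class AccountPolicy:
    mode: str                           # "account-wide" or "per-domain"
    hipaa_domains: frozenset = frozenset()
    tls_only_delivery: bool = True      # optional TLS-Only delivery (3.1)
    default_escrow_qa: bool = False     # default Escrow question/answer configured (3.4)
    end_users_may_forward: bool = True  # admin may restrict end-user forwarding (3.5)

    def enforced_for(self, address: str) -> bool:
        """Account-wide: every user is locked down. Per-domain: only HIPAA domains."""
        if self.mode == "account-wide":
            return True
        domain = address.rsplit("@", 1)[-1].lower()
        return domain in self.hipaa_domains


def choose_outbound_method(policy, sender, recipient, channel, qa_supplied=False):
    """Return how an outbound message is protected: 'plain' (enforcement does not
    apply to this sender), 'tls', 'pgp', 'smime', 'escrow', 'escrow-qa-required'
    or 'blocked'. channel is 'webmail' or 'smtp'; qa_supplied means the WebMail
    sender typed an Escrow question/answer at send time (only WebMail allows
    this, per 3.4)."""
    if channel not in ("webmail", "smtp"):
        raise ValueError("channel must be 'webmail' or 'smtp'")
    if not policy.enforced_for(sender):
        return "plain"
    # 2.5 / 3.1: TLS transport for recipients whose servers support it
    if policy.tls_only_delivery and recipient.tls_supported:
        return "tls"
    # 2.5: PGP or S/MIME when available
    if recipient.pgp_key:
        return "pgp"
    if recipient.smime_cert:
        return "smime"
    # 2.5: SecureLine Escrow for anyone else, which needs a question/answer
    if policy.default_escrow_qa or recipient.escrow_qa_on_file:
        return "escrow"
    if channel == "webmail":
        # Assumption: WebMail asks the sender for a question/answer (3.4)
        return "escrow" if qa_supplied else "escrow-qa-required"
    # 2.5: SMTP messages that cannot be encrypted or sent via TLS are blocked
    return "blocked"


def forwarding_rule_allowed(policy, source, destination, configured_by_admin):
    """2.8: forward only to servers that support SMTP TLS; 3.5: optionally
    only Account Administrators may configure forwarding at all."""
    if not configured_by_admin and not policy.end_users_may_forward:
        return False
    if not policy.enforced_for(source):
        return True  # 2.8.2: per-domain accounts restrict only HIPAA domains
    return destination.tls_supported


if __name__ == "__main__":
    # Constructed sample account: per-domain HIPAA, one designated domain
    policy = AccountPolicy(mode="per-domain", hipaa_domains=frozenset({"secure.yourdoctor.com"}))
    for sender, rcpt, channel in [
        ("john@yourdoctor.com", Recipient("pat@example.net"), "smtp"),
        ("john@secure.yourdoctor.com", Recipient("pat@example.net", tls_supported=True), "smtp"),
        ("john@secure.yourdoctor.com", Recipient("pat@example.net", pgp_key=True), "smtp"),
        ("john@secure.yourdoctor.com", Recipient("pat@example.net"), "smtp"),
        ("john@secure.yourdoctor.com", Recipient("pat@example.net"), "webmail"),
    ]:
        print(sender, "->", rcpt.address, channel, ":", choose_outbound_method(policy, sender, rcpt, channel))
```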

2.9 Maximal Security Lockdown: The above configuration settings are put in place by LuxSci's "Maximal Security" tool. LuxSci Support will lock down this setting so that Account Administrators cannot change any of the above settings themselves. Additionally, LuxSci Support cannot change any of the settings without first removing the lockdown. All changes to the settings and the lockdown itself are permanently logged in your account's audit trail.

3. Workarounds

Due to the nature of the HIPAA and HITECH requirements, as your Business Associate, LuxSci has a great deal of responsibility in ensuring that your use of its services is such that ePHI is safeguarded. As a result, LuxSci imposes the restrictions of Section 2. There are various ways to increase the usability of the system in the face of these necessary security requirements. Identified below are our recommendations. Customer is not required to be compliant with or implement any or all of the recommendations presented below; they are all optional. Failure by Customer to comply with or implement any of the recommendations identified in this Section 3 does not void or negate any obligation or responsibility of LuxSci or a Customer under this or the Business Associate Agreement.

3.1 TLS-Only Secure Delivery: SecureLine Outbound Encryption permits enabling TLS-Only delivery as an option for outbound email encryption. Recipient domains hosted by LuxSci or whose email servers support SMTP over TLS can be delivered to "normally" without the required use of more complex outbound encryption (i.e. PGP, S/MIME, or Escrow). That is, all messages to such recipients would be sent as "regular email"; however, that regular email would be delivered over a secure channel, either locally within LuxSci or to remote servers over a TLS-secured channel. This kind of delivery meets HIPAA's Security Rule requirements, while allowing a large class of email messages (such as those between users in your account) to be sent and received normally.

TLS-Only secure delivery can be enabled for only selected recipient domains or can be dynamic -- where the system will dynamically determine eligible recipients and use TLS whenever possible.

3.2 Automatic Inbound Email Decryption: This optional feature will allow all inbound email for your users encrypted via PGP or S/MIME to be automatically decrypted upon arrival to LuxSci. As all email between users in your account and messages sent to them from SecureLine Escrow or SecureSend will be encrypted in this way, it allows:

  • Users to access these email messages "as normal" via WebMail or their favorite email client (both over an SSL-secured channel to LuxSci's servers).
  • Access to all of these received messages without any need for further manual decryption or passwords.
  • Filtering of decrypted email upon arrival to LuxSci's servers using custom filtering rules that you are able to set up.
  • Archival of inbound messages in an unencrypted format so that they are more easily searchable and so that they can be accessed even if the original certificates used are deleted or the passwords forgotten.
  • Business as almost-usual for inbound email.

3.3 Global SecureLine Address Book: Have an account administrator create an "Address Book" in the web interface where you define all of the common contacts to whom your organization corresponds. In this Address Book, you can also upload PGP and S/MIME public keys, should they be available, or specify a question and answer that should be used when picking up secure emails via SecureLine Escrow. This Address Book can be shared with all users in your account (and they can be auto-subscribed to it), so that it is automatically used when your users are sending email messages (via WebMail and SMTP). Not only do your users get easy access to the shared contact list, but the security information being used can be centrally located and managed.

3.4 Default SecureLine Escrow Question and Answer: For outbound email messages going to recipients who have not been explicitly set up in the system or in a shared Address Book, you can define a default question and answer that will be used to secure a SecureLine Escrow message to them. This allows you to send to any email address without needing to pre-configure it. This is especially useful when using SMTP as, unlike WebMail, you cannot specify a new SecureLine Escrow question and answer in your email client at the time of sending.

3.5 Control Email Forwarding: Even though email forwarding is restricted to be to TLS-enabled recipients only, you still have responsibilities with regard to forwarding. Administrators can choose to restrict end users from managing their own email forwarding and filtering settings. By requiring only Account Administrators to configure these settings, you can easily ensure that only approved email forwarding rules are in place. Additionally, instead of forwarding email messages to external accounts, custom email filters can be used to send non-ePHI-containing notices of messages arrivals to any external email address. In this way, users can be informed of the arrival of messages in their insecure accounts, without potential ePHI being forwarded out of their secure accounts.

3.6 Multiple Sending Profiles: For users who must be able to send some messages securely and some insecurely (to non-exempt domains), LuxSci recommends having two separate domains -- one regular and one HIPAA. For example "john@yourdoctor.com" for regular email and "john@secure.yourdoctor.com" for ePHI. The recommendation for separate user logins is based on the following:

  • These two accounts can be setup in parallel in the user's email program (i.e. Outlook or Thunderbird).
  • The user can select the appropriate email account by choosing the account in the email program before sending, i.e. click on the "Secure" account to send ePHI and the "insecure" account to send non-ePHI.
  • The user can see inbound email arriving to either account in real time in his/her email program.
  • The user can reply to messages as normal in his/her email program.
  • The user can reply to an "insecure" message securely by dragging and dropping it from the insecure inbox to the secure inbox before sending (among other ways).
  • The separate domains with LuxSci keep the delineation of what is ePHI and what is not ePHI very clear.
  • The separate accounts in the user's email client keep the distinction of what is secure and what is not very clear.
  • It is up to your end user to determine what should be sent securely or not.
  • The recipient also gains assurance via the different email address "secure.yourdoctor.com" that s/he sees when receiving a message containing ePHI.
  • Your "insecure" login with LuxSci will not be forced to send email in an encrypted manner.

This approach is really the cleanest way to separate secure from insecure email in terms of clarity and ease of use for the end user and in terms of limiting liability for improper disclosure of ePHI for both you and LuxSci.

4. Customer Responsibility

LuxSci cannot reasonably lock down all aspects of an account to prevent every possible use that might disclose ePHI in an unauthorized fashion. As a result, with respect to the terms specified in the LuxSci HIPAA Business Associate Agreement, it is the HIPAA Customer's responsibility to ensure that all ePHI in the following situations is safeguarded appropriately.

4.1 Email Forwarding: LuxSci gives Customers the ability to automatically forward email messages from their LuxSci email account to external email addresses that support TLS for secure email transmission. In this way, any potential ePHI is forwarded out of the account in a secure, encrypted manner. This feature is mainly intended to make it easy to integrate LuxSci services with those of other secure email servers. It is the Customer's responsibility to ensure that email is not forwarded to locations that could result in violations of the HIPAA Security or Privacy Rules. Customer is responsible for preventing any HIPAA breach due to improper use or disclosure of ePHI resulting from ePHI being forwarded to improper recipients or insecure locations. For example, forwarding email to other Customer-controlled accounts at LuxSci or other service providers which are NOT HIPAA-compliant would render Customer not HIPAA-Compliant in general and would be a violation of this Agreement.

4.2 Email Sending: LuxSci gives Customers the ability to send email to anyone on the Internet and have that email be transmitted to the recipient(s) in a secure and encrypted manner. It is the Customer's responsibility to ensure that ePHI is only transmitted to recipients whose access to that ePHI would not violate the HIPAA Privacy Rule. Customer is responsible for preventing any HIPAA breach due to improper use or disclosure of ePHI resulting from ePHI being emailed to improper recipients.

4.3 Web Sites: HIPAA Customers are in full control of the content and operation of any hosted web sites. LuxSci does not perform audits of these sites to ensure that they are constantly HIPAA compliant. HIPAA Customer must ensure that any ePHI stored on or accessible through or submitted to its web site(s) is safeguarded to a degree that satisfies the HIPAA Security and Privacy rules. This may include:

  • Use of SSL and password protection to secure portions of the web site.
  • Storing data in an encrypted fashion.
  • Using LuxSci's SecureForm service for processing form submissions that may contain ePHI.
  • Removing any unencrypted ePHI from the customers' web or file storage areas.

4.4 File Storage: HIPAA Customers using shared web hosting servers (as opposed to dedicated servers) must not store any unencrypted ePHI in any files in the shared web / FTP file storage space. Additionally, any files containing database passwords or encryption keys must be secured by file permissions so that other users on the same shared server cannot gain read or write access to them.
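The permission requirement above is something a customer can check for themselves. The following POSIX shell script is an added example, not a LuxSci tool: it walks a web/FTP directory, reports files whose names suggest they hold secrets (the name patterns are assumptions; extend them for your own site) that are readable or writable by group or other users, and optionally tightens each one to owner-only (mode 0600). It relies only on `find`'s POSIX symbolic `-perm` tests and `chmod`.

```shell
#!/bin/sh
# Added example (not LuxSci's own code): audit a shared-hosting
# directory for secret-bearing files that other local users could
# read or write, then tighten them to owner read/write only.
#
# Assumptions: POSIX sh, find and chmod; the list of "secret-like"
# file names below is illustrative and should be extended per site.

# Print every regular file under $1 whose name suggests it holds a
# password or key AND that is readable or writable by group or other.
# -perm -g+r means "the group-read bit is set" (POSIX symbolic form).
find_exposed_secrets() {
    dir="$1"
    find "$dir" -type f \
        \( -name '*.env' -o -name 'config.php' -o -name 'wp-config.php' \
           -o -name '*.pem' -o -name '*.key' -o -name '.htpasswd' \
           -o -name 'settings.py' \) \
        \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \) \
        -print
}

# Restrict each exposed file to the owner only (rw-------) and report it.
# Returns the number of files changed via its printed lines.
lock_down_secrets() {
    find_exposed_secrets "$1" | while IFS= read -r f; do
        chmod 600 "$f"
        printf 'fixed: %s\n' "$f"
    done
}

# Count how many exposed secret files remain under $1 (0 means clean).
count_exposed_secrets() {
    find_exposed_secrets "$1" | wc -l | tr -d ' '
}

# Usage: sh audit_perms.sh /path/to/public_html
if [ "$#" -gt 0 ]; then
    echo "Exposed secret files under $1:"
    find_exposed_secrets "$1"
    lock_down_secrets "$1"
    echo "Remaining exposed: $(count_exposed_secrets "$1")"
fi
```

Run it against the document root of your shared hosting space; anything it reports was readable by other tenants of the same server until `chmod 600` ran. Note that it does not detect unencrypted ePHI inside ordinary files, which section 4.4 also forbids; that still requires a content review.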

4.5 McAfee Outbound Filtering: Customers using outbound email services from McAfee must be sure that they are using TLS to encrypt the messages sent from their workstations or servers to McAfee. Alternately, they should relay such messages securely through LuxSci's outbound email servers -- LuxSci's servers can then ensure secure relaying of the messages through McAfee.

4.6 McAfee Email Archival: Customers using Premium Email Archival (provided through our partnership with McAfee) must configure a secure connection for the ingest of the messages into the archival system. LuxSci automatically configures the archival account in this way for customers whose email is hosted with LuxSci, and this is enforced by policy. For customers who are ingesting email from their own servers, it is their responsibility to be sure that this connection is secure.

4.7 Premium Email Filtering: Customer has access to the Premium Email Filtering control panel at McAfee. Customer must ensure that any email forwarding to distribution lists or notification email addresses configured in this portal is delivered only to recipients in their filtered domains; forwarding to other email addresses may result in the messages being delivered without transport encryption to the recipient(s).

4.8 LDAP: Customers using LDAP for access to their Address Books must use LDAP over SSL if their address books may contain ePHI.

4.9 Widgets: Customers must not implement custom or third-party Widgets in the LuxSci user interface which might be used for transferring or storing ePHI at third-party locations in a manner which does not safeguard that data. LuxSci does not consider data stored in, or passing through, third-party Widgets to be within its definition of supported ePHI.

4.10 Other Email Accounts: It is the Customer's responsibility to inform LuxSci of all accounts that they may have with LuxSci which may be involved in the sending, receipt, or storage of ePHI.

4.11 Access Auditing: It is the Customer's responsibility to review the access auditing reports for individual users if that is deemed by Customer to be important for their HIPAA compliance. Only Customer would have clear knowledge as to what access is legitimate and what is not.

4.12 Sharing: Customers in Per-Domain HIPAA accounts are permitted to share objects (such as email folders, workspaces, and WebAides) owned by non-HIPAA users with HIPAA users. It is the Customer's responsibility to either (a) restrict sharing by end users so that this is not permitted, or (b) to ensure that HIPAA users never copy ePHI into the shared objects of non-HIPAA users thus permitting access to ePHI by non-compliant users.

5. Agreement

Please sign and date this document to indicate that you agree with the required restrictions that will be imposed on a HIPAA account (Section 2) and that you understand your own responsibility in safeguarding ePHI with respect to your LuxSci account (Section 4).

YES, I have read and agree with the Business Associate and Account Restrictions Agreements.*

Customer Signature*     Date:

Draw your signature in the box above. On a desktop or laptop computer, you can use a mouse (click and drag to draw). On a touch screen device, you can use a stylus or your finger.

Customer Name* Customer Organization
Customer Title Account or Order Number*

YES, I would like a copy of these counter-signed agreements for my reference.

Copyright © 2004-2012 Lux Scientiae®, Incorporated