HIPAA - Secure Email and Web Hosting
Overview
The new regulations in effect as of February 17th, 2010 require HIPAA
compliance for Business Associates of HIPAA covered entities. LuxSci can
help you stay HIPAA compliant.
HIPAA Compliant Services:
- Email to and from anyone
- Transmission of data from PDF and/or web forms
- Information management and collaboration
- Robust spam and virus filtering; e-discovery and archival
As a healthcare organization, insurer, medical office, or individual
practitioner you must ensure your hosted email provider meets HIPAA
compliance for ePHI to safeguard your clients' information. It is also
vital that your provider mitigates the potential for HIPAA violations and
subsequent liability, as the penalties can be severe. HIPAA HITECH 2010 is
here, and LuxSci's got you covered!
LuxSci's rock-solid security offers you a cost-effective, fully
compliant solution. Our specially designed set of account settings and use
guidelines designate your account as HIPAA compliant once it has been
locked down and verified by LuxSci Support. Enforced TLS and SSL for
connections, SecureLine end-to-end encryption, and other security features
enable LuxSci to protect your ePHI and provide you with a HIPAA compliant
communications environment.
LuxSci's SecureLine end-to-end
email encryption service makes it easy to communicate with anyone,
regardless of their email provider, in a secure, trouble-free manner. No
special software required.
Use LuxSci SecureForm to encrypt and securely transmit your web or PDF
form data over SSL, and receive submissions via secure email or download
them from our web site.
In addition to security, storage of emails is an equally important
aspect in adhering to mandated compliance regulations. Over 90% of
companies have received at least one e-discovery request.
Comprehensive. Cost-effective. Customizable.
Designed for Compliance. Experience LuxSci.
Satisfying all of the HIPAA rules and security requirements takes a
specific collection of account features and settings. Once the following
items are implemented and in use, and LuxSci Support has reviewed and
locked down the account, we confirm the account as HIPAA compliant under
the terms of our HIPAA Business Associate Agreement.
Compliance Seal
Once your account is certified by LuxSci as meeting its HIPAA Security
Requirements, you can use a LuxSci HIPAA Compliance Seal on your
web site or in your HTML Email Signatures, Taglines, or Disclaimers.
[Example HIPAA Compliance Seal image; it links to a sample certification page.]
ePHI Safeguarded
As required by the HITECH
amendment to HIPAA, LuxSci follows the HIPAA Security and Privacy Rules
with respect to all ePHI in your HIPAA-enabled accounts with LuxSci. This
means that LuxSci actively ensures that the privacy of all electronic
health information is safeguarded while it is stored on our servers,
passing through our servers, or on our backups. It also means that LuxSci
follows all of the other Security Rule requirements such as:
- Physical safeguards and data access control
- Staff training and administrative policies
- Facility access control and security
- Contingency plans, backups plans, and disaster recovery
- Workstation security and usage lockdown
In other words, LuxSci staff themselves follow the same HIPAA Security and
Privacy requirements that our customers face when dealing with their
ePHI.
Message Archival
LuxSci can offer you an archival solution that is comprehensive, cost-effective, and compliant with most current federal regulations. It includes:
- Permanent single-instance storage on Write-Once Read-Many (WORM) media
- Redundant storage in 2 different locations.
- Powerful full-content search with immediate results
- Message export and import
- Unlimited storage capacity included
- Retention of email for 1, 3, 5, or 7 years.
(for a much simpler archival solution, see our basic email archival
offering).
HIPAA Business Associate Agreement
LuxSci provides a Business Associate Agreement
compatible with the HITECH amendments to HIPAA. This defines LuxSci's
role in maintaining the privacy of Protected Health Information (PHI) for
you as you seek to be HIPAA-compliant. HIPAA requires an agreement of this
kind with any vendor that handles PHI on your behalf.
Message Transmission Security & Encryption
In addition to enforced use of SSL and TLS for all connections to our
servers, all users must always send and receive email securely using our
SecureLine end-to-end encryption service. All outbound messages sent via
either SMTP or WebMail are automatically encrypted. HIPAA compliant
accounts are therefore configured so that S/MIME certificates are
auto-generated for users, though existing certificates can also be
imported. Additionally, SecureLine allows your users to send secured
messages to anyone with a valid email address. Those recipients can easily
reply securely or use our SecureSend portal to register for free and
initiate secure messages to your SecureLine users.
To provide a user-friendly environment, certain exceptions are possible,
such as the use of TLS transmission for certain recipients instead of
end-to-end encryption. Note that TLS protects a message only while it is
in transit between servers; it arrives and is stored in the clear on the
recipient's side, so this exception should be limited to recipients whose
mail systems you trust. See Restrictions to HIPAA Accounts at LuxSci.
Message Integrity Controls
Enforced connection encryption (SSL and TLS) protects messages from
modification on each hop between a mail client or server and LuxSci, and
SecureLine's end-to-end encryption keeps the content unreadable to any
intermediary along the way. For proof that a message arrived unchanged and
came from the stated sender, SecureLine also permits digital signatures on
encrypted messages: a recipient who verifies the signature detects any
alteration of the signed content and confirms the sender's identity.
Unique User Identification & Authentication
LuxSci requires user names and passwords for access to all services, so
the system can identify every user accessing it and control access based
on that identity. HIPAA compliant accounts must use the strongest
password-complexity setting: a minimum of 8 characters mixing letters and
numbers, and the password must withstand a check against a standard
"crack" dictionary. Automatic auditing of password changes and password
resets is performed and required for HIPAA accounts.
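The following is an added example, not LuxSci's own checker, of a password-policy check in the spirit of the requirement above: a minimum of 8 characters, both letters and digits present, and rejection when a crack-style dictionary check recovers a word after undoing common mangling (trailing digits, leet substitutions). The word list and the mangling rules are constructed for illustration; a real deployment would use a full wordlist and rule set.

```bash
#!/usr/bin/env bash
# Added example: password policy check with a crack-style dictionary test.
# Not LuxSci code; the dictionary and mangling rules below are illustrative.

# Constructed mini-dictionary (a real checker uses a full wordlist).
DICTIONARY="password welcome letmein hospital patient medical clinic qwerty admin"

# Crack-style normalisation: lowercase, drop trailing digits/punctuation,
# undo common leet substitutions, then drop any remaining non-letters at
# the ends. "P@ssw0rd123" becomes "password", "H0spital!2024" becomes "hospital".
normalize_candidate() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' \
        | sed -e 's/[^a-z]*$//' \
              -e 's/@/a/g' -e 's/\$/s/g' -e 's/0/o/g' -e 's/1/l/g' \
              -e 's/3/e/g' -e 's/5/s/g' \
              -e 's/^[^a-z]*//' -e 's/[^a-z]*$//'
}

# Returns 0 if the normalised candidate is a dictionary word.
in_dictionary() {
    local word d
    word=$(normalize_candidate "$1")
    for d in $DICTIONARY; do
        [ "$word" = "$d" ] && return 0
    done
    return 1
}

# check_password PASSWORD: prints the verdict, returns non-zero on rejection.
check_password() {
    local pw=$1
    if [ ${#pw} -lt 8 ]; then
        echo "rejected: shorter than 8 characters"; return 1
    fi
    case $pw in
        *[A-Za-z]*) ;;
        *) echo "rejected: contains no letters"; return 1 ;;
    esac
    case $pw in
        *[0-9]*) ;;
        *) echo "rejected: contains no digits"; return 1 ;;
    esac
    if in_dictionary "$pw"; then
        echo "rejected: dictionary word with trivial mangling"; return 1
    fi
    echo "accepted"
    return 0
}

# Sample run over constructed candidates.
for candidate in 'Tq7#vLm2pX' 'P@ssw0rd123' 'H0spital!2024' 'short1' 'abcdefgh' '12345678'; do
    printf '%-14s ' "$candidate"; check_password "$candidate"
done
```

Length and character-class checks alone would pass "P@ssw0rd123"; the normalisation step is what makes the dictionary test meaningful.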
Emergency Access to Email
LuxSci provides a facility for securely capturing/archiving copies of
all inbound and/or outbound messages for backup and auditing purposes. This
enables administrators to have secure access to copies of all message
content for emergency or other reasons.
LuxSci also provides optional features, such as Message Continuity and
FailSafe, that can be used to ensure access to email messages even in the
case of a LuxSci server or data center failure.
Automatic System Logoff
HIPAA compliant accounts have a 20-minute maximum idle period for web-based
interfaces (i.e. WebMail). The system automatically logs users off after
20 minutes of inactivity. Other services such as POP, IMAP, SMTP and
Secure FTP also have automatic idle timeouts.
Access Audit Controls
LuxSci provides comprehensive security auditing for all accounts. Included
in the security audits are password changes, resets, and lookups by LuxSci
staff; user access to services such as WebMail, Email Sending (SMTP), POP,
IMAP and more; and changes to any of the specific "Maximal Security"
settings or to the "Maximal Security" lockdown status. These reports let
you verify user, administrator, and LuxSci Support staff activity on
access-related and security-specific changes to the account.
Data Backups & Disposal
LuxSci automatically makes backup copies of all data on our servers,
including all customer ePHI. Daily backup copies are kept on-site for 2
days and weekly backup copies are kept off-site for 4 weeks. All data is
transmitted securely to the backup servers and stored there in a
HIPAA-compliant way. After 4 weeks, all backup copies are destroyed.
Accounts can ask for data to be restored from backup for free once a
month. LuxSci's Premium Email Archival provides permanent, immutable email
storage on servers in multiple geographic locations, updated in real time,
with weekly backups made to optical media. See our complete backup and
restore statement.
Secure Web Site Forms
HIPAA accounts that sign up for LuxSci SecureForm to transmit data from a
web or PDF form will be required to configure the forms to use PGP or
S/MIME email encryption and to post the form data over SSL. This ensures
that submitted information is encrypted and transmitted to your email in a
secure and compliant way. See: SecureForm.
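The following is an added example, not LuxSci's or SecureForm's own code, that demonstrates with the OpenSSL command line the two S/MIME mechanisms described on this page: the Message Integrity Controls section's digital signature, which lets a recipient detect any change to a message in transit, and the Secure Web Site Forms requirement that form data be encrypted to the recipient before it is emailed. It assumes only that the `openssl` binary is installed. The self-signed certificates stand in for the S/MIME certificates a provider auto-generates for users, and the message and form submission are constructed sample data containing no real PHI.

```bash
#!/usr/bin/env bash
# Added example, not LuxSci code. (1) Clear-sign a message, then tamper with
# the signed body and show that verification fails. (2) Encrypt a constructed
# form submission to the clinic's certificate and decrypt it with its key.
# Assumes the `openssl` CLI (1.1 or 3.x). Everything else is constructed here.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed self-signed certificate standing in for a provider-issued
# S/MIME certificate. $1 is a label such as "sender" or "clinic".
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# --- integrity: detached (clear) signature, multipart/signed output --------
sign_message() {   # $1 = plaintext file, $2 = output MIME file
    openssl smime -sign -in "$1" -out "$2" \
        -signer "$WORK/sender.crt" -inkey "$WORK/sender.key" 2>/dev/null
}

# Returns 0 only if the signature matches the body exactly as received.
# -CAfile trusts our self-signed sender certificate so the chain check passes.
verify_message() {   # $1 = signed MIME file
    openssl smime -verify -in "$1" -CAfile "$WORK/sender.crt" \
        -out /dev/null >/dev/null 2>&1
}

# --- confidentiality: encrypt form data to the clinic's certificate --------
encrypt_form() {   # $1 = form data file, $2 = output file (PKCS#7 enveloped)
    openssl smime -encrypt -aes256 -binary -in "$1" -out "$2" \
        "$WORK/clinic.crt" 2>/dev/null
}

decrypt_form() {   # $1 = encrypted MIME file; prints the plaintext
    openssl smime -decrypt -in "$1" \
        -recip "$WORK/clinic.crt" -inkey "$WORK/clinic.key" 2>/dev/null
}

# Constructed sample web-form submission (no real PHI).
write_form() {   # $1 = output file
    printf 'name=J. Doe\nreason=follow-up visit\nphone=555-0100\n' > "$1"
}

demo() {
    make_cert sender
    make_cert clinic

    printf 'Patient: J. Doe\nDosage: 10 mg daily\n' > "$WORK/msg.txt"
    sign_message "$WORK/msg.txt" "$WORK/msg.signed"
    verify_message "$WORK/msg.signed" && echo "original message: signature OK"

    # Simulate tampering in transit: change the dosage inside the signed body.
    sed 's/10 mg/100 mg/' "$WORK/msg.signed" > "$WORK/msg.tampered"
    if verify_message "$WORK/msg.tampered"; then
        echo "tampered message: signature OK (should not happen)"
    else
        echo "tampered message: verification FAILED, modification detected"
    fi

    write_form "$WORK/form.txt"
    encrypt_form "$WORK/form.txt" "$WORK/form.p7m"
    # The enveloped submission carries no readable field values.
    if grep -q 'J. Doe' "$WORK/form.p7m"; then
        echo "encrypted form: field values visible (should not happen)"
    else
        echo "encrypted form: field values not readable"
    fi
    echo "decrypted form:"
    decrypt_form "$WORK/form.p7m"
}

demo
```

Run it with bash. In a real deployment the signing key and encryption certificate are the user's issued S/MIME credentials rather than throwaway self-signed ones, and the encrypted form travels by email; the verification step is the same, and it is what turns "the message was encrypted" into "the message is what the sender wrote".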
Maximal Security Setting
The LuxSci Maximal Security setting covers individual account settings
including the 20-minute WebMail idle timeout, forcing appropriate
outbound encryption, setting password strength requirements,
auto-generating S/MIME certificates for users, and forcing secure logins.
LuxSci Support performs a manual review of any account to be designated
HIPAA compliant and ensures that the Maximal Security setting is locked
down so that these security settings cannot be altered.
"Lux Scientiae is an exceptional resource, their support and service offerings are first rate, robust and reliable. Having suffered through a number of flaky e-mail/web hosting companies over the years, some very large names, Lux Scientiae is a breath of fresh air. I was pleased to find a hosting company that 'gets it' and provides services that are crucial to my business, but not common in the marketplace - primarily a well run secure POP/IMAP/SMTP service and excellent configurable spam-filtering tools that allow me to view and adjust my quarantine. The support for SPF DNS records is much appreciated as well. I recommend them to my friends and clients without hesitation. My sincere thanks and compliments!" Steve Olshansky, Principal, LuminaGroup