LuxSci's HIPAA-compliant email was specifically designed to satisfy all
HIPAA rules and security requirements. With the implementation and
utilization of the following features, and after review and lock down by
LuxSci Support, we will confirm your account as being HIPAA compliant in
terms of our HIPAA Business Associate Agreement.
HIPAA Account Feature
Signed HIPAA Business Associate Agreement
LuxSci provides a Business Associate Agreement
compatible with the HITECH amendments of HIPAA. This defines LuxSci's
role in maintaining the Privacy of Protected Health Information (PHI) for
you as you seek to be HIPAA-compliant. A document like this is
required by HIPAA of any vendor that you use.
HIPAA Compliance Seal / Trust Mark
Once your account is certified by LuxSci as meeting its HIPAA Security Requirements, you
can use a LuxSci HIPAA Compliance Seal on your web site or in your HTML
Email Signatures, Taglines, or Disclaimers.
A sample HIPAA Seal looks like this (click on it to see an example
Accounts with Mixed HIPAA and non-HIPAA Domains
HIPAA accounts can be either globally secure, so all users are compliant and encryption
and security are fully enforced for all messages, or they can be secured on a per-domain
basis. In the per-domain case, only users in specified "HIPAA Domains" are required to
send all email securely; users in other domains can send insecure email messages but cannot
deal with ePHI at all. All users in these accounts share certain basic security considerations
such as strong passwords, required use of SSL and TLS for server access, etc.
Use of per-domain HIPAA allows organizations to easily manage their
compliant and non-compliant domains in a single account and also permits
limited collaboration and sharing between non-HIPAA and HIPAA user
Customers can select account-wide or per-domain HIPAA accounts during
the ordering process.
As required by the HITECH
amendment to HIPAA, LuxSci follows the HIPAA Security and Privacy Rules
with respect to all ePHI in your HIPAA-enabled accounts. This
means that LuxSci actively ensures that the privacy of all electronic
health information is safeguarded while it is stored on our servers,
passing through our servers, or on our backups. It also means that LuxSci
staff comply with all HIPAA Security and Privacy requirements:
- Physical safeguards and data access control for ePHI
- Staff training and administrative policies
- Facility access control and security for ePHI
- Contingency plans, backups plans, and disaster recovery for ePHI
- Workstation security and usage lock down with respect to ePHI
That is, LuxSci staff themselves follow all of the same HIPAA Security and
Privacy requirements that our customers face when dealing with ePHI.
Secure Mobile Email, Calendar, Contact, Task, and Notes Access
Mobile Sync is an optional
service that enables you to synchronize email, calendars, contacts, tasks,
and notes on your mobile devices automatically and in real time. Mobile
Sync is HIPAA-compliant and provides "Remote Wipe", so you can delete ePHI
from your mobile device should it become lost or stolen -- preventing
possible HIPAA breaches.
Even without Mobile Sync, LuxSci's IMAP, POP, and SMTP services can be
used to securely send and receive email on most mobile devices.
LuxSci can offer you an archival solution that is comprehensive, cost-effective, and compliant with most current federal regulations including:
- Permanent single-instance storage on Write-Once Read-Many (WORM) media
- Redundant storage in 2 different locations
- Powerful full-content search with immediate results
- Message export and import
- Unlimited storage capacity included
- Retention of email for 30 days to 10 years
Data Transmission Security & Encryption
In addition to enforced use of SSL and TLS for all connections to our
servers, all users automatically send and receive email securely using our
SecureLine end-to-end encryption service. All outbound messages sent via
SMTP, WebMail, or Premium Mobile
Sync will be automatically encrypted. Additionally, SecureLine allows
your users to send secured messages to anyone with any valid email
address, even if they do not have TLS or S/MIME or PGP support. Those
recipients can easily reply back securely or use our SecureSend portal to
register for free and initiate secure messages to your SecureLine
To provide a user-friendly environment, certain work-arounds are
possible, such as the use of TLS transmission for certain recipients
instead of end-to-end encryption. See Restrictions to HIPAA Accounts at
Message Integrity Controls
LuxSci's SecureLine and enforced connection encryption (SSL & TLS)
ensure that messages cannot be modified while in transit. Message
integrity is assured. Additionally, LuxSci's SecureLine permits the
addition of digital signatures to encrypted messages to further ensure the
message integrity and prove the identity of the sender.
Unique User Identification & Authentication
LuxSci requires that user names and passwords be entered for access to
any of its services. The system recognizes users based on their login
information, and controls access based on their identity. HIPAA-compliant
accounts are required to utilize a high level of password complexity: 8
characters consisting of letters and numbers or symbols. The password must
have "high entropy" and not be easily guessable. Automatic auditing of
password changes and password resets is required and performed for HIPAA
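The password rules in the passage above (8 characters, letters combined with numbers or symbols, "high entropy" and not easily guessable) can be turned into a checker that runs at password-set time. The following is an added example, not LuxSci's code; the 36-bit entropy floor and the short common-password list are assumptions chosen for the illustration, and the entropy figure is a per-character pool estimate rather than a true measure of guessability.

```python
import math
import string

# Values stated on the page: 8 characters, letters plus numbers or symbols,
# and "high entropy" / not easily guessable. The 36-bit entropy floor and the
# common-password list below are assumptions made for this example.
MIN_LENGTH = 8
MIN_ENTROPY_BITS = 36.0
COMMON_PASSWORDS = {"password", "password1", "letmein", "qwerty123", "welcome1"}


def estimate_entropy_bits(password: str) -> float:
    """Rough entropy estimate: len * log2(pool), where the pool is the union of
    the character classes actually present. This is an upper bound, so it is
    used as a reject-if-below floor, not as proof of strength."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 printable ASCII symbols
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str) -> list:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    has_letter = any(c.isalpha() for c in password)
    has_digit_or_symbol = any(c.isdigit() or c in string.punctuation for c in password)
    if not (has_letter and has_digit_or_symbol):
        problems.append("must combine letters with numbers or symbols")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
        problems.append("estimated entropy below %.0f bits" % MIN_ENTROPY_BITS)
    return problems


if __name__ == "__main__":
    # Constructed sample candidates: one on the common list, one letters-only,
    # one digits-only, one that satisfies every rule.
    for candidate in ["password1", "abcdefgh", "12345678", "Tr4in-Stat1on!"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

The checker reports every violated rule rather than stopping at the first, which is what a user-facing password form needs; in a real deployment the common-password list would be a large breached-password corpus rather than five entries.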
Emergency Access to Email
LuxSci provides a facility for securely archiving copies of all
inbound and/or outbound messages for backup and auditing purposes.
Administrators thus have secure access to copies of all message content
for emergency or other reasons. LuxSci also provides other optional
features such as Message Continuity that is used to ensure access to email
messages in the event of LuxSci server or data center failure.
Automatic System Logoff
HIPAA-compliant accounts have a 20-minute default idle period for
web-based interfaces (WebMail). The system automatically logs users off
after 20 minutes of inactivity; account administrators can increase this to 3 hours.
account administrators. Other services such as POP, IMAP, SMTP, Mobile Sync, and Secure FTP also have
automatic idle timeouts.
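The idle-logoff behaviour described above (20-minute default, administrator may raise it, but only up to 3 hours) is the kind of control a session layer should enforce rather than leave to the client. The following is an added example, not LuxSci's implementation: it models a WebMail session with a validated idle limit, logs the session off once it is exceeded, refuses to revive a logged-off session on later activity, and records the event for the audit trail. The audit record format is an assumption.

```python
import time
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_IDLE_MINUTES = 20        # page: default WebMail idle period
MAX_IDLE_MINUTES = 3 * 60        # page: administrators may raise it to 3 hours


class PolicyError(ValueError):
    """Raised when an administrator requests a timeout outside the allowed range."""


def validate_idle_minutes(requested: int) -> int:
    """Reject rather than clamp: a value outside 1..MAX_IDLE_MINUTES is a
    misconfiguration, and silently clamping would hide it from the admin."""
    if not isinstance(requested, int) or not 1 <= requested <= MAX_IDLE_MINUTES:
        raise PolicyError("idle timeout must be 1-%d minutes, got %r"
                          % (MAX_IDLE_MINUTES, requested))
    return requested


@dataclass
class Session:
    user: str
    idle_minutes: int = DEFAULT_IDLE_MINUTES
    last_activity: float = field(default_factory=time.time)
    active: bool = True
    audit: list = field(default_factory=list)   # constructed audit events, newest last

    def check(self, now: Optional[float] = None) -> bool:
        """Return True if the session is still valid. On first detection of an
        expired idle period, mark the session logged off and write one audit event."""
        now = time.time() if now is None else now
        if not self.active:
            return False
        idle = now - self.last_activity
        if idle > self.idle_minutes * 60:
            self.active = False
            self.audit.append({"user": self.user, "event": "auto_logoff",
                               "idle_seconds": int(idle)})
            return False
        return True

    def touch(self, now: Optional[float] = None) -> bool:
        """Record user activity. Activity arriving after the session expired
        must not revive it, so the expiry check runs first."""
        now = time.time() if now is None else now
        if not self.check(now):
            return False
        self.last_activity = now
        return True


if __name__ == "__main__":
    s = Session("alice", last_activity=0.0)
    print("still valid at 19 min:", s.check(now=19 * 60))
    print("still valid at 21 min:", s.check(now=21 * 60), "events:", s.audit)
```

Passing `now` explicitly keeps the logic testable; production code would call `check()` on every request and `touch()` only after the request is authenticated, so that unauthenticated polling cannot keep a session alive.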
Access Audit Controls
LuxSci provides comprehensive security auditing for all accounts. Included
in the security audits are password changes, resets, and lookups by LuxSci
staff; user access to services such as WebMail, Email Sending (SMTP), POP,
IMAP, Mobile Sync, and more; changes to any of the specific "Maximal
Security" settings, as well as changes to the "Maximal Security" lock down
status. These reports enable verification of user, administrator, and
LuxSci Support staff activity on access and security specific changes to
Data Backups & Data Disposal
LuxSci automatically makes backup copies of all data on our servers,
including all customer ePHI. Daily backup copies are kept on-site for 2
days and weekly backup copies are kept off-site for 4 weeks. All data is
transmitted securely to the backup servers and stored there in a
HIPAA-compliant way. After 4 weeks, all backup copies are
destroyed. Accounts can ask for data to be restored from backup for
free once per month. LuxSci's Email Archival
provides permanent, immutable email storage on servers in multiple
geographic locations, updated in real-time, with weekly backups made to
optical media. See our complete backup
and restore statement for additional information.
Maximal Security Enforcement
The LuxSci "Maximal Security" setting provides individual accounts with
the highest level of email security. Security includes implementing the
20-minute WebMail timeout maximum, forcing appropriate outbound encryption,
setting password strength requirements, and forcing secure logins. LuxSci
support manually reviews any account needing to be HIPAA compliant and
ensures that the Maximal Security setting is locked down so these security
settings cannot be altered.
Optional Encryption Opt Out on a Per-Message Basis
Though disabled by default, administrators can choose to allow users the option
to opt out of SecureLine encryption for a particular message. However, the user must explicitly
agree that the message they are sending does not contain any ePHI. All messages sent
without SecureLine encryption are logged for auditing purposes, and copies of them can be
sent to an auditor email address for review.
Opt Out is available both in WebMail and for messages sent via email programs using our
SecureLine Outlook Plugin, or by adding opt-out content to the email subject line.
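The opt-out rules above have a clear decision order: encryption is the default, an unencrypted send is allowed only when the administrator has enabled opt-out and the user has explicitly attested that the message contains no ePHI, and every unencrypted send is logged and optionally copied to an auditor address. The following is an added example of that gate, not LuxSci's code; the `[NO-ENCRYPT]` subject token is a hypothetical marker, since the page does not give the actual opt-out subject content, and the audit record layout is likewise an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical subject-line marker: the page says opt-out content can be added
# to the subject but does not give the exact text, so this token is an assumption.
OPT_OUT_TOKEN = "[NO-ENCRYPT]"


@dataclass
class AccountPolicy:
    allow_opt_out: bool = False            # page: disabled by default
    auditor_address: Optional[str] = None  # optional reviewer copy for unencrypted sends


@dataclass
class OutboundMessage:
    sender: str
    recipients: List[str]
    subject: str
    opt_out_requested: bool = False     # set by a WebMail / plugin control
    attested_no_ephi: bool = False      # user's explicit "contains no ePHI" confirmation


@dataclass
class Disposition:
    encrypt: bool
    subject: str
    extra_recipients: List[str]
    reason: str


def route_outbound(msg: OutboundMessage, policy: AccountPolicy, audit_log: list) -> Disposition:
    """Decide whether a message leaves encrypted. Encryption is the default and
    is skipped only when the account allows opt-out AND the user attested that
    the message carries no ePHI. Denied opt-outs and unencrypted sends are logged."""
    subject = msg.subject
    requested = msg.opt_out_requested
    if subject.startswith(OPT_OUT_TOKEN):
        requested = True
        subject = subject[len(OPT_OUT_TOKEN):].lstrip()   # strip marker before delivery

    if not requested:
        return Disposition(True, subject, [], "default: encrypted")
    if not policy.allow_opt_out:
        audit_log.append({"sender": msg.sender, "event": "opt_out_denied",
                          "reason": "opt-out disabled for account"})
        return Disposition(True, subject, [], "opt-out denied: not enabled")
    if not msg.attested_no_ephi:
        audit_log.append({"sender": msg.sender, "event": "opt_out_denied",
                          "reason": "no ePHI attestation"})
        return Disposition(True, subject, [], "opt-out denied: no attestation")

    extra = [policy.auditor_address] if policy.auditor_address else []
    audit_log.append({"sender": msg.sender, "event": "sent_unencrypted",
                      "recipients": list(msg.recipients), "subject": subject,
                      "copied_to_auditor": bool(extra)})
    return Disposition(False, subject, extra, "opt-out honored")


if __name__ == "__main__":
    # Constructed sample: opt-out enabled with an auditor copy, user attested no ePHI.
    log = []
    policy = AccountPolicy(allow_opt_out=True, auditor_address="auditor@example.com")
    msg = OutboundMessage("dr@example.com", ["vendor@example.com"],
                          "[NO-ENCRYPT] Lunch order", attested_no_ephi=True)
    print(route_outbound(msg, policy, log))
    print(log)
```

Note that a denied opt-out still produces an audit record: a user repeatedly trying to bypass encryption is itself something a compliance reviewer wants to see, even though the message went out encrypted.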
Optional VPN Access for Enhanced Security
LuxSci can provide a Virtual Private Network (VPN) connection to further
secure access to our email, web, and database servers.