HIPAA Compliance requires that the transfer of any sensitive or confidential patient health information (ePHI) over the Internet is done securely. Our SecureLine email encryption system is designed to do just that. SecureLine seamlessly integrates the following modes of secure email communication to ensure that you can securely communicate with anyone, no matter what kind of email system they are using.

  • SMTP TLS - SMTP TLS encrypts the connection between mail servers, so messages are protected while in transit even though the messages themselves are not internally encrypted. TLS provides secure email delivery to recipients whose email servers support TLS.
  • SecureLine Escrow - SecureLine Escrow requires that a recipient actively verify his or her identity before he or she can access a message at a secure web portal. Escrow provides secure email delivery, authentication, and auditing to anyone with an email address.
  • SecureLine PKI - SecureLine PKI uses certificates (PGP & S/MIME) to encrypt the message itself before it is sent to the recipients. The recipients must also be using PKI for this method to be useful.

Required Legal Forms

LuxSci requires a signed Business Associate Agreement (BAA) and a signed Account Restrictions Agreement (ARA) in order to certify your account as HIPAA-compliant.

SecureLine Meets Your Compliance Needs

When you sign up for our HIPAA-compliant email, SecureLine will ensure that all email messages sent via SMTP or through our WebMail interface are sent securely to any recipient, while remaining flexible enough to allow exceptions where appropriate for usability. The table below shows how SecureLine can be adjusted to fit the scope of your compliance.

Who sends ePHI? | Is non-ePHI sending required? | Solution
Everyone        | Never                         | Full account-wide lockdown. All users are required to send securely. Insecure sending is entirely prohibited.
Everyone        | Occasionally for some users   | Account-wide lockdown with opt-out enabled. All users are required to send securely, but certain users are permitted to opt out on an individual-message basis. All opt-outs are logged.
Everyone        | Occasionally for all users    | All users have logins to two separate domains: one for secure sending (typically a subdomain) and one for non-ePHI sending. The secure domain is completely locked down to prohibit non-ePHI sending.
Some users      | Never                         | The majority of users have logins in a non-HIPAA domain, while the few who send ePHI have logins in a separate HIPAA-secure domain (typically a subdomain). The secure domain is locked down to prohibit non-ePHI sending.
Some users      | Occasionally                  | The majority of users have logins in a non-HIPAA domain, while the few who send ePHI have logins in a separate HIPAA-secure domain (typically a subdomain). The secure domain is set to allow opt-outs. All opt-outs are logged.
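The three delivery modes listed above and the lockdown matrix in this table combine into a per-message decision: pick the strongest mode the recipient can accept, fall back to Escrow when the account is locked down, and log any permitted opt-out. The following is an added illustration, not LuxSci's code; the policy names, field names and the EHLO replies it parses are constructed for the example.

```python
# Added example (not LuxSci's code): a model of how an outbound policy engine
# can pick a SecureLine-style delivery mode and enforce the lockdown matrix.
# Policy mode names, field names and the sample EHLO replies are assumptions.
from dataclasses import dataclass, field

@dataclass
class Recipient:
    address: str
    has_pki_key: bool   # PGP key or S/MIME certificate on file (PKI mode)
    ehlo_reply: str     # EHLO reply captured from the recipient's mail server

@dataclass
class Policy:
    # "locked":        secure sending required, no opt-out (full lockdown)
    # "locked_optout": secure sending required, per-message opt-out allowed
    # "open":          non-ePHI domain, nothing enforced
    mode: str
    audit_log: list = field(default_factory=list)

def mx_offers_starttls(ehlo_reply: str) -> bool:
    """True if a multi-line EHLO reply advertises the STARTTLS extension."""
    for line in ehlo_reply.splitlines():
        # extension lines look like '250-KEYWORD'; the final one '250 KEYWORD'
        if line[:3] == "250" and line[3:4] in ("-", " "):
            words = line[4:].split()
            if words and words[0].upper() == "STARTTLS":  # RFC 3207 keyword
                return True
    return False

def choose_delivery(policy, recipient, opt_out_requested=False):
    """Return 'pki', 'tls', 'escrow', 'plain' or 'rejected' for one message."""
    if opt_out_requested and policy.mode != "open":
        if policy.mode == "locked":
            return "rejected"          # insecure sending entirely prohibited
        # opt-out permitted: bypass SecureLine for this message, but log it
        policy.audit_log.append(f"opt-out to {recipient.address}")
        return "plain"
    if recipient.has_pki_key:
        return "pki"                   # message itself encrypted to the key
    if mx_offers_starttls(recipient.ehlo_reply):
        return "tls"                   # protected server-to-server in transit
    if policy.mode == "open":
        return "plain"                 # non-ePHI domain: no enforcement
    return "escrow"                    # portal pickup works for any address

# Constructed EHLO replies used to exercise the functions above
EHLO_TLS = "250-mx.example.net Hello\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
EHLO_NO_TLS = "250-mx.example.org Hello\r\n250 8BITMIME\r\n"
```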

Final Review

Your security settings are locked down as soon as your account is created. Once we have your signed BAA and ARA, LuxSci gives your account a final review to make sure everything is in order. At this point your account is considered HIPAA-compliant.

Users are locked down to certain security settings based on whether they will be sending ePHI or not:

Feature                                                     | Sending non-ePHI  | Sending ePHI
Global enforcement of outbound email encryption via WebMail |                   |
Global enforcement of outbound email encryption via SMTP    |                   |
Opt-out of secure sending                                   |                   |
Forced secure logins for all services                       |                   |
Email forwarding only over TLS                              |                   |
Insecure forwards and aliases allowed                       |                   |
WebAide encryption allowed                                  |                   |
Auditing of Blog, Document, and Password WebAides           |                   |
Password strength requirement                               | Strength may vary | 8+ alphanumeric and hard to guess
WebMail session timeout after inactivity                    | Length may vary   | Up to 3 hours

Beyond email sending, LuxSci ensures compliance of your email and other data (e.g. WebAides, Widgets, etc.) per the terms of our Business Associate Agreement with you.
