eBook: HIPAA-compliant Website Basics

Published: February 27th, 2017

What healthcare organizations need to know about HIPAA-compliant web sites

Book 2 in the LuxSci Internet Security Series.

Created by Erik Kangas, PhD

This LuxSci eBook is a well-researched guide to the specific issues and concepts of HIPAA as it applies to web sites, so that you stay compliant with these government standards. It provides a framework for your health care organization to keep the privacy of patient information front and center while still maintaining an engaging web presence. Providers will come away with the tools they need to meet the requirements HIPAA establishes for access to, storage of, and transmission of protected health information (PHI) through web sites.

This eBook includes sections on:

  1. Introduction
  2. What are HIPAA-compliant web sites?
  3. HIPAA-compliance for WordPress
  4. What is HIPAA-compliant web site hosting?
  5. Components of a solid web site hosting infrastructure
  6. Finding a HIPAA-compliant provider
  7. What are HIPAA-compliant web forms?
  8. Informing developers of HIPAA requirements
  9. Conclusion

Download the eBook

What is HIPAA-compliant Email Marketing?

Published: February 27th, 2017

To achieve HIPAA-compliant email marketing, you need to satisfy two objectives. First, you need to understand the fundamentals of email marketing. Second, you need to execute your email marketing activities within HIPAA's requirements and restrictions.

HIPAA-compliant email marketing

It’s easy to make a mistake with HIPAA-compliant email marketing, especially when you’re in a rush.

Picture this:

You leave your clinic early on a Thursday afternoon to head off on a vacation. Before you go, you ask your office manager to send off an email blast. You were just certified on a new procedure and you know at least 200 patients in your files would likely benefit from it. A simple message inviting them to the office for a consultation next week is the perfect next step. Your office manager takes some quick notes and promises to send off the note tomorrow. And off you go for a weekend of golf at Pebble Beach.

On your way home, you check your email. You see an angry email from a patient and start reading. It turns out that you’ve violated some arcane HIPAA rules… Even worse, that patient’s sister is an attorney who has promised to call you tomorrow. You’re pretty sure you’ve done nothing wrong but you’re nervous on the flight home.

This situation could have been prevented if your office manager had asked you one simple question:

Read the rest of this post »

Is a “Click Here to Agree” checkbox really legally binding?

Published: February 24th, 2017

Your web site order form or registration form comes complete with terms and conditions.  What is the best way to have the user see and agree with these terms?  Ultimately, you want the user’s agreement to be legally binding so that if there should ever be an issue, you are protected.  Is it good enough to have the user check an agreement checkbox?  Do you have to do more?  Do you have to be sure that the user actually reads the terms?

These questions come up all of the time and rightly are a cause for concern.  Just because other web sites do it "one way" does not necessarily make that way right for you or best for you.  In this article, we will tackle how the different choices you make in getting user agreement translate (or don't translate) into binding contractual relationships.*

Read the rest of this post »

Is sharing my patient list with a marketing company OK under HIPAA?

Published: February 11th, 2017

We received this question via Ask Erik from the head of a dental practice (who wished to remain anonymous):

“I want to create a Refer-a-Friend program, for a dental practice, that will be managed by a third party marketing agency.  The third party needs only my patient names and address to do an on-going e-mail campaign, no PHI will be given to the third party — just name and e-mail address.

Because I am 'Marketing' to my own list, and I am NOT marketing any third party products, and I am not receiving any third party payment for anything:

* Am I in any HIPAA danger? (No PHI is ever exchanged, and I am NOT marketing anyone else’s product.)

* Because my PHI is de-identified from the associated names and e-mail addresses, is it OK for me to hand over my patient mail list to my marketing agency (being very careful of course to include NO PHI)?

* Does HIPAA specifically prevent me from marketing my own products to my patient list? I know that marketing other people’s products to my list will require prior consent. But, marketing my own Refer-a-Friend program… how is that a violation?

NOTE: PHI is defined as: “(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”

So, is a mail list of my patients’ names and e-mail addresses considered to be PHI (if it contains no associated PHI as defined above)? The definition above would say NO. The definition above states that it is ONLY the health information about a patient — NOT the patient’s name and e-mail addresses themselves.

Also, on the mail list for the Refer-a-Friend marketing program, there will be names other than patients, probably about 5% are not patients. Does this influence the PHI/non-PHI question?

This is a very important distinction. Having clarity on this question could free up a lot of us to proceed with e-mail marketing.

If a mailing list, for a dentist, that contains 95% patients and 5% non-patients, and NO health information (just names and addresses)… is it considered PHI?”

Read the rest of this post »

Am I at HIPAA-risk if a patient replies to my secure email message?

Published: January 31st, 2017

Here is a question from “Ask Erik:”

Dear Dr. Kangas,  When I write an email to a patient from my LuxSci account, it is encrypted and therefore HIPAA compliant.  When they write me back from their regular email address (it's often hard to get them to sign up at LuxSci), they are putting [PHI / Medical Information] out without security, but that is not my HIPAA violation as I understand it because patients are not required to keep their PHI secure.  Yet often a patient replying to my email simply hits 'reply' and my email is attached to their reply, putting my original email in an insecure form on the Internet.  Does that therefore become a HIPAA violation of mine, especially if I continue to allow this without telling the patient to stop doing this?

Read the rest of this post »

Planned Upgrades from PHP 5.5 to PHP 5.6

Published: January 24th, 2017

LuxSci will be upgrading servers that are currently running PHP v5.5 to PHP v5.6 on or after February 15th, 2017.  PHP v5.5 no longer receives updates from the PHP project (its security support ended in July 2016) and thus is not viable for continued use.  PHP v5.6 will continue to receive security fixes until the end of 2018.

For those of you on servers that are running PHP v5.5, please review the following upgrade guide, as there are some changes in PHP v5.6 that are incompatible with how PHP v5.5 works (this is why we do not just auto-upgrade everyone without notice):

PHP 5.5 to 5.6 Upgrade Guide

Some of the backwards incompatible changes involve:

  • json_decode() and boolean/null values: non-lowercase JSON literals (TRUE, False, NULL) are now rejected, as the JSON specification requires
  • SSL/TLS certificate verification: encrypted streams (https://, ssl://, tls://) now verify the peer certificate and host name by default, so connections to servers with self-signed or mismatched certificates will start failing unless a CA bundle is configured
  • mcrypt changes: the mcrypt functions no longer accept keys or IVs of an invalid length (previously they were silently zero-padded)

Please contact LuxSci support if you have any questions.
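The following PHP script is an added example, not part of LuxSci's announcement or upgrade guide, that exercises the three changes above and shows the fix a developer should apply in each case rather than the shortcut that restores the old behaviour. The CA bundle path, the example URL, and the passphrase are assumptions for illustration.

```php
<?php
// Added example: PHP 5.5 -> 5.6 behaviour changes and their correct fixes.

// 1. json_decode(): 5.6 rejects TRUE / False / NULL in anything but
//    lowercase. 5.5 quietly accepted a bare literal in mixed case.
function decode_strict($json)
{
    $value = json_decode($json, true);
    if ($value === null && json_last_error() !== JSON_ERROR_NONE) {
        // Treat it as bad input instead of silently carrying on with null.
        throw new InvalidArgumentException('Invalid JSON: ' . json_last_error_msg());
    }
    return $value;
}

var_dump(decode_strict('true'));        // bool(true) on both versions
try {
    decode_strict('TRUE');              // bool(true) on 5.5, throws here on 5.6
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;     // Invalid JSON: Syntax error
}

// 2. Encrypted streams verify the peer certificate and host name by default.
//    A fetch that "worked" on 5.5 against a self-signed or mismatched
//    certificate fails on 5.6. Fix it by supplying a CA bundle, never by
//    turning verification off.
function fetch_https($url, $caBundle)
{
    $ctx = stream_context_create([
        'ssl' => [
            'verify_peer'      => true,       // 5.6 default, stated explicitly
            'verify_peer_name' => true,       // 5.6 default, stated explicitly
            'cafile'           => $caBundle,
            // 'verify_peer' => false or 'allow_self_signed' => true would
            // restore the 5.5 behaviour, where any certificate, including an
            // attacker's, is accepted. Do not use them as a "fix".
        ],
    ]);
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        $err = error_get_last();
        throw new RuntimeException('TLS fetch failed: ' . ($err ? $err['message'] : 'unknown error'));
    }
    return $body;
}

// Assumed bundle location (Debian/Ubuntu). Setting openssl.cafile in php.ini
// achieves the same thing server-wide without touching every call site.
// $html = fetch_https('https://www.example.com/', '/etc/ssl/certs/ca-certificates.crt');

// 3. mcrypt: 5.5 zero-padded short keys and IVs to the next valid size;
//    5.6 returns false (with a warning) instead. Supply full-length values.
function encrypt_cbc($plaintext, $key)
{
    $cipher = MCRYPT_RIJNDAEL_128;                   // AES block size
    $mode   = MCRYPT_MODE_CBC;
    $ivSize = mcrypt_get_iv_size($cipher, $mode);    // 16 bytes
    if (!in_array(strlen($key), [16, 24, 32], true)) {
        // Exactly the case 5.6 now refuses; 5.5 would have NUL-padded "short".
        throw new InvalidArgumentException('Key must be 16, 24 or 32 bytes');
    }
    $iv = mcrypt_create_iv($ivSize, MCRYPT_DEV_URANDOM);   // fresh random IV per message
    $ct = mcrypt_encrypt($cipher, $key, $plaintext, $mode, $iv);
    return $iv . $ct;   // IV travels with the ciphertext
}

// 32 raw bytes. Illustration only: derive real keys with a proper KDF or
// generate them randomly; the passphrase here is an assumed placeholder.
$key  = hash('sha256', 'example passphrase', true);
$blob = encrypt_cbc('patient data', $key);
echo bin2hex($blob), PHP_EOL;
```

Two caveats on the mcrypt part: mcrypt_encrypt() zero-pads the plaintext to the block size and provides no integrity check, so it is not a drop-in secure construction, and the extension is deprecated in PHP 7.1 and removed in 7.2. Code touched during this upgrade is a good candidate for moving to the openssl extension (openssl_encrypt() with an AEAD mode) at the same time.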

Why am I still getting spam at my old email provider?

Published: January 18th, 2017

This question came in through “Ask Erik:”

Hi Erik,

I came across your article entitled Split Domain Routing: Getting Email for Your Domain at Two Providers while trying to figure out why one of the people in the small 3 person company I am affiliated with got a call from our web hosting and domain name company asking him to increase his email storage capacity even though we had migrated our email service away from them 2 years ago and at that time had redirected our DNS MX records to our new email provider.

When I looked at my colleague's email on the old service, I saw that he is still receiving spam mail there even though he is getting all his business mail through the new provider. How is it possible that he gets any mail at the old place at all now? I think the money he paid them is a complete ripoff as that is not his working email! Unfortunately I am the only one of the 3 of us that understands any of this…and that isn't saying much. Thanks for any thoughts.

Hello!  This is actually quite a common scenario.  If you do not close down your account with your old email provider, then that provider will usually still accept inbound email addressed to you which arrives at its servers.

Read the rest of this post »

LuxSci’s 2016 Advancements – The Year in Review

Published: December 31st, 2016

LuxSci has been really busy in 2016!  Besides migrating customers from McAfee due to the “end of life” of their filtering and archival services, keeping up with the changing security landscape, and replacing our Enterprise Server Environment with a newer, faster, more scalable, and more secure private cloud, LuxSci has been hard at work adding new features and extending existing services in the directions most requested by our customers.  Here are some of the highlights.

Read the rest of this post »

End of Support for Internet Explorer 8 and Windows XP/Outlook

Published: December 28th, 2016

As of January 9th, 2017, LuxSci is ending support for Internet Explorer 8 and Outlook (all versions) running on Windows XP.

Internet Explorer 8.  This very old browser has worked to varying degrees with LuxSci.  Starting mid-January, LuxSci will be explicitly dropping support for Internet Explorer 8 by using new JavaScript libraries that do not support Internet Explorer 8.  Microsoft ended all support for Internet Explorer 8 on all versions of Windows on January 12th, 2016.  It ended all support for it on Windows XP (where it was primarily used) in April, 2014.

Internet Explorer 8 is very old, unsupported, and insecure.  It does not support many of the modern web standards used by modern web sites.  Anyone who is still using Internet Explorer 8 should either upgrade to a newer version of Internet Explorer (or Edge) or switch to an alternate supported browser such as Chrome or Firefox.

Windows XP and Outlook. In the interest of security, LuxSci periodically changes the list of TLS cipher suites its servers accept, dropping those deemed too weak and adding new ones.  Starting January 9th, LuxSci will push out a change that removes the last cipher suite its servers still shared with Outlook running on Windows XP.  Once that change happens, Outlook on Windows XP will no longer be able to make TLS-protected IMAP, POP, or SMTP connections to LuxSci servers.  This applies to every version of Outlook running on XP, because Outlook uses the (old) encryption library built into XP itself rather than shipping its own.  Windows XP itself has not been supported since April 2014 and should be avoided for security reasons at this point.

Anyone affected by this change should either (a) upgrade to a newer version of Windows, (b) use an alternate email program that brings its own encryption libraries (e.g. Mozilla Thunderbird), or (c) use LuxSci WebMail directly using a supported web browser.

Outlook running on newer operating systems will continue to be supported as usual.

McAfee Migration Deadline Approaching

Published: December 9th, 2016

McAfee has been LuxSci's partner for premium email filtering and email archival services since those services were owned by MXLogic (later acquired by McAfee) and MXLogic first started setting up partner relationships.  A long time.

In late 2015, McAfee announced that it was ending its email filtering and archival service offerings, effective January 11th, 2017.  They gave everyone about a year to find alternatives and move away before the plug is pulled.

LuxSci chose two replacement companies: Proofpoint for email filtering and Sonian for email archival.  Both are very good; Proofpoint was even the 2015 pick by Gartner as the best in email filtering.  We announced this change in December of 2015:

Introducing Proofpoint and Sonian to replace McAfee for Premium Filtering and Archival

Over the past year, LuxSci has been working long hours migrating its thousands of customers from McAfee to these new services.  All customers who were previously using McAfee have migration-related support tickets with detailed information and instructions on the process.  The majority of customers are all set: their migrations are complete.

There are, however, several hundred customers who have yet to complete the migration of their email filtering to Proofpoint: their email is still flowing through their old McAfee accounts.  These customers are in charge of the DNS settings for their domains, so LuxSci cannot complete the migration steps without their assistance.  These customers need to follow the instructions in their migration tickets, which include:

Read the rest of this post »