Case Study: Securely Email Medical Laboratory Results to Patients
We count many medical laboratories among our customers. They process lab tests for doctors and send the results to the patients via email.
Medical laboratories, while sometimes not HIPAA covered entities themselves, are Business Associates with Hospitals and doctors who are required to abide by HIPAA. By the “transitive” nature of the HIPAA privacy laws, such Business Associates must take pains to abide by HIPAA security and privacy standards, protecting patient data, and ensuring confidentiality.
In order to send patients their results via email, these labs must use a HIPAA-complaint system that can send email to anyone with an email address.
This post describes how one large medical lab uses LuxSci’s SecureLine to safely deliver lab results to 1000s people every day.
HIPAA-compliant bulk emailing of lab results
The lab’s process:
- Analyzes the tests during the day and generates the results
- Sends all of the results in a large mailing at the end of the day
This is a legitimate large-scale transactional emailing that:
- Includes individual messages to 1000s of different recipients
- Must employ HIPAA-compliant security for each email message
- Must Include tracking so the laboratory can tell if a user has opened his/her lab results
The laboratory uses email software to:
- Generate each individualized lab result email
- Connect and authenticate to LuxSci’s outbound email server securely over TLS
- Transmit the message to Luxsci for encryption and delivery
LuxSci receives these messages securely and:
- Encrypts them and digitally signs them
- Stores them in a secured database using SecureLine Escrow
- Sends a simple notification email to each recipient informing them of the waiting lab results
- This message has been completely customized by the lab using LuxSci Private Label branding.
- Receives the notice in his/her regular email
- Clicks on a link in it and is taken to a secure web page whose look and feel has been customized by the lab.
- Verifies him/herself, by either:
- Registering for free (quick and simple to verify the recipient’s identity), or
- Enters the answer to a custom question provided by the lab (e.g. what is your lab “id number”?)
- Securely views the lab results
The laboratory can:
- See who has opened which messages and when
- Retract messages
- Set messages to expire from the recipients view after a pre-determined time period (e.g. 1 day to 10 years)
- Send messages with attachments up to 200MB in size
What kind of LuxSci account does this require?
In order to send occasional HIPAA-compliant secure email messages to patients (e.g. on the order of tens or a hundreds per day), you could use a regular LuxSci business email account with HIPAA compliance.
To send to large numbers of recipients, you need a Premium High Volume mailing account with HIPAA compliance.
Many of these customers also use LuxSci Spotlight mailer to handle email marketing for these customer email lists as well.
Managing Recipients & Encryption
There are two ways to have your recipients verify their identities when picking up their secure messages:
- You can have them register with you the first time, verifying access to their email, and use that password going forward, or
- You can have them answer a question you provide in order to gain access
The latter method is more secure if you provide a good question which is unique to each recipient. Indeed, this is the method used by your lab results company. However, when you have 10s of thousands of recipients, how do you manage this database of recipients, questions, and answers?
The answer is quite simple. When you send secure email though LuxSci, we use your LuxSci address book(s) to see if you have entries for these recipients and, if so, if you have questions and answers (or other encryption data like PGP or S/MIMe keys) for them. Keeping your address book current is not a problem, you can either:
- Upload a CSV of data about your recipients to your address book on demand, though our web interface, or
- Use our RESTful API to add/remove/update address book entries automatically from your system
- How do I send HIPAA-compliant lab results via email?
- HIPAA Compliance is Needed for Emailed Appointment Reminders
- Does HIPAA really permit reminding patients to pick up their prescriptions?
- When Should You Send ePHI in Your Marketing Emails?
- If my web site is very simple, do I have to worry about HIPAA compliance?