LuxSci

HIPAA Compliance

Are LuxSci's HIPAA compliant services NHIN (Nationwide Health Information Network) Direct Project compliant?

Our current HIPAA compliant accounts offer many of the security items described as requirements for Health Information Service Providers (HISPs) in the 'Consensus Proposal' and 'Security and Trust Consensus Proposal' documents. At this time LuxSci has no plans to implement the full complement of security protocols and specifications laid out by the NHIN Direct Project guidelines.

The Direct Project discusses the use of public certificate repositories such as ICAM (http://www.idmanagement.gov/), but we do not currently support integration with this type of centralized certificate database, and we do not intend to provide that service anytime soon. Additionally, we do not currently support the use of DNS CERT records to fetch recipient certificates. Lastly, we may or may not be able to support the transmission of health-industry-specific formats such as HL7, CDA, and CCR, but we have no plans at this time to make software changes specifically to ensure support for these formats.

Several key security requirements of the Direct Project that LuxSci's HIPAA compliant accounts do meet include:

* Forced use of S/MIME certificates for all outbound email for encryption and digital signing
* Forced use of TLS encrypted transmission for inbound and outbound email (requires a dedicated proxy server)
* Forced use of TLS encrypted transmission for POP, IMAP, and SMTP connections from email clients (e.g. Outlook)
* Forced authentication for POP, IMAP, and SMTP services
* Detailed auditing of sent messages
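As an added example (not LuxSci's own code), the following Python script shows how a customer can verify the TLS and authentication items in the list above from the client side: it parses an SMTP EHLO reply, confirms that STARTTLS is advertised, confirms that AUTH is not advertised before TLS is negotiated, and, when pointed at a live server, repeats the check after STARTTLS. The host name mail.example.test and the EHLO replies are constructed sample values, not LuxSci's.

```python
import smtplib
import ssl
from typing import Dict, List, Optional

# Constructed EHLO reply bodies, in the shape smtplib.SMTP.ehlo() returns
# (bytes; the first line is the server greeting, each later line is one
# capability). Sample values only, not captured from any LuxSci server.
SAMPLE_EHLO_PLAINTEXT = (
    b"mail.example.test Hello [192.0.2.10]\nSIZE 35882577\nSTARTTLS\n8BITMIME"
)
SAMPLE_EHLO_AFTER_TLS = (
    b"mail.example.test Hello [192.0.2.10]\nSIZE 35882577\nAUTH PLAIN LOGIN\n8BITMIME"
)
# A server that offers plaintext AUTH alongside STARTTLS (the weak case).
SAMPLE_EHLO_WEAK = b"mail.example.test Hello [192.0.2.10]\nAUTH PLAIN LOGIN\nSTARTTLS"


def parse_ehlo_capabilities(ehlo_message: bytes) -> Dict[str, List[str]]:
    """Map each advertised ESMTP keyword (upper-cased) to its parameters."""
    caps: Dict[str, List[str]] = {}
    lines = ehlo_message.decode("ascii", "replace").splitlines()
    for line in lines[1:]:  # skip the greeting line
        parts = line.split()
        if parts:
            caps[parts[0].upper()] = parts[1:]
    return caps


def assess_capabilities(
    before_tls: Dict[str, List[str]],
    after_tls: Optional[Dict[str, List[str]]] = None,
) -> Dict[str, bool]:
    """Compare what the server offers before and after STARTTLS against the
    'forced TLS' and 'forced authentication' expectations."""
    starttls_offered = "STARTTLS" in before_tls
    auth_before_tls = "AUTH" in before_tls
    auth_after_tls = after_tls is not None and "AUTH" in after_tls
    return {
        "starttls_offered": starttls_offered,
        "auth_before_tls": auth_before_tls,
        "auth_after_tls": auth_after_tls,
        # Passes only if TLS is offered, plaintext AUTH is withheld, and
        # AUTH appears once the channel is encrypted.
        "enforces_tls_before_auth": starttls_offered
        and not auth_before_tls
        and auth_after_tls,
    }


def check_smtp_endpoint(host: str, port: int = 587, timeout: float = 10.0) -> Dict[str, bool]:
    """Live version of the check against a real submission endpoint.
    Needs network access; the certificate is validated against the system trust store."""
    context = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as server:
        _, ehlo_plain = server.ehlo()
        before = parse_ehlo_capabilities(ehlo_plain)
        after = None
        if "STARTTLS" in before:
            server.starttls(context=context)
            _, ehlo_tls = server.ehlo()  # capabilities must be re-read after TLS
            after = parse_ehlo_capabilities(ehlo_tls)
    return assess_capabilities(before, after)


def run_offline_demo() -> Dict[str, bool]:
    """Evaluate the constructed sample replies (no network needed)."""
    return assess_capabilities(
        parse_ehlo_capabilities(SAMPLE_EHLO_PLAINTEXT),
        parse_ehlo_capabilities(SAMPLE_EHLO_AFTER_TLS),
    )


if __name__ == "__main__":
    print(run_offline_demo())
    # Against a real server: print(check_smtp_endpoint("mail.example.test"))
```

The offline demo reports a server that withholds AUTH until after STARTTLS as passing, while SAMPLE_EHLO_WEAK fails because it advertises AUTH on the plaintext connection. The same pattern (read capabilities, negotiate TLS, read them again) applies to the IMAP CAPABILITY and POP3 CAPA commands.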

Does HIPAA require that I have a dedicated server?

No, there is no explicit requirement. In fact, the HIPAA law is 'technology neutral': it makes no specific requirements for the implementation of technical security, e.g. the encryption strength (128 bits or 256 bits), the encryption algorithm (RSA, AES, etc.), the level of auditing, etc. The security restrictions we enforce ensure that your shared hosting account meets the Technical Safeguards of the HIPAA Security Rule. LuxSci's Premium Dedicated Servers offer a solution for clients interested in a dedicated hosting environment for their HIPAA compliance requirements.

Will LuxSci co-sign my own BAA or do I have to use LuxSci's BAA?

LuxSci has constructed a Business Associate Agreement that is tailored to its services and what it provides in terms of HIPAA compliance. This agreement has been vetted by our lawyers and is used by all of our HIPAA customers for consistency in application, expectations, and training.

LuxSci does not sign individual Business Associate Agreements (BAAs) provided by its customers. This is because of: (a) the time and cost it would involve to legally review each one, (b) the additional time and cost involved in ironing out differences between the contents of the customer's BAA and what LuxSci can and will agree to, and (c) having differing, individualized expectations and contracts with each customer would make security and privacy training, policies, and procedures complicated and thus increase the chance of error. Nobody wants to increase the chance of error with regard to the treatment of PHI.

Does LuxSci offer HIPAA compliant faxing or electronic faxing services?

No, LuxSci does not currently offer these services. Companies such as eFax Corporate® offer secure faxing services, though unless they specify HIPAA compliance, how do you know whether your faxes are HIPAA compliant? LuxSci's SecureLine end-to-end email encryption service is an effective alternative to secure faxing, as it enables you to easily send file attachments to any email address.

Does LuxSci have HIPAA certification?

We are often asked who or what certifies that LuxSci's HIPAA compliant services are really HIPAA compliant. The short answer is that there is no governmental regulatory body responsible for certifying vendors as HIPAA compliant.

In fact, the HIPAA Final Security Rule specifically states HIPAA does "not assume the task of certifying software and off-the-shelf products" (p. 8352 of the Final Security Rule) nor does it set criteria to accredit independent agencies that do HIPAA certifications.

Per the HIPAA HITECH Act of 2010, two government entities are jointly responsible for regulation and certification of health care technology: the Office of the National Coordinator for Health Information Technology (ONC) and the National Institute of Standards and Technology (NIST).

As of February 2016, the HITECH legislation only provides for the testing and certification of Electronic Health Records (EHR) programs and modules; this is generally used to qualify healthcare organizations for Medicare and Medicaid EHR incentives.

Companies that perform HIPAA certifications are not regulated by any federal accreditation agency.