LuxSci

Is LuxSci NHIN Direct Project Compliant?

Are LuxSci's HIPAA compliant services NHIN (Nationwide Health Information Network) Direct Project compliant?

Our current HIPAA compliant accounts offer many of the security items described as requirements for Health Information Service Providers (HISPS) per the 'Consensus Proposal' and 'Security and Trust Consensus Proposal' documents. At this time LuxSci has no plans to implement the full complement of security protocols and specifications as laid out by the NHIN Direct Project guidelines.

The Direct Project discusses use of public certificate repositories of sorts such as ICAM (http://www.idmanagement.gov/), but we currently do not support integration with these type of centralized certificate databases. We do not intend to provide that service anytime soon. Additionally, we don't currently support the use of DNS CERT records to perform recipient certificate fetching. Lastly, we may or may not be able to support the transmission of health industry specific formats such as HL7, CDA, and CCR, but we do not have intent at this time to make software changes to ensure support for these formats specifically.

The several key security requirements of the Direct Project that LuxSci's HIPAA compliant accounts meet include:

* Forced use of S/MIME certificates for all outbound email for encryption and digital signing
* Forced use of TLS encrypted transmission for inbound and outbound email (requires a dedicated proxy server)
* Forced use of TLS encrypted transmission for POP, IMAP, and SMTP connections from email clients (i.e. Outlook)
* Forced authentication for POP, IMAP, and SMTP services
* Detailed auditing of sent messages