HIPAA HITECH Business Associate Agreement and LuxSci Account Requirements
Changes to HIPAA as a result of HITECH provisions in the American Recovery and Reinvestment Act are going into effect on February 17, 2010. These changes seriously impact the requirements on Business Associates and impose significant liability penalties on HIPAA violations. For a discussion of these and how they relate to email and web services, see: HITECH 2010: HITECH Impact on Email and Web Outsourcing.
In response to these changes and to ensure that both LuxSci and its HIPAA customers are HIPAA-compliant:
- Old BAA Void: All Business Associate Agreements (BAA), formerly known as Medical Privacy Agreements, that current LuxSci customers have by virtue of the old BAA being incorporated automatically in LuxSci’s Master Services Agreement are VOID as of February 17th, 2010.
- New BAA Required: Any LuxSci Customer who is using or plans to use LuxSci for ePHI (electronic protected health information) of any kind (e.g. email, web sites, WebAides, databases, etc.) must explicitly sign our new BAA and ARA (Account Restrictions Agreement) before LuxSci will consider itself a Business Associate and the customer’s LuxSci account HIPAA compliant.
LuxSci will be contacting customers that it believes might need to sign a BAA and ARA during the month of February. However, as LuxSci does not know which customers are using their account(s) for storage or transmission of ePHI, it is up to our customers to contact LuxSci to establish a BAA.
- Lux Scientiae HIPAA Business Associate Agreement
- Lux Scientiae HIPAA Account Restrictions Agreement
Requirements to be HIPAA Compliant at LuxSci
LuxSci has instituted the following security restrictions that are required of all standard HIPAA Accounts.
All HIPAA accounts must be reviewed and approved by LuxSci. Eligible accounts must meet the security requirements specified in the Account Restrictions Agreement. These include:
- SecureLine licenses required for all users in accounts with email services at LuxSci
- Enforcement of LuxSci’s “Maximal Security” settings, which configure and enforce appropriate levels of security for all account users. These include:
  - Enforced use of Secure Logins: All logins to LuxSci servers by any user in the account must be secured via SSL, TLS, or SSH. This includes: WebMail, POP, IMAP, SMTP, FTP, and remote MySQL access.
  - Password Strength: All passwords used by all users to access LuxSci servers must be “strong”. This means that they must be 8 or more characters long, contain both letters and numbers, and pass the “crack” password strength checking system.
  - Web Interface Session Timeout: The maximum web interface (i.e. WebMail) session timeout must be reduced to 20 minutes.
  - Outbound Email Encryption: All users sending outbound email through LuxSci will be forced to have that email encrypted using the SecureLine system (using one or more of SMTP TLS, SecureLine Escrow, PGP, and S/MIME). This system supports TLS-only transport encryption for recipients whose email servers support TLS. When TLS is not available, it uses PGP or S/MIME if the recipient is known to support one of them, and SecureLine Escrow for anyone else with an email address. This sending restriction applies to messages sent via WebMail and messages sent via SMTP. Messages sent via SMTP that cannot be encrypted or sent via TLS are blocked.
  - WebAides Feeds: All published WebAides feeds must be accessed over a password-protected secure connection (HTTPS).
  - SecureForm: All SecureForms must be configured securely. This means that HTTPS must be used to secure the form data when it is posted, and PGP and/or S/MIME SecureLine encryption must be used to encrypt any email messages containing form data sent out from the SecureForm service.
  - Secure Forwards: All email forwarding rules created using features of your LuxSci account (i.e. email aliases, email forwards, email capturing, etc.) may only forward to recipients whose email servers support TLS for SMTP transport encryption. This ensures that all messages forwarded off-site are encrypted, with integrity protection, during transport. Attempts to configure forwarding to recipients using email services that do not support SMTP TLS message delivery will be uniformly blocked by the LuxSci system. The Customer can optionally prevent end users from configuring any filtering and forwarding settings for themselves.
  - Maximal Security Lockdown: The above configuration settings are administered by LuxSci’s “Maximal Security” tool. LuxSci Support will lock down this tool so that Account Administrators cannot change any of these settings themselves; they must submit requests to LuxSci Support, who will make any approved changes. Only LuxSci Support has access to unlock this tool, make changes to the settings, and re-enable the lockdown. All actions are permanently logged in your account’s audit trail.
- Account to be reviewed by LuxSci to ensure that it meets HIPAA compliance criteria
- Customer must sign and return copies of the new BAA and Account Restrictions Agreements.
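As an added illustration (not LuxSci’s code and not its Security Audit tool), the following Python checker evaluates a constructed account configuration against the Maximal Security settings listed above and picks the outbound protection method in the order the text gives (TLS, then PGP/S-MIME, then Escrow, else blocked). The login scheme names, the settings keys and the escrow_enabled switch are assumptions made for the example.

```python
MAX_SESSION_MINUTES = 20
# Scheme names below are assumed labels for the SSL/TLS/SSH-secured login variants.
SECURE_LOGIN_SCHEMES = {"https", "pop3s", "imaps", "smtps", "sftp", "mysql-ssl"}

def password_is_strong(pw: str) -> bool:
    """8+ chars with both letters and digits; the 'crack' dictionary check is not replicated."""
    return len(pw) >= 8 and any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)

def select_outbound_protection(recipient: dict, escrow_enabled: bool = True) -> str:
    """TLS transport first, then PGP or S/MIME when the recipient is known to support
    it, then SecureLine Escrow; a message with no usable method is blocked.
    escrow_enabled is an assumed account-level switch, not something the page states."""
    if recipient.get("smtp_tls"):
        return "tls"
    if recipient.get("pgp_key"):
        return "pgp"
    if recipient.get("smime_cert"):
        return "smime"
    return "escrow" if escrow_enabled else "blocked"

def forward_allowed(recipient: dict) -> bool:
    """Forwarding rules may only target recipients whose servers accept SMTP TLS."""
    return bool(recipient.get("smtp_tls"))

def audit_account(settings: dict) -> list:
    """Return the Maximal Security requirements that a settings dict fails."""
    findings = []
    insecure = set(settings.get("login_schemes", [])) - SECURE_LOGIN_SCHEMES
    if insecure:
        findings.append(f"plaintext logins enabled: {sorted(insecure)}")
    if settings.get("session_timeout_minutes", 0) > MAX_SESSION_MINUTES:
        findings.append("web session timeout exceeds 20 minutes")
    weak = sorted(u for u, pw in settings.get("passwords", {}).items() if not password_is_strong(pw))
    if weak:
        findings.append(f"weak passwords for users: {weak}")
    if not settings.get("webaides_feeds_https"):
        findings.append("WebAides feeds not restricted to HTTPS")
    if not (settings.get("secureform_https") and settings.get("secureform_encrypt")):
        findings.append("SecureForm not using HTTPS plus PGP/S-MIME email encryption")
    if any(not forward_allowed(r) for r in settings.get("forwards", [])):
        findings.append("forwarding rule targets a recipient without SMTP TLS")
    return findings

# Constructed sample: plain POP enabled, 60-minute timeout, one weak password, one bad forward.
SAMPLE_SETTINGS = {"login_schemes": ["https", "imaps", "pop", "smtps"], "session_timeout_minutes": 60,
    "passwords": {"alice": "correcthorse42", "bob": "password"}, "webaides_feeds_https": True,
    "secureform_https": True, "secureform_encrypt": True, "forwards": [{"smtp_tls": True}, {"smtp_tls": False}]}

if __name__ == "__main__":
    for finding in audit_account(SAMPLE_SETTINGS):
        print("FAIL:", finding)
```

Running it against the sample prints four failures (plaintext POP, the long timeout, bob’s password and the non-TLS forward), which are the items a LuxSci review would ask you to correct before lockdown.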
When all of these requirements are met, LuxSci will designate the account as a “HIPAA Account” and consider itself a Business Associate of said account.
Note: Customers of LuxSci that store ePHI on LuxSci servers or send ePHI through LuxSci and who are a HIPAA Covered Entity or a Business Associate of a HIPAA Covered Entity, must also be designated and approved as a HIPAA Account at LuxSci, or face account suspension. It is incumbent upon LuxSci, by law, to ensure that all customers that it believes to be in this situation have a signed LuxSci Business Associate Agreement and have their LuxSci account(s) configured in a way that safeguards their ePHI.
The Account Restrictions Agreement covers these requirements and also provides recommended “Work Arounds” to make compliance easier.
Steps to be HIPAA Compliant
If your organization wants an account with LuxSci that needs to be “HIPAA Compliant” because of the storage or transmission of ePHI through LuxSci, here is what to do:
- Order one of the “HIPAA-Secure” packages from our ordering pages, or check the “HIPAA Compliance Required” check box on your online order confirmation page.
- Once your account is created, LuxSci Support will coordinate with you:
  - The lock down of your security settings
  - Copies of the BAA and Restrictions Agreements to sign, if you have not already downloaded or been provided them by LuxSci
- Sign and return the BAA and Restrictions Agreements – see instructions.
If your organization already has an account with LuxSci that needs to be “HIPAA Compliant” because of the storage or transmission of ePHI through LuxSci, here is what to do:
- Review the new BAA and Account Restrictions Agreements in the context of your LuxSci account
- Use the new “Security Audit” tool in your account under “Account > Advanced Account Administration > Security” to see which aspects of your account do not meet LuxSci’s HIPAA Security guidelines.
- Take steps to correct any security issues that would impede your compliance.
- Review the “Work Arounds” section of the Account Restrictions Agreement to identify which options are recommended for ensuring compliance in as much of a “business as usual” manner as possible.
- Create a Support Ticket within your LuxSci account that indicates your need for HIPAA Compliance.
- LuxSci will review your account and assist you in determining what changes, if any, you may need to make.
- Sign and return the BAA and Restrictions Agreements – see instructions.
If you have questions about your account, the restrictions, or the work arounds, please contact Support. We can help you find a way to ensure HIPAA compliance for services that use ePHI while minimizing the impact on other users.
What happens if you ignore HIPAA?
If you are a customer who uses LuxSci for transmission or storage of ePHI, but you do nothing:
- Any pre-existing BAA with LuxSci, which is not compliant with the new HITECH changes, will expire on February 17th, 2010. After that, you will no longer have a BAA with LuxSci.
- You will be violating HIPAA by not having a valid Business Associate Agreement with LuxSci.
- If LuxSci determines that you are using its services for the transmission or storage of ePHI, and you do not have a new BAA, LuxSci will be forced by law to insist that you promptly sign our new BAA and comply with our security requirements. Accounts without a new BAA will face immediate suspension until the situation is corrected.
Why must you sign a new BAA?
New HIPAA law requires that LuxSci actively protect all ePHI by following the HIPAA Security and Privacy Rules itself, as must all HIPAA Business Partners. To do this, we:
- Must know exactly which customers are using our services for the transmission or storage of ePHI
- Must ensure that usage of our services meets the HIPAA Security Rule so that the chance of a HIPAA breach is minimized.
Starting in February 2010, HIPAA Customers and LuxSci may both have liability if there is a HIPAA breach. This was not previously the case. Additionally, the HITECH amendments to HIPAA add serious teeth to liability prosecution: up to $1.5 million per year in damages, as well as possible negative media exposure. LuxSci and other Business Associates and their Covered Entities cannot risk litigation, fines or negative press as a result of HIPAA violations. Now is the time to make sure that ePHI meets the privacy guidelines of HIPAA by locking down your LuxSci account(s).