" baa Archives - LuxSci

Posts Tagged ‘baa’

Business Associate Agreement: Explained

Monday, October 26th, 2020

If your organization collects, stores or processes electronic protected health information (ePHI) it will need a clear understanding of business associate agreements (BAAs). This also applies to businesses that process ePHI on behalf of other organizations.

Business Associate Agreements

Each business associate agreement stipulates how a company will share its ePHI with the respective business associate, and where the responsibilities lie. Unless your organization is a rare breed that has its own web hosting, email service, lawyers, accountants and every other aspect of its business in-house, then it needs to have these agreements in place with every provider that it shares ePHI with.

Read the rest of this post »

What We Call “Quasi-HIPAA-Compliance”

Thursday, March 26th, 2020

Are your organization’s service providers really HIPAA compliant, or are they only quasi-HIPAA compliant?

What do we mean? 

Okay, we’ll be honest quasi-HIPAA compliant isn’t an accepted term yet but it should be.

When we talk about quasi-HIPAA compliance, we’re referring to setups and services that look like they’re HIPAA compliant and share some of the features; however, they may not be completely in line with HIPAA requirements if you actually use them in the way that you want.

Quasi-HIPAA compliance is common, particularly in popular services. It can also be incredibly dangerous for businesses because quasi-HIPAA compliance can lead organizations into a false sense of security, while they may be violating the regulations unwittingly.

What Is Quasi-HIPAA Compliance?

The best way to explain the concept of quasi-HIPAA compliance is through example. A quasi-HIPAA compliant service could come from an email-hosting provider, web-hosting provider, or an organization that offers a range of other solutions. 

If these providers are quasi-HIPAA compliant, they will include elements of HIPAA compliance, but the services may not be appropriately tailored to keep their clients within the lines of the regulations when used in various ways.  A provider may be willing to sign a HIPAA business associates agreement (BAA) with your company, but its services may not include the appropriate protections for compliance.

As a good example: Google is willing to sign a BAA with customers using its G Suite service.  However, Google does not actually provide HIPAA-compliant email encryption — so using G Suite email in a HIPAA context can immediately leave you in non-compliance and subject to breach. This is quasi-HIPAA compliance.  You assume that by signing a BAA, you can use the services as you like and be “all set.”  In truth, you need to really understand what is allowed and what is not allowed. You then need to either (a) avoid performing non-compliant actions, or (b) add additional measures to fill those gaps.

Quasi-HIPAA compliance

Business Associates Agreements & Quasi-HIPAA Compliance

A BAA is essential for HIPAA compliance. Your company can’t be completely HIPAA compliant if it uses the services of another entity without a BAA in place. It doesn’t matter if the entity’s services are technically HIPAA compliant, you will fall foul of the regulations unless a BAA is in place between the two parties.

Even if you do have a BAA with your provider, that alone may not be enough to keep your organization on the right side of HIPAA. The provider may not have the security measures that your organization needs, and instead have a carefully worded BAA that will leave you vulnerable.

Let’s say your email marketing service provider is a quasi-HIPAA compliant provider. It may not offer email encryption, or the necessary access control measures that your organization needs to safely send ePHI and other sensitive information.  The “HIPAA Compliance” may be limited only to data stored at rest on their servers; you may be very surprised to learn that an email marketing company offering “HIPAA compliance” does not recommend sending any sensitive data over email

The BAA offered by a company may be carefully worded to say that the service is technically HIPAA-compliant, but only if you don’t use it to send ePHI. This is legal, and the provider isn’t necessarily doing anything wrong by offering such a service, as long as this is clearly stated in the agreement.  Without understanding clearly what is actually “covered,” you leave yourself at risk.

The compliance and breach danger comes when organizations use quasi-HIPAA compliant services without completely understanding them. If they don’t take the time to do their research or thoroughly read the agreement, they could end up using the service in a way that isn’t covered under the BAA.

Doctor Video Conference

Dangers of Quasi-HIPAA Compliance

In our example, an organization might subscribe to a quasi-HIPAA compliant service and use it to send ePHI. If ePHI isn’t allowed to be sent via email or text under the BAA, and it’s sent without encryption and other security measures in place, then the messages will violate HIPAA regulations.

This is an easy trap to fall into for several major reasons. 

  1. BAAs can be complex and need to be studied carefully. 
  2. People make assumptions about what is actually covered by an organization’s “HIPAA compliance.”
  3. It’s very easy to accidentally send ePHI in an email. The definition of ePHI is broad, so employees can include ePHI in messages without even realizing it.

Even if your organization specifies that ePHI shouldn’t be sent through a particular service, all it takes is one mistake and your company will have a costly HIPAA violation on its hands. If your organization does use an email marketing service that’s only quasi-HIPAA compliant, then the restrictions on ePHI will prevent your organization from being able to market effectively, and to communicate properly with its clients.

How Your Organization Can Avoid Quasi-HIPAA Compliance

The most important way to protect your organization is to do your research beforehand, and make sure that any prospective provider will cover your intended uses properly. This means that you need to read through their BAAs to make sure that they are inline with your business’ requirements.

To save you some time, services like G Suite and the vast majority of email marketing services can be seen as quasi-HIPAA compliant, at best. Only providers that specialize in HIPAA-compliant services will be able to deliver the solutions that healthcare organizations and those that process ePHI require.

If your company needs true HIPAA compliance, then a provider like LuxSci is the best way to stay on the ride side of the regulations. We have been providing HIPAA-compliant secure email since 2005. Not only are our solutions tailored to abide by HIPAA, but we have also developed the services you need to conduct important business tasks.

We provide HIPAA-compliant bulk email solutions for clients that need to send at scale. These services are set up over our secure infrastructure, and we provide dedicated servers for clients that require it.

LuxSci focuses on both compliance and ease-of-use, so we have developed secure email hosting, email marketing, and transactional email solutions among our offerings. Our services help your organization comfortably market itself and conduct business, all while staying in line with HIPAA compliance.

Is Amazon Simple Email Service (SES) HIPAA Compliant?

Thursday, March 19th, 2020

Because Amazon Web Services (AWS) is very inexpensive, very well known, and offers “HIPAA-compliant” solutions to some degree, we are often asked if, and to what degree, Amazon Simple Email Service (SES) is HIPAA compliant. AWS is a big player offering countless services on which companies can build and/or host applications and infrastructures. One of the myriad of services provided by Amazon is their “Simple Email Service” (AWS SES for short).  Organizations are very interested in determining if the services offered are appropriate for their use cases and if use of specific Amazon services will leave them non-compliant or at risk.  Indeed, the larger the organization, the more concern we encounter.

 

Read the rest of this post »

How Is HIPAA-Compliant Email Different from Secure Email?

Wednesday, June 21st, 2017

Protected health information (PHI) is heavily regulated under HIPAA, but the exact details can be confusing. The regulations are designed to keep everyone’s private information safe, but they also put a significant amount of responsibility on businesses.

HIPAA regulations apply to just about every aspect of a person’s medical information, including their transit, storage and security. Because email is such an important and extensively-used form of communication, HIPAA regulations apply to it as well.

HIPAA-compliant email vs secure email

Some may think that secure and encrypted email is all you need to keep PHI safe and emails compliant. The reality is that HIPAA email regulations go above and beyond standard secure email. To protect your business, you need to make sure that your email provider is HIPAA-compliant, not just secure.

Read the rest of this post »

What is HIPAA-Compliant Cloud Storage?

Friday, November 11th, 2016

HIPAA-compliant cloud storage complies with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to ensure the security of healthcare patients’ data stored on remote servers accessed from the internet.

HIPAA governs how healthcare providers and their business associates, as defined in the Act, can store, manage, and share personal health information (PHI). If you’re a healthcare provider (or a cloud storage provider working with a healthcare provider), it’s important to understand how HIPAA applies to cloud storage.

With the rising popularity of services like iCloud and Dropbox, many people and companies have become more comfortable with cloud storage. There’s no question these services are convenient; being able to access universally synced data anytime, anywhere, from any device, is incredible.

HIPAA-compliant cloud storage

But that doesn’t mean these services are HIPAA-compliant. HIPAA introduces particular requirements that not every cloud storage provider satisfies.

Don’t make the mistake of assuming that a particular cloud storage option will comply with HIPAA. Storing your data “in the cloud” can make it difficult to achieve the level of security required of healthcare.

Here’s what you need to know about cloud storage to make sure your data is safe and sound — and HIPAA-compliant.

Read the rest of this post »

LUXSCI