" business associate Archives - LuxSci

Posts Tagged ‘business associate’

Healthcare Marketing & HIPAA: Are you in Compliance?

Wednesday, September 14th, 2022

Healthcare Marketing Today

Marketing is essential to growing any business successfully, but when you work in regulated spaces such as healthcare, there are compliance considerations. Whether responding to an online patient review or trying to increase patient engagement through marketing campaigns, misunderstandings in marketing best practices can lead to patient privacy breaches.

The Health Insurance Portability and Accountability Act (HIPAA), which controls what and when patient information may be shared for marketing purposes, was enacted before the electronic age. As a result, it can be challenging to find information regarding appropriate marketing practices using modern social and software technologies.

HIPAA and Healthcare Marketing

A large part of HIPAA regulates what is appropriate for the use or disclosure of patient information. There are certain instances where the use and disclosure of protected health information (PHI) is allowed without patient consent. These instances include sharing PHI for treatment, payment, or healthcare operations.

However, before you can use patient information for marketing efforts, you need to receive explicit written consent from the patient. The consent form must be specific to the marketing efforts you will use the patient’s PHI in. For instance, if you would like to share patient testimonials, photos, or videos on your website or social media accounts, the patient must sign a consent form stating that you will use their information in this way.

HIPAA-compliant marketing also largely depends on an employee’s understanding of the law. Employees responsible for handling PHI must be trained to use and disclose PHI within the scope of their job role. Improperly trained employees can expose your practice to HIPAA violations and costly fines.


8 Common Misunderstandings of Marketing and HIPAA

1. As long as patient consent is obtained, HIPAA doesn’t matter
Some organizations think they can use any marketing tool with a signed patient consent form. Still, the tool has to be HIPAA-compliant. Even if patients agree, it does not remove the organization’s obligations to secure PHI under the law. If protected health information is improperly accessed, it is still a breach and can lead to severe financial and reputational consequences.

2. Marketing emails do not need encryption
Many marketing emails imply a relationship between patients and providers and, as such, can often be classified as protected health information. PHI must be encrypted in transit and at rest to comply with HIPAA.

3. Personalizing marketing emails is a HIPAA violation
Marketing emails can be personalized as long as the proper safeguards and precautions are in place to protect patient privacy and meet compliance requirements.

4. Marketing companies do not need to sign Business Associates Agreements
As of 2013, the HIPAA Omnibus rule expanded HIPAA obligations to include business associates and subcontractors. Marketing agencies and vendors that process PHI on behalf of a covered entity must comply with HIPAA regulations, which include signing a BAA.

5. The only way to protect PHI is to use patient portals
TLS encryption meets HIPAA transport encryption requirements and provides a better user experience. Marketing emails sent with TLS encryption are more likely to be opened than those sent to a patient portal.

6. Using BCC is enough to keep patient identities private
BCC is NOT enough to protect patient identities. Although the end recipient cannot tell who else received the message, the entire list is visible as the messages are transmitted from server to server. The messages can be eavesdropped on by someone with technical abilities.

7. Always respond to social media reviews
Be extremely careful when responding to online reviews. Publicly confirming information about a patient’s health or treatment status is a HIPAA violation.

8. Healthcare marketing isn’t necessary or worth the hassle
Healthcare consumerism is rising, and patients are willing to change providers if they are unsatisfied with their experience. Educating and informing current and potential patients about your services is essential to improve new customer acquisition and retention.

How to be HIPAA-Compliant

The most crucial step is vetting marketing vendors and HIPAA compliance tools. Any vendor that handles PHI on behalf of a healthcare entity needs to sign a Business Associate Agreement that outlines how patient data will be stored, transmitted, and disposed of. Don’t choose a vendor who is unfamiliar with HIPAA’s stringent requirements. Also, watch out for quasi-compliance. Some self-identified “HIPAA-compliant” vendors can protect data at rest but not in transmission or require patient waivers to achieve compliance.

Next, always use encryption and default to security. Identifying PHI is often tricky, and the legal burden should not fall on the marketing team. By selecting technology that encrypts every marketing email, you can rest assured that messages are secure and compliant. A bonus tip: do not send marketing messages to an encrypted patient portal. Instead, send marketing messages with TLS encryption directly to patients’ inboxes. You will see much higher response rates and engagement.

Finally, to create the most effective marketing campaigns, use PHI to create segmented audiences and send them personalized content. These tactics are widely used outside the healthcare industry because they deliver results. Remember that any tool you put PHI into must be HIPAA-compliant.

How LuxSci and Compliancy Group Can Help

LuxSci’s Secure Marketing tool is an email marketing platform designed to meet HIPAA requirements. It allows marketing teams to segment audiences and personalize emails to engage patients and improve marketing ROI. If you are already using a third-party email marketing platform, we have you covered: LuxSci’s Secure High Volume Email solution can integrate with any third-party platform to make sure those emails are also HIPAA-compliant.

Compliancy Group enables healthcare organizations and vendors serving the healthcare industry to achieve HIPAA compliance through an automated software platform and live guided coaching. The Guard, its proprietary compliance platform, covers all the necessary parts of the HIPAA regulation. Compliancy Group awards clients the HIPAA Seal of Compliance upon successful completion of their process. The Seal can be displayed on a practice’s website, email signature, and signage, and proves they are dedicated to protecting patient information and have completed the steps required to satisfy the law.


What is HITRUST Certification and Why Does It Matter?

Tuesday, December 7th, 2021

Any company can claim to be HIPAA-compliant, but if you are considering using their services, it’s worth understanding what they mean. Using a vendor that self-attests compliance is risky. As a result, many serious organizations use a third-party validator to assure that they are doing all the right things regarding security and compliance. If you work in the healthcare industry, a HITRUST certification is one of the most widely respected third-party validators.


Covered Entities and HIPAA Law

Tuesday, November 24th, 2020

HIPAA law is important legislation that outlines how organizations and individuals (which it refers to as covered entities) must protect their protected health information (PHI). While HIPAA is actually much broader and includes rules for things like insurance claims and payments, our focus is on its provisions for safeguarding PHI.


The Two Key Parties: Covered Entities and Business Associates

If HIPAA law is designed to protect patient information, then it’s important to understand which parties must abide by it. Those that don’t meet the legal definitions of covered entities or business associates don’t have to comply with the HIPAA Rules.

Covered Entities

The legislation uses the term covered entities to refer to individuals or organizations that collect, store, transmit or process PHI.

Covered entities fall into three categories:

  • Health care providers – These include hospitals, doctors, clinics, pharmacies, nursing homes, psychologists and similar types of providers.
  • Health plans – Health insurance companies, company health plans, HMOs and Government-paid health care plans such as Medicare are all considered health plans.
  • Health care clearinghouses – These are entities that either process or facilitate the processing of health information that they receive from other entities. Health care clearinghouses can be public or private, and can include things like billing services and repricing companies.

Individuals or entities that meet the definition of covered entities are required to follow the HIPAA legislation’s stipulations. These include rules for protecting the security and privacy of health information, while also providing individuals with certain rights regarding this information.

Covered entities can’t do everything by themselves, and they frequently engage in the services of others to conduct their work. After all, if you ran a covered entity such as a hospital and you needed to send secure email to patients, would you set up your own infrastructure for it?

No, of course not. You would find a provider to do it for you. But how do you make sure the email provider also protects the data in line with your organization’s HIPAA responsibilities?

Business Associates

Thankfully, the legislators did make provisions for this. The providers that work alongside covered entities are referred to as business associates. The HIPAA laws set out how these two entities can share PHI to make sure that it is safeguarded.

Business associates can include a wide range of individuals and organizations, including things like web hosts, billing companies, consultants, legal firms, accountants, and many more. Any organization that processes PHI on behalf of a covered entity is considered a business associate if it does so according to the rules that the HIPAA laws lay out.

But what ensures that the business associate will protect the data appropriately?

The Business Associate Agreement

The relationship between covered entities and business associates is brought together by the business associate agreement. This is a contract that sets out how each party will protect the PHI, what each side’s obligations are, and where the responsibilities lie. These agreements help to protect both covered entities and the data of individuals, because the legal weight behind them motivates business associates to take their responsibilities seriously.

Violation Costs for Covered Entities and Business Associates

HIPAA laws can’t be looked at as just some dull, bureaucratic box-checking. The penalties are too high for such an unconcerned approach. Both covered entities and business associates need to be aware that they face penalties of between $100 and $50,000 per violation, depending on the severity of the offense.

Considering the number of individual records most companies process, this can very quickly add up to the $1.5 million yearly maximum penalty for each violation category.

If you are a covered entity, you need trusted Business Associates

If your organization is a covered entity, it can be difficult to find a business associate that meets its needs for secure email, web hosting, and related services. Few providers have the right combination of protection measures, verified HIPAA compliance, functionality, and effectiveness that your business requires.

LuxSci’s services are specifically tailored to combine all of these traits. They are designed to be easy to use, efficient, secure, and compliant with the legislation. Our company’s focus at this juncture makes LuxSci the perfect provider for healthcare organizations and those that process ePHI. Call us if you want to learn more about how our solutions can work for your company.

HIPAA 2010: HITECH Impact on Email and Web Outsourcing

Wednesday, January 20th, 2010

Surprise! HIPAA has changed, gotten bigger, and grown teeth.

The American Recovery and Reinvestment Act (ARRA, or The Obama Stimulus Bill), signed into law in February 2009, includes new, more comprehensive provisions for HIPAA. These provisions are in a section of the bill known as the Health Information Technology for Economic and Clinical Health Act (HITECH).

For organizations that are already required to abide by HIPAA (i.e. the “Covered Entities” of HIPAA), HITECH adds the following requirements:
