compliance Archives - LuxSci

Posts Tagged ‘compliance’

17 Questions To Ask Before Sending A HIPAA-Compliant Marketing Email

Tuesday, April 20th, 2021

You’ve just been told that your email marketing program is putting your company at risk of violating HIPAA. What now? If you want to continue using email to communicate with patients, you must implement HIPAA-compliant email marketing.

Start by breaking down that goal into two components: becoming HIPAA-compliant and achieving your marketing objectives. Setting up HIPAA-compliant systems and procedures will ensure your patient data is protected. However, you don’t have to let your marketing objectives suffer for the sake of security. Implementing a HIPAA-compliant marketing program can actually help you achieve better marketing results.

Ask yourself these 17 questions to ensure your email marketing plan aligns with your business goals and HIPAA.


Information Blocking Is Over – How Will It Affect Your Organization?

Tuesday, April 6th, 2021

Starting April 5, 2021, information blocking will no longer be allowed thanks to changes that were kicked off by 2016’s 21st Century Cures Act. In short, information blocking involves interfering with the exchange, access, or use of electronic health information.

There are many ways information can be “blocked,” but the term broadly refers to improperly restricting access to private health information. Information blocking can sometimes occur by misapplying the HIPAA Privacy Rule, but it is not always intentional. Poorly designed IT systems can also prevent patients from accessing important health information.

A Brief Background on Information Blocking

Congress passed the 21st Century Cures Act to modernize the health care system. With many hospitals and organizations adopting electronic medical records and other technology, the bill focused on improving the interoperability of technology and increasing patient access to their health information. The 21st Century Cures Act builds on HIPAA, which was passed in 1996 before the widespread adoption of online health technology. Under HIPAA, patients have the right to access and receive copies of their health information.

The Office of the National Coordinator for Health Information Technology (ONC) Cures Act Final Rule added exceptions and health IT certification requirements, but the Department of Health and Human Services postponed compliance requirements due to the pandemic. HHS set the new date for the information blocking provisions to begin on April 5, 2021.

What Is Information Blocking?

Information blocking is any practice that is likely to interfere with the use, access, or exchange of electronic health information. It applies to three specific groups:

  • Healthcare providers
  • Health IT developers of certified health IT
  • Health information networks and health information exchanges

Examples include:

  • Improperly citing the HIPAA Privacy Rule as the reason for not sharing ePHI.
  • Imposing fees that make the exchange of information cost prohibitive.
  • Implementing technology in non-standard ways to limit the interoperability of the information.
  • Locking patients in to a particular technology or standard so that their health information is not portable.

Information Blocking Exceptions

There are eight separate categories of exceptions. The first group includes exceptions that involve not fulfilling requests for access, exchange, or use:

  • Privacy
  • Security
  • Preventing harm
  • Infeasibility
  • Health IT performance

The second group includes exceptions that involve the procedures for fulfilling requests for access, exchange, or use:

  • Licensing
  • Fees
  • Content and manner

In situations that meet these exceptions, interfering with the sharing, use, or access to health data is not considered information blocking. The categories are nuanced, so you should really refer to the link for specifics.

One basic example would be an IT department denying an information request during a natural disaster event that impacted a data center. It would not be feasible for an IT department to grant access during the outage and an exception may be granted. However, the entity needs to reply to the requester within 10 business days to explain why the request could not be fulfilled. Requests cannot be ignored.

Proposed Penalties

The Office of the Inspector General has not yet announced the finalized penalty. However, the proposed rule states that the maximum penalty for each violation would not exceed $1 million.

How to Prepare for the Information Blocking Changes

Starting on April 5, 2021, organizations that are responsible for compliance will need to ensure that they are not engaging in information blocking practices (unless covered by an exception).

If an organization is improperly restricting information, it will need to make technical and operational changes to stop the practice. This may include updating policies and business associate agreements to ensure that data is available when requested.

Depending on the technology utilized, ending the practice of information blocking may be a significant undertaking. If large overhauls to current governance standards and infrastructure are required, organizations should:

  • Develop an action plan that reviews requirements and establishes an appropriate governance structure.
  • Review access policies to meet the new requirements.
  • Set up a process for evaluating situations where the eight exceptions apply.
  • Give employees comprehensive training where appropriate.

The information blocking changes may help to facilitate a better healthcare environment, but they are also a significant undertaking for certain stakeholders. Managing them appropriately will require diligence and attention to bring about the best outcomes for patients, and to reduce the chances of facing penalties from violations.

30th National HIPAA Summit Recap

Tuesday, March 30th, 2021

Last week, the LuxSci team attended the Virtual 30th National HIPAA Summit. The conference featured government and industry leaders who led sessions on updates to HIPAA rules, ongoing threats to cybersecurity, the impacts of remote work, and many other topics.

We can’t touch on every session that took place over the four days of the conference, but some of the most interesting updates came from the Office of Civil Rights (OCR) at the Department of Health and Human Services. OCR is responsible for enforcing HIPAA, so, as you would expect, its sessions were of high interest to anyone responsible for compliance.


At the start of the pandemic, OCR adopted enforcement discretion to allow health care organizations to quickly transition to virtual health care and remote work without fear of penalties. In January, OCR announced that enforcement discretion would also apply to Covid-19 vaccine scheduling. OCR will not impose penalties on those acting in “good faith” to create online or web-based scheduling applications for Covid-19 vaccine appointments. Nevertheless, this does not mean that covered entities are off the hook when it comes to HIPAA. It is recommended that they implement “reasonable safeguards” to protect PHI.

The Office of Civil Rights has also continued to penalize organizations for right of access violations. When most people think of HIPAA, they think of protecting private information through strict security policies. However, HIPAA stands for the Health Insurance Portability and Accountability Act. Portability means that patients have a right to access and transmit their information to other insurance or health care providers as they see fit. In recent years, OCR has increasingly penalized organizations for failing to respond to patient information requests in a timely manner. It is important for health care organizations to have secure offsite back-ups of patient information to prevent enforcement actions. It is challenging to find the right balance of security and patient access, but it is so important!


Unsurprisingly, Covid-19 exposed organizations to new security risks as employees rapidly transitioned to remote work. Although the pandemic changed practically every aspect of our lives, phishing and ransomware remained two of the biggest security threats to health care providers. At the outset of the pandemic, many ransomware operators voluntarily stopped targeting hospital systems in a show of solidarity. However, the respite was temporary. As the value of health care data on the black market has continued to rise, ransomware attacks have surged.

Phishing also remains a primary attack vector for intruders. OCR reported that in the first two months of 2021, hacking/IT incidents accounted for 71% of large health care breaches. According to OCR, most large breaches have occurred via email (39%) or network servers (32%). Phishing attacks increased so much over the last year that one conference speaker noted his organization considered turning off external email. Though it is true that the only way to completely avoid hackers is to disable your systems, that is an unrealistic option for most businesses. To combat phishing, organizations need to train staff and have technology controls in place to prevent human error. If you have the right email filtering in place, you can prevent phishing emails from even reaching your employees’ inboxes.


Shifting to remote work in early 2020 left organizations scrambling to create security policies and protect patient information. Not only did providers need to worry about preventing telehealth conversations from being overheard by their families, but they also needed to be conscious of a wide array of security issues including:

  • Securing their physical workspace and devices
  • Preventing data loss
  • Protecting notes from patient conversations
  • Using secure network connections
  • Letting children or partners use work devices

The number of security risks that remote work introduced was almost immeasurable. Organizations needed to act quickly to create new policies to protect patient data, while maintaining excellent standards of patient care. Time and time again, health care organizations that lacked basic cyber hygiene like unique logins, complex passwords, and device usage policies were the most at risk of a cyberattack or breach.

One year later, organizations are continuing to adapt their policies as much of the workforce remains remote. Many presenters expect at least some of their workforce to remain remote once the pandemic ends. Some organizations were surprised to discover the benefits of having a remote workforce. Rural hospitals are better able to attract talent when remote work is an option. Patients also benefitted from increased access to health care when telehealth was an option.

The HIPAA Summit was a wonderful reminder that if you don’t have procedures and policies in place to protect your patient data and communications, it’s only a matter of time before a breach occurs. Did you attend the HIPAA Summit? We would love to learn more about your challenges with Covid-19 and secure patient communications.

Time-Based Access Control

Tuesday, March 16th, 2021

A new security feature is available for LuxSci WebMail customers. Account administrators now have the option to implement time-based access controls for their users. Administrators can restrict what times of day and what days of the week individual users are permitted to use the LuxSci web interface (for WebMail, administration, or other tasks) to increase security on the platform.

This prevents unauthorized off-hours access by employees and also by potential attackers. In a compliance context, LuxSci customers are able to apply time-of-day access controls at the user level to further limit the attack surface and keep essential information protected.

How to Enable Time-Based Access

You must be an account administrator to enable time-based access. To edit this setting, go to the user’s account and click on “Settings.” Under “Security,” go to the “General” page and do the following steps:

  • Enable the overall setting “Enable time-based access restrictions to this web interface.”
  • Select the time zone to use for these times.
  • For each day the user will be allowed to log in to the web interface, enter one or two time ranges in the 24-hour time format “HH:MM-HH:MM.”
    • For example, if the user can use the system between 9am and 5pm, you would enter “09:00-17:00.” Use two time ranges if there are two distinct periods of time during the day that are acceptable.
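The steps above describe the rule format an administrator types in; the following is an added example, written for this post and not LuxSci's own implementation, of how such a rule set is evaluated: it parses per-day “HH:MM-HH:MM” ranges (at most two per day, as the setting allows), converts a login timestamp into the account's configured time zone, and then decides whether that login is inside a permitted window. The day names, the inclusive-start/exclusive-end convention, accepting “24:00” as an end-of-day marker, and rejecting ranges that wrap past midnight are all assumptions made here; the fixed-offset time zones in the demo stand in for a real `zoneinfo` zone.

```python
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Assumed day keys for the schedule; values are stored as minutes since midnight.
DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")
MAX_RANGES_PER_DAY = 2  # the setting takes one or two ranges per day (assumption: never more)
_RANGE_RE = re.compile(r"^(\d{2}):(\d{2})-(\d{2}):(\d{2})$")


def parse_range(text: str) -> tuple[int, int]:
    """Parse one 'HH:MM-HH:MM' range into (start, end) minutes since midnight.

    Assumptions: start is inclusive, end is exclusive, '24:00' is accepted as an
    end-of-day marker, and a range may not wrap past midnight.
    """
    m = _RANGE_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad range {text!r}: expected HH:MM-HH:MM")
    h1, m1, h2, m2 = (int(g) for g in m.groups())
    if not (0 <= h1 <= 23 and 0 <= m1 <= 59 and 0 <= h2 <= 24 and 0 <= m2 <= 59):
        raise ValueError(f"bad range {text!r}: hour or minute out of bounds")
    start, end = h1 * 60 + m1, h2 * 60 + m2
    if end > 24 * 60:  # e.g. 24:30
        raise ValueError(f"bad range {text!r}: end is past 24:00")
    if end <= start:
        raise ValueError(f"bad range {text!r}: end must be after start (no wrap past midnight)")
    return start, end


def parse_schedule(raw: dict[str, str]) -> dict[str, list[tuple[int, int]]]:
    """Compile {'mon': '09:00-17:00', 'tue': '08:00-12:00, 13:00-17:00'} into
    validated minute ranges. Days missing from the dict (or mapped to '') get
    no access at all, which is the safe default for a deny-by-default control."""
    compiled: dict[str, list[tuple[int, int]]] = {}
    for day, spec in raw.items():
        key = day.strip().lower()[:3]
        if key not in DAYS:
            raise ValueError(f"unknown day {day!r}")
        parts = [p for p in spec.split(",") if p.strip()]
        if len(parts) > MAX_RANGES_PER_DAY:
            raise ValueError(f"{day}: at most {MAX_RANGES_PER_DAY} ranges are allowed")
        ranges = sorted(parse_range(p) for p in parts)
        for (_, prev_end), (next_start, _) in zip(ranges, ranges[1:]):
            if next_start < prev_end:
                raise ValueError(f"{day}: ranges overlap")
        compiled[key] = ranges
    return compiled


def is_access_allowed(compiled: dict[str, list[tuple[int, int]]],
                      when: datetime, account_tz) -> bool:
    """Decide whether a login at `when` (must be timezone-aware) falls inside one
    of the user's windows. The weekday and wall-clock time are taken after
    converting to the account's configured zone, not the server's or client's."""
    if when.tzinfo is None:
        raise ValueError("login timestamp must be timezone-aware")
    local = when.astimezone(account_tz)
    minute = local.hour * 60 + local.minute
    day = DAYS[local.weekday()]
    return any(start <= minute < end for start, end in compiled.get(day, ()))


# Constructed sample schedule: office hours Monday, split shift Tuesday, nothing else.
SCHEDULE = parse_schedule({"mon": "09:00-17:00", "tue": "08:00-12:00, 13:00-17:00"})
# Fixed offsets keep the demo dependency-free; in practice pass zoneinfo.ZoneInfo("Asia/Tokyo").
JST = timezone(timedelta(hours=9))
UTC = timezone.utc

if __name__ == "__main__":
    # Same instant evaluated under two zone settings: Tuesday 08:30 in Tokyo,
    # but still Monday 23:30 in UTC, so the configured zone decides the outcome.
    login = datetime(2021, 3, 15, 23, 30, tzinfo=UTC)
    print("Tokyo zone :", is_access_allowed(SCHEDULE, login, JST))
    print("UTC zone   :", is_access_allowed(SCHEDULE, login, UTC))
    print("Tue 12:30  :", is_access_allowed(SCHEDULE, datetime(2021, 3, 16, 12, 30, tzinfo=JST), JST))
```

The check is deny-by-default: a weekday with no entry, a malformed range, or a naive (zone-less) timestamp never yields an allow decision, which matters when the control is the last gate before WebMail access.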

[Screenshot: time-based access settings]

Additional Security Features

In addition to this feature, we also recommend that LuxSci customers take advantage of our other security controls such as:

GDPR & Email: 10 Critical Questions & Answers for Compliance

Thursday, May 24th, 2018

GDPR, the General Data Protection Regulation, which asserts and enforces protections on the personal information of EU citizens, is on everyone’s minds these days. This is because it impacts any company anywhere in the world that interacts with citizens of the European Union (EU), even if that only means sending email messages to them. The kicker … if you are found to be in non-compliance you could earn yourself a fine of 20 million euros or 4% of your gross annual revenue, whichever is higher.

As an email security company, we receive a lot of questions around the intersection of email and GDPR. There is a whole lot of confusion out there and ambiguity in the regulations. In this post, we answer 10 of the most prominent and important questions on GDPR and email that we have seen. The answers are at times surprising and even enlightening. However, if you are unaware of the answers to these questions, you are almost certainly out of compliance with GDPR.
