email Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more

Posts Tagged ‘email’

Do Healthcare Marketing Emails Have to Be HIPAA-Compliant?

Friday, July 26th, 2019

Healthcare is a competitive business, and those in the industry are facing increasing pressure to maintain their standing against their rivals. One of the key tactics for keeping up involves having a carefully planned marketing strategy.

While there are a range of different approaches that companies can take, sending out marketing emails proves popular, because many organizations have substantial email lists of their clients.

This practice can have a range of business advantages, but the more cautious in the sector may be wondering “Do healthcare marketing emails have to be HIPAA-compliant?”

It’s an important question to ask, and one that’s not exactly clear-cut, because the answer is dependent on the context.

Does the Email Contain Protected Health Information?

Information is protected by HIPAA regulations if it contains “protected health information” that is “individually identifiable.” The term “protected health information” refers to any data that relates to a person’s health, treatment or payment information, whether it is in the past, present, or future.

Under this definition, things like the results of a test, a prescription, an appointment notice, or a receipt for healthcare services are just a few of the many things considered “protected health information.”

Is the Information Individually Identifiable?

If information is individually identifiable, it can somehow be linked back to the individual. HIPAA lists a long set of possible identifiers, such as names, addresses, birthdays, contact details, insurance details, biometrics, and many more. The final entry in the official list is “Any other characteristic that could uniquely identify the individual”, so the concept is really all-encompassing.

Does the Marketing Email Tick Both Boxes?

If it does, then the email needs to be sent in a HIPAA-compliant manner. If it doesn’t, your organization may be safe. But before you rush into sending off your emails, you need to be careful, because the edges of HIPAA can be blurred, and it’s best to stay on the safe side.

Let’s give you an example. A clinic comes across a study that recommends new dietary supplementation for expectant mothers. It decides that it can use this information not just to help mothers-to-be, but also to bring in new business. The clinic then sends out an email to all of its expectant mothers with details from the new study, asking them to make an appointment if they have any further questions.

Everything should be above board, right? Well, maybe not. Because the email was only sent to expectant mothers, it implies that everyone in the group is an expectant mother, which means that it could be considered protected health information. Since it was also addressed to each of their email addresses, it also contains individually identifiable information.

With both of these characteristics in place, it’s easy to see how this kind of email could potentially fall foul of HIPAA regulations. If the email had been sent to every patient of the clinic, then it might not be viewed as violating HIPAA, because such an approach wouldn’t single out the women who were pregnant (though it might single you out as a former patient of that clinic and, depending on what the clinic is, that could also imply things about your past/present/future medical treatments). While this kind of situation sounds rare, it’s important to appreciate that it can and does occur, so that your organization is more cautious and doesn’t unwittingly end up with a HIPAA violation.

Even if most of your organization’s emails never tick both of these boxes, it may be best to send them in a HIPAA-compliant manner anyway. This is because a slight, unintentional change to your organization’s approach could lead to the inclusion of ePHI, leading your company to a HIPAA violation.

When you consider the high penalties for these violations in comparison to the insignificant cost of sending HIPAA-compliant messages, making sure that all of your organization’s emails are sent in compliance with the regulations ends up being a pretty cheap insurance policy.

How Can You Make Healthcare Marketing Emails HIPAA-Compliant?

If your organization sends out marketing emails that could contain ePHI, then it’s important to make sure that they are sent in a HIPAA-compliant manner. The best approach is to use a HIPAA-compliant bulk email service, such as LuxSci’s High Volume Secure Email Sending.

Your organization will need to sign a HIPAA Business Associate Agreement with the service provider and use the appropriate encryption, access control and other security mechanisms that are needed to protect ePHI.

Using a service with opt-out encryption (as opposed to one with risky opt-in encryption, which requires you to actively specify which messages need encryption) limits the risk of user error, which means that your organization has more freedom to send out its marketing emails without such a significant threat of accidentally violating HIPAA regulations.

Email Delivery Status Tracking … for successes, failures, and bounces of all kinds

Tuesday, July 10th, 2018

LuxSci automatically tracks the delivery status for all email messages sent via SMTP, WebMail, and the LuxSci API. This report indicates whether or not the messages were successfully delivered to each recipient’s email servers, if they failed to be accepted there for some reason, or they are still queued at LuxSci. For many purposes, this automatic delivery status tracking is more than sufficient.

A standard automatic delivery tracking process has one limitation. If an email message is successfully delivered to the recipient’s servers but later bounces back to the sender, the message will show as “delivered” (because it was) and there will be no indication of the subsequent bounce.

The optional “Automatic SMTP Bounce Processing” feature takes care of this situation.

Read the rest of this post »

GDPR & Email: 10 Critical Questions & Answers for Compliance

Thursday, May 24th, 2018

GDPR, the General Data Protection Regulation, which asserts and enforces protections on the personal information of EU citizens, is on everyone’s minds these days. This is because it impacts any company anywhere in the world that interacts with citizens of the European Union (EU), even if that only means sending email messages to them. The kicker … if you are found to be in non-compliance, you could earn yourself a fine of 20 million euros or 4% of your gross annual revenue, whichever is higher.

GDPR and Email: 10 Critical Questions

As an email security company, we receive a lot of questions around the intersection of email and GDPR. There is a whole lot of confusion out there and ambiguity in the regulations. In this post, we answer 10 of the most prominent and important questions on GDPR and email that we have seen. The answers are at times surprising and even enlightening. However, if you are unaware of the answers to these questions, you are almost certainly out of compliance with GDPR.

Read the rest of this post »

Are you Prepared for Disaster? Business Continuity Planning for Email Outages

Friday, February 9th, 2018

It happens to everyone who uses any email service: suddenly your email is no longer working. If it’s just for a few minutes or some scheduled time at night, it’s usually no big deal. However, if it’s in the middle of your work day and you rely on email, you may have a big problem.

Email can go down. Are you prepared?

What do you do if your email stays offline for 5 minutes … 10 minutes … an hour … and you don’t know when it is coming back?

Read the rest of this post »

Ask Erik: Is this email fake? How can I tell?

Thursday, December 28th, 2017

In a recent “Ask Erik” question, Eve asked:

“I received a copy of an email that someone claims they sent to me. They did not forward this apparent email they claim they sent to me. Rather they copied and pasted it into a current email.

However, I did not receive this email, and in all honesty this apparent copy of this email looks fake. I believe I could easily create this type of fake email myself. So, is there a way of telling whether someone has faked an email which they claim they sent to you? And, should I insist that the original email they claim they sent to me is forwarded to me and not copied and pasted?”

Read the rest of this post »
