" email encryption Archives - Page 4 of 6 - LuxSci

Posts Tagged ‘email encryption’

Infographic: Most Email Software Cannot Use PHI

Thursday, January 12th, 2023

Email Communication is Necessary- But Introduces Risk

When it comes to receiving communications from businesses, 93% of people say that email is their preferred communication channel. In the healthcare industry, organizations must take extra care to comply with HIPAA. Only some email marketing platforms can adequately protect PHI. If not properly secured, email can introduce significant risks to sensitive data. 72% of organizations report experiencing an email cyberattack.

As the definition of PHI is ever-expanding to include information like biomarkers, organizations need to adopt a more secure posture for their personal, transactional, and marketing email. Cybercriminals seek out personal data because it is highly valued on the dark web. Data Loss Prevention (DLP) and policies preventing users from sending PHI insecurely are not enough.

Humans are prone to error and often make mistakes classifying PHI. Even DLP technology is not infallible- keywords can be misspelled, and PHI only sometimes fits cleanly into pre-determined filters. 40% of threats stem from internal actors. Many are not malicious, just mistakes! You must account for errors when humans are part of your security program.

So how can you prevent data leakage and ensure the security of sensitive data at rest and in transit? It’s simple when you choose the right solution. Resolve the tension between security risk and business engagement objectives by choosing a fully compliant email marketing solution.

infographic email phi(Click to Expand)

Two Requirements for Including PHI in Marketing Emails

Secure Application

HIPAA does not require at-rest encryption, though it is recommended to decrease risk and potential liability. When using email marketing platforms or customer relationship management systems that contain PHI, it’s essential to keep that information protected. You must ensure that all collected and stored protected health information is encrypted and can only be accessed and decrypted by people with the appropriate keys. This makes backups secure, protects data from being improperly accessed, and generally protects the data no matter what happens (unless the keys are stolen). Encryption is essential to protect private health data at rest in an application.

Transmission Encryption

If protected health information is transmitted outside of the database or application, encryption must also be used to protect the data in transmission. At a minimum, TLS encryption (with the appropriate ciphers) is secure enough to meet HIPAA guidelines. However, TLS alone may not be appropriate for your use cases. Non-compliant and quasi-compliant applications do not offer transmission encryption that is secure enough to comply with HIPAA. You should only send communications containing PHI if they are encrypted.

Types of Email Marketing Solutions

Non Compliant (1)

Many of the most popular email solutions on the market were not designed to protect the sensitive data of the healthcare industry. These vendors will not sign Business Associate Agreements and do not provide the storage or transmission encryption needed to meet HIPAA requirements. Healthcare organizations should only use these solutions if they do not send PHI- which may be impossible if you plan to email lists of patients with any information about their healthcare. 

Quasi Compliant (2)

HIPAA does not require any specific technology to meet its requirements, which allows for flexibility, but also creates uncertainty. No central government organization certifies HIPAA compliance, and as a result, many organizations advertise themselves as “HIPAA-compliant” but don’t enable you to take full advantage of their functionality. We call this “Quasi compliance.”

Quasi-compliant solutions often provide a secure application and protect patient data at rest. However, they will not permit you to send emails or transmit PHI outside the database. This can seriously limit the usefulness of the solution. Take a real-life example: one healthcare organization purchased a CRM system and set it up, uploaded their contacts, and was ready to start using it, so they enabled the “HIPAA Compliance” toggle on the backend. They quickly found that much of the functionality was no longer available and wouldn’t allow them to email or log certain data types. The solution was almost useless for their patient engagement efforts.

Other applications will permit you to use the full functionality of the solution, but when you read the terms of the Business Associate Agreement, it is clear that you are not allowed to send PHI. If signed, your organization will be responsible for any breaches caused by sending PHI insecurely, not the vendor.

Full Compliance (4)

This is why it’s crucial to vet solutions carefully and not take shortcuts regarding HIPAA compliance. Any CRM, CDP, or email marketing solution must protect data at rest in a secure application and encrypt transmitted messages. Even more importantly, it shouldn’t take any extra training or require any extra steps to use in a compliant way.

At LuxSci, (3) we provide a secure application to manage your email campaigns that encrypts transmitted messages automatically. Our Secure Marketing solution is designed to meet the unique security needs of healthcare organizations. All email transmissions are encrypted automatically, and users can choose the right type of encryption (TLS, Portal Pickup) to meet their email use cases. Automatic encryption gives your security and compliance teams peace of mind that all messages are sent securely. Data is protected throughout the lifecycle and does not require employees to decide whether a message contains PHI. Healthcare marketers can fully use PHI to personalize and customize messaging to increase patient engagement and get better ROI on their marketing campaigns. 

Healthcare Marketing & HIPAA: Are you in Compliance?

Wednesday, September 14th, 2022

Healthcare Marketing Today

Marketing is essential to growing any business successfully, but when you work in regulated spaces such as healthcare, there are compliance considerations. Whether responding to an online patient review or trying to increase patient engagement through marketing campaigns, misunderstandings in marketing best practices can lead to patient privacy breaches.

The Health Insurance Portability and Accountability Act (HIPAA), which controls what and when patient information may be shared for marketing purposes, was enacted before the electronic age. As a result, it can be challenging to find information regarding appropriate marketing practices using modern social and software technologies.

HIPAA and Healthcare Marketing

A large part of HIPAA regulates what is appropriate for the use or disclosure of patient information. There are certain instances where the use and disclosure of protected health information (PHI) is allowed without patient consent. These instances include sharing PHI for treatment, payment, or healthcare operations.

However, before you can use patient information for marketing efforts, you need to receive explicit written consent from the patient. The consent form must be specific to the marketing efforts you will use the patient’s PHI in. For instance, if you would like to share patient testimonials, photos, or videos on your website or social media accounts, the patient must sign a consent form stating that you will use their information in this way.

HIPAA-compliant marketing also largely depends on an employee’s understanding of the law. Employees responsible for handling PHI must be trained to use and disclose PHI within the scope of their job role. Improperly trained employees can expose your practice to HIPAA violations and costly fines.

examples of healthcare marketing breaches

8 Common Misunderstandings of Marketing and HIPAA

1. As long as patient consent is obtained, HIPAA doesn’t matter
Some organizations think they can use any marketing tool with a signed patient consent form. Still, the tool has to be HIPAA-compliant. Even if patients agree, it does not remove the organization’s obligations to secure PHI under the law. If protected health information is improperly accessed, it is still a breach and can lead to severe financial and reputational consequences.

2. Marketing emails do not need encryption
Many marketing emails imply a relationship between patients and providers and, as such, can often be classified as protected health information. PHI must be encrypted in transit and at rest to comply with HIPAA.

3. Personalizing marketing emails is a HIPAA violation
Marketing emails can be personalized as long as the proper safeguards and precautions are in place to protect patient privacy and meet compliance requirements.

4. Marketing companies do not need to sign Business Associates Agreements
As of 2013, the HIPAA Omnibus rule expanded HIPAA obligations to include business associates and subcontractors. Marketing agencies and vendors that process PHI on behalf of a covered entity must comply with HIPAA regulations, which include signing a BAA.

5. The only way to protect PHI is to use patient portals
TLS encryption meets HIPAA transport encryption requirements and provides a better user experience. Marketing emails sent with TLS encryption are more likely to be opened than those sent to a patient portal.

6. Using BCC is enough to keep patient identities private
BCC is NOT enough to protect patient identities. Although the end recipient cannot tell who else received the message, the entire list is visible as the messages are transmitted from server to server. The messages can be eavesdropped on by someone with technical abilities.

7. Always respond to social media reviews
Be extremely careful when responding to online reviews. Publicly confirming information about a patient’s health or treatment status is a HIPAA violation.

8. Healthcare marketing isn’t necessary or worth the hassle
Healthcare consumerism is rising, and patients are willing to change providers if they are unsatisfied with their experience. Educating and informing current and potential patients about your services is essential to improve new customer acquisition and retention.

How to be HIPAA-Compliant

The most crucial step is vetting marketing vendors and HIPAA compliance tools. Any vendor that handles PHI on behalf of a healthcare entity needs to sign a Business Associate Agreement that outlines how patient data will be stored, transmitted, and disposed of. Don’t choose a vendor who is unfamiliar with HIPAA’s stringent requirements. Also, watch out for quasi-compliance. Some self-identified “HIPAA-compliant” vendors can protect data at rest but not in transmission or require patient waivers to achieve compliance.

Next, always use encryption and default to security. Identifying PHI is often tricky, and the legal burden should not fall on the marketing team. By selecting technology that encrypts every marketing email, you can rest assured that messages are secure and compliant. A bonus tip- do not send marketing messages to an encrypted patient portal. Instead, send marketing messages with TLS encryption directly to patients’ inboxes. You will see much higher response rates and engagement.

Finally, to create the most effective marketing campaigns, use PHI to create segmented audiences and send them personalized content. These tactics are widely used outside the healthcare industry because they deliver results. *Remember that any tool you put PHI into must be HIPAA-compliant.

How LuxSci and Compliancy Group Can Help

LuxSci’s Secure Marketing tool is an email marketing platform designed to meet HIPAA requirements. It allows marketing teams to segment audiences and personalizes emails to engage patients and improve marketing ROI. If you are already using a third-party email marketing platform, no worries, we got you covered. LuxSci’s Secure High Volume Email solution can integrate with any third-party platform to make sure those emails are also HIPAA-compliant.

Compliancy Group enables healthcare organizations and vendors serving the healthcare industry to achieve HIPAA compliance through an automated software platform and live guided coaching. The Guard, its proprietary compliance platform, covers all the necessary parts of the HIPAA regulation. Compliancy Group awards clients the HIPAA Seal of Compliance upon successful completion of their process. The Seal can be displayed on a practice’s website, email signature, and signage, and proves they are dedicated to protecting patient information and have completed the steps required to satisfy the law.

email CTA

New Feature: Secure Email Tagline

Thursday, June 23rd, 2022

LuxSci is introducing a new email tagline feature to inform recipients that email messages are secured. This helps build trust and increase confidence with less tech-savvy recipients who do not understand how email encryption works.

secure email tagline

TLS Encryption

TLS encryption is now widely supported by the most popular email providers. As a result, more organizations are choosing to send emails containing sensitive data with TLS encryption. There are a few reasons for this:

  1. TLS encryption is permitted under HIPAA and most compliance regulations.
  2. It’s easier to use and does not require recipients to log in to portals to access their messages.
  3. The open and response rates are higher on TLS encrypted messages.

However, using only TLS to encrypt emails can be confusing to the laypeople receiving them. While it’s easy to use and “invisible,” that can be concerning when transmitting sensitive information. If it looks like a regular email, recipients may be concerned that the organization does not care about the security of their personal information. This perception can negatively impact the business and dissuade people from using digital channels.

Introducing a New Email Tagline

For these reasons, all Email Hosting, Secure Connector, Secure High Volume Email, and Secure Marketing customers who send emails encrypted via SecureLine will have a small tagline at the bottom of the email that indicates the message is secure. It looks like this:

message secured by LuxSci tagline

This tagline builds trust and lets the recipient know that the company has taken steps to secure sensitive data. If you are an existing customer, visit your email settings or contact Customer Support to enable this feature. New customers will automatically have the tagline enabled when sending SecureLine encrypted emails.

HIPAA-Compliant Email Hosting or Outbound Email Encryption?

Tuesday, January 25th, 2022

There are many ways to protect ePHI in email. HIPAA is technology-neutral and doesn’t make specific recommendations for how to protect email communications. This article explains the difference between a HIPAA-compliant email host and an email encryption gateway. These are just two of the options for securing email accounts.

email encryption

Read the rest of this post »

Hidden Security Dangers of Google Workspace and Google Drive

Tuesday, November 30th, 2021

Google is one of the world’s most popular email providers. Many businesses choose to utilize Google Workspace for their email communications because of their collaboration tools like Calendar, Docs, and File Sharing via Google Drive. Google Workspace includes basic privacy and security protections, but their security measures are not enough for HIPAA compliance. Even though Google will sign a BAA with HIPAA covered entities, it may not apply to all of the Google apps. Google Workspace has hidden dangers that may lead to a violation of HIPAA rules.

is google workspace hipaa compliant

EMAILS SENT FROM GOOGLE CALENDAR ARE NOT ENCRYPTED

Google Calendar is a core service of Google Workspace and is covered by a Business Associates Agreement. The problem is that email encryption is not a standard feature of Google Workspace. That is, although Google supports encrypted messages within its servers, emails sent to other systems are not encrypted.

Google does not even offer a native end-to-end email encryption solution; one has to purchase such services from a third party and integrate it with your Google account.

So, even though Calendar and other core services – including Gmail, Drive, Meet and Google Cloud Search – are covered by the company’s BAA, the emails that Gmail automatically schedules and sends via Calendar are not encrypted.

In addition, it is extremely important to make sure your calendar settings are completely private and that your calendars are not visible to anyone who should not have access to PHI. Many of these settings are public to your organization by default, so make sure you take the time to configure the account properly.

YOU MAY END UP SENDING UNENCRYPTED PHI

HIPAA has a ‘per violation’ penalty, imposing a fine on every email that fails to comply with HIPAA rules. As far as emails go, you can send PHI via email as long as it is secure and encrypted and other requirements are met (i.e., access control, backups, audit trails, etc.). If you think about it, encryption protects PHI in many ways; for instance, if an email containing PHI is sent to the wrong recipient, it cannot be read or used without the keys needed to decrypt it. On the other hand, by choosing to send emails unencrypted, you expose your organization to security, financial and legal risks.

For the record, ‘reasonable cause’ penalties range from $1,000-$50,000 per breached data item, ‘willful neglect (corrected)’ attracts penalties between $10,000-$50,000. ‘Willful neglect (not corrected)’ penalties will cost you a flat $50,000 fine per breached data item.

You can, potentially, send out all kinds of ePHI courtesy of the Calendar-Gmail integration. Examples include:

  • Meeting invitations
  • Appointment reminders
  • Appointment follow-up instructions
  • Health-related advice and comments
  • Patient satisfaction survey containing identifying information
  • Mentions of new or urgent symptoms
  • A brief discussion of mental or sensitive health problems
  • Details of the patient’s care
  • Emailing patient’s details to a colleague
  • Information related to test results or prescription refills

Your BAA with Google isn’t very useful if Google Workspace poses a regulatory risk of ePHI breach.

PHI CANNOT BE USED WITH THESE GOOGLE SERVICES

Your BAA does not cover all Google Services. For example, your internal policies should disallow the use of PHI with Google+ and Google Contacts, should you enable these services. To be on the safe side, you also need to set checks and balances for HIPAA-compliant services in Google Workspace. Some other common risks include:

  • Files uploaded to Google Drive must not contain PHI in file or folder titles or within team drives. Restrict file and folder sharing to trusted entities.
  • Free Gmail accounts pose a big risk of ePHI breach. Gmail does not offer a native encryption solution, and on its own, can never be HIPAA compliant. Free Gmail services do not come with a BAA and as a result do not meet compliance standards.
  • Assess the appropriate uses of Google Meet and Chat in relation to PHI and train staff appropriately. The use of messaging apps on mobile devices is one area where violations can occur and potentially stack up pretty quickly.
  • You cannot send emails with PHI from Google Workspace, even if you have a BAA with Google. Emails with PHI must be encrypted and using a third-party email encryption service is required to meet compliance standards.

YOU CAN AUTOMATICALLY SECURE ALL OUTBOUND EMAIL FROM GOOGLE WORKSPACE APPS

You can address many common compliance challenges with proper user training and appropriate administrative controls. However, encrypting emails sent from Google requires the use of a third party encryption solution. LuxSci’s SecureLine encryption technology was designed for HIPAA compliance and is compatible with any email program.

SecureLine is a simple system that offers advanced email security. You can choose the encryption method (TLS, PGP, S/MIME or ESCROW), and automatically secure all outbound email from Google Workspace apps. You can continue to receive email from any program or web service.

SecureLine is linked with the SecureSend Portal, our free web-based service that your recipients can access for free in order to send encrypted email.

USE SMART HOSTING TO ADD ENCRYPTION TO OUTBOUND EMAIL

By configuring your Google Workspace account to send all outbound email through LuxSci for processing and delivery, you will not only be adding encryption that secures ePHI but also masking your IP address. By using a third-party connector, you can also add outbound email archival to meet HIPAA requirements.

LuxSci’s Secure Connector is a better option than others because of our always on encryption settings. Administrators can enforce encryption for all users who are likely to be sending PHI via email. Instead of relying on employees remembering to encrypt emails, all of their emails are automatically encrypted via TLS. More on that here: Opt-In Email Encryption is Too Risky for HIPAA Compliance.

Is Google Workspace HIPAA Compliant?

If you still want to use Google Workspace for your business, make sure you take the appropriate steps to secure your accounts. Google Workspace can be HIPAA-compliant, but it does not come automatically configured to meet those standards. Admins must take the time to disable public sharing settings for users with access to PHI and set up clear policies regarding app usage. They must also set up an encryption solution to send emails that contain PHI. Only after these steps are taken, can Google Workspace be HIPAA compliant.

Want to discuss how LuxSci’s HIPAA-Compliant Email Solutions can help your organization? Contact one of our email security experts today.