Google Workspace is one of the world’s most popular email platforms. Although it is more than adequate for basic email correspondence, Gmail does not come configured to meet HIPAA email security requirements. To use Google Workspace in a HIPAA-compliant manner, you need to use a third-party connector to secure your communications.
Read the rest of this post »
Online reviews are critical for success in our modern business world. Many of us turn to online reviews when searching for a new health provider, but HIPAA compliance issues complicate how providers can use online reviews.
Savvy health care marketers want to use online reviews to attract new patients. But how can they do so while also protecting sensitive data and complying with HIPAA?
Online reviews are extremely popular and are often consulted by patients looking for new providers. Google, Yelp, and Facebook are just a few of the most common review websites that people visit. Skilled digital marketers in every industry recognize the power of a positive review and want to incorporate online reviews and testimonials into their marketing strategies. How many times have you been contacted and asked to leave a review after visiting a restaurant, supermarket, or retail store?
However, when it comes to the health care industry, it’s not as simple as sending off an automated email or survey. Health care marketers need to keep HIPAA compliance in mind when crafting their review campaigns.
A traditional email campaign to request a review is quite simple. The sender creates a message that says something like “Thanks for visiting Dr. Smith’s office today. We hope you had a positive experience and we would appreciate your feedback. Please click here to leave a review on Google.” You may not realize it, but this simple ask is more complicated than it seems from a HIPAA compliance perspective. Why? Because even the most seemingly mundane details constitute electronic protected health information (ePHI).
ePHI is defined as “individually identifiable health information” relating to:
A patient’s name and even their email address are considered individually identifiable information, while asking for a review of their appointment clearly relates to the “…provision of health care to the individual.”
Most messages that ask for an online review include ePHI and must be protected. If this information isn’t adequately secured, the message will be sent in violation of HIPAA. These violations can result in significant penalties for your organization.
Is it possible for healthcare marketers to solicit patient reviews via email? Keeping the message content as generic as possible may help you avoid a violation. However, when it comes to HIPAA and patient security, we always recommend stepping up your game.
Sending normal emails or text messages is risky, but a HIPAA-compliant email solution allows you to circumvent this problem. Services like LuxSci’s Secure Marketing and Secure High Volume Email are designed with HIPAA compliance in mind. They have the appropriate protections (including message encryption) in place to keep ePHI secure.
Using these services allows you to ask patients for online reviews, all in a HIPAA-compliant manner. Not only will this help your company get more positive online reviews, but LuxSci’s solutions allow you to automate the whole process. You can set up the systems to automatically email patients after they have an appointment, making it simple for your company to boost its online reputation.
Most marketers know that it is a good practice to respond to patient reviews, whether they are positive or negative. However, public correspondence regarding patient appointments can be a nightmare when it comes to HIPAA compliance.
Even acknowledging that a patient had an appointment with your organization can be a HIPAA violation, because it combines details of their health care with individually identifiable information in a public forum.
This means that even if a patient publicly writes about their medical conditions or treatments, you can’t acknowledge them. This means messages like “Thanks so much! We’re glad Dr. Smith was able to stitch you up.” or “We’re sorry to hear you had a bad experience refilling your anti-depressant prescription. How can we fix the situation?” are off-limits.
It’s counter to how most marketers would like to reply, but for compliance reasons you cannot acknowledge their visit or the specifics. A HIPAA-compliant message could be something like* “We really appreciate your review.” It may seem impersonal, but the law is the law, and you face huge fines if you disobey it.
(*Please note that this is not intended as legal advice. You should consult a lawyer if you have questions about online reviews and compliance.)
There are many situations where you may want to give a more sincere reply than the example above, especially if a patient had a negative experience. If the review is not anonymous, we recommend having a staff member reach out privately.
It’s best to see these as opportunities to listen to your patients and try to rectify the situation. By taking the right approach, you can turn a negative review into a positive experience.
However, you can’t have a detailed discussion about the online review on the website while still maintaining your HIPAA compliance. This means that you need a way to reach out to your patients without violating the regulations. LuxSci’s Secure Email is perfect for these kinds of situations, because it is designed from the ground up to be HIPAA-compliant. You can email your patients to discuss the situation without worrying about exposing their ePHI and violating the law.
Contact LuxSci now to find out how you can use our services to reach out to your patients and collect reviews that drive new business.
An email encryption gateway is a great way to protect sensitive emails for HIPAA compliance. You probably know just how important encryption is for sensitive data, as well as information that is protected by law, like ePHI. However, embracing these protections can sometimes be challenging. Gateways that rely on opt-in encryption put your company at risk, because employees may forget to encrypt protected health information.
Email encryption gateways like LuxSci’s Secure Connector automatically encrypt all outgoing emails, drastically reducing the risk of breaches caused by human errors.
By default, email is incredibly insecure. Protecting it requires additional effort, and it is easy for employees to make mistakes. The main purpose of an email encryption gateway is to encrypt outgoing emails. Some common ways to trigger encryption are:
LuxSci’s Secure Connector automatically encrypts every email message using TLS encryption for a seamless delivery to recipient accounts. LuxSci’s solution allows you to choose the right type of encryption to suit your email use cases. For example, you may want to send highly sensitive messages like patient lab results using a more secure form of encryption like Portal Pickup to protect patient privacy. Not every gateway can provide that level of flexibility so it’s important to understand how you want to use the tool when shopping for a solution.
There are several situations when using an email encryption gateways is appropriate. These include:
One of the most useful applications is for businesses that use Microsoft Office 365 or Google Workspace. These extremely popular email platforms do not come automatically configured for HIPAA compliance. To make Google Workspace HIPAA-compliant, you must use a third-party encryption tool to secure your emails. Microsoft Office 365 has an encryption add-on option, but it can be difficult to configure and cumbersome for your email recipients.
LuxSci’s own email encryption gateway Secure Connector works with both Google Workspace and Microsoft Office 365 and is simple to configure. All it requires are LuxSci smart hosting accounts for your Google or Microsoft users. For example, if you have 20 users for your company’s domain in Microsoft, you would simply need LuxSci accounts set up in the same domain for those 20 users.
Once the user accounts are configured and smart hosting is enabled in Google or Microsoft, the outbound email for all of these users will flow through LuxSci’s Secure Connector. Every outbound email will be automatically encrypted, without the user noticing or having to do anything. This setup can help your organization meet its HIPAA obligations without having to switch email hosting providers.
While one of the most popular uses of LuxSci’s Secure Connector is for automatically encrypting outbound email for Google and Microsoft, this has much to do with the ubiquity of these services, rather than the limitations of email encryption gateways.
LuxSci’s Secure Connector can also solve the following problems:
If your company needs an email encryption gateway to automatically secure all of its outbound email, LuxSci’s Secure Connector is the only choice. Our opt-out approach to email encryption sets us apart from other companies. It is a HIPAA-compliant solution that supports multiple types of encryption to increase security for highly sensitive emails. Contact our team now to learn more about how Secure Connector can help solve your problems.
Our third article on Zero Trust Architecture covers zero trust email and the systems it requires. In May, the Biden Administration announced a new approach to cybersecurity that included a push toward Zero Trust Architecture. We have already covered Zero Trust Architecture as a whole, and also talked about how dedicated servers are important parts of the zero trust model. Now, it’s time to talk about zero trust email.
As we discussed in our previous articles, Zero Trust Architecture begins with the presumption that an organization’s network may not be secure. Because attackers may already be inside the network, NIST stipulates that:
“…communication should be done in the most secure manner available… This entails actions such as authenticating all connections and encrypting all traffic.”
This means that emails always need encryption. While many organizations recognize external threats and encrypt their sensitive external communications, it’s still common for workplaces to use unencrypted communication methods within the company network. This is generally done under the outdated assumption that the internal network is secure.
Zero Trust Architecture understands that any attacker within the network could easily read these communications. This is why zero trust email needs to be encrypted, even when it’s within an organization’s private network. One step in this direction is to force TLS for email encryption for all entities.
The zero trust model also requires encryption at rest, so emails also need to be protected in storage, not just in transmission.
NIST’s publication on Zero Trust Architecture also stipulates that:
“Access to individual enterprise resources is granted on a per-session basis. Trust in the requester is evaluated before the access is granted. Access should also be granted with the least privileges needed to complete the task.”
When it comes to zero trust email, this means that sensitive messages require authentication and authorization to be read. TLS encryption alone is not sufficient, because it doesn’t have the full capability for this type of verification. While it does allow authentication and authorization on the recipient’s email account, it cannot do so on the raw message data.
LuxSci supports:
Each of these email authentication measures are useful for verifying sender identities. LuxSci also offers premium email filtering, and together these techniques limit the trust that is applied to inbound messages.
Together, these techniques identify legitimate email messages while filtering out those that are unwanted or malicious. While it isn’t directly stated in the NIST guidelines, SPF, DKIM and DMARC can all be integral parts of the zero trust framework.
In addition to measures for encrypting messages and verifying inbound emails, zero trust email requires granular access controls to keep out intruders. LuxSci’s Secure Email Services include a wide range of access controls that limit unauthorized access while still making the necessary resources available. These include:
These configuration options help reduce the likelihood that a malicious actor can access your systems. They also limit the sensitive email data that an attacker may have access to if they do manage to compromise an organization’s network.
As a specialist provider in secure and compliant services, LuxSci’s offerings are well-positioned as zero trust email solutions. Our Secure Email aligns with Zero Trust Architecture for every industry vertical, not just HIPAA. Contact our team to find out how LuxSci can help secure your organization with a zero trust approach.
If you are subject to HIPAA regulations- think twice before sending off that marketing email blast to your customers. If your emails contain ePHI, stop and make sure you are using a HIPAA-compliant email marketing platform before sending.
Not all email marketing platforms were designed with HIPAA compliance in mind. In fact, it can be difficult to figure out which vendors will allow you to send HIPAA-compliant emails on their platforms. We created this list of five questions to help you screen potential vendors for compliance.
It’s a simple question, but if the vendor does not mention anything about HIPAA or HITRUST certification on their website, it’s a good indicator that they are not secure enough to be compliant. As you probably know, HIPAA regulations can be onerous, and many companies do not have the time, expertise, or desire to update their technology. On the other hand, if they have taken the time and spent the money to invest in the serious security steps needed for HIPAA compliance, you should be able to find something about it in their marketing.
If you are sharing ePHI with a vendor (including lists of patient names and email addresses), you must have a BAA in place that outlines their responsibilities to protect your ePHI. If a vendor will not sign a BAA with you, it is an obvious sign that you cannot use their platform for HIPAA-compliant email marketing.
However, even if a vendor will sign a BAA, it does not mean that you can use their platform and comply with HIPAA. Read the fine print! Some companies have very restrictive BAAs that severely limit the functionality of the platform and prevent you from sending emails. We call these vendors “quasi” compliant. The only comply with HIPAA, if you abide by strict rules that prevent you from actually using their solution.
For an example, take Constant Contact. They will sign a BAA. However, they explicit state in their BAA that you:
“Should not use our systems for transmitting highly sensitive PHI (for example: mental health, substance abuse, or HIV information). Our application was not built for electronic medical records (EMR). If you have such information to send, please do not use Constant Contact.”
Constant Contact does not encrypt outbound emails, making it a poor choice for a HIPAA-compliant email marketing vendor. Depending on your email use cases, you could be unable to send any emails on their platform. Even worse, if you mistakenly send emails that contain ePHI you will be held liable for violating HIPAA, not Constant Contact, because you violated the terms of the BAA.
Encryption is an addressable standard as part of the HIPAA Security Rule. Encryption is highly recommended to protect ePHI in all digital communications. Many email marketing platforms have adopted encryption methods that are secure enough to protect ePHI while it remains in their systems. However, that’s not enough to comply with HIPAA. You should specifically ask about their ability to encrypt outbound emails. Data in transit is extremely vulnerable to malicious actors, and therefore you need to encryption to protect emails containing ePHI. If a vendor does not provide encryption for outbound marketing emails then you should not consider using them.
If a vendor says that they do encrypt outgoing messages, it’s important to consider these additional questions.
As a marketer, you want your emails to directly reach the recipient with as little friction as possible. If the recipient has to login to another platform to read the email, it’s unlikely to be read. A good HIPAA-compliant email marketing platform will use TLS encryption to send marketing messages directly to inboxes that support it. Emails sent with TLS encryption appear just like any other message directly in the recipient’s inbox.
However, there may be scenarios when you need to use more secure encryption methods. We recommend finding an email marketing vendor that is flexible and will let you select the right method of encryption for any type of message. For example, you may want to use a portal-based encryption method to send highly sensitive messages. Either way, make sure your vendor can support your needs with the right type of email encryption.
Finally, the most important question to ask is: can I include highly sensitive patient information in an email? If you cannot, you can’t use the full power of the email marketing platform to create targeted, personalized and relevant messages. At best, you can only send generic office newsletters. If you want to create the types of marketing emails that will drive ROI and improve patient engagement, utilize your patient data for personalization and segmentation.
LuxSci’s Secure Marketing platform was built from the ground up with HIPAA compliance in mind. If you would like to learn more about how to create compliant email marketing campaigns utilizing ePHI, please let us know.
