" email security Archives - LuxSci

Posts Tagged ‘email security’

Do Healthcare Marketing Emails Have to Be HIPAA-Compliant?

Friday, July 26th, 2019

Healthcare is a competitive business, and those in the industry are facing increasing pressure to maintain their standing against their rivals. One of the key tactics for keeping up involves having a carefully planned marketing strategy.

While there are a range of different approaches that companies can take, sending out marketing emails proves popular, because many organizations have substantial email lists of their clients.

This practice can have a range of business advantages, but the more cautious in the sector may be wondering “Do healthcare marketing emails have to be HIPAA-compliant?”

It’s an important question to ask, and one that’s not exactly clear-cut, because the answer is dependent on the context.

Does the Email Contain Protected Health Information?

Information is protected by HIPAA regulations if it contains “protected health information” that is “individually identifiable.”  The term “protected health information” refers to any data that relates to a person’s health, treatment or payment information, whether it is in the past, present, or future.

Under this definition, things like the results of a test, a prescription, an appointment notice, or a receipt for healthcare services are just a few of the many things considered “protected health information.”

Is the Information Individually Identifiable?

If information is individually identifiable, it can somehow be linked back to the individual. There is a long list of possible identifiers under HIPAA, such as names, addresses, birthdays, contact details, insurance details, biometrics, and many more. The final entry in the official list of possible identifiers is “Any other characteristic that could uniquely identify the individual”, so this concept really is all-encompassing.

Does the Marketing Email Tick Both Boxes?

If it does, then the email needs to be sent in a HIPAA-compliant manner. If it doesn’t, your organization may be safe. But before you rush into sending off your emails, you need to be careful, because the edges of HIPAA can be blurred, and it’s best to stay on the safe side.

Let’s give you an example. A clinic comes across a study that recommends new dietary supplementation for expectant mothers. It decides that it can use this information not just to help mothers-to-be, but also to bring in new business. The clinic then sends out an email to all of its expectant mothers with details from the new study, asking them to make an appointment if they have any further questions.

Everything should be above board, right? Well, maybe not. Because the email was only sent to expectant mothers, it implies that everyone in the group is an expectant mother, which means that it could be considered protected health information. Since it was also addressed to each of their email addresses, it also contains individually identifiable information.

With both of these characteristics in place, it’s easy to see how this kind of email could potentially fall foul of HIPAA regulations. If the email had been sent to every member of the clinic, then it might not be viewed as violating HIPAA, because such an approach wouldn’t single out the women who were pregnant (though it might single you out as a former patient of that clinic and, depending on what the clinic is, that could also imply things about your past/present/future medical treatments). While this kind of situation sounds rare, it’s important to appreciate that it can and does occur, so that your organization is more cautious and doesn’t unwittingly end up with a HIPAA violation.

Even if most of your organization’s emails never tick both of these boxes, it may be best to send them in a HIPAA-compliant manner anyway. This is because a slight, unintentional change to your organization’s approach could lead to the inclusion of ePHI, leading your company to a HIPAA violation.

When you consider the high penalties of these violations in comparison to the insignificant costs of sending HIPAA-compliant messages, making sure that all of your organization’s emails are sent in compliance with the regulations ends up being a pretty cheap insurance policy.

How Can You Make Healthcare Marketing Emails HIPAA-Compliant?

If your organization sends out marketing emails that could contain ePHI, then it’s important to make sure that they are sent in a HIPAA-compliant manner. The best approach is to use a HIPAA-compliant bulk email service, such as LuxSci’s High Volume Secure Email Sending.

Your organization will need to sign a HIPAA Business Associate Agreement with the service provider and use the appropriate encryption, access control and other security mechanisms that are needed to protect ePHI.

Using a service with opt-out encryption (as opposed to one with risky opt-in encryption, requiring you to actively specify which messages need encryption) limits the risks of user error, which means that your organization is more free to send out its marketing emails, without such a significant threat of accidentally violating HIPAA regulations.

Will Email Ever Be Truly Secure?

Tuesday, November 6th, 2018

Email gateways are a leading cause of security breaches. The optimistic view is that effective email security practices, firewalls, mobile device security, wireless security, endpoint security, web security, behavioral best practices, data loss prevention and network access control – among other solutions – can ensure foolproof security. The realistic view is that email – or anything for that matter – cannot be truly secure.

To err is human. Technology advancement is a boon and a bane: cyber attacks are more sophisticated than before. You cannot trust any single security solution, place your full trust in end-to-end encryption (currently the most secure way to communicate securely and privately online), or predict when someone will break into your device and access your email.

The road to HIPAA compliance is paved with many risks, possibilities and outcomes. Well-researched and thoughtful implementations are essential but there are many decisions to make and loose ends to tie up. Your ePHI protection, privacy and confidentiality practices may be excellent, but your employees may still mistakenly dispose of a fax machine or hard drive that contains retrievable PHI. Or some of your staff may fail to observe the policy of what needs to be encrypted and what does not.

 

And if you thought that email encryption, cryptographic protocols and even your computer system and CPU were protecting your data at all times, think again…

Read the rest of this post »

HIPAA-Compliant Email Checklist – 8 Things You Need to Know

Tuesday, August 14th, 2018

The Health Insurance Portability and Accountability Act (HIPAA) applies to protected health information (PHI). When stored or transmitted electronically, the HIPAA Security and Privacy Rules require covered entities to safeguard the integrity and confidentiality of electronic protected health information (ePHI). The most common way in which ePHI is shared is via email. No wonder then that HIPAA-compliant email security is a critical concern for healthcare organizations, with a majority preferring to outsource this item to knowledgeable providers.

The HIPAA email security rule

The HIPAA Security Rule pertaining to email explicitly requires adequate protection for all patient data and does not endorse or prohibit the use of any specific technologies to ensure robust protection. The rule lays down four standards:

Read the rest of this post »

SSL versus TLS – What’s the difference?

Saturday, May 12th, 2018

TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are protocols that provide data encryption and authentication between applications and servers in scenarios where that data is being sent across an insecure network, such as checking your email (How does the Secure Socket Layer work?). The terms SSL and TLS are often used interchangeably or in conjunction with each other (TLS/SSL), but one is in fact the predecessor of the other — SSL 3.0 served as the basis for TLS 1.0 which, as a result, is sometimes referred to as SSL 3.1. With this said though, is there actually a practical difference between the two?

SSL versus TLS: What is the difference?

See also our Infographic which summarizes these differences.

Read the rest of this post »

The Case For Email Security

Tuesday, March 31st, 2015

We all know that regular email is insecure; however, it may surprise you to learn just how insecure it really is. For example, did you know that messages which you thought were deleted years ago may be sitting on servers half-way around the world? Or that your messages can sometimes be read and modified in transit, even before they reach their destination? Did you know that forging email is very, very easy? Can you trust what you read in an email? Email security was never designed into the internet from the beginning and, as a result, many different solutions have evolved to plug the multitude of resulting issues.

This article is designed to teach you about how email really works, what the real email security issues are, what mitigations to these are generally in use, and what else you can do to protect your email.

Information security and integrity are centrally important as we use email for personal and business communication, sending confidential and sensitive information over this medium every day. While you are reading this article, imagine how these security problems could affect your business, your personal life, and your identity… if they have not already.

Read the rest of this post »
