" encrypted email Archives - LuxSci

Posts Tagged ‘encrypted email’

Frequently Asked Questions: HIPAA and Email Marketing

Thursday, October 27th, 2022

HIPAA is a complicated law that offers a lot of guidance but does not require the use of any specific technologies to protect patient privacy. This causes a lot of confusion when it comes to HIPAA-compliant marketing campaigns. This article addresses some frequently asked questions about HIPAA-compliant email marketing and what you need to do to be on the right side of the law.

Do generic practice newsletters still count as PHI?

In many cases, even generic email newsletters can be considered PHI because they are sent to lists of current patients. Email addresses are individually identifiable and combined with the email content; it may imply that they are patients of the practice. For example, say you send a “generic” newsletter to the patients of a dialysis clinic. An eavesdropper may be able to infer that the recipients receive dialysis. Therefore the email is PHI and should be protected.

In some cases, it can be complicated to determine what is PHI and what is not. Using a HIPAA-compliant marketing solution is best to avoid ambiguity and ensure you are secure.

What are email marketing best practices for organizations using Mailchimp?

The best practice is not to use Mailchimp! Mailchimp is NOT HIPAA-compliant and will not sign a Business Associate Agreement to protect your data. The best way to begin an email marketing program is to select a fully HIPAA-compliant vendor. Simply put, this means that emails are encrypted in transit, and stored data is also encrypted. 

 

quasi compliance

What is an Email API?

API is an acronym that stands for “Application Programming Interface.” An email API gives applications (like CRMs, CDPs, or EHRs) the ability to send emails and retrieve analytics. Email APIs are often used to send transactional or bulk marketing emails. Trigger-based emails are ideal for sending with an email API. In this situation, emails are sent when pre-determined conditions in the application are met. For example, an order confirmation is a transactional, trigger-based email. A person buys a product online, the transaction is processed, and an email is sent to the buyer with their transaction details. The email is sent automatically with an email API. When a new patient has an upcoming appointment, an email API could be used to send a reminder email and offer rescheduling options. Email APIs enable the automation of common email workflows.

Does HIPAA permit providers to send unencrypted emails with PHI to patients?

Encryption is an addressable standard under the HIPAA Security Rule, but that does not mean it’s optional. The HIPAA Privacy Rule does not explicitly forbid unencrypted email. Still, it does state that “other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted email.”

The Department of Health and Human Services (HHS) has clarified this by stating that “covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email.” Some organizations use waivers to inform patients of the risks and acquire permission to send unencrypted emails.

However, we do not recommend this for several reasons. One, keeping track of waivers over time and recording status changes and updates is challenging. Two, signed waivers do not insulate you from the consequences of a HIPAA breach. And finally, using waivers to send unencrypted emails doesn’t eliminate your other HIPAA obligations. Using a HIPAA-compliant solution is more manageable and eliminates ambiguity.

Do patients have a right to exercise their right of access to their own PHI by receiving it via unencrypted email?

Yes, but they must be fully informed of the risks and sign waivers acknowledging them. The caveats in the previous answer apply. It’s always better to encrypt emails. 

Is Microsoft 365/Exchange 365 encryption sufficient for marketing emails?

Microsoft 365 can be configured with Office Message Encryption (OME) to comply with HIPAA. However, it is not well-suited to send marketing emails. OME primarily relies on portal pickup encryption, in which the message is stored securely on a server and requires the recipient to log in to the portal to read the email. If you are a marketer trying to increase open and response rates, the portal adds a barrier to access that many will not cross. Light-PHI marketing messages are best sent using TLS encryption. TLS-encrypted messages arrive in the recipient’s inbox just like a regular email and do not require a user to log in to read the message.

tls vs portal pickup

Conclusion

HIPAA can be difficult to understand, but choosing the right tools and properly vetting your vendors makes it easy to execute HIPAA-compliant email marketing campaigns. If you are interested in learning more about LuxSci’s easy-to-use, Secure Marketing platform, please get in touch with our sales team.

HIPAA Email: Does it Require Encryption?

Tuesday, July 31st, 2018

HIPAA’s encryption requirements fall in a grey area. This is mainly due to two reasons:

  • encryption is required when ‘deemed appropriate’, which means email encryption is not absolutely necessary and ‘mutual consent’ can be used in place of encryption.
  • there are a number of ‘addressable requirements’ pertaining to the technical safeguards as far as ePHI encryption is concerned

What exactly is mutual consent?

Mutual consent refers to a mutual understanding between doctor and patient that email containing ePHI can be sent to patients’ email account without encryption. Patients should communicate their approval in writing after being informed of the security risks and understanding that a secure option is available. You must additionally maintain all records of mutual consent.

Mutual consent does not waive off other HIPAA-related requirements. You must still use HIPAA-compliant systems, log and audit non-encryption choices, and back-up and archive all email communications sent insecurely, etc.

Encryption at rest is ‘addressable’

‘Addressable’ means that the safeguard should be implemented or an alternative to the safeguard that delivers the same results should be implemented. In the absence of both, you should document and justify why no action has been taken with regard to the safeguard.

Read the rest of this post »

Best Practices for Minimizing the Impact of Social Engineering on Your Organization

Tuesday, June 26th, 2018

When many people think of cybercrime, they think of a bearded guy tapping away at his keyboard in a dark room, searching for vulnerabilities in the network that can be exploited. While exploits are a significant threat, the reality is that many attacks happen in smoother and more subtle ways. Why spend days trying to get in the backdoor when an attacker can ask nicely to be let in through the front? This is the essence of social engineering.

A social engineer uses many tactics to manipulate victims into giving up whatever information they need. Imagine someone with a police uniform knocks on your door and asks for a word. They look authoritative, so you invite them in to sit down. They spend five minutes discussing crime in the neighborhood, and on the way out, they secretly swipe the spare key. A few days later, you return home to discover that all your valuables are gone.

In this case, the social engineer tricked their way into the home by using a police uniform to appear authoritative. Most people won’t think to turn down a police officer’s request or ask for further identification. The attacker took advantage of this to gain access to the house, where they could get what they wanted, the spare key.

Read the rest of this post »

Patient Privacy Issues with Unencrypted Email

Monday, August 28th, 2017

We have scoured the internet for real-life examples of emails in medical scenarios to convince our readers of our points in past posts about the perils and pitfalls of using unencrypted emails for communications. Email is one of the oldest (some even refer to it as “legacy”) tools in our always-connected, digital world. However, its use between patients and their medical providers and between doctors and their business associates can be fraught with issues that may violate the Health Insurance Portability and Accountability Act (HIPAA) provisions.

The HIPAA privacy rules require covered entities and their business associates to protect patients’ health information from unauthorized disclosure. The HIPAA security rules do not mandate specific technologies or prohibit others. In fact, HIPAA:

“…allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.

An imperfect understanding of patients’ privacy concerns, lack of proficiency in using computers or access to them, and misguided policies on usage play a part in HIPAA privacy breaches. The consequences of such breaches can be quite burdensome for the medical provider.

HIPAA-compliant email

Medical providers often forget (or might even be unaware of) “reasonable safeguardsthat can easily be implemented to prevent emails from leaking information that patients might consider as compromising their privacy. By analyzing real-life examples of how email is used (well, actually misused) in practice, we hope this post can convince you of reasonable safeguards to make email a valuable and efficient part of your workflow while conforming to HIPAA.

Read the rest of this post »

Opt-In Email Encryption is Too Risky for HIPAA Compliance

Tuesday, July 11th, 2017

A majority of companies that offer email encryption for HIPAA compliance allow senders to “opt-in” to encryption on a message-by-message basis. If the sender “does nothing special” then the email will be sent in the normal/insecure manner of email. If the sender explicitly checks a box or types a keyword in the body or subject of the message, then it will be encrypted and HIPAA-compliant.

Opt-in encryption is desirable because it is “easy.” End users don’t want any extra work and don’t want encryption requirements to slow them down, especially if many of their messages do not contain PHI. It is “good for usability” and thus easy to sell.

Cybersecurity opt-in email encryption

However, opt-in encryption is a very bad idea with the inception of the HIPAA Omnibus rule. Opt-in encryption imposes a large amount of risk on an organization, which grows exponentially with the size of the organization. Organizations are responsible for the mistakes and lapses of their employees. Accidentally sending unencrypted emails with PHI is an automatic breach with serious penalties.

Read the rest of this post »