" encryption Archives - LuxSci

Posts Tagged ‘encryption’

5 Questions to Find the Right HIPAA-Compliant Email Marketing Platform

Tuesday, June 15th, 2021

If you are subject to HIPAA regulations- think twice before sending off that marketing email blast to your customers. If your emails contain ePHI, stop and make sure you are using a HIPAA-compliant email marketing platform before sending.

Not all email marketing platforms were designed with HIPAA compliance in mind. In fact, it can be difficult to figure out which vendors will allow you to send HIPAA-compliant emails on their platforms. We created this list of five questions to help you screen potential vendors for compliance.

hipaa compliant email marketing

1.    Is your email marketing platform HIPAA-compliant and HITRUST certified?

It’s a simple question, but if the vendor does not mention anything about HIPAA or HITRUST certification on their website, it’s a good indicator that they are not secure enough to be compliant. As you probably know, HIPAA regulations can be onerous, and many companies do not have the time, expertise, or desire to update their technology. On the other hand, if they have taken the time and spent the money to invest in the serious security steps needed for HIPAA compliance, you should be able to find something about it in their marketing.

2.    Will the vendor sign a Business Associate Agreement?

If you are sharing ePHI with a vendor (including lists of patient names and email addresses), you must have a BAA in place that outlines their responsibilities to protect your ePHI. If a vendor will not sign a BAA with you, it is an obvious sign that you cannot use their platform for HIPAA-compliant email marketing.

However, even if a vendor will sign a BAA, it does not mean that you can use their platform and comply with HIPAA. Read the fine print! Some companies have very restrictive BAAs that severely limit the functionality of the platform and prevent you from sending emails. We call these vendors “quasi” compliant. The only comply with HIPAA, if you abide by strict rules that prevent you from actually using their solution.

For an example, take Constant Contact. They will sign a BAA. However, they explicit state in their BAA that you:

“Should not use our systems for transmitting highly sensitive PHI (for example: mental health, substance abuse, or HIV information). Our application was not built for electronic medical records (EMR). If you have such information to send, please do not use Constant Contact.”

Constant Contact does not encrypt outbound emails, making it a poor choice for a HIPAA-compliant email marketing vendor. Depending on your email use cases, you could be unable to send any emails on their platform. Even worse, if you mistakenly send emails that contain ePHI you will be held liable for violating HIPAA, not Constant Contact, because you violated the terms of the BAA.

3.    Does the email marketing platform protect data at rest and in transit?

Encryption is an addressable standard as part of the HIPAA Security Rule. Encryption is highly recommended to protect ePHI in all digital communications.  Many email marketing platforms have adopted encryption methods that are secure enough to protect ePHI while it remains in their systems. However, that’s not enough to comply with HIPAA. You should specifically ask about their ability to encrypt outbound emails. Data in transit is extremely vulnerable to malicious actors, and therefore you need to encryption to protect emails containing ePHI. If a vendor does not provide encryption for outbound marketing emails then you should not consider using them.

4.    How does the email marketing platform encrypt emails?

If a vendor says that they do encrypt outgoing messages, it’s important to consider these additional questions.

  • How are they encrypting those emails?
  • Do the encryption methods match your email use cases?

As a marketer, you want your emails to directly reach the recipient with as little friction as possible. If the recipient has to login to another platform to read the email, it’s unlikely to be read. A good HIPAA-compliant email marketing platform will use TLS encryption to send marketing messages directly to inboxes that support it. Emails sent with TLS encryption appear just like any other message directly in the recipient’s inbox.

However, there may be scenarios when you need to use more secure encryption methods. We recommend finding an email marketing vendor that is flexible and will let you select the right method of encryption for any type of message. For example, you may want to use a portal-based encryption method to send highly sensitive messages. Either way, make sure your vendor can support your needs with the right type of email encryption.

5.    Does the platform allow you to send ePHI in the body of your emails?

Finally, the most important question to ask is: can I include highly sensitive patient information in an email? If you cannot, you can’t use the full power of the email marketing platform to create targeted, personalized and relevant messages. At best, you can only send generic office newsletters. If you want to create the types of marketing emails that will drive ROI and improve patient engagement, utilize your patient data for personalization and segmentation.

HIPAA-Compliant Email Marketing Platforms

LuxSci’s Secure Marketing platform was built from the ground up with HIPAA compliance in mind. If you would like to learn more about how to create compliant email marketing campaigns utilizing ePHI, please let us know.

 

 

What End-to-End Email Encryption Really Means

Tuesday, January 26th, 2021

As security and privacy become more prominent in the news, you’re probably starting to hear the term end-to-end email encryption a lot. But what does it actually mean? You may have a rough idea that it protects your data, but many people are vague on the specifics. However, it’s the details of end-to-end encryption that are the most important. After all, it only takes one false assumption to put your data at unnecessary risk.

What Is End-to-End Encryption

Read the rest of this post »

HIPAA-compliant Email Host or SMTP Connector?

Tuesday, July 28th, 2020

choosing hipaa compliant email

You may have heard that you need to use HIPAA-compliant email to protect your organization’s ePHI, but many people aren’t sure where to go from there. Don’t worry if you fall into this camp, because this article will explain your options in depth.

The most straightforward solution is to simply sign up for a HIPAA-compliant email host. These are providers who specifically design their email services to be compliant with HIPAA regulations. A good example is LuxSci’s Secure Email.

If you currently use tools like Google Workspace or Microsoft Office 365 for your email, you might be looking for ways that you can adapt them for HIPAA compliance. The good news is that this is possible with an outbound encryption tool like our HIPAA-compliant SMTP connector.

Some organizations may pursue this option because they need certain features that these programs offer, while others may be hesitant to introduce new software and have to train their employees to use it.

Why Do You Need a HIPAA-compliant SMTP Connector for Google Workspace, Microsoft Office & Other Services?

These services aren’t designed to be HIPAA-compliant. Tools like Google Workspace, Microsoft Office 365, and Microsoft Exchange are designed for the mass market, so HIPAA compliance and security were not significant factors during their development.

This means that they are unsuitable for protecting ePHI straight out of the box. In the case of Google Workspace, it lacks a HIPAA-compliant email encryption solution. Microsoft does have one, but it is difficult to configure. A solution like LuxSci’s Secure SMTP Connector hooks up to your existing email service, bridging the gap to make your outbound email secure and HIPAA-compliant.

LuxSci Secure Connector

LuxSci Secure Connector

 

HIPAA-compliant SMTP connectors can also help you send emails if your internet service provider prevents or limits your outbound mail server from sending messages. On top of this, they can also add SMTP authentication to your outbound email system, as well as offer encryption and archival mechanisms. SMTP servers can also assist you in adapting your existing mail service in a variety of other ways.

Should You Use a HIPAA-compliant Email Host or an SMTP Connector?

Every organization will come to its own conclusion, based on the factors that matter most in its unique situation. If your main concern is making your company’s HIPAA compliance as easy as possible, then a HIPAA-compliant email host is probably your best option.

These are developed with the regulations in mind, and are designed to make compliance simple, with configuration options that suit a range of scenarios. With a HIPAA-compliant email host, you are less likely to misconfigure it and accidentally expose ePHI. 

LuxSci’s HIPAA-compliant email is designed to offer you a high level of performance and functionality, without having to constantly worry about regulatory headaches.

In contrast, some organizations aren’t in a position where they are ready to switch to a new email host. If they rely on certain software features in Google Workspace or Microsoft Office 365, it’s best for them to deploy LuxSci’s secure connector so that they can protect their outbound email sending.

Setting up and maintaining HIPAA compliance may be more complicated if they pursue this option, but it’s still a better choice than completely disregarding their regulatory obligations.

Email Encryption Showdown: SMTP TLS vs PGP vs S/MIME vs Portal Pickup

Monday, May 29th, 2017

While messaging apps may have become more popular over the last ten or so years, email remains an important method of communication, particularly for business. Despite its common use, there are many security problems associated with regular email:

Message Tampering

False messages are a significant threat, particularly when it comes to business and legal issues. Imagine someone else sends an email from your account – how can you prove it wasn’t you? There are many viruses that spread in this way, and with regular email, there is no concrete way to tell whether a message is false or not.

Email Encryption

Normal emails can also be modified by anyone with system-administrator access to the SMTP servers that your emails pass through. They can alter or completely delete the message, and your recipient has no way of knowing if the message has been tampered with or not.

In the same way, messages can be saved by the SMTP system administrator, then altered and sent again at a later time. This means that subsequent messages may appear valid, even if they are actually just copies that have been faked.

Read the rest of this post »

How do I send HIPAA-compliant lab results via email?

Friday, May 5th, 2017

A question about HIPAA-compliant transactional email from Ask Erik:

As a non-technical member of the founding team of a Health Care Startup I have a question about HIPAA-compliant email as we begin to send out lab test results to individuals and the health care providers we partner with:

“Does one dedicated email address for results distribution that is HIPAA-compliant and secure make us in compliance. ”

We have team members who communicate with our DDS clinics but they don’t distribute test results. Only I will do that through a dedicated email address.   What do we have to do to be compliant from day one of distributing test results as part of our service to our customers (primarily dentists and oral surgeons)?

I was told by the service provider of our website and email hosting services that if we made the one email address a Business Premium account using the Microsoft Secure Server, that all the other regular email addresses would be covered as well. Is this true?

Thank you for the forum to ask real life scenario questions.

Lab results to email

Hello,

There are many aspects to your question.  Lets address each one in turn:

Read the rest of this post »

LUXSCI