" encryption Archives - Page 2 of 5 - LuxSci

Posts Tagged ‘encryption’

5 Questions to Find the Right HIPAA-Compliant Email Marketing Platform

Tuesday, June 15th, 2021

If you are subject to HIPAA regulations- think twice before sending off that marketing email blast to your customers. If your emails contain ePHI, stop and make sure you are using a HIPAA-compliant email marketing platform before sending.

Not all email marketing platforms were designed with HIPAA compliance in mind. In fact, it can be difficult to figure out which vendors will allow you to send HIPAA-compliant emails on their platforms. We created this list of five questions to help you screen potential vendors for compliance.

hipaa compliant email marketing

1. Is your email marketing platform HIPAA-compliant and HITRUST certified?

It’s a simple question, but if the vendor does not mention anything about HIPAA or HITRUST certification on their website, it’s a good indicator that they are not secure enough to be compliant. As you probably know, HIPAA regulations can be onerous, and many companies do not have the time, expertise, or desire to update their technology. On the other hand, if they have taken the time and spent the money to invest in the serious security steps needed for HIPAA compliance, you should be able to find something about it in their marketing.

2. Will the vendor sign a Business Associate Agreement?

If you are sharing ePHI with a vendor (including lists of patient names and email addresses), you must have a BAA in place that outlines their responsibilities to protect your ePHI. If a vendor will not sign a BAA with you, it is an obvious sign that you cannot use their platform for HIPAA-compliant email marketing.

However, even if a vendor will sign a BAA, it does not mean that you can use their platform and comply with HIPAA. Read the fine print! Some companies have very restrictive BAAs that severely limit the functionality of the platform and prevent you from sending emails. We call these vendors “quasi” compliant. The only comply with HIPAA, if you abide by strict rules that prevent you from actually using their solution.

For an example, take Constant Contact. They will sign a BAA. However, they explicit state in their BAA that you:

“Should not use our systems for transmitting highly sensitive PHI (for example: mental health, substance abuse, or HIV information). Our application was not built for electronic medical records (EMR). If you have such information to send, please do not use Constant Contact.”

Constant Contact does not encrypt outbound emails, making it a poor choice for a HIPAA-compliant email marketing vendor. Depending on your email use cases, you could be unable to send any emails on their platform. Even worse, if you mistakenly send emails that contain ePHI you will be held liable for violating HIPAA, not Constant Contact, because you violated the terms of the BAA.

3. Does the email marketing platform protect data at rest and in transit?

Encryption is an addressable standard as part of the HIPAA Security Rule. Encryption is highly recommended to protect ePHI in all digital communications.  Many email marketing platforms have adopted encryption methods that are secure enough to protect ePHI while it remains in their systems. However, that’s not enough to comply with HIPAA. You should specifically ask about their ability to encrypt outbound emails. Data in transit is extremely vulnerable to malicious actors, and therefore you need to encryption to protect emails containing ePHI. If a vendor does not provide encryption for outbound marketing emails then you should not consider using them.

4. How does the email marketing platform encrypt emails?

If a vendor says that they do encrypt outgoing messages, it’s important to consider these additional questions.

  • How are they encrypting those emails?
  • Do the encryption methods match your email use cases?

As a marketer, you want your emails to directly reach the recipient with as little friction as possible. If the recipient has to login to another platform to read the email, it’s unlikely to be read. A good HIPAA-compliant email marketing platform will use TLS encryption to send marketing messages directly to inboxes that support it. Emails sent with TLS encryption appear just like any other message directly in the recipient’s inbox.

However, there may be scenarios when you need to use more secure encryption methods. We recommend finding an email marketing vendor that is flexible and will let you select the right method of encryption for any type of message. For example, you may want to use a portal-based encryption method to send highly sensitive messages. Either way, make sure your vendor can support your needs with the right type of email encryption.

5. Does the platform allow you to send ePHI in the body of your emails?

Finally, the most important question to ask is: can I include highly sensitive patient information in an email? If you cannot, you can’t use the full power of the email marketing platform to create targeted, personalized and relevant messages. At best, you can only send generic office newsletters. If you want to create the types of marketing emails that will drive ROI and improve patient engagement, utilize your patient data for personalization and segmentation.

HIPAA-Compliant Email Marketing Platforms

LuxSci’s Secure Marketing platform was built from the ground up with HIPAA compliance in mind. If you would like to learn more about how to create compliant email marketing campaigns utilizing ePHI, please let us know.

 

 

What End-to-End Email Encryption Really Means

Tuesday, January 26th, 2021

As security and privacy become more prominent in the news, you’re probably starting to hear the term end-to-end email encryption a lot. But what does it actually mean? You may have a rough idea that it protects your data, but many people are vague on the specifics. However, it’s the details of end-to-end encryption that are the most important. After all, it only takes one false assumption to put your data at unnecessary risk.

What Is End-to-End Encryption

Read the rest of this post »

Email Encryption Showdown: SMTP TLS vs PGP vs S/MIME vs Portal Pickup

Monday, May 29th, 2017

While messaging apps may have become more popular over the last ten or so years, email remains an important method of communication, particularly for business. Despite its common use, there are many security problems associated with regular email:

Message Tampering

False messages are a significant threat, particularly when it comes to business and legal issues. Imagine someone else sends an email from your account – how can you prove it wasn’t you? There are many viruses that spread in this way, and with regular email, there is no concrete way to tell whether a message is false or not.

Email Encryption

Normal emails can also be modified by anyone with system-administrator access to the SMTP servers that your emails pass through. They can alter or completely delete the message, and your recipient has no way of knowing if the message has been tampered with or not.

In the same way, messages can be saved by the SMTP system administrator, then altered and sent again at a later time. This means that subsequent messages may appear valid, even if they are actually just copies that have been faked.

Read the rest of this post »

How do I send HIPAA-compliant lab results via email?

Friday, May 5th, 2017

A question about HIPAA-compliant transactional email from Ask Erik:

As a non-technical member of the founding team of a Health Care Startup I have a question about HIPAA-compliant email as we begin to send out lab test results to individuals and the health care providers we partner with:

“Does one dedicated email address for results distribution that is HIPAA-compliant and secure make us in compliance. ”

We have team members who communicate with our DDS clinics but they don’t distribute test results. Only I will do that through a dedicated email address.   What do we have to do to be compliant from day one of distributing test results as part of our service to our customers (primarily dentists and oral surgeons)?

I was told by the service provider of our website and email hosting services that if we made the one email address a Business Premium account using the Microsoft Secure Server, that all the other regular email addresses would be covered as well. Is this true?

Thank you for the forum to ask real life scenario questions.

Lab results to email

Hello,

There are many aspects to your question.  Lets address each one in turn:

Read the rest of this post »

7 Ways You Could be Unknowingly Violating HIPAA

Friday, August 14th, 2015

Non-compliance with HIPAA can easily lead to unintended breaches where data is exposed to unauthorized parties. This can be very expensive! Violating HIPAA can cost anywhere from $100 to $50,000 per violation (or per data record).

You don’t want to be caught in a situation where inaction, neglect, or lack of knowledge can result in violating HIPAA. Many small and large organizations are often unknowingly using systems in a way that is either already in breach or which results in frequent sporadic breaches.

Check your organization!

If any of the following scenarios apply to you, it is worth bringing them up the person responsible for compliance (your HIPAA Security Officer) to include in your mandatory yearly Risk Analysis.  Is the risk of breach worth continuing with “business as usual?”

Read the rest of this post »