ePHI Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more

Posts Tagged ‘ePHI’

What We Call “Quasi-HIPAA-Compliance” 

Thursday, March 26th, 2020

Are your organization’s service providers really HIPAA compliant, or are they only quasi-HIPAA compliant?

What do we mean? 

Okay, we’ll be honest: quasi-HIPAA compliant isn’t an accepted term yet, but it should be.

When we talk about quasi-HIPAA compliance, we’re referring to setups and services that look like they’re HIPAA compliant and share some of the features; however, they may not be completely in line with HIPAA requirements if you actually use them in the way that you want.

Quasi-HIPAA compliance is common, particularly in popular services. It can also be incredibly dangerous for businesses, because quasi-HIPAA compliance can lull organizations into a false sense of security while they unwittingly violate the regulations.


What Is Quasi-HIPAA Compliance?

The best way to explain the concept of quasi-HIPAA compliance is through example. A quasi-HIPAA compliant service could come from an email-hosting provider, web-hosting provider, or an organization that offers a range of other solutions. 

If these providers are quasi-HIPAA compliant, they include elements of HIPAA compliance, but their services may not be tailored to keep clients within the regulations across every way the service might be used.  A provider may be willing to sign a HIPAA business associate agreement (BAA) with your company, but its services may not include the protections that compliance requires.

As a good example: Google is willing to sign a BAA with customers using its G Suite service.  However, Google does not actually provide HIPAA-compliant email encryption, so using G Suite email in a HIPAA context can immediately leave you non-compliant and exposed to a breach. This is quasi-HIPAA compliance.  You assume that by signing a BAA, you can use the services as you like and be “all set.”  In truth, you need to understand exactly what is and is not allowed. You then need to either (a) avoid performing non-compliant actions, or (b) add additional measures to fill those gaps.

Business Associates Agreements & Quasi-HIPAA Compliance

A BAA is essential for HIPAA compliance. Your company can’t be completely HIPAA compliant if it uses the services of another entity without a BAA in place. It doesn’t matter whether the entity’s services are technically HIPAA compliant; you will fall foul of the regulations unless a BAA is in place between the two parties.

Even if you do have a BAA with your provider, that alone may not be enough to keep your organization on the right side of HIPAA. The provider may not have the security measures that your organization needs, and instead have a carefully worded BAA that will leave you vulnerable.

Let’s say your email marketing service provider is a quasi-HIPAA compliant provider. It may not offer email encryption, or the access control measures that your organization needs to safely send ePHI and other sensitive information.  The “HIPAA compliance” may be limited to data stored at rest on the provider’s servers; you may be surprised to learn that an email marketing company offering “HIPAA compliance” does not recommend sending any sensitive data over email at all.

The BAA offered by a company may be carefully worded to say that the service is technically HIPAA-compliant, but only if you don’t use it to send ePHI. This is legal, and the provider isn’t necessarily doing anything wrong by offering such a service, as long as this is clearly stated in the agreement.  Without understanding clearly what is actually “covered,” you leave yourself at risk.

The compliance and breach danger comes when organizations use quasi-HIPAA compliant services without completely understanding them. If they don’t take the time to do their research or thoroughly read the agreement, they could end up using the service in a way that isn’t covered under the BAA.


Dangers of Quasi-HIPAA Compliance

In our example, an organization might subscribe to a quasi-HIPAA compliant service and use it to send ePHI. If ePHI isn’t allowed to be sent via email or text under the BAA, and it’s sent without encryption and other security measures in place, then the messages will violate HIPAA regulations.

This is an easy trap to fall into for several major reasons. 

  1. BAAs can be complex and need to be studied carefully. 
  2. People make assumptions about what is actually covered by an organization’s “HIPAA compliance.”
  3. It’s very easy to accidentally send ePHI in an email. The definition of ePHI is broad, so employees can include ePHI in messages without even realizing it.

Even if your organization specifies that ePHI shouldn’t be sent through a particular service, all it takes is one mistake and your company will have a costly HIPAA violation on its hands. And if your organization does use an email marketing service that’s only quasi-HIPAA compliant, the restrictions on ePHI will prevent it from marketing effectively and communicating properly with its clients.

How Your Organization Can Avoid Quasi-HIPAA Compliance

The most important way to protect your organization is to do your research beforehand and make sure that any prospective provider will cover your intended uses properly. This means reading through their BAAs to make sure they are in line with your business’ requirements.

To save you some time, services like G Suite and the vast majority of email marketing services can be seen as quasi-HIPAA compliant, at best. Only providers that specialize in HIPAA-compliant services will be able to deliver the solutions that healthcare organizations and those that process ePHI require.

If your company needs true HIPAA compliance, then a provider like LuxSci is the best way to stay on the right side of the regulations. We have been providing HIPAA-compliant secure email since 2005. Not only are our solutions tailored to abide by HIPAA, but we have also developed the services you need to conduct important business tasks.

We provide HIPAA-compliant bulk email solutions for clients that need to send at scale. These services are set up over our secure infrastructure, and we provide dedicated servers for clients that require it.

LuxSci focuses on both compliance and ease-of-use, so we have developed secure email hosting, email marketing, and transactional email solutions among our offerings. Our services help your organization comfortably market itself and conduct business, all while staying in line with HIPAA compliance.

LuxSci Pursuing HITRUST Certification

Thursday, January 30th, 2020

LuxSci is working toward its HITRUST certification as part of our constant efforts to meet the highest levels of security and compliance. The threat landscape and regulatory environment are ever-evolving, and LuxSci is on track to be HITRUST CSF Level 3 certified (for HIPAA and GDPR, among other things) by the third quarter of 2020.

While LuxSci already follows best practices in a variety of areas, the HITRUST certification is an industry-standard, ongoing, evolving, independent third-party review. It shows how committed we are to providing secure and compliant solutions, and it lets anyone verify that LuxSci is doing the right things rather than simply taking our word for it.

HITRUST is an association that was formerly known as the Health Information Trust Alliance. A group of organizations came together in 2007 to develop the HITRUST Common Security Framework (CSF). The HITRUST CSF includes elements of a variety of different standards such as:

  • HIPAA
  • ISO/IEC 27000-series
  • NIST 800-53
  • PCI DSS

How Does the HITRUST Certification Help?

By establishing a framework that encompasses many other important sets of regulations, the HITRUST certification makes it easier to provably meet all of the different requirements in a streamlined manner.

The framework is especially critical for organizations in the healthcare field and those that process electronic protected health information (ePHI), but it is also useful for security and compliance in other situations, such as GDPR.

The HITRUST certification is beneficial for any organization that deals with sensitive, valuable or highly regulated data, whether it creates it, transfers it, or processes it in any other way.  This is because the HITRUST CSF certification not only makes it easier to manage risk and compliance, but it also demonstrates to other parties that these critical areas are being properly taken care of.

All of LuxSci’s central services fall within the HITRUST umbrella and will be HITRUST certified. These services include:

  • Secure email hosting
  • Secure email marketing
  • Secure high volume email sending
  • Secure web site hosting
  • Secure form processing

Once LuxSci finishes the HITRUST certification process, its clients can be even more confident that they have chosen a provider that places security first and that LuxSci is committed to staying on top of all of the HIPAA security requirements.  

HITRUST is not a “one and done” process; it requires yearly refinements, yearly third-party reviews, and yearly recertification.

A HITRUST certification proves both that you have all of the needed policies and procedures for compliance (hundreds of them) and that you have properly implemented and are following them.  HITRUST requires organizations to actively prove they are doing the right thing.  It’s not simple. It takes a lot of work, attention, and buy-in from all levels of an organization.  This is what makes HITRUST so valuable.

LuxSci’s Existing Certifications

LuxSci is 100 percent HIPAA-compliant and undergoes yearly internal and external HIPAA audits, penetration tests, and other internal and external reviews to ensure it continues to go above and beyond the regulations.

On top of this LuxSci maintains a TRUSTe Privacy Certification.  This is a yearly third-party review of LuxSci’s privacy policies and procedures (kind of like a mini-HITRUST for privacy) to ensure that our privacy policies meet industry best practices.  This certification enables LuxSci to keep our US-EU Privacy Shield status.

These certifications ensure that your business can be confident in LuxSci’s services. They let you know that one of the most trusted service providers in the industry is guiding your organization through the security and compliance minefield.

The HITRUST certification is simply another step in our constant effort to ensure that we provide the highest degree of security and compliance in all of LuxSci’s services.

What Level of SSL or TLS is Required for HIPAA Compliance?

Thursday, January 2nd, 2020

SSL and TLS are not actually monolithic encryption entities that you either use or do not use to connect securely to email servers, web sites, and other systems.  SSL and TLS are evolving protocols which have many nuances to how they may be configured.  The “version” of the protocol you are using and the ciphers used directly impact the level of security achievable through your connections.

Some people use the terms SSL and TLS interchangeably, but TLS (version 1.0 and beyond) is actually the successor of SSL (version 3.0); see our post “SSL versus TLS – what is the difference?”  In 2014 we saw that SSL v3 was very weak and should not be used going forward by anyone (see the POODLE attack, for example); TLS v1.0 or higher must be used.

Among the many configuration nuances of TLS, the protocol versions supported (e.g., 1.0, 1.1, 1.2, and 1.3) and which “ciphers” (more precisely, cipher suites) are permitted have the greatest impact on security.  A cipher suite specifies the symmetric encryption algorithm, the secure hashing (message fingerprinting / authentication) algorithm, and related details such as how the session keys are negotiated.   Some ciphers that were used for years, such as RC4, have weakened over time and should never be used in secure environments.  Cipher suites that negotiate keys with an ephemeral key exchange (ECDHE or DHE) also provide perfect forward secrecy: someone who records an encrypted conversation cannot decrypt it later, even if the server’s private key is somehow compromised afterward.

What level of TLS is required by HIPAA?

Given the many choices of ciphers and TLS protocol versions, people are often at a loss as to what is specifically needed for an appropriate and compliant level of TLS security under HIPAA.  Simply “turning on TLS” without also configuring it appropriately is likely to leave your transmission encryption non-compliant.
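As an added illustration (example code written for this page, not LuxSci’s software or configuration), the following Python uses the standard library `ssl` module to build a server context that refuses anything below TLS 1.2 and offers only forward-secret AEAD suites, and includes a small checker that grades a negotiated (protocol version, cipher suite) pair against that policy. The thresholds encoded in the constants (TLS 1.2 minimum, no RC4/3DES/NULL/export suites, ECDHE or DHE key exchange) are assumptions chosen for the example, not a quotation of HIPAA or of the rest of this post.

```python
"""Check TLS protocol/cipher choices against a conservative transport policy.

Example code added for this page; not LuxSci's own tooling. The policy
constants are an assumed baseline, not regulatory text.
"""
import ssl

# Assumed policy: protocol versions considered acceptable.
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Substrings of OpenSSL suite names that mark a suite as weak (assumed list:
# RC4, single/triple DES, NULL encryption, export grade, MD5 MAC, anonymous DH).
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXP-", "MD5", "ADH", "AECDH")

# Key-exchange prefixes that provide (perfect) forward secrecy in TLS 1.2 names.
PFS_KEX = ("ECDHE", "DHE")


def evaluate_tls(version: str, cipher: str) -> dict:
    """Return a verdict for one negotiated (version, cipher) pair.

    `version` is a name as reported by ssl.SSLSocket.version(), e.g. "TLSv1.2";
    `cipher` is an OpenSSL suite name, e.g. "ECDHE-RSA-AES128-GCM-SHA256".
    """
    problems = []
    if version not in ACCEPTED_PROTOCOLS:
        problems.append(f"protocol {version} is below TLS 1.2")
    upper = cipher.upper()
    for marker in WEAK_MARKERS:
        if marker.upper() in upper:
            problems.append(f"cipher contains weak component {marker}")
            break
    # TLS 1.3 suite names (TLS_AES_..., TLS_CHACHA20_...) omit the key exchange
    # because every TLS 1.3 handshake uses ephemeral (EC)DHE.
    pfs = version == "TLSv1.3" or upper.startswith(PFS_KEX)
    if not pfs:
        problems.append("key exchange does not provide forward secrecy")
    return {"compliant": not problems, "forward_secrecy": pfs, "problems": problems}


def build_server_context(certfile=None, keyfile=None) -> ssl.SSLContext:
    """Build a server-side SSLContext that enforces the policy above.

    certfile/keyfile are optional so the context can be inspected without
    real key material; a deployed server would load its chain here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3, TLS 1.0, TLS 1.1
    # OpenSSL cipher string: forward-secret AEAD suites only, legacy excluded.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def context_cipher_names(ctx: ssl.SSLContext) -> list:
    """List the suite names the context would offer, for configuration review."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    # Constructed sample observations, as a client or log line might report them.
    for ver, suite in [("TLSv1.0", "RC4-SHA"),
                       ("TLSv1.2", "AES128-GCM-SHA256"),
                       ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
                       ("TLSv1.3", "TLS_AES_256_GCM_SHA384")]:
        print(ver, suite, evaluate_tls(ver, suite))
    print("offered suites:", context_cipher_names(build_server_context()))
```

The checker is deliberately stricter than “TLS v1.0 or higher”: it treats TLS 1.0 and 1.1 as failures and requires forward secrecy, which is the direction current hardening guidance points. Run it against the `version()` and `cipher()` values of a real connection, or against the `get_ciphers()` output of a context you are about to deploy, to see exactly what “turning on TLS” would actually offer.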

Read the rest of this post »

What You Need To Know About the HIPAA Security Rule

Thursday, January 10th, 2019

In this day and age of rampant cybercrime, protecting a patient’s electronic health information is of the utmost importance. But, how do you know if the protections are adequate? Well, that’s where the HIPAA Security Rule comes in.

What is the difference between the privacy and security of health information?

With respect to health information, privacy is defined as the right of an individual to keep his/her individual health information from being disclosed. This is typically achieved through policy and procedure. Privacy encompasses controlling who is authorized to access patient information, and under what conditions patient information may be accessed, used, and/or disclosed to a third party. The HIPAA Privacy Rule applies to all protected health information, in any form.

Security is defined as the mechanisms in place to protect the privacy of health information. This includes the ability to control access to patient information, as well as to safeguard patient information from unauthorized disclosure, alteration, loss, or destruction. Security is typically accomplished through operational and technical controls within a covered entity. Since so much PHI is now stored and/or transmitted by computer systems, the HIPAA Security Rule was created to specifically address electronic protected health information.

The regulatory text of the HIPAA Security Rule is not long, but it is quite technical: it is the codification of specific information-security and technology best practices and standards.

The HIPAA Security Rule mainly requires the implementation of three categories of safeguards: administrative, physical, and technical. Beyond that, it imposes certain organizational requirements and requires documentation of processes, as the HIPAA Privacy Rule does.


Developing the necessary documentation for the HIPAA Security Rule can be complex, compared to the requirements of the HIPAA Privacy Rule. Healthcare providers, especially smaller ones, need to be given access to HIT (Health Information Technology) resources for this purpose.

Having said that, the HIPAA Security Rule is designed to be flexible, so covering all the required aspects of security shouldn’t be overwhelming. It does not mandate specific procedures or technologies; organizations determine which resources are necessary to achieve compliance.

Read the rest of this post »

Case Study: Securely Email Medical Laboratory Results to Patients

Thursday, February 1st, 2018

We count many medical laboratories among our customers.  They process lab tests for doctors and send the results to the patients via email.

Medical laboratories, while sometimes not HIPAA covered entities themselves, are Business Associates of hospitals and doctors who are required to abide by HIPAA.  Because HIPAA’s obligations flow down through the BAA to Business Associates, such labs must take pains to abide by HIPAA security and privacy standards, protecting patient data and ensuring confidentiality.

Medical labs use large scale secure email sending

In order to send patients their results via email, these labs must use a HIPAA-compliant system that can send email to anyone with an email address.

This post describes how one large medical lab uses LuxSci’s SecureLine to safely deliver lab results to thousands of people every day.

Read the rest of this post »
