" ePHI Archives - HIPAA News, Web & Email Security Tips & News - Plus More | LuxSci

Posts Tagged ‘ePHI’

If my web site is very simple, do I have to worry about HIPAA compliance?

Friday, March 24th, 2017

We received this questions via Ask Erik from a Physicians’ Association:

“Our company website does not contain any patient information.  As a healthcare group, do we need to worry about HIPAA compliance for our site? It contains forms, news and some company polices and procedures but no patient information whatsoever. Thank you.”

Thank you for your question!  Here, we delve into how you can answer this for your site.

 

Read the rest of this post »

Does HIPAA really permit reminding patients to pick up their prescriptions?

Thursday, December 8th, 2016

We get calls and text messages from pharmacies like CVS, reminding us that it is time to pick up and/or renew our prescriptions for drugs or other medical items. When you think about HIPAA, this is confusing. In many cases, these reminders constitute Protected Health Information (PHI) … so is this really allowed?

The default answer of “it must be OK if CVS is doing it” is naive as it loses all of the context about what is and is not permitted and does not shed any insight into when and how other organizations may similarly inform or remind patients of things such as prescriptions and appointments.

Is it really PHI?

Read the rest of this post »

Is Skype HIPAA Compliant? If not, what is?

Wednesday, April 6th, 2016

Revision 2016:  Since the article was published, Microsoft has started offering a Business Associate Agreement (BAA) for Office 365 Online of which Skype is a part.  While online documentation is very unclear, Microsoft has indicated that Skype is covered under this BAA and thus use of Skype can be “HIPAA compliant” as long as you have “Skype for Business” and the signed BAA with Microsoft.

However, Skype lacks many controls and features that are actually required for an organization to be compliant, such as access auditing, backups, and breach reporting.  This makes it unclear what the usefulness of its being “covered” under Microsoft’s BAA really is.  Microsoft is really just leaving it up to the Skype user to determine if the use of Skype is appropriate without taking any steps to ensure that use of Skype really could be compliant.  Additionally, even though Skype is covered under Microsoft’s BAA, the regular, free Skype used by most people is not covered.  So, for example, a therapist should under no circumstances have a session with a patient, where that patient is using the regular free Skype program.

Original Article Content:

In conjunction with their use of LuxSci HIPAA-compliant email and web hosting services, many small health care practices often ask us about use of Skype and other video conferencing software for communicating with patients over the Internet.

Is it possible to be HIPAA compliant while using Skype for sending PHI via chat, voice, and/or video?  Why?  Everyone else is doing it … shouldn’t I thus be able to as well?

The short answer is “no – don’t use Skype” and “there are other options available that offer this capability and allow you to be HIPAA compliant in the process.”  For the long answer, read on.

Read the rest of this post »

Press Release: How To Text and Remain HIPAA-compliant

Tuesday, March 15th, 2016

WESTWOOD, MA, March 15, 2016 — LuxSci® announces the recent launch of SecureText, a unique solution to concerns about HIPAA-compliant text messaging, and an important step to safeguard and secure electronic patient health information (ePHI).

Communicating through text message is a convenience to which we have grown rapidly accustomed. However, sending unsecured texts places healthcare providers and patients at risk in several ways: (1) ePHI-laden messages are not always encrypted during transmission or storage; (2) anyone with access to a recipient’s phone or stored messages can view ePHI-laden messages; (3) and some ePHI-laden text messages travel through organizations which lack required HIPAA Business Associate Agreements. Additionally, since healthcare providers are required to obtain and maintain consent from patients for texting – providers must ensure that patients are adequately educated on the risks associated with sending ePHI via text and presented with secure alternatives to insecure texting.

Read the rest of this post »

eBook: HIPAA-compliant Email Basics

Thursday, February 25th, 2016

Safeguarding Your Healthcare Practice and Protecting Patient Privacy

Book 1 in the LuxSci Internet Security Series.

Created by Erik Kangas, PhD

This LuxSci eBook is your well-researched guide to both a critical understanding of the specific issues and concepts of HIPAA, HITECH, and the Omnibus rule, and their practical application to your business with respect to email, so that you stay compliant with these government standards. This document will provide a framework for your health care entity to keep the privacy of patient information front and center. Providers will have the necessary tools to meet all requirements established by HIPAA to access email outsourcing services.

This eBook includes sections on:

  1. Overview of HIPAA
  2. What is ePHI?
  3. Provisions of the HIPAA Email Security Rule
  4. Additional Risk Analysis and the Need for Encryption
  5. Gmail and Google Apps?

Download the eBook

Is Email Encryption via Just TLS Good Enough for Compliance with Government Regulations?

Monday, August 24th, 2015

There are many ways to encrypt email, TLS being the simplest and most seamless.  With SMTP TLS (the use of TLS encryption to secure the “SMTP Protocol” used for the transmission of email between computers), messages are transported between the sender, recipient, and all servers securely.  TLS is a layer that fits seamlessly over “regular email” to ensure transport email encryption when supported by both the message sender and the recipient.  With SMTP TLS, sending a secure message works and feels the same as sending any other email message.

“It just works.” That is the ideal combination of security and usability.

SMTP TLS for Email Encryption

However, SMTP TLS only solves the problem of email encryption during transmission from sender to recipient.  It does not in any way secure an email message while it is at rest, whether while in the sender’s “sent email” folder, queued or backed up on the email servers of the sender or recipient, or saved and stored in the email recipient’s folders.  While SMTP TLS is really easy to use, it is important to consider if use of SMTP TLS alone is “good enough” for companies to comply with the many U.S. government laws which apply to email.

When it  is “good enough,” organizations may opt for the seamless simplicity of TLS over the added complexity of other modes of secure email communication.

In this article, we shall examine the security afforded by SMTP TLS and compare that to other modes of email encryption such as PGP, S/MIME, and Escrow (i.e. picking up your message from a secure web portal).  We shall then look at many of the most important laws (HIPAA, GLBA, Sarbanes-Oxley, SB1386, NASD 3010, FRCP, SEX 17a-4, FINRA, and PCI DSS)  to see what is said or implied about using “Just TLS” vs. other, stronger forms of encryption.  We won’t spend a lot of time explaining each law; if you are interested there are innumerable articles on the web for that.  We  focus only on what they say or imply about encryption for email transmission and storage.

The short answer is that many of these laws outline various requirements for email storage, archival, and retrieval for legal proceedings without specifically delineating requirements for the encryption of those messages.  So, use of TLS is just fine with respect to those.

For PCI compliance, avoid email if at all possible; however, if you must use email for sending credit card data, “Just TLS” is not sufficient.

For the rest, the burden ends up being on each individual organization to decide for itself the level of encryption appropriate to protect sensitive data.  Use of encryption methods that provide protection for data at rest can mitigate liability in the case of a breach, but they are not mandated.  There are also ways of protecting data at rest that do not involve more onerous methods of email encryption.

Indeed, your internal risk analysis may find that “Just TLS” is best in some cases and methods that provide explicit data-at-rest email encryption are warranted in others.

Read the rest of this post »

7 Ways You Could be Unknowingly Violating HIPAA

Friday, August 14th, 2015

Non-compliance with HIPAA can easily lead to unintended breaches where data is exposed to unauthorized parties.  This can be very expensive!  The cost of a breach depends on your degree of negligence; it ranges from $100 to $50,000 per violation (or per data record).

You don’t want to be caught in a situation where inaction, neglect, or lack of knowledge can result in unintended breaches.  Many small and large organizations are often unknowingly using systems in a way that is either already in breach or which results in frequent sporadic breaches.

Check your organization!

If any of the following scenarios apply to you, it is worth bringing them up the person responsible for compliance (your HIPAA Security Officer) to include in your mandatory yearly Risk Analysis.  Is the risk of breach worth continuing with “business as usual?”

Read the rest of this post »

What exactly is ePHI? Who has to worry about it? Where can it be safely located?

Thursday, April 9th, 2015

There is often a great deal of confusion and misinformation about what, exactly, constitutes ePHI (electronic protected health information) which must be protected due to HIPAA requirements.  Even once you have a grasp of ePHI and how it applies to you, the next question becomes … where can I put ePHI and where not?  What is secure and what is not?

We will answer the “what is ePHI” question in general, and the “where can I put it” question in the context of web and email hosting, and SecureForm processing at LuxSci.

Read the rest of this post »

Case Study: Securely Email Medical Laboratory Results to Patients

Tuesday, April 7th, 2015

We count medical laboratories among our many customers.  They process lab tests for doctors and send the results to the patients via email.

Medical laboratories, while sometimes not HIPAA covered entities themselves, are Business Associates with Hospitals and doctors who are required to abide by HIPAA.  By the “transitive” nature of the HIPAA privacy laws, such Business Associates must take pains to abide by HIPAA security and privacy standards, protecting patient data, and ensuring confidentiality.

In order to send patients their results via email, these labs must use a HIPAA-complaint system that can send email to anyone with an email address.

This post describes how one large medical lab uses LuxSci’s SecureLine to safely deliver lab results to 1000s people every day.

Read the rest of this post »

Interview with Mason Rothert, CEO of Mediprocity our partner for SecureChat

Friday, February 20th, 2015

Mason Rothert is the CEO of Mediprocity, the company that we have partnered with and worked closely with to provide LuxSci SecureChat.

Mason Rothert & Nicholas Magers conceived Mediprocity while working together in the healthcare field calling on physician offices and healthcare provider centers. At the time, Mason Rothert was working as V.P. of Sales and Technology for a management company overseeing long-term care facilities and a full range therapy company. Nicholas Magers was finishing up his MBA at USC and working for a pulmonary company as a sales director. They decided to combine forces in order to solve the fragmentation of communication amongst covered entities and business associates in healthcare. They would focus on the new technologies available as well as the growing need to encrypt patient health information in order to prevent data breaches.

Mediprocity begin in 2009 as a social network for healthcare.  The Company culture has always been to be physician-centric and to help improve communications.  As smartphone and text messaging popularity grew rapidly, it was clear in 2010 that Mediprocity needed to become a simple secure solution for HIPAA-compliant communication.  They set out to combine the best elements of instant messaging, SMS text, and Email.

LuxSci has integrated the Mediprocity secure communications product into its offering and is continuing to work closely with them to integrate the SecureChat service more and more tightly with LuxSci’s SecureLine secure emailing offerings.

Mason has agreed to this interview so that we can answer many common SecureChat-related questions for you.

Read the rest of this post »