ePHI Archives - LuxSci

Posts Tagged ‘ePHI’

What Are Your Goals for Sending HIPAA-Compliant Emails?

Wednesday, October 7th, 2020

…and How Do They Influence Which Provider You Choose?

So, you’ve heard that you need to send HIPAA-compliant emails. Maybe your company is only just starting to send ePHI in its messages. Perhaps it just wants to be extra careful, and limit the potential repercussions if ePHI is accidentally sent in an email. It could have even been skirting HIPAA regulations all along, and has suddenly realized the error of its ways.

Whatever led you up to this point, you are doing the right thing by looking for a HIPAA-compliant email provider. But the regulations and the services that have been developed to abide by them can be complex, so it’s important to do your research and carefully think through your decision.

Image: Secure email sending

On top of making sure that a potential service meets your compliance and security needs, you also need to consider the goals of your HIPAA-compliant email sending. Obviously, we can’t tell you what your goals are, but we can give you some suggestions that will help you refine them.

Are You Intending to Send ePHI, or Do You Just Want a HIPAA-Compliant Service to Be Careful?

Some organizations may want to directly email ePHI to their patients, so they need to focus on how they can do this effectively, while keeping both their patients and their businesses safe. For example, a doctor’s clinic may want to offer to send out test results via email.

Due to the high risk of exposing this information, it will probably want opt-out encryption (encryption on by default, with the sender choosing to turn it off) rather than opt-in. Measures like this can significantly reduce the chances of accidentally sending out unprotected ePHI.

In contrast, other companies may only want to send ePHI on rare occasions, so they may find opt-in encryption more convenient. The point is that every organization has its own set of requirements, and they need to find a suitable email service for their individual circumstances.

Some will want a service that is tightly locked down to limit their risks, while others may have a high risk tolerance.

Do You Plan on Using It as Your Everyday Email Service, or for High Volume Messaging?

If you just want a HIPAA-compliant email service for everyday use, something like LuxSci’s Secure Email is a great option. Alternatively, if your main goal is to send out emails in bulk, you will need something like our Secure High Volume Sending.

Do You Want to Send Transactional Messages, Marketing Emails, or Both?

As obvious as it seems, marketing emails are messages that are mainly sent out for marketing purposes. These include newsletters and product updates. On the other hand, transactional emails are those that are essential for customer interactions with the company. Many different things qualify as transactional emails, from onboarding messages, to password resets, to receipts, and much more.

Savvy companies don’t just see transactional emails as a bland part of conducting business. Instead, they use them as opportunities to add in a little marketing for their products, services, or simply overall brand awareness.

Before you make your decision on an email platform, you should consider how you want to use the service, and which solutions cater best to those needs.

Do You Have an In-House Graphic Designer, or Do You Need Intuitive & Professional-Looking Templates?

If your company has its own graphic designer, or the budget to outsource it, then it may not need beautiful email templates. Not every organization has those resources on hand, and many just want something that looks good without having to put in a lot of effort. Your company’s current setup and goals will influence whether you look for a HIPAA-compliant email provider that offers these ready-made templates.

Do You Need Analytics that Help You Measure the Effectiveness of Your Campaigns?

If your goal is to have the most effective campaign possible, then you need to measure everything. Of course, this is only possible with a marketing service that has a comprehensive analytics platform. LuxSci’s Secure Marketing solution offers A/B testing, which allows you to compare two different approaches to see which is best.

It also features a range of reports that tell you who opened emails, what they clicked on, the bounce rate, whether messages were marked as spam, and much more. If you need this type of in-depth knowledge in your email campaigns, it will be an important factor in which email service you ultimately end up choosing.

LuxSci’s HIPAA-compliant email services aim to combine the functional features you need for high performance, alongside the security mechanisms required to stay within the regulations. Together, these provide adaptable services for those in the healthcare sector and for other businesses that deal with ePHI.

When Should You Send ePHI in Your Marketing Emails?

Monday, July 20th, 2020


If you operate in the healthcare sector, you should always be wary of your organization’s electronic protected health information (ePHI). One of the most complicated situations involves email marketing, because carelessly sent messages can easily lead to HIPAA violations and their costly ramifications.

Because of this danger, you should only send ePHI in your marketing messages under certain conditions:

When Using a HIPAA-compliant Email Marketing Service

If you want to send ePHI in your marketing emails, you will need a HIPAA-compliant marketing service. If you send ePHI through Mailchimp or its equivalents, the messages won’t be encrypted or compliant with the regulations.

Because email is so inherently insecure by nature, using a normal email marketing service makes it easy for hackers to access ePHI in messages. They can intercept the messages, then use the data to commit a range of crimes.

The result? Sending ePHI over one of these services can lead to your organization violating the privacy of everyone whose sensitive data was sent. Not only is this a shocking breach of their rights, but it leaves you open to damages from fraud, extortion and other crimes.

Each instance/email also counts as a HIPAA violation for your company. These can result in huge fines, disruption to business, harm to your company’s reputation and even jail time in the most egregious offenses.

Unless your company is hellbent on its own destruction, it must use a HIPAA-compliant email marketing service when sending ePHI in its messages.

The Features of a HIPAA-compliant Email Marketing Service

If you need to send ePHI in your marketing emails, LuxSci’s HIPAA-compliant Secure Marketing tool is the perfect fit. It combines a state-of-the-art marketing interface with all of the necessary HIPAA-compliant measures to safely send ePHI.

With easy-to-use and beautiful design templates, A/B testing, analytics tools and everything else you need to run a successful marketing campaign, Secure Marketing is an excellent solution for organizations in the health industry.

Protect Your ePHI with Opt-out Encryption

If you plan to regularly send ePHI, make sure you use the opt-out encryption feature in our HIPAA-compliant Secure Marketing service. When you use the opt-out feature to set up encryption by default, then the worst case scenario is that someone sends a message that’s needlessly encrypted. Sure, it might be a little more difficult for the recipient to access, or you might have to send through an unencrypted version as well, but no major damage is done.

Now, compare this to the opposite scenario. Let’s say that one of your staff members creates an email that includes ePHI – perhaps it’s some test results from a patient’s latest psychiatric evaluation. In a moment of forgetfulness, the employee forgets to encrypt the message before they send it.

If it hasn’t been encrypted, then the patient’s family members could read it on an unlocked device. Hackers could also intercept it and blackmail the person, or use the sensitive data for identity theft and other types of fraud.

The point is that such a simple mistake can easily become a HIPAA violation, something that could have disastrous effects for the individual, as well as the company responsible. It’s pretty clear that this outcome is far worse than sending a needlessly encrypted message.
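As an added illustration of the opt-out versus opt-in trade-off discussed here and in the earlier post on choosing a provider (example code, not LuxSci's own), the policy function below decides whether an outbound message is encrypted, sent in plaintext, or blocked. The ePHI indicator patterns and the sample messages are constructed for the example, and the mode names are assumptions.

```python
# Added example (not LuxSci code): a fail-closed outbound email policy that
# models the "opt-out" and "opt-in" encryption modes discussed in the post.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed, deliberately simple ePHI indicators: an MRN-like identifier and
# a few clinical phrases. A real DLP engine would use far richer rules.
EPHI_PATTERNS = [
    re.compile(r"\bMRN[:\s#]*\d{6,10}\b", re.IGNORECASE),
    re.compile(r"\b(test results?|diagnosis|psychiatric evaluation)\b", re.IGNORECASE),
]


@dataclass
class OutboundMessage:
    sender: str
    recipient: str
    subject: str
    body: str
    encrypt_flag: Optional[bool] = None  # None = sender made no explicit choice


def looks_like_ephi(text: str) -> List[str]:
    """Return the indicator strings found in text (empty list if none)."""
    hits: List[str] = []
    for pattern in EPHI_PATTERNS:
        hits.extend(m.group(0) for m in pattern.finditer(text))
    return hits


def decide(msg: OutboundMessage, mode: str) -> Tuple[str, str]:
    """Return (action, reason); action is "encrypt", "send-plain" or "block".

    mode "opt-out": encrypt unless the sender explicitly declined.
    mode "opt-in":  plaintext unless the sender explicitly asked.
    """
    if mode not in ("opt-out", "opt-in"):
        raise ValueError("unknown mode: %s" % mode)
    indicators = looks_like_ephi(msg.subject + "\n" + msg.body)

    # A content scan overrides any sender choice: apparent ePHI never leaves in plaintext.
    if indicators and msg.encrypt_flag is False:
        return "block", "sender declined encryption but message looks like ePHI: %s" % indicators
    if indicators:
        return "encrypt", "ePHI indicators found: %s" % indicators

    # No indicators: the account-wide default decides what happens to a forgotten flag.
    if msg.encrypt_flag is True:
        return "encrypt", "sender requested encryption"
    if mode == "opt-out":
        if msg.encrypt_flag is False:
            return "send-plain", "sender opted out; no ePHI indicators"
        return "encrypt", "opt-out mode: encrypted by default"
    return "send-plain", "opt-in mode and sender did not request encryption"
```

The scanner is only a backstop: a message whose ePHI it misses (a lab value phrased in an unexpected way) still goes out encrypted under opt-out, but in plaintext under opt-in, which is the failure mode the post describes.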

When Should You Avoid Sending ePHI in Marketing Emails?

You shouldn’t send ePHI in any situation where there isn’t a serious benefit to your patients or your company. Even though ePHI can certainly be secured with tools like LuxSci’s Secure Marketing, why bother sending out such sensitive data for no major gain?

Of course, it goes without saying that you should also avoid sending ePHI in your marketing emails if you don’t have the appropriate HIPAA-compliant tools. If you really need to send ePHI in your messages, subscribe to a suitable service that gives you the business advantages of email marketing campaigns, without having to constantly worry about violations.

CEO Erik Kangas Featured on Total HIPAA Podcasts

Thursday, July 16th, 2020

Erik recently sat down with our friends at Total HIPAA to discuss a variety of HIPAA topics, including:

The first of the 2-part conversation can be heard here or on a mobile device via Apple Podcasts.

Is Skype HIPAA Compliant? If not, what is?

Saturday, May 9th, 2020

In recent times we have seen a huge push toward telehealth, so many are wondering, “Is Skype HIPAA compliant?” While Skype is a practical tool that many people have access to, it’s important to consider any regulatory obligations you need to meet before you use it.

If your business collects, stores, transmits or processes electronic protected health information (ePHI), then it is subject to HIPAA regulations. Organizations that process ePHI on behalf of other parties also need to stick within the rules, otherwise they may face heavy fines.

Regardless of whether your organization provides health services through video or it uses video platforms to process ePHI in any other way, it needs to make sure it is using software that abides by the regulations.

Wondering, “Is Skype HIPAA compliant?” is a good starting point, but there are several things to consider before you commit to a video conferencing service.

Do You Need a BAA to Make Skype HIPAA Compliant?

A business associates agreement (BAA) is a contract between your organization and any others that process its data. In essence, these agreements outline how ePHI will be used, what control measures will be in place, and where the responsibilities lie between the two parties.

BAAs are absolutely necessary for HIPAA compliance. Even if your organization and its partner share ePHI with every control and security mechanism imaginable, as well as following all other aspects of the regulations, it would still be violating HIPAA if a signed BAA was not in place.

If your organization is going to be sharing ePHI over a video service, then it needs to be HIPAA-compliant.* However, the only way that it can be HIPAA compliant is if a BAA is in place.

Is Only the Business Version of Skype HIPAA Compliant?

Skype comes in several different versions, but the basic, consumer-oriented one is not HIPAA compliant. The only type that offers BAAs and which could be made HIPAA compliant is Skype for Business, which is one of Microsoft Office’s business communication tools. Note that “Skype for Business” is a completely different service than consumer Skype.

However, it’s also worth noting that Skype for Business is currently being phased out in favor of Microsoft Teams. If you don’t already have a supported version of Skype for Business, you should look for HIPAA-compliant alternatives instead. Support for Skype for Business Online ends in 2021, while support for Skype for Business Server will be extended until 2025.

With this in mind, it’s probably not worthwhile pursuing any version of Skype for HIPAA compliance. If you use the basic version of Skype, you will be violating the regulations, and even if you can get Microsoft to sign a Skype for Business BAA, you may have to switch your software in 2021 anyway.

HIPAA-Compliant Alternatives to Skype

Considering that Skype for Business doesn’t have much time left and that it is not even the same as “regular Skype,” your organization will be better off finding a HIPAA-compliant alternative. One option is LuxSci’s SecureVideo, which was designed specifically to make it easy to stay within the regulations.

SecureVideo was developed from the ground up with HIPAA compliance in mind, ensuring that it became a practical video calling service that made security and compliance simple. The Zoom for Healthcare-based platform is great for telemedicine and other forms of sharing ePHI.

SecureVideo includes handy features like screen-sharing, file-sharing and virtual clinics, with a capacity of up to 100 participants. This makes LuxSci’s SecureVideo a convenient and compliant alternative to Skype.

* During the Covid-19 pandemic, HHS has waived responsibility for breaches through non-compliant video conferencing services, like Skype. So, while Skype may not be compliant, it is OK to use during the pandemic. However, as the pandemic subsides and this waiver is lifted, you should have transitioned to a service that is actually HIPAA compliant.

Secure & Compliant Remote Work: Coronavirus & Working from Home

Thursday, April 16th, 2020

Less than a month ago, a secure and compliant remote work policy may have been far from the minds of many in company leadership. Now that the coronavirus pandemic is steaming ahead, our personal and work lives have been flipped upside down and we are all struggling to make the necessary adjustments.

Many businesses have closed their offices and have employees working from home, which is a great compromise for keeping operations ongoing and allowing people to retain their incomes.

However, the sudden move to working from home is a big jump for many companies and their employees, particularly if an existing remote work policy isn’t in place. Organizations need to tread carefully, because, with certain exceptions such as telehealth, coronavirus doesn’t change their security and compliance obligations.

This is especially critical for organizations that process electronic protected health information (ePHI) and for employees that deal with valuable or sensitive data. If the appropriate precautions aren’t taken, companies could breach regulations like HIPAA or PCI DSS, and face the significant penalties that come with violations. 

They may also have their sensitive data stolen by cybercriminals or leaked through negligence, which could lead to all kinds of problems, ranging from the theft of intellectual property to blackmail.

How Can Organizations Establish a Secure & Compliant Remote Work Policy?

Even in these difficult times, a secure and compliant remote work policy needs to be designed carefully. This will ensure that it meets the requirements of the company and its employees, as well as any legal obligations and the needs of customers and clients.

To address each of these needs, all of these stakeholders should be involved in the process. It’s critical to get legal advice, as well as engage security experts, to make sure that the policy and technical measures are adequate for your company’s unique circumstances.

A secure and compliant remote work policy should include:

  • Who is covered, when, and in which situations.
  • What the organization’s responsibilities and obligations are.
  • What the employee’s responsibilities and obligations are.
  • What hardware and software must be used, and in what configurations.
  • What security and privacy measures should be in place.
  • How reliability and availability will be ensured.

Companies may still have certain legal obligations for their remote workers, so a secure and compliant remote work policy needs to take these into account. For example, the company may still need to take measures to ensure that laws such as the Fair Labor Standards Act are followed, and that employees are working in a safe environment. 

Once your company has developed its remote work policy, it should have each of its employees sign it, so that they are aware of the expectations and committed to following them.

What Security Measures Do Companies Need as Part of Their Remote Work Policies?

The particular measures will vary from situation to situation, depending on a company’s setup, the regulations it is subject to, the data assets it has, as well as how it transmits and stores valuable or sensitive information.

Some measures for remote work, found in the HITRUST and other security guidelines, include:

  • All data should be encrypted when it is transmitted over public networks. FIPS-approved ciphers should be implemented in any of the security protocols used.
  • Wireless access points should use WPA2 with AES encryption as a minimum security standard.
  • Emails and other digital messages should be protected end-to-end, and sensitive information should never be sent without encryption.
  • Faxes should only be used for protected information if more secure alternatives are not possible.
  • Employees should use VPNs to connect to corporate systems, and all traffic should flow through the VPN. Any access should be remotely logged and monitored. Unauthorized connections should be monitored and reviewed quarterly at a minimum, and appropriate actions should be taken after the review process.
  • Effective authorization systems need to be in place for privileged connections and for access to sensitive business information. Remote administration sessions should have heightened security measures in place.
  • The authentication process for remote devices should include additional measures on top of passwords, such as the verification of IP or MAC addresses.
  • Employee use of portable storage devices should be strictly controlled and the information should be encrypted. 
  • Any data transfers outside of controlled areas require approval and the details need to be recorded. Cryptographic measures need to be in place to protect the integrity and confidentiality of data when it is transferred.
  • Sensitive or valuable data should not be available to unauthorized individuals or left unattended. This includes leaving the information out on desks, on printers, or viewable by others on computer monitors.
  • External services (such as new SaaS vendors) should not be used to store or transmit information without prior approval.
  • Controls and training should be in place if personal devices are allowed to be used in the workplace.

Solutions for Secure & Compliant Remote Work

In the wake of the rapid spread of coronavirus and the significant changes it has brought, many companies are scrambling to provide secure and compliant remote work solutions to their employees.

This poses a significant challenge, because when new systems are implemented abruptly, it can easily lead to mistakes. If these errors involve data leaks or compliance violations, they can have huge long term consequences for businesses.

To minimize these risks, the best option is to use well-established and specialized solutions like LuxSci’s many offerings. All of our products are designed from the ground up to be secure and comply with various sets of regulations, as well as to optimize our users’ workflows, convenience and efficiency.

These services include our secure and HIPAA-compliant email service, as well as tools like SecureText and Secure Video. The rise of coronavirus may have been an unexpected interruption, but adopting LuxSci’s safe and carefully designed tools can help to prevent further threats from harming your business in these difficult times.
