" ePHI Archives - LuxSci

Posts Tagged ‘ePHI’

The Future of Protected Health Information

Wednesday, May 10th, 2023

HIPAA was introduced in 1996 to protect patient privacy and enable individuals to control their health records. However, over the last 30 years, the proliferation of technology has enabled patients to collect, transmit, and store personal health data in ways that were unimaginable to the original authors of the legislation. This article discusses how the definition of protected health information may expand in the future to account for new types of data, covered entities, and technologies.

the future of phi

Protected Health Information Today

Under the current iteration of HIPAA, protected health information, or PHI, is defined as “individually identifiable protected health information.” Protected health information refers specifically to three classes of data:

  1. An individual’s past, present, or future physical or mental health or condition.
  2. The past, present, or future provisioning of health care to an individual.
  3. The past, present, or future payment-related information for the provisioning of health care to an individual.

For protected health information to be “individually identifiable,” the data must be linked to a specific individual (even if this is very indirect). There are 18 types of identifiers for an individual. Any one of these identifiers, combined with health data, would constitute PHI.

protected health information

In addition, under today’s HIPAA rules, only covered entities and business associates must abide by the regulations. Covered entities fall into three categories:

  1. Healthcare providers include hospitals, doctors, clinics, pharmacies, nursing homes, psychologists, and other providers.
  2. Health plans – Health insurance companies, company health plans, HMOs, and Government-paid health care plans such as Medicare are all considered health plans.
  3. Healthcare clearinghouses – These entities either process or facilitate the processing of health information they receive from other entities.

Business associates include a wide range of companies, but most importantly, they are contracted by a covered entity to perform a business function involving PHI. Business associates can include web hosts, billing companies, marketing agencies, legal firms, accountants, and more.

The Future of Protected Health Information

As the world has rapidly changed, new technologies that challenge how we think about personal health data have evolved. IT security teams must consider future security challenges and regulatory changes to futureproof their organization and mitigate risks. Below we explore how technology and PHI have progressed in a way that is pressuring regulators and legislators to protect patient privacy.

Technological Advances

The smartphone was still a decade away from being invented when HIPAA was introduced. In today’s world, the success of the iPhone has trickled down to other internet-connected smart devices like watches, scales, and other wearable devices. Even medical devices, including heart rate monitors and remote patient monitoring devices, can be found in people’s homes today. When medical providers ask patients to use these devices to capture biometric data, HIPAA rules apply.

But what about when healthcare providers do not recommend these technologies? If a consumer wants to use an application to record their daily activity, record their weight, or monitor their heart rate without direction from a doctor, HIPAA does not apply. However, due to the sensitivity of the data and lack of consumer understanding, some are calling for additional privacy protections for device and application manufacturers. It is not hard to imagine that any application designed to collect, store, or transmit health data will become subject to stricter regulations regardless of whether they are involved in an individual’s healthcare.

New Types of Data

When HIPAA was envisioned, genetic science was progressing but still confined to the upper levels of academia and research. Improvements in genetic testing and increased knowledge of the human genome could completely alter what is defined as PHI and how individuals interact with their healthcare providers. In 2013, amendments to the Privacy Rule clarified that genetic information is PHI and needs to be secured. However, over the past decade, genetic testing capabilities have exploded. Anyone can order a genetic test from numerous consumer-facing companies. As a result, personalized medicine is thriving and is likely to grow over the next decade.

As doctors have more access than ever before to information about our genomics, it’s of the highest importance to ensure it is secured.

Change is On The Way: Are You Ready?

Covid-19 rapidly accelerated many of these technological changes, and recent events in the news have already sparked changes to HIPAA enforcement. For example, the use of online tracking pixels to collect and transmit PHI recently caused OCR to issue a statement on their proper use. In addition, last year’s Supreme Court decision in Dobbs vs. Jackson Women’s Health spurred many reproductive health-tracking apps to take additional steps to protect users’ data. The incident highlighted just how much personal health data is contained in unregulated applications.

Even without government intervention, organizations that process health data must secure it to build consumer trust and differentiate from the competition. With breaches and cyberattacks on the rise, only the best-prepared organizations will be able to grapple with future challenges and regulatory changes.

How Online Tracking Technologies Threaten Patient Privacy

Wednesday, May 3rd, 2023

Many healthcare marketers use online tracking technologies to gather information from users as they interact with a website or mobile application. After several breaches tied to improper uses of third-party tracking pixels, the Department of Health and Human Services has clarified that data collected via online tracking technologies are often PHI and must be secured according to the Privacy Rule.

online tracking technologies

What are Online Tracking Technologies?

Tracking technologies collect information about website visitors in various ways, many of which are invisible to the user. Some of the most common types of tracking technologies include cookies, web beacons or tracking pixels, session replay scripts, and fingerprinting scripts. Mobile apps also include tracking codes within the application to enable the collection of user information.

After collecting the information, it is analyzed to create insights about users’ online activities. Marketers often use the data to create advertising campaigns. In the case of third-party tracking technologies, they may continue to track users and gather information about them even after they leave and visit other websites. As you can imagine, this raises serious patient privacy concerns.

How is this Data Protected Health Information?

It may not be obvious to users, but tracking technology vendors can access a lot of personal data through tracking technologies placed on a healthcare provider’s website. Some of the information that can be captured by tracking technology could include:

  • medical record numbers
  • email addresses
  • appointment dates or requests
  • IP addresses
  • medical device IDs
  • geographic locations

Marketers may not realize that individually identifiable information collected on a covered entity’s website or mobile app is often protected health information (PHI). Even if the individual has no pre-existing relationship with the healthcare provider, DHHS’s recent update is clear that this information is protected. Collecting this information establishes a relationship between a covered entity and an individual relating to their past, present, or future provisioning of health care. 

There is always some gray area when it comes to defining PHI, but in this case, it’s better to be safe than sorry. If you are using any online tracking technology, you must confirm that it is processing and transmitting data in a way that aligns with HIPAA regulations. 

How Healthcare Marketers Can Protect Patient Privacy

First of all, if you plan to use tracking technology on your website, the vendor needs to be a business associate of your organization. In these circumstances, covered entities must ensure that the disclosures made to such vendors are permitted by the Privacy Rule and enter into a business associate agreement (BAA) that outlines how PHI will be protected.

Think carefully about what data needs to be collected and why. In other industries, collecting user data and selling it to third parties or using it in advertising efforts is very common. Healthcare marketers must be more intentional in using online tracking technologies and take additional steps to ensure the data is processed and transmitted securely. Do not install tracking pixels without careful consideration. As many hospital systems learned last winter, failing to do so can have profound privacy and compliance implications. 

If you want to follow up with patients who browsed your website for available appointments, you must ensure their data is secure from when it is collected through transmission to other systems. For example, a patient may enter their name, email address, phone number, and desired appointment time into an online form. When they click “Submit,” where and how is this data transmitted and stored? As they browse the available appointments and doctors, your system may log which web pages they visit and store them in a CRM, CDP, or another platform. If they leave without making an appointment, what do you do with the data you collect? If you transmit this data to other advertising or marketing platforms, you will also need business associate agreements with those vendors. As you can see, it can get complicated very quickly. 

HIPAA-Compliant Marketing Technology

LuxSci’s Secure Form and Secure Marketing technologies offer a few ways to address the patient privacy issues associated with online data collection and transmission. Our fully HIPAA-compliant solutions enable you to securely collect data on your website and use email to engage prospects. Contact our sales team to learn more today.

Patient Portals and Patient Engagement

Wednesday, March 8th, 2023

Patient portals are powerful tools that allow patients to access their health records and even enable appointment scheduling and communication with healthcare providers. Despite their growing importance and popularity, patient portals alone aren’t a solution for patient engagement.

What is a Patient Portal?

A patient portal is a secure online website that gives patients 24-hour access to personal health information from anywhere with an internet connection. By logging in to an account with a unique username and password, patients can view health information like medical records and lab results and communicate securely with their healthcare provider.

In May 2020, the Office of the National Coordinator for Health IT (ONC) finalized federal rulemaking to increase patients’ and caregivers’ access, exchange, and use of electronic health information. This rule implements key provisions of the 21st Century Cures Act. The legislation requires certified health IT developers to adopt secure, standards-based application programming interfaces that enable individuals to access and manage their health records using a health application.

The top ways patient portals are used include:

patient portal usage

The Problems with Patient Portals and Patient Engagement

Despite their growing popularity, not all patients want to use online portals. Below, view some of the top reasons patients do not want to use a portal.

why patient portals aren't used

The most common reasons included just simple patient preferences. Survey respondents preferred to use another channel to communicate with their healthcare providers. This survey data was collected before the Covid-19 pandemic began. Over the past two years, other surveys have identified a growing acceptance of digital health tools. Nevertheless, it’s important to remember that not everyone prefers to use internet-based technology and provide alternate methods for engagement.

Another primary concern is technology access. Three factors accounted for over 50% of responses, including:

  • Difficult to login (24%)
  • Uncomfortable with computers (20%)
  • Do not have a way to access the website (13%)

Not all patients can access a reliable internet connection or confidently use a computer. These barriers can prevent patients from accessing their medical information and highlight why providing multiple channels for patients to interact with their providers is essential. 

Security concerns are not irrelevant either. With increasing threats to the healthcare industry, it’s understandable that some patients are hesitant to have their health information shared online. Providers must do more to secure their digital environment and earn patients’ trust.

Patient Engagement Challenges

Sending timely, personalized messages is critical to the success of patient engagement efforts. However, patient portals can also be a barrier to engagement if they are the sole vector for patient communication. Nearly 40% of patients never login into the portal, while only 18% log in more than six times a year.

patient portal access

If you attempt to send engagement messages via the patient portal, they will go unread by most of your audience. A simple forgotten password could prevent patients from accessing the portal for months, meaning they could miss out on timely messages about their healthcare.

In addition, patient portals do not support the creation of personalized messages at scale. These platforms were designed to send one-to-one messages about a patient’s upcoming appointment, lab results, and medical records and do not possess the same customization features as email marketing platforms. 

Finally, most patient portals were designed to be data repositories and were not built to enable patient communication. Most send a vague notification email to the patient, letting them know a message is waiting. However, the burden is on the patient to log in and read the message. Most EHRs cannot even track who is opening and reading the messages! For healthcare marketers trying to identify the best patient engagement strategies, patient portals lack the analytics and data needed to define, track, and boost engagement.

Patient Engagement with No Portals: Secure Email Solutions

Patients expect a healthcare experience that is more like that of e-commerce. 90% of patients want to receive emails from their providers that apply to their health journey. By moving patient engagement activities out of the portal as much as possible, it opens up new possibilities for marketers. TLS-encrypted emails do not require passwords to read, and securely deliver information directly to inboxes. 

Not all messages are appropriate to send via TLS-encrypted emails. Sometimes the security of the patient portal is preferred. Patient portals are an excellent place to store sensitive data and must be a part of the patient’s healthcare experience. It’s always a good idea to post highly sensitive data like test results and medical records in an encrypted portal and not send them via email because of possible interception and eavesdropping issues. However, by using secure email to send less-sensitive patient engagement messages, marketers can reduce barriers and promote precision nudging in a way that does not compromise data security. 

Marketers will see better open and engagement rates by delivering the message directly to patients’ inboxes. Using a HIPAA-compliant email marketing solution enables the use of PHI to customize messages designed to guide patients on their healthcare journeys. Contact LuxSci today to learn about creating a flexible, data-informed patient engagement strategy.

Tips for Improving Account Security

Thursday, December 8th, 2022

Securing access to protected health information is a crucial tenant of HIPAA compliance. Your employees may have access to sensitive information, so ensuring their accounts are secure is essential to protecting this data. While you can’t stop users from making poor choices, there are administrative actions you can take to help improve account security. We’ve created a list to help assess your security stance.

account security

What are Access Controls?

First, let’s define what we mean by access controls. In the context of HIPAA compliance, access controls refer to the technical and physical safeguards required to maintain the integrity and confidentiality of protected health information. Physical access controls include protecting the physical security of PHI located on physical servers, files, and other hardware. This is easy to understand. File cabinets are locked, rooms require passkeys or access codes to enter, and there are often sign-in and out sheets for physical files or information.

Access controls are more complicated for digital storage. In today’s world, most electronic protected health information (ePHI) is digitally stored in EHRs, databases, or the cloud. This article discusses ways to improve account security to maintain the integrity and confidentiality of digitally stored ePHI.

Account Security Checklist

Below we’ve compiled some of our tips for improving account security. Note that HIPAA does not make specific technical recommendations for how to meet its requirements. There are many ways to meet HIPAA requirements that do not dictate the use of any specific technology. However, keep in mind that the goal is to secure the sensitive data entrusted to your organization, not just check off compliance requirements.

Unique Accounts

To track who is accessing protected health information, it’s essential that account logins are not shared among staff members. When users share login credentials, it is impossible to tell who accessed information when reviewing audit logs. This can create issues when dealing with a security incident. By clearly designating logins to individuals, it’s easy to determine who is accessing PHI and to detect unusual activity. Ensure your employees understand that sharing logins is not allowed and set policies to enforce this rule.

Secure Passwords

Many people understand the importance of having a secure password, but it’s still shocking how many people use insecure or easily guessed passwords. According to a report from LastPass, 95% of IT professionals said that passwords pose security risks to their organization. They reported that employees frequently mishandle passwords, sharing them too liberally and via insecure methods. A few steps you can take to improve password security include:

  • Using unique passwords for each account
  • Requiring the use of special characters, numbers, and capitalization
  • Randomly generating passwords
  • Using password managers to store account information securely

Administrators should create policies for passwords and enforce as many of these requirements as possible by default. Don’t rely on users making the right decisions.

Multifactor Authentication

If a user’s password is weak and gets compromised, multifactor authentication can help keep accounts secure. Multifactor authentication requires a second piece of information (usually a six-digit code) to complete the login process. The code is sent to or generated by a second device. Without access to this code, a hacker cannot log in to the account, even if they have the username and password.

We recommend using an application (like DuoSecurity or Google Authenticator) to generate the second factor because a competent hacker can intercept codes sent by text/SMS.

Time and Location-Based Settings

These settings are not required for HIPAA compliance but provide an additional layer of security. Administrators can stop logins that take place from outside of pre-set geographic regions. This is useful because many cybercrimes are launched from foreign countries. For example, logins coming from countries like Russia, China, or Iran could be forbidden by administrators. In addition, admins can lock users out when it is not their regular working hours. For example, keep users from logging in between 10pm-6am (or any time of your choosing.) Many malicious actions take place outside of regular operating hours to avoid notice. Be sure to have a way to override this in case of an emergency.

IP Restricted Logins

Restrict logins even further by requiring them to come from specific IP addresses. Administrators can use VPNs to secure traffic to their applications. The user will not be able to log in if the attempt does not come from the correct IP address.

Role-Based Permissions

Another factor to keep in mind is the principle of least access. Users should only have access to the systems required to perform their job duties. Not every user should have access to every system. Reducing the number of logins available decreases the attack surface and reduces risk. This is a key tenet of the Zero Trust security philosophy.

Automatic Log Out

Finally, prevent users from staying logged into sensitive systems indefinitely. Enforce automatic logouts after a point of idleness (this could be five minutes, 30 minutes, or an hour depending on your situation). This helps prevent unauthorized access to protected information after a user has legitimately logged in.

Conclusion

These tips represent just a few ways that administrators can improve the security of their users’ accounts and protect access to PHI.

LuxSci and StepAhead Partner to Protect Patient Data

Thursday, November 17th, 2022

Boston, MA- November 2022 – LuxSci, a provider of HIPAA-compliant email services, is pleased to announce a new partnership with StepAhead, a software company focused on protecting healthcare data. By partnering with LuxSci, StepAhead helps healthcare technology organizations protect sensitive data so they can utilize it in ways that do not compromise patient privacy.

“LuxSci is thrilled to work with StepAhead. Their unique approach to data security and patient privacy is a perfect complement to LuxSci’s email encryption technology. By partnering with StepAhead, we can support our enterprise technology customers as they develop the solutions that will change the future of healthcare delivery for the better,” said Heather Clark, Vice President of Partnerships at LuxSci.

The healthcare ecosystem is rapidly changing, and digital innovation is essential to serve the needs of patients. However, digital tools introduce risk to sensitive data like protected health information. The partnership allows LuxSci and StepAhead to help healthcare technology companies address the complex data security and compliance questions that arise during digital transformation.

“The synergies between our two companies and the complementary security solutions we offer, provide a powerful combination for healthcare organizations. LuxSci owns the space where movement of sensitive data is a necessary business process by applying their encryption technology to keep that data safe. StepAhead provides tools to further leverage that data, in an anonymized form with the highest level of utility, so it can be distributed freely without fear of breach. This helps expand the value of the sensitive data without increasing the risk profile for all situations where the original sensitive data is not necessary,” said Kurt Ring, Co-Founder and VP of Sales at StepAhead.

StepAhead’s innovative Tarmiz technology offers a new model for protecting PHI with targeted data anonymization. This process enables organizations to maintain the integrity and authenticity of their native data without being exposed to unnecessary risk or undesirable outcomes.

LuxSci provides secure email solutions to help healthcare organizations meet compliance requirements and protect patient data. LuxSci’s SecureLine encryption technology helps healthcare providers reduce risk profiles while providing easy-to-use email tools.

The partnership between LuxSci and StepAhead will help further expand the security around sensitive data and provide additional options for organizations looking to utilize that data in the most effective and safest ways possible. To learn more about SecureLine visit www.luxsci.com and for more information on Tarmiz visit https://stepahead.dev/learnmore/.