ePHI Archives - Page 2 of 10 - LuxSci

Posts Tagged ‘ePHI’

Digital Strategies to Address Health Equity

Wednesday, July 5th, 2023

According to a HIMSS Market Insights study, nine out of ten healthcare executives see health equity as a top business priority. Improving health equity can drive value for other business metrics, including patient satisfaction, provider retention, health outcomes, and cost reduction. Email is an excellent way to address health equity issues, thanks to its widespread adoption across different ethnic and demographic groups.

 


What is Health Equity?

According to the CDC, health equity is “achieved when every person has the opportunity to attain his or her full health potential and no one is disadvantaged from achieving this potential because of social position or other socially determined circumstances.”

 

Under President Biden, the Department of Health and Human Services has prioritized health equity in response to the COVID-19 pandemic. COVID-19 highlighted the healthcare system’s racial, economic, and social disparities. For example, COVID-19 killed Black, Latino, and Indigenous people at double the rate of White people. Native Hawaiians and Pacific Islanders remain three times more likely to contract the illness than White people. Addressing the social, cultural, racial, and economic factors contributing to this disparity is essential to improving individual and population health.

Improve Health Equity with Email Communications

Email is an excellent tool for patient engagement because of its widespread adoption across different demographic groups. As you can see in the data below, email has an overall adoption rate of 92%, and across all age and ethnic groups surveyed, adoption rates are above 80%.

[Chart: email adoption rates by age group and by ethnicity]

Unlike phone numbers and addresses, email addresses seldom change because of economic instability. Email addresses are free to create and are typically accessed at least once a day. Broadband access continues to expand, though it still presents a barrier to email communication. However, even when broadband is unavailable, slower connections still permit text-based emails to be sent and received. Email is reliable, easy to use, and widely accessible to most individuals, making it an excellent channel for patient engagement.

The Technical Advantages of Email

Email also offers several advantages on the technical side to address digital health equity. Email’s main benefit is its ability to be personalized at scale. When using a secure email provider like LuxSci, you can create groups or segments of patients and send them relevant information about their health conditions or risk factors. These workflows can be automatically triggered when certain criteria are met to streamline operations and improve efficiency.

Thanks to the nearly universal use of EHR systems, healthcare marketers can access a wide variety of first-party patient data. Health records not only contain information about health conditions, but also information about patient demographics and preferences.

Intelligent marketers can use this data to close care gaps and improve health equity. Let’s take a look at an example.

An Example of Personalization and Segmentation to Address Health Equity

There are so many options when it comes to segmenting your patient population. To address health equity, you can use information like the patient’s native language and communication preferences to create personalized messaging. By doing so, you can increase response rates and close care gaps.

 

For example, say you have a significant portion of your patient population that speaks Spanish, and they are more likely to miss an appointment or not schedule a follow-up. How can you drive appointment attendance and reduce churn? The first step is to create an audience segment composed of patients who speak Spanish as their first language. Next, create email messages that are designed for the audience. This means writing the subject line and email contents in Spanish and using imagery they can identify with. But you can do more than that. Point people in this audience to schedule appointments with doctors who are fluent in Spanish. If there are other reasons this audience struggles to attend appointments, extend opportunities to help them with transportation, child/elder care, or access healthcare outside of regular working hours. Once you understand the barriers to attending appointments, you can extend personalized offers that help increase attendance and improve health outcomes. 

 

Most importantly, email allows you to test messaging and see what’s working. Review your campaign statistics and adjust your messaging to reach the most people and improve health equity among your patient population.

Conclusion

As we have seen, email is a highly effective way to engage marginalized patient populations. However, don’t forget about HIPAA compliance! Communications personalized and segmented using ePHI need to be secured.

 

LuxSci offers secure email services designed to meet HIPAA requirements. If you want to learn more about addressing health equity with secure communications, please contact us today.

The Future of Protected Health Information

Wednesday, May 10th, 2023

HIPAA was introduced in 1996 to protect patient privacy and enable individuals to control their health records. However, over the last 30 years, the proliferation of technology has enabled patients to collect, transmit, and store personal health data in ways that were unimaginable to the original authors of the legislation. This article discusses how the definition of protected health information may expand in the future to account for new types of data, covered entities, and technologies.


Protected Health Information Today

Under the current iteration of HIPAA, protected health information, or PHI, is defined as “individually identifiable protected health information.” Protected health information refers specifically to three classes of data:

  1. An individual’s past, present, or future physical or mental health or condition.
  2. The past, present, or future provision of health care to an individual.
  3. The past, present, or future payment for the provision of health care to an individual.

For protected health information to be “individually identifiable,” the data must be linked to a specific individual (even if this is very indirect). There are 18 types of identifiers for an individual. Any one of these identifiers, combined with health data, would constitute PHI.


In addition, under today’s HIPAA rules, only covered entities and business associates must abide by the regulations. Covered entities fall into three categories:

  1. Healthcare providers – Hospitals, doctors, clinics, pharmacies, nursing homes, psychologists, and other providers.
  2. Health plans – Health insurance companies, company health plans, HMOs, and government-paid health care plans such as Medicare are all considered health plans.
  3. Healthcare clearinghouses – These entities either process or facilitate the processing of health information they receive from other entities.

Business associates include a wide range of companies, but most importantly, they are contracted by a covered entity to perform a business function involving PHI. Business associates can include web hosts, billing companies, marketing agencies, legal firms, accountants, and more.

The Future of Protected Health Information

As the world has rapidly changed, new technologies that challenge how we think about personal health data have evolved. IT security teams must consider future security challenges and regulatory changes to futureproof their organization and mitigate risks. Below we explore how technology and PHI have progressed in a way that is pressuring regulators and legislators to protect patient privacy.

Technological Advances

The smartphone was still a decade away from being invented when HIPAA was introduced. In today’s world, the success of the iPhone has trickled down to other internet-connected smart devices like watches, scales, and other wearable devices. Even medical devices, including heart rate monitors and remote patient monitoring devices, can be found in people’s homes today. When medical providers ask patients to use these devices to capture biometric data, HIPAA rules apply.

But what about when healthcare providers do not recommend these technologies? If a consumer wants to use an application to record their daily activity, record their weight, or monitor their heart rate without direction from a doctor, HIPAA does not apply. However, due to the sensitivity of the data and the lack of consumer understanding, some are calling for additional privacy protections that would bind device and application manufacturers. It is not hard to imagine that any application designed to collect, store, or transmit health data will become subject to stricter regulations regardless of whether a healthcare provider is involved in the individual’s care.

New Types of Data

When HIPAA was envisioned, genetic science was progressing but still confined to the upper levels of academia and research. Improvements in genetic testing and increased knowledge of the human genome could completely alter what is defined as PHI and how individuals interact with their healthcare providers. In 2013, amendments to the Privacy Rule clarified that genetic information is PHI and needs to be secured. However, over the past decade, genetic testing capabilities have exploded. Anyone can order a genetic test from numerous consumer-facing companies. As a result, personalized medicine is thriving and is likely to grow over the next decade.

As doctors have more access than ever before to information about our genomics, it’s of the highest importance to ensure it is secured.

Change is On The Way: Are You Ready?

COVID-19 rapidly accelerated many of these technological changes, and recent events in the news have already sparked changes to HIPAA enforcement. For example, the use of online tracking pixels to collect and transmit PHI recently caused OCR to issue a statement on their proper use. In addition, last year’s Supreme Court decision in Dobbs vs. Jackson Women’s Health spurred many reproductive health-tracking apps to take additional steps to protect users’ data. The decision highlighted just how much personal health data is contained in unregulated applications.

Even without government intervention, organizations that process health data must secure it to build consumer trust and differentiate from the competition. With breaches and cyberattacks on the rise, only the best-prepared organizations will be able to grapple with future challenges and regulatory changes.

Patient Portals and Patient Engagement

Wednesday, March 8th, 2023

Patient portals are powerful tools that allow patients to access their health records and even enable appointment scheduling and communication with healthcare providers. Despite their growing importance and popularity, patient portals alone aren’t a solution for patient engagement.

What is a Patient Portal?

A patient portal is a secure online website that gives patients 24-hour access to personal health information from anywhere with an internet connection. By logging in to an account with a unique username and password, patients can view health information like medical records and lab results and communicate securely with their healthcare provider.

In May 2020, the Office of the National Coordinator for Health IT (ONC) finalized federal rulemaking to increase patients’ and caregivers’ access, exchange, and use of electronic health information. This rule implements key provisions of the 21st Century Cures Act. The legislation requires certified health IT developers to adopt secure, standards-based application programming interfaces that enable individuals to access and manage their health records using a health application.

The top ways patient portals are used are shown below.

[Chart: top ways patient portals are used]

The Problems with Patient Portals and Patient Engagement

Despite their growing popularity, not all patients want to use online portals. Some of the top reasons patients do not want to use a portal are shown below.

[Chart: top reasons patients do not use a patient portal]

The most common reason was simple patient preference: survey respondents preferred to use another channel to communicate with their healthcare providers. This survey data was collected before the COVID-19 pandemic began. Over the past two years, other surveys have identified a growing acceptance of digital health tools. Nevertheless, it’s important to remember that not everyone prefers internet-based technology, and to provide alternate methods for engagement.

Another primary concern is technology access. Three factors accounted for over 50% of responses, including:

  • Difficulty logging in (24%)
  • Uncomfortable with computers (20%)
  • Do not have a way to access the website (13%)

Not all patients can access a reliable internet connection or confidently use a computer. These barriers can prevent patients from accessing their medical information and highlight why providing multiple channels for patients to interact with their providers is essential. 

Security concerns are not irrelevant either. With increasing threats to the healthcare industry, it’s understandable that some patients are hesitant to have their health information shared online. Providers must do more to secure their digital environment and earn patients’ trust.

Patient Engagement Challenges

Sending timely, personalized messages is critical to the success of patient engagement efforts. However, patient portals can also be a barrier to engagement if they are the sole vector for patient communication. Nearly 40% of patients never log in to the portal, while only 18% log in more than six times a year.

[Chart: frequency of patient portal access]

If you attempt to send engagement messages via the patient portal, they will go unread by most of your audience. A simple forgotten password could prevent patients from accessing the portal for months, meaning they could miss out on timely messages about their healthcare.

In addition, patient portals do not support the creation of personalized messages at scale. These platforms were designed to send one-to-one messages about a patient’s upcoming appointment, lab results, and medical records and do not possess the same customization features as email marketing platforms. 

Finally, most patient portals were designed to be data repositories and were not built to enable patient communication. Most send a vague notification email to the patient, letting them know a message is waiting. However, the burden is on the patient to log in and read the message. Most EHRs cannot even track who is opening and reading the messages! For healthcare marketers trying to identify the best patient engagement strategies, patient portals lack the analytics and data needed to define, track, and boost engagement.

Patient Engagement with No Portals: Secure Email Solutions

Patients expect a healthcare experience that is more like that of e-commerce. 90% of patients want to receive emails from their providers that apply to their health journey. Moving patient engagement activities out of the portal as much as possible opens up new possibilities for marketers. TLS-encrypted emails require no password to read and deliver information securely to the patient’s inbox.

Not all messages are appropriate to send via TLS-encrypted emails. Sometimes the security of the patient portal is preferred. Patient portals are an excellent place to store sensitive data and must be a part of the patient’s healthcare experience. It’s always a good idea to post highly sensitive data like test results and medical records in an encrypted portal and not send them via email because of possible interception and eavesdropping issues. However, by using secure email to send less-sensitive patient engagement messages, marketers can reduce barriers and promote precision nudging in a way that does not compromise data security. 

Marketers will see better open and engagement rates by delivering the message directly to patients’ inboxes. Using a HIPAA-compliant email marketing solution enables the use of PHI to customize messages designed to guide patients on their healthcare journeys. Contact LuxSci today to learn about creating a flexible, data-informed patient engagement strategy.

Tips for Improving Account Security

Thursday, December 8th, 2022

Securing access to protected health information is a crucial tenet of HIPAA compliance. Your employees may have access to sensitive information, so ensuring their accounts are secure is essential to protecting this data. While you can’t stop users from making poor choices, there are administrative actions you can take to help improve account security. We’ve created a list to help assess your security posture.

What are Access Controls?

First, let’s define what we mean by access controls. In the context of HIPAA compliance, access controls refer to the technical and physical safeguards required to maintain the integrity and confidentiality of protected health information. Physical access controls include protecting the physical security of PHI located on physical servers, files, and other hardware. This is easy to understand. File cabinets are locked, rooms require passkeys or access codes to enter, and there are often sign-in and out sheets for physical files or information.

Access controls are more complicated for digital storage. In today’s world, most electronic protected health information (ePHI) is digitally stored in EHRs, databases, or the cloud. This article discusses ways to improve account security to maintain the integrity and confidentiality of digitally stored ePHI.

Account Security Checklist

Below we’ve compiled some of our tips for improving account security. Note that HIPAA does not make specific technical recommendations for how to meet its requirements. There are many ways to meet HIPAA requirements that do not dictate the use of any specific technology. However, keep in mind that the goal is to secure the sensitive data entrusted to your organization, not just check off compliance requirements.

Unique Accounts

To track who is accessing protected health information, it’s essential that account logins are not shared among staff members. When users share login credentials, it is impossible to tell who accessed information when reviewing audit logs. This can create issues when dealing with a security incident. By clearly designating logins to individuals, it’s easy to determine who is accessing PHI and to detect unusual activity. Ensure your employees understand that sharing logins is not allowed and set policies to enforce this rule.

Secure Passwords

Many people understand the importance of having a secure password, but it’s still shocking how many people use insecure or easily guessed passwords. According to a report from LastPass, 95% of IT professionals said that passwords pose security risks to their organization. They reported that employees frequently mishandle passwords, sharing them too liberally and via insecure methods. A few steps you can take to improve password security include:

  • Using unique passwords for each account
  • Requiring the use of special characters, numbers, and capitalization
  • Randomly generating passwords
  • Using password managers to store account information securely

Administrators should create policies for passwords and enforce as many of these requirements as possible by default. Don’t rely on users making the right decisions.
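The following is an added example, not code from LuxSci or from the original post, of how the password rules listed above can be enforced rather than left to users: a checker that reports every policy violation and a generator that uses the `secrets` module (a cryptographically secure source, unlike `random`) and retries until the candidate satisfies the same policy. The length threshold and alphabet are assumptions chosen for the example.

```python
import secrets
import string

# Constructed policy values for this example; substitute your organization's own.
MIN_LENGTH = 14
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def check_password(password: str, min_length: int = MIN_LENGTH) -> list:
    """Return the list of policy violations; an empty list means the password passes.

    The checks mirror the post's list: length, upper and lower case, digits and
    special characters. Reporting every violation at once gives the user one
    round of feedback instead of a guessing game."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def generate_password(length: int = 20) -> str:
    """Generate a random password with `secrets` (a CSPRNG), retrying until every
    character class required by the policy is present."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate, min_length=length):
            return candidate


if __name__ == "__main__":
    for sample in ("password", "Password!!!!!!!!!!!", generate_password()):
        print(repr(sample), "->", check_password(sample) or "ok")
```

Enforcing these checks at account creation and password change, server-side, is what turns the policy into a default rather than a recommendation.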

Multifactor Authentication

If a user’s password is weak and gets compromised, multifactor authentication can help keep accounts secure. Multifactor authentication requires a second piece of information (usually a six-digit code) to complete the login process. The code is sent to or generated by a second device. Without access to this code, a hacker cannot log in to the account, even if they have the username and password.

We recommend using an application (like Duo Security or Google Authenticator) to generate the second factor because a competent hacker can intercept codes sent by text/SMS.

Time and Location-Based Settings

These settings are not required for HIPAA compliance but provide an additional layer of security. Administrators can block logins that take place from outside pre-set geographic regions. This is useful because many cybercrimes are launched from foreign countries. For example, logins coming from countries like Russia, China, or Iran could be forbidden by administrators. In addition, admins can lock users out outside of their regular working hours, for example by preventing logins between 10 pm and 6 am (or any window of your choosing). Many malicious actions take place outside of regular operating hours to avoid notice. Be sure to have a way to override this restriction in case of an emergency.

IP Restricted Logins

Restrict logins even further by requiring them to come from specific IP addresses. Administrators can use VPNs to secure traffic to their applications. The user will not be able to log in if the attempt does not come from the correct IP address.

Role-Based Permissions

Another factor to keep in mind is the principle of least privilege, sometimes called least access. Users should only have access to the systems required to perform their job duties. Not every user should have access to every system. Reducing the number of logins available decreases the attack surface and reduces risk. This is a key tenet of the Zero Trust security philosophy.

Automatic Log Out

Finally, prevent users from staying logged into sensitive systems indefinitely. Enforce automatic logouts after a point of idleness (this could be five minutes, 30 minutes, or an hour depending on your situation). This helps prevent unauthorized access to protected information after a user has legitimately logged in.
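The four controls just described (time-of-day restriction with an emergency override, IP-restricted logins, role-based permissions, and automatic logout) are evaluated together in this added example. It is not code from the original post or from LuxSci; the policy values, the `AccessPolicy` structure, and the function names are assumptions constructed for the example, and the 203.0.113.0/24 block is a documentation range standing in for a VPN egress network.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class AccessPolicy:
    """Administrative login restrictions. All values are constructed for the
    example and map onto whatever controls your own platform exposes."""
    allowed_networks: list = field(default_factory=list)  # CIDR blocks, e.g. the VPN egress range
    allowed_countries: set = field(default_factory=set)   # ISO country codes permitted to log in
    work_hours: tuple = (6, 22)                           # logins allowed from 06:00 up to 22:00
    idle_timeout: timedelta = timedelta(minutes=30)       # automatic logout threshold
    role_systems: dict = field(default_factory=dict)      # role -> set of systems it may reach


def check_login(policy, src_ip, country, when, override=False):
    """Evaluate a login attempt against the IP, country, and time-of-day rules.

    Returns (allowed, reason). `override` models the emergency bypass for the
    time window only; the network and country restrictions still apply."""
    ip = ipaddress.ip_address(src_ip)
    if policy.allowed_networks and not any(
        ip in ipaddress.ip_network(net) for net in policy.allowed_networks
    ):
        return False, f"{src_ip} is outside the allowed networks"
    if policy.allowed_countries and country not in policy.allowed_countries:
        return False, f"login from {country} is not permitted"
    start, end = policy.work_hours
    if not (start <= when.hour < end) and not override:
        return False, f"login at {when:%H:%M} is outside working hours"
    return True, "ok"


def check_access(policy, role, system):
    """Least privilege: a role may reach only the systems explicitly granted to it."""
    return system in policy.role_systems.get(role, set())


def session_expired(policy, last_activity, now):
    """Automatic logout: the session is dead once idle time exceeds the timeout."""
    return now - last_activity > policy.idle_timeout


# Constructed demo policy: one VPN block, US-only logins, two roles with
# disjoint system access.
DEMO_POLICY = AccessPolicy(
    allowed_networks=["203.0.113.0/24"],
    allowed_countries={"US"},
    role_systems={"clinician": {"ehr"}, "billing": {"billing-db"}},
)


def demo_results():
    """Run the constructed scenarios and return each outcome by name."""
    daytime = datetime(2023, 1, 9, 9, 0)
    night = datetime(2023, 1, 9, 23, 30)
    return {
        "vpn_daytime": check_login(DEMO_POLICY, "203.0.113.10", "US", daytime)[0],
        "off_vpn": check_login(DEMO_POLICY, "198.51.100.5", "US", daytime)[0],
        "wrong_country": check_login(DEMO_POLICY, "203.0.113.10", "CA", daytime)[0],
        "night": check_login(DEMO_POLICY, "203.0.113.10", "US", night)[0],
        "night_override": check_login(DEMO_POLICY, "203.0.113.10", "US", night, override=True)[0],
        "clinician_ehr": check_access(DEMO_POLICY, "clinician", "ehr"),
        "billing_ehr": check_access(DEMO_POLICY, "billing", "ehr"),
        "idle_31_min": session_expired(DEMO_POLICY, daytime, daytime + timedelta(minutes=31)),
        "idle_20_min": session_expired(DEMO_POLICY, daytime, daytime + timedelta(minutes=20)),
    }


if __name__ == "__main__":
    for name, outcome in demo_results().items():
        print(f"{name}: {outcome}")
```

Every denial returns a reason string so it can be written to the audit log alongside the account name, which is what makes the unique-accounts rule above pay off when an incident is reviewed. Note that the emergency override bypasses only the working-hours window; it deliberately leaves the network and country checks in force.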

Conclusion

These tips represent just a few ways that administrators can improve the security of their users’ accounts and protect access to PHI.

LuxSci and StepAhead Partner to Protect Patient Data

Thursday, November 17th, 2022

Boston, MA – November 2022 – LuxSci, a provider of HIPAA-compliant email services, is pleased to announce a new partnership with StepAhead, a software company focused on protecting healthcare data. By partnering with LuxSci, StepAhead helps healthcare technology organizations protect sensitive data so they can utilize it in ways that do not compromise patient privacy.

“LuxSci is thrilled to work with StepAhead. Their unique approach to data security and patient privacy is a perfect complement to LuxSci’s email encryption technology. By partnering with StepAhead, we can support our enterprise technology customers as they develop the solutions that will change the future of healthcare delivery for the better,” said Heather Clark, Vice President of Partnerships at LuxSci.

The healthcare ecosystem is rapidly changing, and digital innovation is essential to serve the needs of patients. However, digital tools introduce risk to sensitive data like protected health information. The partnership allows LuxSci and StepAhead to help healthcare technology companies address the complex data security and compliance questions that arise during digital transformation.

“The synergies between our two companies and the complementary security solutions we offer, provide a powerful combination for healthcare organizations. LuxSci owns the space where movement of sensitive data is a necessary business process by applying their encryption technology to keep that data safe. StepAhead provides tools to further leverage that data, in an anonymized form with the highest level of utility, so it can be distributed freely without fear of breach. This helps expand the value of the sensitive data without increasing the risk profile for all situations where the original sensitive data is not necessary,” said Kurt Ring, Co-Founder and VP of Sales at StepAhead.

StepAhead’s innovative Tarmiz technology offers a new model for protecting PHI with targeted data anonymization. This process enables organizations to maintain the integrity and authenticity of their native data without being exposed to unnecessary risk or undesirable outcomes.

LuxSci provides secure email solutions to help healthcare organizations meet compliance requirements and protect patient data. LuxSci’s SecureLine encryption technology helps healthcare providers reduce risk profiles while providing easy-to-use email tools.

The partnership between LuxSci and StepAhead will help further expand the security around sensitive data and provide additional options for organizations looking to utilize that data in the most effective and safest ways possible. To learn more about SecureLine visit www.luxsci.com and for more information on Tarmiz visit https://stepahead.dev/learnmore/.