" ePHI Archives - Page 3 of 10 - LuxSci

Posts Tagged ‘ePHI’

LuxSci and StepAhead Partner to Protect Patient Data

Thursday, November 17th, 2022

Boston, MA- November 2022 – LuxSci, a provider of HIPAA-compliant email services, is pleased to announce a new partnership with StepAhead, a software company focused on protecting healthcare data. By partnering with LuxSci, StepAhead helps healthcare technology organizations protect sensitive data so they can utilize it in ways that do not compromise patient privacy.

“LuxSci is thrilled to work with StepAhead. Their unique approach to data security and patient privacy is a perfect complement to LuxSci’s email encryption technology. By partnering with StepAhead, we can support our enterprise technology customers as they develop the solutions that will change the future of healthcare delivery for the better,” said Heather Clark, Vice President of Partnerships at LuxSci.

The healthcare ecosystem is rapidly changing, and digital innovation is essential to serve the needs of patients. However, digital tools introduce risk to sensitive data like protected health information. The partnership allows LuxSci and StepAhead to help healthcare technology companies address the complex data security and compliance questions that arise during digital transformation.

“The synergies between our two companies and the complementary security solutions we offer, provide a powerful combination for healthcare organizations. LuxSci owns the space where movement of sensitive data is a necessary business process by applying their encryption technology to keep that data safe. StepAhead provides tools to further leverage that data, in an anonymized form with the highest level of utility, so it can be distributed freely without fear of breach. This helps expand the value of the sensitive data without increasing the risk profile for all situations where the original sensitive data is not necessary,” said Kurt Ring, Co-Founder and VP of Sales at StepAhead.

StepAhead’s innovative Tarmiz technology offers a new model for protecting PHI with targeted data anonymization. This process enables organizations to maintain the integrity and authenticity of their native data without being exposed to unnecessary risk or undesirable outcomes.

LuxSci provides secure email solutions to help healthcare organizations meet compliance requirements and protect patient data. LuxSci’s SecureLine encryption technology helps healthcare providers reduce risk profiles while providing easy-to-use email tools.

The partnership between LuxSci and StepAhead will help further expand the security around sensitive data and provide additional options for organizations looking to utilize that data in the most effective and safest ways possible. To learn more about SecureLine visit www.luxsci.com and for more information on Tarmiz visit https://stepahead.dev/learnmore/.

Tags: anonymization, data protection, data security, email security, ePHI, hipaa compliance, phi
Posted in Industry News, Affiliates & Resellers
Comments Off on LuxSci and StepAhead Partner to Protect Patient Data

Rules for Using PHI in Patient Engagement

Friday, November 11th, 2022

As you know by now, we believe strongly in the benefits of using protected health information (PHI) to create highly targeted and personalized email campaigns. However, before you dive in and kick off your campaigns, you must be aware of the complex compliance requirements governing healthcare organizations’ marketing communications.

using PHI for patient engagement

Reminder: What is PHI?

PHI, or protected health information, is “individually identifiable protected health information.” Protected health information refers specifically to three classes of data:

  1. An individual’s past, present, or future physical or mental health or condition.
  2. The past, present, or future provisioning of health care to an individual.
  3. The past, present, or future payment-related information for the provisioning of health care to an individual.

For protected health information to be “individually identifiable,” the data can be linked to a specific individual (even if this is very indirect). There are 18 types of identifiers for an individual. Any one of these identifiers, combined with “protected health information,” would constitute PHI.

It’s often more complicated than it looks. For example, if you are running email campaigns, an email address is an individual identifier because it can be connected to a specific individual. That, combined with the email content, which often refers to the name of the provider, information about their health conditions, insurance coverage, or upcoming appointments, means that most communications from a healthcare practice could qualify as PHI.

HIPAA Rules for Using PHI in Patient Engagement

HIPAA regulates patient privacy. Healthcare organizations and their associates must obtain consent and implement technical safeguards before starting marketing campaigns.

HIPAA Privacy Rule

According to the U.S. Department of Health & Human Servicesyou must acquire consent to send marketing communications under the HIPAA Privacy Rule. It reads, “With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing.”

The Privacy Rule defines “marketing” as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” This also applies to many patient engagement communications.  

Generally, if the communication is “marketing,” then the communication can only occur if the covered entity obtains an individual’s authorization. Organizations must keep track of who has consented to receive marketing communications and allow them to opt-out at any time. We further discuss the nuances of patient consent for marketing communications here.

HIPAA Security Rule

All covered entities and their Business Associates are subject to the HIPAA Security Rule. If you are working with a vendor (like a marketing consultant, email marketing platform, or ad agency) that will have access to PHI, you need to enforce a Business Associate Agreement.

The HIPAA Security Rule categorizes the necessary safeguards into three categories: Physical, Administrative, and Technical Safeguards. More details about the requirements for each can be found here. Any vendor you choose to work with must follow these regulations. Some basic requirements include the following:

  • Physically protecting data and where it is stored,
  • Training staff on handling PHI, and
  • Setting up technology to protect PHI properly.

Assuming your patient engagement campaigns are primarily occurring via email, at a minimum, you must ensure that the email marketing vendor will:

  • Protect data at rest and
  • Protect data in transmission.

This means utilizing encryption to ensure that PHI cannot be eavesdropped on. Many popular email marketing vendors do not encrypt PHI in transmission. It’s extremely important to choose a provider who can protect PHI following HIPAA regulations.

hipaa compliant applications

The Benefits of Using PHI for Patient Engagement

Once you have established the proper policies and procedures, signed a BAA, and put any technical requirements in place, you can start segmenting and personalizing emails using PHI. Here are some segmentation and personalization ideas to get started.

By applying these techniques and using PHI in your patient engagement strategy, you can:

  • Design targeted patient journeys
  • Deliver better patient outcomes
  • Improve ROI and reduce costs

Contact us today to learn more about how to securely engage patients using PHI.

Tags: business associate agreement, email marketing, ePHI, hipaa compliance, hipaa privacy rule, hipaa security rule, patient engagement, personalization, phi, quasi compliance, segmentation
Posted in HIPAA Marketing
Comments Off on Rules for Using PHI in Patient Engagement

4 Email Personalization Strategies for Member Engagement

Friday, November 4th, 2022

For many benefits administrators, it’s open enrollment season! During this period, individuals can make changes to their insurance coverage. It’s vital to engage members to educate them about their plans and benefits to increase satisfaction, retain members, and acquire new enrollees. This article presents four email personalization strategies for member engagement.

member engagement strategies

Insurance Information is ePHI

Before we get to strategies for improving engagement, it’s worth reflecting on the regulatory hurdles. According to the Department of Health and Human Services, healthcare payers, insurers, and benefits administrators are covered entities. This means they must abide by HIPAA regulations when transmitting and storing protected health information (PHI).

Emails about an individual’s insurance coverage and eligibility, plan types and offerings, health status, and financial information are considered PHI and must be protected accordingly. We’ve written extensively about the HIPAA requirements for email elsewhere, but in brief, this means that emails containing PHI need to be encrypted and archived appropriately. Do not proceed with the following strategies until a HIPAA-compliant email solution is implemented correctly.

 

4 Email Personalization Strategies for Member Engagement

Segmentation and personalization are the keys to crafting messages that appeal to your audience. Particularly when it comes to healthcare coverage, there is no one-size fits all approach. Personalization techniques allow marketers to create highly relevant emails that the audience will find beneficial.

Age-Related Changes

In the US health insurance market, insurance coverage is often tied to age. As individuals reach new stages of life, there is an opportunity for them to change their insurance coverage. For example, insurers and benefits administrators can create targeted messaging to:

  • 26-year-old individuals about to enter the healthcare marketplace and
  • 65-year-old individuals who qualify for Medicare

It would not make sense to send these messages to a sizeable non-segmented email list because they would be irrelevant to the majority of recipients. By segmenting your email list by age and creating targeted messaging, you will receive a better response and return on investment from your email campaigns.

Plan and Benefit Educational Opportunities

There are many different types of health insurance coverage and benefit plans. Educating enrollees on their plan benefits makes them more likely to utilize their coverage and be satisfied with their plan. For example, if eligible members are not taking advantage of a dental benefit, it may be wise to create an email campaign that educates them on what they can access with their benefits.

Geography-Specific Messaging

There are often differences in enrollment periods, eligibility, and benefits in the US market on a state-by-state basis. Creating personalized messages based on the recipient’s residence makes the messages more relevant. For example, sending recipients the accurate enrollment date based on their residence is essential to getting people to sign up!

Health Status Messaging

You can also use information you know about your members to craft messages that can help improve their health. For example, it may be possible to know who is overdue for an annual appointment, and email messages can help them reschedule care. Similarly, several standard preventative screenings are tied to age and gender, like annual mammograms for women at 40 years old. By sending an email to all members who meet that criteria reminding them to get screened, it can improve population health and reduce costs.

Conclusion

Today’s consumers prefer email communications from businesses and brands. Personalizing your approach can improve your campaign performance and deliver significant results. If you want help improving your enrollment outreach with HIPAA-compliant email, contact LuxSci.

Tags: benefits administration, email marketing, email personalization, ePHI, health insurance, hipaa compliance, hipaa marketing, patient engagement, personalization, segmentation
Posted in HIPAA Marketing
Comments Off on 4 Email Personalization Strategies for Member Engagement

Personalize Healthcare Communications to Improve the Patient Experience

Tuesday, August 16th, 2022

Recent survey results from CVS Health indicate that healthcare patients desire a more personalized healthcare experience. Over the last ten years, the online experience has become highly customized. Online vendors have more customer data and use it to extend personalized offers, reminders, and updates. Although people are concerned about online privacy, they are more likely to open and engage with relevant marketing communications.

As the healthcare industry has undergone digital transformation, more data is available in a digital format. But how and when can it be used? This article discusses how to use patient data to personalize healthcare communications without violating HIPAA requirements.

personalize healthcare communications

What is Healthcare Personalization?

Personalized health care places individuals at the center of the health care experience. Health care is a complex issue, and one system does not work for everyone. A person’s health status is influenced by many factors, including genetics, age, environment, social determinants, income, and countless others. A health care program that considers as many of these variables as possible can better address patient needs and increase access to care.

Why Personalize Healthcare Communications

Patients understand that their healthcare providers manage a lot of their personal data and want a personalized experience that respects their preferences. As audience segmentation and personalization techniques become more common in other industries like e-commerce and personal care, consumers expect the same experiences from their health care providers.

For example, say you order a jug of laundry detergent on Amazon. They can use common consumer data in combination with your last order date to estimate when you are likely to run out. Then, they can send an email reminder to encourage a reorder before you run out again. In a similar manner, healthcare providers should know when someone’s prescription is running low and could send a notification to let the patient they need to refill and help improve medication adherence.

A recent survey by CVS Health found that 85% of patients find personalized care to be important. In fact, 83% expect their primary care provider to be aware of their family medical history, genetics and inherited lifestyle habits. 71% of consumers said it was very or somewhat important to their health that they have customized alerts and reminders of screenings and checkups. This is even more common among patients under 40. The next generation of healthcare consumers expects their healthcare to fit seamlessly into their normal lives.

Ways to Personalize the Healthcare Experience

There are many ways to personalize the healthcare experience, but they all depend on the available data. An easy way to start is by asking for patient preferences. Some common ways to personalize healthcare communications include collecting information about patient preferences:

  • Communication methods: How do they prefer to be contacted? Ask patients their preferred channels- email, texting, phone, and paper notifications are standard options.
  • Language proficiency: Is English their first language? If not, send communications in the person’s primary language.
  • Patient status: Are they active patients or overdue for regular screenings and appointments?

Looking at these attributes can help craft messages that appeal to patient subgroups.

The next level of personalization uses protected health information (PHI) to deliver extremely customized healthcare communications. The possibilities are truly endless, but here are a few examples to spark some ideas:

  • Medical conditions: use information about patient medical conditions to send highly targeted communications about managing or preventing chronic conditions like depression, diabetes, and heart conditions.
  • Screening reminders: Remind patients when they are due for mammograms, colonoscopies, or other screenings that are ordered based on age or risk factors.
  • Patient retention and re-engagement: Did a patient skip their annual appointment or screening? Make it easy to reschedule by sending periodic reminders.
  • Insurance status: send relevant communications based on the patient’s insurance status. For example, letting healthcare marketplace insurance holders know about re-enrollment periods to ensure they don’t drop their coverage.

Personalization provides a customizable healthcare experience for patients that eliminates friction and barriers to care. Using personalization to create educational campaigns can also help improve health outcomes. See How to Use ePHI to Segment and Personalize Email Marketing Campaigns for more information.

HIPAA Considerations in Customizable Healthcare

One reason that healthcare has been slow to adopt personalization techniques is HIPAA. These guidelines protect sensitive medical information and govern how it can be used. To send personalized messages like the examples discussed above, HIPAA guidelines must be followed. Some of the core requirements for sending HIPAA-compliant emails include:

  • Encryption
  • Access Controls
  • Backups and Archival
  • Anti-Malware Defenses
  • Identity Authorization
  • Reporting Mechanisms
  • Review Procedures and Policies

See our HIPAA-Compliant Email Checklist for more information about the requirements.

LuxSci offers several solutions for sending HIPAA-compliant personalized messages. Contact us today to learn more about our Secure High Volume Email and Secure Marketing tools.

Tags: digital transformation, email marketing, ePHI, HIPAA email, patient engagement, patient experience, personalization, segmentation
Posted in HIPAA Marketing
Comments Off on Personalize Healthcare Communications to Improve the Patient Experience

Is Medical Billing Information Protected Under HIPAA?

Tuesday, August 9th, 2022

Electronic medical billing requires access to protected health information to accurately bill and receive payment for medical treatments. While not covered entities, medical billing companies are often contracted as business associates and fall under HIPAA regulations.

Title II of HIPAA applies directly to medical billing companies. It dictates the proper uses and disclosures of protected health information (PHI) and simplifies claims and billing processing.

electronic medical billing

What is Protected Health Information (PHI)?

Protected health information is “individually identifiable” health information. It specifically refers to three classes of data:

  1. An individual’s past, present, or future physical or mental health or condition.
  2. The past, present, or future provisioning of health care to an individual.
  3. The past, present, or future payment-related information for the provisioning of health care to an individual.

As listed in item three, payment-related information tied to healthcare provisioning is protected data under HIPAA. This can include information about insurance carriers and payments, billing statements, receipts, credit card numbers, bank accounts, and other financial information.

To be classified as PHI, payment-related information must be tied to an individual identifier. For example, a medical bill with a patient’s address can be tied back to a specific individual. These identifiers can sometimes be quite indirect. There are 18 types of identifiers for an individual (listed below). Any of one of these, combined with information on healthcare payments, would constitute PHI:

  • Name
  • Address (all geographic subdivisions smaller than a state, including street address, city, county, zip code)
  • All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
  • Telephone number
  • Fax number
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Any vehicle or other device serial number
  • Device identifiers or serial numbers
  • Web URL
  • Internet Protocol (IP) address numbers
  • Finger or voiceprints
  • Photographic images
  • Any other characteristic that could uniquely identify the individual

The Risks to Medical Billing Companies

It should be evident that medical billing companies work with a lot of PHI. As such, they must take steps to protect that information under HIPAA regulations.

Third-Party Risk

Many healthcare systems contract medical billing companies to process claims and bill patients and insurance companies. These companies can present significant risks to protected health information if not adequately vetted. All third-party companies that handle PHI on behalf of a covered entity must sign a business associate agreement. This document discusses how sensitive medical billing information will be stored, secured, and transmitted. It is also essential to ensure that the billing companies understand their obligations under the privacy and security rules and have implemented the proper physical, technical, administrative, and organizational standards. This can be verified via security audits and assessments.

Third parties like medical billing companies are often targets for cyberattacks. From 2020 to 2021, cyberattacks on business associates increased by 18%. The rich trove of financial and health data they have is often more comprehensive and less secure than a hospital’s electronic health records system. Unlike covered entities who frequently work under HIPAA regulations, third parties may not wholly understand it. As a result, they may fail to take the technical steps needed to secure sensitive data.

How to protect electronic medical billing information

Like many healthcare organizations, financial institutions are also undergoing digital transformation and are moving to digitize healthcare payment processes. Digitization is an effective way to reduce payment times and improve patient satisfaction. However, it also introduces risk. Digital systems that contain healthcare billing information must implement the proper safeguards, including:

  • Organizational requirements that describe how policies and procedures will be implemented and obligations concerning business associate contracts.
  • Administrative requirements related to how employees access PHI.
  • Physical safeguards that encompass the security of computer systems, servers, and networks, access to the facility and workstations, data backups and storage, and the destruction of obsolete data.
  • Technical safeguards that ensure the security of data transmitted over an open electronic network and the storage of that data.

Protecting Electronic Medical Billing Information In Databases

Digital billing information that is stored in electronic databases or online web portals must be secured in the following ways:

  • Using a secure and HIPAA-compliant web and database host.
  • Limiting access to only authorized users.
  • Requiring unique logins and complex passwords with multifactor authentication to access ePHI.
  • Encrypting the contents of the database so they cannot be accessed if there is a breach.
  • Making regular backups of the database and storing them independently of the main system.

Sending Healthcare Billing Notifications Digitally

Many people now prefer to receive electronic medical billing notifications via email. A survey of 3,000 US consumers found that 85% are already using e-billing, and 47.6% find it is faster to pay bills electronically. However, using email, text messaging, or other digital communication forms introduces new risks and requires remediation to protect ePHI in transmission. These safeguards include:

  • Encrypting messages in transit
  • Authenticating user identities and sending domains
  • Requiring unique user logins and complex passwords
  • Protecting against threats with anti-virus software, email filtering, and other malicious scanning tools.
  • Creating audit logs and reviewing them for suspicious activities.

Services like LuxSci’s Secure High Volume Email can integrate with existing systems to send automated encrypted billing notifications via API or SMTP.

Tags: email automation, email marketing, ePHI, high volume email, hipaa, hipaa compliance, hipaa-compliant email, medical billing, phi, Transactional email
Posted in Email, HIPAA Marketing
Comments Off on Is Medical Billing Information Protected Under HIPAA?

« Older Entries
Newer Entries »