" ePHI Archives - Page 6 of 10 - LuxSci

Posts Tagged ‘ePHI’

HIPAA-Compliant Web Sites: Requirements and Best Practices

Tuesday, March 23rd, 2021

It is not easy to create a HIPAA-compliant web site and webmasters often ask us for clarification on best practices when it comes to HIPAA compliance.

We have previously discussed what makes a web page secure and also what makes a web site HIPAA-compliant, but it seems that an explainer on what you should and should not do with web sites in shared and dedicated environments would be useful to many.

hipaa compliant web site

Read the rest of this post »

What Are Your Goals for Sending HIPAA-Compliant Emails?

Wednesday, October 7th, 2020

…and how Do They Influence Which Provider You Choose?

So, you’ve heard that you need to send HIPAA-compliant emails. Maybe your company is only just starting to send ePHI in its messages. Perhaps it just wants to be extra careful, and limit the potential repercussions if ePHI is accidentally sent in an email. It could have even been skirting HIPAA regulations all along, and has suddenly realized the error of its ways.

Whatever led you up to this point, you are doing the right thing by looking for a HIPAA-compliant email provider. But the regulations and the services that have been developed to abide by them can be complex, so it’s important to do your research and carefully think through your decision.

hipaa compliant email sending

Secure email sending

On top of making sure that a potential service meets your compliance and security needs, you also need to consider the goals of your HIPAA-compliant email sending. Obviously, we can’t tell you what your goals are, but we can give you some suggestions that will help you refine them.

Are You Intending to Send ePHI, or Do You Just Want a HIPAA-Compliant Service to Be Careful?

Some organizations may want to directly email ePHI to their patients, so they need to focus on how they can do this effectively, while keeping both their patients and their businesses safe. For example, a doctor’s clinic may want to offer to send out test results via email.

Due to the high risk of exposing this information, it will probably want to opt-out encryption, rather than opt-in. Measures like this can significantly reduce the chances of accidentally sending out unprotected ePHI.

In contrast, other companies may only want to send ePHI on rare occasions, so they may find opt-in encryption more convenient. The point is that every organization has its own set of requirements, and they need to find a suitable email service for their individual circumstances.

Some will want a service that is tightly locked down to limit their risks, while others May have a high risk tolerance.

Do You Plan on Using It as Your Everyday Email Service, or for High Volume Messaging?

If you just want a HIPAA-compliant email service for everyday use, something like LuxSci’s Secure Email is a great option. Alternatively, if your main goal is to send out emails in bulk, you will need something like our Secure High Volume Sending.

Do You Want to Send Transactional Messages, Marketing Emails, or Both?

As obvious as it seems, marketing emails are messages that are mainly sent out for marketing purposes. These include newsletters and product updates. On the other hand, transactional emails are those that are essential for customer interactions with the company. Many different things qualify as transactional emails, from onboarding messages, to password resets, to receipts, and much more.

Savvy companies don’t just see transactional emails as a bland part of conducting business. Instead, they use them as opportunities to add in a little marketing for their products, services, or simply overall brand awareness.

Before you make your decision on an email platform, you should consider how you want to use the service, and which solutions cater best to those needs.

Do You Have an In-House Graphic Designer, or Do You Need Intuitive & Professional-Looking Templates?

If your company has its own graphic designer, or the budget to outsource it, then it may not need beautiful email templates. Not every organization has those resources on hand, and many just want something that looks good without having to put in a lot of effort. Your company’s current setup and goals will influence whether you look for a HIPAA-compliant email provider that offers these ready-made templates.

Do You Need Analytics that Help You Measure the Effectiveness of Your Campaigns?

If your goal is to have the most effective campaign possible, then you need to measure everything. Of course, this is only possible with a marketing service that has a comprehensive analytics platform. LuxSci’s Secure Marketing solution offers A/B testing, which allows you to compare two different approaches to see which is best.

It also features a range of reports that tell you who opened emails, what they clicked on, the bounce rate, whether messages were marked as spam, and much more. If you need this type of in-depth knowledge in your email campaigns, it will be an important factor in which email service you ultimately end up choosing.

LuxSci’s HIPAA-compliant email services aim to combine the functional features you need for high performance, alongside the security mechanisms required to stay within the regulations. Together, these provide adaptable services for those in the healthcare sector and for other businesses that deal with ePHI.

When Should You Send ePHI in Your Marketing Emails?

Monday, July 20th, 2020

secure marketing email from LuxSci

If you operate in the healthcare sector, you should always be wary of your organization’s electronic protected health information (ePHI). One of the most complicated situations involves email marketing, because carelessly sent messages can easily lead to HIPAA violations and their costly ramifications.

Because of this danger, you should only send ePHI in your marketing messages under certain conditions:

When Using a HIPAA-compliant Email Marketing Service

If you want to send ePHI in your marketing emails, you will need a HIPAA-compliant marketing service. If you send ePHI through Mailchimp or its equivalents, the messages won’t be encrypted or compliant with the regulations.

Because email is so inherently insecure by nature, using a normal email marketing service makes it easy for hackers to access ePHI in messages. They can intercept the messages, then use the data to commit a range of crimes.

The result? Sending ePHI over one of these services can lead to your organization violating the privacy of everyone whose sensitive data was sent. Not only is this a shocking breach of their rights, but it leaves you open to damages from fraud, extortion and other crimes.

Each instance/email also counts as a HIPAA violation for your company. These can result in huge fines, disruption to business, harm to your company’s reputation and even jail time in the most egregious offenses.

Unless your company is hellbent on its own destruction, it must use a HIPAA-compliant email marketing service when sending ePHI in its messages.

The Features of a HIPAA-compliant Email Marketing Service

If you need to send ePHI in your marketing emails, LuxSci’s HIPAA-compliant Secure Marketing tool is the perfect fit. It combines a state-of-the-art marketing interface with all of the necessary HIPAA-compliant measures to safely send ePHI.

With easy-to-use and beautiful design templates, A/B testing, analytics tools and everything else you need to run a successful marketing campaign, Secure Marketing is an excellent solution for organizations in the health industry.

Protect Your ePHI with Opt-out Encryption

If you plan to regularly send ePHI, make sure you use the opt-out encryption feature in our HIPAA-compliant Secure Marketing service. When you use the opt-out feature to set up encryption by default, then the worst case scenario is that someone sends a message that’s needlessly encrypted. Sure, it might be a little more difficult for the recipient to access, or you might have to send through an unencrypted version as well, but no major damage is done.

Now, compare this to the opposite scenario. Let’s say that one of your staff members creates an email that includes ePHI – perhaps it’s some test results from a patient’s latest psychiatric evaluation. In a moment of forgetfulness, the employee forgets to encrypt the message before they send it.

If it hasn’t been encrypted, then the patient’s family members could read it on an unlocked device. Hackers could also intercept it and blackmail the person, or use the sensitive data for identity theft and other types of fraud.

The point is that such a simple mistake can easily become a HIPAA violation, something that could have disastrous effects for the individual, as well as the company responsible. It’s pretty clear that this outcome is far worse than sending a needlessly encrypted message.

When Should You Avoid Sending ePHI in Marketing Emails?

You shouldn’t send ePHI in any situation where there isn’t a serious benefit to your patients or your company. Even though ePHI can certainly be secured with tools like LuxSci’s Secure Marketing, why bother sending out such sensitive data for no major gain?

Of course, it goes without saying that you should also avoid sending ePHI in your marketing emails if you don’t have the appropriate HIPAA-compliant tools. If you really need to send ePHI in your messages, subscribe to a suitable service that gives you the business advantages of email marketing campaigns, without having to constantly worry about violations.

CEO Erik Kangas Featured on Total HIPAA Podcasts

Thursday, July 16th, 2020

 

 

Erik recently sat down with our friends at Total HIPAA to discuss a variety of HIPAA topics, including:

The first of the 2-part conversation can be heard here or on a mobile device via Apple Podcasts.

 

 

Is Skype HIPAA Compliant? If not, what is?

Saturday, May 9th, 2020

In recent times we have seen a huge push toward telehealth, so many are wondering, “Is Skype HIPAA compliant?” While Skype is a practical tool that many people have access to, it’s important to consider any regulatory obligations you need to meet before you use it.

If your business collects, stores, transmits or processes electronic protected health information (ePHI), then it is subject to HIPAA regulations. Organizations that process ePHI on behalf of other parties also need to stick within the rules, otherwise they may face heavy fines.

Regardless of whether your organization provides health services through video or it uses video platforms to process ePHI in any other way, it needs to make sure it is using software that abides by the regulations.

Wondering, “Is Skype HIPAA compliant?” is a good starting point, but there are several things to consider before you commit to a video conferencing service.

Do You Need a BAA to Make Skype HIPAA Compliant?

A business associates agreement (BAA) is a contract between your organization and any others that process its data. In essence, these agreements outline how ePHI will be used, what control measures will be in place, and where the responsibilities lie between the two parties.

BAAs are absolutely necessary for HIPAA compliance. Even if your organization and its partner share ePHI with every control and security mechanism imaginable, as well as following all other aspects of the regulations, it would still be violating HIPAA if a signed BAA was not in place.

If your organization is going to be sharing ePHI over a video service, then it needs to be HIPAA-compliant.* However, the only way that it can be HIPAA compliant is if a BAA is in place.

Is Only the Business Version of Skype HIPAA Compliant?

Skype comes in several different versions, but the basic, consumer oriented one is not HIPAA compliant. The only type that offers BAAs and which could be made HIPAA compliant is Skype for Business, which is one of Microsoft Office’s business communication tools.  Note that “Skype for Business” is a completely different service than consumer Skype. 

However, it’s also worth noting that Skype for Business is currently being phased out in favor of Microsoft Teams. If you don’t already have a supported version of Skype for Business, you should look for HIPAA-compliant alternatives instead. Support for Skype for Business Online ends in 2021, while support for Skype for Business Server will be extended until 2025.

With this in mind, it’s probably not worthwhile pursuing any version of Skype for HIPAA compliance. If you use the basic version of Skype, you will be violating the regulations, and even if you can get Microsoft to sign a Skype for Business BAA, you may have to switch your software in 2021 anyway.

HIPAA-Compliant Alternatives to Skype

Considering that Skype for Business doesn’t have much time left and that it is not even the same as “regular Skype,” your organization will be better off finding a HIPAA-compliant alternative. One option is LuxSci’s SecureVideo, which was designed specifically to make it easy to stay within the regulations.

SecureVideo was developed from the ground up with HIPAA compliance in mind, ensuring that it became a practical video calling service that made security and compliance simple. The Zoom for Healthcare-based platform is great for telemedicine and other forms of sharing ePHI.

SecureVideo includes handy features like screen-sharing, file-sharing, and virtual clinics, with a capacity of up to 100 participants. This makes LuxSci’s SecureVideo a convenient and compliant alternative to Skype.

 

* During the Covid-19 pandemic, HHS has waived responsibility for breaches through non-compliant video conferencing services, like Skype. So, while Skype may not be compliant, it is OK to use during the pandemic. However, as the pandemic subsides and this waiver is lifted, you should have transitioned to a service that is actually HIPAA compliant.