" ePHI Archives - Page 7 of 10 - LuxSci

Posts Tagged ‘ePHI’

Secure & Compliant Remote Work

Thursday, April 16th, 2020

As a result of the pandemic, many businesses have closed their offices and have employees working from home, which is an excellent compromise for keeping operations ongoing and while keeping employees safe.

However, the shift to working from home is a big jump for many companies and their employees, mainly if an existing remote work policy isn’t in place. Organizations need to tread carefully because, with certain exceptions for the public health emergency, coronavirus doesn’t change their security and compliance obligations.

This is especially critical for organizations that process electronic protected health information (ePHI) and for employees that deal with valuable or sensitive data. If the appropriate precautions aren’t taken, companies could breach regulations like HIPAA or PCI DSS and face the significant penalties that come with violations. 

They may also have their sensitive data stolen by cybercriminals or leaked through negligence, which could lead to all kinds of problems, ranging from the theft of intellectual property to blackmail.

How Can Organizations Establish a Secure & Compliant Remote Work Policy

Even in these difficult times, a secure and compliant remote work policy needs to be designed carefully. It needs to meet company requirements and its employees, as well as any legal obligations and the needs of customers.

To address each of these needs, all of these stakeholders should be involved in the process. It’s critical to get legal advice and engage security experts to make sure that the policy and technical measures are adequate for your company’s unique circumstances.

A secure and compliant remote work policy should include:

  • Who is covered, when, and in which situations.
  • What are the organization’s responsibilities and obligations.
  • What are the employee’s responsibilities and obligations.
  • What hardware and software must be used, and in what configurations.
  • What security and privacy measures should be in place.
  • How reliability and availability will be ensured.

Companies may still have specific legal obligations for their remote workers, so a secure and compliant remote work policy needs to take these into account. For example, the company may still need to take measures to ensure that laws such as the Fair Labor Standards Act are followed and that employees are working in a safe environment. 

Once your company has developed its remote work policy, it should have each of its employees sign it so that they are aware of the expectations and committed to following them.

What Security Measures Do Companies Need as Part of Their Remote Work Policies?

The particular measures will vary from situation to situation, depending on a company’s setup, the regulations it is subject to, the data assets it has, as well as how it transmits and stores valuable or sensitive information.

Some measures for remote work, found in the HITRUST and other security guidelines, include:

  • All data should be encrypted when it is transmitted over public networks. FIPS-approved ciphers should be implemented in any of the security protocols used.
  • Wireless access points should be encrypted with AES WPA2 as a minimum security standard.
  • Emails and other digital messages should be protected from end-to-end and sensitive information should never be sent without encryption.
  • Faxes should only be used for protected information if more secure alternatives are not possible.
  • Employees should use VPNs to connect to corporate systems, and all traffic should flow through the VPN. Any access should be remotely logged and monitored. Unauthorized connections should be monitored and reviewed quarterly at a minimum, and appropriate actions should be taken after the review process.
  • Effective authorization systems need to be in place for privileged connections and access to sensitive business information. Remote administration sessions should have heightened security measures in place.
  • The authentication process for remote devices should include additional measures on top of passwords, such as the verification of IP or MAC addresses.
  • Employee use of portable storage devices should be strictly controlled, and the information should be encrypted. 
  • Any data transfers outside of controlled areas require approval, and the details need to be recorded. Cryptographic measures need to be in place to protect the integrity and confidentiality of data when it is transferred.
  • Sensitive or valuable data should not be available to unauthorized individuals or left unattended. This includes leaving the information out on desks, on printers, or viewable by others on computer monitors.
  • External services (such as new SaaS vendors) should not be used to store or transmit information without prior approval.
  • Controls and training should be in place if personal devices are allowed to be used in the workplace.

Solutions for Secure & Compliant Remote Work

In the wake of the rapid spread of coronavirus and the significant changes it has brought, many companies are scrambling to provide secure and compliant remote work solutions to their employees.

This poses a significant challenge because when new systems are implemented abruptly, it can easily lead to mistakes. If these errors involve data leaks or compliance violations, they can have substantial long-term consequences for businesses.

To minimize risk, the best option is to use well-established and specialized solutions like LuxSci’s many offerings. All of our products are designed to be secure and comply with various sets of regulations and optimize our users’ workflows.

These services include our secure and HIPAA-compliant email service, as well as tools like SecureText. The rise of coronavirus may have permanently changed work environments, but adopting LuxSci’s safe and carefully designed tools can help prevent further threats from harming your business in these difficult times.

What We Call “Quasi-HIPAA-Compliance”

Thursday, March 26th, 2020

Are your organization’s service providers HIPAA-compliant, or are they only quasi-HIPAA compliant?

What do we mean? 

Okay, we’ll be honest quasi-HIPAA compliant isn’t an accepted term yet but it should be.

When we talk about quasi-compliance, we’re referring to setups and services that look HIPAA-compliant and share some of the features; however, they may not be entirely in line with HIPAA requirements if you actually use them in the way that you want.

Quasi-HIPAA compliance is common, particularly in popular services. It can also be hazardous for businesses because quasi-HIPAA compliance can lead organizations into a false sense of security while they may be violating the regulations unwittingly.

Quasi HIPAA-Compliance

What Is Quasi-HIPAA Compliance?

The best way to explain the concept of quasi-HIPAA compliance is through example. A quasi-HIPAA compliant service could come from an email-hosting provider, web hosting provider, or an organization that offers a range of other solutions. 

If these providers are quasi-HIPAA compliant, they will include elements of HIPAA compliance. Still, the services may not be appropriately tailored to keep their clients within the lines of the regulations when used in various ways. A provider may be willing to sign a HIPAA business associates agreement (BAA) with your company, but its services may not include the appropriate protections for compliance.

As a good example: Google is willing to sign a BAA with customers using its Google Workspace service. However, Google does not actually provide HIPAA-compliant email encryption — so using Google Workspace email in a HIPAA context can immediately leave you in non-compliance and subject to breach. This is quasi-HIPAA compliance. You assume that by signing a BAA, you can use the services as you like and be “all set.” In truth, you need to understand what is allowed and what is not allowed. You need to either (a) avoid performing non-compliant actions or (b) add additional measures to fill those gaps.

Quasi-HIPAA compliance

Business Associates Agreements & Quasi-HIPAA Compliance

A BAA is essential for HIPAA compliance. Your company can’t be completely HIPAA-compliant if it uses the services of another entity without a BAA in place. It doesn’t matter if the entity’s services are technically HIPAA-compliant; you will fall afoul of the regulations unless a BAA exists between the two parties.

Even if you have a BAA with your provider, that alone may not be enough to keep your organization on the right side of HIPAA. The provider may not have the security measures your organization needs and instead have a carefully worded BAA that will leave you vulnerable.

Let’s say your email marketing service provider is a quasi-HIPAA compliant provider. It may not offer email encryption, or the necessary access control measures your organization needs to send ePHI and other sensitive information safely. The “HIPAA Compliance” may be limited only to data stored at rest on their servers. You may be stunned to learn that an email marketing company offering “HIPAA compliance” does not recommend sending any sensitive data over email

The BAA offered by a company may be carefully worded to say that the service is technically HIPAA-compliant, but only if you don’t use it to send ePHI. This is legal, and the provider isn’t necessarily doing anything wrong by offering such a service, as long as this is clearly stated in the agreement. Without understanding clearly what is actually “covered,” you leave yourself at risk.

The compliance and breach danger comes when organizations use quasi-HIPAA compliant services without completely understanding them. If they don’t take the time to do their research or thoroughly read the agreement, they could use the service in a way that isn’t covered under the BAA.

Doctor Video Conference

Dangers of Quasi-HIPAA Compliance

In our example, an organization might subscribe to a quasi-HIPAA compliant service and use it to send ePHI. Suppose ePHI isn’t allowed to be sent via email or text under the BAA, and it’s sent without encryption and other security measures in place. In that case, the messages will violate HIPAA regulations.

This is an easy trap to fall into for several significant reasons. 

  1. BAAs can be complex and need to be studied carefully. 
  2. People make assumptions about what is covered by an organization’s “HIPAA compliance.”
  3. It’s very easy to send ePHI in an email accidentally. The definition of ePHI is broad, so employees can include ePHI in messages without even realizing it.

Even if your organization specifies that ePHI shouldn’t be sent through a particular service, all it takes is one mistake, and your company will have a costly HIPAA violation on its hands. Suppose your organization does use an email marketing service that’s only quasi-HIPAA compliant. In that case, the restrictions on ePHI will prevent your organization from being able to market effectively and communicate appropriately with its clients.

How Your Organization Can Avoid Quasi-HIPAA Compliance

The most important way to protect your organization is to do your research beforehand and ensure that any prospective provider will cover your intended uses. This means that you need to read through their BAAs to ensure that they align with your business’s requirements.

To save you some time, services like Google Workspace and the vast majority of email marketing services can be seen as quasi-HIPAA compliant. Only providers that specialize in HIPAA-compliant services will be able to deliver the solutions that healthcare organizations and those that process ePHI require.

If your company needs proper HIPAA compliance, then a provider like LuxSci is the best way to stay on the ride side of the regulations. We have been providing HIPAA-compliant secure email since 2005. Not only are our solutions tailored to abide by HIPAA, but we have also developed the services you need to conduct essential business tasks.

We provide HIPAA-compliant bulk email solutions for clients that need to send at scale. These services are set up over our secure infrastructure, and we provide dedicated servers for clients.

LuxSci focuses on both compliance and ease of use, so we have developed secure email hosting, email marketing, and transactional email solutions among our offerings. Our services help your organization comfortably market itself and conduct business while staying in line with HIPAA compliance.

LuxSci Pursuing HITRUST Certification

Thursday, January 30th, 2020

Update: As of June 7th, 2020, LuxSci’s services are HITRUST CSF certified for HIPAA, GDPR, and Massachusetts Privacy Law.  See: Announcement of HITRUST CSF Certification.

LuxSci is working toward its HITRUST certification as part of our constant efforts to meet the highest levels of security and compliance. The threat landscape and regulatory environment are ever-evolving, and LuxSci is on track to be HITRUST CSF Level 3 certified (for HIPAA and GDPR, among other things) by the third quarter of 2020.

While LuxSci already follows the best practices in a variety of areas, the HITRUST certification is an industry-standard, ongoing, evolving, independent third-party review that shows just how committed we are to providing secure and compliant solutions and which enables anyone to really trust that LuxSci is doing all the right things.

HITRUST is an association that was formerly known as the Health Information Trust Alliance. A group of organizations came together in 2007 to develop the HITRUST Common Security Framework (CSF). The HITRUST CSF includes elements of a variety of different standards such as:

  • HIPAA
  • ISO/IEC 27000-series
  • NIST 800-53
  • PCI-DSS

How Does the HITRUST Certification Help?

By establishing a framework that encompasses many other important sets of regulations, the HITRUST certification makes it easier to provably meet all of the different requirements in a streamlined manner.

The framework is especially critical for organizations in the healthcare field and those that process electronic protected health information (ePHI), but it is also useful for security and compliance in other situations, such as GDPR.

The HITRUST certification is beneficial for any organization that deals with sensitive, valuable or highly regulated data, whether it creates it, transfers it, or processes it in any other way.  This is because the HITRUST CSF certification not only makes it easier to manage risk and compliance, but it also demonstrates to other parties that these critical areas are being properly taken care of.

All of LuxSci’s central services fall within the HITRUST umbrella and will be HITRUST certified. These services include:

  • Secure email hosting
  • Secure email marketing
  • Secure high volume email sending
  • Secure web site hosting
  • Secure form processing

Once LuxSci finishes the HITRUST certification process, its clients can be even more confident that they have chosen a provider that places security first and that LuxSci is committed to staying on top of all of the HIPAA security requirements.  

HITRUST is not a “one and done” process, it is a process that requires yearly refinements, yearly third party reviews, and yearly recertification.

A HITRUST certification proves both that you have all of the needed policies and procedures for compliance (hundreds of them) and that you have properly implemented and are following these policies and procedures.  HITRUST requires organizations to actively prove they are doing the right thing.  It’s not simple. It takes a lot of work and attention and buy in from all levels of an organization.  This is what makes HITRUST so valuable.

LuxSci’s Existing Certifications

LuxSci is 100 percent HIPAA-compliant and undergoes yearly internal and external HIPAA audits, penetration tests, and other internal and external reviews to ensure it continues to go above and beyond the regulations.

On top of this LuxSci maintains a TRUSTe Privacy Certification.  This is a yearly third-party review of LuxSci’s privacy policies and procedures (kind of like a mini-HITRUST for privacy) to ensure that our privacy policies meet industry best practices.  This certification enables LuxSci to keep our US-EU Privacy Shield status.

These certifications ensure that your business can be confident in LuxSci’s services. They let you know that one of the most trusted service providers in the industry is guiding your organization through the security and compliance minefield.

The HITRUST certification is simply another step in our constant effort to ensure that we provide the highest degree of security and compliance in all of LuxSci’s services.

What Level of SSL or TLS is Required for HIPAA Compliance?

Thursday, January 2nd, 2020

SSL and TLS are not monolithic encryption entities that you use or do not use to securely connect to email servers, websites, and other systems. SSL and TLS are evolving protocols with many nuances to how they may be configured. The “version” of the protocol and the ciphers used directly impact the level of security achievable through your connections.

Some people use the terms SSL and TLS interchangeably, but TLS (version 1.0 and beyond) is the successor of SSL (version 3.0). See SSL versus TLS – what is the difference? In 2014 we saw that SSL v3 was very weak and should not be used going forward by anyone; TLS v1.0 or higher must be used.

Among the many configuration nuances of TLS, the protocol versions supported (e.g., 1.0, 1.1, 1.2, and 1.3) and which “ciphers” are permitted significantly impact security. A “cipher” specifies the encryption algorithm, the secure hashing (message fingerprinting / authentication) algorithm to be used, and other related things such as how encryption keys are negotiated. Some ciphers that have long been used, such as RC4, have weakened over time and should never be used in secure environments. Other ciphers protect against people who record a secure conversation from being able to decrypt it in the future if somehow the server’s private keys are compromised (perfect forward secrecy).

Given the many choices of ciphers and TLS protocol versions, people are often at a loss as to what is specifically needed for HIPAA compliance. Simply “turning on TLS” without configuring it appropriately is likely to leave your transmission encryption non-compliant.

Read the rest of this post »

Do Healthcare Marketing Emails Have to Be HIPAA-Compliant?

Friday, July 26th, 2019

Healthcare is a competitive business! A well-thought-out marketing strategy can help you outshine your competition, but providers must keep compliance in mind when considering email marketing for healthcare.

Many organizations have substantial email lists of their clients and wonder how they can utilize them to increase patient engagement. Marketing professionals may strongly suggest email communications, but it is essential to understand the HIPAA restrictions around email marketing for healthcare before starting a campaign.

So, do healthcare marketing emails have to be HIPAA-compliant? It’s an important question to ask and one that’s not precisely clear-cut because the answer is dependent on the context.

Does the Marketing Email Contain Protected Health Information?

Email marketing for healthcare is subject to HIPAA regulations if the emails contain “protected health information” that is “individually identifiable.” The term “protected health information” refers to any data relating to a person’s health, treatment, or payment information, whether in the past, present, or future.

Under this definition, some examples of PHI may include:

Is the Information Individually Identifiable?

If information is individually identifiable, it can somehow be linked to the individual. There is a long list of identifiers that include:

  • Names
  • Addresses
  • Birthdays
  • Contact details (like email addresses)
  • Insurance details
  • Biometrics

The final entry in the official list of possible identifiers is “Any other characteristic that could uniquely identify the individual,” so this concept is all-encompassing.

Do Your Marketing Emails Need to Comply?

If both conditions are met, then the email needs to be sent in a HIPAA-compliant manner. If it doesn’t, your organization may be safe. Before you rush to start an email campaign, you need to be careful. The edges of HIPAA can be blurry, and it is best to proceed cautiously.

Let’s take this example. A clinic comes across a study that recommends new dietary supplementation for expectant mothers. It decides that it could use this information not just to help mothers-to-be but also to bring in new business. The clinic then sends out an email to all expectant mothers with details from the new study, asking them to make an appointment if they have any further questions.

Everything should be above board, right? Well, maybe not. Because the email was only sent to expectant mothers, it infers that everyone in the group is an expectant mother, which means that it could be considered protected health information. Each email address is also considered individually identifiable information.

With both of these characteristics in place, it’s easy to see how this kind of email could violate HIPAA regulations. If the email had been sent to every member of the clinic, then it might not be viewed as violating HIPAA. This approach wouldn’t single out the women who were pregnant (though it might single you out as a former patient of that clinic and could also imply things about past/present/future medical treatments). It might seem unlikely, but these situations occur all the time. 

Even if most of your organization’s emails don’t include PHI, sending them in a HIPAA-compliant manner is wise. It is easy to make a mistake and accidentally include ePHI in a marketing email. When you consider the high penalties of these violations, ensuring that all of your emails are sent securely is a worthwhile investment.

How Can You Make Email Marketing for Healthcare HIPAA-Compliant?

If your healthcare organization sends out marketing emails, it is crucial to ensure that they are sent in a HIPAA-compliant manner. The best approach is to use an email marketing platform designed specifically for health care, such as LuxSci’s HIPAA-Compliant Secure Marketing platform.

Your organization must sign a HIPAA Business Associate Agreement with any service provider you work with. Using the appropriate encryption, access controls, and other security mechanisms is essential to protect ePHI. Be sure to vet your email provider thoroughly, and remember signing a BAA is not enough to ensure compliance.