hipaa compliance Archives - Page 6 of 10 - LuxSci

Posts Tagged ‘hipaa compliance’

HIPAA Compliance for Mobile Apps

Tuesday, November 9th, 2021

Many people rely on mobile devices to access the Internet, and apps are a convenient way to deliver online services. The health industry has also turned to mobile apps to provide health care services on the go.

In some industries, developing apps may be relatively straightforward. However, those that deal with PHI need to understand the HIPAA compliance requirements for mobile apps. If your company’s app isn’t HIPAA compliant, it could result in heavy fines or a data breach, which could seriously harm your business’s finances and its reputation.

To develop a HIPAA-compliant app, privacy and security need to be considered from the start.


What Exactly Is an App?

Before we get too deep into HIPAA compliance, we should take a step back and clarify what an application is. Most people use them every day, but not everyone will know how they differ from other kinds of software.

At its highest level, an app is a software program that is designed to help users perform activities. This contrasts with system software, such as an operating system, which generally works in the background.

The three main types are web apps, desktop apps and mobile apps. Web apps run in your browser (your webmail or Google Translate, for example). Desktop apps tend to be full-featured, while mobile apps are stripped-back versions that focus on making the most of the tablet or smartphone experience. There are also hybrid apps that embed mobile websites inside a native app.

While Microsoft Word and the alarm clock on your phone are both apps, people will often be referring to mobile apps when they use the term.

Does My App Need to Be HIPAA-Compliant?

Health and wellness apps have become more sophisticated and are often recommended by medical practitioners to help patients manage medical conditions. However, not every app is required to meet HIPAA regulations. To determine whether an app should be HIPAA-compliant, consider whether your business practices make you a covered entity or a business associate of an entity.

Another complex aspect is understanding what actually counts as PHI. PHI is identifiable information that includes medical test results, prescriptions, billing details and insurance, among an array of other things. Weight loss data, calories burned, heart rate and other similar readings are not normally considered PHI unless they are attached to identifiable information.

If your business processes PHI as a covered entity or a business associate, you are subject to HIPAA regulations. If your company offers services directly to customers that are unrelated to their healthcare provider or insurance, it is unlikely to be covered by HIPAA.

This is why apps like MyFitnessPal are exempt from the regulations: they don’t process PHI, nor do they conduct their business through healthcare providers. Conversely, an app from your health plan that stores your healthcare records would be regulated under HIPAA. Similarly, email, chat, texting, and video conferencing apps that may be used by healthcare providers to communicate with their patients would also need to be HIPAA-compliant.

If you do not secure PHI properly, you could be subjected to financial penalties. The FTC recently announced it will begin enforcing the Health Breach Notification Rule for health apps. The rule requires entities to deliver breach notices to customers by first class mail no later than 60 calendar days after discovering a breach. Companies must also notify the FTC and in some cases, the media. Companies can face penalties up to $43,000 per violation per day for noncompliance.

HIPAA Compliance for Mobile Apps

If your company has an app that falls under HIPAA regulations, you will need to put serious consideration into its privacy and security measures. It is best to keep HIPAA in mind from the earliest planning stages to ensure that the app is compliant and to reduce the chance of penalties or any significant breaches. App security starts with corporate compliance; your company and your developers need to do all of the things necessary for compliance (see HIPAA Compliance Checklist), including training, risk assessments, etc.

From the app design stage forward, you should limit the use and sharing of PHI in your App to the minimum that is necessary to complete the task. If your data is processed by any outside entities, you will also need to sign a business associate agreement (BAA) with them to ensure that they are complying with the regulations as well.

You should also understand the additional risks that come with processing PHI on devices. Smartphones and tablets can easily be lost or stolen and they have a range of features that bring new security challenges.

Developing an app brings up a different set of complications when compared to SaaS (software-as-a-service, i.e. using web-based applications), because apps generally store data locally and need access control measures in place to ensure that the data is secure. Because of this, it is best to go above and beyond HIPAA regulations to safeguard your customer data.

Control Access to Protect PHI

Access control is critical for apps that process PHI. Mobile devices have a high risk of being stolen or accessed by unauthorized entities. With the right access control measures in place, the risk of anyone being able to view sensitive patient data is minimized.

First, ensure that your app can only be accessed with a unique user ID. To authenticate, a user also needs to prove who they are: require a strong password or biometric data (such as a fingerprint) to log in.

If PHI is going to be available in an app, automatic logoff is important for preventing unauthorized access. People often keep their apps logged in and leave their devices unattended. Without automatic logoff after a set period of time, the user’s PHI becomes more vulnerable to unauthorized access. Many apps neglect auto-logoff and keep users logged in indefinitely, relying instead on the device’s own login and logoff functionality. This may be sufficient to pass your HIPAA risk assessments; however, it is far more secure (though far more annoying) to institute app-level login and logoff requirements. Perhaps the pervasiveness of biometrics will remove the annoyance factor of requiring authentication to gain access on demand.

We highly recommend that app developers institute auto-lockout after a short period of inactivity and use fingerprints or other means to resume access. Several access failures should cause your app to back off and require the full regular password to re-authenticate. This mitigates the weaker nature of a fingerprint or PIN for access resumption.
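As an added example (not LuxSci code or any real app’s implementation), here is an app-level session guard that enforces the policy just described: lock after inactivity, allow a quick resume with a fingerprint or PIN, and require the full password after repeated quick-resume failures. The timeouts, the attempt limit, the eight-hour absolute session cap and the demo credentials are all assumptions.

```python
import hmac
from dataclasses import dataclass

INACTIVITY_SECONDS = 120  # assumed policy: auto-lock after two idle minutes
MAX_QUICK_FAILURES = 3  # assumed policy: three bad PIN/biometric tries, then password
ABSOLUTE_SESSION_SECONDS = 8 * 3600  # assumed policy: full re-login after eight hours

@dataclass
class PhiSession:
    user_id: str
    login_at: float
    last_activity: float
    locked: bool = False
    quick_failures: int = 0
    require_full_auth: bool = False

class SessionGuard:
    """Gate every PHI read through touch(); resume()/reauthenticate() unlock."""

    def __init__(self, verify_password, verify_quick_secret):
        # App-supplied checks: a password store and the device's biometric/PIN prompt.
        self._verify_password = verify_password
        self._verify_quick = verify_quick_secret

    def login(self, user_id, password, now):
        if not self._verify_password(user_id, password):
            return None
        return PhiSession(user_id=user_id, login_at=now, last_activity=now)

    def touch(self, session, now):
        """Call before showing PHI; returns False (and locks) when the session may not continue."""
        if session.locked:
            return False
        if now - session.login_at >= ABSOLUTE_SESSION_SECONDS:
            session.locked, session.require_full_auth = True, True
            return False
        if now - session.last_activity >= INACTIVITY_SECONDS:
            session.locked = True
            return False
        session.last_activity = now
        return True

    def resume(self, session, quick_secret, now):
        """Quick unlock with a fingerprint or PIN; repeated failures escalate to the full password."""
        if not session.locked or session.require_full_auth:
            return False
        if self._verify_quick(session.user_id, quick_secret):
            session.locked, session.quick_failures, session.last_activity = False, 0, now
            return True
        session.quick_failures += 1
        if session.quick_failures >= MAX_QUICK_FAILURES:
            session.require_full_auth = True
        return False

    def reauthenticate(self, session, password, now):
        """Full password unlock; resets the back-off counters and the session clock."""
        if not self._verify_password(session.user_id, password):
            return False
        session.locked, session.require_full_auth, session.quick_failures = False, False, 0
        session.login_at = session.last_activity = now
        return True

# Constructed demo credentials; a real app checks a salted password hash and
# lets the OS verify the biometric rather than handling a raw secret.
_DEMO_PASSWORDS = {"nurse01": "correct horse battery"}
_DEMO_PINS = {"nurse01": "4911"}

def demo():
    """Walk the lock, back-off and unlock path; returns the outcome of each step."""
    guard = SessionGuard(
        lambda u, p: hmac.compare_digest(_DEMO_PASSWORDS.get(u, ""), p),
        lambda u, q: hmac.compare_digest(_DEMO_PINS.get(u, ""), q))
    s = guard.login("nurse01", "correct horse battery", now=0)
    return {
        "read_while_active": guard.touch(s, now=30),
        "read_after_idle": guard.touch(s, now=230),  # 200 s idle: locked
        "bad_pins": [guard.resume(s, "0000", now=t) for t in (240, 241, 242)],
        "good_pin_after_backoff": guard.resume(s, "4911", now=243),  # refused: password required
        "password_unlock": guard.reauthenticate(s, "correct horse battery", now=244),
        "read_after_unlock": guard.touch(s, now=245),
    }
```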

Encrypt App Data

Encryption is another key aspect of preventing PHI from being exposed. Data should be encrypted at all times except when it is in use. This prevents anyone who may be listening in from accessing the data. Instead of being able to view the PHI, all they will see is ciphertext. Data encryption can safeguard PHI from other running apps and from attackers who may be trying to break into a device’s hard drive. Relying on a device’s disk encryption provides a basic layer of safety, but it does not protect data against other malicious running apps.

Auditing to Monitor Access

Any HIPAA-compliant app should have mechanisms in place to monitor and log access to PHI. These logs help detect any unauthorized access in the event of a breach.

HIPAA-Compliant Web Hosting

Apps are often just the front-end interface of a company’s website. To protect data on the back-end, host the website with a HIPAA-compliant provider. Your company needs to sign a business associate agreement with the provider to ensure that they are safeguarding PHI. LuxSci offers HIPAA-compliant hosting and we even have a free eBook that goes through the subject in more depth.

Keep Your App Updated

The threat landscape is constantly changing. Update your app whenever new vulnerabilities are discovered to protect patient data. Outdated apps are easy targets for hackers, so it is essential to patch regularly.

Be Careful with Push Notifications

Push notifications are visible even when a screen is locked. Do NOT include PHI in these notifications. If someone else sees a push notification that contains PHI, it could be considered an unauthorized access violation. This unauthorized disclosure could result in fines for your organization.

Mobile Apps Are Easy to Use, but Are They Secure?

Many healthcare organizations are seeing the value in developing apps for their patients because of their simple nature and ubiquity. While apps can certainly be useful, companies need to tread carefully and consider HIPAA regulations from the start.

Devices and apps introduce a range of security and privacy issues. It is exceedingly important that adequate measures are taken to guard the PHI of users. If neglected, your organization could face significant penalties or a serious breach. When developing a mobile application, consider your security and compliance requirements from the start.

Online Reviews and HIPAA Compliance

Tuesday, September 28th, 2021

Online reviews are critical for success in our modern business world. Many of us turn to online reviews when searching for a new health provider, but HIPAA compliance issues complicate how providers can use online reviews.

Savvy health care marketers want to use online reviews to attract new patients. But how can they do so while also protecting sensitive data and complying with HIPAA?


Online Reviews and Medical Marketing

Online reviews are extremely popular and are often consulted by patients looking for new providers. Google, Yelp, and Facebook are just a few of the most common review websites that people visit. Skilled digital marketers in every industry recognize the power of a positive review and want to incorporate online reviews and testimonials into their marketing strategies. How many times have you been contacted and asked to leave a review after visiting a restaurant, supermarket, or retail store?

However, when it comes to the health care industry, it’s not as simple as sending off an automated email or survey. Health care marketers need to keep HIPAA compliance in mind when crafting their review campaigns.

The HIPAA Compliance Issues Involved In Asking For Online Reviews

A traditional email campaign to request a review is quite simple. The sender creates a message that says something like “Thanks for visiting Dr. Smith’s office today. We hope you had a positive experience and we would appreciate your feedback. Please click here to leave a review on Google.” You may not realize it, but this simple ask is more complicated than it seems from a HIPAA compliance perspective. Why? Because even the most seemingly mundane details constitute electronic protected health information (ePHI).

ePHI is defined as “individually identifiable health information” relating to:

  • An individual’s past, present or future physical or mental health or condition,
  • The provision of health care to the individual, or
  • The past, present, or future payment for the provision of health care to the individual.

A patient’s name and even their email address are considered individually identifiable information, while asking for a review of their appointment clearly relates to the “…provision of health care to the individual.”

Most messages that ask for an online review include ePHI and must be protected. If this information isn’t adequately secured, the message will be sent in violation of HIPAA. These violations can result in significant penalties for your organization.

How Can You Ask For Patient Reviews And Maintain HIPAA Compliance?

Is it possible for healthcare marketers to solicit patient reviews via email? Keeping the message content as generic as possible may help you avoid a violation. However, when it comes to HIPAA and patient security, we always recommend stepping up your game.

Sending normal emails or text messages is risky, but a HIPAA-compliant email solution allows you to circumvent this problem. Services like LuxSci’s Secure Marketing and Secure High Volume Email are designed with HIPAA compliance in mind. They have the appropriate protections (including message encryption) in place to keep ePHI secure.

Using these services allows you to ask patients for online reviews, all in a HIPAA-compliant manner. Not only will this help your company get more positive online reviews, but LuxSci’s solutions allow you to automate the whole process. You can set up the systems to automatically email patients after they have an appointment, making it simple for your company to boost its online reputation.

How To Respond To Online Reviews While Maintaining HIPAA Compliance

Most marketers know that it is a good practice to respond to patient reviews, whether they are positive or negative. However, public correspondence regarding patient appointments can be a nightmare when it comes to HIPAA compliance.

Even acknowledging that a patient had an appointment with your organization can be a HIPAA violation, because it combines details of their health care with individually identifiable information in a public forum.

This means that even if a patient publicly writes about their medical conditions or treatments, you can’t acknowledge them. Messages like “Thanks so much! We’re glad Dr. Smith was able to stitch you up.” or “We’re sorry to hear you had a bad experience refilling your anti-depressant prescription. How can we fix the situation?” are off-limits.

It’s counter to how most marketers would like to reply, but for compliance reasons you cannot acknowledge their visit or the specifics. A HIPAA-compliant message could be something like* “We really appreciate your review.” It may seem impersonal, but the law is the law, and you face huge fines if you disobey it.

(*Please note that this is not intended as legal advice. You should consult a lawyer if you have questions about online reviews and compliance.)

Responding To Online Reviews In A HIPAA-Compliant Manner

There are many situations where you may want to give a more sincere reply than the example above, especially if a patient had a negative experience. If the review is not anonymous, we recommend having a staff member reach out privately.

It’s best to see these as opportunities to listen to your patients and try to rectify the situation. By taking the right approach, you can turn a negative review into a positive experience.

However, you can’t have a detailed discussion about the online review on the website while still maintaining your HIPAA compliance. This means that you need a way to reach out to your patients without violating the regulations. LuxSci’s Secure Email is perfect for these kinds of situations, because it is designed from the ground up to be HIPAA-compliant. You can email your patients to discuss the situation without worrying about exposing their ePHI and violating the law.

Contact LuxSci now to find out how you can use our services to reach out to your patients and collect reviews that drive new business.

When Should You Use An Email Encryption Gateway?

Tuesday, September 14th, 2021

An email encryption gateway is a great way to protect sensitive emails for HIPAA compliance. You probably know just how important encryption is for sensitive data, as well as information that is protected by law, like ePHI. However, embracing these protections can sometimes be challenging. Gateways that rely on opt-in encryption put your company at risk, because employees may forget to encrypt protected health information.

Email encryption gateways like LuxSci’s Secure Connector automatically encrypt all outgoing emails, drastically reducing the risk of breaches caused by human errors.


What Is An Email Encryption Gateway?

By default, email is incredibly insecure. Protecting it requires additional effort, and it is easy for employees to make mistakes. The main purpose of an email encryption gateway is to encrypt outgoing emails. Some common ways to trigger encryption are:

  • by using keyword prompts
  • pushing a button or switch to enable encryption
  • using content scanners to encrypt emails according to administrator settings.

LuxSci’s Secure Connector automatically encrypts every email message using TLS encryption for seamless delivery to recipient accounts. LuxSci’s solution allows you to choose the right type of encryption to suit your email use cases. For example, you may want to send highly sensitive messages like patient lab results using a more secure form of encryption like Portal Pickup to protect patient privacy. Not every gateway can provide that level of flexibility, so it’s important to understand how you want to use the tool when shopping for a solution.
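The following is an added illustration of the gateway decision logic described above (keyword prompt, content scanner, opt-out default); it is not Secure Connector’s code, and the scanner categories, the `[secure]` keyword, the administrator settings and the `recipient_offers_tls` input are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Assumed administrator settings: content categories that escalate a message
# from transport (TLS) encryption to portal pickup.
ESCALATE_CATEGORIES = {"lab_result", "diagnosis", "prescription"}
KEYWORD_PROMPT = "[secure]"  # assumed sender keyword that forces portal pickup

# Constructed scanner patterns; a production scanner would use a fuller dictionary.
SCANNER = {
    "lab_result": re.compile(r"\b(lab|test)\s+results?\b|\bA1C\b", re.I),
    "diagnosis": re.compile(r"\bdiagnos(is|ed)\b", re.I),
    "prescription": re.compile(r"\bprescription\b|\brefill\b", re.I),
}

@dataclass
class OutboundMessage:
    sender: str
    recipient: str
    subject: str
    body: str

@dataclass
class Decision:
    method: str  # "tls" or "portal_pickup"
    reasons: list = field(default_factory=list)

def scan(msg):
    """Return the sensitive-content categories found in the subject or body."""
    text = f"{msg.subject}\n{msg.body}"
    return {name for name, rx in SCANNER.items() if rx.search(text)}

def choose_encryption(msg, recipient_offers_tls=True):
    """Opt-out policy: every message is encrypted, and sensitive mail is escalated.

    recipient_offers_tls is an assumed input from the delivery layer (whether the
    recipient's mail server advertises STARTTLS). If TLS is unavailable the gateway
    falls back to portal pickup instead of ever sending plaintext.
    """
    decision = Decision(method="tls")
    if KEYWORD_PROMPT in msg.subject.lower():
        decision.method = "portal_pickup"
        decision.reasons.append("keyword prompt")
    hits = scan(msg) & ESCALATE_CATEGORIES
    if hits:
        decision.method = "portal_pickup"
        decision.reasons.append("content: " + ", ".join(sorted(hits)))
    if decision.method == "tls" and not recipient_offers_tls:
        decision.method = "portal_pickup"
        decision.reasons.append("recipient does not offer TLS")
    return decision

def strip_keyword(subject):
    """Remove the sender-side prompt so the recipient never sees the internal marker."""
    cleaned = re.sub(re.escape(KEYWORD_PROMPT), "", subject, flags=re.I)
    return " ".join(cleaned.split())
```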

When Should You Use An Email Encryption Gateway?

There are several situations when using an email encryption gateway is appropriate. These include:

Email Encryption Gateways For Microsoft 365 And Google Workspace

One of the most useful applications is for businesses that use Microsoft Office 365 or Google Workspace. These extremely popular email platforms do not come automatically configured for HIPAA compliance. To make Google Workspace HIPAA-compliant, you must use a third-party encryption tool to secure your emails. Microsoft Office 365 has an encryption add-on option, but it can be difficult to configure and cumbersome for your email recipients.

LuxSci’s own email encryption gateway Secure Connector works with both Google Workspace and Microsoft Office 365 and is simple to configure. All it requires are LuxSci smart hosting accounts for your Google or Microsoft users. For example, if you have 20 users for your company’s domain in Microsoft, you would simply need LuxSci accounts set up in the same domain for those 20 users.

Once the user accounts are configured and smart hosting is enabled in Google or Microsoft, the outbound email for all of these users will flow through LuxSci’s Secure Connector. Every outbound email will be automatically encrypted, without the user noticing or having to do anything. This setup can help your organization meet its HIPAA obligations without having to switch email hosting providers.

Email Encryption Gateways Can Solve A Wide Range Of Problems

While one of the most popular uses of LuxSci’s Secure Connector is for automatically encrypting outbound email for Google and Microsoft, this has much to do with the ubiquity of these services, rather than the limitations of email encryption gateways.

LuxSci’s Secure Connector can also solve the following problems:

  • An ISP does not allow your mail server to send outbound email, or limits the number of outbound emails to a set quantity. Secure Connector gives you a way to circumvent these limitations and send more emails.
  • Your Exchange Server can’t send email directly for your organization. Secure Connector provides another means to do so.
  • If an outbound email system does not support SMTP authentication, Secure Connector can perform the authentication instead. It supports username and password authentication, which can help to keep your organization secure.
  • Your IP address has a poor reputation and your outbound emails are filtered out as spam by the recipients. Secure Connector can help to stop this from happening.
  • You want to hide your mail server’s IP address. With Secure Connector, your mail server’s IP address can be hidden. This helps prevent mail from being blocked by recipients.
  • Archive your outbound emails.

Is LuxSci’s Secure Connector The Ideal Email Encryption Gateway for Your Organization?

If your company needs an email encryption gateway to automatically secure all of its outbound email, LuxSci’s Secure Connector is the only choice. Our opt-out approach to email encryption sets us apart from other companies. It is a HIPAA-compliant solution that supports multiple types of encryption to increase security for highly sensitive emails. Contact our team now to learn more about how Secure Connector can help solve your problems.

Case Study: Securely Email Medical Laboratory Results to Patients

Tuesday, August 17th, 2021

Medical laboratories use LuxSci’s secure services to email lab test results to patients. Although medical laboratories are not always HIPAA Covered Entities themselves, they are Business Associates with hospitals and doctors who are required to abide by HIPAA. By the “transitive” nature of the HIPAA privacy laws, Business Associates must abide by HIPAA security and privacy standards, protect patient data, and ensure confidentiality.


In order to send patients their results via email, these labs must use a HIPAA-compliant system that can send email to anyone with an email address. We work with labs to securely send Covid-19 test results, cancer screening results, and many other kinds of medical test results via email.

This post describes how one large medical lab uses LuxSci’s Secure High Volume Email sending service to safely deliver lab results to thousands of people every day.


How to Use ePHI to Segment and Personalize Email Marketing Campaigns

Tuesday, June 1st, 2021

Segmentation and personalization are powerful marketing tactics that are widely used across all industries. It is well-documented that marketers who send emails that are segmented and personalized experience much higher open and click rates. However, when healthcare marketers want to use these tactics, they must be aware of HIPAA! Any message that contains ePHI must be protected. In the past, these regulations made it difficult to send bulk marketing messages beyond generic office newsletters. However, using ePHI to segment and personalize marketing campaigns is possible!

To leverage patient data and create highly engaging and effective email campaigns that do not compromise security, marketers must use a HIPAA-compliant email marketing solution. We will walk you through how to use ePHI to segment and personalize healthcare marketing emails and improve your patient engagement.


How to Use ePHI to Segment Email Lists

Every campaign starts with identifying the target audience. When you use segmentation, you simply break down your email list into smaller subsets based on shared characteristics. The benefit of segmenting a list based on shared data is that you can adjust your messaging to speak more directly to that group of customers. When you are using a HIPAA-compliant marketing solution, you can segment your list using any data that you have from your patients (make sure you obtain appropriate permissions and opt-ins first!), including ePHI.

Ways to Segment lists using ePHI

Some examples of ways you can break down your lists using ePHI include:

  • Demographic characteristics
    • Gender
    • Age
  • Geographic location
  • Primary care provider
  • Date of last visit
  • Reason for last visit
  • Sensitive medical information
    • Medical conditions
    • Treatment history

The possibilities are only limited by the data that you collect.

How to Use ePHI to Personalize Emails

Once you have identified who the email is going to, the next step for sending an engaging email is to personalize the content for that audience. Much like segmentation, the possibilities for personalizing emails are only limited by the data that you collect. Anything that you can do to make the email feel like it’s a 1:1 communication instead of a generic blast email will increase the likelihood that it will be opened and engaged with by your target.

How to Personalize Emails with ePHI

The most common way to personalize an email is by using the person’s name in the subject line or email greeting. However, personalization can go much deeper when you also segment the list with ePHI. When you narrow down your list, it is much easier to create campaigns that appeal to the audience with relevant content and targeted promotions. A good example would be offering free breast cancer screenings for women during October. Men would be unlikely to engage with that email, because the subject matter is not relevant to them. By sending the email to only women of a certain age bracket, you are likely to increase the response rate and not irritate others on your list by sending them unnecessary information.

Other ways you can personalize emails with ePHI include:

    • Using a unique “From” name (e.g. saying the email is from Dr. Jones, who is the patient’s PCP, instead of using the name of the medical practice or billing department).
    • Providing program recommendations based on past behavior (recommending a support group for a specific condition).
    • Automating workflows based on behavior triggers (appointment reminders, pre- and post-op instructions, prescription refills, etc.).
    • Customizing the content based on data.

Segmentation and Personalization Example

Say we are auditing some patient data and realize that in our patient population, men at risk for diabetes are much less likely to schedule a follow-up appointment. As a result, this group is becoming much sicker than they otherwise would with early intervention. How can we reach this population? By using ePHI to segment and personalize an email campaign just for them.

First, we create a segment based on the pattern we observed: men who are over 40 with elevated A1C levels at their last test.

Then, the marketing team can create personalized content like blogs, white papers, or guides designed specifically to influence the segment’s behavior. One email in the campaign might look something like this:

“Dear [first name],

During your last visit on [last appointment date], your A1C levels were elevated, which indicates that you are at a higher risk of developing diabetes. Download our guide with nutritional advice and example meal plans designed to help control your blood sugar.”

Perhaps the nutritional guide mentioned in this email example has a call to action that invites readers to schedule a free consultation with a dietician to learn more about dietary changes they can make to prevent diabetes.

Likewise, by segmenting the audience, you can create personalized offers that are more likely to drive the behavior you want. In this example, maybe you offer discounted rounds of golf to anyone who joins a men’s diabetes support group.

Use Personalization Tags for Scalability

Best of all, with email marketing, you can create these emails at scale. You do not need to write individual emails to each of the patients that falls into this segment. You can use personalization tags to automatically pull in the information you have uploaded to the platform. As you see in the example above, where it says “[first name]” and “[last appointment date]” the platform will pull in the corresponding information tied to each unique email address, saving you time and improving your email performance. This is an advanced technique, but most email marketing platforms include this capability. Once again, make sure you are using a HIPAA-compliant platform before uploading any medical information.
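As an added illustration of the segment-then-personalize procedure worked through above (not LuxSci’s platform code), the block below builds the “men over 40 with elevated A1C” segment from constructed patient records and fills the `[first name]` and `[last appointment date]` tags. The A1C threshold, the age rule, the record fields and the patients are assumptions; a message with any unfilled tag is refused rather than sent half-rendered.

```python
import re
from dataclasses import dataclass
from datetime import date

A1C_ELEVATED_PERCENT = 5.7  # assumed threshold; the clinical cut-off is the care team's decision
MIN_AGE_EXCLUSIVE = 40  # segment rule from the example: men over 40

@dataclass
class PatientRecord:
    """Minimal constructed ePHI fields; real records hold far more."""
    email: str
    first_name: str
    sex: str
    birth_date: date
    last_appointment: date
    last_a1c_percent: float

def age_on(birth_date, today):
    years = today.year - birth_date.year
    if (today.month, today.day) < (birth_date.month, birth_date.day):
        years -= 1
    return years

def in_elevated_a1c_men_segment(p, today):
    return (p.sex == "M"
            and age_on(p.birth_date, today) > MIN_AGE_EXCLUSIVE
            and p.last_a1c_percent >= A1C_ELEVATED_PERCENT)

TAG = re.compile(r"\[([a-z ]+)\]")

def render(template, fields):
    """Substitute [tag] placeholders; raise if a tag has no value so a literal
    "[first name]" never reaches a patient."""
    def substitute(match):
        key = match.group(1)
        if key not in fields:
            raise KeyError(f"unfilled personalization tag: [{key}]")
        return str(fields[key])
    return TAG.sub(substitute, template)

def build_campaign(patients, template, today):
    """Return (recipient, rendered body) pairs for patients in the segment only."""
    messages = []
    for p in patients:
        if not in_elevated_a1c_men_segment(p, today):
            continue
        fields = {
            "first name": p.first_name,
            "last appointment date": f"{p.last_appointment:%B} {p.last_appointment.day}, {p.last_appointment.year}",
        }
        messages.append((p.email, render(template, fields)))
    return messages

# The email from the example above, as a template with personalization tags.
EMAIL_TEMPLATE = (
    "Dear [first name],\n\n"
    "During your last visit on [last appointment date], your A1C levels were elevated, "
    "which indicates that you are at a higher risk of developing diabetes. Download our "
    "guide with nutritional advice and example meal plans designed to help control your blood sugar."
)

# Constructed sample records (not real patients).
PATIENTS = [
    PatientRecord("alex@example.org", "Alex", "M", date(1970, 3, 15), date(2021, 5, 12), 6.1),
    PatientRecord("dana@example.org", "Dana", "F", date(1968, 7, 2), date(2021, 4, 20), 6.3),
    PatientRecord("sam@example.org", "Sam", "M", date(1990, 1, 9), date(2021, 5, 3), 6.0),
    PatientRecord("lee@example.org", "Lee", "M", date(1965, 11, 30), date(2021, 2, 14), 5.2),
]
```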

Now You Know How to Use ePHI to Segment and Personalize Emails. What’s Next?

It’s important to find a vendor that will allow you to use these techniques without violating HIPAA. Many of the most common vendors like Constant Contact and Mailchimp are only quasi-compliant at best. Do your research, sign a BAA, and ask the right questions to ensure you can send ePHI in any email you send.