" hipaa compliance Archives - Page 8 of 10 - LuxSci

Posts Tagged ‘hipaa compliance’

Is Skype HIPAA Compliant? If not, what is?

Saturday, May 9th, 2020

In recent times we have seen a huge push toward telehealth, so many are wondering, “Is Skype HIPAA compliant?” While Skype is a practical tool that many people have access to, it’s important to consider any regulatory obligations you need to meet before you use it.

If your business collects, stores, transmits or processes electronic protected health information (ePHI), then it is subject to HIPAA regulations. Organizations that process ePHI on behalf of other parties also need to stick within the rules, otherwise they may face heavy fines.

Regardless of whether your organization provides health services through video or it uses video platforms to process ePHI in any other way, it needs to make sure it is using software that abides by the regulations.

Wondering, “Is Skype HIPAA compliant?” is a good starting point, but there are several things to consider before you commit to a video conferencing service.

Do You Need a BAA to Make Skype HIPAA Compliant?

A business associates agreement (BAA) is a contract between your organization and any others that process its data. In essence, these agreements outline how ePHI will be used, what control measures will be in place, and where the responsibilities lie between the two parties.

BAAs are absolutely necessary for HIPAA compliance. Even if your organization and its partner share ePHI with every control and security mechanism imaginable, as well as following all other aspects of the regulations, it would still be violating HIPAA if a signed BAA was not in place.

If your organization is going to be sharing ePHI over a video service, then it needs to be HIPAA-compliant.* However, the only way that it can be HIPAA compliant is if a BAA is in place.

Is Only the Business Version of Skype HIPAA Compliant?

Skype comes in several different versions, but the basic, consumer oriented one is not HIPAA compliant. The only type that offers BAAs and which could be made HIPAA compliant is Skype for Business, which is one of Microsoft Office’s business communication tools.  Note that “Skype for Business” is a completely different service than consumer Skype. 

However, it’s also worth noting that Skype for Business is currently being phased out in favor of Microsoft Teams. If you don’t already have a supported version of Skype for Business, you should look for HIPAA-compliant alternatives instead. Support for Skype for Business Online ends in 2021, while support for Skype for Business Server will be extended until 2025.

With this in mind, it’s probably not worthwhile pursuing any version of Skype for HIPAA compliance. If you use the basic version of Skype, you will be violating the regulations, and even if you can get Microsoft to sign a Skype for Business BAA, you may have to switch your software in 2021 anyway.

HIPAA-Compliant Alternatives to Skype

Considering that Skype for Business doesn’t have much time left and that it is not even the same as “regular Skype,” your organization will be better off finding a HIPAA-compliant alternative. One option is LuxSci’s SecureVideo, which was designed specifically to make it easy to stay within the regulations.

SecureVideo was developed from the ground up with HIPAA compliance in mind, ensuring that it became a practical video calling service that made security and compliance simple. The Zoom for Healthcare-based platform is great for telemedicine and other forms of sharing ePHI.

SecureVideo includes handy features like screen-sharing, file-sharing, and virtual clinics, with a capacity of up to 100 participants. This makes LuxSci’s SecureVideo a convenient and compliant alternative to Skype.

 

* During the Covid-19 pandemic, HHS has waived responsibility for breaches through non-compliant video conferencing services, like Skype. So, while Skype may not be compliant, it is OK to use during the pandemic. However, as the pandemic subsides and this waiver is lifted, you should have transitioned to a service that is actually HIPAA compliant.

Tags: business associate agreement, chat, ePHI, hipaa, hipaa compliance, microsoft, phi, skype, telemedicine, video, video conferencing
Posted in Business Solutions, LuxSci Library: HIPAA
1 Comment »

What We Call “Quasi-HIPAA-Compliance”

Thursday, March 26th, 2020

Are your organization’s service providers HIPAA-compliant, or are they only quasi-HIPAA compliant?

What do we mean? 

Okay, we’ll be honest quasi-HIPAA compliant isn’t an accepted term yet but it should be.

When we talk about quasi-compliance, we’re referring to setups and services that look HIPAA-compliant and share some of the features; however, they may not be entirely in line with HIPAA requirements if you actually use them in the way that you want.

Quasi-HIPAA compliance is common, particularly in popular services. It can also be hazardous for businesses because quasi-HIPAA compliance can lead organizations into a false sense of security while they may be violating the regulations unwittingly.

Quasi HIPAA-Compliance

What Is Quasi-HIPAA Compliance?

The best way to explain the concept of quasi-HIPAA compliance is through example. A quasi-HIPAA compliant service could come from an email-hosting provider, web hosting provider, or an organization that offers a range of other solutions. 

If these providers are quasi-HIPAA compliant, they will include elements of HIPAA compliance. Still, the services may not be appropriately tailored to keep their clients within the lines of the regulations when used in various ways. A provider may be willing to sign a HIPAA business associates agreement (BAA) with your company, but its services may not include the appropriate protections for compliance.

As a good example: Google is willing to sign a BAA with customers using its Google Workspace service. However, Google does not actually provide HIPAA-compliant email encryption — so using Google Workspace email in a HIPAA context can immediately leave you in non-compliance and subject to breach. This is quasi-HIPAA compliance. You assume that by signing a BAA, you can use the services as you like and be “all set.” In truth, you need to understand what is allowed and what is not allowed. You need to either (a) avoid performing non-compliant actions or (b) add additional measures to fill those gaps.

Quasi-HIPAA compliance

Business Associates Agreements & Quasi-HIPAA Compliance

A BAA is essential for HIPAA compliance. Your company can’t be completely HIPAA-compliant if it uses the services of another entity without a BAA in place. It doesn’t matter if the entity’s services are technically HIPAA-compliant; you will fall afoul of the regulations unless a BAA exists between the two parties.

Even if you have a BAA with your provider, that alone may not be enough to keep your organization on the right side of HIPAA. The provider may not have the security measures your organization needs and instead have a carefully worded BAA that will leave you vulnerable.

Let’s say your email marketing service provider is a quasi-HIPAA compliant provider. It may not offer email encryption, or the necessary access control measures your organization needs to send ePHI and other sensitive information safely. The “HIPAA Compliance” may be limited only to data stored at rest on their servers. You may be stunned to learn that an email marketing company offering “HIPAA compliance” does not recommend sending any sensitive data over email

The BAA offered by a company may be carefully worded to say that the service is technically HIPAA-compliant, but only if you don’t use it to send ePHI. This is legal, and the provider isn’t necessarily doing anything wrong by offering such a service, as long as this is clearly stated in the agreement. Without understanding clearly what is actually “covered,” you leave yourself at risk.

The compliance and breach danger comes when organizations use quasi-HIPAA compliant services without completely understanding them. If they don’t take the time to do their research or thoroughly read the agreement, they could use the service in a way that isn’t covered under the BAA.

Doctor Video Conference

Dangers of Quasi-HIPAA Compliance

In our example, an organization might subscribe to a quasi-HIPAA compliant service and use it to send ePHI. Suppose ePHI isn’t allowed to be sent via email or text under the BAA, and it’s sent without encryption and other security measures in place. In that case, the messages will violate HIPAA regulations.

This is an easy trap to fall into for several significant reasons. 

  1. BAAs can be complex and need to be studied carefully. 
  2. People make assumptions about what is covered by an organization’s “HIPAA compliance.”
  3. It’s very easy to send ePHI in an email accidentally. The definition of ePHI is broad, so employees can include ePHI in messages without even realizing it.

Even if your organization specifies that ePHI shouldn’t be sent through a particular service, all it takes is one mistake, and your company will have a costly HIPAA violation on its hands. Suppose your organization does use an email marketing service that’s only quasi-HIPAA compliant. In that case, the restrictions on ePHI will prevent your organization from being able to market effectively and communicate appropriately with its clients.

How Your Organization Can Avoid Quasi-HIPAA Compliance

The most important way to protect your organization is to do your research beforehand and ensure that any prospective provider will cover your intended uses. This means that you need to read through their BAAs to ensure that they align with your business’s requirements.

To save you some time, services like Google Workspace and the vast majority of email marketing services can be seen as quasi-HIPAA compliant. Only providers that specialize in HIPAA-compliant services will be able to deliver the solutions that healthcare organizations and those that process ePHI require.

If your company needs proper HIPAA compliance, then a provider like LuxSci is the best way to stay on the ride side of the regulations. We have been providing HIPAA-compliant secure email since 2005. Not only are our solutions tailored to abide by HIPAA, but we have also developed the services you need to conduct essential business tasks.

We provide HIPAA-compliant bulk email solutions for clients that need to send at scale. These services are set up over our secure infrastructure, and we provide dedicated servers for clients.

LuxSci focuses on both compliance and ease of use, so we have developed secure email hosting, email marketing, and transactional email solutions among our offerings. Our services help your organization comfortably market itself and conduct business while staying in line with HIPAA compliance.

Tags: baa, ePHI, hipaa, hipaa compliance, quasi hipaa compliance
Posted in Industry News
No comments »

Is Constant Contact HIPAA-Compliant?

Monday, January 6th, 2020

In a perfect world, using Constant Contact would make it easy for your business to perfect its email marketing strategy, while still staying within the narrow lanes of HIPAA regulations.

Back on earth, it may be possible to use the software and remain HIPAA-compliant, but things aren’t so straightforward.

Constant Contact HIPAA compliant

Constant Contact is renowned for its package of services, including:

  • Email templates that make it easy to design professional newsletters and other marketing materials
  • Email marketing automation
  • Marketing tools for ecommerce
  • Contact management
  • Analytic tools for tracking results

Constant Contact has a lot to offer, but is it a good choice for organizations that want to send electronic protected health information (ePHI)? Can Constant Contact be a HIPAA-compliant marketing email solution?

Is Constant Contact HIPAA-Compliant?

A cursory search of the website seems to imply that Constant Contact is HIPAA-compliant. The company even has a page dedicated to business associate agreements (BAAs), which are a critical part of compliance whenever an organization may be sharing ePHI with another entity.

BAAs are formal agreements that set out how the two parties will share the data, what protection measures need to be in place, and who is responsible for what.

The BAA page states that Constant Contact will only sign their own BAA and won’t make changes to it “under any circumstances.” This isn’t necessarily unusual for a service provider, but it could make HIPAA compliance impossible for any organization that requires alterations to the agreement. To check if the BAA is right for your company, you will need to email the legal department listed in the above-linked page for a copy.

If you think you may have found the HIPAA-compliant email marketing service you were looking for, reading on may crush your dreams. It states that you:

Should not use our systems for transmitting highly sensitive PHI (for example: mental health, substance abuse, or HIV information). Our application was not built for electronic medical records (EMR). If you have such information to send, please do not use Constant Contact.

This section is a little confusing, because HIPAA makes no mention of “highly sensitive PHI.” The law doesn’t generally differentiate between HIV results and eczema diagnoses, treating all breaches of PHI equally. This is the first red flag that Constant Contact may not be a good option for HIPAA compliance.

The BAA says that you should avoid using the service if you “have such information to send.” While the whole paragraph isn’t exactly straightforward, the only safe assumption is that Constant Contact is not HIPAA-compliant for sending PHI in email. Although the company will sign a BAA, it acknowledges that its services are not designed to secure PHI, and using them could put the data at risk.

A final major factor in this consideration is that Constant Contact does not have the ability to encrypt emails containing PHI. HIPAA requires, among many other things, that all ePHI be encrypted during transmission. This is probably why Constant Contact recommends against using their bulk emailing service for the actual sending of HIPAA-compliant emails.

Constant Contact HIPAA-Compliant Alternatives

If you are looking for a HIPAA-compliant email marketing service that is suitable for the health sector, you don’t have to despair. LuxSci provides HIPAA-compliant solutions that are built with the regulations in focus.

From our email marketing service to our secure forms, we offer solutions that can bring your company results without violating HIPAA regulations. We also keep our BAA process as straightforward as we can, to avoid the confusion that comes with some other providers.

Tags: constant contact, email marketing, hipaa compliance, HIPAA-compliant email marketing, marketing email, marketo
Posted in Email, Email Marketing
No comments »

How to Evaluate any New Software or Service for HIPAA Compliance

Friday, August 9th, 2019

If your organization operates in the health sector or processes data for clients that are, then it will need to deal with all ePHI in a HIPAA-compliant manner. This means that HIPAA-compliant software and services are required whenever and wherever protected health information is dealt with.

HIPAA regulations limit the range of services that a company can use. Due to the complexity of the laws, it’s important to evaluate any potential service in a thorough manner to ensure that it is in fact HIPAA compliant. To make the process a little less daunting, we’ve collected a list of steps that make it easier to discern whether a provider can protect your organization’s data appropriately:

Does the Provider Say That the Service Is HIPAA Compliant?

This is the easiest and perhaps most obvious step. Organizations that provide HIPAA-compliant services generally advertise it quite prominently. If they are putting in the extra work to keep their clients secure and within the regulations, then the odds are that they are going to tell potential customers about it.

If you visit the company’s website (or talk to a sales rep) and don’t come across any information about HIPAA compliance, then it’s pretty safe to assume that the software or service is not HIPAA Compliant. If you want to make sure that you didn’t overlook anything, you can do a site search of the company’s website, looking for “HIPAA Compliant” and related keywords.

If you don’t find any results, it’s probably best to move on to other providers. If a company was actually HIPAA Compliant but didn’t make the information clear, it raises some serious questions about the company’s practices and strategies. Given the importance of HIPAA Compliance, it’s probably best to move on to another provider.

Let’s not get ahead of ourselves and assume that we can trust a company just because it says it’s HIPAA Compliant. This is simply the first step of the evaluation process and it helps to rule out a large number of providers. Once your organization has narrowed down the list, it still needs to analyze other aspects of the service and the company behind it.

Is the Service Provider Willing to Sign a Business Associate Agreement?

The next step is to determine whether the provider is willing to sign a business associate agreement (BAA) with your organization. If the service provider will be processing your company’s ePHI, but won’t sign a BAA with it, then any data sharing will not be HIPAA Compliant.

According to HIPAA, a BAA is required for any third party that may process your organization’s ePHI. This agreement stipulates how the data will be protected and processed, as well as where the responsibilities are delineated.

Let’s say a hypothetical organization did actually secure the data in a HIPAA-compliant manner without having signed the agreement – this would still violate the regulations, because there is no written agreement that ensures the protection of the patient data.

Look at the Company’s Reputation and Reviews

Trust is critical when it comes to HIPAA compliance. While you can’t look into the future and see how your organization’s experience with a service will play out, you can get a rough idea by looking at the company’s reputation, as well as any public reviews that may have been posted.

If a service provider has been in the industry for a long time, it’s generally a good sign. But be wary if the organization is branching out into a new service. A company could be industry-renowned for its HIPAA-compliant email, but if it have just launched a new chat service, it may not necessarily be up to the same standards. While new services aren’t necessarily bad by default, it’s probably best to do additional research before signing up to be a guinea pig.

Another key indicator is the service provider’s reviews. Do you know anyone personally or that you trust who has used the service? What did they say? Did their experience show that the company was committed to security and HIPAA compliance?

You can also look to online reviews and industry forums to find more information and stories from service providers. It’s important to not throw all of your trust into what someone says on the internet, but if you come across negative experience after negative experience, it may be a decent warning sign to steer clear. Watch out for digital marketing though – some companies are especially cunning and post ads that look like honest forum posts or reviews.

Investigate the Details

The steps listed above are a good way to narrow things down, but they are no substitute for a thorough evaluation. It’s your organization’s responsibility to make sure that a potential service has every technical, administrative, and operational measure that it needs to stay within the lines of HIPAA.

While a service provider will be responsible for compliance in a number of areas (if a BAA is in place), your organization is not at all free of obligations. It needs to make sure that it is encrypting data where necessary, that it implements effective access control, and has a host of other measures in place. It also needs an overarching policy that brings all of the elements together in a comprehensive plan.

Any HIPAA-compliant provider should be more than happy to share the technical, privacy, and legal details with a potential client. If not, your organization should be extremely suspicious of its services. If your organization lacks the expertise to thoroughly evaluate a provider, then it may be best to engage an outside consultant who can handle it for you.

HIPAA compliance is serious and complex. It’s important to get it right from the start, through careful examination and planning. If your organization doesn’t tread carefully from the beginning, it could very well find itself on the wrong side of the regulations, facing significant legal penalties.

Tags: hipaa compliance, software
Posted in Business Solutions, LuxSci Library: Security and Privacy, New Feature Announcements
No comments »

Do Healthcare Marketing Emails Have to Be HIPAA-Compliant?

Friday, July 26th, 2019

Healthcare is a competitive business! A well-thought-out marketing strategy can help you outshine your competition, but providers must keep compliance in mind when considering email marketing for healthcare.

Many organizations have substantial email lists of their clients and wonder how they can utilize them to increase patient engagement. Marketing professionals may strongly suggest email communications, but it is essential to understand the HIPAA restrictions around email marketing for healthcare before starting a campaign.

So, do healthcare marketing emails have to be HIPAA-compliant? It’s an important question to ask and one that’s not precisely clear-cut because the answer is dependent on the context.

Does the Marketing Email Contain Protected Health Information?

Email marketing for healthcare is subject to HIPAA regulations if the emails contain “protected health information” that is “individually identifiable.” The term “protected health information” refers to any data relating to a person’s health, treatment, or payment information, whether in the past, present, or future.

Under this definition, some examples of PHI may include:

Is the Information Individually Identifiable?

If information is individually identifiable, it can somehow be linked to the individual. There is a long list of identifiers that include:

  • Names
  • Addresses
  • Birthdays
  • Contact details (like email addresses)
  • Insurance details
  • Biometrics

The final entry in the official list of possible identifiers is “Any other characteristic that could uniquely identify the individual,” so this concept is all-encompassing.

Do Your Marketing Emails Need to Comply?

If both conditions are met, then the email needs to be sent in a HIPAA-compliant manner. If it doesn’t, your organization may be safe. Before you rush to start an email campaign, you need to be careful. The edges of HIPAA can be blurry, and it is best to proceed cautiously.

Let’s take this example. A clinic comes across a study that recommends new dietary supplementation for expectant mothers. It decides that it could use this information not just to help mothers-to-be but also to bring in new business. The clinic then sends out an email to all expectant mothers with details from the new study, asking them to make an appointment if they have any further questions.

Everything should be above board, right? Well, maybe not. Because the email was only sent to expectant mothers, it infers that everyone in the group is an expectant mother, which means that it could be considered protected health information. Each email address is also considered individually identifiable information.

With both of these characteristics in place, it’s easy to see how this kind of email could violate HIPAA regulations. If the email had been sent to every member of the clinic, then it might not be viewed as violating HIPAA. This approach wouldn’t single out the women who were pregnant (though it might single you out as a former patient of that clinic and could also imply things about past/present/future medical treatments). It might seem unlikely, but these situations occur all the time. 

Even if most of your organization’s emails don’t include PHI, sending them in a HIPAA-compliant manner is wise. It is easy to make a mistake and accidentally include ePHI in a marketing email. When you consider the high penalties of these violations, ensuring that all of your emails are sent securely is a worthwhile investment.

How Can You Make Email Marketing for Healthcare HIPAA-Compliant?

If your healthcare organization sends out marketing emails, it is crucial to ensure that they are sent in a HIPAA-compliant manner. The best approach is to use an email marketing platform designed specifically for health care, such as LuxSci’s HIPAA-Compliant Secure Marketing platform.

Your organization must sign a HIPAA Business Associate Agreement with any service provider you work with. Using the appropriate encryption, access controls, and other security mechanisms is essential to protect ePHI. Be sure to vet your email provider thoroughly, and remember signing a BAA is not enough to ensure compliance. 

Tags: email, email marketing, email security, ePHI, hipaa, hipaa compliance
Posted in Email Marketing, LuxSci Library: HIPAA
No comments »

« Older Entries
Newer Entries »