" hipaa compliant Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more

Posts Tagged ‘hipaa compliant’

AWS – Is It HIPAA Compliant?

Tuesday, September 18th, 2018

Is Amazon Web Services or AWS HIPAA Complaint? This is a question that many healthcare providers have a hard time finding a real answer to. However, we at LuxSci have put in the effort to answer the question once and for all. Hopefully, you’ll find it helpful.

To begin with, AWS definitely includes features that can be used to help you meet all of the requirements of the HIPAA Security Rule. Amazon will even sign a BAA (Business Associate Agreement) with healthcare customers.

All of this can create the impression that using AWS is automatically HIPAA compliant. However, this isn’t the whole story.

AWS is it HIPAA compliant

You see, it is still very easy to commit information architecture or configuration mistakes that leave data, or in this case, Protected Health Information (ePHI) exposed to unauthorized access, which is a clear HIPAA violation.  It is also easy to omit security controls, such as access auditing, logging, backups, and encryption, that are essential for compliance.

Read the rest of this post »

Is Microsoft Email HIPAA Compliant?

Wednesday, September 12th, 2018

To be HIPAA compliant a healthcare organization needs to ensure that all parties that have access to their data need to sign a Business Associate Agreement (BAA). The BAA helps to protect data security by requiring all parties involved to only share and use data within the HIPAA guidelines. As a healthcare organization or a health insurance company, if you have a third party email services provider you will need the provider to sign a BAA.

There are several other guidelines in place that are required for an email provider to be HIPAA compliant; companies that use these services need to ensure that the guidelines are followed. Any company that doesn’t keep track of its service providers risks being in violation of HIPAA.

is Microsoft email HIPAA compliant

Is Microsoft Outlook Online safe to use for HIPAA?

We first have to look at which version of Microsoft Outlook is being used. Outlook.com is not HIPAA compliant. The free service is not recommended for healthcare organizations and health insurance providers as it does not meet the HIPAA guidelines.

Read the rest of this post »

HIPAA Email: Does it Require Encryption?

Tuesday, July 31st, 2018

HIPAA’s encryption requirements fall in a grey area. This is mainly due to two reasons:

  • encryption is required when ‘deemed appropriate’, which means email encryption is not absolutely necessary and ‘mutual consent’ can be used in place of encryption.
  • there are a number of ‘addressable requirements’ pertaining to the technical safeguards as far as ePHI encryption is concerned

What exactly is mutual consent?

Mutual consent refers to a mutual understanding between doctor and patient that email containing ePHI can be sent to patients’ email account without encryption. Patients should communicate their approval in writing after being informed of the security risks and understanding that a secure option is available. You must additionally maintain all records of mutual consent.

HIPAA Email Encryption

Mutual consent does not waive off other HIPAA-related requirements. You must still use HIPAA complaint systems, log and audit non-encryption choices, and back-up and archive all email communications sent insecurely, etc.

Encryption at rest is ‘addressable’

‘Addressable’ means that the safeguard should be implemented or an alternative to the safeguard that delivers the same results should be implemented. In the absence of both, you should document and justify why no action has been taken with regard to the safeguard.

Read the rest of this post »

Is FAXing really HIPAA Compliant?

Tuesday, September 12th, 2017

Many organizations, especially in the healthcare industry, have an urgent need to send important and sensitive information, like protected health information (what constitutes PHI?), to organizations via FAX (facsimile).

Why?  Because this is how it has always been done, and everyone is “set up” to be able to handle FAXes quickly and efficiently.

Go back in time 10-15 years.  Every doctor’s office and small business had one or more FAX machines for sending documents and pictures back and forth.  It was essential technology that became ingrained into business processes through constant, repetitive use.  Everyone knows how to use a FAX machine, even the most technologically challenged staff member.

IS a FAX really HIPAA compliant?

Fast forward to now:

  1. Fax Machines have changed.  They are now all-in-one devices that scan, print, copy, send files to your computer, and more.  The “FAX” ability is now just a minor extra feature.
  2. HIPAA has arrived and evolved.  It used to be that sending patient (ePHI) data via FAX was the norm.  Now, it is perilous to send such private data over regular FAX lines, as it is easy for that process to break down and violate HIPAA.  E.g. see this $2.5 million dollar law suite resulting from 1 fax message.
  3. Everyone has a computer or tablet. Most doctors and staff members have access to email, a HIPAA-secured computer or tablet, and familiarity with how to use them … and have been trained on best practices via the required HIPAA security training that everyone has to have now-a-days.
  4. Paperless offices. Workplaces have or are evolving to become paperless — everything is stored electronically.  Regular FAXes are often disdained in favor or email; when regular FAXes do arrive, they are often scanned to electronic files and then destroyed.
  5. Low resolution. Faxes are low-resolution.  They are slow and they do not contain a great amount of detail.  They are not great for sending anything graphical.

Read the rest of this post »

WordPress Security Overview: Can WordPress be HIPAA-compliant?

Monday, March 13th, 2017
For a deep dive, see our white paper: Securing WordPress

WordPress is a content management system that dominates the internet, powering more than 24% of the web. Although it has many great features that make it quick and easy to set up, the complications associated with HIPAA standards can make it difficult to achieve compliance. WordPress has recovered from a checkered past as far as security is concerned, but it is still a third party tool which is not specifically designed to conform to HIPAA standards.

WordPress Security

Read the rest of this post »