" hipaa Archives - Page 18 of 22 - LuxSci

Posts Tagged ‘hipaa’

HIPAA Alert: Contacts, Calendar Events and Tasks may contain ePHI!

Monday, February 3rd, 2014

When health care organizations review their operations to see where electronic protected health information (ePHI) is being saved, transmitted, and viewed, a great deal of time is spent on the obvious candidates: email, chat, stored files, health records, etc.

Many overlook the fact that ePHI can be embedded in Contacts, Calendars, and Tasks. Consider, for example:


Case Study: LuxSci SecureForm and Ink Signatures Eliminate Downloading, Printing, Signing, and Faxing of Contracts

Friday, January 31st, 2014

For legal reasons, LuxSci’s HIPAA customers must physically sign a “Business Associate Agreement” and return it to us. While this is a simple and commonplace request, it creates a lot of busy work for the customer and LuxSci!

The customer might have to

  1. Download the file
  2. Print out the 19 pages
  3. Sign the agreement
  4. Fax back all pages, or scan them and return them electronically

Then, LuxSci might have to

  1. Locate the document
  2. Sort out faxes that are in the wrong order, upside down, blank, or missing pages
  3. Figure out who sent the document
  4. Verify that pages are not missing or changed
  5. Counter-sign the document and attach it to the customer account
  6. Contact customers who have not sent in their documents correctly or at all, which is crucial to the HIPAA certification process

Multiplied by many customers, this creates a lot of unproductive busy work for everyone, which costs time and money.

To simplify this process, LuxSci uses its own Secure Form and Ink Signatures technologies to submit signed contracts in a snap for customers and eliminate most of the busy work LuxSci itself has to do to manage the process.

In this post, we describe how both technologies work.


HIPAA Compliant Emails Sent From your Web Site: Best Practices

Tuesday, January 7th, 2014

You buy a HIPAA compliant web hosting infrastructure. You configure your web site to send out email messages in the simplest way, e.g. through PHP mail, or some other generic and standard mechanism. You think you are all set — but you are not.

HIPAA compliant web hosting services provide a server infrastructure that allows you to be compliant; however, they do not make you compliant. Your web designers must make choices and program your site so that it properly respects ePHI. If they do not do all the appropriate things, you will be out of compliance. E.g. see: 7 steps to make your web site HIPAA-secure.

In particular, email messages sent in the “normal way” from a web site will go out insecurely in a way that will violate the HIPAA Security Rule if they contain ePHI of any kind. E.g. they will not be encrypted and will not be archived.


Who does not support SMTP TLS for Secure Inbound Email Delivery?

Thursday, November 7th, 2013

We are frequently asked who supports TLS to secure inbound email delivery. This is especially important for customers who need to be HIPAA-compliant, as email transport encryption over TLS is sufficient for HIPAA-compliant communications to end-users, so long as the TLS is configured to be sufficiently strong.

While it is possible to tell who supports TLS, it is somewhat technical to do it yourself. So, we have assembled a table with many of the most popular free and public email domains in use across the internet. We indicate which currently (as of July 8, 2022) support SMTP TLS for inbound email.

The results are surprising. A majority of domains these days do support TLS. With Microsoft’s recent TLS implementation on its email domains (hotmail.com/live.com/outlook.com), this rounds out consistent TLS support (for inbound delivery; outbound may or may not be supported) for all of the most popular free email providers (e.g., aol.com, gmail.com, yahoo.com, hotmail.com).

Note: lists below have been updated as of 7/8/22.


HIPAA Compliance is Needed for Emailed Appointment Reminders

Friday, September 20th, 2013

Twice in the past few weeks I have received appointment reminders or scheduling information from doctors via email — via insecure, non-HIPAA-compliant email.

An email message contains identifying information: my email address and my name. The appointment email messages also contain information about “the past, present, or future provisioning of health care to an individual” … me! Taken together, this means that these email messages are ePHI (more details – what is ePHI?) and needed to be secured in a HIPAA compliant manner.

That they were not compliant was obvious to me:
