" hipaa Archives - Page 2 of 21 - LuxSci

Posts Tagged ‘hipaa’

What is HIPAA Compliant Email Marketing?

Tuesday, January 14th, 2025

Incorporating HIPAA compliant email marketing into healthcare marketing practices offers a powerful avenue to engage patients and promote services by using a specifically designed healthcare marketing solution that is 100% HIPAA compliant.

It is imperative to ensure that email marketing communications comply with the Health Insurance Portability and Accountability Act (HIPAA) to protect patient privacy and secure protected health information (PHI).

If you are one of the 92% of Americans with an email address, you are likely familiar with email marketing. It is a tried and true marketing strategy that delivers a superior return on investment compared to other digital channels. However, when healthcare organizations want to utilize these strategies, out-of-the-box solutions are not a good fit. Healthcare organizations must utilize email marketing platforms specifically designed to meet HIPAA’s unique privacy and security requirements.

When Do You Need a HIPAA Compliant Email Marketing?

Healthcare organizations are required to use a HIPAA compliant email marketing because their messages often contain electronic protected health information (ePHI). This includes information that is both individually identifiable and relates to someone’s healthcare.

Individually identifiable information includes identifiers like a patient’s name, address, birth date, email address, social security number, and more. By default, every email marketing communication includes the patient’s email address and is, therefore, individually identifiable. Not only does the definition of ePHI cover people’s past, present, and future health conditions, but it also includes treatment provisions and billing details. This information is often contained in email marketing messages.

While the law does not cover anonymous health details or individual identifiers sent by themselves, you must be careful and abide by HIPAA regulations when the two are brought together. You will need a HIPAA compliant email marketing service whenever you send ePHI. As we will see, even if you think an email may not contain ePHI, it is still best to be cautious.

Types of HIPAA Compliant Email Marketing Communications

An excellent example of an email blast that must comply with HIPAA is a newsletter sent to a clinic’s cancer patients. At first glance, the email doesn’t contain any specific PHI. It doesn’t mention Jane Smith’s chemotherapy treatments, other specific patients, or their medical information. However, upon closer look, it may violate HIPAA regulations.

Every email in this campaign contains a personal identifier- the patient’s email address. In this example, only cancer patients received the newsletter, which also tells you personal medical information. A hacker could infer that anyone who received this email has cancer, which is ePHI and protected under HIPAA. If you use a medical condition to create a segment of email recipients, the email campaign must comply with HIPAA.

Sometimes, it can be challenging to identify if an email contains ePHI. If you sent the same practice newsletter to a list of all current and former medical clinic patients, it may or may not contain ePHI. Even if the newsletter contained benign info about the practice’s operating hours or parking information, if the practice is centered around treating a specific condition like cancer or depression, it may be possible to infer information about the recipients regardless of the message.

There are a lot of gray areas, and it can be difficult to determine if an email contains PHI. We recommend using HIPAA-compliant email marketing for any promotional materials to reduce the risk of violations.

The Benefits of Using a HIPAA Compliant Marketing Platform

After reading this, you may think the answer is to avoid sending PHI in email campaigns. However, by keeping your communications bland, generic, and broadly targeted, you miss out on significant opportunities to engage your patients.

Using a HIPAA compliant email marketing solution, you can leverage ePHI to send much more effective messages. In the above example, cancer patients actively receiving treatment at your clinic are much more likely to be interested in your business updates. Targeted emails receive much higher open and click rates than those sent to a general list.

Results of leveraging PHI

Sending the right information to your patients at the right time is an effective patient engagement strategy. Think about it using an e-commerce example- when a retailer sends you product recommendations based on past purchases; they use your data to influence future purchasing decisions. By utilizing patient data to create highly relevant and personalized campaigns and offers, you receive a better return on investment in your efforts.

What is Required for HIPAA Compliant Email Marketing?

Finding the right HIPAA compliant email marketing platform can be challenging. Most of the common vendors aren’t HIPAA-compliant at all. Others claim compliance and will sign BAAs to protect your information at rest but still will not enable you to send PHI via email. Finding a provider that suits your business needs and protects the email messages requires careful vetting.

Generally speaking, a HIPAA compliant email platform must meet three broad requirements:

  1. The vendor will sign a Business Associates Agreement that outlines how they will protect your data and what happens in case of a breach.
  2. The vendor protects the data at rest using appropriate storage encryption, access controls, and other security features.
  3. The vendor protects messages in transit using an appropriate level of encryption with the proper ciphers.

LuxSci’s Secure Marketing email platform has been designed to meet the healthcare industry’s unique needs. Our platform was built with both security and compliance at the forefront. With Secure Marketing, organizations can send fully HIPAA compliant email marketing messages to the right patients at the right time and receive a better return on their marketing investment.

Tags: email marketing, email marketing platform, hipaa, hipaa compliance, HIPAA-compliant email marketing, marketing, personalization, phi, segmentation
Posted in HIPAA Marketing, HIPAA Compliant Email Marketing
No comments »

HIPAA Compliance Checklist

Saturday, January 11th, 2025

Our HIPAA compliance checklist was designed to help organizations understand their obligations under the law. The checklist items are not a complete list, just a starting point for your compliance program. HIPAA requires a yearly risk analysis to identify new vulnerabilities. Any business process change or new technology usage introduces new risk into an organization’s security program, so it’s important to review the standards regularly.

HIPAA Compliance Checklist

Who Does HIPAA Apply To?

First, recall that HIPAA regulations only apply to covered entities and their business associates. Individuals (unless they fall into one on of the following categories) do not have responsibilities under HIPAA. It is okay for a patient to disclose information about their medical conditions and treatments to others in whatever format they choose.

Covered Entities

Covered entities are organizations that provide health care, process medical information, or manage health insurance plans. There are three main categories of covered entities that include:

  1. Health care providers, payers and suppliers: Individuals or organizations that provide care, services, or supplies related to the health of an individual. This category also includes those who sell or dispense pharmaceuticals, medical devices, and equipment in accordance with a prescription.
  2. Health plans: An individual or group plan that provides or pays the cost of medical care.
  3. Health care clearinghouses: An entity that processes medical claims submitted by health care providers to insurance companies.

Business Associates

The HITECH Act extended HIPAA compliance requirements to the business associates of covered entities. A business associate is a company that collects, processes, or stores protected health information (PHI) on behalf of a covered entity. A few examples of business associates include marketing agencies, IT companies, financial services, or legal offices. LuxSci is a business associate. We store and transmit PHI on our servers and networks, and we have a responsibility to our customers to keep that data safe under the law.

Furthermore, the Omnibus rule requires business associates of business associates to also follow HIPAA regulations if they handle ePHI. An example of this scenario would be if a marketing agency working for a hospital contracted LuxSci for web hosting or online form services. Even though we don’t directly work with the hospital in this instance, we must still sign a business associates agreement that outlines how we will secure sensitive information.

Understanding PHI

Before diving into the HIPAA compliance checklist, it’s important to understand what data needs to be secured. HIPAA regulations safeguard protected health information. Otherwise known as PHI, it is simply defined as individually identifiable health-related information. Health-related information includes information about past, present, or future medical conditions, treatments, provisioning, and payments.

To fall under the PHI category, health-related information must be linked to an individual identifier. Some of the most common personal identifiers include: names, email addresses, phone numbers, medical record numbers, photos, and driver’s license numbers. When PHI is electronically stored or transmitted, it is called ePHI.

Medical records are an obvious example of PHI. However, even less sensitive items like email or text appointment reminders can infer medical information about a patient and also need to be properly secured. Think about it: something like an appointment reminder may mention the doctor’s name and the place of treatment in combination with an individual’s name and email address. Depending on the message content, it may be ePHI.

For more details, see: What exactly is ePHI? Who has to worry about it? Where can it be safely located?

It is crucial that organizations understand exactly what PHI they are responsible for protecting. Even seemingly innocuous text messages or email communications can land an organization in trouble if not properly secured.

Understanding the HIPAA Compliance Checklist

HIPAA uses the terms ‘required’ and ‘addressable’ to describe standards within the law. Required (R) means that the standard is mandatory. Addressable (A) means that the standard must be implemented by the organization unless a risk analysis concludes that implementation is not reasonable and appropriate. Important Note: Addressable does not mean optional.

The HIPAA Security Standard reflects a technology-neutral approach. This means that there are no specific technological systems to implement. Organizations must decide and document how they plan to meet each standard.

Which standards should be addressed?

One general rule is that any time there is risk, it should be addressed. If an organization decides to send unencrypted ePHI over the email, then there is a major risk of disclosure. An organization could be considered willfully negligent if an unauthorized user gained access to unencrypted ePHI. If the organization chooses not to encrypt the data, they should fully document and outline their reasoning for why they are choosing not to implement the standard.

Ignoring HIPAA requirements, addressable or required, is “willful negligence.” If there is a breach or violation, the penalties in cases of willful negligence are severe. Ignorance is no excuse.

HIPAA Compliance Checklist

HIPAA standards fall into four categories. Standards denoted with a (R) are required, while those with an (A) are addressable.

Administrative Requirements

Administrative requirements pertain to employee training. Organizations must implement security measures to reduce systemic risks and safeguard electronic and physical information.

  1. Risk Analysis: (R) Perform a risk analysis to understand where PHI is stored to determine what data is at risk.
  2. Risk Management: (R) Implement measures to reduce identified risks to an appropriate level.
  3. Sanction Policy: (R) Implement sanction policies for employees who fail to comply.
  4. Information Systems Activity Reviews: (R) Regularly review system activity, logs, audit trails, etc.
  5. Officers: (R) Designate HIPAA Security and Privacy Officers.
  6. Employee Oversight: (A) Create procedures to authorize and supervise employees who work with PHI, and for granting and removing PHI access to employees. Ensure that an employee’s access to PHI ends with termination of employment.
  7. Multiple Organizations: (R) Protect PHI from unauthorized parent or partner organizations or by unauthorized subcontractors.
  8. ePHI Access: (A) Implement procedures for granting access to ePHI. Document access to ePHI or to services and systems which grant ePHI access.
  9. Security Reminders: (A) Periodically send updates and reminders of security and privacy policies to employees.
  10. Protection Against Malware: (A) Implement procedures to guard against and detect malicious software.
  11. Login Monitoring: (A) Monitor logins to systems and report discrepancies.
  12. Password Management: (A) Ensure there are procedures for creating, changing, and protecting passwords.
  13. Response and Reporting: (R) Identify, document, and respond to security incidents.
  14. Contingency Plans: (R) Ensure that there are accessible backups of ePHI and procedures to restore lost data.
  15. Contingency Plans Updates and Analysis: (A) Periodically test and revise contingency plans.
  16. Emergency Mode: (R) Establish procedures to enable continuation of critical business operations. These procedures include securing electronic protected health information while operating in emergency mode.
  17. Evaluations: (R) Perform periodic evaluations to see if any changes in business operations or the law require changes to HIPAA compliance procedures.

HIPAA Organizational Requirements

Organizational Requirements include the development, documentation, and implementation of security policies and procedures and the management business associate agreements.

  1. Business Associate Agreements: (R) Create and manage contracts with business partners who will have access the organization’s PHI to ensure that they will adequately safeguard data.
  1. Policies, Procedures and Documentation Requirements: (R) A covered entity must implement reasonable and appropriate policies and procedures to comply with the standards and implementation specifications.

HIPAA Physical Requirements

Physical Safeguards concern physical access to buildings, workstations, computer servers, and networks. Only allow authorized access to ePHI and monitor access through established policies to prevent violations.

  1. Contingency Operations: (A) Establish procedures that allow facility access in emergency situations to support the restoration of lost data.
  2. Facility Security: (A) Implement policies and procedures to safeguard the facility and equipment from unauthorized physical access, tampering, and theft.
  3. Access Control and Validation: (A) Institute procedures to control and validate an individual’s access to facilities based on their role or function. Log visitors and control access to software programs.
  4. Maintenance Records: (A) Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security.
  5. Workstations: (R) Establish policies to govern software usage. Set up procedures for proper configuration on systems that provide access to ePHI. Safeguard all workstations the provide access to ePHI and restrict access to only authorized users.
  6. Devices and Media Disposal and Re-use: (R) Create procedures to securely dispose of media that contains ePHI. Put policies in place for the reuse of devices and media that formerly stored ePHI.
  7. Media Movement: (A) Record movements of hardware and media associated with ePHI storage. Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.

HIPAA Technical Requirements

Technical Safeguards ensure the security of data at rest and in transmission. Controlling access to ePHI provides a reviewable log of users in case of a security incident.

  1. Unique User Identification: (R) Assign a unique name or number for identifying and tracking user identities.
  2. Emergency Access: (R) Establish procedures for obtaining necessary electronic protected health information during an emergency.
  3. Automatic Logoff: (A) Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
  4. Encryption and Decryption: (A) Institute a mechanism to encrypt and decrypt electronic protected health information when deemed appropriate.
  5. Audit Controls: (R) Establish hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
  6. ePHI Integrity: (A) Create policies and procedures to secure electronic protected health information from improper alteration or destruction.
  7. Authentication: (R) Implement procedures to verify the identities of people or entities seeking access to electronic protected health information.
  8. Transmission Security: (A) Institute technical security measures to guard against unauthorized access to electronically transmitted protected health information.

What else should you know about HIPAA compliance?

Compliance is an ongoing process, not a one-time event. This HIPAA compliance checklist represents only an overview of the major points. Each organization will need to complete their own risk assessment to understand what data is at risk and the steps they need to take to secure it. It’s easy to see why many organizations choose to work with third parties to secure their technology. If your company needs help with HIPAA compliant email and web services, reach out to LuxSci today.

Tags: addressable, compliant, encryption, ePHI, hipaa, hipaa checklist, hipaa compliance, hitech, omnibus, phi, protected health information, security
Posted in LuxSci Library: HIPAA
No comments »

7 Ways You Could be Unknowingly Violating HIPAA

Wednesday, August 14th, 2024

Non-compliance with HIPAA can easily lead to unintended breaches where PHI data is exposed to unauthorized parties. This can be very expensive! Violating HIPAA can cost anywhere from $100 to $70,000 per violation (or per data record).

You don’t want to be caught in a situation where inaction, neglect, or lack of knowledge can result in violating HIPAA. Many small and large organizations are often unknowingly using systems in a way that is either already in breach or which results in frequent sporadic breaches.’

If any of the following scenarios apply to you, it is worth bringing them up to the person responsible for your IT or compliance (your HIPAA Security Officer) to include them in your mandatory yearly Risk Analysis.

Is the risk of breach worth continuing with “business as usual?”

1. “Automatic” Email Encryption

Hopefully, by now most people know that Electronic Protected Health Information (ePHI) and email don’t mix unless you have a HIPAA compliant email provider who has signed a Business Associate Agreement with your organization. However, in our experience, most HIPAA compliant email security is not automated or automatic. With manual email encryption, messages are sent insecurely unless the sender explicitly designates that it needs encryption (e.g. checking a box or entering a word such as “secure” in the message subject).

These manual or opt-in systems are popular because (a) messages are HIPAA compliant when encryption is chosen, and (b) when not sending ePHI, it is “email as usual.” People are not required to change or think about it … they just use email as they always have.

However, this is the fatal flaw with 0pt-in or manual systems, especially for HIPAA marketing. If the sender simply “forgets” (or doesn’t think, or maybe can’t be bothered) to enable encryption, then the ePHI-laden message is sent insecurely and violates HIPAA. This happens all the time with opt-in systems.

When it is up to a person to determine for every message whether encryption is needed, it is guaranteed that sometimes the wrong choice will be made or the person will forget to choose, and ePHI will go out insecurely in breach of HIPAA. It’s human nature. Even data loss prevention systems, which automatically encrypt when a message has specific words, phrases, or patterns, are imperfect and cannot be relied on to catch all messages with ePHI.

The risk of using manual encryption is simply too great. It is much better to either encrypt everything that is sent from an email address that sends or receives ePHI (e.g. have one email addresses for sensitive material and another separate one for regular correspondence) or to employ an opt-out mechanism. With opt-out, all messages go securely unless the sender explicitly indicates that the message does not contain ePHI.

When it is up to the sender to explicitly choose if a message is allowed to be insecure, it is very much harder to send ePHI insecurely “by accident.” The senders are automatically accountable for the security, or lack thereof, of messages sent. Opt-out email encryption stops employees from violating HIPAA and creates accountability on the part of the sender.

2. Violating HIPAA When Sending Text Messages

Medical professionals (e.g. doctors, nurses, psychologists, therapists, dentists, etc.) frequently text each other and even text patients (e.g. for scheduling appointments). Texting is easy and patients like to communicate via text. However, many of these text messages (even scheduling ones) contain ePHI. Sending them using your regular phone texting system is violating HIPAA.

It would seem that many people do not yet realize that texting falls under the same HIPAA security rules as does email, and that sending regular texts can be a violation. Continuing to send ePHI over text constitutes willful neglect of HIPAA and can result in the largest of fines.

Instead, if you want to use a text-like real-time communication system, you need to use a HIPAA-compliant secure text application for your mobile devices. This must provide, among other things, strong encryption, audit trails, archival, and a Business Associate Agreement.

3. Email and Text Appointment Notifications

If your office sends email or text messages that indicate a patient has a doctor’s appointment, this almost always includes ePHI. Appointment confirmations are ePHI because they indicate that a particular person (i.e. this is “identifiable” via the patient’s email address, name, or phone number) has an appointment with a specific health care provider (i.e. gives information about the “future provisioning of health care”).

This information must be sent securely … and too many times it is not.

If your organization sends electronic appointment reminders, it’s critical to deliver these notifications securely to your patients, otherwise you are violating HIPAA. For example, delivery can be via a tie-in to a HIPAA-compliant email or text messaging system.

4. Insecure Web Forms

Every day we find medical web sites that have web forms for “getting more information” for general intake and for other purposes.  These forms are often not encrypted and the form submissions themselves are not processed in a compliant manner. They are often insecurely emailed to an administrative assistant for processing.

If your web site is requesting and collecting ePHI via forms, then your web site is required to handle that information with care commensurate with HIPAA standards.

Check your web site and see what forms you have there, what they collect, and how the information is handled. You may need to update your site to secure your forms with TLS and to incorporate a secure form processing solution to properly deliver that sensitive data to you and also store it securely. Without this, every form submission may be in breach.

5. Sharing a Login

Sharing logins and email addresses is easy and cheap. Everyone just knows the shared login and password and logs into the same system. HIPAA, however, requires unique logins for everyone in an organization. HIPAA also requires auditing to indicate when people do what (e.g. who logged in when?). When you are sharing a login, you lose accountability and that can be a direct violation of your HIPAA requirements.

Are you sharing logins? Add that to your HIPAA Risk Assessment to see if its worth it. In many cases, there are ways to achieve the same results and still have unique logins for everyone.

6. No Risk Assessments or Training?

This is the situation in many smaller organizations:

  1. Employees are not trained on HIPAA, on how to do their jobs in a compliant way, and on how to deal with and report breaches.
  2. Yearly Risk Assessments are not performed, resulting in no action being taken to mitigate the risk of breach.

These requirements apply even if you are the only person in your business (e.g. a sole practitioner). In this case, you are the the “HIPAA Compliance Officer,” and you must be sure that you are trained on HIPAA. Uou must perform your Risk Analysis, and you must be sure that all ePHI under your purview is safe.

If you are neglecting these basics and something goes wrong, your HIPAA fines will be much larger due to apparent “willful neglect.” If you are in this situation, start with a detailed Risk Assessment to see where you stand. Then start mitigating your risks, training your employees, putting policies into place, and working continuously to minimize the possibility of data leakage. HIPAA compliance is an ongoing process as the security landscape and your business’ processes and vendors change over time.

7. I Took Care of HIPAA Last Year

Smaller companies, especially, tend to make a push to become “HIPAA compliant” and then forget it, assuming that they are all set. They have limited resources and would rather devote as little time and thought to HIPAA as possible; that is completely understandable from a business point of view. However, HIPAA mandates yearly reviews of your policies and risk. You need to update yours and your employees training, as well as your organization’s policies yearly. There are even some things that you may need to be doing on a quarterly basis. Keep a calendar and make sure that you are devoting the appropriate time and resources to both continued compliance and continued risk management.

How to Get Started

While this may seem very intimidating, especially if you have limited resources, getting started and addressing your HIPAA requirements and the concerns presented here will pay off in the long run. Simply knowing where you are at risk, in many cases, goes a long way towards enabling you to mitigate that risk through changes in behavior, vendor, or policy. The fact that you are working on it, know where you stand, and are taking steps to improve (however fast or slowly based on the resources at hand and the degree of risk) can also goes a long way toward turning breaches due to “willful negligence”  … to much less expensive fines if something goes wrong.

Finally, there are many companies whose focus is on helping you meet your HIPAA compliance requirements. From performing a Risk Analysis, to writing internal policy documents, to outsourcing your email, web, and text messaging services. Getting help from third party expert companies reduces your liability, reduces your workload, reduces the burden of knowledge and expertise on you, and ensures that your needs are taken care of by specialists.

LuxSci specializes in HIPAA compliant email, text, marketing and forms. Contact us to learn more.

Tags: asymmetric key encryption, encryption, ePHI, hipaa, hipaa compliance, web forms
Posted in LuxSci Library: HIPAA
No comments »

17 Questions To Ask Before Sending A HIPAA-Compliant Marketing Email

Saturday, April 20th, 2024

You’ve just been told that your email marketing program is putting your company at risk of violating HIPAA. What now? If you want to continuing using email to communicate with patients, you must implement HIPAA-compliant email marketing.

Start by breaking down that goal into two components: becoming HIPAA compliant and achieving your HIPAA marketing objectives. Setting up HIPAA compliant systems and procedures will ensure your patient data is protected. However, you don’t have to let your marketing objectives suffer for the sake of security. Implementing a HIPAA-compliant marketing program can actually help you achieve better marketing results.

Ask yourself these 17 questions to ensure your email marketing plan aligns with your business goals and HIPAA.

Read the rest of this post »

Tags: compliance, email marketing, hipaa, hipaa compliance, secure email
Posted in HIPAA Marketing, HIPAA Compliant Email Marketing, Patient Engagement
No comments »

HIPAA Compliant Forms

Saturday, February 3rd, 2024

When it comes to digital data collection, there is often a lot of uncertainty surrounding HIPAA compliant forms.

Do Healthcare Websites Need HIPAA Compliant Forms?

We often have customers ask if their website forms need to be HIPAA compliant.

The short answer is that securing patient data is always recommended. You never know what types of information individuals will volunteer in an online submission. It is always a good idea to prepare for the possibility of sensitive information being entered into an online form to build trust with your users.

person entering info into login form

Criteria for HIPAA Compliant Forms

HIPAA requires that all Protected Health Information (PHI) be secured to protect the privacy of the individuals identified in the PHI. If your form falls into both of the following categories, it must conform to HIPAA standards:

  1. You are a Covered Entity or Business Associate and,
  2. The form collects PHI.

Let’s look at the two criteria to determine if your forms need to be HIPAA-compliant.

1. Does HIPAA Apply to Your Organization?

HIPAA applies to your web form if your organization is a Covered Entity. It also applies if you are a Business Associate of a Covered Entity and collect data on their behalf.

HIPAA defines a Covered Entity as an organization that falls into one of the following categories:

  1. Care: You provide services or supplies related to an individual’s physical or mental health care. This includes (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure concerning the physical or mental condition or functional status of an individual that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other items by a prescription.
  2. Provider: A provider of medical or health services or any other person or organization who furnishes, bills, or is paid for health care.
  3. Clearinghouse: A public or private entity, including a billing service, repricing company, community health management information system, or community health information system, and “value-added” networks and switches that either process or facilitate the processing of health information.
  4. Plan: With certain exceptions, an individual or group plan that provides or pays the cost of medical care. The law specifically includes many organizations and government programs as health plans.

Covered Entities contract with Business Associates to process PHI on their behalf. In this scenario, a good example of a Business Associate is a website developer or marketing agency hired to create a website or application for a Covered Entity. They are responsible for protecting PHI on the website and must comply with HIPAA regulations.

2. Does the online form collect PHI?

So, HIPAA applies to your organization. Next, we must determine if a particular web form needs to be compliant. The second criterion is, does the form collect Protected Health Information?

What is ePHI?

ePHI is individually identifiable, protected health information sent or stored electronically. “Protected health information” can include information about an individual’s:

  1. Past, present, or future physical or mental health
  2. Past, present, or future provisioning of healthcare
  3. Past, present, or future payment-related information for the provisioning of healthcare

“Individually identifiable” information includes all information used to determine which specific individual is involved. There are 18 identifiers for an individual (listed below), and together with health information, they constitute PHI.

  • Name
  • Address (all geographic subdivisions smaller than the state, including street address, city, county, and zip code)
  • All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
  • Telephone numbers
  • Fax number
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Any vehicle or other device serial number
  • Device identifiers or serial numbers
  • Web URL
  • Internet Protocol (IP) address numbers
  • Finger or voiceprints
  • Photographic images
  • Any other characteristic that could uniquely identify the individual

As you can see, a lot of data qualifies as “health information,” and just about every type of web form will collect individual identifiers. Even if your form doesn’t request health information, sometimes people will volunteer it to get faster responses. Covered entities are responsible for securing this data in compliance with HIPAA regulations. In many cases, it’s easier to make all online forms HIPAA-compliant rather than trying to lock them down to prevent the insecure transmission of health data.

Examples of HIPAA Compliant Forms

Some online forms are explicitly designed to collect protected health information. Here are some examples of web forms that generally must be secured to meet HIPAA compliance standards:

  1. Appointment and Referral Requests: These will collect identifiable information about the person requesting the appointment. The request for the appointment should be considered information about “future provisioning of health care to an individual.” Furthermore, requesting an appointment may imply information about “an individual’s past, present, or future physical or mental health or condition.”
  2. Patient Intake Forms: These forms usually enable prospective patients to provide information about themselves for one purpose or another. These forms collect identifiable information about “an individual’s past, present, or future physical or mental health or condition.”

Some examples that might not be considered in the collection of PHI (depending on the exact context of the site) because, while they are individually identifiable, they may not include or imply health information for that individual:

  1. Contact Requests: The website visitor is merely asking for a call or email with no specified reason.
  2. Purchases of products that do not require a prescription: Purchasing a product does not imply who is to use it unless that product is restricted (e.g., via a prescription). Of course, this may also depend on whether you collect health information as part of the purchase for future marketing purposes.

Anything that identifies the person and relates to that person’s health or healthcare should be considered PHI and protected. It’s also important to note that as technology has advanced and online tracking has become ubiquitous, it’s possible to infer more about an individual and their health conditions indirectly. It is essential to proceed cautiously and recognize that even the smallest information you collect about a website user is part of a more extensive online profile.

Other industries can get away with not being secure. But why would you? People are afraid and paranoid about identity theft and information leakage on all sites, not just ones related to medical information. Anything a website can do to make visitors more comfortable and secure will improve trust and conversions.

What About Consent for Insecure Transmission?

As a follow-up question, we are often asked if there can be a checkbox on the form that patients can click to consent to use an insecure, non-compliant form. Presumably, if they do not click, they cannot submit the form.

This practice is highly advised against and is almost certainly not HIPAA-compliant. You should consult with a lawyer to ensure it is okay if you have a compelling reason to use this method.

To understand why this is a bad idea, consider “Mutual Consent.”

Under HIPAA, Mutual Consent to transmit ePHI insecurely seems to be allowed if:

  1. You and the patient agree that insecure transmission is okay,
  2. The patient has been appropriately advised of the security risks involved,
  3. The patient agrees in writing that insecure transmission is okay, and
  4. The option for HIPAA-compliant transmission is available by implication.

However, this overcomplicates the process. It is much simpler to have secure web forms by default. You will not need to provide waivers, keep track of who has opted in/out, and maintain two different submission options.

The only case where this could be considered possibly under the HIPAA radar (again, please consult your lawyer) is if:

  1. Your insecure form has a clear section advising the users of the risks of submitting their data via this form.
  2. That warning is understandable to most laypeople without further explanation.
  3. They must check a box (or sign their name) to consent to the insecure form transmission.
  4. You may need to show that they understood and agreed to the risks and didn’t just click without reading.
  5. When you collect the form data, you save and archive all of these consent agreements in case of a breach, and you need to prove that insecure sending was allowed and the user was well informed of the risks.
  6. You have another option available to the user if they do not accept the risks, e.g., Submitting the form securely, calling you via a phone number, printing and mailing in a physical form, etc.

You burden the end-user significantly by adding warnings and consent to online forms. No one wants to read through disclaimers and checkboxes before completing a submission on a general website form. As always with the web, keep it as simple as possible for maximum results. In this case, that means no consent, no warnings, just simple, secure submission.

Conclusion: Set Up HIPAA-Compliant Online Forms Today

LuxSci’s Secure Form solution is designed to meet HIPAA compliance requirements for online data transmission and storage. Contact our sales team today to learn more about our options for secure online engagement.

Tags: ePHI, form, hipaa, hipaa compliant forms, hipaa compliant online forms, hipaa compliant websites, hipaa websites, phi, protected health information, secure, web form
Posted in HIPAA Compliant Forms, LuxSci Library: HIPAA
No comments »

« Older Entries
Newer Entries »