" hipaa Archives - Page 2 of 22 - LuxSci

Posts Tagged ‘hipaa’

When Do Online Forms Need to Be HIPAA-Compliant?

Tuesday, August 22nd, 2023

When it comes to digital data collection, there is often a lot of uncertainty surrounding the HIPAA compliance requirements for online forms. We often have customers ask if their website forms need to be HIPAA-compliant.

The short answer is that securing patient data is always recommended. You never know what types of information individuals will volunteer in an online submission. It is always a good idea to prepare for the possibility of sensitive information being entered into an online form to build trust with your users.

person entering info into login form

Criteria for HIPAA-Compliant Online Forms

Note: the following is suggested advice from LuxSci based on our understanding of HIPAA; however, this should not be taken as legal advice. We advise you to consult your lawyer for accurate legal advice on your particular situation.

HIPAA requires that all Protected Health Information (PHI) be secured to protect the privacy of the individuals identified in the PHI. If your form falls into both of the following categories, it must conform to HIPAA standards:

  1. You are a Covered Entity or Business Associate and,
  2. The form collects PHI.

Let’s look at the two criteria to determine if your forms need to be HIPAA-compliant.

1. Does HIPAA Apply to Your Organization?

HIPAA applies to your web form if your organization is a Covered Entity. It also applies if you are a Business Associate of a Covered Entity and collect data on their behalf.

HIPAA defines a Covered Entity as an organization that falls into one of the following categories:

  1. Care: You provide services or supplies related to an individual’s physical or mental health care. This includes (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure concerning the physical or mental condition or functional status of an individual that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other items by a prescription.
  2. Provider: A provider of medical or health services or any other person or organization who furnishes, bills, or is paid for health care.
  3. Clearinghouse: A public or private entity, including a billing service, repricing company, community health management information system, or community health information system, and “value-added” networks and switches that either process or facilitate the processing of health information.
  4. Plan: With certain exceptions, an individual or group plan that provides or pays the cost of medical care. The law specifically includes many organizations and government programs as health plans.

Covered Entities contract with Business Associates to process PHI on their behalf. In this scenario, a good example of a Business Associate is a website developer or marketing agency hired to create a website or application for a Covered Entity. They are responsible for protecting PHI on the website and must comply with HIPAA regulations.

2. Does the online form collect PHI?

So, HIPAA applies to your organization. Next, we must determine if a particular web form needs to be compliant. The second criterion is, does the form collect Protected Health Information?

What is ePHI?

ePHI is individually identifiable, protected health information sent or stored electronically. “Protected health information” can include information about an individual’s:

  1. Past, present, or future physical or mental health
  2. Past, present, or future provisioning of healthcare
  3. Past, present, or future payment-related information for the provisioning of healthcare

“Individually identifiable” information includes all information used to determine which specific individual is involved. There are 18 identifiers for an individual (listed below), and together with health information, they constitute PHI.

  • Name
  • Address (all geographic subdivisions smaller than the state, including street address, city, county, and zip code)
  • All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
  • Telephone numbers
  • Fax number
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Any vehicle or other device serial number
  • Device identifiers or serial numbers
  • Web URL
  • Internet Protocol (IP) address numbers
  • Finger or voiceprints
  • Photographic images
  • Any other characteristic that could uniquely identify the individual

As you can see, a lot of data qualifies as “health information,” and just about every type of web form will collect individual identifiers. Even if your form doesn’t request health information, sometimes people will volunteer it to get faster responses. Covered entities are responsible for securing this data in compliance with HIPAA regulations. In many cases, it’s easier to make all online forms HIPAA-compliant rather than trying to lock them down to prevent the insecure transmission of health data.

Examples of HIPAA-Compliant Online Forms

Some online forms are explicitly designed to collect protected health information. Here are some examples of web forms that generally must be secured to meet HIPAA compliance standards:

  1. Appointment and Referral Requests: These will collect identifiable information about the person requesting the appointment. The request for the appointment should be considered information about “future provisioning of health care to an individual.” Furthermore, requesting an appointment may imply information about “an individual’s past, present, or future physical or mental health or condition.”
  2. Patient Intake Forms: These forms usually enable prospective patients to provide information about themselves for one purpose or another. These forms collect identifiable information about “an individual’s past, present, or future physical or mental health or condition.”

Some examples that might not be considered in the collection of PHI (depending on the exact context of the site) because, while they are individually identifiable, they may not include or imply health information for that individual:

  1. Contact Requests: The website visitor is merely asking for a call or email with no specified reason.
  2. Purchases of products that do not require a prescription: Purchasing a product does not imply who is to use it unless that product is restricted (e.g., via a prescription). Of course, this may also depend on whether you collect health information as part of the purchase for future marketing purposes.

Anything that identifies the person and relates to that person’s health or healthcare should be considered PHI and protected. It’s also important to note that as technology has advanced and online tracking has become ubiquitous, it’s possible to infer more about an individual and their health conditions indirectly. It is essential to proceed cautiously and recognize that even the smallest information you collect about a website user is part of a more extensive online profile.

Other industries can get away with not being secure. But why would you? People are afraid and paranoid about identity theft and information leakage on all sites, not just ones related to medical information. Anything a website can do to make visitors more comfortable and secure will improve trust and conversions.

What About Consent for Insecure Transmission?

As a follow-up question, we are often asked if there can be a checkbox on the form that patients can click to consent to use an insecure, non-compliant form. Presumably, if they do not click, they cannot submit the form.

This practice is highly advised against and is almost certainly not HIPAA-compliant. You should consult with a lawyer to ensure it is okay if you have a compelling reason to use this method.

To understand why this is a bad idea, consider “Mutual Consent.”

Under HIPAA, Mutual Consent to transmit ePHI insecurely seems to be allowed if:

  1. You and the patient agree that insecure transmission is okay,
  2. The patient has been appropriately advised of the security risks involved,
  3. The patient agrees in writing that insecure transmission is okay, and
  4. The option for HIPAA-compliant transmission is available by implication.

However, this overcomplicates the process. It is much simpler to have secure web forms by default. You will not need to provide waivers, keep track of who has opted in/out, and maintain two different submission options.

The only case where this could be considered possibly under the HIPAA radar (again, please consult your lawyer) is if:

  1. Your insecure form has a clear section advising the users of the risks of submitting their data via this form.
  2. That warning is understandable to most laypeople without further explanation.
  3. They must check a box (or sign their name) to consent to the insecure form transmission.
  4. You may need to show that they understood and agreed to the risks and didn’t just click without reading.
  5. When you collect the form data, you save and archive all of these consent agreements in case of a breach, and you need to prove that insecure sending was allowed and the user was well informed of the risks.
  6. You have another option available to the user if they do not accept the risks, e.g., Submitting the form securely, calling you via a phone number, printing and mailing in a physical form, etc.

You burden the end-user significantly by adding warnings and consent to online forms. No one wants to read through disclaimers and checkboxes before completing a submission on a general website form. As always with the web, keep it as simple as possible for maximum results. In this case, that means no consent, no warnings, just simple, secure submission.

Conclusion: Set Up HIPAA-Compliant Online Forms Today

LuxSci’s Secure Form solution is designed to meet HIPAA compliance requirements for online data transmission and storage. Contact our sales team today to learn more about our options for secure online engagement.

HIPAA-Compliant Secure Email: Understanding Encryption

Tuesday, August 15th, 2023

Email encryption is an important topic to understand when evaluating HIPAA-compliant, secure email vendors. Encryption is an addressable standard for HIPAA compliance, but if you send sensitive information via email, encryption is the easiest way to meet the standard.

The two most common email encryption methods include SMTP TLS and Secure Portal Pick Up. This article will discuss their differences and guide users on selecting the right option for HIPAA-compliant secure email.

secure email sending

Read the rest of this post »

7 Essential Steps to Creating a HIPAA Website

Tuesday, August 8th, 2023

The recent focus on tracking pixels and analytics codes by enforcement agencies has many healthcare organizations reassessing their website security and compliance. As technology has evolved over the past thirty years, HIPAA rules have adapted to secure sensitive data. In this article, we review the requirements for HIPAA websites and what you need to do to ensure your website is compliant and secure.

healthcare website on laptop screen

Read the rest of this post »

HIPAA Email Rules: 8 Requirements for Secure Email

Tuesday, August 1st, 2023

The Health Insurance Portability and Accountability Act (HIPAA) is a complicated law that sets the standards for collecting, transmitting, and storing protected health information (PHI). When information is stored or exchanged electronically, the HIPAA Security and Privacy Rules require covered entities to safeguard its integrity and confidentiality. One of the most common ways that PHI is shared electronically is via email. Understanding how HIPAA rules apply to email is essential to meet HIPAA requirements and protect sensitive data.

hands on keyboard checking off tasks

The HIPAA Email Security Rule

It’s important to note that HIPAA does not require the use of any specific technology or vendor to meet its requirements. Generally speaking, the Security Rule requirements for email fall into four categories:

  1. Organizational requirements state the specific functions a covered entity must perform, including implementing policies and procedures and obligations concerning business associate contracts.
  2. Administrative requirements relate to employee training, professional development, and management of PHI.
  3. Physical safeguards encompass the security of computer systems, servers, and networks, access to the facility and workstations, data backup and storage, and the destruction of obsolete data.
  4. Technical safeguards ensure the security of email data transmitted over an open electronic network and the storage of that data.

Below, we discuss some of the main requirements that apply to email and the steps you need to take to secure email accounts that transmit and store PHI.

HIPAA Email Rules-Compliant Email Checklist

While email encryption gets most of the spotlight during discussions on email security, HIPAA regulations for email cover a range of behaviors, controls, and services that work together to address eight key areas.

1. Access: Access controls help safeguard access to your email accounts and messages. Implementing access controls is essential to keep out unauthorized users and secure your data. Some key steps to take include:

  • Using strong passwords that cannot be easily guessed or memorized.
  • Creating different passwords for different sites and applications.
  • Using two-factor authentication.
  • Securing connections to your email service provider using TLS and a VPN.
  • Blocking unencrypted connections.
  • Being prepared with software that remotely wipes sensitive email off your mobile device when it is stolen or misplaced.
  • Logging off from your system when it is not in use and when employees are away from workstations.
  • Emphasizing opt-out email encryption to minimize breaches resulting from human error.

2. Encryption: Email is inherently insecure and at risk of being read, stolen, eavesdropped on, modified, and forged (repudiated). Covered entities should go beyond the technical safeguards of the HIPAA Security Rule and take steps beyond what is required to futureproof their communications. Some email encryption features to adopt include the following:

  • The ability to send secure messages to anyone with any email address.
  • The ability to receive secure messages from anyone.
  • Implementing measures to prevent the insecure transmission of sensitive data via email.
  • Exploring message retraction features to retrieve email messages sent to the wrong address.
  • Avoiding opt-in encryption to satisfy HIPAA Omnibus Rule.

3. Backups and Archival: HIPAA email rules require copies of messages containing PHI to be retained for at least six years. To address these requirements, organizations must consider the following:

  • How are email folders backed up?
  • Are there at least two different backups at two different geographical locations? The processes updating these backups should be independent of each other as a measure against backup system failures.
  • Have you maintained separate, permanent, and searchable archives? While the emails should be tamper-proof, with no way to delete or edit them, they should be easily retrievable to facilitate discovery, comply with audit requests, and support business-critical scenarios.

4. Defense: Cyber threats against healthcare organizations are continually increasing. Some may be surprised to learn that HIPAA secure email requirements mandate that organizations take steps to defend against possible attackers. To defend against malicious messages, consider implementing the following technologies:

  • Server-side inbound email malware and anti-virus scanning to detect phishing and malicious links
  • Showing the sender’s email address by default on received messages
  • Email filtering software to detect fraudulent messages and ensure it uses SPF, DKIM, and DMARC information to classify messages
  • Scanning outbound email
  • Scanning workstations for malware and virus
  • Using plain text previews of your messages

5. Authorization: A crucial aspect of HIPAA secure email requirements is ensuring that bad actors cannot impersonate your company or employees. Configuring your domains with SPF and DKIM is essential to verify your identity as an authorized sender of mail from your domains. Also, ensure that users cannot send messages through your email servers without authentication and encryption.

6. Reporting: Setting accountability standards for email security is essential to establishing and improving your HIPAA compliance posture. Some important steps to take include:

  • Creating login audit trails.
  • Receiving login failure and success alerts.
  • Auto-blocking known attackers.
  • Maintaining a log of all sent messages.

7. Reviews and Policies: Humans are the greatest vulnerability to any security and compliance plan. Create policies and procedures that focus on plugging vulnerabilities and preventing human errors. Some ways to reduce risk include:

  • Inviting independent third parties to review your email policies and user settings. Fresh, unbiased eyes can weed out issues quickly.
  • Disallowing the use of public Wi-Fi for devices that connect to your sensitive email.
  • Creating email policies prohibiting users from clicking on links or opening attachments that are not expected or requested.

8. Vendor Management: Most people do not manage their email in-house. Properly vetting and researching whoever will be responsible for your email services is essential. Perform a yearly review of your email security and stay on top of emerging cybersecurity threats to take proactive action when necessary for sustained HIPAA compliance.

LuxSci’s secure email solutions were designed to help organizations tackle complicated HIPAA email rules. Contact us today to learn more how we can help you secure sensitive data.

Is Medical Billing Information Protected Under HIPAA?

Tuesday, August 9th, 2022

Electronic medical billing requires access to protected health information to accurately bill and receive payment for medical treatments. While not covered entities, medical billing companies are often contracted as business associates and fall under HIPAA regulations.

Title II of HIPAA applies directly to medical billing companies. It dictates the proper uses and disclosures of protected health information (PHI) and simplifies claims and billing processing.

electronic medical billing

What is Protected Health Information (PHI)?

Protected health information is “individually identifiable” health information. It specifically refers to three classes of data:

  1. An individual’s past, present, or future physical or mental health or condition.
  2. The past, present, or future provisioning of health care to an individual.
  3. The past, present, or future payment-related information for the provisioning of health care to an individual.

As listed in item three, payment-related information tied to healthcare provisioning is protected data under HIPAA. This can include information about insurance carriers and payments, billing statements, receipts, credit card numbers, bank accounts, and other financial information.

To be classified as PHI, payment-related information must be tied to an individual identifier. For example, a medical bill with a patient’s address can be tied back to a specific individual. These identifiers can sometimes be quite indirect. There are 18 types of identifiers for an individual (listed below). Any of one of these, combined with information on healthcare payments, would constitute PHI:

  • Name
  • Address (all geographic subdivisions smaller than a state, including street address, city, county, zip code)
  • All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
  • Telephone number
  • Fax number
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Any vehicle or other device serial number
  • Device identifiers or serial numbers
  • Web URL
  • Internet Protocol (IP) address numbers
  • Finger or voiceprints
  • Photographic images
  • Any other characteristic that could uniquely identify the individual

The Risks to Medical Billing Companies

It should be evident that medical billing companies work with a lot of PHI. As such, they must take steps to protect that information under HIPAA regulations.

Third-Party Risk

Many healthcare systems contract medical billing companies to process claims and bill patients and insurance companies. These companies can present significant risks to protected health information if not adequately vetted. All third-party companies that handle PHI on behalf of a covered entity must sign a business associate agreement. This document discusses how sensitive medical billing information will be stored, secured, and transmitted. It is also essential to ensure that the billing companies understand their obligations under the privacy and security rules and have implemented the proper physical, technical, administrative, and organizational standards. This can be verified via security audits and assessments.

Third parties like medical billing companies are often targets for cyberattacks. From 2020 to 2021, cyberattacks on business associates increased by 18%. The rich trove of financial and health data they have is often more comprehensive and less secure than a hospital’s electronic health records system. Unlike covered entities who frequently work under HIPAA regulations, third parties may not wholly understand it. As a result, they may fail to take the technical steps needed to secure sensitive data.

How to protect electronic medical billing information

Like many healthcare organizations, financial institutions are also undergoing digital transformation and are moving to digitize healthcare payment processes. Digitization is an effective way to reduce payment times and improve patient satisfaction. However, it also introduces risk. Digital systems that contain healthcare billing information must implement the proper safeguards, including:

  • Organizational requirements that describe how policies and procedures will be implemented and obligations concerning business associate contracts.
  • Administrative requirements related to how employees access PHI.
  • Physical safeguards that encompass the security of computer systems, servers, and networks, access to the facility and workstations, data backups and storage, and the destruction of obsolete data.
  • Technical safeguards that ensure the security of data transmitted over an open electronic network and the storage of that data.

Protecting Electronic Medical Billing Information In Databases

Digital billing information that is stored in electronic databases or online web portals must be secured in the following ways:

  • Using a secure and HIPAA-compliant web and database host.
  • Limiting access to only authorized users.
  • Requiring unique logins and complex passwords with multifactor authentication to access ePHI.
  • Encrypting the contents of the database so they cannot be accessed if there is a breach.
  • Making regular backups of the database and storing them independently of the main system.

Sending Healthcare Billing Notifications Digitally

Many people now prefer to receive electronic medical billing notifications via email. A survey of 3,000 US consumers found that 85% are already using e-billing, and 47.6% find it is faster to pay bills electronically. However, using email, text messaging, or other digital communication forms introduces new risks and requires remediation to protect ePHI in transmission. These safeguards include:

  • Encrypting messages in transit
  • Authenticating user identities and sending domains
  • Requiring unique user logins and complex passwords
  • Protecting against threats with anti-virus software, email filtering, and other malicious scanning tools.
  • Creating audit logs and reviewing them for suspicious activities.

Services like LuxSci’s Secure High Volume Email can integrate with existing systems to send automated encrypted billing notifications via API or SMTP.