hipaa Archives - Page 3 of 22 - LuxSci

Posts Tagged ‘hipaa’

HIPAA Email Rules: 8 Requirements for Secure Email

Tuesday, August 1st, 2023

The Health Insurance Portability and Accountability Act (HIPAA) is a complicated law that sets the standards for collecting, transmitting, and storing protected health information (PHI). When information is stored or exchanged electronically, the HIPAA Security and Privacy Rules require covered entities to safeguard its integrity and confidentiality. One of the most common ways that PHI is shared electronically is via email. Understanding how HIPAA rules apply to email is essential to meet HIPAA requirements and protect sensitive data.


The HIPAA Email Security Rule

It’s important to note that HIPAA does not require the use of any specific technology or vendor to meet its requirements. Generally speaking, the Security Rule requirements for email fall into four categories:

  1. Organizational requirements state the specific functions a covered entity must perform, including implementing policies and procedures and obligations concerning business associate contracts.
  2. Administrative requirements relate to employee training, professional development, and management of PHI.
  3. Physical safeguards encompass the security of computer systems, servers, and networks, access to the facility and workstations, data backup and storage, and the destruction of obsolete data.
  4. Technical safeguards ensure the security of email data transmitted over an open electronic network and the storage of that data.

Below, we discuss some of the main requirements that apply to email and the steps you need to take to secure email accounts that transmit and store PHI.

HIPAA Email Rules: A Compliant Email Checklist

While email encryption gets most of the spotlight during discussions on email security, HIPAA regulations for email cover a range of behaviors, controls, and services that work together to address eight key areas.

1. Access: Access controls help safeguard access to your email accounts and messages. Implementing access controls is essential to keep out unauthorized users and secure your data. Some key steps to take include:

  • Using strong passwords that cannot be easily guessed or memorized.
  • Creating different passwords for different sites and applications.
  • Using two-factor authentication.
  • Securing connections to your email service provider using TLS and a VPN.
  • Blocking unencrypted connections.
  • Being prepared with software that remotely wipes sensitive email off your mobile device when it is stolen or misplaced.
  • Logging off from your system when it is not in use and when employees are away from workstations.
  • Emphasizing opt-out email encryption to minimize breaches resulting from human error.

2. Encryption: Email is inherently insecure and at risk of being read, stolen, eavesdropped on, modified, and forged (repudiated). Covered entities should go beyond the minimum technical safeguards of the HIPAA Security Rule to futureproof their communications. Some email encryption features to adopt include the following:

  • The ability to send secure messages to anyone with any email address.
  • The ability to receive secure messages from anyone.
  • Implementing measures to prevent the insecure transmission of sensitive data via email.
  • Exploring message retraction features to retrieve email messages sent to the wrong address.
  • Avoiding opt-in encryption to satisfy the HIPAA Omnibus Rule.

3. Backups and Archival: HIPAA email rules require copies of messages containing PHI to be retained for at least six years. To address these requirements, organizations must consider the following:

  • How are email folders backed up?
  • Are there at least two different backups at two different geographical locations? The processes updating these backups should be independent of each other as a measure against backup system failures.
  • Have you maintained separate, permanent, and searchable archives? While the emails should be tamper-proof, with no way to delete or edit them, they should be easily retrievable to facilitate discovery, comply with audit requests, and support business-critical scenarios.

4. Defense: Cyber threats against healthcare organizations are continually increasing. Some may be surprised to learn that HIPAA secure email requirements mandate that organizations take steps to defend against possible attackers. To defend against malicious messages, consider implementing the following technologies:

  • Server-side inbound email malware and anti-virus scanning to detect phishing and malicious links.
  • Showing the sender’s email address by default on received messages.
  • Email filtering software that detects fraudulent messages and uses SPF, DKIM, and DMARC results to classify them.
  • Scanning outbound email.
  • Scanning workstations for malware and viruses.
  • Using plain text previews of your messages.

5. Authorization: A crucial aspect of HIPAA secure email requirements is ensuring that bad actors cannot impersonate your company or employees. Configuring your domains with SPF and DKIM is essential to verify your identity as an authorized sender of mail from your domains. Also, ensure that users cannot send messages through your email servers without authentication and encryption.
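The filtering recommendation above (classify inbound mail using SPF, DKIM, and DMARC) and the authorization recommendation (publish SPF and DKIM for your own domains) are two sides of the same check: the receiver verifies that the authenticated domain aligns with the visible From: domain and, when it does not, applies the policy the sending domain published. The script below is an added example written for this page, not LuxSci's code. It parses the Authentication-Results header a receiving mail server adds, and it uses a constructed in-code table in place of the DMARC records a real receiver would fetch from DNS; the two-label organizational-domain rule is also a simplification of the Public Suffix List lookup DMARC actually uses.

```python
import re

# Constructed stand-in for the DMARC policies a receiver would look up in
# DNS at _dmarc.<domain>; these domains and policies are not real records.
DMARC_POLICIES = {
    "clinic.example": "reject",
    "billing.example": "quarantine",
}


def org_domain(domain: str) -> str:
    """Reduce a domain to its last two labels. Real DMARC uses the Public
    Suffix List for this; the two-label rule is an assumption that holds for
    the constructed sample domains."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def parse_auth_results(header: str) -> dict:
    """Extract spf/dkim results from an Authentication-Results header body.

    Returns {'spf': (result, domain), 'dkim': (result, domain)}; the domain is
    taken from smtp.mailfrom= (SPF) or header.d= (DKIM) when present."""
    results = {}
    for clause in header.split(";")[1:]:          # clause 0 is the authserv-id
        m = re.match(r"(spf|dkim)=(\w+)(.*)", clause.strip())
        if not m:
            continue
        method, result, props = m.groups()
        dom = re.search(r"(?:smtp\.mailfrom|header\.d)=([\w.\-@]+)", props)
        domain = dom.group(1).split("@")[-1].lower() if dom else ""
        results[method] = (result.lower(), domain)
    return results


def from_domain(from_header: str) -> str:
    """Domain of the RFC5322.From address, e.g. 'Clinic <x@clinic.example>'."""
    m = re.search(r"@([\w.\-]+)", from_header)
    return m.group(1).lower() if m else ""


def classify(from_header: str, auth_results: str) -> str:
    """Return 'deliver', 'quarantine' or 'reject' using DMARC-style alignment.

    A message is trusted when SPF or DKIM passed *and* the authenticated
    domain aligns with the visible From: domain. Otherwise the From: domain's
    published policy decides what happens to it."""
    visible = org_domain(from_domain(from_header))
    r = parse_auth_results(auth_results)
    spf_result, spf_domain = r.get("spf", ("none", ""))
    dkim_result, dkim_domain = r.get("dkim", ("none", ""))
    spf_aligned = spf_result == "pass" and org_domain(spf_domain) == visible
    dkim_aligned = dkim_result == "pass" and org_domain(dkim_domain) == visible
    if spf_aligned or dkim_aligned:
        return "deliver"
    policy = DMARC_POLICIES.get(visible, "none")
    return policy if policy in ("reject", "quarantine") else "deliver"


# Constructed sample headers (not captured from real traffic).
LEGIT = ("Clinic <noreply@clinic.example>",
         "mx.receiver.example; spf=pass smtp.mailfrom=clinic.example; "
         "dkim=pass header.d=clinic.example")
SPOOFED = ("Clinic <noreply@clinic.example>",
           "mx.receiver.example; spf=pass smtp.mailfrom=bulk.unrelated.example; "
           "dkim=fail header.d=clinic.example")
UNAUTHENTICATED = ("billing@billing.example",
                   "mx.receiver.example; spf=none; dkim=none")

if __name__ == "__main__":
    for name, (frm, ar) in {"legit": LEGIT, "spoofed": SPOOFED,
                            "unauthenticated": UNAUTHENTICATED}.items():
        print(f"{name:16} -> {classify(frm, ar)}")
```

The second sample shows why alignment matters: SPF passes for the envelope sender's domain, but that domain is not the one shown in From:, so the pass says nothing about who the recipient thinks sent the message. A domain that publishes no DMARC policy falls through to "deliver", which is the practical reason point 5 tells you to publish SPF and DKIM (and, by extension, a DMARC policy) for every domain you send from.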

6. Reporting: Setting accountability standards for email security is essential to establishing and improving your HIPAA compliance posture. Some important steps to take include:

  • Creating login audit trails.
  • Receiving login failure and success alerts.
  • Auto-blocking known attackers.
  • Maintaining a log of all sent messages.
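The first three items of the reporting list (a login audit trail, failure and success alerts, and automatic blocking of known attackers) fit together as one review pass over the audit log. The script below is an added example written for this page, not LuxSci's code; the log format, the five-failures-in-ten-minutes threshold, and the sample lines are all constructed for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions for this example, not figures from the article.
FAIL_THRESHOLD = 5               # failures from one source address ...
WINDOW = timedelta(minutes=10)   # ... within this window trigger a block

# Constructed audit-trail lines in the form '<ISO time> <RESULT> user=<u> ip=<a>'.
SAMPLE_LOG = """\
2023-08-01T09:00:01 FAIL user=jdoe ip=203.0.113.7
2023-08-01T09:00:05 FAIL user=jdoe ip=203.0.113.7
2023-08-01T09:00:09 FAIL user=asmith ip=203.0.113.7
2023-08-01T09:00:14 FAIL user=bkim ip=203.0.113.7
2023-08-01T09:00:20 FAIL user=clee ip=203.0.113.7
2023-08-01T09:00:25 SUCCESS user=jdoe ip=198.51.100.20
2023-08-01T09:01:02 FAIL user=dlopez ip=203.0.113.7
2023-08-01T09:30:00 FAIL user=jdoe ip=198.51.100.20
"""


def parse_line(line: str):
    """Split one audit line into (timestamp, result, user, ip)."""
    ts, result, user, ip = line.split()
    return (datetime.fromisoformat(ts), result,
            user.split("=", 1)[1], ip.split("=", 1)[1])


def review(log_text: str, fail_threshold: int = FAIL_THRESHOLD,
           window: timedelta = WINDOW):
    """Walk the audit trail in order and return (alerts, blocked_ips).

    alerts: one line per success, failure, auto-block, or attempt from an
            already-blocked source (what an operator would be notified of).
    blocked_ips: sources whose failures reached the threshold in the window.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    blocked = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = parse_line(line)
        stamp = ts.isoformat()
        if ip in blocked:
            alerts.append(f"{stamp} BLOCKED-SOURCE attempt user={user} ip={ip}")
            continue
        if result == "FAIL":
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            alerts.append(f"{stamp} FAILURE user={user} ip={ip}")
            if len(q) >= fail_threshold:
                blocked.add(ip)
                alerts.append(f"{stamp} AUTO-BLOCK ip={ip} after {len(q)} failures")
        else:
            alerts.append(f"{stamp} SUCCESS user={user} ip={ip}")
    return alerts, blocked


if __name__ == "__main__":
    found_alerts, found_blocked = review(SAMPLE_LOG)
    print("\n".join(found_alerts))
    print("blocked:", sorted(found_blocked))
```

Note that the sample source cycles through several usernames with one failure each, which a per-account lockout would never catch; keying the counter on the source address is what turns this pattern into a block. The successful login from a different address between the failures is still reported, since "success alerts" in the list above are there so that an operator can spot a success that follows a burst of failures.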

7. Reviews and Policies: Humans are the greatest vulnerability to any security and compliance plan. Create policies and procedures that focus on plugging vulnerabilities and preventing human errors. Some ways to reduce risk include:

  • Inviting independent third parties to review your email policies and user settings. Fresh, unbiased eyes can weed out issues quickly.
  • Disallowing the use of public Wi-Fi for devices that connect to your sensitive email.
  • Creating email policies prohibiting users from clicking on links or opening attachments that are not expected or requested.

8. Vendor Management: Most people do not manage their email in-house. Properly vetting and researching whoever will be responsible for your email services is essential. Perform a yearly review of your email security and stay on top of emerging cybersecurity threats to take proactive action when necessary for sustained HIPAA compliance.

LuxSci’s secure email solutions were designed to help organizations tackle complicated HIPAA email rules. Contact us today to learn more about how we can help you secure sensitive data.

Is Medical Billing Information Protected Under HIPAA?

Tuesday, August 9th, 2022

Electronic medical billing requires access to protected health information to accurately bill and receive payment for medical treatments. While not covered entities, medical billing companies are often contracted as business associates and fall under HIPAA regulations.

Title II of HIPAA applies directly to medical billing companies. It dictates the proper uses and disclosures of protected health information (PHI) and simplifies claims and billing processing.


What is Protected Health Information (PHI)?

Protected health information is “individually identifiable” health information. It specifically refers to three classes of data:

  1. An individual’s past, present, or future physical or mental health or condition.
  2. The past, present, or future provision of health care to an individual.
  3. The past, present, or future payment-related information for the provision of health care to an individual.

As listed in item three, payment-related information tied to the provision of healthcare is protected data under HIPAA. This can include information about insurance carriers and payments, billing statements, receipts, credit card numbers, bank accounts, and other financial information.

To be classified as PHI, payment-related information must be tied to an individual identifier. For example, a medical bill with a patient’s address can be tied back to a specific individual. These identifiers can sometimes be quite indirect. There are 18 types of identifiers for an individual (listed below). Any one of these, combined with information on healthcare payments, would constitute PHI:

  • Name
  • Address (all geographic subdivisions smaller than a state, including street address, city, county, zip code)
  • All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
  • Telephone number
  • Fax number
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Any vehicle or other device serial number
  • Device identifiers or serial numbers
  • Web URL
  • Internet Protocol (IP) address numbers
  • Finger or voiceprints
  • Photographic images
  • Any other characteristic that could uniquely identify the individual
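The practical consequence of this list is that an outbound billing notification almost always qualifies as PHI: the recipient's email address is itself one of the 18 identifiers, so any payment or health content sent to a patient needs to go out encrypted (the "prevent insecure transmission" control from the email checklist earlier on this page). The scanner below is an added example written for this page, not LuxSci's code. Its regular expressions are constructed approximations of a few identifier classes (SSN, phone, email, dates, medical record numbers); it does not detect names or the other free-text identifiers, and the context word list is an assumption a real deployment would tune.

```python
import re

# Constructed approximations of a few identifier classes from the list above.
# Real DLP rule sets are broader and tuned per organization.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<![\d-])(?:\(\d{3}\)|\d{3})[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "mrn": re.compile(r"\bMRN[:# ]*\d{6,}\b", re.IGNORECASE),
}

# Words that make an identifier 'health or payment information' in context.
CONTEXT_TERMS = re.compile(
    r"\b(?:diagnos|prescri|insurance|claim|balance|invoice|bill|copay|lab result)",
    re.IGNORECASE)


def find_identifiers(body: str) -> dict:
    """Map identifier class -> list of matches found in the message body."""
    return {name: pat.findall(body)
            for name, pat in IDENTIFIER_PATTERNS.items() if pat.search(body)}


def classify_message(to_addr: str, body: str):
    """Decide 'encrypt' or 'plain' for an outbound message, with the reason.

    The recipient address is itself one of the 18 identifiers, so any health
    or payment content sent to a person is treated as PHI even when the body
    names no one. Direct identifiers such as an SSN or MRN force encryption
    on their own."""
    ids = find_identifiers(body)
    ids["email"] = ids.get("email", []) + [to_addr]
    if "ssn" in ids or "mrn" in ids:
        return "encrypt", "direct identifier in body"
    if CONTEXT_TERMS.search(body):
        return "encrypt", "health/payment content addressed to an identifiable person"
    return "plain", "no PHI indicators"


# Constructed sample messages.
BILLING_NOTICE = (
    "Hello Jane Doe,\n"
    "Your invoice for the visit on 07/15/2023 shows a balance of $120.00.\n"
    "Questions? Call (202) 555-0134 or reply to billing@clinic.example.\n"
    "MRN: 0048213\n"
)
LAB_READY = "Your lab result is ready in the patient portal.\n"
PARKING_NOTICE = "Reminder: the parking garage closes at 9pm on 08/04/2023.\n"

if __name__ == "__main__":
    for label, body in [("billing", BILLING_NOTICE), ("lab", LAB_READY),
                        ("parking", PARKING_NOTICE)]:
        print(label, classify_message("jane@example.net", body))
```

The parking notice contains a date, which is on the identifier list, but no health or payment content, so it can go in plain text; the lab notice names no identifier in its body yet still requires encryption because it is addressed to an identifiable patient. A check like this is the programmatic form of the opt-out (encrypt by default) posture the checklist recommends: the scanner only decides which messages may be exempted, never which ones to encrypt.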

The Risks to Medical Billing Companies

It should be evident that medical billing companies work with a lot of PHI. As such, they must take steps to protect that information under HIPAA regulations.

Third-Party Risk

Many healthcare systems contract medical billing companies to process claims and bill patients and insurance companies. These companies can present significant risks to protected health information if not adequately vetted. All third-party companies that handle PHI on behalf of a covered entity must sign a business associate agreement. This document specifies how sensitive medical billing information will be stored, secured, and transmitted. It is also essential to ensure that the billing companies understand their obligations under the privacy and security rules and have implemented the proper physical, technical, administrative, and organizational standards. This can be verified via security audits and assessments.

Third parties like medical billing companies are often targets for cyberattacks. From 2020 to 2021, cyberattacks on business associates increased by 18%. The rich trove of financial and health data they hold is often more comprehensive and less secure than a hospital’s electronic health records system. Unlike covered entities, which work under HIPAA regulations every day, third parties may not fully understand them. As a result, they may fail to take the technical steps needed to secure sensitive data.

How to Protect Electronic Medical Billing Information

Like many healthcare organizations, financial institutions are also undergoing digital transformation and are moving to digitize healthcare payment processes. Digitization is an effective way to reduce payment times and improve patient satisfaction. However, it also introduces risk. Digital systems that contain healthcare billing information must implement the proper safeguards, including:

  • Organizational requirements that describe how policies and procedures will be implemented and obligations concerning business associate contracts.
  • Administrative requirements related to how employees access PHI.
  • Physical safeguards that encompass the security of computer systems, servers, and networks, access to the facility and workstations, data backups and storage, and the destruction of obsolete data.
  • Technical safeguards that ensure the security of data transmitted over an open electronic network and the storage of that data.

Protecting Electronic Medical Billing Information In Databases

Digital billing information that is stored in electronic databases or online web portals must be secured in the following ways:

  • Using a secure and HIPAA-compliant web and database host.
  • Limiting access to only authorized users.
  • Requiring unique logins and complex passwords with multifactor authentication to access ePHI.
  • Encrypting the contents of the database so they cannot be accessed if there is a breach.
  • Making regular backups of the database and storing them independently of the main system.

Sending Healthcare Billing Notifications Digitally

Many people now prefer to receive electronic medical billing notifications via email. A survey of 3,000 US consumers found that 85% are already using e-billing, and 47.6% find it faster to pay bills electronically. However, using email, text messaging, or other digital communication forms introduces new risks and requires additional safeguards to protect ePHI in transit. These safeguards include:

  • Encrypting messages in transit.
  • Authenticating user identities and sending domains.
  • Requiring unique user logins and complex passwords.
  • Protecting against threats with anti-virus software, email filtering, and other malicious-content scanning tools.
  • Creating audit logs and reviewing them for suspicious activity.

Services like LuxSci’s Secure High Volume Email can integrate with existing systems to send automated encrypted billing notifications via API or SMTP.

Is Email Archival Required by HIPAA?

Tuesday, April 5th, 2022

Customers often inquire if email archival is required by HIPAA regulations.

There is a great deal of confusion and uncertainty here because:

  1. HIPAA lists many requirements but does not provide specific instructions on implementing them. It’s ambiguous but provides a great deal of flexibility for organizations.
  2. Email archival adds a fixed cost to any email solution – and everyone prefers to avoid unnecessary costs.
  3. Due to time and budgetary constraints, many organizations want to do the minimum needed for compliance.


In our opinion, email archival is an implicit requirement of HIPAA for all organizations that send ePHI via email. In the next section, we’ll review why.


Promoting Health Literacy with Email Engagement

Tuesday, March 29th, 2022

In the final installment of our series on using digital technology for patient engagement, we discuss how email can promote health literacy and help patients manage chronic conditions.


Patient Education and Health Literacy

Chronic diseases like diabetes and heart disease require a high degree of health literacy to manage effectively at home. Health literacy is the ability to understand, engage, and act upon health information. Researchers from the Mayo Clinic found that heart failure patients with lower levels of health literacy saw higher hospital admission and mortality rates. Therefore, boosting levels of health literacy for chronic disease patients is essential to improving health outcomes.

Of course, patient education and health literacy start with the in-person interactions a patient has with their health care provider. However, once a patient leaves the office, education should not stop. Using digital channels to reinforce medical messaging can help keep patients up to date with developments in their treatment plans and prognosis.

Email is an excellent way to engage patients. It is minimally intrusive and asynchronous, meaning patients can read the material whenever it is convenient for them. Better yet, email messages can be personalized to meet the needs of individual patients with minimal time and effort.

Email Campaign Examples to Promote Health Literacy

To illustrate how email can improve health literacy, let’s take an example. A patient recently diagnosed with diabetes has a lot to learn about managing their health. Diabetes is a chronic condition that requires substantial lifestyle changes. Non-adherence to treatment can have serious consequences, including hospitalization and death. A patient is likely to meet with a health care provider on a regular basis to discuss their treatment plan, but the amount of information can be overwhelming. Sending follow-up emails that reiterate important information can help patients understand and absorb the messaging received from their doctor.

Some potential campaign ideas include:

  • how to use insulin pumps
  • managing blood sugar
  • what to do if blood sugar is too low or too high
  • learning about A1C levels
  • information on preventing serious complications
  • information on nutrition and meal planning
  • exercise ideas
  • sharing information about diabetes support groups and events

Being diagnosed with a chronic health condition can have serious mental health impacts. Helping patients feel supported with resources and access to medical information throughout the lifestyle changes is very important.

Personalizing Email Campaigns

Here comes our regular reminder: emails that contain ePHI, like those mentioned above, must comply with HIPAA. Once HIPAA requirements are met, organizations can personalize emails with patient data. In addition to sending medical information, campaigns can be personalized further using demographic data.

Patients who suffer from chronic conditions and are members of ethnic minority groups often experience worse health outcomes than their white counterparts. To address health equity issues, use segmentation to target select groups with messaging specific to their needs. This could include creating campaigns in multiple languages, addressing diet and exercise tips in a culturally sensitive way, or providing more resources to help these groups afford testing and insulin.

The power of email personalization allows health care providers to provide accurate and timely information to their patients.

Conclusion

Learning to live with a chronic health condition is not an easy task. To help prevent hospital visits and deteriorating health, promoting health literacy is essential. Supplementing doctor visits with personalized email campaigns can help answer patient questions and help them adjust to living with a chronic illness. Contact LuxSci today if you would like to learn more about HIPAA-compliant email marketing campaigns.

Should You Integrate Secure Email Sending with an EMR or EHR?

Tuesday, February 8th, 2022

Email is the preferred medium for business communications. Although those in the healthcare industry face restrictions on how they can use email, it is a powerful tool if properly secured. By integrating secure email with an EMR or EHR system, healthcare organizations can automate communications to maximize efficiency.


What Are EMRs and EHRs?

Electronic medical records (EMRs) are digitized versions of medical records. EMRs are sometimes referred to as electronic health records (EHRs). Even though these terms are often used interchangeably, there are slight distinctions between them.

Let’s start with electronic medical records. EMRs are essentially electronic versions of patient charts. They record a patient’s medical history and treatments at one hospital or practice. EMRs tend to stay at the practice, even if a patient switches to a new provider.

In contrast, EHRs contain a record of a patient’s medical history and treatment. They are long-term records that offer insight into a patient’s health, following them as they seek healthcare from different providers. EHRs are designed for information sharing. They help facilitate care when patients visit new clinics or hospitals.

Simply put, an EMR or EHR is the system used to manage or process these respective types of health records. Both EMRs and EHRs come with many of the same benefits and downsides as other forms of digitized information. The data is easier to find, access, and share, which can help speed up medical treatment and improve care. However, if the right data protection mechanisms aren’t in place, EHRs and EMRs are susceptible to data breaches and violations of privacy.

Why Integrate Secure Email with your EMR or EHR?

One of the main advantages of integrating secure email with an EMR or EHR is the ability to automate communications. Actions taken in the EMR can trigger email sequences. For example, an upcoming appointment can trigger an appointment reminder email. It requires no effort on the part of the office staff to send the email or make a phone call. The IT or marketing team simply creates the email template language and uses dynamic variables to personalize each email with the patient’s name, appointment date, and time.

If an organization integrates secure email with its EMR or EHR systems, it can set up automatic emails for a wide range of actions. Whenever there is relevant activity or an update on a patient’s chart, emails can be sent off without anyone having to lift a finger. Some examples of emails that can be triggered by EMR activity include:

  • a request for a review post-appointment
  • follow-up information on lab work or scheduling testing
  • flu shot or other vaccine reminders
  • password resets for access to the EHR

Ultimately, integrating secure transactional email with an EMR makes it easy to promote the organization and increase patient satisfaction. In addition, automating email workflows decreases the administrative burden on office staff without sacrificing the patient experience.

The Risks of Integrating Secure Email with an EMR or EHR

It’s extremely important to select the right provider when integrating secure email with an EMR or EHR. The HIPAA laws that govern medical records are stringent, and organizations face serious repercussions for violating them. The provider must comply with HIPAA regulations and encrypt outgoing emails that contain protected health information.

Not all encryption is equal. A secure email provider like LuxSci allows users to choose the appropriate type of encryption to suit their email use cases. TLS encryption, which allows recipients to read encrypted emails directly in their inboxes, is appropriate for emailed appointment reminders, but is not suitable for something like lab or test results. Choose a provider who can meet your encryption needs.

Another factor to consider is the desired sending rate. Many email providers use shared cloud servers, which limit how quickly emails can be sent from an EMR; for time-sensitive emails, this can be an issue. Using a dedicated server configuration separate from the office’s regular day-to-day email sending has performance and security benefits. Improve your security posture by keeping EMR or EHR data isolated from other customers of your email provider. Learn more: Dedicated Server Benefits: How They Improve Security and Reliability.

Conclusion

Despite these challenges, services like LuxSci’s HIPAA-compliant Secure High Volume Email are specifically designed to help navigate the complex intersection of the regulations and transactional email sending. Our dedicated email solutions are custom-designed to meet our clients’ sending needs while adhering to HIPAA requirements.