" hipaa Archives - Page 9 of 22 - LuxSci

Posts Tagged ‘hipaa’

What Level of SSL or TLS is Required for HIPAA Compliance?

Thursday, January 2nd, 2020

SSL and TLS are not monolithic encryption entities that you use or do not use to securely connect to email servers, websites, and other systems. SSL and TLS are evolving protocols with many nuances to how they may be configured. The “version” of the protocol and the ciphers used directly impact the level of security achievable through your connections.

Some people use the terms SSL and TLS interchangeably, but TLS (version 1.0 and beyond) is the successor of SSL (version 3.0). See SSL versus TLS – what is the difference? In 2014 we saw that SSL v3 was very weak and should not be used going forward by anyone; TLS v1.0 or higher must be used.

Among the many configuration nuances of TLS, the protocol versions supported (e.g., 1.0, 1.1, 1.2, and 1.3) and which “ciphers” are permitted significantly impact security. A “cipher” specifies the encryption algorithm, the secure hashing (message fingerprinting / authentication) algorithm to be used, and other related things such as how encryption keys are negotiated. Some ciphers that have long been used, such as RC4, have weakened over time and should never be used in secure environments. Other ciphers protect against people who record a secure conversation from being able to decrypt it in the future if somehow the server’s private keys are compromised (perfect forward secrecy).

Given the many choices of ciphers and TLS protocol versions, people are often at a loss as to what is specifically needed for HIPAA compliance. Simply “turning on TLS” without configuring it appropriately is likely to leave your transmission encryption non-compliant.

Read the rest of this post »

Tags: AES256, cipher, ePHI, hipaa, NIST 800-52, ssl, sslv3, tls, tls v1.0, tls v1.2
Posted in LuxSci Library: HIPAA, LuxSci Library: Security and Privacy
No comments »

Do Healthcare Marketing Emails Have to Be HIPAA-Compliant?

Friday, July 26th, 2019

Healthcare is a competitive business! A well-thought-out marketing strategy can help you outshine your competition, but providers must keep compliance in mind when considering email marketing for healthcare.

Many organizations have substantial email lists of their clients and wonder how they can utilize them to increase patient engagement. Marketing professionals may strongly suggest email communications, but it is essential to understand the HIPAA restrictions around email marketing for healthcare before starting a campaign.

So, do healthcare marketing emails have to be HIPAA-compliant? It’s an important question to ask and one that’s not precisely clear-cut because the answer is dependent on the context.

Does the Marketing Email Contain Protected Health Information?

Email marketing for healthcare is subject to HIPAA regulations if the emails contain “protected health information” that is “individually identifiable.” The term “protected health information” refers to any data relating to a person’s health, treatment, or payment information, whether in the past, present, or future.

Under this definition, some examples of PHI may include:

Is the Information Individually Identifiable?

If information is individually identifiable, it can somehow be linked to the individual. There is a long list of identifiers that include:

  • Names
  • Addresses
  • Birthdays
  • Contact details (like email addresses)
  • Insurance details
  • Biometrics

The final entry in the official list of possible identifiers is “Any other characteristic that could uniquely identify the individual,” so this concept is all-encompassing.

Do Your Marketing Emails Need to Comply?

If both conditions are met, then the email needs to be sent in a HIPAA-compliant manner. If it doesn’t, your organization may be safe. Before you rush to start an email campaign, you need to be careful. The edges of HIPAA can be blurry, and it is best to proceed cautiously.

Let’s take this example. A clinic comes across a study that recommends new dietary supplementation for expectant mothers. It decides that it could use this information not just to help mothers-to-be but also to bring in new business. The clinic then sends out an email to all expectant mothers with details from the new study, asking them to make an appointment if they have any further questions.

Everything should be above board, right? Well, maybe not. Because the email was only sent to expectant mothers, it infers that everyone in the group is an expectant mother, which means that it could be considered protected health information. Each email address is also considered individually identifiable information.

With both of these characteristics in place, it’s easy to see how this kind of email could violate HIPAA regulations. If the email had been sent to every member of the clinic, then it might not be viewed as violating HIPAA. This approach wouldn’t single out the women who were pregnant (though it might single you out as a former patient of that clinic and could also imply things about past/present/future medical treatments). It might seem unlikely, but these situations occur all the time. 

Even if most of your organization’s emails don’t include PHI, sending them in a HIPAA-compliant manner is wise. It is easy to make a mistake and accidentally include ePHI in a marketing email. When you consider the high penalties of these violations, ensuring that all of your emails are sent securely is a worthwhile investment.

How Can You Make Email Marketing for Healthcare HIPAA-Compliant?

If your healthcare organization sends out marketing emails, it is crucial to ensure that they are sent in a HIPAA-compliant manner. The best approach is to use an email marketing platform designed specifically for health care, such as LuxSci’s HIPAA-Compliant Secure Marketing platform.

Your organization must sign a HIPAA Business Associate Agreement with any service provider you work with. Using the appropriate encryption, access controls, and other security mechanisms is essential to protect ePHI. Be sure to vet your email provider thoroughly, and remember signing a BAA is not enough to ensure compliance. 

Tags: email, email marketing, email security, ePHI, hipaa, hipaa compliance
Posted in Email Marketing, LuxSci Library: HIPAA
No comments »

What is Willful Neglect Under HIPAA?

Thursday, March 7th, 2019

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), spells out rules for the privacy and protection of health information. The HIPAA Privacy and Security Rules establish standards for implementing physical, administrative, and technical safeguards to ensure that Protected Health Information (PHI) is handled with the utmost confidentiality and integrity.

The failure to adhere to the regulations established under HIPAA can lead to criminal and civil penalties, followed by progressive disciplinary actions. These penalties apply to healthcare entities, as well as individuals.

The reckless or intentional failure to comply with the rules set forward under HIPAA is called “Willful Neglect.” Violations, as a result of willful neglect, can carry severe penalties, civil or criminal depending on the exact facts of the case.

Case in point

In early 2011, the HHS (The Department of Health and Human Services) levied a fine of $4.3 million on an entity named Cignet Health Center for willful neglect. What’s unique about this case is that the entity was not fined for breach of privacy.

Read the rest of this post »

Tags: hipaa, hipaa compliance, HIPAA email, HIPAA rules, willful neglect
Posted in LuxSci Library: HIPAA
No comments »

What You Need To Know About the HIPAA Security Rule

Thursday, January 10th, 2019

In this day and age of rampant cybercrime, protecting a patient’s electronic health information is of the utmost importance. But, how do you know if the protections are adequate? Well, that’s where the HIPAA Security Rule comes in.

What is the difference between the privacy and security of health information?

With respect to health information, privacy is defined as the right of an individual to keep his/her individual health information from being disclosed. This is typically achieved through policy and procedure. Privacy encompasses controlling who is authorized to access patient information; and under what conditions patient information may be accessed, used and/or disclosed to a third party. The HIPAA privacy Rule applies to all protected health information.

Security is defined as the mechanism in place to protect the privacy of health information. This includes the ability to control access to patient information, as well as to safeguard patient information from unauthorized disclosure, alteration, loss or destruction. Security is typically accomplished through operational and technical controls within a covered entity. Since so much PHI is now stored and/or transmitted by computer systems, the HIPAA Security Rule was created to specifically address electronic protected health information

Now, the HIPAA Security Rule isn’t extensive regarding the regulatory text. However, it is quite technical. It is the codification of specific information and technological best practices and standards.

The HIPAA Security Rule mainly requires the implementation of three key safeguards, that is, technical, physical, and administrative. Other than that, it demands certain organizational requirements and the documentation of processes, as it is with the HIPAA Privacy Rule.

Developing the necessary documentation for the HIPAA Security Rule can be complex, compared to the requirements of the HIPAA Privacy Rule. Healthcare providers, especially smaller ones, need to be given access to HIT (Health Information Technology) resources for this purpose.

Having said that, the HIPAA Security Rule is designed to be flexible, which means covering all the required aspects of security shouldn’t be tough. There is no need for leveraging specific procedures or technologies. Organizations are allowed to determine the kind of resources necessary for ensuring compliance.

Read the rest of this post »

Tags: ePHI, hipaa, hipaa compliance, hipaa security rule
Posted in LuxSci Library: HIPAA
No comments »

HIPAA Email: Does it Require Encryption?

Tuesday, July 31st, 2018

HIPAA’s encryption requirements fall in a grey area. This is mainly due to two reasons:

  • encryption is required when ‘deemed appropriate’, which means email encryption is not absolutely necessary and ‘mutual consent’ can be used in place of encryption.
  • there are a number of ‘addressable requirements’ pertaining to the technical safeguards as far as ePHI encryption is concerned

What exactly is mutual consent?

Mutual consent refers to a mutual understanding between doctor and patient that email containing ePHI can be sent to patients’ email account without encryption. Patients should communicate their approval in writing after being informed of the security risks and understanding that a secure option is available. You must additionally maintain all records of mutual consent.

Mutual consent does not waive off other HIPAA-related requirements. You must still use HIPAA-compliant systems, log and audit non-encryption choices, and back-up and archive all email communications sent insecurely, etc.

Encryption at rest is ‘addressable’

‘Addressable’ means that the safeguard should be implemented or an alternative to the safeguard that delivers the same results should be implemented. In the absence of both, you should document and justify why no action has been taken with regard to the safeguard.

Read the rest of this post »

Tags: encrypted email, hipaa, hipaa compliant, hipaa-compliant email
Posted in Email Marketing, LuxSci Library: HIPAA, LuxSci Library: Security and Privacy
No comments »

« Older Entries
Newer Entries »