" hipaa Archives - Page 9 of 21 - LuxSci

Posts Tagged ‘hipaa’

What We Call “Quasi-HIPAA-Compliance”

Thursday, March 26th, 2020

Are your organization’s service providers HIPAA compliant, or are they only quasi-HIPAA compliant?

What do we mean? Okay, we’ll be honest quasi-HIPAA compliant isn’t an accepted term yet but it should be.

When we talk about quasi-compliance, we’re referring to setups and services that look HIPAA-compliant and share some of the features; however, they may not be entirely in line with HIPAA requirements if you actually use them in the way that you want.

Quasi-HIPAA compliance is common, particularly in popular services. It can also be hazardous for businesses because quasi-HIPAA compliance can lead organizations into a false sense of security while they may be violating the regulations unwittingly, especially around HIPAA compliant email and HIPAA compliant email marketing.

Quasi HIPAA-Compliance

What Is Quasi-HIPAA Compliance?

The best way to explain the concept of quasi-HIPAA compliance is through example. A quasi-HIPAA compliant service could come from an email-hosting provider, web hosting provider, or an organization that offers a range of other solutions. 

If these providers are quasi-HIPAA compliant, they will include elements of HIPAA compliance. Still, the services may not be appropriately tailored to keep their clients within the lines of the regulations when used in various ways. A provider may be willing to sign a HIPAA business associates agreement (BAA) with your company, but its services may not include the appropriate protections for compliance.

As a good example: Google is willing to sign a BAA with customers using its Google Workspace service. However, Google does not actually provide HIPAA-compliant email encryption — so using Google Workspace email in a HIPAA context can immediately leave you in non-compliance and subject to breach. This is quasi-HIPAA compliance. You assume that by signing a BAA, you can use the services as you like and be “all set.” In truth, you need to understand what is allowed and what is not allowed. You need to either (a) avoid performing non-compliant actions or (b) add additional measures to fill those gaps.

Quasi-HIPAA compliance

Business Associates Agreements & Quasi-HIPAA Compliance

A BAA is essential for HIPAA compliance. Your company can’t be completely HIPAA-compliant if it uses the services of another entity without a BAA in place. It doesn’t matter if the entity’s services are technically HIPAA-compliant; you will fall afoul of the regulations unless a BAA exists between the two parties.

Even if you have a BAA with your provider, that alone may not be enough to keep your organization on the right side of HIPAA. The provider may not have the security measures your organization needs and instead have a carefully worded BAA that will leave you vulnerable.

Let’s say your email marketing service provider is a quasi-HIPAA compliant provider. It may not offer email encryption, or the necessary access control measures your organization needs to send ePHI and other sensitive information safely. The “HIPAA Compliance” may be limited only to data stored at rest on their servers. You may be stunned to learn that an email marketing company offering “HIPAA compliance” does not recommend sending any sensitive data over email

The BAA offered by a company may be carefully worded to say that the service is technically HIPAA-compliant, but only if you don’t use it to send ePHI. This is legal, and the provider isn’t necessarily doing anything wrong by offering such a service, as long as this is clearly stated in the agreement. Without understanding clearly what is actually “covered,” you leave yourself at risk.

The compliance and breach danger comes when organizations use quasi-HIPAA compliant services without completely understanding them. If they don’t take the time to do their research or thoroughly read the agreement, they could use the service in a way that isn’t covered under the BAA.

Doctor Video Conference

Dangers of Quasi-HIPAA Compliance

In our example, an organization might subscribe to a quasi-HIPAA compliant service and use it to send ePHI. Suppose ePHI isn’t allowed to be sent via email or text under the BAA, and it’s sent without encryption and other security measures in place. In that case, the messages will violate HIPAA regulations.

This is an easy trap to fall into for several significant reasons. 

  1. BAAs can be complex and need to be studied carefully. 
  2. People make assumptions about what is covered by an organization’s “HIPAA compliance.”
  3. It’s very easy to send ePHI in an email accidentally. The definition of ePHI is broad, so employees can include ePHI in messages without even realizing it.

Even if your organization specifies that ePHI shouldn’t be sent through a particular service, all it takes is one mistake, and your company will have a costly HIPAA violation on its hands. Suppose your organization does use an email marketing service that’s only quasi-HIPAA compliant. In that case, the restrictions on ePHI will prevent your organization from being able to market effectively and communicate appropriately with its clients.

How Your Organization Can Avoid Quasi-HIPAA Compliance

The most important way to protect your organization is to do your research beforehand and ensure that any prospective provider will cover your intended uses. This means that you need to read through their BAAs to ensure that they align with your business’s requirements.

To save you some time, services like Google Workspace and the vast majority of email marketing services can be seen as quasi-HIPAA compliant. Only providers that specialize in HIPAA-compliant services will be able to deliver the solutions that healthcare organizations and those that process ePHI require.

If your company needs proper HIPAA compliance, then a provider like LuxSci is the best way to stay on the ride side of the regulations. We have been providing HIPAA-compliant secure email since 2005. Not only are our solutions tailored to abide by HIPAA, but we have also developed the services you need to conduct essential business tasks.

We provide HIPAA-compliant bulk email solutions for clients that need to send at scale. These services are set up over our secure infrastructure, and we provide dedicated servers for clients.

LuxSci focuses on both compliance and ease of use, so we have developed secure email hosting, email marketing, and transactional email solutions among our offerings. Our services help your organization comfortably market itself and conduct business while staying in line with HIPAA compliance.

Tags: baa, ePHI, hipaa, hipaa compliance, quasi hipaa compliance
Posted in Industry News
No comments »

Is Amazon Simple Email Service (SES) HIPAA Compliant?

Thursday, March 19th, 2020

Because Amazon Web Services (AWS) is very inexpensive, very well known, and offers “HIPAA-compliant” solutions to some degree, we are often asked if, and to what degree, Amazon Simple Email Service (SES) is HIPAA compliant. AWS is a big player offering countless services on which companies can build and/or host applications and infrastructures. One of the myriad of services provided by Amazon is their “Simple Email Service” (AWS SES for short).  Organizations are very interested in determining if the services offered are appropriate for their use cases and if use of specific Amazon services will leave them non-compliant or at risk.  Indeed, the larger the organization, the more concern we encounter.

 

Read the rest of this post »

Tags: amazon, aws, baa, business associate agreement, email, hipaa, ses
Posted in LuxSci Library: HIPAA, HIPAA Marketing
No comments »

What Level of SSL or TLS is Required for HIPAA Email Compliance?

Thursday, January 2nd, 2020

To meet HIPAA email compliant requirements for secure email transmission, the level of SSL/TLS (Secure Sockets Layer / Transport Layer Security) used must ensure the confidentiality and integrity of Protected Health Information (PHI) in transit.

What Does HIPAA Says about TLS and SSL

HIPAA doesn’t specify exact SSL/TLS versions, but industry standards — including NIST (National Institute of Standards and Technology) guidelines — effectively set the floor:

  • TLS 1.2 or 1.3: Required for HIPAA-compliant email.

  • SSL 2.0, 3.0, and TLS 1.0/1.1: Obsolete and insecure. Use of these protocols is not HIPAA-compliant.

The Department of Health and Human Services has published guidance for TLS to secure health information in transit. In particular, they say:

Electronic PHI has been encrypted as specified in the HIPAA Security Rule by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (45 CFR 164.304 definition of encryption) and such confidential process or key that might enable decryption has not been breached.

To avoid a breach of the confidential process or key, these decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt.

The encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard. 

They go on to state what valid encryption processes for HIPAA compliance are:

Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.

The FIPS specifications refer back to NIST 800-52 to define what cipher suites and settings are “FIPS-approved.” In other words, TLS usage must comply with the details in NIST 800-52 rev 2. This implies that other encryption processes, especially those weaker than recommended by this publication, are not valid and are thus non-compliant.

Is TLS Email HIPAA compliant?

SSL and TLS are not monolithic encryption entities that you use or do not use to securely connect to email servers, websites, and other systems. SSL and TLS are evolving protocols with many nuances to how they may be configured. The “version” of the protocol and the ciphers used directly impact the level of security achievable through your connections.

Some people use the terms SSL and TLS interchangeably, but TLS (version 1.0 and beyond) is the successor of SSL (version 3.0). See SSL versus TLS – what is the difference? In 2014 we saw that SSL v3 was very weak and should not be used going forward by anyone; TLS v1.0 or higher must be used.

Among the many configuration nuances of TLS, the protocol versions supported (e.g., 1.0, 1.1, 1.2, and 1.3) and which “ciphers” are permitted significantly impact security. A “cipher” specifies the encryption algorithm, the secure hashing (message fingerprinting / authentication) algorithm to be used, and other related things such as how encryption keys are negotiated. Some ciphers that have long been used, such as RC4, have weakened over time and should never be used in secure environments. Other ciphers protect against people who record a secure conversation from being able to decrypt it in the future if somehow the server’s private keys are compromised (perfect forward secrecy).

Given the many choices of ciphers and TLS protocol versions, people are often at a loss as to what is specifically needed for HIPAA email compliance. Simply “turning on TLS” without configuring it appropriately is likely to leave your transmission encryption non-compliant.

Read the rest of this post »

Tags: AES256, cipher, ePHI, hipaa, NIST 800-52, ssl, sslv3, tls, tls v1.0, tls v1.2
Posted in HIPAA Compliant Email Marketing, HIPAA Email Compliance, HIPAA Marketing
No comments »

Do Healthcare Marketing Emails Have to Be HIPAA-Compliant?

Friday, July 26th, 2019

Healthcare is a competitive business! A well-thought-out marketing strategy can help you outshine your competition, but providers must keep compliance in mind when considering email marketing for healthcare.

Many organizations have substantial email lists of their clients and wonder how they can utilize them to increase patient engagement. Marketing professionals may strongly suggest email communications, but it is essential to understand the HIPAA restrictions around email marketing for healthcare before starting a campaign.

So, do healthcare marketing emails have to be HIPAA-compliant? It’s an important question to ask and one that’s not precisely clear-cut because the answer is dependent on the context.

Does the Marketing Email Contain Protected Health Information?

Email marketing for healthcare is subject to HIPAA regulations if the emails contain “protected health information” that is “individually identifiable.” The term “protected health information” refers to any data relating to a person’s health, treatment, or payment information, whether in the past, present, or future.

Under this definition, some examples of PHI may include:

  • Test results
  • Prescription refill notifications
  • Appointment reminders
  • A receipt or bill for healthcare services

Is the Information Individually Identifiable?

If information is individually identifiable, it can somehow be linked to the individual. There is a long list of identifiers that include:

  • Names
  • Addresses
  • Birthdays
  • Contact details (like email addresses)
  • Insurance details
  • Biometrics

The final entry in the official list of possible identifiers is “Any other characteristic that could uniquely identify the individual,” so this concept is all-encompassing.

Do Your Marketing Emails Need to Comply?

If both conditions are met, then the email needs to be sent in a HIPAA-compliant manner. If it doesn’t, your organization may be safe. Before you rush to start an email campaign, you need to be careful. The edges of HIPAA can be blurry, and it is best to proceed cautiously.

Let’s take this example. A clinic comes across a study that recommends new dietary supplementation for expectant mothers. It decides that it could use this information not just to help mothers-to-be but also to bring in new business. The clinic then sends out an email to all expectant mothers with details from the new study, asking them to make an appointment if they have any further questions.

Everything should be above board, right? Well, maybe not. Because the email was only sent to expectant mothers, it infers that everyone in the group is an expectant mother, which means that it could be considered protected health information. Each email address is also considered individually identifiable information.

With both of these characteristics in place, it’s easy to see how this kind of email could violate HIPAA regulations. If the email had been sent to every member of the clinic, then it might not be viewed as violating HIPAA. This approach wouldn’t single out the women who were pregnant (though it might single you out as a former patient of that clinic and could also imply things about past/present/future medical treatments). It might seem unlikely, but these situations occur all the time. 

Even if most of your organization’s emails don’t include PHI, sending them in a HIPAA-compliant manner is wise. It is easy to make a mistake and accidentally include ePHI in a marketing email. When you consider the high penalties of these violations, ensuring that all of your emails are sent securely is a worthwhile investment.

How Can You Make Email Marketing for Healthcare HIPAA-Compliant?

If your healthcare organization sends out marketing emails, it is crucial to ensure that they are sent in a HIPAA-compliant manner. The best approach is to use an email marketing platform designed specifically for health care, such as LuxSci’s HIPAA-Compliant Secure Marketing platform.

Your organization must sign a HIPAA Business Associate Agreement with any service provider you work with. Using the appropriate encryption, access controls, and other security mechanisms is essential to protect ePHI. Be sure to vet your email provider thoroughly, and remember signing a BAA is not enough to ensure compliance. 

Tags: email, email marketing, email security, ePHI, hipaa, hipaa compliance
Posted in HIPAA Marketing, LuxSci Library: HIPAA
No comments »

What is Willful Neglect Under HIPAA?

Thursday, March 7th, 2019

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), spells out rules for the privacy and protection of health information. The HIPAA Privacy and Security Rules establish standards for implementing physical, administrative, and technical safeguards to ensure that Protected Health Information (PHI) is handled with the utmost confidentiality and integrity.

The failure to adhere to the regulations established under HIPAA can lead to criminal and civil penalties, followed by progressive disciplinary actions. These penalties apply to healthcare entities, as well as individuals.

The reckless or intentional failure to comply with the rules set forward under HIPAA is called “Willful Neglect.” Violations, as a result of willful neglect, can carry severe penalties, civil or criminal depending on the exact facts of the case.

Case in point

In early 2011, the HHS (The Department of Health and Human Services) levied a fine of $4.3 million on an entity named Cignet Health Center for willful neglect. What’s unique about this case is that the entity was not fined for breach of privacy.

Read the rest of this post »

Tags: hipaa, hipaa compliance, HIPAA email, HIPAA rules, willful neglect
Posted in LuxSci Library: HIPAA
No comments »

« Older Entries
Newer Entries »