" hitech Archives - LuxSci

Posts Tagged ‘hitech’

What exactly does HIPAA say about Email Security?

Wednesday, February 26th, 2025

Performing daily business transactions and communications through electronic technologies is accepted, reliable, and necessary across the nation’s healthcare providers, payers and suppliers. As a result, email has become a standard in the healthcare industry as a way to conduct business activities that commonly include:

  • Interacting with patients
  • Real time authorizations for medical services
  • Transcribing, accessing and storing health records
  • Appointment scheduling
  • Referring patients
  • Explanation of benefits
  • Marketing offers
  • Submitting claims to health plan payers for payment of the services provided

Collaborative efforts amongst healthcare providers have improved the delivery of quality care to patients in addition to the recognized increase in administrative efficiency through effective use of email and other types of digital communication. Patients are becoming more and more comfortable with emailing their physician’s office to schedule an appointment, discuss laboratory results, or request refills on medication. Medicare and some other insurance payers also recognize and pay for virtual care where the health provider and patient interact over video (telemedicine).

Using digital communications, undoubtedly, poses concerns about the privacy and security of an individual’s information. In healthcare, the confidentiality of a patient’s information has been sacred since the days of the Hippocratic Oath (Hippocrates – the Father of Medicine, 400 B.C.). Today, merely taking an oath to respect one’s privacy has been overshadowed by regulations that govern how certain healthcare establishments must handle an individual’s health information. So, if a healthcare organization employs email as a means of communicating medical and/or mental health data to appropriate parties, including patients and customers, they must also ensure that information is well safeguarded.

This article addresses the specific issues that healthcare provider, payers and suppliers must address in order to be in compliance with HIPAA and HITECH certified. It will also lay out how LuxSci enables healthcare organizations to meet these requirements though HIPAA compliant email outsourcing.

Overview of HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) implemented new rules for the healthcare world. Mandating compliance with its Privacy and Security Rules, the federal government is committed to enforcing patients’ rights. Industry professionals – financial, administrative and clinical – are no strangers to the regulatory compliance culture. HIPAA laws apply to a covered entity; i.e. healthcare providers, suppliers, clearinghouses and health plan payers that meet certain conditions. In essence, most providers are covered entities if they employ digital communications, meaning they function by storing and exchanging data via computers through intranets, Internet, dial up modems, DSL lines, T-1, etc. Additionally, HITECH extends the requirements of HIPAA to any business associate of a covered entity and to all business associates of  business associates (all the way down the line) who may come into contact with Protected Health Information originating from a covered entity.

HIPAA email security applies specifically to protected health information, not just personal information. Protected Health Information (PHI), as defined in HIPAA language, is health information of an identifiable individual that is transmitted by electronic media; maintained in any electronic medium; or transmitted or maintained in any other form or medium. For example, all administrative, financial, and clinical information on a patient is considered PHI and must abide by the following standards:

  • Privacy Standards: The HIPAA Privacy Rule sets standards for protecting the rights of individuals (patients). Covered entities must follow the laws that grant every individual the right to the privacy and confidentiality of their health information. Protected Health Information is subject to an individual’s rights on how such information is used or disclosed.
    Privacy Standard Key Point: Controlling the use and disclosure of oral, written and electronic protected health information (any form).
  • Security Standards: Taking the Privacy Rule a step further, HIPAA implemented the Security Rule to cover electronic PHI (ePHI). To this end, more secure and reliable information systems help protect health data from being “lost” or accessed by unauthorized users.
    Security Standard Key Point: Controlling the access to electronic forms of protected health information (not specific to oral or written).

The Privacy and Security Rules focus on information safeguards and require covered entities and their business associates to implement the necessary and appropriate means to secure and protect health data. Specifically, the regulations call for organizational and administrative requirements along with technical and physical safeguards.

Provisions of the HIPAA Email Security Rule

The HIPAA language uses the terms required and addressable. Required means that complying with the given standard is mandatory and, therefore, must be complied with.  Addressable means that the given standards must be implemented by the organization unless assessments and in depth risk analysis conclude that implementation is not reasonable and appropriate specific to a given business setting.  Important Note: Addressable does not mean optional.

With regard to addressable, an organization should read and decipher each Security standard separately and deal with each piece independently in order to determine an approach that meets the needs of the organization.

The General Rules of the Security Standards reflect a “technology-neutral” approach. This means that there are no specific technological systems that must be employed and no specific recommendations, just so long as the requirements for protecting the data are met.

Organizational requirements refer to specific functions a covered entity must perform, including the use of business associate contracts and the development, documentation and implementation of policies and procedures.

Administrative requirements guide personnel training and staff management in regard to PHI and require the organization to reasonably safeguard (administrative, technical and physical) information and electronic systems.

Physical safeguards are implemented to protect computer servers, systems and connections, including the individual workstations. This section covers security concerns related to physical access to buildings, access to workstations, data back up, storage and obsolete data destruction.

Technical safeguards affect PHI that is maintained or transmitted by any electronic media. This section addresses issues involving authentication of users, audit logs, checking data integrity, and ensuring data transmission security.

Risk Analysis

Risks are inherent to any business and, therefore, with regard to HIPAA, each organization must take into consideration the potential for violating an individual’s right to privacy of their health information. HIPAA allows for scalability and flexibility so that decisions can be made according to the organization’s approach in protecting data. Covered entities and their Business Associates must adopt certain measures to safeguard PHI from any “reasonably anticipated” hazards or threats. After a thorough yearly risk analysis, a yearly assessment of the organization’s current security measures should be performed. Additionally, a cost analysis will add another important component to the entire compliance picture. A plan to implement secure electronic communications starts with reviewing the Security Rule and relating its requirements to the available solution and your business needs.

HIPAA Administrative and Physical Safeguards

Below are the administrative and physical safeguards as outlined in the Federal Register. These requirements are items that must generally be addressed internally, even if you are outsourcing your email or other services.  We will discuss these safeguards in more detail below.

Standard: ADMINISTRATIVE SAFEGUARDS Sections Implementation Specification Required or Addressable
Security Management Process 164.308(a)(1) Risk Analysis R
Risk Management R
Sanction Policy R
Information System Activity Review R
Assigned Security Responsibility 164.308(a)(2) R
Workforce Security 164.308(a)(3) Authorization and/or Supervision A
Workforce Clearance Procedures R
Termination Procedures A
Information Access Management 164.308(a)(4) Isolating Health Care Clearinghouse Function R
Access Authorization A
Access Establishment and Modification A
Security Awareness and Training 164.310(a)(5) Security Reminders A
Protection from Malicious Software A
Log-in Monitoring A
Password Management A
Security Incident Procedures 164.308(a)(6) Response and Reporting R
Contingency Plan 164.308(a)(7) Data Backup Plan R
Disaster Recovery Plan R
Emergency Mode Operation Plan R
Testing and Revision Procedure A
Applications and Data Criticality Analysis A
Evaluation 164.308(a)(8) R
Business Associates Contracts and Other Arrangement. 164.308(b)(1) Written Contract or Other Arrangement R
Standard: PHYSICAL SAFEGUARDS Sections Implementation Specification Required or Addressable
Facility Access Controls 164.310(a)(1) Contingency Operations A
Facility Security Plan A
Access Control and Validation Procedures A
Maintenance Records A
Audit Controls 164.312(b) R
Integrity 164.312(c)(1) Mechanism to Authenticate EPHI A
Workstation Use 164.310(b) R
Workstation Security 164.310(c) R
Device and Media Controls 164.310(d) Disposal R
Media Re-use R
Accountability A
Data Backup and Storage A

Importance of Encryption for Email Communication

The security risks for email commonly include unauthorized interception of messages en route to recipient, messages being delivered to unauthorized recipients, and messages being accessed inappropriately when in storage. These risks are addressed in the Security Rule’s technical safeguards section, particularly:

  1. Person or Entity Authenticationrequired procedures must be implemented for identification verification of every person or system requesting access to PHI. This means the identity of the person seeking information must be confirmed within the information system being utilized.  It also means that shared logins are not permitted.
  2. Transmission Securityaddressable data integrity controls and encryption reasonable and appropriate safeguards.
  3. Business Associates – if you outsource your email services to another company and your email may contain ePHI in any form, then that company must be HIPAA compliant, sign a Business Associate Agreement with you, and actively safeguard your ePHI.

Each healthcare organization using email services must determine, based on technologies used for electronic transmission of protected health information, how the Security standards are met.

Addressable specifications include automatic log off, encryption, and decryption. Covered entities must also assess organizational risks to determine if the implementation of transmission security which includes integrity controls to ensure electronically-transmitted PHI is not improperly modified without detection is applicable. E.g. it is applicable for any ePHI going over the public Internet; it may not be necessary for information flowing between servers in your own isolated office infrastructure. Encryption of ePHI at rest (as it is stored on disk) is also addressable and not a requirement under HIPAA regulations; however, a heightened emphasis has been placed on encryption due to the risks and vulnerabilities of the Internet.

Ultimately, according to the Department of Health and Human Services, covered entities and their business associates can exercise one of the following options in regard to addressable specifications:

  • Implement the specified standard;
  • Develop and implement an effective security measure to accomplish the purpose of the stated standard; or
  • If the specification is deemed not reasonable and appropriate for the organization but the standard can still be met, then do not implement anything.

Reasonable and appropriate relate to each organization’s technical environment and the security measures already in place.

Questions to Consider When Choosing an Email Service Provider

When your organization is responsible for critical data such as protected health information, choosing an email provider is more than a matter of trust. Does the email service provider build on the administrative, physical and technical safeguards while delivering to its customers:

  • Signed Business Associate Agreement
  • Awareness of their responsibilities under HITECH and Omnibus
  • Solutions that meet or exceed HIPAA’s Security Standards
  • Willingness to work with you and advise you on your security and privacy choices
  • Protect data integrity
  • Flexible, scalable services – no account is too small
  • Administrative access to assign or change a user’s password
  • Controls to validate a user’s access
  • Audit controls to track user access and file access
  • Allow access to users based on role or function
  • Automatic log off after specified time of inactivity
  • Data transmission security
  • Unlimited document or email transfer
  • Ability for encryption
  • Emergency access for data recovery
  • Minimal server downtime
  • Secure data back up and storage
  • Secure data disposal
  • User friendly, web-based access without the necessity of third party software
  • Privacy in not selling or sharing its client contact information

A Scalable, Flexible, HIPAA-Compliant Email Services

LuxSci offers secure, premium email services including extensive security features, Spam and virus filtering, robustness, and superior customer service. The offerings are scalable to any size healthcare organization.

In addition to LuxSci itself protecting your ePHI by following the HIPAA Security and Privacy Rules as required by the HITECH amendment to HIPAA, LuxSci also provides a clean set of guidelines for using its services that enable your ePHI to be safeguarded; these guidelines are automatically enforced by the use of any “HIPAA Compliant” account.  If you follow these guidelines and sign LuxSci’s Business Associate Agreements, LuxSci will certify your account as HIPAA compliant and give you a HIPAA Compliance Seal.

Take a look at the table below to see examples of how LuxSci enables you to meet HIPAA’s requirements for protecting electronic communications in your organization.

Standard: TECHNICAL SAFEGUARDS Sections Implementation Specification R/A?
Access Control 164.312(a)(1) Unique User Identification R
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: “Assign a unique name and/or number for identifying and tracking user identity.”
Solution: Use of unique usernames and passwords for all distinct user accounts.  No shared logins; but sharing of things like email folders between users is permitted.
Standard: TECHNICAL SAFEGUARDS Sections Implementation Specification R/A?
Emergency Access Procedure R
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: “Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency”
Solution: PHI in email communications can be accessed from any location via the Internet. There are also mechanisms for authorized administrative access to account data.  Optional Email Archival and Disaster Recovery services provide enhanced access to email in case of emergency.
Standard: TECHNICAL SAFEGUARDS Sections Implementation Specification R/A?
Automatic Logoff A
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: “Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.”
Solution: An organization can set screen savers on their desktops to log users out. Additionally, WebMail and other email access services (e.g. POP, IMAP, and Mobile) automatically log off all users after a predetermined amount of time; the WebMail session time is user- and account-configurable.
Standard: TECHNICAL SAFEGUARDS Sections Implementation Specification R/A?
Encryption and Decryption A
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: Implement a mechanism to encrypt and decrypt electronic protected health information.
Solution: All usernames, passwords, and all other authentication data are be encrypted during transmission to and from LuxSci’s servers and our clients using SSL/TLS. Additionally, SecureLine permits end-to-end encrypted email communications with anyone on the Internet, SecureForm enables end-to-end encryption of submitted web site form data, and WebAides permit encryption of sensitive documents, passwords databases, and internal blogs.
Standard: TECHNICAL SAFEGUARDS Sections Implementation Specification R/A?
Audit Controls 164.312(b) R
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
Solution: Detailed audit trails of logins to all POP, IMAP, SMTP, LDAP, SecureLine,and WebMail services are available to users and administrators. These include the dates, times, and the IP addresses from which the logins were made. Auditing of all sent and received email messages is also available. SecureLine also permits auditing of when messages have been read.
Standard: TECHNICAL SAFEGUARDS Sections Implementation Specification R/A?
Integrity 164.312(c)(1) Mechanism to Authenticate ePHI A
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: “Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.”
“Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.”
Solution: To prevent unauthorized alteration or destruction of PHI, the use of SSL, TLS, PGP, and SecureLine will verify message and data integrity.
Standard: TECHNICAL SAFEGUARDS Sections Implementation Specification R/A?
Person or Entity Authentication 164.312(d) R
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: “Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”
Solution: Username and Password are used for access control (Two-factor verification is also available); strict control is given over who can access user’s accounts. LuxSci’s privacy policy strictly forbids any access of email data without explicit permission of the user (unless there are extenuating circumstances). Also, use of SecureLine end-to-end encryption in email and document storage ensures that only the intended recipient(s) of messages or stored documents can ever access them.
Standard: TECHNICAL SAFEGUARDS Sections Implementation Specification R/A?
Transmission Security 164.312(e)(1) Integrity Controls A
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”
“Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.”
Solution: SSL-based encryption during the transmission of data to/from our clients for WebMail, POP, IMAP, SMTP, and document storage services is provided. SMTP TLS-based encryption of inbound email at LuxSci ensures that all email sent internally at LuxSci meets “Transmission Security” guidelines and allows you to securely receive email from other companies whose servers also support TLS. LuxSci also provides SecureLine for true end-to-end encryption of messages to/from non-clients.
Standard: TECHNICAL SAFEGUARDS Sections Implementation Specification R/A?
Encryption A
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: “Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.”
Solution: SSL encryption for WebMail, POP, IMAP and SMTP services is provided. Additionally, encrypted document and data storage is available and use of SecureLine for end-to-end security is enforced.
Standard: TECHNICAL SAFEGUARDS Sections Implementation Specification R/A?
Device and Media Controls 164.310(d) Data Backup and Storage R
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: “Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.”Solution: Daily on-site and weekly off-site backups ensure exact copies of all ePHI are included. Live data is stored on redundant RAID disk arrays for added protection. Furthermore, Premium Email Archival provides permanent, immutable storage on servers in multiple geographic locations.
Standard: TECHNICAL SAFEGUARDS Sections Implementation Specification R/A?
Data Disposal R
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: “Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.”Solution: Clients can delete their data whenever desired. Additional security comes in automatic expiration of data backups (cease to exist after 1 month). Alternate expiration plans are available for large clients.

Healthcare staff using LuxSci can send and receive email from anywhere in the world using existing or new email clients or web browsers.  A comprehensive solution for a complex law – managed by your account administrators in-house or remotely by our company. Risk assessments for potential HIPAA violations can be performed by administrators through the use of audit trails. Reliability and cost effective solutions are the backbone of LuxSci – even for extremely large client organizations. And, count on the physical security of our servers.

Chart of LuxSci Services and the HIPAA Rules they Satisfy

If you are interested in specific services at LuxSci and would like to know exactly which of the HIPAA rules each service meets, the following charts will assist you. Please contact LuxSci for more information.

HIPAA Rule 1. View Email: Secure WebMail, POP, IMAP, or Mobile Sync 2. Send Email: Secure WebMail, SMTP, or Mobile Sync 3. Encryption with SecureLine combined with 1 and 2 4. Secure Collaboration (WebAides)
Access Control – Unique User Identification
Access Control – Emergency Access (a) (a)
Access Control – Automatic Logoff
Audit Controls
Integrity (b) (b)
Person or Entity Authentication (b) (b)
Transmission Security > Integrity Controls (c) (c)
Transmission Security > Encryption (c) (c)
Device and Media Controls > Data Backups
Device and Media Controls > Data Disposal

(a) Our secure document storage service and use of SecureLine for communications may assume that the recipients have special passwords for their “Secure data access certificates” (PGP or S/MIME). These passwords are may be stored in a “Password Escrow” (a special secure password database) if the users so choose. In these cases, passwords to security keys can be retrieved in case of emergency or in case of loss.

(b) Our secure document storage service and use of SecureLine for communications encrypts data so that only the intended recipient(s) can ever view the data. The encryption process also allows the recipient(s) to verify that the data was not altered since it was sent or stored using digital signatures.

(c) SSL/TLS solutions encrypt the message during transport to and from LuxSci’s servers and your personal computer. Email sent from LuxSci to external addresses is secured with the use of SecureLine.

LuxSci provides complete transport layer and end-to-end email security compatible with any email user anywhere, no matter what software they may have.

HIPAA Compliance Checklist

Saturday, January 11th, 2025

Our HIPAA compliance checklist was designed to help organizations understand their obligations under the law. The checklist items are not a complete list, just a starting point for your compliance program. HIPAA requires a yearly risk analysis to identify new vulnerabilities. Any business process change or new technology usage introduces new risk into an organization’s security program, so it’s important to review the standards regularly.

HIPAA Compliance Checklist

Who Does HIPAA Apply To?

First, recall that HIPAA regulations only apply to covered entities and their business associates. Individuals (unless they fall into one on of the following categories) do not have responsibilities under HIPAA. It is okay for a patient to disclose information about their medical conditions and treatments to others in whatever format they choose.

Covered Entities

Covered entities are organizations that provide health care, process medical information, or manage health insurance plans. There are three main categories of covered entities that include:

  1. Health care providers, payers and suppliers: Individuals or organizations that provide care, services, or supplies related to the health of an individual. This category also includes those who sell or dispense pharmaceuticals, medical devices, and equipment in accordance with a prescription.
  2. Health plans: An individual or group plan that provides or pays the cost of medical care.
  3. Health care clearinghouses: An entity that processes medical claims submitted by health care providers to insurance companies.

Business Associates

The HITECH Act extended HIPAA compliance requirements to the business associates of covered entities. A business associate is a company that collects, processes, or stores protected health information (PHI) on behalf of a covered entity. A few examples of business associates include marketing agencies, IT companies, financial services, or legal offices. LuxSci is a business associate. We store and transmit PHI on our servers and networks, and we have a responsibility to our customers to keep that data safe under the law.

Furthermore, the Omnibus rule requires business associates of business associates to also follow HIPAA regulations if they handle ePHI. An example of this scenario would be if a marketing agency working for a hospital contracted LuxSci for web hosting or online form services. Even though we don’t directly work with the hospital in this instance, we must still sign a business associates agreement that outlines how we will secure sensitive information.

Understanding PHI

Before diving into the HIPAA compliance checklist, it’s important to understand what data needs to be secured. HIPAA regulations safeguard protected health information. Otherwise known as PHI, it is simply defined as individually identifiable health-related information. Health-related information includes information about past, present, or future medical conditions, treatments, provisioning, and payments.

To fall under the PHI category, health-related information must be linked to an individual identifier. Some of the most common personal identifiers include: names, email addresses, phone numbers, medical record numbers, photos, and driver’s license numbers. When PHI is electronically stored or transmitted, it is called ePHI.

Medical records are an obvious example of PHI. However, even less sensitive items like email or text appointment reminders can infer medical information about a patient and also need to be properly secured. Think about it: something like an appointment reminder may mention the doctor’s name and the place of treatment in combination with an individual’s name and email address. Depending on the message content, it may be ePHI.

For more details, see: What exactly is ePHI? Who has to worry about it? Where can it be safely located?

It is crucial that organizations understand exactly what PHI they are responsible for protecting. Even seemingly innocuous text messages or email communications can land an organization in trouble if not properly secured.

Understanding the HIPAA Compliance Checklist

HIPAA uses the terms ‘required’ and ‘addressable’ to describe standards within the law. Required (R) means that the standard is mandatory. Addressable (A) means that the standard must be implemented by the organization unless a risk analysis concludes that implementation is not reasonable and appropriate. Important Note: Addressable does not mean optional.

The HIPAA Security Standard reflects a technology-neutral approach. This means that there are no specific technological systems to implement. Organizations must decide and document how they plan to meet each standard.

Which standards should be addressed?

One general rule is that any time there is risk, it should be addressed. If an organization decides to send unencrypted ePHI over the email, then there is a major risk of disclosure. An organization could be considered willfully negligent if an unauthorized user gained access to unencrypted ePHI. If the organization chooses not to encrypt the data, they should fully document and outline their reasoning for why they are choosing not to implement the standard.

Ignoring HIPAA requirements, addressable or required, is “willful negligence.” If there is a breach or violation, the penalties in cases of willful negligence are severe. Ignorance is no excuse.

HIPAA Compliance Checklist

HIPAA standards fall into four categories. Standards denoted with a (R) are required, while those with an (A) are addressable.

Administrative Requirements

Administrative requirements pertain to employee training. Organizations must implement security measures to reduce systemic risks and safeguard electronic and physical information.

  1. Risk Analysis: (R) Perform a risk analysis to understand where PHI is stored to determine what data is at risk.
  2. Risk Management: (R) Implement measures to reduce identified risks to an appropriate level.
  3. Sanction Policy: (R) Implement sanction policies for employees who fail to comply.
  4. Information Systems Activity Reviews: (R) Regularly review system activity, logs, audit trails, etc.
  5. Officers: (R) Designate HIPAA Security and Privacy Officers.
  6. Employee Oversight: (A) Create procedures to authorize and supervise employees who work with PHI, and for granting and removing PHI access to employees. Ensure that an employee’s access to PHI ends with termination of employment.
  7. Multiple Organizations: (R) Protect PHI from unauthorized parent or partner organizations or by unauthorized subcontractors.
  8. ePHI Access: (A) Implement procedures for granting access to ePHI. Document access to ePHI or to services and systems which grant ePHI access.
  9. Security Reminders: (A) Periodically send updates and reminders of security and privacy policies to employees.
  10. Protection Against Malware: (A) Implement procedures to guard against and detect malicious software.
  11. Login Monitoring: (A) Monitor logins to systems and report discrepancies.
  12. Password Management: (A) Ensure there are procedures for creating, changing, and protecting passwords.
  13. Response and Reporting: (R) Identify, document, and respond to security incidents.
  14. Contingency Plans: (R) Ensure that there are accessible backups of ePHI and procedures to restore lost data.
  15. Contingency Plans Updates and Analysis: (A) Periodically test and revise contingency plans.
  16. Emergency Mode: (R) Establish procedures to enable continuation of critical business operations. These procedures include securing electronic protected health information while operating in emergency mode.
  17. Evaluations: (R) Perform periodic evaluations to see if any changes in business operations or the law require changes to HIPAA compliance procedures.

HIPAA Organizational Requirements

Organizational Requirements include the development, documentation, and implementation of security policies and procedures and the management business associate agreements.

  1. Business Associate Agreements: (R) Create and manage contracts with business partners who will have access the organization’s PHI to ensure that they will adequately safeguard data.
  1. Policies, Procedures and Documentation Requirements: (R) A covered entity must implement reasonable and appropriate policies and procedures to comply with the standards and implementation specifications.

HIPAA Physical Requirements

Physical Safeguards concern physical access to buildings, workstations, computer servers, and networks. Only allow authorized access to ePHI and monitor access through established policies to prevent violations.

  1. Contingency Operations: (A) Establish procedures that allow facility access in emergency situations to support the restoration of lost data.
  2. Facility Security: (A) Implement policies and procedures to safeguard the facility and equipment from unauthorized physical access, tampering, and theft.
  3. Access Control and Validation: (A) Institute procedures to control and validate an individual’s access to facilities based on their role or function. Log visitors and control access to software programs.
  4. Maintenance Records: (A) Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security.
  5. Workstations: (R) Establish policies to govern software usage. Set up procedures for proper configuration on systems that provide access to ePHI. Safeguard all workstations the provide access to ePHI and restrict access to only authorized users.
  6. Devices and Media Disposal and Re-use: (R) Create procedures to securely dispose of media that contains ePHI. Put policies in place for the reuse of devices and media that formerly stored ePHI.
  7. Media Movement: (A) Record movements of hardware and media associated with ePHI storage. Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.

HIPAA Technical Requirements

Technical Safeguards ensure the security of data at rest and in transmission. Controlling access to ePHI provides a reviewable log of users in case of a security incident.

  1. Unique User Identification: (R) Assign a unique name or number for identifying and tracking user identities.
  2. Emergency Access: (R) Establish procedures for obtaining necessary electronic protected health information during an emergency.
  3. Automatic Logoff: (A) Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
  4. Encryption and Decryption: (A) Institute a mechanism to encrypt and decrypt electronic protected health information when deemed appropriate.
  5. Audit Controls: (R) Establish hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
  6. ePHI Integrity: (A) Create policies and procedures to secure electronic protected health information from improper alteration or destruction.
  7. Authentication: (R) Implement procedures to verify the identities of people or entities seeking access to electronic protected health information.
  8. Transmission Security: (A) Institute technical security measures to guard against unauthorized access to electronically transmitted protected health information.

What else should you know about HIPAA compliance?

Compliance is an ongoing process, not a one-time event. This HIPAA compliance checklist represents only an overview of the major points. Each organization will need to complete their own risk assessment to understand what data is at risk and the steps they need to take to secure it. It’s easy to see why many organizations choose to work with third parties to secure their technology. If your company needs help with HIPAA compliant email and web services, reach out to LuxSci today.

HIPAA 2010: HITECH Impact on Email and Web Outsourcing

Wednesday, January 20th, 2010

Surprise!  HIPAA has changed, gotten bigger, and grown teeth.

The American Recovery and Reinvestment Act (ARRA, or The Obama Stimulus Bill), signed into law in February 2009, includes new, more comprehensive provisions for HIPAA. These provisions are in a section of the bill known as the Health Information Technology for Economic and Clinical Health Act (HITECH).

For organizations that are already required to abide by HIPAA (i.e. the “Covered Entities” of HIPAA), HITECH adds the following requirements:

Read the rest of this post »