" omnibus Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more
LUXSCI

Posts Tagged ‘omnibus’

What exactly is ePHI? Who has to worry about it? Where can it be safely located?

Friday, September 15th, 2017

There is often a great deal of confusion and misinformation about what, exactly, constitutes ePHI (electronic protected health information) which must be protected due to HIPAA requirements.  Even once you have a grasp of ePHI and how it applies to you, the next question becomes … where can I put ePHI and where not?  What is secure and what is not?

We will answer the “what is ePHI” question in general, and the “where can I put it” question in the context of web and email hosting, and SecureForm processing at LuxSci.

Read the rest of this post »

Opt-out email security: A step towards better HIPAA Privacy Rule compliance

Tuesday, August 22nd, 2017

Breaches of electronic Personal Health Information (ePHI) from email communications amongst HIPAA covered entities, their business associates, and health care consumers reveals a common pattern. Patient records are often emailed unencrypted (see here, here and here), or sent to unintended recipients (examples here and here).  Poor email practices might also cause bulk emails (e.g., health newsletters, office closing notices etc.) to be sent without masking the names/emails of the recipients (see here). All of these can be breaches of HIPAA.

Email Breach

Email breaches continuously leak ePHI from healthcare

While not as prominently exposed by the media as hacking incidents, where large numbers of records can be compromised in a single attack, HIPAA violations owing to poor email practices proceed at steady rate. However, the consequences can be as just as problematic for the healthcare provider, despite the smaller number of exposed individuals. The insidious drip-drip-drip leakage of ePHI via improper email usage is often harder to handle and the sort of ePHI exposed can be subtle.

Read the rest of this post »

HIPAA Law and HITECH/Omnibus Conformance – Small Medical Practice

Monday, August 14th, 2017

As the owner of a small to medium-sized medical business (a 1-19 physician practice, say, with 5-50 employees) you have many concerns – how to hire and retain competent staff, how to deal with your vendors such as office payroll, billing and collection services, and, above all, how to serve your patients’ needs in the most economical and expeditious way.  I.e., by speeding up scheduling, quickly accessing medical records, coordinating treatment with other doctors, etc. Time spent managing your information and communications infrastructure for HIPAA or HITECH compliance may not seem to be the most critical aspect of your work.

HIPAA / HITECH

However, the use of ICT – information and communications technologies –  in the healthcare industry has become increasingly pervasive and has special relevance for every medical practitioner, given the provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which adds more substance to the original Health Insurance Portability and Accountability Act (HIPAA)  privacy and security rules.  HITECH also incentivizes medical practitioners to step up their use of electronic health records (EHR) to “exchange electronic health information with, and integrate such information from, other sources.”

Read the rest of this post »

Opt-In Email Encryption is Too Risky for HIPAA Compliance

Tuesday, July 11th, 2017

A majority of companies and hospitals that offer email encryption for HIPAA compliance allow senders to “opt in” to encryption on a message-by-message basis.  E.g., if the sender “does nothing special” then the email will be sent in the normal/insecure manner of email in general.  If the sender explicitly checks a box or adds some special content to the body or subject of the message, then it will be encrypted and HIPAA compliant.

Opt-in encryption is desirable because it is “easy” … end users don’t want any extra work and don’t want encryption requirements to bog them down, especially if many of their messages do not contain PHI.  It is “good for usability” and thus easy to sell.

Cybersecurity opt-in email encryption

However, opt-in encryption is a very bad idea with the inception of the HIPAA Omnibus rule.  Opt-in encryption imposes a large amount of risk on an organization, which grows exponentially with the size of the organization.  Organizations are responsible for the mistakes and lapses of their employees; providing an encryption system where inattention can lead to a breach is something to be very wary of.

Read the rest of this post »

HIPAA Compliance Checklist: What You Need To Do

Thursday, January 29th, 2015

LuxSci provides HIPAA-compliant services and must itself maintain HIPAA-compliant business operations in order to comply with HIPAA HITECH and Omnibus regulations.  As such, many of our customers and leads look to us to find out exactly what they need to do to be compliant.

This article provides you with a quick and easy-to-read overview of the various things needed for compliance.  The items given below should not be considered a complete or formal list for compliance, nor will doing all of these things guarantee that you are compliant.  As always, we recommend that you consult a lawyer to determine the compliance needs specific to your particular situation

Read the rest of this post »

LUXSCI