opt out Archives - HIPAA News, Web & Email Security Tips & News - Plus More | LuxSci

Posts Tagged ‘opt out’

Opt-out email security: A step towards better HIPAA Privacy Rule compliance

Tuesday, August 22nd, 2017

Breaches of electronic Protected Health Information (ePHI) from email communications amongst HIPAA covered entities, their business associates, and health care consumers reveal a common pattern. Patient records are often emailed unencrypted (see here, here and here), or sent to unintended recipients (examples here and here). Poor email practices can also cause bulk emails (e.g., health newsletters, office closing notices, etc.) to be sent without masking the names and addresses of the other recipients (see here). All of these can be breaches of HIPAA.


Email breaches continuously leak ePHI from healthcare

While not as prominently exposed by the media as hacking incidents, where large numbers of records can be compromised in a single attack, HIPAA violations owing to poor email practices proceed at a steady rate. The consequences can be just as problematic for the healthcare provider, despite the smaller number of exposed individuals. The insidious drip-drip-drip leakage of ePHI via improper email usage is often harder to detect and contain, and the ePHI exposed can be subtle.


Opt-In Email Encryption is Too Risky for HIPAA Compliance

Tuesday, July 11th, 2017

A majority of companies and hospitals that offer email encryption for HIPAA compliance allow senders to “opt in” to encryption on a message-by-message basis. For example, if the sender “does nothing special,” the email is sent as ordinary, unencrypted email. If the sender explicitly checks a box or adds some special content to the body or subject of the message, then it is encrypted and HIPAA compliant.

Opt-in encryption is desirable because it is “easy” … end users don’t want any extra work and don’t want encryption requirements to bog them down, especially if many of their messages do not contain PHI.  It is “good for usability” and thus easy to sell.


However, opt-in encryption has been a very bad idea since the HIPAA Omnibus Rule took effect. Opt-in encryption imposes a large amount of risk on an organization, and that risk grows with the number of people who can make the mistake. Organizations are responsible for the mistakes and lapses of their employees; providing an encryption system in which a moment of inattention leads to a breach is something to be very wary of.


How to breach your HIPAA-compliant email in 5 minutes while getting coffee

Thursday, June 9th, 2016

Who knew that a quick cup of coffee could lead to the report of a HIPAA breach to the Secretary of Health and Human Services … and a bad day, overall.

Here is what happened:


Are you Minimizing your Risk by using the Next Generation of Opt In Email Encryption?

Friday, September 11th, 2015

We have long held that leaving it to each sender/employee to properly enable encryption for each sensitive message (a.k.a. “Opt In Encryption”) is too risky. Why? Any mistake or oversight immediately equals a breach and liability.

Instead, LuxSci has always promoted use of “Opt Out Encryption,” in which the account default is to encrypt everything unless the sender specifically indicates that a message is not sensitive. The risk with Opt Out Encryption is much smaller than with Opt In. (See Opt-In Email Encryption is too Risky for HIPAA Compliance.)

The problem is: many companies use Opt In Encryption because it is convenient when sending messages without sensitive information — you just send these messages “as usual,” without forethought. These companies are trading a large risk for a small convenience.

LuxSci has solved the “Opt In vs. Opt Out” conundrum with its SecureLine Email Encryption Service.  You could say that SecureLine enables the “Next Generation” of Opt In Email Encryption — combining both usability and security.


How to Setup HIPAA Mutual Consent for Insecure Email at LuxSci

Friday, January 10th, 2014

We have recently discussed how mutual consent may be used to send individuals ePHI via insecure email under HIPAA in certain cases.

If you have decided to use mutual consent in your organization, are properly informing and warning your patients of the privacy risks, are getting proper written waivers from them, and are documenting everything well in preparation for a HIPAA audit, then you’re all set to send the ePHI insecurely.

Right?  Well, there is a little more to it than that.


High Volume Bulk Email: Key Ingredients for Good Deliverability

Monday, October 14th, 2013

How do you ensure your messages make it into your recipients’ inboxes?

Deliverability is key for anyone sending newsletters, announcements, notifications, or any other type of bulk email. As a provider of premium and bulk email services, we constantly advise customers on how they can legitimately avoid having messages marked as spam and ensure that they are not blacklisted. In this article, we consolidate our advice for everyone’s benefit. This includes: building a good mailing list, maintaining your mailing list, email message content, and reputation management techniques like SPF, DKIM, and IP anonymization.


Email Encryption Opt Out Now Available for Outlook and Other Email Programs

Friday, December 7th, 2012

A few weeks ago, we introduced the option for users in security-enabled accounts (such as users subject to HIPAA compliance requirements) to determine for themselves which messages need to be encrypted and which do not.  See: HIPAA Compliant Email – You Decide Which Messages Need Encryption

The “SecureLine Opt Out” feature was then only available to users of our web-based email interface. Now, the “SecureLine Opt Out” feature is also available to:

  • Premium Mobile Sync users on mobile devices
  • Customers using SMTP from mobile devices
  • Customers using SMTP from most email programs (e.g. Outlook, Thunderbird, Mac Mail, etc.)

We have also enhanced Opt Out to enable administrators to have more control over who can and cannot opt out of SecureLine email encryption.
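The opt-in and opt-out policies discussed in these posts, as an added example written for this page (not LuxSci or SecureLine code). It models the outbound gateway decision under both defaults and scores a small constructed set of messages against ground truth to show where each policy breaches. The marker header X-Sensitive, the mailbox addresses, and the administrator allow-list of who may opt out are assumptions; the posts do not say how the SecureLine marker is carried.

```python
"""Opt-in versus opt-out encryption as an outbound mail-gateway policy.

Added example, not LuxSci/SecureLine code. The header name X-Sensitive,
the mailbox names and the opt-out allow-list are assumptions made up for
this illustration.
"""
from email import message_from_string as parse
from email.message import Message
from email.utils import parseaddr
from typing import Callable, Optional

MARKER = "X-Sensitive"  # assumed per-message marker the mail client adds: "yes" or "no"


def marking(msg: Message) -> Optional[bool]:
    """What the sender said about the message: True/False, or None if nothing."""
    value = (msg.get(MARKER) or "").strip().lower()
    if value == "yes":
        return True
    if value == "no":
        return False
    return None  # absent or unrecognised: the sender did not classify the message


def decide_opt_in(msg: Message) -> str:
    """Opt-in: the default is cleartext; encryption needs an explicit 'yes'.
    A forgotten marker therefore fails open."""
    return "encrypt" if marking(msg) is True else "plain"


def decide_opt_out(msg: Message, may_opt_out: frozenset) -> str:
    """Opt-out: the default is encryption; cleartext needs an explicit 'no'
    from a sender the administrator has permitted to opt out.
    Anything ambiguous fails closed."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if marking(msg) is False and sender in may_opt_out:
        return "plain"
    return "encrypt"


def build(sender: str, subject: str, marked: Optional[str]) -> str:
    """Constructed outbound message (not real traffic); marked=None means the
    sender added no marker at all."""
    lines = [f"From: {sender}", "To: patient@example.net", f"Subject: {subject}"]
    if marked is not None:
        lines.append(f"{MARKER}: {marked}")
    return "\n".join(lines) + "\n\nbody\n"


# Constructed corpus: (raw message, whether it really contains ePHI). The ePHI
# flag is ground truth used only for scoring; the gateway never sees it.
CORPUS = [
    (build("dr.a@clinic.example", "Lab results", "yes"), True),           # attentive, PHI
    (build("dr.a@clinic.example", "Re: follow-up", None), True),           # forgot marker, PHI
    (build("dr.a@clinic.example", "Lunch?", None), False),                 # forgot marker, no PHI
    (build("front@clinic.example", "Office closed Monday", "no"), False),  # correct opt-out
    (build("dr.b@clinic.example", "Your MRI", "no"), True),                # misjudged PHI, may not opt out
    (build("front@clinic.example", "Billing detail", "no"), True),         # misjudged PHI, may opt out
]

# Assumed administrator setting: only the front desk may send in the clear.
MAY_OPT_OUT = frozenset({"front@clinic.example"})


def count_breaches(policy: Callable[[Message], str], corpus=CORPUS) -> int:
    """A breach is an ePHI-bearing message that leaves the gateway in the clear."""
    return sum(1 for raw, has_phi in corpus
               if has_phi and policy(parse(raw)) == "plain")


def compare(corpus=CORPUS, may_opt_out=MAY_OPT_OUT) -> dict:
    """Breach count for the same traffic under each default."""
    return {
        "opt_in": count_breaches(decide_opt_in, corpus),
        "opt_out": count_breaches(lambda m: decide_opt_out(m, may_opt_out), corpus),
    }


if __name__ == "__main__":
    print(compare())  # {'opt_in': 3, 'opt_out': 1}
```

The asymmetry is the whole argument: under opt-in, a forgotten marker and a misjudged marker both send ePHI in the clear, while under opt-out a forgotten marker is harmless and a misjudged one is caught whenever the administrator has not granted that sender the right to opt out. The one remaining opt-out breach in the corpus is a permitted sender marking ePHI as not sensitive, which is why the per-user control over who may opt out matters as much as the default itself.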

HIPAA Compliant Email – You Decide Which Messages Need Encryption

Friday, November 16th, 2012

Customer feedback is extremely important to LuxSci, and we have listened once again. Customers faced with the need for HIPAA-compliant email now have the option to decide on a per-message basis which messages need encryption (e.g. those containing Protected Health Information, PHI) and which do not. Routine correspondence that carries no PHI no longer needs to be encrypted, and users no longer have to maintain separate user accounts or profiles to send regular email messages.
