phi Archives - HIPAA News, Web & Email Security Tips & News - Plus More | LuxSci

Posts Tagged ‘phi’

Does HIPAA really permit reminding patients to pick up their prescriptions?

Thursday, December 8th, 2016

We get calls and text messages from pharmacies like CVS, reminding us that it is time to pick up and/or renew our prescriptions for drugs or other medical items. When you think about HIPAA, this is confusing. In many cases, these reminders constitute Protected Health Information (PHI) … so is this really allowed?

The default answer of “it must be OK if CVS is doing it” is naive: it discards all of the context about what is and is not permitted, and it offers no insight into when and how other organizations may similarly inform or remind patients of things such as prescriptions and appointments.

Is it really PHI?


Is Skype HIPAA Compliant? If not, what is?

Wednesday, April 6th, 2016

Revision 2016: Since the article was published, Microsoft has started offering a Business Associate Agreement (BAA) for Office 365 Online, of which Skype is a part. While the online documentation is very unclear, Microsoft has indicated that Skype is covered under this BAA, and thus use of Skype can be “HIPAA compliant” as long as you have “Skype for Business” and the signed BAA with Microsoft.

However, Skype lacks many controls and features that are actually required for an organization to be compliant, such as access auditing, backups, and breach reporting. This makes it unclear what the usefulness of its being “covered” under Microsoft’s BAA really is. Microsoft is really just leaving it up to the Skype user to determine whether the use of Skype is appropriate, without taking any steps to ensure that use of Skype really could be compliant. Additionally, even though Skype is covered under Microsoft’s BAA, the regular, free Skype used by most people is not covered. So, for example, a therapist should under no circumstances hold a session with a patient where that patient is using the regular free Skype program.

Original Article Content:

In conjunction with their use of LuxSci HIPAA-compliant email and web hosting services, many small health care practices often ask us about use of Skype and other video conferencing software for communicating with patients over the Internet.

Is it possible to be HIPAA compliant while using Skype for sending PHI via chat, voice, and/or video?  Why?  Everyone else is doing it … shouldn’t I thus be able to as well?

The short answer is “no – don’t use Skype” and “there are other options available that offer this capability and allow you to be HIPAA compliant in the process.”  For the long answer, read on.


Opt-In Email Encryption is too Risky for HIPAA Compliance

Monday, April 13th, 2015

A majority of companies and hospitals that offer email encryption for HIPAA compliance allow senders to “opt in” to encryption on a message-by-message basis. For example, if the user “does nothing special,” then the email is sent in the normal, insecure manner of email in general. If the sender explicitly checks a box or adds some special content to the body or subject of the message, then it is encrypted and HIPAA-compliant.

Opt-in encryption is desirable as it is “easy” … end users don’t want any extra work and don’t want encryption requirements to bog them down, especially if most of their messages do not contain PHI.  It is “good for usability” and thus easy to sell.

However, opt-in encryption is a very bad idea now that the HIPAA Omnibus rule is in effect. Opt-in imposes a large amount of risk on an organization, which grows exponentially with the size of the organization.


Interview with Mason Rothert, CEO of Mediprocity, our partner for SecureChat

Friday, February 20th, 2015

Mason Rothert is the CEO of Mediprocity, the company that we have partnered with and worked closely with to provide LuxSci SecureChat.

Mason Rothert & Nicholas Magers conceived Mediprocity while working together in the healthcare field, calling on physician offices and healthcare provider centers. At the time, Mason Rothert was working as V.P. of Sales and Technology for a management company overseeing long-term care facilities and a full-range therapy company. Nicholas Magers was finishing up his MBA at USC and working for a pulmonary company as a sales director. They decided to combine forces in order to solve the fragmentation of communication amongst covered entities and business associates in healthcare. They would focus on the new technologies available as well as the growing need to encrypt patient health information in order to prevent data breaches.

Mediprocity began in 2009 as a social network for healthcare. The company culture has always been physician-centric and focused on improving communications. As smartphone and text messaging popularity grew rapidly, it was clear in 2010 that Mediprocity needed to become a simple, secure solution for HIPAA-compliant communication. They set out to combine the best elements of instant messaging, SMS text, and email.

LuxSci has integrated the Mediprocity secure communications product into its offering and is continuing to work closely with them to integrate the SecureChat service more and more tightly with LuxSci’s SecureLine secure emailing offerings.

Mason has agreed to this interview so that we can answer many common SecureChat-related questions for you.


HIPAA Compliance Checklist: What You Need To Do

Thursday, January 29th, 2015

LuxSci provides HIPAA-compliant services and must itself maintain HIPAA-compliant business operations in order to comply with HIPAA HITECH and Omnibus regulations.  As such, many of our customers and leads look to us to find out exactly what they need to do to be compliant.

This article provides you with a quick and easy-to-read overview of the various things needed for compliance. The items given below should not be considered a complete or formal list for compliance, nor will doing all of these things guarantee that you are compliant. As always, we recommend that you consult a lawyer to determine the compliance needs specific to your particular situation.


Is a FAX document HIPAA-Secure?

Wednesday, January 28th, 2015

Many organizations, especially in the healthcare industry, have an urgent need to send important and sensitive information, like protected health information (what constitutes PHI?), to organizations via FAX (facsimile).

Why?  Because this is how it has always been done, and everyone is “set up” to be able to handle FAXes quickly and efficiently.

However, with HIPAA security regulations ever-present, our clients want to be sure that their use of FAX is compliant, just as they make sure that their email and web sites meet HIPAA security standards.

Update – for electronic FAXing options, see: HIPAA Faxing: How to Send and Receive FAXes in a Secure and Compliant Way.

Beyond compliance issues, a FAX is not really useful — you essentially get a printout or an image and not an electronic document that can be efficiently used.  This is not good for productivity or for meeting other standards.

Can data sent via FAX be “secure enough” for HIPAA?


Does sending email using BCC make it HIPAA Compliant?

Thursday, January 30th, 2014

People have asked us if sending an email to someone via BCC (Blind Carbon Copy) is HIPAA-compliant. For example, a doctor’s office sending a newsletter to its patients via BCC. The presumption is that, because the recipient’s email address is not visible in a message sent via BCC, there is no way to identify the individual(s) to whom the message was sent, and thus the messages do not contain any “personally identifiable health information” (ePHI) that is protected by HIPAA.

The short answer is “BCC is not good enough.” For the long answer, read on.


Are Replies to my HIPAA-Compliant Secure Emails also Secure?

Friday, October 11th, 2013

Customers of LuxSci HIPAA-compliant email accounts can send secure email messages in a secure and compliant manner to anyone with an email address. One common question is whether the replies back to these messages will also be HIPAA compliant. This is especially a concern when customers choose to use TLS only as a secure means of email delivery.

In this article we will break down the various ways that messages are sent securely from LuxSci to recipients across the Internet, how replies behave, and whether those replies are secure and compliant. At the end, we provide some recommended best practices for maximizing data security.


What exactly does HIPAA say about Email Security?

Friday, August 30th, 2013

Performing daily business transactions through electronic technologies is accepted, reliable, and necessary across the nation’s healthcare sectors. Therefore, electronic communications and email have become a standard in the healthcare industry as a way to conduct business activities that commonly include:

  • Interacting with web-savvy patients;
  • Real time authorizations for medical services;
  • Transcribing, accessing and storing health records;
  • Appointment scheduling;
  • Referring patients; and
  • Submitting claims to health plan payers for payment of the services provided.


How the HIPAA Omnibus Rule Affects Email, Web, FAX, and Skype

Monday, May 6th, 2013

We have written extensively in the past about the impact of HIPAA regulations on email services, web hosting, faxing, and Skype use. The recent HIPAA changes reflected in the Omnibus rule have a significant impact on the use of these types of services. Here, we examine the new and important considerations arising from the HIPAA Omnibus Rule.
