" phi Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more
LuxSci

Posts Tagged ‘phi’

High Volume Transactional Email: Balancing Utility and Marketing

Friday, May 18th, 2018

Your eCommerce customer, Paul, has ordered a special mattress for his bed. He’s put the item into the cart, and paid for it. Now you send a confirmation of purchase email.  But, instead of just a note stating that “we’ve received your payment, and your item has been posted for shipment…” or whatever boilerplate many companies send, you include that message and add photos of three sheets-and-pillowcases products that fit the mattress you just sold him. Paul has his own sheets, but has been thinking about replacing them – now your confirmation email makes him decide to buy them.

All eCommerce companies have to send transactional email, a type of email sent to facilitate an agreed-upon transaction between the sender and the recipient. Common transactional email use cases include doctor appointment reminders, account creation emails, password resets, purchase receipts, account notifications, medical lab results, and social media updates like friend and follower notifications.

What makes transactional email different from ordinary marketing email is that they are sent as part of doing actual business with people – not just chatting with, marketing to, or selling to a customer. In this respect, they are also different from so-called “triggered” emails which may be generated by a number of customer actions – not just transactions.

Transactional email are effective for marketing

Transactional emails are opened eight times more than traditional marketing messages, according to a study by EPSILON.  So it only makes sense to adapt your transactional email for marketing, to take advantage of this unparalleled opportunity to reach your customer with a personalized offer.

Read the rest of this post »

The HIPAA Breach Notification Rule: What it Really Means to Providers and Insurers

Friday, September 15th, 2017

For many providers and insurers, the Breach Notification Rule is still a puzzle waiting for a solution. Partly, this is due to the fact that the rule is complex in itself, and requires attention to every detail. As a matter of fact, we cannot expect to be at our best when someone has stolen our sensitive information.

Do you understand the HIPAA breach notification rule?

To address this problem in the wake of rising health data breaches, we have compiled an easy-to-understand guide to the Breach Notification Rule. Let’s begin the journey with a quick overview of the Breach Notification Rule and its purpose.

Read the rest of this post »

A Complete Guide To HIPAA Law: How It Keeps Your Privacy Protected

Wednesday, September 13th, 2017

HIPAA law was made to protect your health data. But increasing data breaches often raise questions. Learn what HIPAA regulations mean to your privacy.

HIPAA stands for Health Insurance Portability and Accountability Act. Back in 1996, the ever-charming president Bill Clinton signed the papers to enact HIPAA law. The law aims to protect patient’s right to privacy through a secured electronic transmission and storage of health data.

It won’t be an exaggeration if we say the HIPAA regulations came into existence at the right time. In fact, this was the same time patient information began to take a leap from papers to computers.

HIPAA Law protects patient privacy

Before we dig deeper to reveal the current status of HIPAA law, it is of paramount importance that we first learn what it means. After reading this article, you will have insight of HIPAA law, related rules, and what you can do to keep your data safe.

Read the rest of this post »

Is FAXing really HIPAA Compliant?

Tuesday, September 12th, 2017

Many organizations, especially in the healthcare industry, have an urgent need to send important and sensitive information, like protected health information (what constitutes PHI?), to organizations via FAX (facsimile).

Why?  Because this is how it has always been done, and everyone is “set up” to be able to handle FAXes quickly and efficiently.

Go back in time 10-15 years.  Every doctor’s office and small business had one or more FAX machines for sending documents and pictures back and forth.  It was essential technology that became ingrained into business processes through constant, repetitive use.  Everyone knows how to use a FAX machine, even the most technologically challenged staff member.

IS a FAX really HIPAA compliant?

Fast forward to now:

  1. Fax Machines have changed.  They are now all-in-one devices that scan, print, copy, send files to your computer, and more.  The “FAX” ability is now just a minor extra feature.
  2. HIPAA has arrived and evolved.  It used to be that sending patient (ePHI) data via FAX was the norm.  Now, it is perilous to send such private data over regular FAX lines, as it is easy for that process to break down and violate HIPAA.  E.g. see this $2.5 million dollar law suite resulting from 1 fax message.
  3. Everyone has a computer or tablet. Most doctors and staff members have access to email, a HIPAA-secured computer or tablet, and familiarity with how to use them … and have been trained on best practices via the required HIPAA security training that everyone has to have now-a-days.
  4. Paperless offices. Workplaces have or are evolving to become paperless — everything is stored electronically.  Regular FAXes are often disdained in favor or email; when regular FAXes do arrive, they are often scanned to electronic files and then destroyed.
  5. Low resolution. Faxes are low-resolution.  They are slow and they do not contain a great amount of detail.  They are not great for sending anything graphical.

Read the rest of this post »

Opt-In Email Encryption is Too Risky for HIPAA Compliance

Tuesday, July 11th, 2017

A majority of companies and hospitals that offer email encryption for HIPAA compliance allow senders to “opt in” to encryption on a message-by-message basis.  E.g., if the sender “does nothing special” then the email will be sent in the normal/insecure manner of email in general.  If the sender explicitly checks a box or adds some special content to the body or subject of the message, then it will be encrypted and HIPAA compliant.

Opt-in encryption is desirable because it is “easy” … end users don’t want any extra work and don’t want encryption requirements to bog them down, especially if many of their messages do not contain PHI.  It is “good for usability” and thus easy to sell.

Cybersecurity opt-in email encryption

However, opt-in encryption is a very bad idea with the inception of the HIPAA Omnibus rule.  Opt-in encryption imposes a large amount of risk on an organization, which grows exponentially with the size of the organization.  Organizations are responsible for the mistakes and lapses of their employees; providing an encryption system where inattention can lead to a breach is something to be very wary of.

Read the rest of this post »

What makes an App HIPAA-Compliant?

Monday, July 10th, 2017

In the last ten or so years, apps have swept through the world alongside the smartphone boom. Smartphones enabled us to carry miniature computers everywhere we went, so we quickly began to integrate them into our everyday lives.

We stopped asking for directions and used the GPS app instead, we checked out the Yelp app when we wanted to find somewhere good to eat, and we kept track of our friends on Facebook from our mobiles.

People have become accustomed to using apps these days, which has put pressure on many organizations to conduct their services through them. If they don’t offer an app, they may lose customers to their more tech-savvy competitors. The health industry is no different, so apps have become an essential offering for many organizations.

Secure App

In some industries, developing apps may be relatively straightforward, but those that deal with PHI need to make sure that their app is HIPAA compliant. If your company’s app isn’t HIPAA compliant, it could result in heavy fines or a breach of patient data, which could seriously harm your business’s finances and its reputation.

To make a HIPAA-compliant app, privacy and security need to be consider at each step of development.

Read the rest of this post »

How Is HIPAA-Compliant Email Different from Secure Email?

Wednesday, June 21st, 2017

Protected health information (PHI) is heavily regulated under HIPAA, but the exact details can be confusing. The regulations are designed to keep everyone’s private information safe, but they also put a significant amount of responsibility on businesses.

HIPAA regulations apply to just about every aspect of a person’s medical information, including their transit, storage and security. Because email is such an important and extensively-used form of communication, HIPAA regulations apply to it as well.

HIPAA-compliant email vs secure email

Some may think that secure and encrypted email is all you need to keep PHI safe and emails compliant. The reality is that HIPAA email regulations go above and beyond standard secure email. To protect your business, you need to make sure that your email provider is HIPAA-compliant, not just secure.

Read the rest of this post »

What is HIPAA-compliant Email Marketing?

Monday, February 27th, 2017

To achieve HIPPA-compliant email marketing, you need to satisfy two objectives. First, you need to understand the fundamentals of email marketing. Second, you need to execute your email marketing activities within HIPPA’s requirements and restrictions.

HIPAA-compliant email marketing

It’s easy to make a mistake with HIPAA-compliant email marketing, especially when you’re in a rush.

Picture this:

You leave your clinic early on a Thursday afternoon to head off on a vacation. Before you go, you ask your office manager to send off an email blast. You were just certified on a new procedure and you know at least 200 patients in your files would likely benefit from it. A simple message inviting them to the office for a consultation next week is the perfect next step. Your office manager takes some quick notes and promises to send off the note tomorrow. And off you go for a weekend of golf at Pebble Beach.

On your way home, you check your email. You see an angry email from a patient and start reading. It turns out that you’ve violated some arcane HIPAA rules… Even worse, that patient’s sister is an attorney who has promised to call you tomorrow. You’re pretty sure you’ve done nothing wrong but you’re nervous on the flight home.

This situation could have been prevented if your office manager had asked you one simple question:

Read the rest of this post »

Is sharing my patient list with a marketing company OK under HIPAA?

Saturday, February 11th, 2017

We received this questions via Ask Erik from the head of a Dental Practice (who wished to remain anonymous):

“I want to create a Refer-a-Friend program, for a dental practice, that will be managed by a third party marketing agency.  The third party needs only my patient names and address to do an on-going e-mail campaign, no PHI will be given to the third party — just name and e-mail address.

Because I am ‘Marketing” to my own list, and I am NOT marketing any third party products, and I am not receiving any third party payment for anything:

* Am I in any HIPAA danger? (No PHI is ever exchanged, and I am NOT marketing anyone else’s product.)

* Because my PHI is de-identified from the associated names and e-mail addresses, is it OK for me to hand over my patient mail list to my marketing agency (being very careful of course to include NO PHI)?

* Does HIPAA specifically prevent me from marketing my own products to my patient list? I know that marketing other people’s products to my list will require prior consent. But, marketing my own Refer-a-Friend program… how is that a violation?

NOTE: PHI is defined as: “(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”

So, is a mail list of my patients’ names and e-mail addresses considered to be PHI (if it contains no associated PHI as defined above)? The definition above would say NO. The definition above states that it is ONLY the health information about a patient — NOT the patient’s name and e-mail addresses themselves.

Also, on the mail list for the Refer-a-Friend marketing program, there will be names other than patients, probably about 5% are not patients. Does this influence the phi/non-phi question?

This is a very important distinction. Having clarity on this question could free up a lot of us to proceed with e-mail marketing.

If a mailing list, for a dentist, that contains 95% patients and 5% non-patients, and NO health information (just names and addresses)… is it considered PHI?”

Read the rest of this post »

Does HIPAA really permit reminding patients to pick up their prescriptions?

Thursday, December 8th, 2016

We get calls and text messages from pharmacies like CVS, reminding us that it is time to pick up and/or renew our prescriptions for drugs or other medical items. When you think about HIPAA, this is confusing. In many cases, these reminders constitute Protected Health Information (PHI) … so is this really allowed?

The default answer of “it must be OK if CVS is doing it” is naive as it loses all of the context about what is and is not permitted and does not shed any insight into when and how other organizations may similarly inform or remind patients of things such as prescriptions and appointments.

Is it really PHI?

Read the rest of this post »