" phi Archives - LuxSci

Posts Tagged ‘phi’

Infographic: Most Email Software Cannot Use PHI

Thursday, January 12th, 2023

Email Communication is Necessary- But Introduces Risk

When it comes to receiving communications from businesses, 93% of people say that email is their preferred communication channel. In the healthcare industry, organizations must take extra care to comply with HIPAA. Only some email marketing platforms can adequately protect PHI. If not properly secured, email can introduce significant risks to sensitive data. 72% of organizations report experiencing an email cyberattack.

As the definition of PHI is ever-expanding to include information like biomarkers, organizations need to adopt a more secure posture for their personal, transactional, and marketing email. Cybercriminals seek out personal data because it is highly valued on the dark web. Data Loss Prevention (DLP) and policies preventing users from sending PHI insecurely are not enough.

Humans are prone to error and often make mistakes classifying PHI. Even DLP technology is not infallible- keywords can be misspelled, and PHI only sometimes fits cleanly into pre-determined filters. 40% of threats stem from internal actors. Many are not malicious, just mistakes! You must account for errors when humans are part of your security program.

So how can you prevent data leakage and ensure the security of sensitive data at rest and in transit? It’s simple when you choose the right solution. Resolve the tension between security risk and business engagement objectives by choosing a fully compliant email marketing solution.

infographic email phi(Click to Expand)

Two Requirements for Including PHI in Marketing Emails

Secure Application

HIPAA does not require at-rest encryption, though it is recommended to decrease risk and potential liability. When using email marketing platforms or customer relationship management systems that contain PHI, it’s essential to keep that information protected. You must ensure that all collected and stored protected health information is encrypted and can only be accessed and decrypted by people with the appropriate keys. This makes backups secure, protects data from being improperly accessed, and generally protects the data no matter what happens (unless the keys are stolen). Encryption is essential to protect private health data at rest in an application.

Transmission Encryption

If protected health information is transmitted outside of the database or application, encryption must also be used to protect the data in transmission. At a minimum, TLS encryption (with the appropriate ciphers) is secure enough to meet HIPAA guidelines. However, TLS alone may not be appropriate for your use cases. Non-compliant and quasi-compliant applications do not offer transmission encryption that is secure enough to comply with HIPAA. You should only send communications containing PHI if they are encrypted.

Types of Email Marketing Solutions

Non Compliant (1)

Many of the most popular email solutions on the market were not designed to protect the sensitive data of the healthcare industry. These vendors will not sign Business Associate Agreements and do not provide the storage or transmission encryption needed to meet HIPAA requirements. Healthcare organizations should only use these solutions if they do not send PHI- which may be impossible if you plan to email lists of patients with any information about their healthcare. 

Quasi Compliant (2)

HIPAA does not require any specific technology to meet its requirements, which allows for flexibility, but also creates uncertainty. No central government organization certifies HIPAA compliance, and as a result, many organizations advertise themselves as “HIPAA-compliant” but don’t enable you to take full advantage of their functionality. We call this “Quasi compliance.”

Quasi-compliant solutions often provide a secure application and protect patient data at rest. However, they will not permit you to send emails or transmit PHI outside the database. This can seriously limit the usefulness of the solution. Take a real-life example: one healthcare organization purchased a CRM system and set it up, uploaded their contacts, and was ready to start using it, so they enabled the “HIPAA Compliance” toggle on the backend. They quickly found that much of the functionality was no longer available and wouldn’t allow them to email or log certain data types. The solution was almost useless for their patient engagement efforts.

Other applications will permit you to use the full functionality of the solution, but when you read the terms of the Business Associate Agreement, it is clear that you are not allowed to send PHI. If signed, your organization will be responsible for any breaches caused by sending PHI insecurely, not the vendor.

Full Compliance (4)

This is why it’s crucial to vet solutions carefully and not take shortcuts regarding HIPAA compliance. Any CRM, CDP, or email marketing solution must protect data at rest in a secure application and encrypt transmitted messages. Even more importantly, it shouldn’t take any extra training or require any extra steps to use in a compliant way.

At LuxSci, (3) we provide a secure application to manage your email campaigns that encrypts transmitted messages automatically. Our Secure Marketer solution is designed to meet the unique security needs of healthcare organizations. All email transmissions are encrypted automatically, and users can choose the right type of encryption (TLS, Portal Pickup) to meet their email use cases. Automatic encryption gives your security and compliance teams peace of mind that all messages are sent securely. Data is protected throughout the lifecycle and does not require employees to decide whether a message contains PHI. Healthcare marketers can fully use PHI to personalize and customize messaging to increase patient engagement and get better ROI on their marketing campaigns. 

Tips for Improving Account Security

Thursday, December 8th, 2022

Securing access to protected health information is a crucial tenant of HIPAA compliance. Your employees may have access to sensitive information, so ensuring their accounts are secure is essential to protecting this data. While you can’t stop users from making poor choices, there are administrative actions you can take to help improve account security. We’ve created a list to help assess your security stance.

account security

What are Access Controls?

First, let’s define what we mean by access controls. In the context of HIPAA compliance, access controls refer to the technical and physical safeguards required to maintain the integrity and confidentiality of protected health information. Physical access controls include protecting the physical security of PHI located on physical servers, files, and other hardware. This is easy to understand. File cabinets are locked, rooms require passkeys or access codes to enter, and there are often sign-in and out sheets for physical files or information.

Access controls are more complicated for digital storage. In today’s world, most electronic protected health information (ePHI) is digitally stored in EHRs, databases, or the cloud. This article discusses ways to improve account security to maintain the integrity and confidentiality of digitally stored ePHI.

Account Security Checklist

Below we’ve compiled some of our tips for improving account security. Note that HIPAA does not make specific technical recommendations for how to meet its requirements. There are many ways to meet HIPAA requirements that do not dictate the use of any specific technology. However, keep in mind that the goal is to secure the sensitive data entrusted to your organization, not just check off compliance requirements.

Unique Accounts

To track who is accessing protected health information, it’s essential that account logins are not shared among staff members. When users share login credentials, it is impossible to tell who accessed information when reviewing audit logs. This can create issues when dealing with a security incident. By clearly designating logins to individuals, it’s easy to determine who is accessing PHI and to detect unusual activity. Ensure your employees understand that sharing logins is not allowed and set policies to enforce this rule.

Secure Passwords

Many people understand the importance of having a secure password, but it’s still shocking how many people use insecure or easily guessed passwords. According to a report from LastPass, 95% of IT professionals said that passwords pose security risks to their organization. They reported that employees frequently mishandle passwords, sharing them too liberally and via insecure methods. A few steps you can take to improve password security include:

  • Using unique passwords for each account
  • Requiring the use of special characters, numbers, and capitalization
  • Randomly generating passwords
  • Using password managers to store account information securely

Administrators should create policies for passwords and enforce as many of these requirements as possible by default. Don’t rely on users making the right decisions.

Multifactor Authentication

If a user’s password is weak and gets compromised, multifactor authentication can help keep accounts secure. Multifactor authentication requires a second piece of information (usually a six-digit code) to complete the login process. The code is sent to or generated by a second device. Without access to this code, a hacker cannot log in to the account, even if they have the username and password.

We recommend using an application (like DuoSecurity or Google Authenticator) to generate the second factor because a competent hacker can intercept codes sent by text/SMS.

Time and Location-Based Settings

These settings are not required for HIPAA compliance but provide an additional layer of security. Administrators can stop logins that take place from outside of pre-set geographic regions. This is useful because many cybercrimes are launched from foreign countries. For example, logins coming from countries like Russia, China, or Iran could be forbidden by administrators. In addition, admins can lock users out when it is not their regular working hours. For example, keep users from logging in between 10pm-6am (or any time of your choosing.) Many malicious actions take place outside of regular operating hours to avoid notice. Be sure to have a way to override this in case of an emergency.

IP Restricted Logins

Restrict logins even further by requiring them to come from specific IP addresses. Administrators can use VPNs to secure traffic to their applications. The user will not be able to log in if the attempt does not come from the correct IP address.

Role-Based Permissions

Another factor to keep in mind is the principle of least access. Users should only have access to the systems required to perform their job duties. Not every user should have access to every system. Reducing the number of logins available decreases the attack surface and reduces risk. This is a key tenet of the Zero Trust security philosophy.

Automatic Log Out

Finally, prevent users from staying logged into sensitive systems indefinitely. Enforce automatic logouts after a point of idleness (this could be five minutes, 30 minutes, or an hour depending on your situation). This helps prevent unauthorized access to protected information after a user has legitimately logged in.

Conclusion

These tips represent just a few ways that administrators can improve the security of their users’ accounts and protect access to PHI.

LuxSci and StepAhead Partner to Protect Patient Data

Thursday, November 17th, 2022

Boston, MA- November 2022 – LuxSci, a provider of HIPAA-compliant email services, is pleased to announce a new partnership with StepAhead, a software company focused on protecting healthcare data. By partnering with LuxSci, StepAhead helps healthcare technology organizations protect sensitive data so they can utilize it in ways that do not compromise patient privacy.

“LuxSci is thrilled to work with StepAhead. Their unique approach to data security and patient privacy is a perfect complement to LuxSci’s email encryption technology. By partnering with StepAhead, we can support our enterprise technology customers as they develop the solutions that will change the future of healthcare delivery for the better,” said Heather Clark, Vice President of Partnerships at LuxSci.

The healthcare ecosystem is rapidly changing, and digital innovation is essential to serve the needs of patients. However, digital tools introduce risk to sensitive data like protected health information. The partnership allows LuxSci and StepAhead to help healthcare technology companies address the complex data security and compliance questions that arise during digital transformation.

“The synergies between our two companies and the complementary security solutions we offer, provide a powerful combination for healthcare organizations. LuxSci owns the space where movement of sensitive data is a necessary business process by applying their encryption technology to keep that data safe. StepAhead provides tools to further leverage that data, in an anonymized form with the highest level of utility, so it can be distributed freely without fear of breach. This helps expand the value of the sensitive data without increasing the risk profile for all situations where the original sensitive data is not necessary,” said Kurt Ring, Co-Founder and VP of Sales at StepAhead.

StepAhead’s innovative Tarmiz technology offers a new model for protecting PHI with targeted data anonymization. This process enables organizations to maintain the integrity and authenticity of their native data without being exposed to unnecessary risk or undesirable outcomes.

LuxSci provides secure email solutions to help healthcare organizations meet compliance requirements and protect patient data. LuxSci’s SecureLine encryption technology helps healthcare providers reduce risk profiles while providing easy-to-use email tools.

The partnership between LuxSci and StepAhead will help further expand the security around sensitive data and provide additional options for organizations looking to utilize that data in the most effective and safest ways possible. To learn more about SecureLine visit www.luxsci.com and for more information on Tarmiz visit https://stepahead.dev/learnmore/.

Rules for Using PHI in Patient Engagement

Friday, November 11th, 2022

As you know by now, we believe strongly in the benefits of using protected health information (PHI) to create highly targeted and personalized email campaigns. However, before you dive in and kick off your campaigns, you must be aware of the complex compliance requirements governing healthcare organizations’ marketing communications.

using PHI for patient engagement

Reminder: What is PHI?

PHI, or protected health information, is “individually identifiable protected health information.” Protected health information refers specifically to three classes of data:

  1. An individual’s past, present, or future physical or mental health or condition.
  2. The past, present, or future provisioning of health care to an individual.
  3. The past, present, or future payment-related information for the provisioning of health care to an individual.

For protected health information to be “individually identifiable,” the data can be linked to a specific individual (even if this is very indirect). There are 18 types of identifiers for an individual. Any one of these identifiers, combined with “protected health information,” would constitute PHI.

It’s often more complicated than it looks. For example, if you are running email campaigns, an email address is an individual identifier because it can be connected to a specific individual. That, combined with the email content, which often refers to the name of the provider, information about their health conditions, insurance coverage, or upcoming appointments, means that most communications from a healthcare practice could qualify as PHI.

HIPAA Rules for Using PHI in Patient Engagement

HIPAA regulates patient privacy. Healthcare organizations and their associates must obtain consent and implement technical safeguards before starting marketing campaigns.

HIPAA Privacy Rule

According to the U.S. Department of Health & Human Servicesyou must acquire consent to send marketing communications under the HIPAA Privacy Rule. It reads, “With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing.”

The Privacy Rule defines “marketing” as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” This also applies to many patient engagement communications.  

Generally, if the communication is “marketing,” then the communication can only occur if the covered entity obtains an individual’s authorization. Organizations must keep track of who has consented to receive marketing communications and allow them to opt-out at any time. We further discuss the nuances of patient consent for marketing communications here.

HIPAA Security Rule

All covered entities and their Business Associates are subject to the HIPAA Security Rule. If you are working with a vendor (like a marketing consultant, email marketing platform, or ad agency) that will have access to PHI, you need to enforce a Business Associate Agreement.

The HIPAA Security Rule categorizes the necessary safeguards into three categories: Physical, Administrative, and Technical Safeguards. More details about the requirements for each can be found here. Any vendor you choose to work with must follow these regulations. Some basic requirements include the following:

  • Physically protecting data and where it is stored,
  • Training staff on handling PHI, and
  • Setting up technology to protect PHI properly.

Assuming your patient engagement campaigns are primarily occurring via email, at a minimum, you must ensure that the email marketing vendor will:

  • Protect data at rest and
  • Protect data in transmission.

This means utilizing encryption to ensure that PHI cannot be eavesdropped on. Many popular email marketing vendors do not encrypt PHI in transmission. It’s extremely important to choose a provider who can protect PHI following HIPAA regulations.

hipaa compliant applications

The Benefits of Using PHI for Patient Engagement

Once you have established the proper policies and procedures, signed a BAA, and put any technical requirements in place, you can start segmenting and personalizing emails using PHI. Here are some segmentation and personalization ideas to get started.

By applying these techniques and using PHI in your patient engagement strategy, you can:

  • Design targeted patient journeys
  • Deliver better patient outcomes
  • Improve ROI and reduce costs

Contact us today to learn more about how to securely engage patients using PHI.

Is Medical Billing Information Protected Under HIPAA?

Tuesday, August 9th, 2022

Electronic medical billing requires access to protected health information to accurately bill and receive payment for medical treatments. While not covered entities, medical billing companies are often contracted as business associates and fall under HIPAA regulations.

Title II of HIPAA applies directly to medical billing companies. It dictates the proper uses and disclosures of protected health information (PHI) and simplifies claims and billing processing.

electronic medical billing

What is Protected Health Information (PHI)?

Protected health information is “individually identifiable” health information. It specifically refers to three classes of data:

  1. An individual’s past, present, or future physical or mental health or condition.
  2. The past, present, or future provisioning of health care to an individual.
  3. The past, present, or future payment-related information for the provisioning of health care to an individual.

As listed in item three, payment-related information tied to healthcare provisioning is protected data under HIPAA. This can include information about insurance carriers and payments, billing statements, receipts, credit card numbers, bank accounts, and other financial information.

To be classified as PHI, payment-related information must be tied to an individual identifier. For example, a medical bill with a patient’s address can be tied back to a specific individual. These identifiers can sometimes be quite indirect. There are 18 types of identifiers for an individual (listed below). Any of one of these, combined with information on healthcare payments, would constitute PHI:

  • Name
  • Address (all geographic subdivisions smaller than a state, including street address, city, county, zip code)
  • All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
  • Telephone number
  • Fax number
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Any vehicle or other device serial number
  • Device identifiers or serial numbers
  • Web URL
  • Internet Protocol (IP) address numbers
  • Finger or voiceprints
  • Photographic images
  • Any other characteristic that could uniquely identify the individual

The Risks to Medical Billing Companies

It should be evident that medical billing companies work with a lot of PHI. As such, they must take steps to protect that information under HIPAA regulations.

Third-Party Risk

Many healthcare systems contract medical billing companies to process claims and bill patients and insurance companies. These companies can present significant risks to protected health information if not adequately vetted. All third-party companies that handle PHI on behalf of a covered entity must sign a business associate agreement. This document discusses how sensitive medical billing information will be stored, secured, and transmitted. It is also essential to ensure that the billing companies understand their obligations under the privacy and security rules and have implemented the proper physical, technical, administrative, and organizational standards. This can be verified via security audits and assessments.

Third parties like medical billing companies are often targets for cyberattacks. From 2020 to 2021, cyberattacks on business associates increased by 18%. The rich trove of financial and health data they have is often more comprehensive and less secure than a hospital’s electronic health records system. Unlike covered entities who frequently work under HIPAA regulations, third parties may not wholly understand it. As a result, they may fail to take the technical steps needed to secure sensitive data.

How to protect electronic medical billing information

Like many healthcare organizations, financial institutions are also undergoing digital transformation and are moving to digitize healthcare payment processes. Digitization is an effective way to reduce payment times and improve patient satisfaction. However, it also introduces risk. Digital systems that contain healthcare billing information must implement the proper safeguards, including:

  • Organizational requirements that describe how policies and procedures will be implemented and obligations concerning business associate contracts.
  • Administrative requirements related to how employees access PHI.
  • Physical safeguards that encompass the security of computer systems, servers, and networks, access to the facility and workstations, data backups and storage, and the destruction of obsolete data.
  • Technical safeguards that ensure the security of data transmitted over an open electronic network and the storage of that data.

Protecting Electronic Medical Billing Information In Databases

Digital billing information that is stored in electronic databases or online web portals must be secured in the following ways:

  • Using a secure and HIPAA-compliant web and database host.
  • Limiting access to only authorized users.
  • Requiring unique logins and complex passwords with multifactor authentication to access ePHI.
  • Encrypting the contents of the database so they cannot be accessed if there is a breach.
  • Making regular backups of the database and storing them independently of the main system.

Sending Healthcare Billing Notifications Digitally

Many people now prefer to receive electronic medical billing notifications via email. A survey of 3,000 US consumers found that 85% are already using e-billing, and 47.6% find it is faster to pay bills electronically. However, using email, text messaging, or other digital communication forms introduces new risks and requires remediation to protect ePHI in transmission. These safeguards include:

  • Encrypting messages in transit
  • Authenticating user identities and sending domains
  • Requiring unique user logins and complex passwords
  • Protecting against threats with anti-virus software, email filtering, and other malicious scanning tools.
  • Creating audit logs and reviewing them for suspicious activities.

Services like LuxSci’s Secure High Volume Email can integrate with existing systems to send automated encrypted billing notifications via API or SMTP.