" phi Archives - LuxSci

Posts Tagged ‘phi’

Does Sending Email Using BCC Make It HIPAA Compliant?

Tuesday, July 13th, 2021

People have asked us if sending an email to someone via BCC (Blind Carbon Copy) is HIPAA-compliant. Take for example, a doctor’s office sending a newsletter to its patients via BCC. When the patients receive a message sent via BCC, they cannot see who else received it. Some may think that because the recipients are hidden, then this email does not contain any individually identifiable information. They assume that this means that the messages do not contain any “electronic protected health information” (ePHI) that is subject to HIPAA regulations.

However, BCC is actually not good enough to protect ePHI.

email bcc hipaa

Read the rest of this post »

Are Replies to my HIPAA-Compliant Secure Emails also Secure?

Friday, June 18th, 2021

Sending HIPAA-compliant secure emails is easy- LuxSci’s services allow you to send secure emails to anyone with an active email address. One common question is whether the replies back to these messages will also be HIPAA compliant. This is especially a concern when customers choose to use TLS only a a secure means of email delivery.

In this article we will break down the various ways that messages are sent securely from LuxSci to recipients across the Internet, and how replies behave — and whether they are secure and compliant. At the end, we provide some recommendations for best practices for maximizing data security.

Read the rest of this post »

Can You Send ePHI in Insecure Emails and Texts with Mutual Consent?

Tuesday, April 27th, 2021

Email and text messaging are among the most common forms of business communication. However, if you are sending ePHI, regular texts and emails are off limits! If you are subject to HIPAA regulations, you will need mutual consent from your patients before sending ePHI insecurely via these methods.

This may seem frustrating because text and email are easy and switching to a secure service can feel like a lot of work. However, when ePHI is mishandled it can have significant repercussions. Personal information can be stolen, made public, and even used in fraud.

Text messaging and normal email carry significant risks to ePHI, because they aren’t designed to be secure. While it is best to only send ePHI over secure services, there may be instances where the patient wants to communicate over these insecure methods. Because of the risks, your organization needs signed mutual consent waivers to proceed with insecure communication.

Does HIPAA Allow Mutual Consent?

Read the rest of this post »

What is HIPAA-Compliant Email Marketing?

Tuesday, April 13th, 2021

Why does your organization need HIPAA-compliant email marketing? It’s simple. Email marketing is a tried and true marketing strategy that can deliver a major return on investment. Healthcare organizations can also benefit from email marketing, but they need to take steps to make sure their messages comply with HIPAA. 

HIPAA email marketing

When Should You Send HIPAA-Compliant Email Marketing?

A HIPAA-compliant email marketing platform is essential to use whenever your organization could be sending electronic protected health information (ePHI). This includes information that is both individually identifiable and relates to someone’s healthcare.

Individually identifiable information includes identifiers like a patient’s name, address, birth date, email address, social security number and much more. Not only does the definition of ePHI cover people’s past, present and future health conditions, but it also includes treatment provisions and billing details.

While anonymous health details or individual identifiers sent by themselves are not covered by the law, when the two are brought together you need to be careful and abide by HIPAA regulations. You will need a HIPAA-compliant email marketing service whenever you send ePHI, and if you think an email may not contain ePHI, it is still best to be cautious.

Examples of HIPAA-Compliant Email Marketing

A good example of an email blast that needs to comply with HIPAA is a newsletter sent to all of a clinic’s cancer patients. At first glance, you might think the email doesn’t not contain any specific PHI. However, upon closer look, it could end up violating HIPAA regulations.

Every email in this campaign contains a personal identifier- the patient’s email address. In this example, only cancer patients received the newsletter, which is also personal medical information. A hacker could infer that anyone who received this email has cancer, which is ePHI and protected under HIPAA. If you use a medical condition to segment email recipients, the email campaign must comply with HIPAA.

It can be difficult to determine if an email contains ePHI. If you sent the exact same newsletter to a list of all current and former patients of the medical clinic, it may or may not contain ePHI. There are a lot of gray areas and it can be difficult to determine if an email contains PHI. We recommend using HIPAA-compliant email marketing for any promotional materials to reduce the risk of violations. 

After reading this, you may be thinking that you should never use patient information to segment email lists. However, if you use a HIPAA-compliant email marketing solution, you can leverage ePHI to send much more effective messages. In the above example, cancer patients actively receiving treatment at your clinic are much more likely to be interested in your business updates. Targeted emails receive much higher open and click rates than those sent to a general list. Sending the right information to your patients at the right time is a very effective patient engagement strategy. 

HIPAA-Compliant Email Marketing Solutions

Finding the right HIPAA-compliant email marketing platform can be challenging. Most of the common vendors aren’t HIPAA-compliant at all. Others claim compliance and will sign BAAs to protect your information at rest, but still require you to not send anything sensitive via email.  Finding a provider that can suit your business needs and can also protect the actual email messages is difficult.

Thankfully, LuxSci’s Secure Marketing email platform has been designed to cater to both needs. Our platform was built with both security and compliance at the forefront. With Secure Marketing, send fully HIPAA-compliant email marketing messages to the right patients at the right time and receive a better return on your marketing investment.

Is Skype HIPAA Compliant? If not, what is?

Saturday, May 9th, 2020

In recent times we have seen a huge push toward telehealth, so many are wondering, “Is Skype HIPAA compliant?” While Skype is a practical tool that many people have access to, it’s important to consider any regulatory obligations you need to meet before you use it.

If your business collects, stores, transmits or processes electronic protected health information (ePHI), then it is subject to HIPAA regulations. Organizations that process ePHI on behalf of other parties also need to stick within the rules, otherwise they may face heavy fines.

Regardless of whether your organization provides health services through video or it uses video platforms to process ePHI in any other way, it needs to make sure it is using software that abides by the regulations.

Wondering, “Is Skype HIPAA compliant?” is a good starting point, but there are several things to consider before you commit to a video conferencing service.

Do You Need a BAA to Make Skype HIPAA Compliant?

A business associates agreement (BAA) is a contract between your organization and any others that process its data. In essence, these agreements outline how ePHI will be used, what control measures will be in place, and where the responsibilities lie between the two parties.

BAAs are absolutely necessary for HIPAA compliance. Even if your organization and its partner share ePHI with every control and security mechanism imaginable, as well as following all other aspects of the regulations, it would still be violating HIPAA if a signed BAA was not in place.

If your organization is going to be sharing ePHI over a video service, then it needs to be HIPAA-compliant.* However, the only way that it can be HIPAA compliant is if a BAA is in place.

Is Only the Business Version of Skype HIPAA Compliant?

Skype comes in several different versions, but the basic, consumer oriented one is not HIPAA compliant. The only type that offers BAAs and which could be made HIPAA compliant is Skype for Business, which is one of Microsoft Office’s business communication tools.  Note that “Skype for Business” is a completely different service than consumer Skype. 

However, it’s also worth noting that Skype for Business is currently being phased out in favor of Microsoft Teams. If you don’t already have a supported version of Skype for Business, you should look for HIPAA-compliant alternatives instead. Support for Skype for Business Online ends in 2021, while support for Skype for Business Server will be extended until 2025.

With this in mind, it’s probably not worthwhile pursuing any version of Skype for HIPAA compliance. If you use the basic version of Skype, you will be violating the regulations, and even if you can get Microsoft to sign a Skype for Business BAA, you may have to switch your software in 2021 anyway.

HIPAA-Compliant Alternatives to Skype

Considering that Skype for Business doesn’t have much time left and that it is not even the same as “regular Skype,” your organization will be better off finding a HIPAA-compliant alternative. One option is LuxSci’s SecureVideo, which was designed specifically to make it easy to stay within the regulations.

SecureVideo was developed from the ground up with HIPAA compliance in mind, ensuring that it became a practical video calling service that made security and compliance simple. The Zoom for Healthcare-based platform is great for telemedicine and other forms of sharing ePHI.

SecureVideo includes handy features like screen-sharing, file-sharing and virtual clinics, with a capacity of up to 100 participants. This makes LuxSci’s SecureVideo a convenient and compliant alternative to Skype.

 

* During the Covid-19 pandemic, HHS has waived responsibility for breaches through non-compliant video conferencing services, like Skype.  So, while Skype may not be compliant, it is OK to use during the pandemic.  However, as the pandemic subsides and this waiver is lifted, you should have transitioned to a service that is actually HIPAA compliant.

LUXSCI