" phi Archives - Page 2 of 5 - LuxSci

Posts Tagged ‘phi’

HIPAA Compliance for Mobile Apps

Tuesday, November 9th, 2021

Many people rely on mobile devices to access the Internet, and apps are a convenient way to deliver online services. The health industry has also turned to mobile apps to provide health care services on the go.

In some industries, developing apps may be relatively straightforward. However, those that deal with PHI need to understand the HIPAA compliance requirements for mobile apps. If your company’s app isn’t HIPAA compliant, it could result in heavy fines or a data breach, which could seriously harm your business’s finances and its reputation.

To develop a HIPAA-compliant app, privacy and security need to be considered from the start.

hipaa compliance for mobile apps

What Exactly Is an App?

Before we get too deep into HIPAA compliance, we should take a step back and clarify what an application is. Most people use them every day, but not everyone will know how they differ from other kinds of software.

At its highest level, an app is a software program that is designed to help users perform activities. This contrasts with system software, such as an operating system, which generally works in the background.

The three main types are web apps, desktop apps and mobile apps. Web apps run in your browser, things like your webmail or Google Translate. Desktop apps tend to be full-featured, while mobile apps are stripped-back versions that focus on making the most out of the tablet or smartphone experience. There are also hybrid apps that embed mobile websites inside apps.

While Microsoft Word and the alarm clock on your phone are both apps, people will often be referring to mobile apps when they use the term.

Does My App Need to Be HIPAA-Compliant?

Health and wellness apps have become more sophisticated and are often recommended by medical practitioners to help patients manage medical conditions. However, not every app is required to meet HIPAA regulations. To determine whether an app should be HIPAA-compliant, consider whether your business practices make you a covered entity or a business associate of an entity.

Another complex aspect is understanding what actually counts as PHI. PHI is identifiable information that includes medical test results, prescriptions, billing details and insurance, among an array of other things. Weight loss data, calories burned, heart rate and other similar readings are not normally considered PHI unless they are attached to identifiable information.

If your business processes PHI as a covered entity or a business associate, you are subject to HIPAA regulations. If your company offers services directly to customers that are unrelated to their healthcare provider or insurance, it is unlikely to be covered by HIPAA.

Because of this, apps like MyFitnessPal are exempt from the regulations, because they don’t process PHI, nor do they conduct their business through healthcare providers. Conversely, an app from your health plan that stores your healthcare records would be regulated under HIPAA. Similarly, email, chat, texting, and video conferencing apps that may be used by healthcare providers to communicate with their patients would also need to be HIPAA-compliant. 

If you do not secure PHI properly, you could be subjected to financial penalties. The FTC recently announced it will begin enforcing the Health Breach Notification Rule for health apps. The rule requires entities to deliver breach notices to customers by first class mail no later than 60 calendar days after discovering a breach. Companies must also notify the FTC and in some cases, the media. Companies can face penalties up to $43,000 per violation per day for noncompliance.

HIPAA Compliance for Mobile Apps

If your company has an app that falls under HIPAA regulations, you will need to put serious consideration into its privacy and security measures. It is best to keep HIPAA in mind from the earliest planning stages to ensure that the app is compliant and to reduce the chance of penalties or any significant breaches. App security starts with corporate compliance; your company and your developers need to do all of the things necessary for compliance (see HIPAA Compliance Checklist), including training, risk assessments, etc.

From the app design stage forward, you should limit the use and sharing of PHI in your App to the minimum that is necessary to complete the task. If your data is processed by any outside entities, you will also need to sign a business associate agreement (BAA) with them to ensure that they are complying with the regulations as well.

You should also understand the additional risks that come with processing PHI on devices. Smartphones and tablets can easily be lost or stolen and they have a range of features that bring new security challenges.

Developing an app brings up a different set of complications when compared to SaaS (software-as-a-service .. i.e. using web-based applications), because apps generally store data locally and need access control measures in place to ensure that the data is secure. Because of this, it is best to go above and beyond HIPAA regulations to safeguard your customer data.

Control Access to Protect PHI

Access control is critical for apps that process PHI. Mobile devices have a high risk of being stolen or accessed by unauthorized entities. With the right access control measures in place, the risk of anyone being able to view sensitive patient data is minimized.

First, ensure that your app can only be accessed with a unique ID. To authenticate their identity, a user also needs to prove who they are. Require the use of a strong password or biometric data (like fingerprints) to login.

If PHI is going to be available in an app, automatic logoff is important for preventing unauthorized access. People often keep their apps logged in and leave their devices unattended. Without automatic logoff after a set period of time, the user’s PHI becomes more vulnerable to unauthorized access. Many apps neglect auto-logoff and keep users logged in indefinitely, relying instead on the device’s own login and logoff functionality instead. This may be sufficient to pass your HIPAA risk assessments; however, it is far more secure (though far more annoying) to institute app-level login and logoff requirements. Perhaps the pervasiveness of biometrics will make remove the annoyance factor of requiring authentication to gain access on demand.

We highly recommend that app developers institute auto-lockout after a short period of inactivity and use fingerprints or other means to resume access. Several access failures should cause your app to back off and require the full regular password to re-authenticate. This mitigates the weaker nature of a fingerprint or pin for access resumption.

Encrypt App Data

Encryption is another key aspect of preventing PHI from being exposed. Data should be encrypted at all times except when it is in use. This prevents anyone who may be listening in from accessing the data. Instead of being able to view the PHI, all they will see is ciphertext. Data encryption can safeguard PHI from other running apps and from attackers who may be trying to break into a device’s hard drive. Relying on a device’s disk encryption provides a basic layer of safety, but it does not protect data against other malicious running apps.

Auditing to Monitor Access

Any HIPAA-compliant app should have mechanisms in place to monitor and log access to PHI. These logs help detect any unauthorized access in the event of a breach.

HIPAA-Compliant Web Hosting

Apps are often just the front-end interface of a company’s website. To protect data on the back-end, host the website with a HIPAA-compliant provider. Your company needs to sign a business associate agreement with the provider to ensure that they are safeguarding PHI. LuxSci offers HIPAA-compliant hosting and we even have a free eBook that goes through the subject in more depth.

Keep Your App Updated

The threat landscape is constantly changing. Update your app whenever new vulnerabilities are discovered to protect patient data. Outdated apps are easy targets for hackers, so it is essential to patch regularly.

Be Careful with Push Notifications

Push notifications are visible even when a screen is locked. Do NOT include PHI in these notifications. If someone else sees a push notification that contains PHI, it could be considered an unauthorized access violation. This unauthorized disclosure could result in fines for your organization.

Mobile Apps Are Easy to Use, but Are They Secure?

Many healthcare organizations are seeing the value in developing apps for their patients because of their simple nature and ubiquity. While apps can certainly be useful, companies need to tread carefully and consider HIPAA regulations from the start.

Devices and apps introduce a range of security and privacy issues. It is exceedingly important that adequate measures are taken to guard the PHI of users. If neglected, your organization could face significant penalties or a serious breach. When developing a mobile application, consider your security and compliance requirements from the start.

Does Sending Email Using BCC Make It HIPAA Compliant?

Tuesday, July 13th, 2021

One common misconception is that sending emails to a list of recipients using BCC (Blind Carbon Copy) makes it HIPAA-compliant. For example, a doctor’s office sends a newsletter to its patients using BCC to hide the other recipients. Patients who receive a message sent via BCC cannot see who else received it. Some may think this email does not contain any identifiable information because the individual recipients are hidden. They assume the messages do not contain any “electronic protected health information” (ePHI) subject to HIPAA regulations.

However, BCC is not good enough to protect ePHI.

email bcc hipaa

Read the rest of this post »

Are Replies to my HIPAA-Compliant Secure Emails also Secure?

Friday, June 18th, 2021

Sending HIPAA-compliant secure emails is easy- LuxSci’s services allow you to send secure emails to anyone with an active email address. One common question is whether the replies back to these messages will also be HIPAA compliant. This is especially a concern when customers choose to use TLS only a a secure means of email delivery.

In this article we will break down the various ways that messages are sent securely from LuxSci to recipients across the Internet, and how replies behave — and whether they are secure and compliant. At the end, we provide some recommendations for best practices for maximizing data security.

Read the rest of this post »

Can You Send ePHI in Insecure Emails and Texts with Mutual Consent?

Tuesday, April 27th, 2021

Email and text messaging are among the most common forms of business communication. However, if you are sending ePHI, regular texts and emails are off limits! If you are subject to HIPAA regulations, you will need mutual consent from your patients before sending ePHI insecurely via these methods.

This may seem frustrating because text and email are easy and switching to a secure service can feel like a lot of work. However, when ePHI is mishandled it can have significant repercussions. Personal information can be stolen, made public, and even used in fraud.

Text messaging and normal email carry significant risks to ePHI, because they aren’t designed to be secure. While it is best to only send ePHI over secure services, there may be instances where the patient wants to communicate over these insecure methods. Because of the risks, your organization needs signed mutual consent waivers to proceed with insecure communication.

Does HIPAA Allow Mutual Consent?

Read the rest of this post »

What is HIPAA-Compliant Email Marketing?

Tuesday, April 13th, 2021

Why does your organization need HIPAA-compliant email marketing? It’s simple. Email marketing is a tried and true marketing strategy that can deliver a major return on investment. Healthcare organizations can also benefit from email marketing, but they need to take steps to make sure their messages comply with HIPAA. 

HIPAA email marketing

When Should You Send HIPAA-Compliant Email Marketing?

A HIPAA-compliant email marketing platform is essential to use whenever your organization could be sending electronic protected health information (ePHI). This includes information that is both individually identifiable and relates to someone’s healthcare.

Individually identifiable information includes identifiers like a patient’s name, address, birth date, email address, social security number and much more. Not only does the definition of ePHI cover people’s past, present and future health conditions, but it also includes treatment provisions and billing details.

While anonymous health details or individual identifiers sent by themselves are not covered by the law, when the two are brought together you need to be careful and abide by HIPAA regulations. You will need a HIPAA-compliant email marketing service whenever you send ePHI, and if you think an email may not contain ePHI, it is still best to be cautious.

Examples of HIPAA-Compliant Email Marketing

A good example of an email blast that needs to comply with HIPAA is a newsletter sent to all of a clinic’s cancer patients. At first glance, you might think the email doesn’t not contain any specific PHI. However, upon closer look, it could end up violating HIPAA regulations.

Every email in this campaign contains a personal identifier- the patient’s email address. In this example, only cancer patients received the newsletter, which is also personal medical information. A hacker could infer that anyone who received this email has cancer, which is ePHI and protected under HIPAA. If you use a medical condition to segment email recipients, the email campaign must comply with HIPAA.

It can be difficult to determine if an email contains ePHI. If you sent the exact same newsletter to a list of all current and former patients of the medical clinic, it may or may not contain ePHI. There are a lot of gray areas and it can be difficult to determine if an email contains PHI. We recommend using HIPAA-compliant email marketing for any promotional materials to reduce the risk of violations. 

After reading this, you may be thinking that you should never use patient information to segment email lists. However, if you use a HIPAA-compliant email marketing solution, you can leverage ePHI to send much more effective messages. In the above example, cancer patients actively receiving treatment at your clinic are much more likely to be interested in your business updates. Targeted emails receive much higher open and click rates than those sent to a general list. Sending the right information to your patients at the right time is a very effective patient engagement strategy. 

HIPAA-Compliant Email Marketing Solutions

Finding the right HIPAA-compliant email marketing platform can be challenging. Most of the common vendors aren’t HIPAA-compliant at all. Others claim compliance and will sign BAAs to protect your information at rest, but still require you to not send anything sensitive via email.  Finding a provider that can suit your business needs and can also protect the actual email messages is difficult.

Thankfully, LuxSci’s Secure Marketing email platform has been designed to cater to both needs. Our platform was built with both security and compliance at the forefront. With Secure Marketing, send fully HIPAA-compliant email marketing messages to the right patients at the right time and receive a better return on your marketing investment.