phi Archives - Page 3 of 7 - LuxSci

Posts Tagged ‘phi’

Reduce Risk with Set It and Forget It Email Encryption

Tuesday, February 7th, 2023

Leveraging PHI in your communications provides relevant, meaningful information to patients while significantly increasing positive health outcomes. LuxSci’s secure and HIPAA-compliant always-on email encryption streamlines the communications process and reduces risk. Use PHI safely and securely with set it and forget it email encryption technology.


The Email Encryption Landscape

There are many ways to enable encryption for messages that contain protected health information. The most common include data loss prevention technology and manual opt-in encryption.

First, data loss prevention uses software to scan message contents to look for keywords, phrases, or patterns that indicate the presence of sensitive or confidential information. Administrators must create detailed rules that instruct the DLP technology on what information is privileged and should be encrypted. While this is effective for some common keywords and patterns like social security numbers, a lot of health data does not fall neatly into pre-defined rules. DLP can quickly be rendered inadequate by misspellings, typos, or other human errors that fail to trigger the technology.


The next way that email messages are commonly encrypted is through human decision-making. The user switches a toggle or types a word like “encrypt” into the subject line or message to notify the system that the message should be secured. This form of opt-in encryption is hazardous because it relies on staff members making the right decisions around confidentiality and security. Even the best employees will make mistakes. How many times have you forgotten to include an attachment with an email message?

A Better Way: Set It and Forget It Email Encryption

At LuxSci, we recommend a different approach. Encrypting every email message automatically drastically reduces the risk of user error and ensures 100% message encryption. In industries like healthcare and finance, even one mistake could lead to a breach with severe financial penalties.

By encrypting all messages with a baseline of TLS encryption, organizations can meet their compliance requirements and provide a better user experience for recipients because portal logins are not required.

Set It

Setting up LuxSci’s Secure Connector takes less than one hour. Administrators can set it up globally, with no local installation or download required by staff members to connect. Once DNS and encryption settings are configured, employees can send secure emails immediately.

Administrators can choose the encryption configuration option that best fits their business processes. TLS is suitable for most communications, but sensitive data like health records, financial reports, or other confidential information can be sent to a secure portal for increased security. Administrators can create and manage encryption settings on an individual or group level to provide maximum flexibility. LuxSci’s encryption technology is highly configurable to meet any business need.

Forget It

Administrators don’t have to rely on employee decision-making when all messages are automatically encrypted. Employees do not need to be trained on when to enable encryption. It just happens automatically in the background, which increases security and gives you peace of mind.

It’s also easier for administrators to manage. There is no need to create detailed lists of rules to trigger encryption technology. Once you’ve selected your encryption preferences, all emails are sent that way. Minimal ongoing training or support is needed, and administrators can be confident that their messages are protected. In addition, users can verify that secure message delivery occurred with comprehensive analytics reports.

The Results: Improved Patient Engagement

TLS encryption is a game-changer because it is secure enough to meet compliance requirements and is user-friendly. TLS-encrypted messages appear just like regular, unencrypted emails in the recipient’s inbox, making them easy to read and respond to but without the risk of interception or eavesdropping. This is crucial for users who are not tech-savvy and helps to increase engagement with the message contents. If a user needs to take an extra step to log into a portal or create an account, they are more likely to drop off and not read the message.

Reducing friction in patient communications helps improve conversions and nudges patients into taking actions that will improve their health outcomes. Access to health care needs to be equitable, and that means making clinical communications seamless for users of all technical abilities.

Infographic: Most Email Software Cannot Use PHI

Thursday, January 12th, 2023

Email Communication is Necessary, But Introduces Risk

When it comes to receiving communications from businesses, 93% of people say that email is their preferred communication channel. In the healthcare industry, organizations must take extra care to comply with HIPAA. Only some email marketing platforms can adequately protect PHI. If not properly secured, email can introduce significant risks to sensitive data. 72% of organizations report experiencing an email cyberattack.

As the definition of PHI is ever-expanding to include information like biomarkers, organizations need to adopt a more secure posture for their personal, transactional, and marketing email. Cybercriminals seek out personal data because it is highly valued on the dark web. Data Loss Prevention (DLP) and policies preventing users from sending PHI insecurely are not enough.

Humans are prone to error and often make mistakes classifying PHI. Even DLP technology is not infallible: keywords can be misspelled, and PHI does not always fit cleanly into pre-determined filters. 40% of threats stem from internal actors. Many are not malicious, just mistakes! You must account for errors when humans are part of your security program.

So how can you prevent data leakage and ensure the security of sensitive data at rest and in transit? It’s simple when you choose the right solution. Resolve the tension between security risk and business engagement objectives by choosing a fully compliant email marketing solution.


Two Requirements for Including PHI in Marketing Emails

Secure Application

HIPAA does not require at-rest encryption, though it is recommended to decrease risk and potential liability. When using email marketing platforms or customer relationship management systems that contain PHI, it’s essential to keep that information protected. You must ensure that all collected and stored protected health information is encrypted and can only be accessed and decrypted by people with the appropriate keys. This makes backups secure, protects data from being improperly accessed, and generally protects the data no matter what happens (unless the keys are stolen). Encryption is essential to protect private health data at rest in an application.

Transmission Encryption

If protected health information is transmitted outside of the database or application, encryption must also be used to protect the data in transmission. At a minimum, TLS encryption (with the appropriate ciphers) is secure enough to meet HIPAA guidelines. However, TLS alone may not be appropriate for your use cases. Non-compliant and quasi-compliant applications do not offer transmission encryption that is secure enough to comply with HIPAA. You should only send communications containing PHI if they are encrypted.
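The "encrypt every message with a baseline of TLS" approach from the first post, and the rule here that PHI is sent only when the transmission is encrypted, come down to one policy: never fall back to cleartext. The example below is added here and is not LuxSci's code; it assumes an smtplib-style SMTP session, and FakeSmtp is a constructed stand-in so the policy can be exercised offline.

```python
import ssl
from email.message import EmailMessage

MIN_TLS = ssl.TLSVersion.TLSv1_2


class TransmissionNotEncrypted(Exception):
    """Raised when a message would otherwise leave the relay in cleartext."""


def build_tls_context() -> ssl.SSLContext:
    """Outbound TLS policy: TLS 1.2 or newer, CA validation, hostname check."""
    ctx = ssl.create_default_context()  # verifies the relay's certificate chain
    ctx.minimum_version = MIN_TLS
    ctx.check_hostname = True
    return ctx


def send_encrypted_only(smtp, msg: EmailMessage, ctx=None) -> None:
    """Send `msg` over `smtp` only after a verified STARTTLS upgrade.

    `smtp` is an smtplib.SMTP-compatible session already connected to the
    relay. There is deliberately no cleartext fallback: if the relay does not
    offer STARTTLS, or rejects it, the message is not sent at all.
    """
    ctx = ctx or build_tls_context()
    smtp.ehlo()
    if not smtp.has_extn("starttls"):
        raise TransmissionNotEncrypted("relay does not advertise STARTTLS")
    code, _ = smtp.starttls(context=ctx)
    if code != 220:
        raise TransmissionNotEncrypted(f"STARTTLS refused with code {code}")
    smtp.ehlo()  # RFC 3207: re-issue EHLO after the handshake before sending
    smtp.send_message(msg)


def deliver(smtp, msg: EmailMessage) -> dict:
    """Audit-friendly wrapper: reports the outcome instead of raising."""
    try:
        send_encrypted_only(smtp, msg)
        return {"sent": True, "encryption": "tls", "reason": ""}
    except TransmissionNotEncrypted as exc:
        return {"sent": False, "encryption": "none", "reason": str(exc)}


class FakeSmtp:
    """Constructed stand-in for smtplib.SMTP so the policy runs offline."""

    def __init__(self, offers_starttls: bool, starttls_code: int = 220):
        self._ext = {"starttls": ""} if offers_starttls else {}
        self._code = starttls_code
        self.tls_min = None   # records the minimum TLS version negotiated
        self.sent = []

    def ehlo(self):
        return 250, b"ok"

    def has_extn(self, name):
        return name.lower() in self._ext

    def starttls(self, context=None):
        self.tls_min = context.minimum_version
        return self._code, b"Ready to start TLS"

    def send_message(self, msg):
        self.sent.append(msg)


def appointment_reminder() -> EmailMessage:
    """Constructed sample message that carries PHI (an appointment)."""
    msg = EmailMessage()
    msg["From"] = "clinic@example.org"
    msg["To"] = "patient@example.net"
    msg["Subject"] = "Reminder: appointment on Monday"
    msg.set_content("Your appointment with Dr. Example is at 9:00 AM.")
    return msg


if __name__ == "__main__":
    print(deliver(FakeSmtp(offers_starttls=True), appointment_reminder()))
    print(deliver(FakeSmtp(offers_starttls=False), appointment_reminder()))
```

Against a real relay, replace FakeSmtp with `smtplib.SMTP(host, 587)`; the refusal path is what turns "opt-in" encryption into "always-on".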

Types of Email Marketing Solutions

Non-Compliant (1)

Many of the most popular email solutions on the market were not designed to protect the sensitive data of the healthcare industry. These vendors will not sign Business Associate Agreements and do not provide the storage or transmission encryption needed to meet HIPAA requirements. Healthcare organizations should only use these solutions if they do not send PHI, which may be impossible if you plan to email lists of patients with any information about their healthcare.

Quasi-Compliant (2)

HIPAA does not require any specific technology to meet its requirements, which allows for flexibility, but also creates uncertainty. No central government organization certifies HIPAA compliance, and as a result, many organizations advertise themselves as “HIPAA-compliant” but don’t enable you to take full advantage of their functionality. We call this “Quasi compliance.”

Quasi-compliant solutions often provide a secure application and protect patient data at rest. However, they will not permit you to send emails or transmit PHI outside the database. This can seriously limit the usefulness of the solution. Take a real-life example: one healthcare organization purchased a CRM system and set it up, uploaded their contacts, and was ready to start using it, so they enabled the “HIPAA Compliance” toggle on the backend. They quickly found that much of the functionality was no longer available and wouldn’t allow them to email or log certain data types. The solution was almost useless for their patient engagement efforts.

Other applications will permit you to use the full functionality of the solution, but when you read the terms of the Business Associate Agreement, it is clear that you are not allowed to send PHI. If signed, your organization will be responsible for any breaches caused by sending PHI insecurely, not the vendor.

Full Compliance (4)

This is why it’s crucial to vet solutions carefully and not take shortcuts regarding HIPAA compliance. Any CRM, CDP, or email marketing solution must protect data at rest in a secure application and encrypt transmitted messages. Even more importantly, it shouldn’t take any extra training or require any extra steps to use in a compliant way.

At LuxSci, (3) we provide a secure application to manage your email campaigns that encrypts transmitted messages automatically. Our Secure Marketing solution is designed to meet the unique security needs of healthcare organizations. All email transmissions are encrypted automatically, and users can choose the right type of encryption (TLS, Portal Pickup) to meet their email use cases. Automatic encryption gives your security and compliance teams peace of mind that all messages are sent securely. Data is protected throughout the lifecycle and does not require employees to decide whether a message contains PHI. Healthcare marketers can fully use PHI to personalize and customize messaging to increase patient engagement and get better ROI on their marketing campaigns. 

Tips for Improving Account Security

Thursday, December 8th, 2022

Securing access to protected health information is a crucial tenet of HIPAA compliance. Your employees may have access to sensitive information, so ensuring their accounts are secure is essential to protecting this data. While you can’t stop users from making poor choices, there are administrative actions you can take to help improve account security. We’ve created a list to help assess your security stance.


What are Access Controls?

First, let’s define what we mean by access controls. In the context of HIPAA compliance, access controls refer to the technical and physical safeguards required to maintain the integrity and confidentiality of protected health information. Physical access controls include protecting the physical security of PHI located on physical servers, files, and other hardware. This is easy to understand. File cabinets are locked, rooms require passkeys or access codes to enter, and there are often sign-in and out sheets for physical files or information.

Access controls are more complicated for digital storage. In today’s world, most electronic protected health information (ePHI) is digitally stored in EHRs, databases, or the cloud. This article discusses ways to improve account security to maintain the integrity and confidentiality of digitally stored ePHI.

Account Security Checklist

Below we’ve compiled some of our tips for improving account security. Note that HIPAA does not make specific technical recommendations for how to meet its requirements. There are many ways to meet HIPAA requirements that do not dictate the use of any specific technology. However, keep in mind that the goal is to secure the sensitive data entrusted to your organization, not just check off compliance requirements.

Unique Accounts

To track who is accessing protected health information, it’s essential that account logins are not shared among staff members. When users share login credentials, it is impossible to tell who accessed information when reviewing audit logs. This can create issues when dealing with a security incident. By clearly designating logins to individuals, it’s easy to determine who is accessing PHI and to detect unusual activity. Ensure your employees understand that sharing logins is not allowed and set policies to enforce this rule.

Secure Passwords

Many people understand the importance of having a secure password, but it’s still shocking how many people use insecure or easily guessed passwords. According to a report from LastPass, 95% of IT professionals said that passwords pose security risks to their organization. They reported that employees frequently mishandle passwords, sharing them too liberally and via insecure methods. A few steps you can take to improve password security include:

  • Using unique passwords for each account
  • Requiring the use of special characters, numbers, and capitalization
  • Randomly generating passwords
  • Using password managers to store account information securely

Administrators should create policies for passwords and enforce as many of these requirements as possible by default. Don’t rely on users making the right decisions.

Multifactor Authentication

If a user’s password is weak and gets compromised, multifactor authentication can help keep accounts secure. Multifactor authentication requires a second piece of information (usually a six-digit code) to complete the login process. The code is sent to or generated by a second device. Without access to this code, a hacker cannot log in to the account, even if they have the username and password.

We recommend using an application (like DuoSecurity or Google Authenticator) to generate the second factor because a competent hacker can intercept codes sent by text/SMS.

Time and Location-Based Settings

These settings are not required for HIPAA compliance but provide an additional layer of security. Administrators can block logins that take place from outside of pre-set geographic regions. This is useful because many cybercrimes are launched from foreign countries. For example, logins coming from countries like Russia, China, or Iran could be forbidden by administrators. In addition, admins can lock users out outside of their regular working hours. For example, keep users from logging in between 10pm and 6am (or any window of your choosing). Many malicious actions take place outside of regular operating hours to avoid notice. Be sure to have a way to override this in case of an emergency.

IP Restricted Logins

Restrict logins even further by requiring them to come from specific IP addresses. Administrators can use VPNs to secure traffic to their applications. The user will not be able to log in if the attempt does not come from the correct IP address.

Role-Based Permissions

Another factor to keep in mind is the principle of least privilege (least access). Users should only have access to the systems required to perform their job duties. Not every user should have access to every system. Reducing the number of logins available decreases the attack surface and reduces risk. This is a key tenet of the Zero Trust security philosophy.

Automatic Log Out

Finally, prevent users from staying logged into sensitive systems indefinitely. Enforce automatic logouts after a period of inactivity (this could be five minutes, 30 minutes, or an hour depending on your situation). This helps prevent unauthorized access to protected information after a user has legitimately logged in.
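The checklist items above (named accounts, MFA, time and location limits, IP restriction, automatic log-out, plus the emergency override) can be expressed as one login-policy check that records every violation for the audit log. This is an added example, not LuxSci's code; the policy fields, user names and the 203.0.113.0/24 network are constructed, and the country code is assumed to come from a GeoIP lookup done upstream.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta


@dataclass
class AccountPolicy:
    """The checklist's controls as data; field names are this example's own."""
    require_mfa: bool = True
    allowed_countries: set = field(default_factory=lambda: {"US"})
    allowed_networks: list = field(default_factory=list)  # ip_network objects
    work_start: time = time(6, 0)   # logins permitted from 06:00 ...
    work_end: time = time(22, 0)    # ... until 22:00 (local time)
    idle_timeout: timedelta = timedelta(minutes=30)


@dataclass
class LoginAttempt:
    user: str             # one named person, never a shared login
    source_ip: str
    country: str          # assumed to come from a GeoIP lookup upstream
    at: datetime
    mfa_passed: bool
    break_glass: bool = False  # documented emergency override


def within_hours(t: time, start: time, end: time) -> bool:
    """True if t falls in [start, end); handles windows that cross midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def evaluate_login(policy: AccountPolicy, attempt: LoginAttempt) -> dict:
    """Apply every control and report all violations, not just the first,
    so the audit trail for this user shows the whole picture."""
    violations, notes = [], []
    if policy.require_mfa and not attempt.mfa_passed:
        violations.append("mfa_required")
    if attempt.country not in policy.allowed_countries:
        violations.append(f"country_not_allowed:{attempt.country}")
    if policy.allowed_networks:
        ip = ipaddress.ip_address(attempt.source_ip)
        if not any(ip in net for net in policy.allowed_networks):
            violations.append(f"ip_not_allowed:{attempt.source_ip}")
    if not within_hours(attempt.at.time(), policy.work_start, policy.work_end):
        violations.append("outside_working_hours")
    if attempt.break_glass:
        # The override waives time and location controls only; MFA still applies.
        waived = [v for v in violations if v != "mfa_required"]
        violations = [v for v in violations if v == "mfa_required"]
        notes.append("break_glass_override:" + ",".join(waived))
    return {"user": attempt.user, "allowed": not violations,
            "violations": violations, "notes": notes}


def session_expired(last_activity: datetime, now: datetime,
                    policy: AccountPolicy) -> bool:
    """Automatic log-out: idle for the full timeout means re-authenticate."""
    return now - last_activity >= policy.idle_timeout


# Constructed sample policy and attempts (203.0.113.0/24 is a documentation range).
CLINIC = AccountPolicy(allowed_networks=[ipaddress.ip_network("203.0.113.0/24")])
ATTEMPTS = [
    LoginAttempt("nurse.a", "203.0.113.10", "US", datetime(2022, 12, 8, 9, 15), True),
    LoginAttempt("nurse.a", "198.51.100.7", "US", datetime(2022, 12, 8, 9, 15), True),
    LoginAttempt("nurse.a", "203.0.113.10", "US", datetime(2022, 12, 8, 23, 30), True),
    LoginAttempt("oncall.b", "203.0.113.10", "US", datetime(2022, 12, 8, 23, 30), True,
                 break_glass=True),
    LoginAttempt("nurse.a", "192.0.2.44", "ZZ", datetime(2022, 12, 9, 2, 0), False),
]

if __name__ == "__main__":
    for a in ATTEMPTS:
        print(evaluate_login(CLINIC, a))
```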

Conclusion

These tips represent just a few ways that administrators can improve the security of their users’ accounts and protect access to PHI.

LuxSci and StepAhead Partner to Protect Patient Data

Thursday, November 17th, 2022

Boston, MA, November 2022 – LuxSci, a provider of HIPAA-compliant email services, is pleased to announce a new partnership with StepAhead, a software company focused on protecting healthcare data. By partnering with LuxSci, StepAhead helps healthcare technology organizations protect sensitive data so they can utilize it in ways that do not compromise patient privacy.

“LuxSci is thrilled to work with StepAhead. Their unique approach to data security and patient privacy is a perfect complement to LuxSci’s email encryption technology. By partnering with StepAhead, we can support our enterprise technology customers as they develop the solutions that will change the future of healthcare delivery for the better,” said Heather Clark, Vice President of Partnerships at LuxSci.

The healthcare ecosystem is rapidly changing, and digital innovation is essential to serve the needs of patients. However, digital tools introduce risk to sensitive data like protected health information. The partnership allows LuxSci and StepAhead to help healthcare technology companies address the complex data security and compliance questions that arise during digital transformation.

“The synergies between our two companies and the complementary security solutions we offer provide a powerful combination for healthcare organizations. LuxSci owns the space where movement of sensitive data is a necessary business process by applying their encryption technology to keep that data safe. StepAhead provides tools to further leverage that data, in an anonymized form with the highest level of utility, so it can be distributed freely without fear of breach. This helps expand the value of the sensitive data without increasing the risk profile for all situations where the original sensitive data is not necessary,” said Kurt Ring, Co-Founder and VP of Sales at StepAhead.

StepAhead’s innovative Tarmiz technology offers a new model for protecting PHI with targeted data anonymization. This process enables organizations to maintain the integrity and authenticity of their native data without being exposed to unnecessary risk or undesirable outcomes.

LuxSci provides secure email solutions to help healthcare organizations meet compliance requirements and protect patient data. LuxSci’s SecureLine encryption technology helps healthcare providers reduce risk profiles while providing easy-to-use email tools.

The partnership between LuxSci and StepAhead will help further expand the security around sensitive data and provide additional options for organizations looking to utilize that data in the most effective and safest ways possible. To learn more about SecureLine visit www.luxsci.com and for more information on Tarmiz visit https://stepahead.dev/learnmore/.

Rules for Using PHI in Patient Engagement

Friday, November 11th, 2022

As you know by now, we believe strongly in the benefits of using protected health information (PHI) to create highly targeted and personalized email campaigns. However, before you dive in and kick off your campaigns, you must be aware of the complex compliance requirements governing healthcare organizations’ marketing communications.


Reminder: What is PHI?

PHI, or protected health information, is “individually identifiable protected health information.” Protected health information refers specifically to three classes of data:

  1. An individual’s past, present, or future physical or mental health or condition.
  2. The past, present, or future provisioning of health care to an individual.
  3. The past, present, or future payment-related information for the provisioning of health care to an individual.

For protected health information to be “individually identifiable,” the data must be linkable to a specific individual (even if the link is very indirect). There are 18 types of identifiers for an individual. Any one of these identifiers, combined with “protected health information,” would constitute PHI.

It’s often more complicated than it looks. For example, if you are running email campaigns, an email address is an individual identifier because it can be connected to a specific individual. That, combined with the email content, which often refers to the name of the provider, information about their health conditions, insurance coverage, or upcoming appointments, means that most communications from a healthcare practice could qualify as PHI.

HIPAA Rules for Using PHI in Patient Engagement

HIPAA regulates patient privacy. Healthcare organizations and their associates must obtain consent and implement technical safeguards before starting marketing campaigns.

HIPAA Privacy Rule

According to the U.S. Department of Health & Human Services, you must acquire consent to send marketing communications under the HIPAA Privacy Rule. It reads, “With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing.”

The Privacy Rule defines “marketing” as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” This also applies to many patient engagement communications.  

Generally, if the communication is “marketing,” then the communication can only occur if the covered entity obtains an individual’s authorization. Organizations must keep track of who has consented to receive marketing communications and allow them to opt out at any time. We further discuss the nuances of patient consent for marketing communications here.

HIPAA Security Rule

All covered entities and their Business Associates are subject to the HIPAA Security Rule. If you are working with a vendor (like a marketing consultant, email marketing platform, or ad agency) that will have access to PHI, you need to enforce a Business Associate Agreement.

The HIPAA Security Rule categorizes the necessary safeguards into three categories: Physical, Administrative, and Technical Safeguards. More details about the requirements for each can be found here. Any vendor you choose to work with must follow these regulations. Some basic requirements include the following:

  • Physically protecting data and where it is stored,
  • Training staff on handling PHI, and
  • Setting up technology to protect PHI properly.

Assuming your patient engagement campaigns are primarily occurring via email, at a minimum, you must ensure that the email marketing vendor will:

  • Protect data at rest and
  • Protect data in transmission.

This means utilizing encryption to ensure that PHI cannot be eavesdropped on. Many popular email marketing vendors do not encrypt PHI in transmission. It’s extremely important to choose a provider who can protect PHI following HIPAA regulations.


The Benefits of Using PHI for Patient Engagement

Once you have established the proper policies and procedures, signed a BAA, and put any technical requirements in place, you can start segmenting and personalizing emails using PHI. Here are some segmentation and personalization ideas to get started.

By applying these techniques and using PHI in your patient engagement strategy, you can:

  • Design targeted patient journeys
  • Deliver better patient outcomes
  • Improve ROI and reduce costs

Contact us today to learn more about how to securely engage patients using PHI.