protected health information Archives

Posts Tagged ‘protected health information’

What Makes A Website HIPAA Secure?

Saturday, March 8th, 2025

In this article, we review the requirements for what makes a website HIPAA secure and what you need to do to ensure your website is compliant. The recent focus on tracking pixels and analytics codes by enforcement agencies has many healthcare organizations reassessing their website security and compliance. As technology has evolved over the past thirty years, HIPAA rules have adapted to secure sensitive data.

Read the rest of this post »

Tags: backup, disposal, encryption, form, hipaa, hipaa website, online tracking, patient, pixels, protected health information, ssl, web form, web site
Posted in Business Solutions, HIPAA Compliant Forms, LuxSci Library: HIPAA, Popular Posts
2 Comments »

What exactly does HIPAA say about Email Security?

Wednesday, February 26th, 2025

Performing daily business transactions and communications through electronic technologies is accepted, reliable, and necessary across the nation’s healthcare providers, payers and suppliers. As a result, email has become a standard in the healthcare industry as a way to conduct business activities that commonly include:

Interacting with patients
Real time authorizations for medical services
Transcribing, accessing and storing health records
Appointment scheduling
Referring patients
Explanation of benefits
Marketing offers
Submitting claims to health plan payers for payment of the services provided

Collaborative efforts amongst healthcare providers have improved the delivery of quality care to patients in addition to the recognized increase in administrative efficiency through effective use of email and other types of digital communication. Patients are becoming more and more comfortable with emailing their physician’s office to schedule an appointment, discuss laboratory results, or request refills on medication. Medicare and some other insurance payers also recognize and pay for virtual care where the health provider and patient interact over video (telemedicine).

Using digital communications, undoubtedly, poses concerns about the privacy and security of an individual’s information. In healthcare, the confidentiality of a patient’s information has been sacred since the days of the Hippocratic Oath (Hippocrates – the Father of Medicine, 400 B.C.). Today, merely taking an oath to respect one’s privacy has been overshadowed by regulations that govern how certain healthcare establishments must handle an individual’s health information. So, if a healthcare organization employs email as a means of communicating medical and/or mental health data to appropriate parties, including patients and customers, they must also ensure that information is well safeguarded.

This article addresses the specific issues that healthcare provider, payers and suppliers must address in order to be in compliance with HIPAA and HITECH certified. It will also lay out how LuxSci enables healthcare organizations to meet these requirements though HIPAA compliant email outsourcing.

Overview of HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) implemented new rules for the healthcare world. Mandating compliance with its Privacy and Security Rules, the federal government is committed to enforcing patients’ rights. Industry professionals – financial, administrative and clinical – are no strangers to the regulatory compliance culture. HIPAA laws apply to a covered entity; i.e. healthcare providers, suppliers, clearinghouses and health plan payers that meet certain conditions. In essence, most providers are covered entities if they employ digital communications, meaning they function by storing and exchanging data via computers through intranets, Internet, dial up modems, DSL lines, T-1, etc. Additionally, HITECH extends the requirements of HIPAA to any business associate of a covered entity and to all business associates of business associates (all the way down the line) who may come into contact with Protected Health Information originating from a covered entity.

HIPAA email security applies specifically to protected health information, not just personal information. Protected Health Information (PHI), as defined in HIPAA language, is health information of an identifiable individual that is transmitted by electronic media; maintained in any electronic medium; or transmitted or maintained in any other form or medium. For example, all administrative, financial, and clinical information on a patient is considered PHI and must abide by the following standards:

Privacy Standards: The HIPAA Privacy Rule sets standards for protecting the rights of individuals (patients). Covered entities must follow the laws that grant every individual the right to the privacy and confidentiality of their health information. Protected Health Information is subject to an individual’s rights on how such information is used or disclosed.
Privacy Standard Key Point: Controlling the use and disclosure of oral, written and electronic protected health information (any form).
Security Standards: Taking the Privacy Rule a step further, HIPAA implemented the Security Rule to cover electronic PHI (ePHI). To this end, more secure and reliable information systems help protect health data from being “lost” or accessed by unauthorized users.
Security Standard Key Point: Controlling the access to electronic forms of protected health information (not specific to oral or written).

The Privacy and Security Rules focus on information safeguards and require covered entities and their business associates to implement the necessary and appropriate means to secure and protect health data. Specifically, the regulations call for organizational and administrative requirements along with technical and physical safeguards.

Provisions of the HIPAA Email Security Rule

The HIPAA language uses the terms required and addressable. Required means that complying with the given standard is mandatory and, therefore, must be complied with. Addressable means that the given standards must be implemented by the organization unless assessments and in depth risk analysis conclude that implementation is not reasonable and appropriate specific to a given business setting. Important Note: Addressable does not mean optional.

With regard to addressable, an organization should read and decipher each Security standard separately and deal with each piece independently in order to determine an approach that meets the needs of the organization.

The General Rules of the Security Standards reflect a “technology-neutral” approach. This means that there are no specific technological systems that must be employed and no specific recommendations, just so long as the requirements for protecting the data are met.

Organizational requirements refer to specific functions a covered entity must perform, including the use of business associate contracts and the development, documentation and implementation of policies and procedures.

Administrative requirements guide personnel training and staff management in regard to PHI and require the organization to reasonably safeguard (administrative, technical and physical) information and electronic systems.

Physical safeguards are implemented to protect computer servers, systems and connections, including the individual workstations. This section covers security concerns related to physical access to buildings, access to workstations, data back up, storage and obsolete data destruction.

Technical safeguards affect PHI that is maintained or transmitted by any electronic media. This section addresses issues involving authentication of users, audit logs, checking data integrity, and ensuring data transmission security.

Risk Analysis

Risks are inherent to any business and, therefore, with regard to HIPAA, each organization must take into consideration the potential for violating an individual’s right to privacy of their health information. HIPAA allows for scalability and flexibility so that decisions can be made according to the organization’s approach in protecting data. Covered entities and their Business Associates must adopt certain measures to safeguard PHI from any “reasonably anticipated” hazards or threats. After a thorough yearly risk analysis, a yearly assessment of the organization’s current security measures should be performed. Additionally, a cost analysis will add another important component to the entire compliance picture. A plan to implement secure electronic communications starts with reviewing the Security Rule and relating its requirements to the available solution and your business needs.

HIPAA Administrative and Physical Safeguards

Below are the administrative and physical safeguards as outlined in the Federal Register. These requirements are items that must generally be addressed internally, even if you are outsourcing your email or other services. We will discuss these safeguards in more detail below.

Standard: ADMINISTRATIVE SAFEGUARDS	Sections	Implementation Specification	Required or Addressable
Security Management Process	164.308(a)(1)	Risk Analysis	R
		Risk Management	R
		Sanction Policy	R
		Information System Activity Review	R
Assigned Security Responsibility	164.308(a)(2)		R
Workforce Security	164.308(a)(3)	Authorization and/or Supervision	A
		Workforce Clearance Procedures	R
		Termination Procedures	A
Information Access Management	164.308(a)(4)	Isolating Health Care Clearinghouse Function	R
		Access Authorization	A
		Access Establishment and Modification	A
Security Awareness and Training	164.310(a)(5)	Security Reminders	A
		Protection from Malicious Software	A
		Log-in Monitoring	A
		Password Management	A
Security Incident Procedures	164.308(a)(6)	Response and Reporting	R
Contingency Plan	164.308(a)(7)	Data Backup Plan	R
		Disaster Recovery Plan	R
		Emergency Mode Operation Plan	R
		Testing and Revision Procedure	A
		Applications and Data Criticality Analysis	A
Evaluation	164.308(a)(8)		R
Business Associates Contracts and Other Arrangement.	164.308(b)(1)	Written Contract or Other Arrangement	R
Standard: PHYSICAL SAFEGUARDS	Sections	Implementation Specification	Required or Addressable
Facility Access Controls	164.310(a)(1)	Contingency Operations	A
		Facility Security Plan	A
		Access Control and Validation Procedures	A
		Maintenance Records	A
Audit Controls	164.312(b)		R
Integrity	164.312(c)(1)	Mechanism to Authenticate EPHI	A
Workstation Use	164.310(b)		R
Workstation Security	164.310(c)		R
Device and Media Controls	164.310(d)	Disposal	R
		Media Re-use	R
		Accountability	A
		Data Backup and Storage	A

Importance of Encryption for Email Communication

The security risks for email commonly include unauthorized interception of messages en route to recipient, messages being delivered to unauthorized recipients, and messages being accessed inappropriately when in storage. These risks are addressed in the Security Rule’s technical safeguards section, particularly:

Person or Entity Authentication – required procedures must be implemented for identification verification of every person or system requesting access to PHI. This means the identity of the person seeking information must be confirmed within the information system being utilized. It also means that shared logins are not permitted.
Transmission Security – addressable data integrity controls and encryption reasonable and appropriate safeguards.
Business Associates – if you outsource your email services to another company and your email may contain ePHI in any form, then that company must be HIPAA compliant, sign a Business Associate Agreement with you, and actively safeguard your ePHI.

Each healthcare organization using email services must determine, based on technologies used for electronic transmission of protected health information, how the Security standards are met.

Addressable specifications include automatic log off, encryption, and decryption. Covered entities must also assess organizational risks to determine if the implementation of transmission security which includes integrity controls to ensure electronically-transmitted PHI is not improperly modified without detection is applicable. E.g. it is applicable for any ePHI going over the public Internet; it may not be necessary for information flowing between servers in your own isolated office infrastructure. Encryption of ePHI at rest (as it is stored on disk) is also addressable and not a requirement under HIPAA regulations; however, a heightened emphasis has been placed on encryption due to the risks and vulnerabilities of the Internet.

Ultimately, according to the Department of Health and Human Services, covered entities and their business associates can exercise one of the following options in regard to addressable specifications:

Implement the specified standard;
Develop and implement an effective security measure to accomplish the purpose of the stated standard; or
If the specification is deemed not reasonable and appropriate for the organization but the standard can still be met, then do not implement anything.

Reasonable and appropriate relate to each organization’s technical environment and the security measures already in place.

Questions to Consider When Choosing an Email Service Provider

When your organization is responsible for critical data such as protected health information, choosing an email provider is more than a matter of trust. Does the email service provider build on the administrative, physical and technical safeguards while delivering to its customers:

Signed Business Associate Agreement
Awareness of their responsibilities under HITECH and Omnibus
Solutions that meet or exceed HIPAA’s Security Standards
Willingness to work with you and advise you on your security and privacy choices
Protect data integrity
Flexible, scalable services – no account is too small
Administrative access to assign or change a user’s password
Controls to validate a user’s access
Audit controls to track user access and file access
Allow access to users based on role or function
Automatic log off after specified time of inactivity
Data transmission security
Unlimited document or email transfer
Ability for encryption
Emergency access for data recovery
Minimal server downtime
Secure data back up and storage
Secure data disposal
User friendly, web-based access without the necessity of third party software
Privacy in not selling or sharing its client contact information

A Scalable, Flexible, HIPAA-Compliant Email Services

LuxSci offers secure, premium email services including extensive security features, Spam and virus filtering, robustness, and superior customer service. The offerings are scalable to any size healthcare organization.

In addition to LuxSci itself protecting your ePHI by following the HIPAA Security and Privacy Rules as required by the HITECH amendment to HIPAA, LuxSci also provides a clean set of guidelines for using its services that enable your ePHI to be safeguarded; these guidelines are automatically enforced by the use of any “HIPAA Compliant” account. If you follow these guidelines and sign LuxSci’s Business Associate Agreements, LuxSci will certify your account as HIPAA compliant and give you a HIPAA Compliance Seal.

Take a look at the table below to see examples of how LuxSci enables you to meet HIPAA’s requirements for protecting electronic communications in your organization.

Standard: TECHNICAL SAFEGUARDS	Sections	Implementation Specification	R/A?
Access Control	164.312(a)(1)	Unique User Identification	R
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: “Assign a unique name and/or number for identifying and tracking user identity.” Solution: Use of unique usernames and passwords for all distinct user accounts. No shared logins; but sharing of things like email folders between users is permitted.

Standard: TECHNICAL SAFEGUARDS	Sections	Implementation Specification	R/A?
		Emergency Access Procedure	R
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: “Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency” Solution: PHI in email communications can be accessed from any location via the Internet. There are also mechanisms for authorized administrative access to account data. Optional Email Archival and Disaster Recovery services provide enhanced access to email in case of emergency.

Standard: TECHNICAL SAFEGUARDS	Sections	Implementation Specification	R/A?
		Automatic Logoff	A
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: “Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.” Solution: An organization can set screen savers on their desktops to log users out. Additionally, WebMail and other email access services (e.g. POP, IMAP, and Mobile) automatically log off all users after a predetermined amount of time; the WebMail session time is user- and account-configurable.

Standard: TECHNICAL SAFEGUARDS	Sections	Implementation Specification	R/A?
		Encryption and Decryption	A
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: Implement a mechanism to encrypt and decrypt electronic protected health information. Solution: All usernames, passwords, and all other authentication data are be encrypted during transmission to and from LuxSci’s servers and our clients using SSL/TLS. Additionally, SecureLine permits end-to-end encrypted email communications with anyone on the Internet, SecureForm enables end-to-end encryption of submitted web site form data, and WebAides permit encryption of sensitive documents, passwords databases, and internal blogs.

Standard: TECHNICAL SAFEGUARDS	Sections	Implementation Specification	R/A?
Audit Controls	164.312(b)		R
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” Solution: Detailed audit trails of logins to all POP, IMAP, SMTP, LDAP, SecureLine,and WebMail services are available to users and administrators. These include the dates, times, and the IP addresses from which the logins were made. Auditing of all sent and received email messages is also available. SecureLine also permits auditing of when messages have been read.

Standard: TECHNICAL SAFEGUARDS	Sections	Implementation Specification	R/A?
Integrity	164.312(c)(1)	Mechanism to Authenticate ePHI	A
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: “Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.” “Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.” Solution: To prevent unauthorized alteration or destruction of PHI, the use of SSL, TLS, PGP, and SecureLine will verify message and data integrity.

Standard: TECHNICAL SAFEGUARDS	Sections	Implementation Specification	R/A?
Person or Entity Authentication	164.312(d)		R
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: “Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.” Solution: Username and Password are used for access control (Two-factor verification is also available); strict control is given over who can access user’s accounts. LuxSci’s privacy policy strictly forbids any access of email data without explicit permission of the user (unless there are extenuating circumstances). Also, use of SecureLine end-to-end encryption in email and document storage ensures that only the intended recipient(s) of messages or stored documents can ever access them.

Standard: TECHNICAL SAFEGUARDS	Sections	Implementation Specification	R/A?
Transmission Security	164.312(e)(1)	Integrity Controls	A
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: “Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.” “Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.” Solution: SSL-based encryption during the transmission of data to/from our clients for WebMail, POP, IMAP, SMTP, and document storage services is provided. SMTP TLS-based encryption of inbound email at LuxSci ensures that all email sent internally at LuxSci meets “Transmission Security” guidelines and allows you to securely receive email from other companies whose servers also support TLS. LuxSci also provides SecureLine for true end-to-end encryption of messages to/from non-clients.

Standard: TECHNICAL SAFEGUARDS	Sections	Implementation Specification	R/A?
		Encryption	A
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: “Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.” Solution: SSL encryption for WebMail, POP, IMAP and SMTP services is provided. Additionally, encrypted document and data storage is available and use of SecureLine for end-to-end security is enforced.

Standard: TECHNICAL SAFEGUARDS	Sections	Implementation Specification	R/A?
Device and Media Controls	164.310(d)	Data Backup and Storage	R
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: “Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.”Solution: Daily on-site and weekly off-site backups ensure exact copies of all ePHI are included. Live data is stored on redundant RAID disk arrays for added protection. Furthermore, Premium Email Archival provides permanent, immutable storage on servers in multiple geographic locations.

Standard: TECHNICAL SAFEGUARDS	Sections	Implementation Specification	R/A?
		Data Disposal	R
HIPAA COMPLIANT SOLUTION from LuxSci
The Rule States: “Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.”Solution: Clients can delete their data whenever desired. Additional security comes in automatic expiration of data backups (cease to exist after 1 month). Alternate expiration plans are available for large clients.

Healthcare staff using LuxSci can send and receive email from anywhere in the world using existing or new email clients or web browsers. A comprehensive solution for a complex law – managed by your account administrators in-house or remotely by our company. Risk assessments for potential HIPAA violations can be performed by administrators through the use of audit trails. Reliability and cost effective solutions are the backbone of LuxSci – even for extremely large client organizations. And, count on the physical security of our servers.

Chart of LuxSci Services and the HIPAA Rules they Satisfy

If you are interested in specific services at LuxSci and would like to know exactly which of the HIPAA rules each service meets, the following charts will assist you. Please contact LuxSci for more information.

HIPAA Rule	1. View Email: Secure WebMail, POP, IMAP, or Mobile Sync	2. Send Email: Secure WebMail, SMTP, or Mobile Sync	3. Encryption with SecureLine combined with 1 and 2	4. Secure Collaboration (WebAides)
Access Control – Unique User Identification
Access Control – Emergency Access			(a)	(a)
Access Control – Automatic Logoff
Audit Controls
Integrity			(b)	(b)
Person or Entity Authentication			(b)	(b)
Transmission Security > Integrity Controls	(c)	(c)
Transmission Security > Encryption	(c)	(c)
Device and Media Controls > Data Backups
Device and Media Controls > Data Disposal

(a) Our secure document storage service and use of SecureLine for communications may assume that the recipients have special passwords for their “Secure data access certificates” (PGP or S/MIME). These passwords are may be stored in a “Password Escrow” (a special secure password database) if the users so choose. In these cases, passwords to security keys can be retrieved in case of emergency or in case of loss.

(b) Our secure document storage service and use of SecureLine for communications encrypts data so that only the intended recipient(s) can ever view the data. The encryption process also allows the recipient(s) to verify that the data was not altered since it was sent or stored using digital signatures.

(c) SSL/TLS solutions encrypt the message during transport to and from LuxSci’s servers and your personal computer. Email sent from LuxSci to external addresses is secured with the use of SecureLine.

LuxSci provides complete transport layer and end-to-end email security compatible with any email user anywhere, no matter what software they may have.

Tags: access control, addressable, audit controls, authentication, covered entities, email security, email security rule, encryption, ePHI, Health Insurance Portability and Accountability Act, heathhealthcare, hipaa, hitech, integrity, omnibus, phi, privacy, protected health information
Posted in AAA Featured Articles, LuxSci Library: HIPAA
9 Comments »

What exactly is ePHI? Who has to worry about it? Where can it be safely located?

Wednesday, January 15th, 2025

There is often a great deal of confusion and misinformation about what constitutes ePHI (electronic protected health information) and how to protect it under HIPAA requirements. Even once you understand ePHI and how it applies to you, the next question becomes, where is ePHI permitted? What is secure and what is not?

In this post, we will answer the “what is ePHI” question in general and the “where can I put it” question regarding HIPAA compliant email, email hosting, and secure form processing with LuxSci.

What constitutes electronic Protected Health Information?

ePHI is individually identifiable protected health information that is sent or stored electronically. Protected health information refers specifically to three classes of data:

An individual’s past, present, or future physical or mental health or condition
The past, present, or future provisioning of health care to an individual
The past, present, or future payment-related information for the provisioning of health care to an individual

“Individually identifiable” means information that can be somehow linked to a specific individual (even if this is very indirect). There are 18 types of identifiers for an individual (listed below). Any one of these identifiers, combined with “protected health information” (e.g., an appointment with a particular doctor), would constitute ePHI.

Name
Address (all geographic subdivisions smaller than a state, including street address, city, county, zip code)
All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
Telephone number
Fax number
Email address
Social Security number
Medical record number
Health plan beneficiary number
Account number
Certificate/license number
Any vehicle or other device serial number
Device identifiers or serial numbers
Web URL
Internet Protocol (IP) address numbers
Finger or voiceprints
Photographic images
Any other characteristic that could uniquely identify the individual

An email message sent to an individual that says “your appointment with Dr. Shaw will be at 4pm on Friday” will be ePHI because the appointment with Dr. Shaw is “protected health information,” and the email address itself makes it identifiable. The fact that it is email makes it “electronic” (as opposed to a letter mailed the old-fashioned way).

ePHI Examples

The definition of ePHI seems very straightforward, but confusion arises when you start examining particular cases. Here are some examples:

I’m sending an email to someone whose email address is clearly not identifiable, e.g., “kjhw45376@gmail.com”…. therefore the message is not ePHI, right?

The definition of ePHI states that all email addresses, no matter what, are identifiable. Beyond that, at least people at gmail (in this case) will be able to match back the address to the actual person and thus identify the individual.

If it’s possible for anyone to identify the individual somehow, though some database or technique or association (even if you could never do it yourself … someone could), then the information is identifiable.

I am sending a newsletter with health care tips to a list of people that does not seem to be ePHI, right?

Here is a good example of a HIPAA marketing case where the answer is “it depends.” Is the information in the newsletter about the person’s past/present/future medical care or billing? Maybe, if this is a letter of tips on how to best recover from knee surgery, for example. If you are a doctor’s office and perform surgeries and send out this letter, that could be construed as ePHI. If, however, you are a general information web site where people can receive information about many different topics and you have no connection to the subscriber’s particular medical care, then this is not ePHI.

Who needs to worry about ePHI?

This has been a moving target over the years. It is especially important to know if you intend to do HIPAA compliant email marketing.

Currently, you have to protect all ePHI that you generate or come into contact (i.e., are given from patients) with per the HIPAA Security Rule if:

You are a HIPAA Covered Entity:
1. Care: You provide services or supplies related to an individual’s physical or mental health care. This includes (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure concerning the physical or mental condition or functional status of an individual that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or another item following a prescription.
2. Provider: A provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the ordinary course of business.
3. Clearinghouse: A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value added” networks and switches that either process or facilitate the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or receive a standard transaction from another entity and process or facilitate the processing of health information into a nonstandard format or nonstandard data content for the receiving entity.
4. Plan: With certain exceptions, an individual or group plan that provides or pays the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)). The law specifically includes many organizations and government programs as health plans.
You are the Business Associate of a HIPAA Covered Entity. E.g., you perform services for such an entity and [may] come into contact with ePHI as part of your business with them.
You are a Business Associate of a Business Associate. If you do business with any company that is itself a HIPAA Business Associate and, as a result, may come into contact with ePHI, then you must also be a Business Associate and protect that PHI.

The HIPAA Omnibus rule defines this transitive chain of possession such that all businesses that may come into contact with ePHI are responsible for that information’s privacy and security. This includes many companies that previously had no idea they had to be HIPAA-compliant and technically excludes them from doing business with the medical community until they are.

Who does not have to protect ePHI?

Anyone who is not a “Covered Entity” or “Business Associate” per HIPAA does not have to worry about ePHI … at least in terms of violating HIPAA. Everyone should be sensitive about protecting this information, anyway.

The patient is the most notable example of someone who does not have to abide by HIPAA and protect ePHI. The patient (in most cases) is an individual and does not fall under the umbrella of HIPAA. The patient can send whatever sensitive, private, identifiable, protected health information (about themselves) to anyone (their doctor included) without encryption, security, or any other trappings to ensure privacy. While such is not a good idea, no one will be “in trouble with HIPAA” for that action.

So, what if your patient sent you an insecure email from @gmail.com with their complete medical history?

You did not violate HIPAA by receiving it.
They did not violate HIPAA by sending it.
As this is ePHI and HIPAA covers you, you are now responsible for protecting this information with all the security and privacy due per HIPAA.

This means that from the moment that patient’s email hits your account, you must take all reasonable measures to safeguard it. This could mean:

Immediately delete it if it was sent to a non-compliant account of yours. You might want to report this to HHS that ePHI was present in your insecure account and why. This is a reporting requirement and not necessarily a breach.
Ensure that patients only know your HIPAA-compliant email address, so any messages they send to you are protected as soon as they arrive.
Providing patients with an easy online mechanism to send you secure, HIPAA-compliant messages so that they are less likely to use their own insecure email systems.

Where can I put ePHI when sending an email?

When sending an email, you automatically include “identifiable” information: the recipient’s email address. Where can you put the “protected health information” so that the to-be-encrypted email is adequately secured and compliant? There are generally (and specifically with LuxSci and most email providers) only two places:

The message body
Any attachments

The content in the email message headers, including the Subject line, will not be encrypted (it will during transport only if TLS is used) and can be logged by various servers on the internet. Many of those logs are not likely to be HIPAA-compliant. Protected health information should thus never be present in the subject of email messages — always put it in the body.*

*LuxSci has a feature in its secure email where you can hide email subjects until the recipient actually comes to the LuxSci portal and opens the message. Until then the subject they see is just something like “You have received a secure message”. This feature allows medical information to be in the subject and protects you from the risk of such information being accidentally breached by being included in the subject when the subject could be delivered insecurely.

Where else can I put ePHI with LuxSci?

HIPAA-compliant LuxSci customers can also store ePHI:

In any App (e.g., calendar, address book, task list, blog, file storage, password storage, etc.)
In any hosted Database.
In Widgets (except custom ones that send data to 3rd parties).
In files on dedicated web/file servers.
In secue video sessions
In secure text messages

* On dedicated servers, the files do not have to be encrypted on disk, but these files should not be publicly accessible over the web, and any website should be designed with HIPAA compliance in mind.

Still have some questions? Contact us today.

Tags: business as, covered entity, email, ePHI, hipaa, omnibus, protected health information
Posted in LuxSci Library: HIPAA, Popular Posts
No comments »

HIPAA Compliance Checklist

Saturday, January 11th, 2025

Our HIPAA compliance checklist was designed to help organizations understand their obligations under the law. The checklist items are not a complete list, just a starting point for your compliance program. HIPAA requires a yearly risk analysis to identify new vulnerabilities. Any business process change or new technology usage introduces new risk into an organization’s security program, so it’s important to review the standards regularly.

Read the rest of this post »

Tags: addressable, compliant, encryption, ePHI, hipaa, hipaa checklist, hipaa compliance, hitech, omnibus, phi, protected health information, security
Posted in LuxSci Library: HIPAA
No comments »

HIPAA Compliant Forms

Saturday, February 3rd, 2024

When it comes to digital data collection, there is often a lot of uncertainty surrounding HIPAA compliant forms.

Do Healthcare Websites Need HIPAA Compliant Forms?

We often have customers ask if their website forms need to be HIPAA compliant.

The short answer is that securing patient data is always recommended. You never know what types of information individuals will volunteer in an online submission. It is always a good idea to prepare for the possibility of sensitive information being entered into an online form to build trust with your users.

Criteria for HIPAA Compliant Forms

HIPAA requires that all Protected Health Information (PHI) be secured to protect the privacy of the individuals identified in the PHI. If your form falls into both of the following categories, it must conform to HIPAA standards:

You are a Covered Entity or Business Associate and,
The form collects PHI.

Let’s look at the two criteria to determine if your forms need to be HIPAA-compliant.

1. Does HIPAA Apply to Your Organization?

HIPAA applies to your web form if your organization is a Covered Entity. It also applies if you are a Business Associate of a Covered Entity and collect data on their behalf.

HIPAA defines a Covered Entity as an organization that falls into one of the following categories:

Care: You provide services or supplies related to an individual’s physical or mental health care. This includes (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure concerning the physical or mental condition or functional status of an individual that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other items by a prescription.
Provider: A provider of medical or health services or any other person or organization who furnishes, bills, or is paid for health care.
Clearinghouse: A public or private entity, including a billing service, repricing company, community health management information system, or community health information system, and “value-added” networks and switches that either process or facilitate the processing of health information.
Plan: With certain exceptions, an individual or group plan that provides or pays the cost of medical care. The law specifically includes many organizations and government programs as health plans.

Covered Entities contract with Business Associates to process PHI on their behalf. In this scenario, a good example of a Business Associate is a website developer or marketing agency hired to create a website or application for a Covered Entity. They are responsible for protecting PHI on the website and must comply with HIPAA regulations.

2. Does the online form collect PHI?

So, HIPAA applies to your organization. Next, we must determine if a particular web form needs to be compliant. The second criterion is, does the form collect Protected Health Information?

What is ePHI?

ePHI is individually identifiable, protected health information sent or stored electronically. “Protected health information” can include information about an individual’s:

Past, present, or future physical or mental health
Past, present, or future provisioning of healthcare
Past, present, or future payment-related information for the provisioning of healthcare

“Individually identifiable” information includes all information used to determine which specific individual is involved. There are 18 identifiers for an individual (listed below), and together with health information, they constitute PHI.

Name
Address (all geographic subdivisions smaller than the state, including street address, city, county, and zip code)
All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
Telephone numbers
Fax number
Email address
Social Security number
Medical record number
Health plan beneficiary number
Account number
Certificate/license number
Any vehicle or other device serial number
Device identifiers or serial numbers
Web URL
Internet Protocol (IP) address numbers
Finger or voiceprints
Photographic images
Any other characteristic that could uniquely identify the individual

As you can see, a lot of data qualifies as “health information,” and just about every type of web form will collect individual identifiers. Even if your form doesn’t request health information, sometimes people will volunteer it to get faster responses. Covered entities are responsible for securing this data in compliance with HIPAA regulations. In many cases, it’s easier to make all online forms HIPAA-compliant rather than trying to lock them down to prevent the insecure transmission of health data.

Examples of HIPAA Compliant Forms

Some online forms are explicitly designed to collect protected health information. Here are some examples of web forms that generally must be secured to meet HIPAA compliance standards:

Appointment and Referral Requests: These will collect identifiable information about the person requesting the appointment. The request for the appointment should be considered information about “future provisioning of health care to an individual.” Furthermore, requesting an appointment may imply information about “an individual’s past, present, or future physical or mental health or condition.”
Patient Intake Forms: These forms usually enable prospective patients to provide information about themselves for one purpose or another. These forms collect identifiable information about “an individual’s past, present, or future physical or mental health or condition.”

Some examples that might not be considered in the collection of PHI (depending on the exact context of the site) because, while they are individually identifiable, they may not include or imply health information for that individual:

Contact Requests: The website visitor is merely asking for a call or email with no specified reason.
Purchases of products that do not require a prescription: Purchasing a product does not imply who is to use it unless that product is restricted (e.g., via a prescription). Of course, this may also depend on whether you collect health information as part of the purchase for future marketing purposes.

Anything that identifies the person and relates to that person’s health or healthcare should be considered PHI and protected. It’s also important to note that as technology has advanced and online tracking has become ubiquitous, it’s possible to infer more about an individual and their health conditions indirectly. It is essential to proceed cautiously and recognize that even the smallest information you collect about a website user is part of a more extensive online profile.

Other industries can get away with not being secure. But why would you? People are afraid and paranoid about identity theft and information leakage on all sites, not just ones related to medical information. Anything a website can do to make visitors more comfortable and secure will improve trust and conversions.

What About Consent for Insecure Transmission?

As a follow-up question, we are often asked if there can be a checkbox on the form that patients can click to consent to use an insecure, non-compliant form. Presumably, if they do not click, they cannot submit the form.

This practice is highly advised against and is almost certainly not HIPAA-compliant. You should consult with a lawyer to ensure it is okay if you have a compelling reason to use this method.

To understand why this is a bad idea, consider “Mutual Consent.”

Under HIPAA, Mutual Consent to transmit ePHI insecurely seems to be allowed if:

You and the patient agree that insecure transmission is okay,
The patient has been appropriately advised of the security risks involved,
The patient agrees in writing that insecure transmission is okay, and
The option for HIPAA-compliant transmission is available by implication.

However, this overcomplicates the process. It is much simpler to have secure web forms by default. You will not need to provide waivers, keep track of who has opted in/out, and maintain two different submission options.

The only case where this could be considered possibly under the HIPAA radar (again, please consult your lawyer) is if:

Your insecure form has a clear section advising the users of the risks of submitting their data via this form.
That warning is understandable to most laypeople without further explanation.
They must check a box (or sign their name) to consent to the insecure form transmission.
You may need to show that they understood and agreed to the risks and didn’t just click without reading.
When you collect the form data, you save and archive all of these consent agreements in case of a breach, and you need to prove that insecure sending was allowed and the user was well informed of the risks.
You have another option available to the user if they do not accept the risks, e.g., Submitting the form securely, calling you via a phone number, printing and mailing in a physical form, etc.

You burden the end-user significantly by adding warnings and consent to online forms. No one wants to read through disclaimers and checkboxes before completing a submission on a general website form. As always with the web, keep it as simple as possible for maximum results. In this case, that means no consent, no warnings, just simple, secure submission.

Conclusion: Set Up HIPAA-Compliant Online Forms Today

LuxSci’s Secure Form solution is designed to meet HIPAA compliance requirements for online data transmission and storage. Contact our sales team today to learn more about our options for secure online engagement.

Tags: ePHI, form, hipaa, hipaa compliant forms, hipaa compliant online forms, hipaa compliant websites, hipaa websites, phi, protected health information, secure, web form
Posted in HIPAA Compliant Forms, LuxSci Library: HIPAA
No comments »