" quasi compliance Archives - LuxSci

Posts Tagged ‘quasi compliance’

HIPAA-Compliant Email Marketing: FAQ

Tuesday, November 21st, 2023

Email is an essential channel for most marketers. However, HIPAA regulations raise many questions for healthcare marketers who need to execute email marketing campaigns without violating patient privacy.

HIPAA is a complicated law that offers a lot of guidance but does not require the use of any specific technologies to protect patient privacy. The ambiguity causes a lot of confusion for marketers trying to integrate email into their marketing strategy. This article addresses some frequently asked questions about HIPAA-compliant email marketing and offers advice for securing patient data and futureproofing your marketing.

Do generic practice newsletters need to be protected?

Some marketers assume practice newsletters do not contain health information and, therefore, do not fall under HIPAA requirements. However, this assumption is often incorrect. Many are surprised to learn that protected health information can be implied from seemingly benign information.

In this way, many generic email newsletters often indirectly contain PHI because they are sent to lists of current patients. Email addresses are individually identifiable and combined with the email content; it may imply that they are patients of the practice. For example, say you send a “generic” newsletter to the patients of a dialysis clinic. An eavesdropper may be able to infer that the recipients receive dialysis. Therefore, the email reveals information about an individual’s health treatment, is PHI, and should be secured in compliance with HIPAA regulations.

In some cases, it can be complicated to determine what is PHI and what is not. Using a HIPAA-compliant marketing solution is best to avoid ambiguity and ensure security.

How Do I Find a HIPAA-Compliant Email Marketing Vendor?

Unfortunately, using broadly popular email marketing platforms is not recommended. Many of these platforms were designed for e-commerce businesses and are not secure enough to meet HIPAA requirements. We do not recommend using a solution not specifically equipped to meet the healthcare industry’s unique security and compliance needs. To determine if your email marketing provider is compliant, they must meet three broad criteria at a minimum.

  1. The vendor must sign a Business Associate Agreement outlining how they plan to secure your data and what they will do in the event of a breach.
  2. Encrypt data at rest when it is stored in their systems.
  3. Encrypt email messages and data in transit as it is sent to the recipients.

 

email marketing vendor comparison

Not all vendors will be up to the task. Carefully vet your email marketing vendors to ensure they are taking steps to secure data and protect patient privacy.

What is an Email API?

API is an acronym that stands for “Application Programming Interface.” An email API gives applications (like CRMs, CDPs, or EHRs) the ability to send emails using data from the application. Email APIs also return campaign data to the platform or dashboards so you can assess the effectiveness of your marketing efforts. Trigger-based transactional or marketing emails are ideal for sending with an email API. In this situation, emails are sent when pre-determined conditions in the application are met. Healthcare organizations may use email APIs to send appointment reminders using electronic health records system data about a patient’s upcoming appointment.

Email APIs enable the automation of common email workflows. However, they are not interchangeable with email marketing platforms. Email APIs do not include the contact management systems standard in most email marketing platforms because all that data lives within the application they connect to. In addition, email API tools typically do not include drag-and-drop editor tools or other design features that help your emails stand out.

Does HIPAA permit providers to send unencrypted emails with PHI to patients?

Encryption is an addressable standard under the HIPAA Security Rule, but that does not mean it is optional. The HIPAA Privacy Rule does not explicitly forbid unencrypted email. Still, it does state that “other safeguards should be applied to protect privacy reasonably, such as limiting the amount or type of information disclosed through the unencrypted email.”

In addition, the Department of Health and Human Services also states that “covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email.” Some organizations use waivers to inform patients of the risks and acquire permission to send unencrypted emails.

However, we do not recommend this approach for several reasons:

  1. Keeping track of waivers over time and recording status changes and updates is challenging.
  2. Signed waivers do not insulate you from the consequences of a HIPAA breach.
  3. And finally, using waivers to send unencrypted emails doesn’t eliminate your other HIPAA obligations like data retention and disposal. Using a HIPAA-compliant solution is more manageable and eliminates ambiguity.

Can patients exercise their right of access by receiving PHI via unencrypted email?

Yes, but they must be fully informed of the risks and sign waivers acknowledging them. The caveats in the previous answer apply. It’s always better to utilize an encryption tool to protect patient data.

Is Microsoft 365 or Exchange 365 encryption sufficient for marketing emails?

Microsoft 365 can be configured with Office Message Encryption (OME) to comply with HIPAA. However, the program is not well-suited to send marketing emails. OME primarily relies on portal pickup encryption, in which the message is stored securely on a server and requires the recipient to log in to the portal to read the email. If you are a marketer trying to increase engagement, the portal adds a barrier to access that many will not cross. Light-PHI marketing messages are best sent using TLS encryption. TLS-encrypted messages arrive in the recipient’s inbox just like a regular email and do not require a user to log in to read the message.

TLS versus Portal Pickup email encryption

In addition, Microsoft 365 is not configured to send high volumes of email. If you plan to send large marketing campaigns, you could unintentionally disrupt regular business communications by sending all the messages through the same infrastructure. You should separate your business and marketing email sending to protect your IP reputation and achieve your desired sending throughput.

What are common email marketing use cases for healthcare?

Email marketing in healthcare is not restricted to boring practice newsletters. When you utilize tools that enable the use of PHI in your targeting and personalization efforts, the sky is the limit. With consumer preferences shifting toward digital communications, marketers willing to utilize the email channel and tactics like segmentation and personalization can see better results.

Email is an excellent way to communicate with patients. A sampling of ways that healthcare marketers can use email include:

  • engaging patients in their healthcare journey
  • educating patients about their healthcare conditions and treatments
  • improving attendance and scheduling
  • retaining patients
  • increasing preventative procedures
  • collecting data on the patient experience
  • improving patient satisfaction

Conclusion

HIPAA can be difficult to understand, but choosing the right tools and adequately vetting your vendors makes it easy to execute HIPAA-compliant email marketing campaigns. If you are interested in learning more about LuxSci’s easy-to-use, Secure Marketing platform, please contact our sales team.

Infographic: Most Email Software Cannot Use PHI

Thursday, January 12th, 2023

Email Communication is Necessary- But Introduces Risk

When it comes to receiving communications from businesses, 93% of people say that email is their preferred communication channel. In the healthcare industry, organizations must take extra care to comply with HIPAA. Only some email marketing platforms can adequately protect PHI. If not properly secured, email can introduce significant risks to sensitive data. 72% of organizations report experiencing an email cyberattack.

As the definition of PHI is ever-expanding to include information like biomarkers, organizations need to adopt a more secure posture for their personal, transactional, and marketing email. Cybercriminals seek out personal data because it is highly valued on the dark web. Data Loss Prevention (DLP) and policies preventing users from sending PHI insecurely are not enough.

Humans are prone to error and often make mistakes classifying PHI. Even DLP technology is not infallible- keywords can be misspelled, and PHI only sometimes fits cleanly into pre-determined filters. 40% of threats stem from internal actors. Many are not malicious, just mistakes! You must account for errors when humans are part of your security program.

So how can you prevent data leakage and ensure the security of sensitive data at rest and in transit? It’s simple when you choose the right solution. Resolve the tension between security risk and business engagement objectives by choosing a fully compliant email marketing solution.

infographic email phi(Click to Expand)

Two Requirements for Including PHI in Marketing Emails

Secure Application

HIPAA does not require at-rest encryption, though it is recommended to decrease risk and potential liability. When using email marketing platforms or customer relationship management systems that contain PHI, it’s essential to keep that information protected. You must ensure that all collected and stored protected health information is encrypted and can only be accessed and decrypted by people with the appropriate keys. This makes backups secure, protects data from being improperly accessed, and generally protects the data no matter what happens (unless the keys are stolen). Encryption is essential to protect private health data at rest in an application.

Transmission Encryption

If protected health information is transmitted outside of the database or application, encryption must also be used to protect the data in transmission. At a minimum, TLS encryption (with the appropriate ciphers) is secure enough to meet HIPAA guidelines. However, TLS alone may not be appropriate for your use cases. Non-compliant and quasi-compliant applications do not offer transmission encryption that is secure enough to comply with HIPAA. You should only send communications containing PHI if they are encrypted.

Types of Email Marketing Solutions

Non Compliant (1)

Many of the most popular email solutions on the market were not designed to protect the sensitive data of the healthcare industry. These vendors will not sign Business Associate Agreements and do not provide the storage or transmission encryption needed to meet HIPAA requirements. Healthcare organizations should only use these solutions if they do not send PHI- which may be impossible if you plan to email lists of patients with any information about their healthcare. 

Quasi Compliant (2)

HIPAA does not require any specific technology to meet its requirements, which allows for flexibility, but also creates uncertainty. No central government organization certifies HIPAA compliance, and as a result, many organizations advertise themselves as “HIPAA-compliant” but don’t enable you to take full advantage of their functionality. We call this “Quasi compliance.”

Quasi-compliant solutions often provide a secure application and protect patient data at rest. However, they will not permit you to send emails or transmit PHI outside the database. This can seriously limit the usefulness of the solution. Take a real-life example: one healthcare organization purchased a CRM system and set it up, uploaded their contacts, and was ready to start using it, so they enabled the “HIPAA Compliance” toggle on the backend. They quickly found that much of the functionality was no longer available and wouldn’t allow them to email or log certain data types. The solution was almost useless for their patient engagement efforts.

Other applications will permit you to use the full functionality of the solution, but when you read the terms of the Business Associate Agreement, it is clear that you are not allowed to send PHI. If signed, your organization will be responsible for any breaches caused by sending PHI insecurely, not the vendor.

Full Compliance (4)

This is why it’s crucial to vet solutions carefully and not take shortcuts regarding HIPAA compliance. Any CRM, CDP, or email marketing solution must protect data at rest in a secure application and encrypt transmitted messages. Even more importantly, it shouldn’t take any extra training or require any extra steps to use in a compliant way.

At LuxSci, (3) we provide a secure application to manage your email campaigns that encrypts transmitted messages automatically. Our Secure Marketing solution is designed to meet the unique security needs of healthcare organizations. All email transmissions are encrypted automatically, and users can choose the right type of encryption (TLS, Portal Pickup) to meet their email use cases. Automatic encryption gives your security and compliance teams peace of mind that all messages are sent securely. Data is protected throughout the lifecycle and does not require employees to decide whether a message contains PHI. Healthcare marketers can fully use PHI to personalize and customize messaging to increase patient engagement and get better ROI on their marketing campaigns. 

Rules for Using PHI in Patient Engagement

Friday, November 11th, 2022

As you know by now, we believe strongly in the benefits of using protected health information (PHI) to create highly targeted and personalized email campaigns. However, before you dive in and kick off your campaigns, you must be aware of the complex compliance requirements governing healthcare organizations’ marketing communications.

using PHI for patient engagement

Reminder: What is PHI?

PHI, or protected health information, is “individually identifiable protected health information.” Protected health information refers specifically to three classes of data:

  1. An individual’s past, present, or future physical or mental health or condition.
  2. The past, present, or future provisioning of health care to an individual.
  3. The past, present, or future payment-related information for the provisioning of health care to an individual.

For protected health information to be “individually identifiable,” the data can be linked to a specific individual (even if this is very indirect). There are 18 types of identifiers for an individual. Any one of these identifiers, combined with “protected health information,” would constitute PHI.

It’s often more complicated than it looks. For example, if you are running email campaigns, an email address is an individual identifier because it can be connected to a specific individual. That, combined with the email content, which often refers to the name of the provider, information about their health conditions, insurance coverage, or upcoming appointments, means that most communications from a healthcare practice could qualify as PHI.

HIPAA Rules for Using PHI in Patient Engagement

HIPAA regulates patient privacy. Healthcare organizations and their associates must obtain consent and implement technical safeguards before starting marketing campaigns.

HIPAA Privacy Rule

According to the U.S. Department of Health & Human Servicesyou must acquire consent to send marketing communications under the HIPAA Privacy Rule. It reads, “With limited exceptions, the Rule requires an individual’s written authorization before a use or disclosure of his or her protected health information can be made for marketing.”

The Privacy Rule defines “marketing” as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” This also applies to many patient engagement communications.  

Generally, if the communication is “marketing,” then the communication can only occur if the covered entity obtains an individual’s authorization. Organizations must keep track of who has consented to receive marketing communications and allow them to opt-out at any time. We further discuss the nuances of patient consent for marketing communications here.

HIPAA Security Rule

All covered entities and their Business Associates are subject to the HIPAA Security Rule. If you are working with a vendor (like a marketing consultant, email marketing platform, or ad agency) that will have access to PHI, you need to enforce a Business Associate Agreement.

The HIPAA Security Rule categorizes the necessary safeguards into three categories: Physical, Administrative, and Technical Safeguards. More details about the requirements for each can be found here. Any vendor you choose to work with must follow these regulations. Some basic requirements include the following:

  • Physically protecting data and where it is stored,
  • Training staff on handling PHI, and
  • Setting up technology to protect PHI properly.

Assuming your patient engagement campaigns are primarily occurring via email, at a minimum, you must ensure that the email marketing vendor will:

  • Protect data at rest and
  • Protect data in transmission.

This means utilizing encryption to ensure that PHI cannot be eavesdropped on. Many popular email marketing vendors do not encrypt PHI in transmission. It’s extremely important to choose a provider who can protect PHI following HIPAA regulations.

hipaa compliant applications

The Benefits of Using PHI for Patient Engagement

Once you have established the proper policies and procedures, signed a BAA, and put any technical requirements in place, you can start segmenting and personalizing emails using PHI. Here are some segmentation and personalization ideas to get started.

By applying these techniques and using PHI in your patient engagement strategy, you can:

  • Design targeted patient journeys
  • Deliver better patient outcomes
  • Improve ROI and reduce costs

Contact us today to learn more about how to securely engage patients using PHI.

5 Ways to Improve Your Dental Practice Email Marketing

Thursday, October 6th, 2022

Email marketing is a highly effective way to communicate the latest news about your dental practice to patients. However, stale newsletters and practice announcements are not enough to keep patients engaged with their oral health. Take your dental practice email marketing to the next level with these tips to improve your messaging. 

1) Choose an email marketing platform that allows you to use ePHI

Identifying the tools to market your practice is often trickier than it appears. Dental practices must abide by HIPAA regulations, affecting how they can transmit information about their services to their patients. Any vendor that handles PHI on behalf of a dental practice must sign a Business Associate Agreement outlining how patient data will be stored, transmitted, and disposed of. Don’t choose a vendor who is unfamiliar with HIPAA’s stringent requirements.

Also, watch out for quasi-compliance. Some self-identified “HIPAA-compliant” email vendors can protect data at rest but not in transmission, rendering their services moot. What’s the point of using a HIPAA-compliant email marketing service that doesn’t allow you to transmit relevant information?

quasi compliance

Some organizations try to avoid HIPAA regulations by having patients sign consent forms to waive their rights under HIPAA. However, this is unwise for several reasons. Even if patients agree, it does not remove the organization’s obligations to secure PHI under the law. If protected health information is improperly accessed, it is still a breach and can lead to severe financial and reputational consequences. Plus, keeping track of waivers and keeping email lists up to date is a major hassle. It’s much easier to do the right thing under the law.

2) Encrypt marketing emails to comply with HIPAA

Many marketing emails imply a relationship between patients and providers and, as such, can often be classified as protected health information. PHI must be encrypted in transit and at rest to comply with HIPAA. Ensure your email marketing platform encrypts every email automatically instead of relying on your marketing team to secure sensitive data.

However, not all email encryption is created equal. TLS encryption meets HIPAA transport encryption requirements and provides a better user experience. Emails encrypted with TLS are sent directly to the patient’s inbox and are opened just like a regular email. This means that marketing emails sent with TLS encryption are more likely to be opened than those sent to a patient portal which requires users to login to read the email.

tls vs portal pickup

Learn more about the differences between TLS and Secure Portal Pickup.

3) Use PHI to send personalized emails that are relevant to your customers

Once you’ve selected a tool that complies with HIPAA email encryption transmission requirements, use patient data to create highly relevant messaging. Some organizations try to get around HIPAA requirements by sending very generic marketing content. However, these tactics do not deliver results. Marketers in other industries have found that using customer data to segment their audience allows them to create highly relevant messaging that delivers better open and click rates. 

personalization stats

Dental marketers can use PHI to segment and personalize emails and delivers results for both your practice and your patients. Healthcare marketing emails can be personalized as long as the proper safeguards and precautions are in place to protect patient privacy and meet compliance requirements.

4) Use email marketing to engage patients 

Healthcare consumerism is rising, and patients are willing to change providers if they are unsatisfied with their experience. Educating and informing current and potential patients about your services is essential to improving new customer acquisition and patient retention. Many patients now prefer to receive communications about their health status, upcoming appointments, and relevant offers via email. 

online marketing stats

Adapting your communications to fit patient preferences is an easy change that can go a long way to increase patient satisfaction.

5) Track the results and use data to improve messaging

Unlike other traditional marketing channels, email marketing campaigns deliver a wealth of data that can be used to inform your strategic plans. Unlike social media, email isn’t subject to the whims of the latest algorithm change. Reviewing performance over time makes it possible to tell what is popular and unpopular with your customer base. Email marketing is so effective at delivering a positive return on investment because it is straightforward to track what is resonating and what is not. 

Conclusion

Using HIPAA-compliant email marketing tools allows dental practices to achieve better marketing results via segmentation and personalization without sacrificing patient privacy. LuxSci’s Secure Marketing platform was designed to help organizations connect with their patients without violating HIPAA.

Dental Practice Marketing & HIPAA

Thursday, September 29th, 2022

Dental practices face enormous challenges when it comes to acquiring new patients and expanding their practices. Marketing is all but essential to make sure your practice thrives. This article discusses how dental practices can thrive using personalized marketing without running afoul of HIPAA regulations.

Dental Practice Marketing Today

HITRUSTMarketing is essential to growing any business successfully, but operating in highly regulated spaces such as dentistry, there are serious compliance considerations. Whether responding to an online patient review or trying to increase patient engagement through marketing campaigns, misunderstanding HIPAA can lead to patient privacy breaches that place your finances and reputation at risk.

The Health Insurance Portability and Accountability Act (HIPAA), which controls what and when patient information may be shared for marketing purposes, was enacted before the electronic age. As a result, it can be challenging to find information regarding appropriate marketing practices using modern social and software technologies.

Most Common Misunderstandings of HIPAA

HIPAA is a complicated set of rules and regulations. When it comes to patient marketing, there are many misconceptions about what is and isn’t allowed. Here we unpack a few of the most common misunderstandings as they apply to HIPAA-compliant marketing.

1. As long as patient consent is acquired, HIPAA doesn’t matter

Acquiring patient consent does not remove the organization’s obligation to secure protected health information (PHI) under the law. If PHI is improperly accessed, it is a breach and can lead to severe consequences.

2. Marketing emails do not need encryption

Many marketing emails imply a relationship between patients and providers and, as such, can often be classified as PHI. HIPAA regulations require PHI to be encrypted in transit and at rest.

3. Personalizing marketing emails is a HIPAA violation

Marketing emails can be personalized as long as the proper safeguards and precautions are in place to protect patient privacy and meet compliance requirements.

The Power of Marketing Personalization for Dental Practices

When using a HIPAA-compliant email marketing solution, you can leverage the data and information you have about your patients to increase engagement.

personalization stats

Improve marketing results and drive better patient outcomes by connecting to your patients with messaging that matters to them. Using PHI to segment and personalize emails delivers results for both your practice and your patients.

A Cautionary Tale

In May 2022, Dr. U. Phillip Igbinadolor, D.M.D. & Associates, a dental practice with offices in Charlotte and Monroe, North Carolina, allegedly impermissibly disclosed a patient’s protected health information on a webpage in response to a negative online review. The Office for Civil Rights imposed a $50,000 civil penalty.

Marketing Directly Impacts Practice Success

In the last decade, patients have significantly changed how they seek healthcare. Most patients now consult digital channels as a primary source of information when searching for new treatments and providers. The information they find via internet searches, social media, and review websites substantially influences their choice of provider. For dental marketers, this change has required a significant adjustment to their marketing strategies.online marketing stats

The Answer is a Fully Compliant Marketing Communications Solution

Starting a new marketing program requires the right tools. Do not choose a solution that prohibits you from using PHI in a way that is fully compliant.

quasi compliance

How to Evaluate Secure Communications Solutions for Healthcare

Choosing the right email encryption solution is especially critical for dental organizations. HIPAA regulations, PHI risk, and improved patient engagement are absolute priorities. Not to mention the need for software that offers ease of use, simple integration, and high-level support. 

Meet Compliance Requirements for Email

LuxSci’s Secure Connector adds a layer of protection to Google Workspace and Microsoft 365 email accounts. Don’t leave your organization’s security up to employees. Prevent breaches by securing sensitive data by default. LuxSci is HITRUST certified and can meet compliance requirements for HIPAA, SOC, GDPR, and more.

evaluation details

Conclusion: Online Marketing Isn’t Optional

Marketing your dental practice is no longer as simple as creating a listing in a directory or sending mail to potential patients. To remain competitive, practices must adopt online advertising techniques that offer a solid return on investment. The perils of possible HIPAA violations may dissuade some from taking the leap- but by properly vetting vendors, training staff, and selecting the right tools, it’s possible to engage patients and achieve results.