unencrypted email Archives - LuxSci

Posts Tagged ‘unencrypted email’

Frequently Asked Questions: HIPAA and Email Marketing

Thursday, October 27th, 2022

HIPAA is a complicated law that offers a lot of guidance but does not require the use of any specific technologies to protect patient privacy. This causes a lot of confusion when it comes to HIPAA-compliant marketing campaigns. This article addresses some frequently asked questions about HIPAA-compliant email marketing and what you need to do to be on the right side of the law.

Do generic practice newsletters still count as PHI?

In many cases, even a generic email newsletter can be PHI because it is sent to a list of current patients. Email addresses are individually identifiable, and combined with the content of the email they can imply that the recipients are patients of the practice. For example, say you send a “generic” newsletter to the patients of a dialysis clinic. An eavesdropper may be able to infer that every recipient receives dialysis. The email is therefore PHI and should be protected.

In some cases it can be hard to determine what is PHI and what is not. Using a HIPAA-compliant marketing solution for all patient communications avoids the ambiguity and keeps the messages protected either way.

What are email marketing best practices for organizations using Mailchimp?

The best practice is not to use Mailchimp! Mailchimp is NOT HIPAA-compliant and will not sign a Business Associate Agreement to protect your data. The best way to begin an email marketing program is to select a fully HIPAA-compliant vendor. Simply put, this means that emails are encrypted in transit, and stored data is also encrypted. 

 


What is an Email API?

API is an acronym that stands for “Application Programming Interface.” An email API gives applications (like CRMs, CDPs, or EHRs) the ability to send emails and retrieve analytics. Email APIs are often used to send transactional or bulk marketing emails. Trigger-based emails are ideal for sending with an email API. In this situation, emails are sent when pre-determined conditions in the application are met. For example, an order confirmation is a transactional, trigger-based email. A person buys a product online, the transaction is processed, and an email is sent to the buyer with their transaction details. The email is sent automatically with an email API. When a new patient has an upcoming appointment, an email API could be used to send a reminder email and offer rescheduling options. Email APIs enable the automation of common email workflows.

Does HIPAA permit providers to send unencrypted emails with PHI to patients?

Encryption is an addressable standard under the HIPAA Security Rule, but that does not mean it’s optional. The HIPAA Privacy Rule does not explicitly forbid unencrypted email. Still, it does state that “other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted email.”

The Department of Health and Human Services (HHS) has clarified this by stating that “covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email.” Some organizations use waivers to inform patients of the risks and acquire permission to send unencrypted emails.

However, we do not recommend this for several reasons. One, keeping track of waivers over time and recording status changes and updates is challenging. Two, signed waivers do not insulate you from the consequences of a HIPAA breach. And finally, using waivers to send unencrypted emails doesn’t eliminate your other HIPAA obligations. Using a HIPAA-compliant solution is more manageable and eliminates ambiguity.

Can patients exercise their right of access to their own PHI by receiving it via unencrypted email?

Yes, but they must be fully informed of the risks and sign waivers acknowledging them. The caveats in the previous answer apply. It is always better to encrypt emails.

Is Microsoft 365/Exchange 365 encryption sufficient for marketing emails?

Microsoft 365 can be configured with Office Message Encryption (OME) to comply with HIPAA. However, it is not well-suited to sending marketing emails. OME primarily relies on portal pickup encryption, in which the message is stored securely on a server and the recipient must log in to the portal to read it. If you are a marketer trying to increase open and response rates, the portal adds a barrier to access that many recipients will not cross. Light-PHI marketing messages are best sent using TLS encryption. TLS-encrypted messages arrive in the recipient’s inbox just like a regular email and do not require the user to log in to read them. The caveat is that SMTP TLS is opportunistic by default: the sending system must be configured to require TLS (and to verify the receiving server’s certificate) and to hold or re-route the message, for example to portal pickup, when the recipient’s server does not support it. Otherwise the message can silently fall back to cleartext.
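The following is an added example, not LuxSci code and not any vendor’s API. It ties together the trigger-based appointment reminder described under “What is an Email API?” and the TLS-versus-portal decision above: a small policy function picks a delivery method from the message’s sensitivity and any consent waiver on file, and the SMTP sender refuses to transmit unless STARTTLS succeeds with a verified certificate, instead of silently falling back to cleartext as an opportunistic sender would. The sensitivity classes, the consent record layout, the addresses and the SMTP host are assumptions made for illustration.

```python
"""Fail-closed delivery policy for email that may carry PHI.

Added example, not LuxSci code. The sensitivity classes, the consent record,
the recipient addresses and the SMTP host are assumptions made for illustration.
"""
from dataclasses import dataclass
from email.message import EmailMessage
from enum import Enum
from typing import Optional
import smtplib
import ssl


class Sensitivity(Enum):
    LIGHT = "light"   # identity plus implied patient status, e.g. a practice newsletter
    FULL = "full"     # diagnoses, results, appointment details


class Delivery(Enum):
    PLAINTEXT = "plaintext"      # ordinary SMTP, may be downgraded to cleartext
    FORCED_TLS = "forced_tls"    # send only if the hop to the recipient is TLS-protected
    PORTAL_PICKUP = "portal"     # store the body; email only a notification with a link


@dataclass(frozen=True)
class Consent:
    """A patient's recorded preference for unencrypted email (hypothetical schema)."""
    allows_unencrypted: bool
    revoked: bool = False

    @property
    def active(self) -> bool:
        return self.allows_unencrypted and not self.revoked


def choose_delivery(sensitivity: Sensitivity, consent: Optional[Consent] = None) -> Delivery:
    """Map message sensitivity and any consent on file to a delivery method.

    Plaintext is allowed only when an unrevoked consent is on file. Otherwise
    light-PHI marketing goes out over forced TLS so it lands in the inbox, and
    full PHI goes to portal pickup.
    """
    if consent is not None and consent.active:
        return Delivery.PLAINTEXT
    if sensitivity is Sensitivity.FULL:
        return Delivery.PORTAL_PICKUP
    return Delivery.FORCED_TLS


class TlsUnavailable(RuntimeError):
    """The receiving server did not offer STARTTLS; nothing was sent."""


def send_forced_tls(msg: EmailMessage, host: str, port: int = 587) -> bool:
    """Deliver over SMTP only if STARTTLS succeeds with certificate verification.

    smtplib is opportunistic by default: a caller that simply calls send_message()
    after connecting would transmit in cleartext when the peer lacks STARTTLS.
    Here that case raises instead, so the message can be held or re-routed.
    """
    ctx = ssl.create_default_context()   # verifies the chain and the hostname
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise TlsUnavailable(f"{host}:{port} does not advertise STARTTLS")
        smtp.starttls(context=ctx)       # ssl.SSLError on an invalid certificate
        smtp.ehlo()                      # re-identify on the encrypted channel
        smtp.send_message(msg)
    return True


def build_reminder(patient_email: str, appointment: str) -> EmailMessage:
    """A trigger-based appointment reminder of the kind an email API would send."""
    msg = EmailMessage()
    msg["From"] = "reminders@clinic.example"      # constructed sender address
    msg["To"] = patient_email
    msg["Subject"] = "Appointment reminder"
    msg.set_content(
        f"You have an appointment on {appointment}. "
        "Reply to this message or call the office to reschedule."
    )
    return msg


if __name__ == "__main__":
    # Constructed samples: a reminder (full PHI) and a newsletter (light PHI).
    reminder = build_reminder("patient@example.org", "2022-11-03 09:30")
    print(f"built reminder to {reminder['To']}")
    for label, sens, consent in [
        ("newsletter, no consent", Sensitivity.LIGHT, None),
        ("reminder, no consent", Sensitivity.FULL, None),
        ("reminder, consent on file", Sensitivity.FULL, Consent(True)),
        ("reminder, consent revoked", Sensitivity.FULL, Consent(True, revoked=True)),
    ]:
        print(f"{label:28s} -> {choose_delivery(sens, consent).value}")
    # send_forced_tls(reminder, "smtp.clinic.example") would deliver the reminder
    # only over a verified TLS hop and raise TlsUnavailable otherwise.
```

When `send_forced_tls` raises `TlsUnavailable`, the caller should treat that as the signal to fall back to portal pickup or to hold the message for review, never to retry without TLS; that is the fail-closed behaviour the post’s “forced TLS” recommendation relies on.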


Conclusion

HIPAA can be difficult to understand, but choosing the right tools and properly vetting your vendors makes it easy to execute HIPAA-compliant email marketing campaigns. If you are interested in learning more about LuxSci’s easy-to-use, Secure Marketing platform, please get in touch with our sales team.

Can You Send ePHI in Insecure Emails and Texts with Mutual Consent?

Tuesday, April 27th, 2021

Email and text messaging are among the most common forms of business communication. However, if you are sending ePHI, regular texts and emails are off limits! If you are subject to HIPAA regulations, you will need mutual consent from your patients before sending ePHI insecurely via these methods.

This may seem frustrating because text and email are easy and switching to a secure service can feel like a lot of work. However, when ePHI is mishandled it can have significant repercussions. Personal information can be stolen, made public, and even used in fraud.

Text messaging and normal email carry significant risks to ePHI, because they aren’t designed to be secure. While it is best to only send ePHI over secure services, there may be instances where the patient wants to communicate over these insecure methods. Because of the risks, your organization needs signed mutual consent waivers to proceed with insecure communication.

Does HIPAA Allow Mutual Consent?

Read the rest of this post »

Patient Privacy Issues with Unencrypted Email

Monday, August 28th, 2017

We have scoured the internet for real-life examples of email in medical settings to back up the points made in past posts about the perils and pitfalls of using unencrypted email. Email is one of the oldest (some even refer to it as “legacy”) tools in our always-connected, digital world. However, its use between patients and their medical providers, and between doctors and their business associates, can be fraught with issues that may violate the provisions of the Health Insurance Portability and Accountability Act (HIPAA).

The HIPAA privacy rules require covered entities and their business associates to protect patients’ health information from unauthorized disclosure. The HIPAA security rules do not mandate specific technologies or prohibit others. In fact, HIPAA:

“…allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.”

An imperfect understanding of patients’ privacy concerns, lack of proficiency in using computers or access to them, and misguided policies on usage play a part in HIPAA privacy breaches. The consequences of such breaches can be quite burdensome for the medical provider.


Medical providers often forget (or might even be unaware of) “reasonable safeguards” that can easily be implemented to prevent emails from leaking information that patients might consider compromising to their privacy. By analyzing real-life examples of how email is used (well, actually misused) in practice, we hope this post can convince you to adopt reasonable safeguards that make email a valuable and efficient part of your workflow while conforming to HIPAA.

Read the rest of this post »