HIPAA-compliant Email Hosting

LuxSci provides a Business Associate Agreement compatible with the HITECH amendments of HIPAA. This defines LuxSci's role in maintaining the Privacy of Protected Health Information (PHI) for you as you seek to be HIPAA-compliant. A document like this is required by HIPAA of any vendor that you use.

Once your account is certified by LuxSci as meeting its HIPAA Security Requirements, you can use a LuxSci HIPAA Compliance Seal on your web site or in your HTML Email Signatures, Taglines, or Disclaimers.

A sample HIPAA Seal looks like this (click on it to see an example certification page):

HIPAA accounts can be either globally secure, so all users are compliant and encryption and security are fully-enforced for all messages, or they can be secured on a per-domain basis. In the per-domain case, only users in specified "HIPAA Domains" are required to send all email securely; users in other domains can send insecure email messages but cannot deal with ePHI at all. All users in these accounts share certain basic security considerations such as strong passwords, required use of SSL and TLS for server access, etc.

Use of per-domain HIPAA allows organizations to easily manage their compliant and non-compliant domains in a single account and also permits limited collaboration and sharing between non-HIPAA and HIPAA user logins.

Customers can select account-wide or per-domain HIPAA accounts during the ordering process.

As required by the HITECH amendment to HIPAA, LuxSci follows the HIPAA Security and Privacy Rules with respect to all ePHI in your HIPAA-enabled accounts. This means that LuxSci actively ensures that the privacy of all electronic health information is safeguarded while it is stored on our servers, passing through our servers, or on our backups. It also means that LuxSci staff comply with all HIPAA Security and Privacy requirements:

• Physical safeguards and data access control for ePHI
• Staff training and administrative policies
• Facility access control and security for ePHI
• Contingency plans, backups plans, and disaster recovery for ePHI
• Workstation security and usage lock down with respect to ePHI

I.e. LuxSci staff themselves obey all of the same HIPAA Security and Privacy requirements that our customers face when dealing with ePHI.

In addition to enforced use of SSL and TLS for all connections to our servers, all users automatically send and receive email securely using our SecureLine^TM end-to-end encryption service. All outbound messages sent via SMTP, WebMail, or Premium MobileSync will be automatically encrypted. Additionally, SecureLine^TM allows your users to send secured messages to anyone with any valid email address, even if they do not have TLS or S/MIME or PGP support. Those recipients can easily reply back securely or use our SecureSend portal to register for free and initiate secure messages to your SecureLine^TM users.

To provide a user-friendly environment, certain work-arounds are possible, such as the use of TLS transmission for certain recipients instead of end-to-end encryption. See Restrictions to HIPAA Accounts at LuxSci.

LuxSci's SecureLine^TM and enforced connection encryption (SSL & TLS) ensures that the messages cannot be modified while in transit. Message integrity is assured. Additionally, LuxSci's SecureLine^TM permits the addition of digital signatures to encrypted messages to further ensure the message integrity and prove the identity of the sender.

LuxSci requires that user names and passwords be entered for access to any of its services. The system recognizes users based on their login information, and controls access based on their identity. HIPAA-compliant accounts are required to utilize a high level of password complexity: 8 characters consisting of letters and numbers or symbols. The password must have "high entropy" and not be easily guessable. Automatic auditing of password changes and password resets is required and performed for HIPAA accounts.

HIPAA compliant accounts have a 20 minute default idle period to web-based interfaces (WebMail). The system will automatically log users off after 20 minutes of inactivity; this can be increased to 3 hours by account administrators. Other services such as POP, IMAP, SMTP and MobileSync also have automatic idle timeouts.

LuxSci provides comprehensive security auditing for all accounts. Included in the security audits are password changes, resets, and lookups by LuxSci staff; user access to services such as WebMail, Email Sending (SMTP), POP, IMAP, MobileSync, and more; changes to any of the specific "Maximal Security" settings, as well as changes to the "Maximal Security" lock down status. These reports enable verification of user, administrator, and LuxSci Support staff activity on access and security specific changes to the account.

LuxSci automatically makes backup copies of all data on our servers, including all customer ePHI. Daily backup copies are kept on-site for 2 days and Weekly backup copies are kept off-site for 4 weeks. All data is transmitted securely to the backup servers and stored there in a HIPAA-compliant way. After 4 weeks, all backup copies are destroyed. Accounts can ask for data to be restored from backup for free once/month. LuxSci's Email Archival provides permanent, immutable email storage on servers in multiple geographic locations, updated in real-time, with weekly backups made to optical media. See our complete backup and restore statement for additional information.

The LuxSci "Maximal Security" setting provides individual accounts with the highest level of email security. Security includes implementing the 20 minute WebMail timeout maximum, forcing appropriate outbound encryption, setting password strength requirements, and forcing secure logins. LuxSci support manually reviews any account needing to be HIPAA compliant and ensures that the Maximal Security setting is locked down so these security settings cannot be altered.

Though disabled by default, administrators can choose to allow users the option to opt out of SecureLine^TM encryption for a particular message. However, the user must explicitly agree that the message they are sending does not contain any ePHI. All messages sent without SecureLine^TM encryption are logged for auditing purposes, and copies of them can be sent to an auditor email address for review.

Opt Out is available both in WebMail and for messages sent via email programs using our SecureLine^TM Outlook Plugin or via adding opt out content to the email subject line.

LuxSci can provide a Virtual Private Network (VPN) connection to further secure access to our email, web, and database servers.

LuxSci can offer you an archival solution that is comprehensive, cost-effective, and compliant with most current federal regulations including:

• Permanent single-instance storage on Write-Once Read-Many (WORM) media
• Redundant storage in 2 different locations.
• Powerful full-content search with immediate results
• Message export and import
• Unlimited storage capacity included
• Retention of email for 30-days to 10-years.

MobileSync is an optional Exchange ActiveSync service that enables you to synchronize email, calendars, contacts, tasks, and notes on your mobile devices automatically and in real time. MobileSync is HIPAA-compliant and provides "Remote Wipe", so you can delete ePHI from your mobile device should it become lost or stolen -- preventing possible HIPAA breaches.

Even without MobileSync, LuxSci's IMAP, POP, and SMTP services can be used to securely send and receive email on most mobile devices.

CalDAV and CardDAV and standard protocols for synchronizing calendars and contact lists with desktop and mobile devices. macOS and iOS devices, in particular, and excellent support for synchronization using these protocols. For Android and Windows, third-party applications (including Mozilla Thunderbird) also support them. CalDAV and CardDAV access is included at no additional fee for all email customers; MobileSync is not required.

LuxSci supports many versions of all popular email clients (though we recommend using the latest version of each product if possible), both licensed and shareware. If you use a lesser known email client, we should be able to help you configure it as long as the program supports either IMAP or POP, plus SMTP.

Blackberries, iPhones, iPod Touches, iPads, Android and Windows Mobile are some of the more popular mobile devices available to professionals. LuxSci supports all of these phones, as well as any other phone that properly supports the IMAP, POP and SMTP protocols. If your phone doesn't support these protocols but does have a mobile web browser, you have the option to access your email using LuxSci's Mobile Site.

LuxSci's MobileSync service includes "Push Email" for email viewing, real-time pushing of new email to your device, as well as for sending of outbound email from your device through LuxSci's servers.

Push email is good for mobile battery longevity and for getting notifications of new email messages as fast as possible.

WebMail is designed to work much like a desktop email program.

• Web 2.0 / AJAX
• Automated checking for new email and folder changes every 30s
• Automatic loading and display of new email
• Drag and drop attachments
• Drag and drop copy and move of messages
• Lots of customization preferences
• View shared email from multiple accounts in one screen
• Automatic concurrent checking for new email in multiple folders

LuxSci's WebMail interface ALWAYS gives you secure access to your email from any computer or mobile device with Internet access (via SSL with Extended Validation) unless you specify otherwise. WebMail is fully supported in Internet Explorer, FireFox, Opera, Safari, and Chrome. Our Mobile Site, which is a lightweight version of WebMail, is ideal for accessing email using the browser in your mobile phone or for extra security, privacy and simplicity.

WebMail supports Two-Factor authentication (simple via a Google Authenticator, text message, email, or advanced via integration with www.Duo.com), IP access restrictions, and more.

LuxSci provides a standard, full-featured, Web 2.0 WebMail interface (a.k.a the "Full Site"). For the sake of usability and feature richness, this full-featured portal makes extensive use of graphics, cookies, JavaScript, HTML5 and some features of modern web browsers to enhance the user experience. It is also designed for a wide screen viewing area.

The software requirements that make the full-featured portal good-looking and easy to use also have their down sides. The "Mobile Site" is the solution to these concerns:

Access the Mobile Site automatically with a mobile browser by visiting: https://xpress.luxsci.com

• Blazing Speed: If you have a slow Internet connection or limited bandwidth, the Mobile Site offers faster service. It has been optimized to use less bandwidth, which makes the pages smaller in size, faster to download, and easier to read on your mobile device.
• Mobile Devices and Narrow Screens: The Mobile Site will work with almost any mobile device, tablet, or PDA that has a web browser. We work tirelessly to ensure the quality of Mobile site pages, especially on smaller screens.

We provide you with online tools for creating, deleting, renaming, managing, and searching your email folders.

• Supports any number of folders
• Folders can contain messages and/or other folders
• Folders are accessible via WebMail and IMAP
• Remove Duplicates: Configure removal of duplicate messages in any folder based on message ID, subject, sender address and size. Message removal can run automatically on a nightly basis or manually at any time at the push of a button.
• Auto-deletion: Configuration options allow you to automatically remove "old" messages in any folder to: 1. Reduce the folder size to some fixed maximum 2. Reduce the number of messages in the folder to some fixed maximum 3. Eliminate messages older than a specified number of days.
• Auto-Archival: Archival options can be designed to your specific needs. The function can occur as you prefer; daily, weekly, monthly, bi-monthly, yearly or when YOU feel the folder has exceeded desired storage size of message allotment. You can even have a folder auto-archived; which will move messages to a new dated subfolder at your convenience.
• Offline Storage: Download your email folders as ZIP-compressed archive in UNIX- or EML-format for offline storage.
• Create, rename, move, and delete folders and directories.
• Concurrent Access: Makes it easy to share access to email by allowing multiple users, using different email clients, access to the same email folders concurrently without issue.

When composing email messages, WebMail will automatically give you recipient suggestions by searching all of your address books for matches; in the name, company, email and nickname fields. You can alter, eliminate or add to these suggestions via keyboard or mouse. This WebMail feature makes it quick and easy to enter recipient email addresses and avoid making errors.

WebMail signatures allow you to add personality to your email. In addition to adding a signature to the end of your messages, you can customize the sending name and address. This is ideal if you have many different email addresses [not all of which are hosted at LuxSci] and need to send email (from a single WebMail application) that appears to come from any one of them.

• Unique signature technology; similar to other services' "personalities".
• Support for unlimited signatures.
• Each signature has independent HTML and plain text versions.
• HTML signatures support embedded images
• With Signatures you can include files that will attach to all messages sent using those signatures (e.g. add a vCard or a PDF with all messages).
• Determine whom your email appears to be from (you specify the From address and name; From name can be in any language).
• Determine to whom replies to your email will be sent (you specify the Reply-to address).
• If you reply to an email, WebMail will try to match the recipient address of the email to one of your signatures so that you automatically use the right signature for the right email -- no mistakes.
• Change your signature "on the fly" in WebMail and have the signature content automatically updated in the message.
• Use signatures either at the top of or at the bottom of replies and forwards.

Use of signatures to send emails forged with addresses that you do not have permission to use is a violation of our Acceptable Use Policy.

LuxSci's WebMail interface fully supports sending and receiving email messages in any language or multiple languages:

• View messages encoded in any language or languages.
• Compose messages in any language or languages.
• Configure default encodings to use when none are specified.
• Support for encoded content in subject and sender name fields.
• UTF-8 Unicode is used throughout our site.
• Our user interface is translated into many different languages.

LuxSci WebMail is designed for optimized work with dozens of languages such as: English, Spanish, French, German, Russian, Chinese, Japanese, Korean, Swedish, Hebrew, Portuguese, and many more.

Additionally, WebMail allows you to configure:

• Preferred time zone
• Preferred date and time format
• Week start day

WebMail's feature-rich options include:

• International Email Support: Send and receive secure email in any language or character encoding. Support for multiple character encodings in one message.
• Security: WebMail is fully integrated with our SecureLine^TM end-to-end email encryption service.
• Full, robust HTML email composition supported in Internet Explorer v9+, FireFox, Opera, and Safari
• Automatically checks for new email in multiple folders.
• Spell checking in real time as you type. This feature supports multiple languages and customized user dictionaries. (Uses the SCAYT Text and HTML spell checking technology from SpellChecker.net.
• Defer email messages: hide messages in any folder and have them re-appear at later scheduled times for action.
• WebMail composition: Auto-save your work so you never lose a message in progress.
• Full screen viewing mode
• Automatic checking of your INBOX for new email
• Plain Text and HTML Email Templates
• Send any number of attachments
• Forward messages inline or as attachments
• Delete attachments from messages
• Save/resume compositions using a Drafts folder
• Request and respond to Read Receipts
• Set and view importance-level and flags on messages
• View images and HTML attached to your messages inline
• View/download attachments
• View complete email message headers
• View complete message source
• Download individual messages
• Sort messages by date, sender, subject, size, and more
• Address Books, personal and shared, are integrated with WebMail.
• A large number of personal preferences allow you to tweak WebMail to behave just the way you want it to. Some of these include:
  • Six different selectable layouts of the folder tree, message list, and message display areas
  • Choose destination of deleted messages: remove, mark as deleted and/or save to a trash folder
  • Customize both the information that displays in your message list and the order in which the information is displayed
  • Customize if message previews are used and if HTML and image content is displayed automatically inline
  • Many, many more -- get a Free Trial and see them all.

LuxSci provides SMTP Relaying so that you can send email from email programs (WebMail does not require "SMTP" service to send email).

• Secure SMTP via TLS and SSL
• Alternate Ports for secure and insecure SMTP -- including port 80 -- which is open in most firewalls.
• All of our email servers support TLS and will talk securely with other servers whenever possible (opportunistic TLS).
• Anonymous SMTP: Remove all information about your sending computer (its IP address) and email client when sending messages. This feature is available over SSL and TLS as well for email security. It is available to all clients who subscribe to SMTP services. More about Anonymous SMTP
• More about SMTP

Users can:

• Send copies of all outbound email to a designated email address
• Send copies of all outbound email messages to a server-side sent email folder (without IMAP)

Domain administrators can:

• Send copies of all outbound emails, from all users, to a designated email address. Certain users can be exempted from this process.

Global taglines or disclaimers in text and/or HTML cab be configured to appear at the end of all messages sent by your users.

• Applies to messages sent via WebMail and from email programs using SMTP.
• Configurable on a per-domain basis
• Taglines/disclaimers can be added as attachments or added as part of the message content itself.

Monitor the content of all messages sent from WebMail or from email programs using SMTP.

• Search for keywords or key phrases
• Use regular expressions
• Searches all HTML and plain text message parts
• Search your choice of the message subject, message body content, or both
• Can block messages, send copies of matching messages to an auditor email address, or auto-encrypt matching messages

LuxSci's authenticated SMTP services can be used as a "smart host", which allows users to relay all email from your internal server though our servers for processing before being sent out into the Internet.

With smart hosting, you can take advantage of all of LuxSci's SMTP features, such as automatic outbound email encryption, anonymization, taglines and content monitoring.

Our "Intelligent" Smart host feature treats your email as if it were sent by your individual users. It looks at the "From" address on each message, rather than the single user connecting to LuxSci's SMTP services. This permits enforcement of per-user SMTP limits, per-user reporting on SMTP usage, per-user customization of taglines, per-user exemptions from some tools, and full support SecureLine^TM automatic end-to-end outbound email encryption.

See: LuxSci Secure Connector.

View your own plus your users' IMAP, POP, SMTP, and WebMail login and connection histories for up to 30 days if you have administrative access.

Email auto-responders let you setup pre-defined responses to email messages that you receive while you are away -- out of the office, on vacation, or otherwise unavailable. They also allow for the configuration of complex automated response rules.

Features include:

• Automatic response to incoming email messages.
• Different responses based on to which of your email addresses or domains the message is addressed
• Configure responses based on arbitrary criteria such as: sender address, subject content, body content, email header content, etc.
• Sign the replies with your signatures.
• Specify the subject line and body of each reply.
• Activate and deactivate the auto-responders manually or set a scheduled time window for activation and de-activation.
• Enable "nags" to notify you that your responder is still enabled after a specified date.
• HTML-formatted or plain text-formatted response content.
• Configurable time window during which senders will not get duplicate responses for multiple messages sent.
• Rate limits so that the same sender does not receive too many responses from you and so that your responders cannot be used to create denial of service situations.
• Customer-accessible audit trails of all responses sent. Includes when, to whom, for what responder, and what the subject of the original message was.

An email alias is not an actual user, but rather a rule that indicates to whom the email should be delivered. Individual users can also configure email forwarding for their inbound email.

Features include:

• Catch-all aliases to capture email to non-existent address at your domain.
• Redirect email to any address at your domain to one or multiple real local or remote email address(es).
• Redirect email to multiple addresses at once. (Limit: 25 addresses or the number of users in your account, whichever is larger).
• Lots of aliases; change them anytime you wish via our secure online tools or our API.
• Domain Forwarding Catch All Aliases allow you to forward any address at one domain, "domain1.com", to the same user at a second domain, "domain2.com".
• Powerful Alias Manager has search features that allow easy management and reporting on thousands of aliases across hundreds of domains.
• Aliases can: forward email to one or more recipient addresses, send custom email bounce messages, and automatically delete all incoming email.
• User Groups WebAides^TM can be used to create and manage distribution lists to selected groups of users in your account.

If you have other email accounts with POP access, you can download messages from these remote accounts to your LuxSci email folders.

Features Include:

• Store information for an unlimited number of remote POP email accounts
• Download mail from each account to any email folder
• Have your email downloaded automatically every 20 minutes
• Use your inbound email, anti-Spam, and anti-Virus filters, including Premium Email Filtering to filter downloaded messages before forwarding to your LuxSci account. This is a great solution when your remote email account doesn't permit email forwarding but you want to download and filter those messages.
• Delete or leave the remote email on the remote server when downloading manually. Messages are deleted from the server with automatic message downloads.
• Optionally preview messages before downloading: select what to download or delete.
• Download email from one or ALL remote accounts individually or at once.
• Secure POP (SSL) connections to remote POP servers.
• Use "Signatures" to manage multiple email accounts.
• Full support of previewed email messages with text in most languages.

• When the message was sent
• Who sent it and from what address
• What the subject was
• The address of the recipient that failed
• Exactly why the delivery failed

These email alerts are HTML for easy reading and include a CSV (Excel) file with all of the data for easy analysis. With these reports you can always be aware of failed deliveries and do not have to worry about getting and reading bounce messages. You can configure these reports so that managers can get copies of the failure reports for users and thus can ensure that important messages are all properly delivered.