HIPAA Email API for Admission, Discharge, and Transfer Alerts

We spoke to a prospect down in Melbourne Beach, Florida earlier this week about our HIPAA Compliant Email API. They were keenly interested in integrating it with their Admission, Discharge, and Transfer (ADT) Alert workflow platform.

Admission, Discharge, and Transfer (ADT) Alerts

The Admission, Discharge, and Transfer (ADT) system supports core administrative functions in healthcare.

These are:

  • Registering a patient
  • Discharging a patient
  • Transferring a patient
  • Merging patient files to avoid duplication

ADT is part of the HL7 standard and is considered a cornerstone to improving patient care coordination.

Protected Health Information (PHI)

According to the HIPAA Privacy Rule, Protected Health Information (PHI) is defined by HHS as individually identifiable health information held or transmitted by a Covered Entity or its Business Associate.

PHI can be in any form or media:

  • Electronic (email, text, patient portal, etc.)
  • Paper
  • Oral

In a nutshell, any information that can reasonably be used to identify an individual and is used during the course of care is considered PHI.

In the case of ADT alerts, we clearly see that PHI is being constantly transmitted.

Read full article: What is Protected Health Information (PHI)?

Transactional Email

Transactional Email is a type of email sent to assist an agreed-upon interaction between a sender and recipient. In US Healthcare, this is often between a provider and a patient.

Transactional Emails may also be called “triggered” emails because they can include any email that is generated by a patient’s interaction with a patient portal, a smartphone app, or in this case, ADT alerts.

HIPAA Compliant Transactional Email

Transactional email for most businesses often doesn’t have sensitive information and can be sent without worry of encryption. But because a transactional email for ADT alerts will have protected health information (PHI), it requires email providers to be HIPAA compliant.

Because there are limited options when it comes to HIPAA compliant transactional email providers, most providers, and as a result consumers, are left out in the cold.

But by using HIPAA compliant transactional email to securely deliver ADT alert information to a patient’s inbox, healthcare providers can meaningfully increase patient engagement.

Read full article: What is HIPAA Compliant Transactional Email?

HIPAA Compliant Email for ADT Alerts

In the case of the prospect we spoke to, they were eager to integrate our HIPAA Email API into their ADT alert workflow.

We are looking forward to working with them.

Try Paubox Secure Email API for FREE and make your transactional email HIPAA compliant today.

The post HIPAA Email API for Admission, Discharge, and Transfer Alerts appeared first on Paubox.

Source: https://www.paubox.com/blog/hipaa-email-api-adt-alerts

Does Infusionsoft offer HIPAA Compliant Email Service?

A customer recently asked us about whether they were able to use Infusionsoft by Keap as a HIPAA compliant email service.

We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud services in this sector.

Today, we will determine if Infusionsoft by Keap offers HIPAA compliant email service or not.

Infusionsoft by Keap

Infusionsoft by Keap offers a subscription-based, all-in-one sales and marketing SaaS product for small businesses with fewer than 25 employees.

The private company is based in Chandler, Arizona.

What is a Business Associate?

A Business Associate is a person or company that performs certain functions or activities that involve the use or disclosure of protected health information for a Covered Entity.

In a nutshell, the role of a Business Associate is to help Covered Entities comply with the HIPAA Privacy Rule.

In the case of Infusionsoft by Keap, it would certainly qualify as a Business Associate if it provides services to Covered Entities.

Read full article: What does it mean to be a Business Associate?

Business Associate Agreement provisions

If a Business Associate provides services to a Covered Entity, then a Business Associate Agreement must be in place.

A Business Associate Agreement is a written contract between a Covered Entity and a Business Associate and is required by law for HIPAA compliance.

At a minimum, a Business Associate Agreement contains 10 provisions.

Read full article: Business Associate Agreement Provisions

Infusionsoft and the Business Associate Agreement

We checked the Infusionsoft by Keap site for mention of their ability to sign a Business Associate Agreement.

We found the answer we were looking for on a page called Keap HIPAA Compliance.


“Keap is pleased to announce that our flagship CRM and marketing automation platform may now be used by HIPAA covered entities and business associates to lawfully store, transmit, and otherwise process protected health information (also known as “PHI”).

To satisfy our growing community of healthcare users, Keap offers customers the opportunity to execute our standard Business Associate Agreement (or “BAA”) that satisfies the applicable subcontracting requirements under HIPAA and the HITECH Act.”


HIPAA Compliant Email and Infusionsoft by Keap

Covered Entities are required to take reasonable steps to protect PHI sent from email all the way to the recipient’s inbox. As such, HIPAA compliant email must be transmitted in-motion over the internet with encryption.

It should be noted, however, that the scope of the Keap Business Associate Agreement protects and encrypts data only at rest in their platform. In other words, any email sent from their platform is not covered by the Keap BAA.

Read full article: HIPAA Compliant Email

Does Infusionsoft by Keap offer HIPAA Compliant Service?

The Business Associate Agreement (BAA) is a key component to HIPAA compliance between a Covered Entity and a Business Associate.

We were able to learn that a BAA is offered by Keap.

If you are going to send email from their platform that contains PHI however, the Keap BAA does not include coverage for that. You must either find a HIPAA compliant email API provider that integrates with Infusionsoft by Keap or not include PHI in the emails.

Learn more: Sending HIPAA Compliant Email with Infusionsoft

Not sure what to do next? Try Paubox for FREE and make your email HIPAA compliant today.


Source: https://www.paubox.com/blog/infusionsoft-keap-hipaa-compliant-email

HIPAA Breach Report for April 2019

The Paubox Breach Report analyzed HIPAA breach reports submitted to the U.S. Department of Health & Human Services (HHS) in March to determine the types of breaches of unsecured protected health information (PHI) affecting 500 or more people.

HIPAA Breaches Ranked by People Affected

Top Three Breach Types

  • Email breaches ranked in first place with 473,114 people’s PHI affected.
  • Network Server breaches ranked second with PHI of 352,895 people breached.
  • Other breaches came in third with 28,216 people having their PHI breached.

Bottom Three Breach Types

  • Electronic Medical Record ranked as the breach type with the lowest number of people’s PHI breached in March, with 2,200 people affected.
  • Laptop was the second lowest breach type as ranked by people affected, with 2,739.
  • Paper/Films was the third lowest breach type as ranked by people affected, with 5,843.

HIPAA Breaches Ranked by Occurrence

The Most Common

  • Email took the top spot as the most common breach type in March with 12 reported breaches. Email has taken the top spot in this category for 11 of the past 13 months.
  • Network Server came in second with 7 breaches.
  • Other and Paper/Films tied for third with 3 reported breaches each in March.

Takeaways

Email regained the top spot in both categories for this month’s HIPAA Breach report.

Much as it was in 2018, the data clearly shows Email remains the most vulnerable attack vector for HIPAA breaches.

Full Data

Click here to view the raw data (Google Sheets).

About the Paubox HIPAA Breach Report

The Paubox HIPAA Breach Report analyzes breaches that affected 500 or more individuals as reported in the HHS Wall of Shame in March 2019.

Minimize the risk of email getting you on the list with Paubox Encrypted Email.


Source: https://www.paubox.com/blog/hipaa-breach-report-april-2019

Is HubSpot HIPAA Compliant?

A customer recently asked us about whether they were able to use HubSpot in a HIPAA compliant manner.

We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud services in this sector.

Today, we will determine if HubSpot offers HIPAA compliant service or not.

HubSpot

HubSpot is a developer and marketer of software products for inbound marketing and sales. It was founded by Brian Halligan and Dharmesh Shah in 2006.

Its products and services aim to provide tools for social media marketing, content management, web analytics and search engine optimization.

See also: Inbound Marketing (Revised and Updated): Our Takeaways

See also: HubSpot and AWS Meetup: Partnerships, Startups, and HubSpot Ventures

See also: Our Takeaways from The Sales Acceleration Formula

What is a Business Associate?

A Business Associate is a person or company that performs certain functions or activities that involve the use or disclosure of protected health information for a Covered Entity.

In a nutshell, the role of a Business Associate is to help Covered Entities comply with the HIPAA Privacy Rule.

In the case of HubSpot, it would certainly qualify as a Business Associate if it provides services to Covered Entities.

Read full article: What does it mean to be a Business Associate?

Business Associate Agreement provisions

If a Business Associate provides services to a Covered Entity, then a Business Associate Agreement must be in place.

A Business Associate Agreement is a written contract between a Covered Entity and a Business Associate and is required by law for HIPAA compliance.

At a minimum, a Business Associate Agreement contains 10 provisions.

Read full article: Business Associate Agreement Provisions

HubSpot and the Business Associate Agreement

We checked the HubSpot site for mention of their ability to sign a Business Associate Agreement.

We found the answer we were looking for on HubSpot’s Terms of Service page.



The Subscription Service is not designed to comply with industry-specific regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), or the Federal Information Security Management Act (FISMA), so you may not use the Subscription Service where your communications would be subject to such laws.


Does HubSpot offer HIPAA Compliant Service?

The Business Associate Agreement (BAA) is a key component to HIPAA compliance between a Covered Entity and a Business Associate.

Thanks to their Terms of Service page, we clearly see HubSpot is not in the business of providing HIPAA compliant service.

Not sure what to do next? Try Paubox for FREE and make your email HIPAA compliant today.


Source: https://www.paubox.com/blog/hubspot-hipaa-compliant

Can I use Salesforce Marketing Cloud and be HIPAA Compliant?

A customer recently asked us about whether they were able to use Salesforce Marketing Cloud in a HIPAA compliant manner.

We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud services in this sector.

Today, we will determine if Salesforce Marketing Cloud offers HIPAA compliant service or not.

Salesforce Marketing Cloud

Salesforce Marketing Cloud is a provider of digital marketing automation and analytics software. It was founded in 2000 under the name ExactTarget.

The company filed for an IPO in 2007, but withdrew its filing two years later and raised $145 million in funding instead. Before it was acquired by Salesforce in 2013, it acquired CoTweet, Pardot, iGoDigital, and Keymail Marketing.

ExactTarget was renamed to Salesforce Marketing Cloud in 2014 after the acquisition.

What is a Business Associate?

A Business Associate is a person or company that performs certain functions or activities that involve the use or disclosure of protected health information for a Covered Entity.

In a nutshell, the role of a Business Associate is to help Covered Entities comply with the HIPAA Privacy Rule.

In the case of Salesforce Marketing Cloud, it would certainly qualify as a Business Associate if it provides services to Covered Entities.

Read full article: What does it mean to be a Business Associate?

Business Associate Agreement provisions

If a Business Associate provides services to a Covered Entity, then a Business Associate Agreement must be in place.

A Business Associate Agreement is a written contract between a Covered Entity and a Business Associate and is required by law for HIPAA compliance.

At a minimum, a Business Associate Agreement contains 10 provisions.

Read full article: Business Associate Agreement Provisions

Salesforce and the Business Associate Agreement

We checked the Salesforce site for mention of a Business Associate Agreement for their Marketing Cloud solution.

We found the answer we were looking for on the Salesforce HIPAA Compliance page.

We see that Marketing Cloud, along with the following Salesforce solutions, are HIPAA compliant:

HIPAA Compliant Email and Salesforce

Covered Entities are required to take reasonable steps to protect PHI sent from email all the way to the recipient’s inbox. As such, HIPAA compliant email must be transmitted in-motion over the internet with encryption.

It should be noted, however, that the scope of the Salesforce Marketing Cloud Business Associate Agreement protects and encrypts data only at rest. In other words, any email sent from their Marketing Cloud is not covered by the Salesforce BAA.

Read full article: HIPAA Compliant Email

Does Salesforce Marketing Cloud offer HIPAA Compliant Service?

The Business Associate Agreement (BAA) is a key component to HIPAA compliance between a Covered Entity and a Business Associate.

We were able to learn that a BAA is offered by Salesforce for Marketing Cloud.

If you are going to send email via Marketing Cloud that contains PHI however, the Salesforce BAA does not include coverage for that. You must either find a HIPAA compliant email API provider that integrates with Salesforce Marketing Cloud or not include PHI in the emails.

Not sure what to do next? Try Paubox for FREE and make your email HIPAA compliant today.


Source: https://www.paubox.com/blog/salesforce-marketing-cloud-hipaa-compliant

Sending HIPAA Compliant Email with InfusionSoft

Last Friday, we got an email from one of our customers that began with:


Is there a way to use Paubox and email marketing automation?

Hello,

We use Paubox to secure our emails with patients that discuss PHI, and we’re working to automate some of the email communications that we have with patients. We’ve found that solutions like Salesforce and Infusionsoft will sign BAAs and secure PHI that is on the platform, but they have no way of securing the emails that are triggered by the automation campaigns.


Since their office was nearby in San Francisco, I arranged to meet the CEO for coffee later that day.

Email Marketing for Clinical Trials

Here’s what I learned as I got to know the CEO and his startup over coffee:

  • They are focused in the clinical trials space
  • They are looking to do complex email marketing campaigns that contain protected health information
  • Only a few email marketing automation vendors will sign a Business Associate Agreement. InfusionSoft and Salesforce Marketing Cloud are among them.
  • None of the email marketing vendors that will sign a BAA actually include support for sending HIPAA compliant email

Email Marketing Automation

Put simply, Marketing Automation refers to software that automates marketing actions.

When it comes to Email Marketing Automation, it refers to software and tactics that allow organizations to nurture prospects with highly personalized, useful, timely, email content that helps convert them to customers.

Patient Engagement

In a nutshell, patient engagement is any activity or tool a medical professional can use to engage people and get them involved in their own health care.

In the case of U.S. Healthcare, Email Marketing Automation is nearly non-existent.

Here’s why I think this is so:

  • Highly personalized, useful content more than likely means protected health information (PHI) is involved
  • If an email contains PHI, it falls under HIPAA compliance regulations
  • To open and read a HIPAA compliant email, secure email vendors nearly always introduce an incredible amount of friction (e.g., portals, app downloads, plugins, PGP keys, etc)
  • Email Marketing is not designed to allow friction. Even the slightest introduction of it will result in the message not even getting opened, let alone read

HIPAA Compliant Email Marketing Automation

With this context in mind, our customer asked me to see if we could figure out how to integrate Paubox with either InfusionSoft or Salesforce Marketing Cloud.

During our Monday staff meeting this week, I learned we recently helped a new customer, Boost Bariatrics, integrate Paubox Secure Email API with InfusionSoft.

Infusionsoft, now known as Keap, offers a subscription-based, all-in-one sales and marketing SaaS product for small businesses with fewer than 25 employees.

Integrating InfusionSoft with Paubox

Based in Texas, Boost Bariatrics helps grow bariatric programs with marketing automation. The reason Boost Bariatrics chose InfusionSoft was its ability to create powerful automations and campaigns. They were unable, however, to use Infusionsoft to send encrypted, HIPAA compliant emails. Keep in mind, that’s precisely the issue our Clinical Trials customer is facing.

To get Paubox Secure Email API working with InfusionSoft, Boost Bariatrics found an intermediary service called WeDeliver. WeDeliver specializes in allowing InfusionSoft users to send email via third party email services like Paubox.

After signing up for WeDeliver and following their documentation, we worked together with Boost Bariatrics to successfully integrate Paubox SMTP Server API with InfusionSoft, with WeDeliver sitting in the middle of the data exchange.

Try Paubox Secure Email API for FREE and make your transactional email HIPAA compliant today.


Source: https://www.paubox.com/blog/send-hipaa-compliant-email-infusionsoft

What are the 3 categories of Covered Entities?

What are the 3 Categories of Covered Entities? - Cathlynn Nigh, Beyond LLC
What is a Covered Entity?

HIPAA, or the Health Insurance Portability and Accountability Act of 1996, covers both individuals and organizations. Those who must comply with HIPAA are referred to as Covered Entities.

The 3 categories of HIPAA Covered Entities are:

  • Health Plans: Health Insurance companies; HMOs (Health Maintenance Organizations); Employer-sponsored health plans; and Government programs that pay for healthcare (Medicare, Medicaid, and military and veterans’ health programs)
  • Healthcare Clearinghouses: Organizations that process nonstandard health information to conform to standards for data content or format, or vice versa, on behalf of other organizations.
  • Certain Healthcare Providers: Providers who submit HIPAA transactions, like electronic claims. Common examples are Doctors, Clinics, Psychologists, Dentists, Chiropractors, Nursing homes, and Pharmacies

As you can see from the above, Covered Entities can be institutions, organizations, or persons.

Learn more: Covered Entities [HHS]

Who must comply with HIPAA privacy standards?

By law, the HIPAA Privacy Rule applies only to Covered Entities.

Most Covered Entities, however, do not carry out all of their health care activities and functions by themselves. Instead, they often use the services of a variety of other organizations.

If these services involve the use of protected health information, it means that organization is a Business Associate.

In summary, HIPAA compliance regulations apply to both Covered Entities and the Business Associates that serve them.

What is a Business Associate?

A Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information for a Covered Entity.

In a nutshell, the role of a Business Associate is to help Covered Entities comply with the HIPAA Privacy Rule.

Read full article: What does it mean to be a Business Associate?

What is a Business Associate Agreement?

A Business Associate Agreement is a written contract between a Covered Entity and a Business Associate. It is required for HIPAA compliance. At a minimum, there are 10 provisions that must be covered by a Business Associate Agreement (BAA).

If you are a covered entity entrusting protected health information to a third party, then a Business Associate Agreement is required by law.

Read full article: Business Associate Agreement Provisions

Is an Employer a Covered Entity under HIPAA?

If an employer provides any of the following to their employees, they are considered a Covered Entity:

  • Self-funded or self-administered health insurance benefits to their employees
  • Certain wellness programs
  • Employee assistance programs
  • Medical reimbursement accounts
  • On-site clinics (if operated by the employer)

Here’s another important distinction: If an employer receives protected health information while performing services for a Covered Entity or Business Associate, the employer is then itself considered a Business Associate.

Is a Pharmacy a Covered Entity?

Yes, pharmacies are classified as Healthcare providers under HIPAA.

Healthcare providers are one of the three categories of Covered Entities.

Is a TPA a Covered Entity?

A TPA, or Third Party Administrator, is typically a company that processes insurance claims and employee benefit plans for a separate entity.

According to HHS, the answer is no: TPAs are not considered Covered Entities. A TPA may, however, be classified as a Business Associate instead.

As a caveat, if a TPA also provides other services like group health insurance, it then meets the definition of a Covered Entity.

Are Health Insurance companies Covered Entities?

Yes, Health Insurance companies are classified as Health Plans under HIPAA.

Health Plans are one of the three categories of Covered Entities.

Are you a Covered Entity?

Not sure if you’re a Covered Entity? The Center for Medicare and Medicaid Services (CMS) put out a useful PDF flowchart called the Covered Entity Guidance tool.

To determine if a person, business, or government agency is a Covered Entity, answer the questions in the guidance tool. If you are uncertain about which set of questions applies, answer all of them.


Source: https://www.paubox.com/blog/3-categories-covered-entities-hipaa

How to Ensure Your Employees Aren’t a Threat to HIPAA Compliance


Written by Adnan Raja, Vice President of Marketing for Atlantic.Net

HIPAA compliance entered the public eye in 1996 when the Health Insurance Portability and Accountability Act was passed. For organizations dealing with any facet of healthcare, it revolves around the protection of patients’ private information. Any health information stored, accessed, or transmitted electronically falls under this protection. Penalties for violating HIPAA compliance come in many shapes. Monetary fines start as low as $100 for each violation and reach as high as $1.5 million.

The punishment does not stop at a company’s pocketbook, however. More severe violations can result in jail time up to five years. Since HIPAA violations are made public record, failing to comply will cost your organization dearly in brand trust and the ability to land future clients as well as quality employees.

When HIPAA non-compliance occurs, it is often because of mistakes or a lack of knowledge of company employees and is done accidentally, without malice. Regardless of how it occurs, organizations must install the proper protocol to get violations down to a rate of zero. The best way to do this is to combine best practices with recurring training to ensure employees not only understand what needs to happen to ensure HIPAA compliance but also grasp the importance of it, to the organization and most importantly the patients.

Getting employees to value these higher concepts takes leadership, time, and training. A combination of educational guidance and technological mandates is the key to keeping your employees on the right side of the HIPAA compliance line.

Educating Employees on HIPAA

Every employee at every company has gone through some sort of education course prior to beginning work. But HIPAA compliance goes far beyond a one-time onboarding training package. It’s not something you pick up in a three-hour module spread out over the course of your first week on the job.

Experts will tell you that the real flaw in HIPAA training is a lack of passion from the course instructors. If the leaders of an organization, or a third party they hire to train staff in HIPAA compliance, cannot connect with employees and get them fundamentally connected to the task at hand, retention rates are bound to suffer.

A key is to make training sessions more interactive and present employees with real-life scenarios rather than written quizzes. While people learn in different ways, having employees engage in role play guarantees a level of interaction that can be more specifically remembered than words on a screen.

Of equal importance is the timing of the HIPAA compliance training. Once a year is not nearly frequent enough to meet the challenges of keeping compliance rules fresh in one’s mind. Training needs to happen at least once per quarter or when new rules and regulations come online, whichever happens in a shorter time period.

Ultimately, HIPAA compliance education is a true test of an organization’s leadership. Great leadership does not eliminate the possibility of non-compliance, but poor leadership will invariably lead to it at some point down the line.

HIPAA Technology Concerns

The exponential growth of technology is both a blessing and a curse to those working in the medical industry. New innovations are connecting doctors and research like never before, and breakthroughs are happening in real-time. But the advance of technology also exposes more gaps for patient information to be mishandled, exposed or stolen. Constant vigilance and adherence to set policies are imperative to maintain HIPAA compliance in the digital era. There are five basic tenets of this stance that require guiding policies and procedures to ensure they do not become leaks in an organization’s HIPAA security system.

  1. Author and maintain a strict policy on work-issued mobile devices. The convenience of laptops, tablets, and smartphones is tempered by them being a bit too convenient in instances when they are lost or not shut down properly. Leadership must establish precise boundaries for where the devices can be taken, who can use them, what the procedure is when leaving them unattended, and more.
  2. Enforce company policy about social media. The average employee seldom has restrictions on posting information or photos from their office. The opposite must be enforced for businesses practicing HIPAA compliance. No information should ever be posted to social media or blogs, and photos are risky because most can be enlarged to show background elements such as files, paper, or screens.
  3. Never use personal email or IM accounts to transmit information that is work-related. All transmissions of protected documents should be through wire-to-wire encryption. Imagine your doctor telling you that he tried to send your test results through or SnapChat. Impress on employees how important the right channels are. Anything that’s not 100% approved should be treated as a major violation.
  4. No sharing of credentials for access-controlled systems including cloud-based work environments. As prior attacks have shown us, the cloud is not always as safe as its proponents would have you believe. Every individual must have his or her own entry point into the system to ensure they are using the system precisely as they are intended to. Independent audits are a great way to ensure everything is proceeding as it should.
  5. Beware of using screens to highlight patient information as they can be viewed by other patients, non-authorized staff, etc. The devil is in the details sometimes. Big display monitors might make your doctors and nurses’ jobs a lot easier, but if they’re making patient data visible to untrained staff members and other patients, you’re going to fall out of compliance. Patient privacy must supersede everything.

Conclusion

Technology has had a transcendent effect on healthcare in recent years but has also increased the number of ways that HIPAA compliance can be threatened. Healthcare industry leaders must be cognizant at all times of how technology is being used by their employees to ensure no violations are taking place. HIPAA compliance education is also vital to keep organizations from being cited for violations. Planned, passionate training sessions should be considered best practices.


Source: https://www.paubox.com/blog/how-to-ensure-your-employees-arent-a-threat-to-hipaa-compliance

What does it mean to be a Business Associate?

What is a Business Associate?

Simply put, a Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information for a Covered Entity.

By law, the HIPAA Privacy Rule applies only to Covered Entities. Covered Entities are typically health plans, health care clearinghouses, and certain health care providers.

Most Covered Entities, however, do not carry out all of their health care activities and functions by themselves. Instead, they often use the services of a variety of other organizations.

If these services involve the use of protected health information, that means that organization is a Business Associate.

Learn more: Business Associates [HHS]

What is the Role of a Business Associate?

In a nutshell, the role of a Business Associate is to help Covered Entities comply with the HIPAA Privacy Rule.

Here are some examples of services provided by Business Associates:

  • Claims processing or administration
  • Data analysis, processing or administration
  • Utilization review
  • Quality assurance
  • Billing
  • Email security
  • Benefit management
  • Practice management
  • Repricing

Are employees of a Covered Entity considered Business Associates?

No. Employees of a Covered Entity are not considered Business Associates.

Is it possible to be both a Covered Entity and a Business Associate?

Yes, it is possible to be classified as both a Covered Entity and a Business Associate.

For example, a covered entity such as a health care provider, health plan, or health care clearinghouse can also be a business associate of another covered entity.

What is the purpose of a Business Associate Agreement?

A Business Associate Agreement is a written contract between a covered entity and a Business Associate. It is required for HIPAA compliance. At a minimum, there are 10 provisions that must be covered by a Business Associate Agreement (BAA).

Read full article: Business Associate Agreement Provisions

If you are a covered entity entrusting protected health information to a third party, then a Business Associate Agreement is required by law.

Do Business Associate Agreements expire?

A Business Associate Agreement (BAA) is required to be in place for the entire duration of services provided by a Business Associate to a Covered Entity.

If a BAA has an expiration date in it, that’s a red flag and is the same as not having one at all.

The post What does it mean to be a Business Associate? appeared first on Paubox.

Source: https://www.paubox.com/blog/what-does-business-associate-mean

Integrating Secure Email with Adobe Experience Manager (AEM) Forms

A prospect reached out to us this week regarding the possibility of integrating our Secure Email API with Adobe Experience Manager (AEM) Forms.

This post is about how to integrate Paubox Secure Email API with AEM Forms.

SEE ALSO: Integrating Adobe Campaign Classic with Paubox Email API

Adobe Experience Cloud (AEC)

The Adobe Experience Cloud (AEC) is a collection of integrated online marketing and web analytics products. Adobe’s aim is to create a single integrated solution for Customer Experience Management (CXM).

AEC was previously known as the Adobe Marketing Cloud (AMC).

Adobe Experience Cloud includes the following eight solutions:

Adobe Experience Manager (AEM) Forms

Adobe Experience Manager Forms, or AEM Forms, is itself a component of Adobe Experience Manager.

AEM Forms is marketed as an easy-to-use solution to create, manage, publish, and update complex digital forms while integrating with back-end processes, business rules, and data.

Integrating Secure Email with AEM Forms

In the case of the prospect we spoke to, they had a special business requirement for AEM Forms: they needed the form data sent via secure email.

Because they work in the healthcare industry, the form data will contain protected health information (PHI). As we’ve discussed at length, the presence of PHI in an email means that message must be HIPAA compliant.

After some research, we found a way to integrate Paubox Secure Email API with Adobe Experience Manager 6.4 Forms, which appears to be an on-premise product.

As of this writing, we assume the same configuration options are available in the cloud-based AEM Forms service. We were not able to access a demo instance of AEM Forms, nor were we able to find its configuration options documented.

Here’s how to do it:

Part I: Sign up for Paubox Email API

The recommended solution for configuring AEM Forms with the Paubox Secure Email API is to use the SMTP Server option.

Part II: Configure Adobe Experience Manager Forms

Once you have your Paubox Secure Email API credentials in place, you will next configure AEM Forms to send secure email via Paubox.

This is accomplished by configuring the Day CQ Mail Service, which you reach through the Apache Felix Web Console’s Configuration Manager (the original post links to a localhost instance of the console).

[Screenshot in the original post: the Day CQ Mail Service configuration dialog in the Felix Configuration Manager]

Using the above screenshot as guidance, adjust the following settings:

  • SMTP server host name: api.paubox.com
  • SMTP server port: 25
  • SMTP user: [yourusername]@api.paubox.com
  • SMTP password: [assigned to you upon signing up for Paubox]
  • SMTP use SSL: [this box must be checked]

To complete the configuration, click Save.
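The settings above are easy to get subtly wrong, and the ones that matter for PHI are the relay host, the transport-encryption checkbox and where the credential ends up. As an added example (my own, not code from this post, from Paubox or from Adobe), here is a small lint that reads the Day CQ Mail Service configuration as an OSGi JSON export or a committed .cfg.json and flags those points. The property names (smtp.host, smtp.port, smtp.user, smtp.password, smtp.ssl, smtp.starttls, from.address) and the $[secret:NAME] placeholder syntax are assumed from AEM’s OSGi configuration conventions and should be verified against your AEM version; both sample configurations are constructed.

```python
"""Lint a Day CQ Mail Service configuration before it goes live.

Added example, not code from the Paubox post or from Adobe. Property names
(smtp.host, smtp.port, smtp.user, smtp.password, smtp.ssl, smtp.starttls,
from.address) and the $[secret:NAME] placeholder syntax are assumed from AEM's
OSGi configuration conventions; verify them against your AEM version.
"""
import json

# Relay host and user-name domain from the post's settings list.
EXPECTED_HOST = "api.paubox.com"

# Constructed sample: the "SMTP use SSL" box left unchecked and the
# password pasted in as a literal.
WEAK_CONFIG_JSON = json.dumps({
    "smtp.host": "api.paubox.com",
    "smtp.port": 25,
    "smtp.user": "clinic@api.paubox.com",
    "smtp.password": "hunter2",
    "smtp.ssl": False,
    "from.address": "noreply@clinic.example",
})

# Constructed sample: configured as the post describes, with the secret
# supplied from the environment instead of being stored in the config.
GOOD_CONFIG_JSON = json.dumps({
    "smtp.host": "api.paubox.com",
    "smtp.port": 25,
    "smtp.user": "clinic@api.paubox.com",
    "smtp.password": "$[secret:PAUBOX_SMTP_PASSWORD]",
    "smtp.ssl": True,
    "from.address": "noreply@clinic.example",
})


def _truthy(value):
    """OSGi exports may carry booleans as real booleans or as strings."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("true", "1", "yes", "on")


def lint_mail_config(config_json, expected_host=EXPECTED_HOST):
    """Return a list of (code, message) findings; an empty list means the
    configuration matches what the post requires for PHI-bearing mail."""
    cfg = json.loads(config_json)
    findings = []

    host = cfg.get("smtp.host", "")
    if host != expected_host:
        findings.append(("wrong-host",
            f"smtp.host is {host!r}; mail would leave through {host or 'no relay'} "
            f"instead of {expected_host}, outside the BAA-covered path"))

    # Either implicit SSL or STARTTLS must be on, otherwise credentials and
    # PHI cross the network in cleartext.
    if not (_truthy(cfg.get("smtp.ssl")) or _truthy(cfg.get("smtp.starttls"))):
        findings.append(("no-tls",
            "neither smtp.ssl nor smtp.starttls is enabled; the post requires "
            "the 'SMTP use SSL' box to be checked"))

    user = cfg.get("smtp.user", "")
    if not user.endswith("@" + expected_host):
        findings.append(("user-domain",
            f"smtp.user {user!r} is not of the form [yourusername]@{expected_host}"))

    password = cfg.get("smtp.password", "")
    if not password:
        findings.append(("no-password",
            "smtp.password is empty; the relay will refuse to authenticate"))
    elif not password.startswith("$["):
        findings.append(("literal-password",
            "smtp.password is stored as a literal; a config that is exported or "
            "committed to version control then carries the relay credential"))

    if not cfg.get("from.address"):
        findings.append(("no-from",
            "from.address is unset; alerts would go out with no stable sender"))

    return findings


def finding_codes(config_json):
    """Convenience for callers that only need the set of finding codes."""
    return {code for code, _ in lint_mail_config(config_json)}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG_JSON), ("good", GOOD_CONFIG_JSON)):
        print(label, lint_mail_config(cfg) or "OK")
```

The literal-password check is aimed at configurations kept in a code base or exported from the console; on an on-premise 6.4 instance where the password is typed into the dialog and held by AEM itself, treat that finding as a prompt to confirm who can read the console, not as a defect. The "no-tls" finding is the one to treat as blocking: with that box unchecked, the relay credential and the form data it protects both travel in cleartext.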

Congratulations! You are now ready to send secure email from Adobe Experience Manager Forms via the Paubox Secure Email API.

Try Paubox Secure Email API for FREE and make your transactional email HIPAA compliant today.

The post Integrating Secure Email with Adobe Experience Manager (AEM) Forms appeared first on Paubox.

Source: https://www.paubox.com/blog/secure-email-adobe-experience-manager-forms