HIPAA Compliant Email Services

Discussion in 'Email Discussions' started by popowich, Jun 12, 2015.

  1. popowich

    popowich EQ Forum Admin Staff Member

    Joined:
    Aug 12, 2008
    Messages:
    8,986
    Likes Received:
    120
    The new comparison page for HIPAA Compliant Email Services is ready.

    I started with listings for Email Pros, Google Apps, LuxSci, and Office 365 (HIPAA Edition)

    Please reply to this discussion if you have a service that you would like added, or any updates & corrections to the existing list of features.
     


  2. kangas

    kangas President at LuxSci.com

    Joined:
    May 14, 2013
    Messages:
    6
    Likes Received:
    6
    I think some things such as:

    1. Email archival
    2. TLS delivery support (forced TLS); and opportunistic TLS if other encryption methods are used
    3. S/MIME support
    4. PGP support
    5. Web-based secure email pickup support
    6. Minimum price which includes email encryption
    7. If they sign a Business Associate Agreement
    8. Secure email sending and receipt on mobile devices
    9. Ability to send a secure email to anyone (e.g. including people outside "the system")
    10. Ability to receive a secure email from anyone (e.g. a facility to enable anyone to send you a secure email for free if they have no secure email themselves)
    11. IMAP access to email
    12. ActiveSync access to email (calendars, contacts, etc.)
    13. Support for bulk or mass transactional compliant email messages
    14. Retracting of messages sent
    15. Read receipts (100% reliable) of messages sent
    16. White labeling of the secure email system
    17. Ability to "opt out" of security and send (non-PHI) messages without special encryption
    18. If encryption is "opt in" and reliant on the sender to tag it for encryption (not as good as opt out due to the potential for mistakes)
    19. SSL WebMail access to email
    20. TLS/SSL support is TLS v1.0+ only and only using FIPS recommended ciphers (not weak ones) needed for HIPAA compliance
    What Level of SSL or TLS is Required by HIPAA? - LuxSci FYI
    21. Option for email on a dedicated server for added security and privacy
    22. Email Marketing with a constant-contact like web-based mailing program for messages that may contain PHI.
    23. Level of support
    24. Two-factor auth for web logins
    25. password expiration, reuse, and strength options
    26. Support for DKIM and SPF
    27. No need for custom applications or software (e.g. you can just use your browser or something like thunderbird)
     

    Last edited by a moderator: Jun 12, 2015
  3. popowich

    popowich EQ Forum Admin Staff Member

    Joined:
    Aug 12, 2008
    Messages:
    8,986
    Likes Received:
    120
    The above was mentioned to me as part of the HIPAA compliance features list, but to me some of this is encrypting "over the wire" but doesn't help much if the recipient has, for example, a Yahoo account.
     
  4. popowich

    popowich EQ Forum Admin Staff Member

    Joined:
    Aug 12, 2008
    Messages:
    8,986
    Likes Received:
    120
    Excellent, thanks for the post! Give me a few minutes to get the next update saved. :)
     
  5. popowich

    popowich EQ Forum Admin Staff Member

    Joined:
    Aug 12, 2008
    Messages:
    8,986
    Likes Received:
    120
    Another batch of updates saved. I'd like to push the most important features to the top.

    I'm curious about Secure Contacts vs. ActiveSync Contacts. Are these really the same thing?

    Secure email pickup = sender gets a link to go view an "email" on the web?

    LuxSci specific question. If a recipient doesn't have a mail server that supports TLS, do you refuse to relay the email? It appears there is an option to only send if TLS detected.
     
    Last edited: Jun 12, 2015
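    The relay question above (and items 2 and 20 in the feature list) comes down to a policy decision the sending server makes after STARTTLS; this added example, which is not the forum's or any vendor's code, models that decision with constructed peer capabilities and a constructed accepted-protocol/weak-cipher policy.

```python
"""Constructed example: forced vs opportunistic TLS delivery decision.
Not LuxSci's or any other provider's code; peer values are made up."""
from dataclasses import dataclass
from typing import Optional

# Policy assumed here: TLS 1.0+ only and no weak ciphers (item 20 above).
ACCEPTED_PROTOCOLS = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ANON")


@dataclass
class PeerTLS:
    """What the recipient's mail server offered/negotiated (constructed)."""
    starttls_offered: bool
    protocol: Optional[str] = None   # e.g. "TLSv1.2"
    cipher: Optional[str] = None     # e.g. "ECDHE-RSA-AES256-GCM-SHA384"


def tls_acceptable(peer: PeerTLS) -> bool:
    """True only if STARTTLS was negotiated with an accepted protocol
    and a cipher that carries none of the weak-cipher markers."""
    if not peer.starttls_offered or not peer.protocol or not peer.cipher:
        return False
    if peer.protocol not in ACCEPTED_PROTOCOLS:
        return False
    upper = peer.cipher.upper()
    return not any(marker in upper for marker in WEAK_CIPHER_MARKERS)


def delivery_decision(peer: PeerTLS, body_encrypted: bool) -> str:
    """Decide how to relay one message.

    body_encrypted: the content is already protected end to end (S/MIME
    or PGP), so the transport hop does not have to carry the protection.
    Returns:
      'send-tls'   acceptable TLS negotiated; deliver over it
      'send-plain' opportunistic mode is safe because the body is encrypted
      'defer'      forced TLS: PHI would travel unprotected, so do not relay
    """
    if tls_acceptable(peer):
        return "send-tls"
    # Only an already-encrypted body may fall back to an unprotected hop.
    return "send-plain" if body_encrypted else "defer"
```

Deferring (rather than bouncing) lets the sender retry or fall back to web-based secure pickup for that recipient.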
  6. popowich

    popowich EQ Forum Admin Staff Member

    Joined:
    Aug 12, 2008
    Messages:
    8,986
    Likes Received:
    120
    100% reliable read receipts caught my attention too. Does that mean "within the system" and not related to 3rd party email service?
     
  7. popowich

    popowich EQ Forum Admin Staff Member

    Joined:
    Aug 12, 2008
    Messages:
    8,986
    Likes Received:
    120
    ePHI Safeguards are defined as:
    • Physical safeguards and data access control
    • Staff training and administrative policies
    • Facility access control and security
    • Contingency plans, backup plans, and disaster recovery
    • Workstation security and usage lockdown
     
  8. popowich

    popowich EQ Forum Admin Staff Member

    Joined:
    Aug 12, 2008
    Messages:
    8,986
    Likes Received:
    120
    Interesting note, at least to me.

    Microsoft sales understands that Azure Rights Management is needed to make an Office 365 business plan HIPAA compliant, but there is no information about features, at least not the same way I'm trying to present it.

    If anyone with the HIPAA plan can help figure out the features I'll be happy to list their service.

    The following information lists HIPAA requirements followed by text explaining Microsoft's implementation.

    HIPAA / HITECH Requirements - Microsoft’s QualysGuard Implementation


    Security Management Process.

    a. 164.308(a)(1)
    b. 164.308(a)(1)(ii)
    c. 164.308(a)(1)(ii)(A)
    d. 164.308(a)(1)(ii)(D)

    QualysGuard's Vulnerability Management and Policy Compliance solutions underpin security management with a complete, automated system for security audits and IT compliance management.

    Information Access Management.

    a. 164.308(a)(4)
    b. 164.308(a)(4)(ii)(A)
    c. 164.308(a)(4)(ii)(B)

    Audits user access to systems and databases containing PHI.

    Security Awareness and Training.

    a. 164.308(a)(5)
    b. 164.308(a)(5)(ii)(B)
    c. 164.308(a)(5)(ii)(C)
    d. 164.308(a)(5)(ii)(D)

    Security and configuration data revealed by QualysGuard reporting capabilities help staff and management with their network security posture and how to further protect it against emerging threats.

    Security Incident Procedures.

    a. 164.308(a)(6)

    Security and configuration audit assessments provide hard data for conceiving, implementing, and managing security policies.

    Evaluation.

    a. 164.308(a)(6)

    Automatically and regularly tests and documents security capabilities and configuration settings before and after installation and maintenance of networks, systems, or applications.

    Workstation Security.

    a. 164.310(c)

    QualysGuard automatically and regularly tests and documents security capabilities and configuration settings before and after installation and maintenance of networks, systems, or applications.

    Device and Media Controls.

    a. 164.310(d)(2)(i)
    b. 164.310(d)(2)(iv)

    Tests and documents configuration settings automatically before and after installation and maintenance of networks, systems, or applications.

    Access Control.

    a. 164.312(a)(1)

    Audits user access to systems and databases containing PHI.

    Audit Control.

    a. 164.312(b)

    Automatically and regularly tests and documents configuration settings before and after installation and maintenance of networks, systems, or applications.

    Integrity.

    a. 164.312(c)(1)
    b. 164.312(c)(2)

    Audits user access to systems and databases containing PHI.

    Transmission Security.

    a. 164.312(e)
    b. 164.312(e)(1)
     
