HIPAA Compliance

We don’t believe in making you choose between options in order to achieve HIPAA Compliant security and technology, which is why we’ve worked closely with our technology partners to develop service offerings that are 100% HIPAA Compliant.

Signed HIPAA Business Associate Agreement

BxB Secure provides a Business Associate Agreement compatible with the HITECH amendments to HIPAA. It defines BxB Secure’s role in maintaining the privacy and security of Protected Health Information (PHI). A BAA is required between every covered entity and each of its business associates.

HIPAA Compliance Seal

Once BxB Secure has designated your account as HIPAA compliant, subscribers may use the BxB Secure HIPAA Compliant Seal on their website or in HTML email signatures, taglines, or disclaimers.


Example HIPAA Seal

ePHI Safeguards

As required by the HITECH amendment to HIPAA, BxB Secure follows all HIPAA Security and Privacy Rule requirements with respect to all ePHI in your HIPAA-enabled accounts. BxB Secure and our partner companies ensure that the privacy of all electronic health information is safeguarded while it is stored on servers, in transit between servers, or held on backup servers. This also means that BxB Secure and our partner companies follow all of the Security Rule requirements, including:

  • Physical safeguards and data access control
  • Staff training and administrative policies
  • Facility access control and security
  • Contingency plans, backup plans, and disaster recovery
  • Workstation security and usage lockdown

Safeguards are in place to prevent BxB Secure staff from accessing ePHI in your account. If, despite those safeguards, a member of BxB Secure’s staff is exposed to ePHI through a protocol breach or safeguard failure, they are bound by the same HIPAA Security and Privacy Rule obligations that apply to our customers when handling ePHI.

Email, Calendar, Contact and Task Mobile Sync

This is the only optional add-on for BxB Secure HIPAA email: because not every mailbox will be used on a mobile device, Mobile Sync is offered as an option. Clients with this feature can synchronize email, calendars, contacts, and tasks automatically, in real time and in a HIPAA-compliant fashion. Mobile Sync also provides “Remote Wipe”, so you can erase ePHI from a mobile device should it be lost or stolen, reducing the risk of a reportable HIPAA breach. Note that a remote wipe only takes effect once the device next connects to the service, so it complements, rather than replaces, a device passcode and full-device encryption.

Even without Mobile Sync, BxB Secure’s IMAP, POP, and SMTP services (over TLS) can be used to securely send and receive email on most mobile devices.

10-Year Email Archive

All of our email packages include a simple archival solution that is comprehensive, cost-effective, and meets or exceeds the most current compliance requirements:

  • Permanent single-instance storage on Write-Once Read-Many (WORM) media
  • Redundant storage in 2 different locations
  • Powerful full-content search with immediate results
  • Message export and import
  • Unlimited storage capacity included
  • Retention of email for 10 years

Data Transmission Security & Encryption

In addition to enforced SSL/TLS on all connections to our servers, users must send and receive email through our Secure Line Message Center, which encrypts the message content itself rather than only the connection. All outbound messages sent via SMTP, WebMail, or Premium Mobile Sync are encrypted automatically. The Secure Line Message Center can also deliver secured messages to anyone with a valid email address, even recipients with no TLS, S/MIME, or PGP support; those recipients can reply securely using Secure Send in the Message Center.

Message Integrity Controls

Enforced connection encryption (SSL/TLS) protects a message against modification on each connection it crosses, and the Secure Line Message Center protects the encrypted content itself. Note that TLS is negotiated hop by hop, so on its own it cannot prove to the recipient that nothing changed while a message sat on an intermediate server. For that reason the Secure Line Message Center also permits digitally signing encrypted messages: the signature lets the recipient verify both that the message is unmodified since it was signed and that it came from the stated sender.
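As an added illustration of the point above (this is example code, not BxB Secure’s tooling or the Secure Line Message Center), the following shell script uses the openssl command line to show why a digital signature, and not transport encryption alone, proves message integrity end to end. It creates a throwaway self-signed S/MIME signing certificate for a hypothetical sender (alice@example.test), signs a constructed sample message, verifies it, then changes one word of the signed body, as a relay sitting between two TLS-protected hops could, and shows that verification now fails. The sender and recipient addresses, file names and message text are assumptions made for the example; it assumes only that the openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not part of the BxB Secure service: S/MIME signing proves
# end-to-end message integrity where per-hop TLS cannot.
# Assumes the openssl CLI is on PATH. Certificate, key, addresses and
# message text are throwaway values constructed for this demonstration.
set -u

WORK="$(mktemp -d)"

# Throwaway self-signed certificate for the hypothetical sender; keyUsage and
# extendedKeyUsage mark it as an S/MIME signing certificate.
make_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=alice@example.test" \
        -addext "subjectAltName=email:alice@example.test" \
        -addext "keyUsage=digitalSignature" \
        -addext "extendedKeyUsage=emailProtection" \
        -keyout "$WORK/alice.key" -out "$WORK/alice.crt" >/dev/null 2>&1
}

# Constructed sample body; the content is invented, not real PHI.
write_message() {
    printf 'Patient 4711: follow-up visit moved to Tuesday.\n' > "$WORK/body.txt"
}

# Produce a multipart/signed message (cleartext body plus detached signature),
# the form ordinary mail clients can still display without S/MIME support.
sign_message() {
    openssl smime -sign -text -in "$WORK/body.txt" -out "$WORK/msg.signed" \
        -signer "$WORK/alice.crt" -inkey "$WORK/alice.key" \
        -from alice@example.test -to bob@example.test -subject "Appointment"
}

# Exit status 0 only if the signature matches the body and the signer chains
# to a trusted certificate (here the sender's own self-signed certificate).
verify_message() {
    openssl smime -verify -in "$1" -CAfile "$WORK/alice.crt" \
        -out "$WORK/verified.txt" >/dev/null 2>&1
}

# Simulate an intermediary changing the body between two TLS-protected hops.
# TLS on each hop cannot detect this; the signature does.
tamper_message() {
    sed 's/Tuesday/Thursday/' "$WORK/msg.signed" > "$WORK/msg.tampered"
}

demo() {
    make_signer
    write_message
    sign_message
    if verify_message "$WORK/msg.signed"; then
        echo "original message: signature valid"
    else
        echo "original message: signature INVALID (unexpected)"
    fi
    tamper_message
    if verify_message "$WORK/msg.tampered"; then
        echo "tampered message: signature valid (must not happen)"
    else
        echo "tampered message: signature rejected, modification detected"
    fi
}

demo
```

Run it as-is; it prints one line for the untouched message and one for the altered copy. The same check is what a receiving mail client performs on an S/MIME signed message, which is why the page’s signing option, unlike TLS alone, gives the recipient evidence of integrity and sender identity that survives every relay on the path.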

Unique User Identification & Authentication

BxB Secure and our partner companies require login credentials for access to all services, so the system can identify every user accessing it and control access based on that identity. HIPAA compliant accounts must use the maximum password complexity level: at least 8 characters including both letters and numbers, and the password must not be found by a standard “crack”-style dictionary check. Treat 8 characters as a floor; a longer passphrase costs the user little and resists offline guessing far better. Password changes and password resets are automatically audited, and this auditing is mandatory for HIPAA accounts.

Emergency Access to Email

All inbound and outbound messages are securely archived for backup and auditing purposes. This gives administrators secure access to copies of all messages for emergency, auditing, or other reasons.

Automatic System Logoff

HIPAA compliant accounts have a 20-minute maximum idle period for web-based interfaces such as WebMail: the system automatically logs users off after 20 minutes of inactivity. Other services such as POP, IMAP, SMTP, Mobile Sync, and Secure FTP also have automatic idle timeouts.

Access Audit Controls

BxB Secure and our partners provide comprehensive security auditing for all accounts. Included in the security audits are password changes, resets, and lookups by us or our partner company’s staff; user access to services such as WebMail, Email Sending (SMTP), POP, IMAP, Mobile Sync, and more; changes to any of the specific “Maximal Security” settings, as well as changes to the “Maximal Security” lockdown status. These reports enable verification of user, administrator, and support staff activity on access and security specific changes to the account.

Data Backups & Data Disposal

BxB Secure’s Premium Email Archive provides permanent, immutable email storage on servers in multiple geographic locations, updated in real-time, with weekly backups made to optical media. See our complete backup and restore statement.

Maximal Security Enforcement

BxB Secure and our partners provide Maximal Security settings covering individual account settings, including the 20-minute WebMail timeout maximum, forcing appropriate outbound encryption, setting password strength requirements, and forcing secure logins. Our support team manually reviews any account designated as HIPAA compliant, ensuring that the Maximal Security setting is locked down so that security settings cannot be altered.

Here are some of the most common questions asked about our email service.


Q. Can I setup my website so visitors can send messages to me securely and be HIPAA compliant?

A. This is an area many medical practices overlook: a standard web form built by a web developer, which simply emails its contents to you, is not HIPAA compliant because that email is sent unencrypted. If you want visitors to your website to be able to send you messages securely and in a HIPAA compliant way, you need to use the HIPAA email service combined with the HIPAA Forms solution; otherwise any message sent to you from your website will be neither encrypted nor HIPAA compliant.

Q. Where can I find the exact federal HIPAA HITECH legislation?

A. The HITECH legislation is Title XIII of the 2009 American Recovery and Reinvestment Act, and can be found beginning on page 112 of the official document at: http://www.gpo.gov/fdsys/pkg/BILLS-111hr1enr/pdf/BILLS-111hr1enr.pdf

Q. Where is it officially stated that I must use encryption for my emails to be HIPAA compliant?

A. The HIPAA Security Rule (45 CFR Part 164, Subpart C) permits covered entities to transmit protected health information (PHI) electronically, including by email, and requires that those transmissions be protected. The requirements are detailed in the Technical Safeguards, 45 CFR 164.312, available as plain text (http://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/xml/CFR-2007-title45-vol1-sec164-312.xml) or as a PDF (http://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-sec164-312.pdf). Note that the rule does not literally say “you must encrypt”: encryption of ePHI at rest and in transit is an “addressable” implementation specification (164.312(a)(2)(iv) and 164.312(e)(2)(ii)), meaning a covered entity must either implement it or document why it is not reasonable and appropriate and what equivalent measure is used instead. HHS breach notification guidance also treats ePHI that is encrypted to its standards as “secured”, which is a further practical reason to encrypt email carrying ePHI.

Q. Who or what agency certifies that BxB Secure’s HIPAA compliant solutions truly meet HIPAA compliance standards?

A. No government agency or standards body currently certifies an organization as HIPAA compliant. Covered entities can be audited by the Department of Health and Human Services (through its Office for Civil Rights) at any time and face steep fines and/or other consequences for data breaches or other HIPAA violations. BxB Secure designates your account as HIPAA compliant in that we consider ourselves a Business Associate of your organization and we have configured and locked down your organization’s use of our services to comply with our HIPAA Security Restrictions, all of which meet or exceed the Technical Safeguards of the HIPAA Security Rule. BxB Secure does not certify HIPAA compliance of services whose usage is largely in the organization’s purview, such as web hosting; however, we provide strong recommendations and an infrastructure that allows your organization to use these services in a HIPAA compliant manner.

Q. What is the definition of ePHI (electronic protected health information)?

A. The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).”

“Individually identifiable health information” is information, including demographic data, that relates to:

- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.

[source: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html]

Q. Does HIPAA require that I have a dedicated server?

A. No, there is no explicit requirement. In fact, the HIPAA law is ‘technology neutral’: it makes no specific requirements for the implementation of technical security, e.g. the key length (128 or 256 bits), the algorithm (RSA, AES, etc.), or the level of auditing. The security restrictions we enforce ensure that your shared hosting account meets the Technical Safeguards of the HIPAA Security Rule. Our partners’ Premium Dedicated Servers offer a solution for clients who want a dedicated hosting environment for their HIPAA compliant requirements.

Q. Are BxB Secure’s HIPAA Compliant services NHIN (Nationwide Health Information Network) Direct Project compliant?

A. Our current HIPAA compliant accounts offer many of the security items described as requirements for Health Information Service Providers (HISPs) in the Direct Project’s ‘Consensus Proposal’ and ‘Security and Trust Consensus Proposal’ documents. At this time we have no plans to implement the full set of security protocols and specifications laid out in the NHIN Direct Project guidelines.

The Direct Project discusses the use of public certificate repositories such as ICAM (http://www.idmanagement.gov/), but we currently do not support integration with this type of centralized certificate database, and we do not intend to provide that service anytime soon. Additionally, we do not currently support the use of DNS CERT records to fetch recipient certificates. Lastly, we may or may not be able to support the transmission of health industry specific formats such as HL7, CDA, and CCR, but we have no intent at this time to make software changes to ensure support for these formats specifically.

Key security requirements of the Direct Project that BxB Secure’s and our partners’ HIPAA compliant accounts do meet include:

  • Forced use of S/MIME certificates for all outbound email for encryption and digital signing
  • Forced use of TLS encrypted transmission for inbound and outbound email (requires a dedicated proxy server)
  • Forced use of TLS encrypted transmission for POP, IMAP, and SMTP connections from email clients (i.e. Outlook)
  • Forced authentication for POP, IMAP, and SMTP services
  • Detailed auditing of sent messages

Q. Will BxB Secure co-sign my own BAA, or do I have to use BxB Secure’s BAA?

A. BxB Secure has constructed a Business Associate Agreement tailored to our services and to what we provide in terms of HIPAA compliance. This agreement has been vetted by our lawyers and is used by all of our HIPAA customers for consistency in application, expectations, and training.

BxB Secure does not sign individual Business Associate Agreements (BAAs) provided by our customers. This is because of (a) the time and cost it would involve to legally review each one, (b) the additional time and cost involved in ironing out differences between the contents of the customer’s BAA and what BxB Secure can and will agree to, and (c) the fact that differing, individualized expectations and contracts with each customer would make security and privacy training, policies, and procedures complicated and thus increase the chance of error. Nobody wants to increase the chance of error with regard to the treatment of PHI.