Healthcare Technology Vendor News

Is DocuSign HIPAA Compliant?

Can DocuSign be used by healthcare organizations in connection with electronic protected health information (ePHI) without violating HIPAA Rules? Is DocuSign HIPAA compliant?

DocuSign is a San Francisco-based provider of electronic signature technology and transaction management services. Via DocuSign, companies can send documents such as contracts to customers and business associates and obtain their electronic signatures to confirm that they have read the document and agree to any terms and conditions contained therein.

In healthcare, eSignature services can streamline administrative tasks and save many hours of chasing up paperwork. The DocuSign solution can be used by healthcare providers for a range of different purposes, including obtaining eSignatures on SLAs, business associate agreements, credentialing forms, and patient consent forms.

However, if the service is used in connection with any electronic protected health information, DocuSign would be classed as a business associate. HIPAA requires all business associates to enter into a HIPAA-compliant business associate agreement with covered entities prior to being provided with or given access to ePHI.

Is DocuSign HIPAA Compliant?

When considering if DocuSign is HIPAA compliant, a key test is whether the company is willing to sign a BAA with a HIPAA-covered entity. On the DocuSign website, the company states that it is prepared to sign a BAA and has already done so with many healthcare providers and life science customers.

DocuSign confirms that while the company does not access ePHI, any ePHI that passes through its service is secured. The company also states that it is in full compliance with the privacy and security requirements of HIPAA and that its service meets HHS standards for digital signatures.

In order to obtain a BAA, customers must first sign up for an Enterprise account with DocuSign and they must ensure the signed BAA is obtained prior to using the service with any ePHI.

Provided a BAA is obtained, DocuSign can be considered a HIPAA compliant eSignature service.

The post Is DocuSign HIPAA Compliant? appeared first on HIPAA Journal.

Is Calendly HIPAA Compliant?

Calendly is a popular tool that is used by many businesses to schedule meetings and appointments, but can Calendly be used by healthcare organizations? Is Calendly HIPAA compliant?

Businesses can waste a considerable amount of time scheduling appointments and meetings. Lengthy email exchanges and phone tag are commonplace. Calendly aims to eliminate the time wasted attempting to connect with others, and the platform can reduce no-show rates through automated email and text reminders. The solution integrates with Google Calendar, iCloud calendar, Office 365, Salesforce, GoToMeeting, and other popular software platforms, and it can also be integrated directly into business websites to allow customers to schedule appointments directly.

The platform is used by healthcare organizations for scheduling internal meetings, but in order to use Calendly with any electronic protected health information, healthcare organizations would first need to enter into a HIPAA-compliant business associate agreement with Calendly.

Is Calendly HIPAA Compliant?

Calendly explains on its website that the platform is secure and all data uploaded is protected. Data sent to and stored by the scheduling tool is protected by 256-bit encryption and Calendly is hosted on Amazon Web Services, which is a HIPAA-compliant hosting solution. Calendly cannot read medical charts and other private information as it only reads the busy/free status of calendar events to avoid double bookings.

While secure, Calendly explains in the help section of its website that “Calendly should not be used for collecting Protected Health Information” and that the solution should not be used for asking “any personal or medical questions in the question form invitees complete when scheduling.” Calendly also does not sign business associate agreements with HIPAA-covered entities.

As such, Calendly is not a HIPAA-compliant scheduling tool. The tool can be used by healthcare organizations, just not in connection with any ePHI. Healthcare organizations should ensure that only HIPAA-compliant scheduling tools are used for booking patient appointments.

The post Is Calendly HIPAA Compliant? appeared first on HIPAA Journal.

Is Evernote HIPAA Compliant?

Evernote is a useful cloud-based service that allows users to take notes, create to-do lists, plan projects, and collaborate with teams, but is Evernote HIPAA compliant? Can Evernote be used in healthcare by physicians and other healthcare professionals without violating HIPAA Rules?

Evernote serves as an easily accessible repository for a wide range of information, including documents, audio files, images, and video files. One of the key features of Evernote that makes it so useful is the ability to automatically sync files and notes across multiple devices.

Evernote is available as a free app or a paid service for businesses and does incorporate access controls and security features such as single sign-on (SSO) and two-factor authentication to prevent unauthorized use of the applications. Evernote stores data on the Google Cloud platform, which can be HIPAA compliant. Encryption is also supported by Evernote for Mac and Evernote for Windows Desktop. In-note encryption uses a 128-bit AES key.

Evernote is designed to make data sharing as easy as possible, which should raise a red flag if you are thinking about using Evernote with protected health information or files containing protected health information, such as patient documents or dictated notes.

Is Evernote HIPAA Compliant?

So, with the above security controls, is Evernote HIPAA compliant? While the security controls mentioned above do offer some protection against unauthorized access, they are not currently sufficient to meet the requirements of the HIPAA Security Rule. Further, Evernote does not sign business associate agreements with HIPAA covered entities.

Therefore, Evernote is not a HIPAA compliant note-taking app and should not be used in connection with any protected health information.

There are alternatives that can be used in its place. You can read more about these on the links below:

Is Google Keep HIPAA Compliant?

Is Microsoft OneNote HIPAA Compliant?

The post Is Evernote HIPAA Compliant? appeared first on HIPAA Journal.

Sandboxing and DMARC Authentication Added to SpamTitan to Improve Email Threat Detection

Despite increased investment in cybersecurity, healthcare organizations still struggle to protect against advanced phishing threats and email impersonation attacks. Detection of new malware threats can also be a major challenge for small- to medium-sized healthcare organizations and managed service providers.

To better serve the healthcare market and improve protection against sophisticated phishing attacks and zero-day malware, TitanHQ has announced it has added two new features to its SpamTitan spam filtering solution: DMARC email authentication and sandboxing.

Due to the increase in email impersonation attacks, the Department of Homeland Security issued a binding operational directive in 2017 that required all executive branch agencies to fully adopt Domain-based Message Authentication, Reporting and Conformance (DMARC) to protect against email impersonation attacks and domain spoofing. DMARC authentication has now been incorporated into SpamTitan to improve detection of domain spoofing phishing attacks and prevent these phishing emails from reaching end users’ inboxes.

New malware and ransomware variants are now being released at unprecedented levels. Detecting these new malware threats requires more than AV solutions. To better protect users against these new email-based malware threats, TitanHQ has added a new Bitdefender-powered sandboxing feature to SpamTitan.

Suspicious file attachments are now sent to the sandbox, where they can be detonated and analyzed for malicious actions. Within this secure environment, files can be assessed safely to identify obfuscated malware, new malware threats, attempts to download malicious payloads, and calls to C2 servers. A broad range of file types are sent to the sandbox, including applications, executable files, and office documents.

“The sandbox service analyzes files by leveraging purpose-built, advanced machine learning algorithms, decoys and anti-evasion techniques, anti-exploit, and aggressive behavior analysis,” explained TitanHQ. “All results are checked across known threats in an extensive array of online repositories, and all in just a few minutes.” If files are confirmed as malicious, they are reported to Bitdefender’s Global Protective Network and the threat is blocked globally.

“I’m delighted to launch both features today and we will continue with our commitment to continually invest in, develop and improve SpamTitan email security,” explained TitanHQ CEO Ronan Kavanagh. “These new features will help healthcare clients improve their defences against advanced malware and sophisticated phishing attacks.”

The post Sandboxing and DMARC Authentication Added to SpamTitan to Improve Email Threat Detection appeared first on HIPAA Journal.

Is Return Path HIPAA Compliant?

Return Path is an email marketing and optimization platform that allows businesses to automate and analyze their email marketing campaigns but is Return Path HIPAA compliant? Can the email marketing platform be used by healthcare organizations without violating HIPAA Rules?

Sending Marketing Emails to Patients and Health Plan Members

Before any healthcare organization can use an email service for sending marketing emails that contain electronic protected health information (ePHI) they must first:

  • Obtain consent from patients/plan members to receive marketing communications
  • Ensure that the service provider has appropriate security controls to protect the confidentiality of ePHI stored by or used by the platform
  • Ensure that ePHI can be uploaded to the platform securely without placing the information at risk of compromise
  • Enter into a HIPAA-compliant business associate agreement (BAA) with the service provider

Marketing messages are not included in the HIPAA Privacy Rule’s TPO definition. Consent must be obtained in writing from patients/members before ePHI can be used for marketing purposes.

A BAA is required, as the uploading of ePHI to a mailing service counts as a disclosure of ePHI. The service provider is considered a business associate and is required to be informed of its responsibilities with respect to HIPAA and must agree to abide by HIPAA Rules.

Provided the above conditions are met, a HIPAA-covered entity can use a third-party platform for sending marketing emails.

Is Return Path HIPAA Compliant?

Return Path naturally has a range of security protections in place to ensure the confidentiality, integrity, and availability of data uploaded to its platform. However, Return Path makes no mention of HIPAA or business associate agreements in its terms and conditions.

Return Path also states in its T&Cs that it is the responsibility of users of its platform to ensure they comply with appropriate laws and regulations.

So, is Return Path HIPAA compliant? Without a BAA, Return Path is not a HIPAA compliant email service and cannot therefore be used in connection with any ePHI.

The post Is Return Path HIPAA Compliant? appeared first on HIPAA Journal.

Is Mandrill HIPAA Compliant?

Is Mandrill HIPAA compliant? Can MailChimp’s transactional email service be used by healthcare organizations without violating HIPAA Rules?

Use of Mandrill by Healthcare Organizations

Mandrill is a transactional email offering from MailChimp, the leading automated email marketing platform. Mandrill allows businesses to automatically send emails to customers and individuals that interact with their web apps and connects to MailChimp via an API.

Transactional emails differ from marketing emails in that they are programmed to be triggered by events such as password resets, order confirmations, welcome messages, and the sending of receipts. Marketing emails require an opt-in from patients/plan members under HIPAA Rules; in most cases, transactional emails do not.

That does not mean that there are no HIPAA issues for healthcare organizations that are considering using Mandrill. Any email service used by a healthcare organization that requires electronic protected health information (ePHI) to be uploaded would have to have privacy and security safeguards built into the platform to prevent unauthorized ePHI access, and an audit trail would need to be maintained. Any ePHI uploaded would need to be secured in transit, and stored data would need to be encrypted.

If the service is to be used with any ePHI, the service provider would be classed as a business associate and a business associate agreement would therefore be required.

Most service providers that support HIPAA compliance and are prepared to enter into a business associate agreement with HIPAA-covered entities make it clear that they support HIPAA compliance and offer a BAA.

Is Mandrill HIPAA Compliant?

Users of Mandrill are bound by the terms and conditions of MailChimp. You can find out more about Mailchimp and HIPAA compliance here, but to summarize that post, MailChimp states that “You’re responsible for determining whether the Service is suitable for you to use in light of your obligations under any regulations like HIPAA” and, since at the time of writing MailChimp does not offer a BAA, neither MailChimp nor Mandrill is HIPAA compliant.

MailChimp and Mandrill can be used by healthcare organizations, but since they are not HIPAA compliant they cannot be used in connection with any ePHI.

The post Is Mandrill HIPAA Compliant? appeared first on HIPAA Journal.

Is Marketo HIPAA Compliant?

Marketo is a marketing automation solution for lead management and email marketing that was recently acquired by Adobe. Can Marketo be used by healthcare organizations in connection with ePHI? Is Marketo HIPAA compliant?

Healthcare Marketing

Healthcare organizations looking for a marketing automation platform need to ensure the platform provider complies with HIPAA regulations if the platform is to be used in connection with electronic protected health information.

Healthcare organizations can use marketing automation platforms for a range of purposes without having to enter into a business associate agreement (BAA) with the solution provider, but if the solution is to be used with ePHI, a BAA is essential.

HIPAA places restrictions on uses and disclosures of ePHI by HIPAA covered entities. ePHI can be used and disclosed for the purposes of providing treatment, in relation to payment for healthcare, or for healthcare operations (TPO) without having to obtain authorization from patients. Other uses and disclosures, which include marketing, require authorizations from patients.

HIPAA defines marketing as “communication to an individual about a product or service that encourages the individual to purchase or use that product or service.” – See 45 CFR 164.501(1).

Prior to sending any marketing communications, HIPAA-covered entities must obtain authorization from patients/members in writing, either physically or electronically with an e-signature.

Is Marketo HIPAA Compliant?

Marketo states on its website that its platform has Privacy Shield certification and has been SOC2 certified and Marketo has implemented safeguards to ensure customer data are kept private and confidential.

Connections to Marketo are encrypted using high-grade 2048-bit certificates and user sessions are protected by unique session tokens and require re-verification for each transaction. Marketo performs regular scans of its network and systems for vulnerabilities and patches are applied promptly. Marketo also performs pen tests and has its products assessed by independent third parties. Physical, technical and administrative safeguards are implemented to keep software, hardware, and data secured and all clients’ data are stored in separate databases.

Marketo’s use policy states that customers must not provide Marketo access to or upload “any of the following categories of data: social security numbers; passport or visa numbers; driver’s license numbers; taxpayer or employee ID; financial account or payment card information; passwords; medical or health records or information reflecting the payment of such treatment.”

So, is Marketo HIPAA compliant?

The Marketo website and associated forums contain no mention of a BAA. Without a BAA the solution cannot be considered HIPAA compliant and should not be used with ePHI.

That does not mean Marketo cannot be used by healthcare organizations. Many healthcare organizations, including GE Healthcare, Kindred Healthcare, Boston Children’s Hospital and EHR provider Allscripts use the platform. It is the responsibility of users of the platform to ensure that HIPAA Rules are followed.

The post Is Marketo HIPAA Compliant? appeared first on HIPAA Journal.

Is Constant Contact HIPAA Compliant?

Massachusetts-based Constant Contact has developed an online and email marketing solution that makes it easy to keep in touch with customers and send out newsletters and marketing messages, but can Constant Contact be used by HIPAA-covered entities? Is Constant Contact HIPAA compliant?

Sending Marketing Emails Containing ePHI

The HIPAA Privacy Rule does not prohibit HIPAA-covered entities from sending marketing emails, but before marketing messages can be sent, patients/plan members must give their authorization to receive those communications. Provided authorizations have been received in advance, marketing emails can be sent without violating the HIPAA Privacy Rule.

In order to improve efficiency, an email marketing solution may be considered, but HIPAA-covered entities need to exercise caution. Not all email marketing platforms have the necessary safeguards to meet the requirements of the HIPAA Security Rule, and some that do still cannot be used because the service provider is not prepared to enter into a business associate agreement with healthcare organizations.

Uploading any ePHI to an email marketing platform would be classed as an impermissible disclosure of ePHI if the covered entity has not first obtained satisfactory assurances that the service provider will protect any ePHI it receives and accepts that, as a business associate of a HIPAA-covered entity, it is also required to comply with certain aspects of HIPAA Rules.

Is Constant Contact HIPAA Compliant?

When assessing whether Constant Contact is HIPAA compliant, the business associate agreement is a good place to start. Constant Contact states on its website that it is prepared to enter into a business associate agreement with healthcare organizations, which will allow them to use the service for sending emails to patients and health plan members.

However, there are some caveats. Constant Contact will only sign its own BAA, not one provided by a HIPAA-covered entity. When using the platform, HIPAA-covered entities are responsible for any data stored in their Constant Contact account. They must ensure they set strong passwords and configure the platform correctly. That includes setting up multi-user access or single sign-on and assigning user roles correctly to limit what users can do when logged in to the account.

Constant Contact also states that the platform should not be used for “transmitting highly sensitive PHI (for example: mental health, substance abuse, or HIV information). Our application was not built for electronic medical records (EMR).”

So, while Constant Contact is prepared to sign a BAA and does support HIPAA compliance, there are restrictions on what the platform can be used for.

The post Is Constant Contact HIPAA Compliant? appeared first on HIPAA Journal.

EHR Vendor False Claims Act Violation Case Settled for $57.25 Million

The Tampa, FL-based electronic health record (EHR) software developer Greenway Health LLC has agreed to settle violations of the False Claims Act with the Department of Justice for $57.25 million.

The case concerns Greenway Health’s EHR product Prime Suite. The DOJ alleged that by misrepresenting the capabilities of the product, users submitted false claims to the U.S. government. Further, Greenway Health was alleged to have provided unlawful remuneration to users to induce them to recommend the EHR product to other healthcare providers.

The U.S. government provided incentives to healthcare organizations to encourage them to transition from paper records to EHRs through the Meaningful Use program. Most healthcare providers have now made the change and rely on EHR systems to support the healthcare decision process. It is therefore essential that EHR products allow patient health information to be recorded and transmitted accurately.

In order for healthcare providers to qualify for Meaningful Use payments, they must only use EHR products that have been certified as meeting certain criteria stipulated by the Department of Health and Human Services (HHS). In order to receive certification, EHR software developers must have their products tested by an independent, accredited testing laboratory authorized by the HHS. Certification is then provided by an official certification body.

Greenway Health was alleged to have falsely obtained 2014 Edition certification for Prime Suite by concealing the fact that the product did not fully comply with all HHS criteria, such as the use of standardized clinical terminology to ensure reciprocal flow of patient information and the accuracy of electronic prescriptions. Greenway Health was alleged to have modified its test-run software to deceive the company that certified Prime Suite into believing it used the requisite clinical vocabulary.

Healthcare providers who used Prime Suite needed to meet targets for EHR-related activities in order to receive Meaningful Use incentive payments. One such target was to provide a certain percentage of patients with clinical summaries after office visits. The 2011 Edition of Prime Suite did not accurately calculate the percentage of office visits for which users distributed clinical summaries and, as a result, it caused users to submit false claims. Greenway Health chose not to correct the error because, had it done so, its users would not have qualified for Meaningful Use incentive payments.

Greenway Health was also alleged to have violated the Anti-Kickback Statute by paying money to users as an incentive to recommend the product to other healthcare providers.

“This resolution demonstrates our continued commitment to pursue EHR vendors who misrepresent the capabilities of their products, and our determination to promote public health while holding accountable those who seek to abuse the government’s trust,” said Assistant Attorney General Jody Hunt of the Department of Justice’s Civil Division.

This is the second case against an EHR provider to have been pursued and resolved in the past two years. eClinicalWorks was also accused of covering up the failure of its platform to pass certification testing. eClinicalWorks paid $155 million to settle its case.

“These cases are important, not only to prevent theft of taxpayer dollars, but to ensure that the promise of health technology is realized in the form of improved patient safety and efficient healthcare information flow,” said United States Attorney Christina E. Nolan for the District of Vermont.

In addition to the financial penalty, Greenway Health has entered into a 5-year Corporate Integrity Agreement (CIA) with the HHS’ Office of Inspector General. Under the terms of the CIA, Greenway Health is required to retain an Independent Review Organization to assess its software quality control and compliance systems and to review arrangements with healthcare providers to ensure compliance with the Anti-Kickback Statute.

Greenway Health must also allow all users of Prime Suite to upgrade to the latest version of the platform at no additional charge and, if they so wish, allow customers to transfer their data to another EHR software provider without incurring penalties, service charges, or other contractual amounts owed in connection with the goods/services already provided.

The post EHR Vendor False Claims Act Violation Case Settled for $57.25 Million appeared first on HIPAA Journal.