KC News

HIPAA, Websites and Email

HIPAA

HIPAA security rule enforcement is on the rise. HIPAA is the Health Insurance Portability and Accountability Act. This law regulates the privacy and security of individually identifiable patient information.

HIPAA affects any company that regularly transmits or stores employee health insurance information (e.g. healthcare providers, health plans, healthcare clearing houses). Even organizations outside the healthcare industry must consider regulatory compliance requirements associated with HIPAA and implement "appropriate administrative, technical and physical safeguards to protect the privacy of patient information".

See also:

http://en.wikipedia.org/wiki/HIPAA

PHI

Protected Health Information (PHI) is "any information which identifies or could be used to identify an individual and has anything to do with past, present or future physical or mental health conditions, care or payment for care".

HIPAA and Email

HIPAA privacy provisions pose a compliance challenge. Organizations that fail to protect this information face stiff fines and possible jail time.

The privacy of PHI extends to email and computer files. HIPAA requires organizations to reduce or eliminate the risk of interception of emails and receipt of emails by unauthorized persons.

A new security rule focusing solely on PHI that is stored and transmitted electronically is part of HIPAA. The requirements of this rule, which are simply information security best practices, focus on the three cornerstones of a solid information security infrastructure – confidentiality, integrity, and availability of information.

HIPAA enforces well-known best practices that include:

* Ensuring that e-mail messages containing PHI are kept secure when transmitted over an unprotected link

* Ensuring that e-mail systems and users are properly authenticated so that PHI does not get into the wrong hands

* Protecting e-mail servers and message stores where PHI may exist

So HIPAA has requirements for transmission, storage and discoverability of private information (PHI). The technical standards of HIPAA's security rule require the use of encryption, such as PGP, for electronic communication of protected health information over open networks.

What Do We Do?

So what does your organization need to do about HIPAA?

Most likely you will be doing these two steps:

1) Use a secure server for your website. Rather than emailing PHI data, send links to the secure server.

2) Set up encrypted email via PGP.

Still not sure what you need to do for HIPAA? Look here for answers:

H&HS Office for Civil Rights - HIPAA

http://www.hhs.gov/ocr/hipaa/


H&HS HIPAA FAQ

http://www.hhs.gov/hipaafaq/


California Office of HIPAA Implementation

http://www.ohi.ca.gov/

Email Tip

Many healthcare professionals add postscripts to their email signature lines. These postscripts are there to protect the security of protected health information.


Here is a HIPAA compliant example:


First Name Last Name

Organization


w xxx.xxx.xxxx

p xxx.xxx.xxxx

c xxx.xxx.xxxx

http://example.com

This message may contain private information for persons named above. Please don't share that information with anyone without a need to know. If you received confidential information without a PGP wrapper, assume it was compromised, delete it, tell the sender, and try to tell the victim. Please don't send someone else's private information if you're not reasonably certain the recipient has a need to know and that the message will be kept private. Plain email is not private. In some cases, such as health information protected under the US HIPAA law or information protected under the US Privacy Act, plain email may be illegal. If you must relate a person's identity to their private information in email, use Hushmail or insist your recipients provide you their PGP public key. You can get my public key from the keyservers or my webpage.

E-mail Marketing and Spam


This is the summary of a lecture I recently gave to a local group of small business owners about email marketing and spam.

E-mail Marketing and Spam
==========================
by Alex Kahl, Kahl Consultants

 

What is Spam?
===============
Spamming is the abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages.

* e-mail spam
* instant messaging spam
* newsgroup spam
* Web search engine spam
* blog spam
* mobile phone messaging spam
* junk fax transmissions


How much?
=========
Kahl Consultants receives approx. 10,000 spam messages per day (but only has to read about 10-20)
Bill Gates receives 4 million spam messages per year
In 2001: spam accounted for 5% of all e-mail.
In 2007: 95-98% of all e-mail is spam.
Spam costs businesses over US$20 billion per year in lost productivity, additional equipment, software, and manpower.


Why Spam?
=========
E-mail is extremely cheap. Spamming can be very profitable even at extremely low response rates.


Who Spams?
==========
28% USA
5% South Korea, 5% China, 5% Russia
80% of US spam is generated by a group of 200 hardcore professional spam gangs


How is spam sent out?
========================
Most ISPs do NOT allow spam. So spammers conceal the origins of their spam by sending it through insecure servers belonging to unwilling third parties. These "zombie networks" of infected PCs span the globe.


How do spammers get my e-mail address?
=========================================
* E-mail addresses posted on Web sites in plain HTML (unobscured) attract the most spam as they are harvested by spambots
* Basic e-mail addresses (short names, initials like bob@ or tse@, basic combinations like larryt@) receive more spam
* "brute force" or "dictionary attacks" (e-mail is sent to common surnames and first initials)


Fighting Spam
==============
Best solution: an "Antispam Cocktail" (a mix of strategies)

* Remove or obscure address from public websites
* Use multiple e-mail addresses; create a free email account (aka disposable e-mail address) for use when registering with websites (recommendation: Gmail)
* DNS-based blackhole lists (lists of IP addresses of known spammers, open relays, zombie spammers etc)
* Don't respond to spam from unknown companies
* Don't buy from a company that spams. Don't visit their website, don't ask for more information
* Disable HTML in email software
* Switch from Outlook to another email software (recommendation: Mozilla Thunderbird)
* Set up multiple levels of spam filtration
* Contact your ISP and ask for help setting up a spam filter
* Use spam filtering in your email client (spam filters detect spam based on the content of the e-mail)
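As an added example (not part of the original lecture), here is how a mail server consults a DNS-based blackhole list of the kind listed above: the sender's IPv4 octets are reversed and looked up as a name under the list's zone, and an A-record answer inside 127.0.0.0/8 means the address is listed. The zone name `dnsbl.example.invalid` and the resolver table are constructed so the code runs offline.

```python
import ipaddress
from typing import Callable, Dict, Optional

# Constructed sample zone name; a real DNSBL zone is queried the same way.
ZONE = "dnsbl.example.invalid"

def dnsbl_query_name(ip: str, zone: str = ZONE) -> str:
    """Build the lookup name: octets reversed, then the list's zone.
    Looking up 192.0.2.10 in zone Z asks DNS for '10.2.0.192.Z'."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on a bad address
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"

def interpret_answer(answer: Optional[str]) -> str:
    """Turn the DNS answer into a verdict.
    Listed senders get an answer in 127.0.0.0/8 (RFC 5782 convention);
    no record (None, i.e. NXDOMAIN) means not listed; any other address
    indicates a broken or parked list and must not be used to block mail."""
    if answer is None:
        return "not-listed"
    if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
        return "listed"
    return "invalid-list"

def check_sender(ip: str, resolve: Callable[[str], Optional[str]],
                 zone: str = ZONE) -> str:
    """Full check: build the name, resolve it, interpret the answer."""
    return interpret_answer(resolve(dnsbl_query_name(ip, zone)))

# Constructed fake resolver standing in for a real DNS A lookup (offline demo).
FAKE_DNS: Dict[str, str] = {
    "10.2.0.192." + ZONE: "127.0.0.2",   # 192.0.2.10 is on the list
    "1.2.0.192." + ZONE: "203.0.113.5",  # broken list: answer outside 127/8
}

def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)

if __name__ == "__main__":
    for sender in ("192.0.2.10", "192.0.2.1", "198.51.100.7"):
        print(sender, check_sender(sender, fake_resolve))
```

A production server would replace `fake_resolve` with a real DNS A-record lookup and treat a listed sender as one reason among several to reject or score the message, as the "antispam cocktail" above recommends.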


Kahl Consultants and Spam
==============================
* Strict no-spam policy
* Hosting clients caught spamming are terminated
* 2 levels of spam filtration on our website servers (blacklists and SpamAssassin)
* Request our clients to help fight spam


Kahl Consultants and Email Marketing
=======================================
* We support our clients in all forms of online marketing (web and email)
* Email marketing is cheaper than website marketing; both work best when done in combination
* We practice double opt-in email marketing
* We set up and monitor email campaigns (e.g. constantcontact.com)


Great sites for Music Listeners

OK here is a quick introduction to some very cool websites that will let you listen to music online - each has its own incredible features so have fun exploring!

http://pandora.com/
Pandora is your personal online radio station (or you can call it an internet jukebox) that only plays music according to your taste. You tell it what song or band you like, and it chooses the tunes to match your preference. Then you help it along by voting on what you like and don't like. Works great. "Social radio" at its finest... so far!

http://musicovery.com/
Another personal online radio station cum jukebox - you choose the music you like by cool categories such as: genre, mood, decade, popularity, and danceability!

http://www.slacker.com/
Online radio - choose by music category.

http://songza.com/
Super simple: you pick the exact song you want to hear (from a huge selection) and then you listen and enjoy!

http://www.jango.com/
Simple to use "social radio" - choose a station (a pre-mixed selection of artists), or artist - and you are ready to enjoy!

http://www.deezer.com/
Listen for free to any song you like. Create playlists and rate songs. Share your faves. Repeat as often as you like or until the boss catches you procrastinating!

http://www.purevolume.com/
Listen to cool new bands. You can even legally download free music from signed and unsigned artists. Free signup required.

You still here? Not enough online fun with music yet? OK wise guy, try this list of links from Technology Magazine!


Free Online File Conversion Tool

There are many FREE online tools for file conversion. They easily let you convert hundreds of file formats!

Say you can't read a file someone emailed you. You just might be able to use such a website to read it. 

There is no installation needed, and they convert the file within seconds.

The next time you need to convert a TIFF to a JPG or an XLS to a PDF and so forth, try it out!


Media Converter

http://media-converter.com/

Zamzar

http://www.zamzar.com/

You Convert it

http://www.youconvertit.com/ConvertFiles.aspx

Media Convert

http://www.mediaconvert.com/