Important: HIPAApropriateness reviews, including their summaries, are for informational purposes only. They are neither consultation nor legal advice. Be aware that while we do our best to be thorough and complete, information may be missing or possibly even inaccurate. Products also change quickly, and the review may become out of date. By continuing to read, you agree to use the information in HIPAApropriateness reviews and their summaries at your own risk.

Vital Stats

HIPAA compliance with this product appears possible?: Yes.
Recommend for your HIPAA risk management needs?: Yes. Be sure to read the notes for some important usage notes.
# of Caveats: 0
# of Usage Notes: 5

Relevant Product Characteristics

  • This product is designed specifically with the healthcare industry in mind.
  • The leadership or management behind this product includes at least one health care professional (but no mental/behavioral health professionals that we could find).

What Is This Product?

LuxSci SecureLine is a secure e-mail service that offers encrypted e-mail, versatile settings, and a BAA for your HIPAA-compliance needs.

Our Impressions

Very positive. Our technical and compliance-related questions were addressed quickly and thoroughly. We also experienced the company as being highly responsive to our questions and feedback. Their blog gives us the impression that they are constantly thinking about security, especially with an eye towards HIPAA.

We also recognized the benefits of LuxSci’s notification system for access attempts. By default it alerts on any failed login attempts, but one can also enable alerts for successful login attempts. It also provides an interface to view failed and successful attempts. This goes a long way in helping you achieve HIPAA-compliant use of their tools.

Caveats

Caveats are criticisms of the company or product that we feel are relevant to your risk management or other important considerations.

None

Notes

Notes cover points where the product can’t ensure compliance or ethical action for you. These help you know what your part of the compliance puzzle looks like when using this product. A high note count usually correlates with a feature-rich product, and not necessarily with a product that has problems.

1) Be sure to change your password immediately

LuxSci sends your initial password over e-mail to a non-LuxSci account. Be sure to change this upon your first login, as there’s a possibility that first e-mail could be intercepted in transit (a low, low possibility, and one that would be true of most e-mail from most vendors).

We approve of LuxSci’s strong password requirements – a surprising rarity!

2) Follow simple security measures like using appropriate computer/device security

A chain is only as strong as its weakest link. Be sure that whatever device you are using to access LuxSci has appropriate security and access measures in place. Our Device Security Instruction Center covers smartphone security in detail. Our video on how to use the security features of your smartphone is also quite helpful.

3) Perform a risk assessment as to whether to use TLS (SecureLine) or escrowed (SecureLine Escrow) mail with clients

LuxSci gives you the choice of sending e-mail as TLS-encrypted (end-to-end encryption where the e-mail appears as a normal e-mail to the recipient — see our article about it here) or as escrowed e-mail, where the recipient simply receives a notice that there is a message waiting for them. The recipient then either creates a free SecureSend account to read the message or, if you choose that option, answers a question to which only they would know the answer.

While you could turn on escrowed e-mail by default, some users might not want to log in or answer a question every time. We recommend you perform a risk analysis with each client or with your general client population and make a determination based on that. For example, if you have a client who is dealing with intimate partner violence, and they consent to receive e-mail, escrowed mail may present a safer option if their partner might access their e-mail. However, the subject line of an escrowed e-mail WILL show up in the recipient’s e-mail. Also, if using the question/answer escrow authentication method, be sure the answer is something that only the client, and not a potential abuser, would know.

We also recommend that, no matter what product you use for secure e-mail, you have an informed consent discussion with every client about exactly which forms of communication they are comfortable using and for what specific subjects (scheduling, reminders, documents, clinical information, etc.).

4) Request or select the “HIPAA-compliance” option when creating your account, then sign BAA/ARA

Be sure to select the “HIPAA-compliance” option when you are requesting or selecting your account with LuxSci. This automatically generates a ticket pertaining to HIPAA-compliance when your account is provisioned. LuxSci’s HIPAA Security & Privacy Officer will review your account security settings and apply a lockdown which enforces the security settings described in LuxSci’s HIPAA documents. If you do not select the “HIPAA-compliance” option, there will be account setting options which are not HIPAA compliant.

LuxSci has a required “Account Restriction Agreement,” in addition to their BAA, for HIPAA customers. Review the details of required account setting configurations, recommendations and customer responsibilities in the ARA. Be advised that clinicians can send unencrypted e-mails without being in violation of the ARA.

You must sign LuxSci’s BAA and ARA within 2 weeks of opening your account, preferably online at https://luxsci.com/baa. Once the lockdown is complete and the BAA and ARA documents are signed and returned to LuxSci, the account is then designated as HIPAA-compliant by LuxSci. We recommend you sign and return the BAA and ARA immediately upon opening the account. Furthermore, we advise that you obtain confirmation from LuxSci that the lockdown has been completed and the account designated as HIPAA-compliant prior to utilizing your account.

5) Consider making SecureLine Escrowed e-mail the default in webmail

LuxSci offers settings that make it possible to have all sent e-mail encrypted while sitting on their servers; however, these settings are not automatic. LuxSci advises that you disable “TLS only” in your SecureLine settings. With “TLS only” disabled, all messages that you send securely will be encrypted at rest on LuxSci’s system. Please note that this only applies to messages sent from SecureLine Webmail.

To make this change, go into the settings for your account, under Outbound E-mail > E-mail Compose Settings > SecureLine, and set the option “Use SecureLine Escrow in WebMail instead of TLS-Only delivery by default?” to “Yes.”