
Information about HIPAA only as it pertains to our website or webmail use will be posted here for those of you who may be interested.

HIPAA and Pitfalls of Public eMail Use:

I know that many of you use Hotmail, Gmail or Yahoo email regularly, and you need to be aware that using any free public email carries the risk of violating HIPAA law. The ERC may soon be having a secured LAN set up in order to comply with HIPAA law, which will become effective in June. At that time, connecting to any of these email systems from an ERC facility can very possibly cause you problems.

The LAN will not be related to the ERC website, but since virtually all email enquiries from the public that you answer will be through the website's mail server, you should be aware of some pitfalls regarding email use. I am not picking on Gmail-- it's probably the best of the free systems-- but since it is the most popular one I decided to post this information below.

This is from a technical article by Erik Kangas, PhD, President of LuxSci, Specialists in Network Secure Email, Web and Form Solutions.

We are frequently approached by people in need of HIPAA compliant email who are currently using Gmail, or who have users that are familiar with and like Gmail. They would, of course, like to add HIPAA compliance without changing any of their organization's processes or habits.

For example, some people may want to set up HIPAA compliant email and have those secure messages forwarded to Gmail, where they can access them in their "usual way". In general, this is a very bad idea - this will almost always be non-compliant and leave them at significant risk for breaches, disclosure, and HIPAA liability.

No one who must abide by HIPAA should be accessing ePHI through Gmail.

Gmail Supports TLS and SSL... so why isn't it Compliant?

Many public email services support SSL for access to their web site and TLS for inbound email transport encryption. These are good things and help the Internet become a more secure place. However, while these technologies provide the HIPAA-required transport encryption when you access email using Gmail's web interface and support optional inbound email transport encryption, many features are missing and most will probably never be added to Gmail. These include:

  1. No Enforced Outbound Email Encryption: If you send email with ePHI to someone using your Gmail account, it will almost certainly go over the Internet to the recipient's mail servers and folders in an insecure and unencrypted fashion, automatically violating HIPAA.
  2. Limited or No Auditing: Gmail provides little or no auditing of connections and accesses to accounts.
  3. No Secure Business Policies: HIPAA requires that you will:
    1. Ensure secure tracking of stored data
    2. Ensure secure disposal of used hard drives and other media
    3. Ensure secure access to facilities
    4. Ensure all employees with access to any data are trained in and abide by HIPAA privacy standards. Gmail engineers have complete access to user data and do look at it. See "Google worker fired for stalking teens".

    Google would need to follow all of the steps in the HIPAA Compliance checklist, and more.

  4. Who owns and where is your data? Google scans all your mail (and ePHI?) to provide ads and other information to you. This data may be stored anywhere and in any format. While the data might not be tracked back to you easily, the data itself is the problem... privacy of the data cannot be ensured within the Google infrastructure.
  5. What happens to deleted data? Google doesn't like for you to delete data, ever. They would prefer it stick around. Private data, like ePHI, cannot be guaranteed to be removed from their servers even if you delete it from your account.
  6. Google doesn't appear to implement anything in the HIPAA checklist in a way that would be fully compliant. In the future, they may extend their security (as they have added SSL and TLS support and two-factor authentication) to give the appearance of more security. However, it will never be cost effective for them to offer fully HIPAA-compliant email and to police their huge workforce to ensure that proper policies are obeyed.

The above is from a man who is considered to be one of the top HIPAA compliance experts for server-side technology.
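Item 1 of the quoted list turns on transport encryption being optional rather than enforced. As an added example (not from the original page or the quoted article), this script reads a message's Received headers and reports which hops did not record TLS. The sample headers and host names are constructed.

```python
import re
from email import message_from_string

# Constructed sample headers; hosts and addresses are made up.
# Relays prepend Received lines, so the newest hop is at the top.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
\tby store.recipient.example with ESMTPS id c3; Mon, 1 Jan 2024 10:00:03 +0000
Received: from smtp-out.provider.example (smtp-out.provider.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id b2; Mon, 1 Jan 2024 10:00:02 +0000
Received: from client.sender.example (client.sender.example [192.0.2.5])
\tby smtp-out.provider.example with ESMTPSA id a1; Mon, 1 Jan 2024 10:00:01 +0000
From: staff@sender.example
To: client@recipient.example
Subject: constructed test message

body
"""

# "with" keywords that record a TLS-protected transfer (RFC 3848 and the
# IANA mail transmission types registry).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S | re.I)


def audit_hops(raw_message):
    """Return (from_host, by_host, protocol, used_tls) per hop, oldest first."""
    msg = message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        m = HOP.search(header)
        if not m:
            # Unparseable header: report the hop as unverified, not as safe.
            hops.append((None, None, None, False))
            continue
        proto = m.group(3).rstrip(";").upper()
        hops.append((m.group(1), m.group(2), proto, proto in TLS_PROTOCOLS))
    return hops


def unencrypted_hops(raw_message):
    """Hops whose Received header does not record a TLS transfer."""
    return [hop for hop in audit_hops(raw_message) if not hop[3]]
```

Received lines are written by each relay, and those added upstream of your own servers can be forged, so treat the result as evidence of a plaintext hop rather than proof of an encrypted path.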

HIPAA, in my opinion, is a classic example of politicians making rules for technologies and services that they have no understanding of at all. Nevertheless, it is law, so we have no choice but to follow it... there's no law against griping about it though.

Many sections of HIPAA regulations are not clear. For example, the law takes two forms: Required and Addressable.

Addressable vs. Required

Required (R) means that complying with the standard is mandatory and, therefore, must be complied with. Addressable (A) means that the given standards must be implemented by the organization unless assessments and in-depth risk analysis conclude that implementation is not reasonable and appropriate specific to a given business setting. Important Note: Addressable does not mean optional.

With regard to Addressable, HIPAA suggests that an organization should read and decipher each HIPAA standard separately and deal with each piece independently in order to determine an approach that meets the needs of the organization... you can't get much more unclear than that.

Some Tips to keep you Safe

Here are a few tips that will help you to stay safe under the new laws.

Keep in mind that under HIPAA, even if you unknowingly violate a rule you may still be held liable. Even when using secured SSL email, if you have a virus, a BHO (Browser Helper Object) on your PC, a web bug (what Google calls a "pixel tag") or any other tracking device, when you log in to secure email you have also let that malware in with you.

This is not usually a huge threat to web mail, which ends up on the open internet anyway, but that same malware will be present during your sessions on the inter-office LAN system that is due to be set up soon, and it can take confidential information from your secured LAN to the open internet as soon as you open your browser.

Keep your anti-virus tool updated regularly, and whatever you do, stay off of websites like FaceBook, Twitter, Gmail, Yahoo mail, or any other public sites like them. Save those sites for home visits. They all have very sophisticated tracking and information gathering systems and are in no way liable under HIPAA law and frankly don't give a hoot about it.

Sound paranoid? Well, it's not-- and it's not just hackers that do these things-- 95% of hidden tracking malware comes from popular social sites or sites that give you free software access like email. Not paranoid at all, just the truth. I know, internet security was my major.

How do you think you get birthday greetings on FaceBook, even when you have not made your birthday public? How do I know on my Android phone when someone using Gmail or the Windows version of Chrome logs into a chat program or is on a trip and not at home? It comes with the phone as a part of the popular social networking software. My phone even has an app that is called "buddy radar" that will give very nearly precise locations for anyone that's on my call list or FaceBook page and it comes with the phone, no installation required.

Probably millions have Android phones these days, and if they don't, any scanner radio can be easily modified to listen to any cell conversation and even get the coordinates of the user.

Do I worry about my location being tracked? No, I have an Android because it is based on Linux and I am able to program a fix for any and all spyware on the thing. For instance, as far as Google knows, I live in San Francisco, and sometimes in Dodge City, Kansas. While I very seldom have to use Gmail, I have a script on my phone and Linux PC that cripples their "pixel tag" recorder. But with Apple, Microsoft and other commercial systems, their code is compiled and inaccessible. While I could care less if friends know where I am, Google is not my friend-- nor yours.

So, what can you do about this? If you have a brand name Windows phone, iPhone or the like, you can turn off any and all location services. Only use them if you really have to. But if you check FaceBook or Gmail on your phone, the tracking system will automatically be turned back on without your knowing about it.

Why? You agreed to FaceBook's and Google's terms of service, didn't you? They don't have to tell you; you have already agreed to let them do such things without your knowledge. Don't be like the gullible masses; always read those terms and conditions of use.

The following is only for those who want to learn.

Web bugs and Google's "pixel tag"

In the center of the image below I have placed a 1x1 pixel black web bug (Not a real one, just an image). Even with very good eyesight it's hard to see, and they are usually placed in other images to boot. That's the tiny size of most web bugs, but they can relay an amazing amount of data about you, and it is all downloaded by the likes of Google, FaceBook etc. and kept indefinitely in their databases. Unless you are a programmer, you can't delete these things.
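As an added example (not part of the original page), this defender-side check scans an HTML message body for likely web bugs, meaning remotely loaded images that are 1x1 or hidden. The sample HTML and host names are constructed, and the heuristics are assumptions that will miss trackers using normal-sized images.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body; all host names are made up.
SAMPLE_HTML = """
<p>Appointment reminder</p>
<img src="cid:logo123" width="120" height="40">
<img src="https://tracker.example/open.gif?u=12345" width="1" height="1">
<img src="http://stats.example/p.png" style="display:none">
<img src="https://cdn.example/banner.jpg" width="600" height="200">
"""

# Assumed heuristics: a 0- or 1-pixel size, or CSS that hides the image.
_TINY = re.compile(r"^\s*[01](px)?\s*$", re.I)
_HIDDEN = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?<![\w-])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)


class WebBugFinder(HTMLParser):
    """Collects remotely loaded <img> tags that look like tracking pixels."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if urlparse(src).scheme not in ("http", "https"):
            return  # cid:/data: images are embedded, so no request is made
        reasons = []
        if _TINY.match(a.get("width", "")) and _TINY.match(a.get("height", "")):
            reasons.append("tiny dimensions")
        if _HIDDEN.search(a.get("style", "")):
            reasons.append("hidden by style")
        if reasons:
            self.findings.append((src, reasons))


def find_web_bugs(html):
    """Return [(src, [reasons])] for each suspected web bug in the HTML."""
    finder = WebBugFinder()
    finder.feed(html)
    finder.close()
    return finder.findings
```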

Another kind of tracker-recorder is the LSO (Local Shared Object), commonly called a flash cookie. These also cannot be deleted by the average user, and there are usually 50 to over 100 on most PCs. If you use Firefox as your browser, you can get a free add-on called "Better Privacy" that will take care of these things for you and get rid of them.

Why do they do this, you say? Knowledge is power. If it weren't so, they would not bother with all this skullduggery.

It's very safe to say that over 99% of all computer users don't know the following facts:

  • When you delete anything on a Windows PC, it is not actually deleted. I have found as many as 17 hidden copies of Word documents residing on a computer after being deleted. Illegal? No, even the government likes this practice to remain in effect.
  • The same thing applies to Gmail. Some of you may have the savvy to find out that you have to delete an email twice to actually get rid of it... but you are mistaken. Even after the second "deletion" you can find it buried in your account if you have the know-how, and also find it in Google's massive databanks, where it is stored permanently.

Commercial Developers know that most people do not read terms and conditions or privacy statements. They also know that if they can make any application or service very easy to use and cute or friendly-looking (in the same sense as the pervert giving candy to a child), they will develop a certain trust by most, and they use these things to their advantage.

As an aside, while Microsoft goes to great lengths to promote an easy user interface and build trust in their customers, it is a fact that Microsoft uses Linux web servers for their own website, even for their updates. They don't use their own Windows servers simply because they are inherently not secure.

By the way, how do you think Microsoft got out of their big prosecution by the government years ago? By "cooperating" with them, information-wise. Big Brother is not a joke anymore. Cover your backside.

I guess my main point here is just to get you to think. It's a busy world, with many pressures, but it's better to learn at least the basics of the technology you take for granted, so that it doesn't take you "for a ride".

Password Managers and Auto-logins

If you use a password manager to remember your username and passwords, be sure you have one with some integrity and that it doesn't save your passwords any place except on your own computer.

Many people do not set their PC to require a password when they start it up, usually for convenience. My best advice is to be sure to set a password requirement for your computer. I worked the evening shift at the ERC for many years, and one of the frequent things that happened was catching residents turning on staff computers, and even volunteers and paid staff members turning on computers that were not assigned to them, i.e., they belonged to Advocates, Bettee or Patty. Be sure yours is secure for your own sake.

If you have one from AIM, DLink, Norton Identity Safe, McAfee etc., then you should uninstall it and get a safe one. If I were a Windows user the only one I would use is Password Safe from SourceForge. It is free and Open Source software. You can get it for free here:

Most Browsers have their own password manager built into them, but Internet Explorer is and always has been an insecure browser, and Google Chrome is filled with tracking mechanisms that store all your data on their databases, which were hacked last year by the Chinese government and are easily accessible by any hacker or "script kiddie". Google is a nice browser but definitely a tracker (See "Some Tips to keep You safe"). Remember, while at work you are under HIPAA's new laws, starting in June, and will be liable. Our Data Center is constantly reminding me of this, since I also have two other sites under the new HIPAA regs.

I've already gotten an advisory notice about confidential info being sent from the ERC webmail to Snowcrest.... In June, the sender will be liable for that. Although I personally don't like all of the laws, and especially the extra workload, these new laws are not a joke.