HIPAA

Overview

The Oracle Eloqua HIPAA Advanced Data Security Add-on Cloud Service (that is, the HIPAA add-on) enables marketers to interact directly with healthcare consumers in a secure and compliant way.

Note: The HIPAA add-on is included in some industry specific trims. The add-on is also available for all Eloqua trims (Basic, Standard and Enterprise). Contact your account representative for more information.

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is United States legislation. Protected Health Information (PHI) is the core concept behind using the HIPAA-compliant add-on. Contacts must be certain that their data is not accessible to anyone other than the medical organization requesting it, and only to those within the organization who have the required permissions for that access. More information on PHI and how it relates to HIPAA can be found on the HIPAA website at the HIPAA PHI Discussion.

The Oracle Eloqua Add-on Secure Communications Process

In order for marketers to be compliant with HIPAA regulations, interactions with contacts follow a strict path that assures security throughout the process.

Opt-In Process

The following diagram illustrates the HIPAA opt-in process:

An image of a diagram showing the Secure Content Communication process.

Here is a detailed outline of the interaction between Eloqua and contacts:

  1. The contact opts-in to receive secure content, by submitting a form for instance.

    Important: To support HIPAA compliance, users must specifically opt-in and be subscribed to the HIPAA Communications email group. For more information, refer to the white paper titled "The HIPAA-Compliant Applicationation" by Andrew Hicks on http://www.coalfire.com.

  2. Eloqua subscribes the contact to the email group. A temporary access token is automatically created for the contact, which is stored encrypted in the Contact Database in Eloqua and mapped directly to this contact.

  3. Eloqua periodically—approximately every 5 minutes—polls the email group for newly opted-in contacts. When a new opt-in contact is identified, the contact is automatically sent a Welcome email that includes a link to the set password page.

    Note: The Welcome email is not associated with the email group because it does not contain secure content.

  4. The contact opens the Welcome email and clicks the Set Password link.

  5. Eloqua displays the Set Password landing page.

  6. The contact submits their desired password on the Set Password page.

  7. Eloqua verifies the password:

    • If the password is set correctly, Eloqua displays the Password Set Successful Landing Page. The contact can now access secure content from their personal secure portal.
    • If the password is not set correctly, Eloqua displays the Set Password Failure Landing Page.

HIPAA Secure Content Communication Process

The following diagram illustrates the communication process that is applicable after a contact has opted-in:

An image of a diagram showing the Secure Content Communication process after opt-in.

Here is a detailed outline of the interaction between Eloqua and contacts:

  1. When secure content needs to be communicated to the contact, Eloqua sends a notification email to the contact notifying them about the new message. This notification email typically contains a link to the login page— contacts can also navigate to the login page directly.

    Note: The notification email is not associated with the email group because it does not contain secure content.

  2. The contact clicks the login link in the notification email, or navigates to the login page directly.

  3. Eloqua displays the login page.

  4. The contact submits their username and password on the login page.

    • If the credentials are correct, a landing page (containing the secure content) is displayed to the contact.
    • If the credentials are incorrect or if an error occurs, an authentication failure landing page is displayed.

Roles (Personas)

There are a few roles associated with the installation, configuration, management (that is, administration), and usage of the Oracle Eloqua HIPAA Advanced Data Security Add-on Cloud Service:

Note: In addition, there is an internal Oracle Eloqua Provisioning team that is responsible for enabling the Add-on in your Eloqua instance as a prerequisite for your portion of the implementation.

Customer Administrator Responsibilities and Tasks

If you are a member of the Customer Administrator Security Group in Eloqua, you have the ability to perform the following steps in the configuration of your HIPAA environment:

  • Configure the Secure Communications application.

  • Create a Secure Microsite certificate.

  • Manage membership to the ePHI Security Group that is created by default during the installation of the add-on, and membership in that group is required in order to view any contact or account data.

  • Create segments in the case that Marketers do not have access to the ePHI Security Group, the customer administrator may create customer segments to be used by marketers in their campaigns.

  • Create a set of test contacts visible to marketers who need to create segments and campaigns but do not have access to the ePHI Security Group.

  • Execute Classic Insight Reports.

Marketing User (Campaign Manager) Responsibilities and Tasks

A Marketing User in a HIPAA environment in Oracle Eloqua typically does not have visibility to any contact records that contain PII or PHI. Marketing users have the following rights and responsibilities:

  • Oracle Eloqua Customer Administrators create the Emails, Landing Pages and other assets for use in HIPAA-compliant campaigns. In order for your environment and campaigns to be compliant, a user must create a group of assets that contain specific content.

    Note: Eloqua offers an industry solution for Life Sciences Direct to Consumer marketing that contains best practice campaign workflows and assets to support HIPAA compliant marketing. Contact your account manager for more information.

  • Create campaigns.

  • Run Operational Reports via the Action Menu on the Campaign Canvas.

Contacts

Contacts are your target audience for email communications. Contacts have secure access to their PHI and must log in to your HIPAA site via secure landing pages before being to access their data.

Oracle Eloqua and HIPAA

The Oracle Eloqua HIPAA Advanced Data Security Add-on Cloud Service is designed to enable your organization to develop marketing assets and campaigns that follow the requirements of the latest revisions of HIPAA regulations (http://www.hhs.gov/news/press/2013pres/01/20130117b.html). This add-on includes specific checkpoints that safeguard and enable this compliance.

  1. Authenticate Users and Authorize User Access - Electronic Protected Health Information (ePHI) applications must employ authentication mechanisms capable of validating user identity prior to the user accessing application resources (authentication).

    The Eloqua application and add-on provides methods of validating user identity prior to the user accessing application resources. The Eloqua application has the capability to create, modify, and deactivate or remove contacts and user IDs from the system. The Eloqua application also has authentication mechanisms capable of validating user identity prior to the user accessing application resources. All email contacts who access the Secure Communications portal must first be subscribed to secure communications and specify the correct username and password.

    ePHI applications should also be capable of assigning user rights and privileges that are aligned to sensitive functions (authorization), and restrict the user's access to the minimum necessary application functionality, resources and data they need to perform their duties.

    During add-on provisioning, a new ePHI security group and label marking is created and only the Customer Administrator has access to this group. Membership in the ePHI Security Group in Eloqua is required for viewing contact and account data related to the HIPAA-submitted data. Marketing users, by default, are denied rights from viewing any contact Personally Identifiable Information (PII) or PHI data unless they are explicitly added to the ePHI Security Group.

  2. Fortify Safeguards Over User Accounts - When using password authentication, special controls must be implemented in an ePHI application to prevent application security compromises due to weak password policies.

    During provisioning of the HIPAA add-on the Eloqua password policy is applied by default to all HIPAA sites. In addition, the HIPAA add-on limits the password reset attempts, which prevent third party denial-of-service attacks. It also requires a minimum password complexity to ensure no weak passwords are allowed to view secure content. The add-on service also limits the number of simultaneous sessions a Secure Communications user may sustain within the application by disabling ability to share the secure content URL with another user.

  3. Maintain Accountable Access to Sensitive Information - Organizations must implement strong user account management processes to maintain the validity of application access lists and prevent access to sensitive information by unauthorized individuals. These processes seek to ensure that the “minimum necessary,” "business need-to-know," and "least possible privilege" principles are rigorously observed.

    The HIPAA add-on will assist organizations in meeting this control in multiple ways:

    • Only authorized users can access PII and PHI of contacts. Users are only authorized if they are part of the ePHI Security Group. By default, marketing users are denied access to all contacts that are part of the HIPAA email group.

    • Contacts cannot receive emails sent as part of the HIPAA email group unless they have specifically opted-in or subscribed to the group via a Form Submission or other means.

    • Logs are available that provide audit trails on the following activities: access to contacts, accounts in the Eloqua system, access to contacts and accounts via data export, Email Security Group subscriptions and unsubscriptions, and access to contact and account data via Cloud API components. All contact access and changes to email group members are tracked by the application.

    • Contact fields can be marked as Protected, preventing unauthorized viewing or access via Web Data Lookups. Web Data Lookups allow for dynamically pulling data from Eloqua by way of Javascript or Form default values. Fields marked as Protected will not be accessible by way of Web Data Lookups.

    • Operational reports that access contacts are limited to marketing users who have access to ePHI Security Groups.

    • Classic Insight reports that access contact and account data are disabled for all marketing users.

  4. Encrypt Sensitive Information at Rest and in Flight – ePHI applications implement effective cryptography technologies to ensure the continued integrity and confidentiality of its sensitive information. This requires implementation of methods to encrypt and decrypt ePHI at rest and in flight.

    The add-on meets this control in multiple ways:

    • Email communications over a secure channel. A new Secure Communications application has been created for use with the add-on in your Eloqua instance. The Secure Communications application leverages new email group functionality for explicit opt in and send emails via secure channel. All email communications are displayed in secure landing pages with SSL encryption, secure microsites that use an SSL certificate provide an extra layer of data security.

    • PII and PHI are encrypted while being held temporarily in a secure area before being imported or exported during a bulk operation.

    • PII and PHI are encrypted in the database.

  5. Fortify applications for secure networks, creating audit trails and actionable event information.

    ePHI applications need to ensure a secure network configuration has been deployed to protect the transmission and storage of sensitive information. They also need to create audit trails and actionable event information

    Changes to the security group membership are logged so there is an audit trail on membership access. Audit logs include for application access, contact access, and security group access are included with the add-on. Cloud security operations creates event logs reports and periodically monitors the event logs for possible security breaches.

An image of the PDF icon. Download the HIPAA Advanced Data Security Add-on Cloud Service Configuration Guide.

Tasks

Configuring the HIPAA add-on

Using Eloqua with the HIPAA add-on

Related

Restricting contact fields from web data lookups