Configuring the HIPAA add-on

Note: Security group members can only access contacts that have the same labels as their security group. This also applies to contacts in Insight.

As of January 2021, HIPAA clients will have the Authenticated Portal enabled as part of their HIPAA solution. The HIPAA app, which is comparable to Authenticated Portals, is only available to customers enabled for the HIPAA solution before January 2021. The Authenticated Portals offers greater flexibility, personalization, and reporting capabilities for our HIPAA customers.

Configuration prerequisites:

  • The HIPAA add-on must first be enabled by Oracle. Contact your account representative for more information.
  • You must have a secure microsite configured in your Eloqua environment.
  • You must be an experienced Eloqua user with the knowledge and experience necessary to create assets.
  • The configuration will take approximately three hours to complete. This does not include additional time necessary to customize the look and feel of the assets.

Configuration

High level configuration steps:

  1. Verify the add-on is enabled.
  2. Create the required assets.
  3. Configure the HIPAA add-on secure communication application (Customer Administrator).
  4. Create a secure content campaign.
  5. Verify the HIPAA add-on configuration (Customer Administrator).
  6. (optional) Apply optional configurations.

Step 1: Verifying the add-on is enabled

Prior to beginning the configuration and installation of the HIPAA add-on, please perform the steps below to ensure the add-on is enabled in your environment and that all provisioning and database requirements are met.

  1. Verify that the appropriate HIPAA Communications email groups have been created.
    1. Navigate to Assets An image of the Assets icon, which is represented by a black pencil. > Email Setup, then click Email Groups.
    2. Check to ensure that two email groups have been created (secure and not secure).
  2. Verify that the ePHI security groups have been created successfully during your add-on installation.
    1. Click Settings An image of the Settings menu icon, which is represented by a black cog..
    2. Click Users in the Users and Security section.
    3. Click the Groups tab on the left-side pane, the security group should be listed.
    4. Click the drop-down to view security group details.
  3. Verify that the HIPAA contact category and ePHI Labels are enabled, by performing the following steps:
    1. Click Settings An image of the Settings menu icon, which is represented by a black cog..
    2. Click Users in the Users and Security section.
    3. Click Contact Security and select Manage Labels.
    4. Verify that the HIPAA category is shown as the available category.
    5. Click Edit next to the name of the HIPAA category.
    6. In the pop-up dialog box, verify that ePHI is listed as the label that will be applied to users in the corresponding Security Group.

Important: If the changes outlined above are not reflected in your environment, do not continue with the configuration of the add-on. Contact your account representative to inquire about the status of your add-on deployment.

Step 2: Creating the required assets

Note: This step can be performed by the Customer Administrator or a Marketing User.

The add-on is made up of many components. In order for a campaign to be successful and to adhere to regulatory requirements, users must create assets that contain elements approved as part of the add-on. Templates are provided with the Oracle Eloqua Marketing for Life Sciences Consumers Cloud Service, but are not included by default with the HIPAA add-on. Please contact your account representative to learn more about this offering that will ensure your adherence to all corresponding requirements.

After the assets are created, your users can customize the look and feel of the content rendered by the add-on. For more information, refer to styling the application. Depending on the type of content that is rendered by the Cloud Content services, it is best to design your pages such that the HTML that is displayed fits contextually with the rest of the page.

Important: To ensure a smooth configuration, we recommend creating the assets in the order specified below to ensure that all dependencies are created.

The following are the required assets that must be created in your Eloqua instance before making use of the secure email portal:

Required Asset Type Description
Set Password -Success Landing Page This page is rendered if the contact sets his or her password successfully for the first time.

Set Password -Failure

Landing Page This page is displayed for failures that occur when the contact attempts to set his or her password for the first time.
Set Password HIPAA Landing Page This page contains the Set Password Widget, which renders a form that contacts can use to set a password for the first time.
Reset Password Request - Success Landing Page This page is displayed after a contact successfully requests to change his or her password.
Reset Password Request HIPAA Landing Page This landing page contains the Reset Password Widget, which renders a form that contacts can use to specify their email address and request a password reset.
Reset Password Email Email sent to contacts to reset their password. This email is sent to an email group without the Require Opt in or Use Secure channel flags enabled
Secure Content - Default Content Landing Page This landing page is displayed when a user logs in successfully but there is no secure content waiting for the contact.
Secure Content - Failure Landing Page Defines the Landing Page to render if a failure occurs when rendering secure content. For example if a contact attempts to access this page without first providing credentials.
Secure Content - Container HIPAA Landing Page This landing page contains the Secure Content Cloud Service in order to display the secure content (that is, the most recent HIPAA Communications).
Secure Content - HIPAA Communication Email Email sent to the HIPAA Communications email group which has the Require Opt in or Use Secure channel flags enabled. This email will not be sent via SMTP. The contents of the email will be held for pickup and displayed inside a secure landing page after a contact clicks on a link in the Secure Content - Notification email.
Secure Content - Notification Email Email sent to contacts informing them they have secure content with a link to login and view secure content. This email is sent to an email group without the Require Opt in or Use Secure channel flags enabled.
Login HIPAA Landing Page This landing page renders the Login Form Widget in which contacts must use to access their secure content from a Landing Page. Contacts are required to login in order to access their secure content. The Login Form can be added to any Landing Page hosted on a Secure Microsite. This Form is a simple Form with User Name and Password, as well as a Submit button, however you can customize it as needed.

Welcome Email

Email When contacts subscribe to HIPAA Communications, they are automatically delivered a Welcome Email with a link to set their password. A windows service (HIPAA Management Service) periodically checks for contacts that have subscribed to HIPAA Communications and automatically delivers an email containing the Access Token Cloud Content Service. The Access Token Email service provides a link where contacts can go to Set Password. This email is sent to an email group without the Require Opt in or Use Secure channel flags enabled

Set Password - Success (Landing Page)

This page is rendered after the contact sets his or her password successfully for the first time.

To create a Set Password - Success landing page:

  1. Create a new landing page.
  2. Add content so the user understands the password was set successfully.
  3. Specify an appropriate name for your landing page (example: Landing Page - Set Password Successfully).
  4. Save your landing page.
Set Password - Success (Landing Page) Example

An image of a success message.

Set Password - Failure (Landing Page)

This Landing Page is used for failures that occur when the contact attempts to set his or her password. The failure can be due to one of several reasons, including but not limited to connection timeouts, required fields missing data, and so on.

To create a Set Password Failure landing page:

  1. Create a new landing page.

  2. Add content so the user understands the password was not set successfully on the Set Password landing page.

  3. Specify an appropriate name for your landing page (example: Landing Page - Failed to Set Password).

  4. Save your landing page.

Set Password - Failure (Landing Page) Example

An image of a failure message.

Set Password (Landing Page)

This service is responsible for rendering a form that contacts can use to set their passwords.

Note: This service requires a valid access token and should only be accessed via the Welcome Email (Access Token Email).

To create the Set Password landing page:

  1. Create a new landing page.

  2. Add the Set Password widget to the landing page.

    1. Double-click Cloud Content on the left panel.

    2. Drag the SetPassword widget from the Cloud Content toolbar onto the canvas.

      An image of the Set Password widget in the Cloud Content toolbar.

  3. Double-click the SetPassword widget on the canvas to access the configuration page:

    An image of the Set Password Configuration page.

  4. Specify the correct values for the Set Password widget configuration options:

    • Landing Page for Successful Authentication: Landing page that is rendered if the contact’s password was successfully reset.

    • Landing Page for Failed Authentication: Landing page that is rendered if an error occurs while setting the password.

    • Password Field Label: Defines the text that appears for the password field.

    • Password Confirm Field Label: Defines the text that appears for the password confirmation field.

    • Submit Button Label: Defines the text that appears on the submit button.

    Click Save and then click X to close the Cloud Content Configuration dialog box.

  5. Specify an appropriate name for your landing page (example: Landing Page - Set Password).

  6. Save your landing page.

Set Password (Landing Page) Example

An image of a Set Password landing page example.

The following is an example of the Set Password widget (i.e. form) after it is rendered on the landing page:

An image of the Set Password widget after it has been rendered on a landing page.

Reset Password Request - Success (Landing Page)

Upon successfully requesting the link to reset the password, a contact is redirected to this landing page. This landing page is only rendered if the request to reset password was successful. The content on this page should inform the contact that their request was successfully submitted.

To create the Reset Password Request Success landing page:

  1. Create a new landing page.

  2. Add content to the landing page so the user understands the password reset was successful and that they will receive an email shortly.

  3. Specify a microsite.

  4. Specify an appropriate name for your landing page (example: Landing Page - Send Password Reset Email Successfully).

  5. Save the landing page.

Reset Password Request - Success (Landing Page) Example

An image of a successful Reset Password Request.

Reset Password Request (Landing Page)

This landing page contains the Reset Password widget, which cloud content service. This service is responsible for rendering a form that contacts can use to reset their password. On submission, the form will deliver the Welcome Email (Access Token Email), containing a link where the contact can set their password.

To create the Reset Password Request landing page:

  1. Create a new landing page.

  2. Add the Password Reset widget to the landing page.

    1. Double-click Cloud Content on the left panel.

    2. Drag the Password Reset widget from the Cloud Content toolbar onto the canvas.

      An image of the Password Reset Form widget in the Cloud Content toolbar.

  3. Double-click the widget on the canvas to access the configuration page:

    An image of the Password Reset Configuration page.

  4. Specify the correct values for the following Reset Password widget configuration option:

    • Landing Page on Success: Defines the reset password request success landing page that is displayed if the request to reset password is successful.
    • Landing Page on Failure: Landing page that is rendered if an error occurs while resetting the password.
    • Password Reset email: Defines the reset password email that is sent to the user to facilitate the password reset (example: Email - Reset Password).
    • Email Address Field Label: Defines the text displayed for the email address field.
    • Submit Button Label: Defines the text displayed on the submit button.

  5. Specify a microsite.

  6. Specify an appropriate name for your landing page (example: Landing Page - Reset Password Request).

  7. Save the landing page.

Reset Password Request (Landing Page) Example

An image of a Reset Password Request landing page example.

When displayed to the user, the Reset Password widget (i.e. form) portion of the landing page looks like this:

An image of the Reset Password widget on a landing page.

Reset Password (Email)

This email is sent to contacts to reset their password. This email is sent to an email group without the Require Opt In or Use Secure channel options enabled.

To create the Reset Password email:

  1. Create a new email.

  2. Add the AccessTokenEmail to the landing page by performing the following steps:

    1. Double-click Cloud Content on the left panel.

    2. Drag the AccessTokenEmail from the Cloud Content toolbar onto the canvas.

      An image of the Access Token Email widget in the Cloud Content toolbar.

  3. Double-click the widget on the canvas to access the configuration page:

    An image of the Access Token Email Configuration page.

  4. Specify the correct values for the following Access Reset Password widget configuration option:

    • Landing Page for Set Password Form: Defines the set password landing page that is displayed so the user can reset the password.
    • Set Password Link Text: Defines the text for the set password link. If you do not set the link text, the link URL is used.

  5. Choose an email group that does not have the Require Opt in or Use Secure channel options enabled.

  6. Specify an appropriate name for your email (example: Email - Reset Password)

  7. Save your email.

Reset Password (Email) Example

An image of a Reset Password email example.

Secure Content - Default Content (Landing Page)

This landing page is displayed when a user logs in successfully but there is no secure content waiting for the contact.

This will act as a place holder until there is some secure content for the contact.

To create a Secure Content - Default Content landing page:

  1. Create a new landing page.

  2. Add appropriate content so the user understands there are no secure messages waiting.

  3. Specify an appropriate name for your landing page (example: Landing Page - Default secure content)

  4. Save your landing page.

Secure Content - Default Content (Landing Page) Example

An image of a Secure Content - Default Content landing page example.

Secure Content - Failure (Landing Page)

Defines the Landing Page to render if a failure occurs when rendering secure content. For example if a contact attempts to access this page without first providing credentials.

To create a Secure Content - Failure landing page:

  1. Create a new landing page.

  2. Add content so the user understands there was an issue rendering the secure content.

  3. (optional) Add a link to the reset password request landing page so the user can easily request a password change, if required.

  4. Specify an appropriate name for your landing page (example: Landing Page - Failed when display secure content).

  5. Save your landing page.

Secure Content - Failure (Landing Page) Example

An image of a Secure Content - Failure landing page example.

Secure Content - Container (Landing Page)

The Secure Content landing page must contain a Secure Content Widget. The Secure Content Widget is a Cloud Service that renders the secure content (that is, most recent HIPAA Communication) on the landing page.

Note: This page requires a valid temporary access token and should be accessed by the Login Form – as the Landing Page to render on Success.

To create the Secure Content - Container landing page:

  1. Create a new landing page.

  2. Add the Secure Content service to your landing page by performing the following steps:

    1. Double-click Cloud Content on the left panel.

    2. Drag the Secure Content from the Cloud Content toolbar onto the canvas.

      An image of the Secure Content widget in the Cloud Content toolbar.

  3. Double-click the widget on the canvas to access the configuration page:

    An image of the Secure Content Configuration page.

  4. Specify the correct values for the following Secure Content widget configuration options:

    • Display Content from the following Email Group: The cloud content service is responsible for rendering the most recent Email. This option allows you to isolate Emails that are part of a specific email group, for example the HIPAA Communications email group. You can also create a new email group.

    • Default Content Landing Page: Defines the landing page to display if there is no secure content to display (example: Landing Page - Default secure content).

    • Landing Page on Failure: Defines the landing page to display if there is problem rendering the secure content (example: Landing Page - Failed when display secure content).

  5. Specify an appropriate name for your landing page (example: Landing Page - Secure Content Container)

  6. Save the landing page.

Secure Content - Container (Landing Page) Example

An image of a Secure Content - Container landing page example.

Secure Content - HIPAA Communication (Email)

Email sent to the HIPAA Communications email group which has the Require Opt in or Use Secure channel flags enabled. This email will not be sent via SMTP. The contents of the email will be held for pickup and displayed inside a secure landing page after a contact clicks on a link in the Secure Content - Notification email.

To create a Secure Content - HIPAA Communication email:

  1. Create a new email

  2. Add your secure content to the email.

    Note: This email is not sent directly to the content. The user will login to view the secure content contained in this email.

  3. Specify an email subject.

  4. Specify a from address.

  5. Specify an email group.

    Important: The selected email group must be a HIPAA email group.

  6. Specify an appropriate name for your email (Example: Email -Secure Content Communication).

  7. Save your email.

Secure Content - HIPAA Communication (Email) Example

An image of a Secure Content - Data Privacy Communication email example.

Login (Landing Page)

The Login landing page contains the Login Form Widget. The Login Form Widget is a Cloud Content Service that allows contacts to login to access their secure content.

Note: The Login Form Widget can be added to any Landing Page hosted on a Secure Microsite.

To create a new Login landing page:

  1. Create a new landing page.

  2. Add the Login Form Widget to the landing page by performing the following steps:

    1. Double-click Cloud Content on the left panel.

    2. Drag the Login Form Widget from the Cloud Content toolbar onto the canvas.

      An image of the Login Form widget in the Cloud Content toolbar.

  3. Double-click the widget on the canvas to access the configuration page:

    An image of the Login Form Configuration page.

  4. Specify the correct values for the following Login Form Widget configuration options:

    • Landing Page for Password Reset Form: Provides a link to the landing page containing the password reset form – in the event that a contact has forgotten their password. (Example: Landing Page - Password Reset)

    • Landing Page for Successful Authentication: Defines the landing page to render when a contact successfully logs in (Example: Landing Page - Secure Content Container).

      Note: This is typically set to the landing page that contains the Secure Content service. However, to provide flexibility, you can choose any landing page.

    • Landing Page for Failed Authentication: Defines the landing page to display when an authentication failure occurs. This page is typically defined as the Login Page, and on failure, an error message is displayed indicating that an error has occurred. For flexibility, Marketing Users can choose to define any page as the Failure Landing Page. Please keep in mind that this page should indicate that a failure occurred when trying to authenticate the contact’s credentials. (Example: Landing Page - Failed when display secure content)

    • Username Field Label: Defines the text displayed for the username field label.

    • Password Field Label: Defines the text that is displayed for the password field label.

    • Submit Button Label: Defines the text that is displayed for the submit button.

    • Forgot Password Link Label: Defines the text that is displayed for the forgotten password link. Users can click this link to access the password reset request page.

    • Invalid Username or Password Label: Defines the error text that is displayed if a user enters an invalid username or password.

  5. Specify an appropriate name for your landing page (example: Landing Page - Login).

  6. Save your landing page.

Login (Landing Page) Example

An image of a Login landing page example.

When rendered, the Login Form Widget portion of the landing page looks like this:

An image of the Login Form widget on a landing page.

Secure Content - Notification (Email)

Email sent to contacts informing them they have secure content with a link to login and view secure content. This email is sent to an email group without the Require Opt in or Use Secure channel flags enabled.

To create a Secure Content - Notification email:

  1. Create a new email.

  2. Add content to the email so the user understands there is a secure message waiting.

  3. Include a link to your login landing page so the user can login easily.

  4. Specify an email subject.

  5. Specify a from address.

  6. Specify an email group.

    Important: The selected email group must be not be a HIPAA email group.

  7. Specify an appropriate name for your email (example: Email - Secure Content Notification).

  8. Save your email.

Secure Content - Notification (Email) Example

An image of a Secure Content - Notification email example.

Welcome Email (Access Token Email)

When a new contact opts-in (that is, the contact subscribes to the HIPAA Communicationsemail group), the Welcome Email is sent to the user. This email includes a link that directs the user to the set password landing page. The user can click the link, set a password, and then login to view their secure communication.

Note: The Oracle Eloqua Platform runs a service in the background that periodically checks for contacts who have recently opted in. Therefore, after a contact opts in, it can take 5-10 minutes for the Welcome Email to be sent.

Important: Once created, the email name must be communicated to the Customer Administrator because it is required in one of the configuration steps.

To create a Welcome email:

  1. Create a new email.

  2. Add the appropriate content to the welcome email.

    • The email text that is placed directly above the cloud content could be: “Welcome to HIPAA Communications…”

    • Followed by the HTML that will be rendered by the Cloud Content service: “Click here to set your password”

  3. Add the AccessTokenEmail to the landing page by performing the following steps:

    1. Double-click Cloud Content on the left panel.

    2. Drag the AccessTokenEmail service from the Cloud Content toolbar onto the canvas.

      An image of the Access Token Email widget in the Cloud Content toolbar.

  4. Double-click the widget on the canvas to access the configuration page:

    An image of the Access Token Email Configuration page.

    Note: The Cloud Content service should be contextually placed in the Email, such that the language flows.

  5. Specify the correct values for the following Welcome Email Widget configuration option:

    • Landing Page for Set Password Form: You must select a landing page that contains the Set Password widget (i.e. Set Password Landing Page )

    • Set Password Link Text: Defines the text that is displayed for the link that directs the user to the set password landing page. If you do not set the link text, the link URL is used.

  6. Specify an email subject.

  7. Specify a from address.

  8. Specify an email group.

    Important: The selected email group must not be a HIPAA email group.

  9. Specify an appropriate name for your email (example: Email - Welcome)

  10. Save your email.

Welcome Email Example

An image of a Welcome email example.

Step 3: Configuring the HIPAA secure communication application

Note: This step must be configured by a Customer Administrator.

The HIPAA add-on, as is the case with any HIPAA-enabled application, is designed to protect confidential information submitted via the web from being accessed by unauthorized parties. This section provides information on how the add-on for Oracle Eloqua enables this protection.

Prior to completing the steps outlined in this document, the Oracle Eloqua Provisioning and Database Management team must have enabled the add-on for your Eloqua instance, as described in the Provisioning chapter.

To configure the HIPAA secure communications application:

  1. Login to Eloqua.

  2. Click Settings An image of the Settings menu icon, which is represented by a black cog..

  3. Click HIPAA Configuration in the Users and Security section.

    Note: The HIPAA Configuration button is only available if your instance of Eloqua includes this add-on. Contact your account representative if you wish to obtain this add-on.

    The HIPAA configuration page looks like this:

    An image of the Data Privacy Configuration page.

  4. Specify the correct Welcome Email that was created in a previous configuration step (example: Email -Welcome).

  5. Click Save.

Step 4: Creating a secure content campaign

A campaign must be configured to send your email communications. The campaigns can trigger emails to be sent to contacts for them to log in and view their secure content. Contacts flow through the Campaign Steps based on how you create your campaign. While there is no set structure for creating a campaign which uses secure content delivery, you must adhere to the regulatory requirements for logins, the delivery of content over secure channels.

To create a campaign for secure content delivery:

  1. Create a new campaign.

  2. Add a segment to the campaign canvas. Ideally, this segment will include one or two test users.

  3. Add your secure content email to the canvas.

  4. Add your secure content notification email to the canvas.

  5. Add a wait object to the canvas.

  6. Connect the objects in the order outlined above.

  7. Specify an appropriate name for your campaign (example: Campaign - Communication Test).

  8. Save your campaign.

Secure Content Campaign Example

An image of a Secure Content Campaign example.

Step 5: Verifying the add-on configuration

High level verification steps:

  1. Verify that the Welcome email is sent and that the password can be set

  2. Verify the delivery of the secure content

Verifying that the Welcome email is sent and that the password can be set

  1. Subscribe a user to a HIPAA email group (example: HIPAA Communications):

    Note: For testing purposes, ensure you subscribe an internal user instead of actual contacts.

  2. Verify the Welcome Email is sent to the user.

    Note: It can take up to 5 minutes for the email to be sent to the user.

  3. Verify the set password page is displayed when the user clicks the link in the welcome email.

  4. Verify the user can successfully set a password on the set password page.

Verifying the delivery of secure content

  1. Activate a test campaign (example: Campaign - Communication Test)

    Note: For testing purposes, ensure the segment in your campaign only includes internal users and not actual contacts.

  2. Verify the secure content email is not emailed directly to the user.

  3. Verify the notification email is sent to the user.

  4. Verify the login page is displayed when you click the link contained in the notification email.

  5. Verify the secure content email is displayed on the secure content container landing page after you login successfully.

Step 6: Applying Optional Configurations

Applying Custom Labels

All of the default labels that are used in the HIPAA widgets can be customized from the widget configuration pages.

An image of a Data Privacy Configuration page.

Styling the application

The various Cloud Content services provided by the HIPAA application display HTML content within Eloqua landing pages and emails. The Cloud Content elements each contain unique identifiers that can be accessed by the hosting asset (Landing Page or Email), such that CSS styles can be applied.

Style Customization Example: Login Form Widget
<form method="POST"
    action="https://devsecure.eloquacorp.com/apps/HIPAA/WebHandler/LoginForm/HandleLoginRequest">
  Username: <input type="text" id="username" name="username" />
  <br />
  Password: <input type="password" id="password" name="password" />
  <br />
  <input type="hidden" id="content-service-site-id" 
    name="content-service-site-id" value="3" />
  <input type="hidden" id="content-service-instance-id" 
    name="content-service-instance-id" value="4a6937b9-b05e-4a1d-9f73-faae6f128cd5" />
  <p><input type="submit" value="Login" /></p>
  <a href="https://lsvertical.test234.com/LP=14">Forgot your password?</a>
</form>

To access and apply styles to any of the HTML controls, refer to their ID or CSS Class name in your CSS.

Creating a custom HIPAA email group

You can use the default HIPAA Communications email group, or you can create a new one.

Note: The HIPAA Communications Email Group. is used to filter contacts to which a Welcome Email is sent to. It is recommended to use the default HIPAA CommunicationsEmail Group to store contacts who subscribe to HIPAA communications.

To configure a HIPAA email group:

  1. Navigate to Assets An image of the Assets icon, which is represented by a black pencil. > Email Setup, then click Email Groups.

  2. Create a new email group.

  3. Ensure the following options are enabled:

    • Require opt-in: This setting ensures that HIPAA-secured emails are not sent to contacts until they have specifically selected to opt-in to this email group, either through a Form Submission or by your manually Subscribing them to the email group. This setting is enabled by default on the HIPAA Communications email group and must remain enabled for HIPAA compliance.

    • Use secure channel: This setting ensures emails are not sent from Eloqua directly but instead are marked for processing using a special process. This setting is enabled by default on the HIPAA Communications email group and must remain enabled for HIPAA compliance.

  4. Choose the appropriate Subscribe confirmation page that will be used to subscribe users to the HIPAA email group.

  5. Click Save to save your settings.

Note: There are some email group settings (example: Name of the email group As It Appears to contacts and Description of email group as it appears to contacts (optional)) that are pre-populated and cannot be changed. This is to ensure consistency throughout all HIPAA-compliant emails.

Learn more

HIPAA

Using Eloqua with the HIPAA add-on

Restricting contact fields from web data lookups