HIPAA-Compliant for Physician Practices: Easy, Convenient, Secure Communications from Virtru









HIPAA-Compliant Email for Physician Practices: Easy, Convenient, Secure Communications from Virtru


The Landscape

Increased data capture promotes a healthcare practice’s ability to optimize decision-making, collaboration, efficiency, and convenience. However, with these opportunities comes a complex responsibility to secure proliferating and easily transferrable patient data.

Protected health information (PHI) – including 18 identifiers, such as names, social security numbers, and identifying images – is safeguarded by the HIPAA Privacy Rule. The rule protects sensitive information held in the stewardship of organizations that use it and gives patients rights with respect to that information.

To serve patients effectively and manage the best possible care – while operating a viable business – health providers must frequently share patient information. While the value of leveraging relevant data for healthcare planning and decision-making is clear, the risk of noncompliance with HIPAA privacy standards can be extremely costly. Consider:

• Massachusetts Eye and Ear Infirmary was fined $1.5 million after a physician’s laptop – containing 3,500 patient health records – was stolen.[1]

• CVS Caremark paid $2.5 million in HIPAA-related fines after employees disposed of patient health information in garbage bins.[2]

• Aberdeen Group determined that stolen identifiers – names and dates of birth – command $20 in black market transactions, while “identity theft kits” featuring social security numbers and credit card details may garner $1,500.[3]



Information is today’s invaluable commodity. Securing it preserves the financial health and public reputation of healthcare businesses whose success depends on protected use of sensitive data.

Email Communications: Risks vs. Rewards

For many, including patients and providers, email has become the preferred means of and expected standard in business communications.

“Patients are increasingly expecting the opportunity to communicate with care providers electronically,” said Darby Buroker, a health information exchange expert with more than 20 years of experience in the field. “It is how we interact as a society. But health practices at risk of divulging PHI are at risk of compromising their business potential. They must find secure solutions for email communication in order to compete and to deliver effective healthcare services for their patients.”

While hospital electronic medical record systems may include a secure messaging component, small- to mid-sized physician practices – often without dedicated IT resources – need affordable, off-the-shelf, end-to-end email encryption solutions.

Many day-to-day functions and emerging trends lend themselves to email:

• Provider-to-provider communications, including consult results, CT scans, diagnostic images, prescriptions, and scheduling information.

• Provider-to-patient communications, including appointment scheduling, procedure preparation information, and results.

• Patient-to-patient communications, such as the connection of patients who share a condition and can support each other as physicians offer group care. The demand for this type of communication will increase as support groups and physician-sponsored group visits become more popular.

The ability to securely share healthcare information via email – seamlessly, without the added cost and complexity of an electronic health record or patient portal


“Email has the potential to serve as a conduit toward greater collaboration, increased convenience, and stronger patient engagement,” Buroker said. “Today’s financial pressures in healthcare require this, as it brings administrative burdens down and allows physicians to accomplish more in less time. But one breach in security, and practices can face significant penalties.”

If email communications open the door to expensive liability – the mishandling of private patient information can incur fines from $100 to $50,000[4] – why should physicians rely upon them at all?

The answer is clear. Notwithstanding the risk, email is a staple of today’s culture and is here to stay. It is easy and time-efficient, and it offers an additional vehicle for fostering relationships and promoting patients’ involvement in their healthcare.

Proven Successes

A solution that works how physicians work.

Healthcare practices are discovering that, supported by Virtru for email encryption, they can exchange sensitive data with the confidence that it is secure and easily ac


Consider Clark Venable, M.D., a private-practice anesthesiologist with Riverside Anesthesia Associates in central Pennsylvania. The nearly 50-physician group provides anesthesia services for three acute-care hospitals and six surgery centers. “We use the information systems and inpatient records of the facilities where we provide services,” Dr. Venable said. “As such, we needed to ensure that any sharing of protected health information our associates conducted via email would be safe and secure. Few small- to mid-sized practices like ours have dedicated IT resources, and fewer still have a security expert on staff. As someone who values privacy both personally and professionally, I took the lead on identifying a solution.”


“My challenge was to find a tool to solve a business need while making our processes easier, not more difficult,” he said. “With its seamless integration with Google Apps, the suite we already use daily, Virtru sounded promising.”

While many of Riverside’s email communications do not include PHI and do not require encryption to satisfy HIPAA requirements, certain routine communications fall directly into the “sensitive” designation. Dr. Venable described the occasional need to perform patient consults prior to surgeries or deliveries – often if the patient has an extenuating health circumstance or prior complication that increases risk – the findings of which are communicated among the anesthesiologists to ensure all are informed should they encounter the patient. Other times, requests for specific anesthesiologists are made by patients or referring physicians, and again are communicated by email across the team.

“With the flick of a switch, right there in my normal inbox, as I’m composing the message, I can activate Virtru to encrypt an email before it leaves my device,” Dr. Venable explained. “It leaves my computer encrypted, and arrives in colleagues’ inboxes encrypted. Before Virtru, we did not have an easy way to use end-to-end encryption.”

The anesthesiologist cited additional control factors that Virtru offers to increase his confidence in securing sensitive data shared by email. He can send encrypted email to the groups he has created in Google Apps, knowing that all recipients will easily yet securely read the messages within their usual inboxes, whether in a browser or on a mobile phone or tablet. He can restrict recipients’ abilities to forward emails and can set emails to expire, disappearing from inboxes when their timeliness has passed. And although he’s never needed to recall a sent message, he finds peace of mind in knowing Virtru supports email revocation.

Valuing privacy himself, Dr. Venable respects all patients’ rights to it. Noncompliance incurs potentially costly risks, such as audits, fines, ongoing oversight by government entities, and legal activity, but there’s another risk he said carries even


“Failure to comply with privacy requirements is failure to uphold our promise to patients,” he said. “Breaching their trust by falling short in protecting their data is the greatest threat to our reputation and to our ongoing business success.”

In Dr. Venable’s view, most providers understand and uphold the HIPAA privacy rule, but the security rule can be more complex to implement. Virtru offers the seamless, end-to-end encryption that Riverside sought.

“To be used regularly by physicians, tools must integrate into existing workflows,” Dr. Venable said. “Google Apps was already a chosen resource for our practice, and Virtru allows me to add encryption directly within it. I don’t need new processes. I don’t need a new login ID or password. It works easily and effectively within my daily routine. I am a very enthusiastic user.”

It earns the approval of IT professionals, too.

Brian Grablin pays attention to email encryption for healthcare practices, too. As the president of G&A Medical Management Company, he’s charged with identifying the right IT infrastructure for clients like Bear Creek Family Medicine in Colorado Springs. And one piece of that puzzle is a solution for email encryption that allows seamless communication while meeting compliance requirements.

Grablin also found Virtru.

“Virtru met all of our needs in terms of utility and value,” he said. “From a cost standpoint, Virtru fit our bottom line. From a functionality standpoint, it allows us to do everything we need to to keep protected health information safe while communicating smoothly with patients and healthcare professionals.”

Bear Creek was one of the first healthcare practices to which Grablin recommended Virtru. When his client purchased the practice, it required a complete information technology overhaul and a comprehensive process evaluation to determine and improve upon its state of HIPAA compliance.

“We have not seen a tremendous crackdown on breaches, but we know the poten


and I know what can happen when you try a shortcut. If it was a requirement, we were going to get it right.”

As such, the practice operated for its first month almost entirely without email. Information exchange was manual and time-consuming – but compliant.

“We knew we did not have a secure solution, so we went without one until we could do it safely,” Grablin said.

Enter Virtru. Grablin was drawn first to Virtru’s ease of use. No public or private keys are required, and recipients aren’t directed to a secure portal site requiring special access codes. Instead, for both senders and recipients, Virtru is available at the click of a button within their own inboxes and encrypts emails and attachments in transit and at rest.

The Financial Impact of HIPAA Violations

Individual unaware of violation: Up to $50,000 per violation, up to $1.5 million total per year

Violation per reasonable cause, not willful neglect: Up to $50,000 per violation, up to $1.5 million total per year

Violation due to neglect, but corrected within allowed timeframe: Up to $50,000 per violation, up to $1.5 million total per year

Violation due to neglect, left uncorrected: $50,000 per violation, up to $1.5 million total per year

Source: http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page


“I looked at a variety of options, several of which were good and several of which were free,” Grablin said. “But nothing else offered the absolute ease of use that Virtru does. It has to be simple and seamless for our staff to embrace it. That’s critical for our patient recipients, too, who frequently are receiving one-time or occasional communications and can’t be expected to go through complicated procedures to get what they need.”

Grablin also cites Virtru’s administrator controls as a relevant distinction. He is able to monitor the practice’s email correspondence as a whole to confirm compliance, and can safeguard against potential breaches following sensitive instances – for example, if the practice should lose an employee.

[Figure: “Patient Data Lost or Stolen” – chart comparing FY 2011, FY 2012, and FY 2013; percentage axis from 0% to 60%.]

Diverse forms of protected health information are at risk, as indicated by respondents to the Ponemon Institute’s 2014 benchmark study on patient privacy and data security.


“Failure to address this puts your whole business at risk,” he concluded. “Whether you’re motivated by HIPAA compliance or by doing what’s right for your patients or both, Virtru is hitting the right area with a very solid product. It is important for me to know that I did everything I could in good faith to protect patient information. Virtru is an effective part of that.”

The Virtru Solution

• “Pursuing digital security should be as much of a no-brainer as locking your door before you leave the house. Virtru is a walk in the park compared with some of the other options.”[5] – The New York Times

• “The key with what Virtru does, apart from making encryption work on most ordinary cloud emails, is that it works across different platforms, something that is largely a gap today.”[6] – TechCrunch

• “The challenge has always been to make it easy enough for everyone to use. But no one has ever figured out how to secure e-mail to everyone. We think these guys can do it.”[7] – The Washington Post

How does the product earning these votes of confidence actually work? Simply put, with the sender’s flip of a digital switch, Virtru allows users to secure their emails and attachments, keeping private communications private, and keeping it seamless for recipients to decrypt and read.

Virtru is an email add-on that works with existing email providers, such as Gmail or Yahoo. With Virtru installed in a browser, email application, or mobile device, users are ready to send secure emails. Recipients can read the communications in a secure viewer without requiring any downloads, keys, or portal access codes. It’s that easy.

For healthcare practices that regularly communicate many of the 18 HIPAA-defined identifiers that constitute PHI, an email encryption solution is a must.

Virtru stands out because:

• It’s easy for the sender. It integrates easily with existing email platforms and familiar applications.

• It’s easy for recipients. They can read securely sent messages without installing any software or creating an account to access a patient portal.

• Its email and file revocation works. Users and administrators can take back messages sent inside or outside their organizations.

• It provides a full audit and “chain of custody” of emails, supporting tracing and restriction of email and file forwarding over the full lifespan of the communication.

• It offers the ability to add expiration dates to emails and attachments without restricting administrators’ opportunity to archive and recover.

• It provides easy monitoring, management, and auditing capabilities.

Perhaps best summed up by the Daily Dot, Virtru “has one of the best encryption apps available to the public. It’s easy to use, requires no complicated keys, and takes less than a minute to get going.”[8] Virtru is a healthcare practice’s fastest, easiest, most effective route toward HIPAA compliance in email.

Take Action

Learn more about Virtru today. Visit us online, trial our free download, and contact us to discuss the Virtru business solution best suited to support your HIPAA compliance imperatives.

www.virtru.com

sales@virtru.com

1. http://www.healthcarecommunication.com/Main/Articles/HIPAA_What_happens_when_you_dont_comply_11657.aspx

2. Ibid.

3. http://www.fiercehealthit.com/node/32896/print

4. http://www.healthcarecommunication.com/Main/Articles/HIPAA_What_happens_when_you_dont_comply_11657.aspx

5. http://www.nytimes.com/2014/07/17/technology/personaltech/ways-to-protect-your-email-after-you-send-it.html?_r=0

6. http://techcrunch.com/2014/06/17/virtru-a-secure-email-app-built-by-an-ex-nsa-engineer-raises-6m/

7. http://www.washingtonpost.com/business/capitalbusiness/former-national-security-agency-internet-specialist-gets-funds-for-e-mail-security-tool/2014/06/16/fd84708a-f593-11e3-8aa9-dad2ec039789_story.html

8. http://www.dailydot.com/technology/virtru-email-encryption-android-app/



