“Just having data encrypted point-to-point doesn't solve the problem. If that's all it took, then Gmail, Google Workspace, and Office 365 would be sufficient. The real issue is, ‘What do you do when you send PHI to the wrong person?’ Virtru is a minimal expense for the security and safety it provides.”
Jason Karn
Chief Compliance Officer
The world of compliance is complex, but Total HIPAA aims to make things as simple as possible for its clients. Its team of experts assesses and advises organizations on establishing and maintaining compliance with evolving regulations like HIPAA and GLBA.
In fact, Virtru has been one of those clients: in our early days as a startup, the Virtru team turned to Total HIPAA for its expertise in establishing a HIPAA Business Associate Agreement (BAA), the contract HIPAA requires between a covered entity and any vendor that creates, receives, stores, or transmits protected health information (PHI) on its behalf.
That’s how Total HIPAA also became a customer of Virtru — and it’s a great match. Here’s why.
Data security is a top priority for Total HIPAA’s Jason Karn (Chief Compliance Officer) and Tessa Pope (Director of Operations). In the world of HIPAA compliance, it’s vital not only to handle sensitive health information responsibly, but also to be able to prove how PHI was handled. This is where Virtru’s granular access controls, audit logs, and tracking capabilities come in, supporting Total HIPAA and many of its clients across healthcare, insurance, finance, tech, and beyond.
“Virtru is a minimal expense for the security and safety it provides,” Karn said. “It’s having that backstop, being able to say, ‘I've got a program where I can deny access to this information that I've errantly granted to somebody,’ and knowing that we can go into the logs, we can see that the person didn't download this, or did not open this. I mean, those are huge, huge benefits to having something like Virtru.”
Total HIPAA encourages its clients to adopt HIPAA-compliant software for email and file sharing. The native TLS (transport layer security) encryption offered by many email clients is not enough on its own to meet HIPAA requirements: TLS protects a message only while it is in transit between mail servers, and in email it is often applied only opportunistically, hop by hop. It says nothing about who can read the message once it is delivered, forwarded, or sent to the wrong mailbox. And while some software providers do offer a HIPAA Business Associate Agreement (BAA), they may not provide the controls that many organizations need to govern PHI across the data’s full lifecycle.
“Just having data encrypted point-to-point doesn't solve the problem,” said Karn. “It's just one issue, but if that's all it took, then Gmail, Google Workspace, and Office 365 would be sufficient. The real issue is, ‘What do you do when you send PHI to the wrong person?’ We have people with multiple ‘Johns’ in their contact list — they may send it to the wrong John. We had a client going through a major breach because of social engineering: someone spoofed a member of upper management, and an employee sent out a file with names and PHI. It became a real issue — we had to report it as a breach to the Department of Health and Human Services. If they’d had Virtru, they could have just denied access to the email and this entire crisis could have been averted. The impact would have been limited, it would have had tracking, and they could have changed the access controls. Now, the horse is out of the barn. The barn is on fire. It’s, ‘What do we do now?’”
“Sometimes we do get the pushback of, ‘Well, I’ve got a Business Associate Agreement with Google, or Citrix,’ and that's good,” Karn continued, “But how do you prove what’s happening with your data? With HIPAA, if you have a breach, you have to prove that information was not released, so you have that burden of proof that exists now. And how do you prove that? With Virtru, you’re able to deny access, and you’re able to show that, ‘Yes, this was sent, but then we were able to revoke access,’ and that's one of the reasons that we push Virtru.”
“A big thing that they're looking for when you get audited is forensic analysis,” added Pope. “HHS wants you to document exactly what happened in an event, how you mitigated it, how you learned about it, and then what you did. Being able to use a service like Virtru and be able to document those things is huge. It's a very low effort on the client’s part to say, ‘All I had to do is click a button, and that's the forensic analysis I need to provide to the auditor.’ So that is also huge.”
In the Virtru Control Center, administrators and users can see every secure email and file that has been shared, together with the policies attached to it: access revocation, expiration dates, forwarding restrictions, watermarks, and disabled local downloads. Admins and users can change those policies at any time, so if an email containing PHI goes to the wrong person, access can be revoked immediately and the information protected. The Control Center also records whether the recipient has viewed an email or file, which lets security teams establish their actual risk and exposure during a security event rather than assuming the worst.
Total HIPAA advises clients on their HIPAA compliance posture, helping them establish compliant business workflows that protect PHI. As part of their collaboration with clients, Total HIPAA also comes into contact with sensitive information that needs to be protected, which is why they use, and recommend, Virtru.
“We do have the opportunity to test a lot of different email encryption vendors that people are using, and I will say that one of the biggest compliments we get about Virtru is the ease of use if you don't have Virtru downloaded,” Pope said. “And, with other products, you might have to sign in multiple times, it forgets you, you need to reauthenticate, and sometimes you get stuck in this vicious loop of signing in over and over again. It drives you a little bit crazy.”
“The barrier for entry and user experience is so much nicer with the Virtru product,” Karn added. “We reviewed a bunch of other products and kept running into issues. I have three or four Zix logins because each instance has its own separate Zix credentials. Granted, I have a password manager, but I have to remember, ‘This one is for Acme Incorporated, so I need to use this password.’ Whereas, with Virtru, I just log in using my Google profile, it knows who I am, and there’s nothing to download. If I’m not already logged in at that moment, I can just authenticate, and get right to it.”
“It’s the user experience that’s really helpful, because honestly, when we started this business, that was one of the biggest barriers we ran into with people using email encryption,” Karn emphasized. “They would say, ‘My clients hate email encryption. They’re always asking me to send them information unencrypted.’ And we don’t have that issue now like we used to, which is really nice.”
“One thing that we love about Virtru is that it makes it easy for us to interact with people,” said Pope. “We're big on customer service, so we're going to send documents encrypted just to make sure we're practicing what we preach. Therefore, our clients who don't use Virtru also need to be able to access that information. That's one of the reasons we have stuck with Virtru for so long, we have received zero to, maybe, five complaints since we started with Virtru — and usually that’s because of a user error.”
At the end of the day, Total HIPAA aims to make its customers’ lives easier, enabling them to meet HIPAA compliance with confidence. Virtru is proud to play a small role in the broad scope of work Total HIPAA delivers for its clients, all of which culminates in stronger privacy and confidentiality for individuals.