The Middle Alabama Area Agency on Aging (M4A) is a not-for-profit organization that provides resources and program support to the aging population in central Alabama. The heart of their mission is to help people comfortably age in place, and to do that, M4A is constantly collecting and exchanging protected health information (PHI) and personally identifiable information (PII) with healthcare providers and government entities. After hearing about Virtru from a neighboring agency, M4A tested it and ultimately chose Virtru.
With Virtru, M4A can:
- Meet HIPAA requirements for Microsoft email by safeguarding messages containing PHI with Virtru's encryption add-in, ensuring patients' information is kept safe and secure
- Offer admins greater visibility into emails sent across the organization with Virtru's Control Center, ensuring proper access control usage, email subject line protocol, and more
- Modernize operations and save time by replacing fax and phone calls with secure digital communications, streamlining operations and providing speedier care to clients, caregivers, and providers
- Succeed in implementation by using Virtru resources to train staff and external recipients on Virtru, unlocking the full potential of the solution
Modernize HIPAA Compliance Without Sacrificing Security
M4A helps connect older adults and their caregivers with public and private long-term care services and supports; this includes Medicare counseling, nutrition assistance, prescription assistance, in-home support, and much more. Coordinating these services involves collecting sensitive, confidential information which may be subject to HIPAA.
Virtru allows M4A to encrypt emails with confidential information that may be subject to HIPAA. In addition, by using the Virtru HIPAA Compliance package, M4A can ensure sensitive information in emails is flagged and automatically encrypted before it ever leaves the perimeter.
“With the HIPAA package specifically, I’ve got DLP rules drilled down into when we send emails to a certain company, we get a warning or Virtru automatically locks the email. Or if we say a certain word,” said Crystal Crim, M4A’s Director of Operations and Strategy.
Teams dealing with PHI on a frequent basis have Virtru turned on by default for every email, with the option to turn it off. Other teams have the opposite: Virtru is off by default, with the option to turn it on. With the HIPAA compliance package, reminders to safeguard sensitive data keep the teams on track.
“I’ve seen the progression of people’s confidence and competence levels increase by [encrypting data] and doing it daily,” said Crim.
Compliance also comes at a price. As an organization that receives federal and state funding, Crim and the M4A staff had to be strategic about meeting compliance without breaking the bank.
“The cost, of course, was right on point for us,” she explained. “We are a not-for-profit quasi-governmental agency, so we have to be good stewards of the funding that we have been blessed with and make sure that most of the funding is going to clients.” Using Virtru to safeguard sensitive data via email was a justifiable use of funding, and Virtru made the investment reasonable.
Greater Visibility for M4A Administrators
“I like being able to drill down into data,” said Crim. With Virtru’s Control Center, Crim can take inventory of all Virtru emails being sent from M4A, use that inventory to find trends in behavior and usage, and correct problems to maintain HIPAA compliance.
This is important for M4A because subject lines are another area needing HIPAA protection, and occasionally PHI or PII can be revealed if a staff member slips up.
“[The subject line] is the first line of defense of protecting [PHI] data,” said Crim. “Yes, we can lock data with Virtru, but I can see subject lines instantly and develop trainings for staff based on trends.”
M4A administrators also have insight into who is sending or receiving encrypted emails and have the ability to revoke the emails for their staff. They can also see whether an email has been opened or forwarded, whether attachments were downloaded, and by whom. Crim uses the Control Center as an opportunity to locate these trends and provide additional training to staff on how to use Virtru to comply with HIPAA policies and training.
A Proactive Approach To Protecting and Respecting Patients’ Data
For M4A, it wasn’t just about deploying the tool and checking off the box. Their success with Virtru is due in part to their comprehensive training approach. Crim and her team customized their Virtru onboarding resources and Q&As to provide an M4A-specific guide that tells staff when and how to use Virtru and tells external partners how to unlock a Virtru email. By supplying these resources, M4A gets buy-in on compliance from each employee.
“When I train staff,” Crim explained, “I let them know that yes, there are quite a few policies that surround security and privacy. But at the same time, I let them know that we have these policies to ensure that, at M4A, we treat our clients’ data the way we would want our own data treated.”
M4A takes its HIPAA obligations seriously, and with Virtru, M4A can put the same amount of care into their compliance as they do into their clients.
“If you're entrusted with data, that is part of someone's life. Virtru is a good way to protect that.”