Case Study

Valley Youth House Seeks Out HIPAA-Compliant Email Encryption for Sharing Sensitive Data with Government Agencies, Partners, and Staff

“We first considered deploying Virtru with just our behavioral health employees. But the reality is that sensitive data is flowing throughout each and every department. We needed to reign it in and take control of the data we are entrusted to protect.”

Shaun Michel, IT Director at Valley Youth House

Valley Youth House is a nonprofit organization that provides counseling, life skills training, housing, and emergency support to vulnerable, abused, and homeless youth. The agency partners with thousands of individuals annually to build a solid foundation for young people and their families. Because Valley Youth House provides behavioral and mental health services, they are required to comply with the Health Insurance Portability and Accessibility Act (HIPAA) and needed an email encryption solution for sharing information between staff, government agencies, and other partners. We spoke with Shaun Michel, IT Director, to learn why he and his team selected Virtru as their HIPAA-compliant data protection solution. With Virtru, Valley Youth House was able to:

  • Provide the entire organization with an easy-to-use, HIPAA-compliant email encryption solution.
  • Securely communicate with partners, agencies, and other third-parties without having to rely on TLS encryption.
  • Improve their services through more efficient collaboration and communication.

Client Privacy Is the Primary Concern

“Our youth clients are sophisticated enough to know that their most personal data is available to many different people for the purpose of providing services. Many of them have had negative experiences where their personal data has been misused or abused in the past. On top of that, many of our clients are teenagers and are sensitive to people talking about them. We respect that many of our youth clients understandably have reservations about what Valley Youth House employees may know about them; protecting their privacy is our primary concern.”

The Challenge with HIPAA Compliance and Email

“Aside from client privacy, HIPAA compliance is our other top concern as an IT department. Valley Youth House provides behavioral and mental health services for youth and their families and with this comes the responsibility of ensuring that HIPAA requirements are met when sharing protected health information (PHI).

“We deal with a lot of different funders, local governments, and local youth services agencies and we constantly need to share information back and forth. Some of it is extremely sensitive because it covers family history, mental health, and drug abuse issues. We value our clients’ privacy, and although we have to share their data, we must also be able to protect it.

“Case workers need to be able to share PHI back and forth and email is the path of least resistance, but prior to Virtru, email was not always HIPAA compliant. Previously, we relied on TLS encryption to protect PHI shared via email, but many of our case workers and staff members were communicating with partners who didn’t support TLS. We reached a point where we knew we had to take matters into our own hands and seek out an email encryption solution that checked all the boxes: HIPAA compliant, user-friendly for both the sender and the recipient, and end-to-end encrypted.”

A Domain-Wide Solution

“We first considered deploying Virtru with just our behavioral health employees. But the reality is that sensitive data is flowing throughout each and every department. We needed to reign it in and take control of the data we are entrusted to protect. In the past, we had explored using Zix but their DLP rules simply weren’t reliable.

“With Virtru, everything is both extremely straightforward and flexible in terms of the control that we have over encrypted email content. For example, client case numbers are not something that people typically think could be sensitive data so being able to supplement Virtru’s default HIPAA rule pack with our own custom rules has proven to be extremely beneficial.

“Once we had the green light to move forward with Virtru, we were up and running very quickly and our employees saw how easy it is to encrypt an email before sending it. With Virtru, we are not adding any additional layers of complexity to our email workflows. Everyone—from the CEO to our case managers—agrees that Virtru doesn’t obstruct the way we communicate over email, but rather makes for a better experience. When staff can send an email without having to worry about client privacy or compliance, it makes their job that much easier.”