News
VNA Care Network and Hospice Chooses Voltage SecureMail to Ensure HIPAA Compliance
March 2008 by Marc Jacob
One of the largest visiting nurse associations in the U.S., VNA Care Network and Hospice is a nonprofit with more than 500 clinicians in the field serving communities throughout central and eastern Massachusetts. Like most healthcare organizations that take advantage of the latest software and digital hardware to complement and support their work with patients, VNA Care Network has had to grapple with the implementation of HIPAA provisions over the past few years. The most recent being the new Access Control rules that went into effect in April 2005. “We’re a technology-intensive organization,” stressed Peter Kosel, MIS technology manager and security officer at VNA Care Network. “Which presents a number of challenges for HIPAA compliance. One of our big concerns is finding ways to prevent any type of patient-identifiable information from leaking out onto the web.”
Because VNA Care Network is a provider of in-home healthcare and hospice for the terminally ill, it has to contend with certain security challenges that an individual hospital or clinic might not face. For instance, all of its clinicians in the field are equipped with laptops using clinical software to manage patient information. With all medical charts for their patients stored on these laptops, clinicians can instantly look up health histories, prescription drug records and so forth. At the end of the day, these clinicians upload any new patient information directly into the VNA Care Network database using a phone link or VPN connection. Since direct dial-in and VPN provide secure connections, VNA Care Network can be confident that patient health information (PHI) is safe as it moves from its clinicians in the field to its database. But under the new HIPAA rules, Kosel and his team also had to ensure that patient information remains secure once it begins circulating through the organization during the normal course of business via email, and across open networks—the Internet in particular.
Finding The Right Solution
The last of four implementation specifications associated with the HIPAA Access Controls is “Encryption and Decryption,” which is designated an “addressable” rather than a “required” provision. In other words, healthcare organizations aren’t necessarily required to use encryption software, but the alternative would be to implement detailed policies setting out exactly how staff should handle email containing PHI, and then ensure that everyone across the organization follows these policies to the letter. For an organization like VNA Care Network, with more than 800 employees spread across a large geographic area and multiple branch offices, this kind of approach simply did not make sense. As Kosel pointed out, “With users scattered all over the state, and with thirteen regional offices and program sites, it was obvious that we had to have a tool to encrypt our email traffic.”
After considering a number of encryption offerings on the market, Kosel recommended Voltage SecureMail to senior management to protect VNA Care Network’s email traffic. “What I was looking for was something secure, safe and very easy to install,” said Kosel. “We wanted something that wouldn’t be complicated, or difficult to use and maintain. Voltage SercureMail gave us all that.”
Kosel and his team began a trial implementation in late January 2005, with ten users in the test group. After a month and a half of positive reviews, VNA Care Network decided to go ahead with a wider deployment and now has up to 200 licenses for people on staff who use email to send patient health information internally and externally. “We were really impressed with SecureMail’s ease of installation,” admitted Kosel. “I just put a link on the agency intranet, and everyone who needed it simply downloaded the client and installed it themselves. We’ve done this with other types of software in the past, but never with something like this.”
Ease Of Use On The Front End And Back End
The consensus across the company is that by making encryption so easy, Voltage SecureMail is an effective way to ensure that everyone stays compliant with HIPAA. Elaine Kestle, RN, director of health services, uses SecureMail when sending patient information to external agencies that partner with VNA Care Network in providing home care aide services to patients. “We tested several systems before Voltage, and all the others were labor intensive with lots of steps to remember,” she pointed out. “Voltage is very simple to use. You can send complete patient information in a timely manner while still meeting HIPAA requirements.”
In fact, because Voltage SecureMail integrates so well with VNA Care Network’s email software, Kestle and her colleagues can easily send secure email messages with a single click of a "Send Secure" button. In addition, SecureMail eliminates the need for cumbersome certificates and Certification Authorities, which dramatically reduces administration and management requirements. For Kosel and his team, this means that they are able to maintain HIPAA compliance with a minimum of effort. “As far as back end management with SecureMail is concerned, there’s nothing to do. It just runs,” said Kosel. “With Voltage, there is reassurance there, peace of mind. It’s an easy and cost effective way to stay compliant with HIPAA.”
