Making The Case: Real World Solutions from People in the Trenches
Employing Cutting-Edge Messaging Security Technology to Protect Patient Data and Ensure HIPAA Compliance
Meadville Medical Center is a leader in healthcare in northwestern Pennsylvania. The hospital has a staff of more than 1,300 professionals that provide high quality medical care to patients.
The Challenge
As a healthcare facility, we must comply with the Health Insurance Portability and Accountability Act (HIPAA), which includes provisions mandating that hospitals secure protected health information (PHI) sent via email, such as patient reports, diagnosis numbers and other personal information.
As with any healthcare organization, there is potential for HIPAA violations. Our IT department had created a tool for sending encrypted data, but during an internal audit we found that, because encryption required a manual step by the sender, employees could easily use the system incorrectly or skip it altogether. We wanted a system that would automatically detect PHI in email messages and encrypt them without requiring user intervention.
The Solution
The audit was a real eye-opener for us. With a manual process, there was a genuine risk of accidentally sending PHI without encryption. The potential fines a violation could incur quickly justified the cost of buying a solution to manage the problem. As a result, we decided to update our existing messaging security systems and investigate new solutions that automatically scan outbound email for PHI, so that every message complies with HIPAA's email-related requirements. After narrowing our list to solutions from KODAK Secure Email Services (SES) and Proofpoint, we selected the Proofpoint Messaging Security Gateway. The Proofpoint solution offers better performance, includes six managed dictionaries of healthcare codes, and requires almost zero ongoing maintenance.
We use the Proofpoint Regulatory Compliance and Proofpoint Secure Messaging modules. These modules scan outgoing email messages for PHI, including patient data and procedure codes, along with other personal information like social security and credit card numbers. Once emails containing PHI have been identified, the Proofpoint Secure Messaging module, which is powered by Voltage IBE (identity-based encryption) technology, automatically encrypts them before they are sent outside the hospital.
For us, one of the most important features in a messaging security solution was it had to be easy to use and require very little administration. Because we rely on email as a primary means of business communication, we wanted an appliance that worked right out of the box and did not slow business processes by requiring end-users to take special action in order to encrypt emails.
Like many healthcare organizations, we are always looking for ways to maximize our IT resources. We needed a comprehensive, easy-to-administer system to secure outbound email that had the following:
- Pre-defined policies that automatically scan for PHI
- Built-in rules that can be easily modified with a point-and-click interface
- Automatic, policy-based encryption of email messages
- HIPAA code sets (e.g., of medical terms, diseases, procedures and drug names) and rules that are always up-to-date
We wanted to ensure our compliance policies were applied consistently and accurately whenever a message required it. We also wanted a solution that allowed us to easily define and modify privacy rules that could be applied to individual PHI occurrences. We only had to set up a few rules to identify and capture email unique to our environment, since our messaging security vendor already had the rules and dictionaries for HIPAA and other sensitive information in place. The dictionaries define common protected health information code sets (such as the standard disease, drug, treatment and diagnosis codes used by the healthcare industry) to simplify HIPAA compliance.
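The policy-based scanning described above, as an added illustrative example that is not Proofpoint's code or the hospital's configuration: the dictionary terms, code pattern and internal domain are constructed assumptions, and the credit-card rule shows why a checksum is needed to keep ordinary 16-digit identifiers from triggering encryption.

```python
import re

# Constructed stand-in for a managed PHI dictionary (not a vendor's code set):
# healthcare terms and code-shaped tokens a hospital policy might flag.
PHI_TERMS = {"diagnosis code", "procedure code", "icd-9", "patient report"}
ICD9_RE = re.compile(r"\b\d{3}\.\d{1,2}\b")            # code-shaped, e.g. 250.00
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")         # 16 digits, any separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects random 16-digit strings (order or device IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def classify(text: str) -> set[str]:
    """Return the categories of protected data found in an email body."""
    hits = set()
    lower = text.lower()
    if SSN_RE.search(text):
        hits.add("ssn")
    if any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(text)):
        hits.add("credit_card")
    if any(term in lower for term in PHI_TERMS) or ICD9_RE.search(text):
        hits.add("phi_dictionary")
    return hits


def policy_action(recipients: list[str], body: str, internal_domain: str) -> str:
    """Encrypt only when protected data would leave the hospital's own domain."""
    external = any(not r.lower().endswith("@" + internal_domain) for r in recipients)
    return "encrypt" if external and classify(body) else "deliver"


if __name__ == "__main__":
    # Constructed sample messages; "mmc.example" is a hypothetical internal domain.
    print(policy_action(["dr.smith@clinic.example"], "Diagnosis code 250.00 attached", "mmc.example"))
    print(policy_action(["nurse@mmc.example"], "Diagnosis code 250.00 attached", "mmc.example"))
    print(policy_action(["vendor@supplier.example"], "Order 1234 5678 9012 3456 shipped", "mmc.example"))
```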
The Results
As a result of upgrading our messaging security processes, today we automatically identify and encrypt more than 100 emails a month that contain PHI. In the process, we have also dramatically reduced the amount of time our IT staff must spend investigating email infractions. We now have a convenient, single source for outbound email scanning and encryption, and our patient data is protected from improperly leaving our network via outbound email.