Small and medium healthcare providers struggle with the cost and complexity of securing Protected Health Information (PHI) subject to HIPAA. Traditional healthcare systems are complex and expensive, designed primarily for large organizations. Small providers frequently face a conundrum: deploy expensive systems, or forgo compliance and assume substantial financial risk. This makes secure communication with patients, third parties, or even colleagues within the office difficult.
PreVeil is an integrated encrypted email and file-sharing system used extensively by defense organizations for compliance. It offers smaller healthcare providers the same security benefits while being affordable and easy to deploy and use. PreVeil enables providers to conveniently share electronic PHI (e-PHI) with clients, third parties, and others within their own organization. With PreVeil, providers can achieve and demonstrate broad compliance with the four general requirements of the HIPAA Security Rule, namely:
- Ensure the confidentiality, integrity, and availability of e-PHI they create, receive, maintain, or transmit.
- Identify and protect against threats to the security or integrity of the information.
- Protect against reasonably anticipated, impermissible uses or disclosures.
- Ensure compliance by their workforce.
PreVeil Email enables providers and clients to send and receive end-to-end encrypted messages using their existing email addresses. PreVeil Email integrates with Microsoft Outlook, Gmail and Apple Mail for a familiar user experience. It also works in a browser and in mobile apps for Apple and Android devices. PreVeil can even automatically encrypt emails whose subject lines indicate they contain PHI. Recipients who don't have a PreVeil account can create one for free in about 30 seconds, making it simple for clients and third parties to adopt.
PreVeil Drive is an encrypted file synchronization, storage and sharing system very similar in functionality to OneDrive, Google Drive or Dropbox. Unlike those, however, it is fully end-to-end encrypted and can be used to share files and folders in compliance with HIPAA. Drive supports granular access permissions such as read-only or Edit & Share, and access to shared data can be revoked to limit third-party risk. Providers benefit from a simple workflow because Drive integrates with Windows Explorer or Mac Finder for a familiar experience. Clients can conveniently access both their secure email and files on computers as well as on their mobile devices.
Meet the HIPAA Security Rule Requirements:
PreVeil uses end-to-end encryption to protect e-PHI. Data is encrypted on the sender's device and can be decrypted only by the intended recipients; no one else, not even PreVeil, holds the keys. Because PreVeil's servers only ever store ciphertext, a compromise of those servers does not expose e-PHI. Access to a PreVeil account is granted by cryptographic keys stored on the user's devices rather than by a password, so password-guessing, credential-stuffing and credential-phishing attacks have nothing to target. The system is also designed so that compromising a single IT administrator's account does not expose user data. These default security capabilities, together with PreVeil's administrative features, enable providers to satisfy the Technical Safeguards standards of the HIPAA Security Rule, including:
- Access Control. PreVeil enables providers to limit access to e-PHI not only to authorized persons but also authorized devices.
- Audit Controls. PreVeil creates immutable, cryptographically protected audit logs that record access and other activity, including changes made to e-PHI.
- Integrity Controls. Providers can demonstrate that e-PHI has not been improperly altered or destroyed because whenever a file is changed, Drive creates a new, cryptographically verifiable version rather than overwriting the old one. Because earlier versions remain available, this versioning also allows e-PHI to be recovered after a ransomware attack.
- Transmission Security. e-PHI is always encrypted while it is being transmitted over an electronic network to prevent any unauthorized access.
Secure Mobile Access:
PreVeil Email and Drive are available as a free, encrypted app for iOS and Android phones and tablets. Access to the app is protected by biometric authentication or a passcode. This is convenient for clients and providers, and it also addresses the security and encryption requirements for PHI on mobile devices, since those capabilities are built in by default.
PreVeil can be deployed alongside an organization's existing Office 365, Exchange or G Suite infrastructure without affecting those systems. While the system is designed for self-deployment, PreVeil's support team can set up an organization and train its users in about an hour.
Providers deploy PreVeil using a low-cost, all-inclusive license priced at $25/month that covers both secure email and files. Clients and others typically access PreVeil for free through Express accounts, which results in savings of roughly 75% compared to offerings from large providers.
Encryption Safe Harbor Exemption from Data Breach Notification:
HIPAA requires covered entities to notify patients when their unsecured PHI is impermissibly used or disclosed, that is, "breached". Under the Encryption Safe Harbor, however, PHI that has been encrypted in accordance with HHS guidance is not considered unsecured, so its impermissible disclosure does not trigger notification. Note that the safe harbor applies only if the decryption keys were not themselves compromised in the same incident. Since PHI stored within PreVeil is always encrypted and the keys never leave users' devices, organizations can avoid the significant expense and reputational damage associated with breach notification. That is why the American Medical Association (AMA) encourages physicians to use encryption to render PHI indecipherable to unauthorized users.
Business Associates Agreement:
PreVeil executes Business Associate Agreements (BAAs) with providers so they can demonstrate that they meet their obligations under the HITECH Act of 2009. This is a key HIPAA requirement.
The PreVeil service maintains compliance credentials that go well beyond HIPAA, so as requirements evolve, providers can remain confident they are keeping up. PreVeil is independently audited for compliance with the Federal Risk and Authorization Management Program (FedRAMP) at the Moderate level for cloud services, and uses FIPS 140-2 validated cryptography. The service is also used to meet NIST SP 800-171 and ITAR requirements for storing and sharing controlled unclassified and export-controlled defense data. We provide documentation and third-party audit reports to customers as evidence of compliance.
Together, these capabilities offer providers a simple path to compliance and protection from financial penalties that can accumulate with each instance of impermissibly disclosed PHI.
To learn more: Book a free 15-minute consultation with our compliance team