Virtru is an email encryption and data privacy company. Users who pay for a Virtru subscription can send protected health information (PHI) in encrypted emails in programs like Gmail or Outlook. Users also have the ability to revoke messages and restrict forwarding of messages. Virtru claims that providers can use Virtru to send confidential information to colleagues and patients while maintaining the privacy of that information.
Is Virtru HIPAA compliant? Since its use involves transmission of PHI, providers may only use the Virtru email encryption platform if the answer is “yes.”
Is Virtru HIPAA Compliant? Virtru Data Security Measures
For Virtru to be HIPAA compliant, it must offer security controls that safeguard the confidentiality, integrity, and availability of electronic protected health information (ePHI).
Virtru builds on what it calls the Trusted Data Format (TDF), an encrypted container for messages and attachments (Office files, PDFs, photos, videos) that carries its own fine-grained access policy. When a recipient attempts to open protected content, that policy is checked to verify that the recipient is entitled to it; only a verified recipient can decrypt, open, and read the content.
Virtru gives providers the following controls for managing access to protected information:
◈ Strong data encryption technology for files and messages in transit and at rest.
◈ Configuration of data protection around specific content and content types.
◈ Limitations on the forwarding of messages inside and outside of the organization.
◈ Monitoring and tracking of protected health information.
◈ A search tool that allows for quick search of encrypted emails.
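The pattern behind the TDF paragraph above, policy-bound encryption where a key access service checks the policy before releasing the data key, is shown here as an added illustration. This is not Virtru's code and not the TDF specification; the class and function names, the JSON manifest layout and the sample message are all hypothetical, and the HMAC-based stream cipher stands in for a real AEAD such as AES-GCM purely so the script runs with the standard library. What it demonstrates is why the policy matters: a recipient who is not listed cannot decrypt a forwarded copy, editing the policy to add a recipient breaks the key binding, and revocation by the sender stops access after the fact.

```python
import hashlib
import hmac
import json
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode), a stand-in for AES-GCM.
    Constructed for this illustration only; a real system uses a vetted AEAD."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class KeyAccessService:
    """Hypothetical key access service: holds the key-encryption key (KEK),
    enforces the policy and honours revocations before releasing a data key."""

    def __init__(self):
        self._kek = os.urandom(32)
        self._revoked = set()

    def wrap(self, data_key: bytes, policy_json: str) -> dict:
        nonce = os.urandom(16)
        wrapped = keystream_xor(self._kek, nonce, data_key)
        # Bind the wrapped key to the exact policy bytes: editing the policy
        # later (for example adding a recipient) invalidates the binding.
        binding = hmac.new(self._kek, nonce + wrapped + policy_json.encode(), hashlib.sha256).hexdigest()
        return {"nonce": nonce.hex(), "wrapped": wrapped.hex(), "binding": binding}

    def revoke(self, object_id: str) -> None:
        self._revoked.add(object_id)

    def unwrap(self, requester: str, manifest: dict) -> bytes:
        policy_json = manifest["policy"]
        policy = json.loads(policy_json)
        kao = manifest["key_access"]
        nonce = bytes.fromhex(kao["nonce"])
        wrapped = bytes.fromhex(kao["wrapped"])
        expected = hmac.new(self._kek, nonce + wrapped + policy_json.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, kao["binding"]):
            raise PermissionError("policy has been altered since the key was wrapped")
        if policy["id"] in self._revoked:
            raise PermissionError("object revoked by its owner")
        if requester not in policy["dissem"]:
            raise PermissionError(f"{requester} is not an authorised recipient")
        return keystream_xor(self._kek, nonce, wrapped)


def create_protected_object(kas, object_id, plaintext, recipients):
    """Sender side: encrypt under a fresh data key and attach the access policy."""
    data_key = os.urandom(32)
    nonce = os.urandom(16)
    ciphertext = keystream_xor(data_key, nonce, plaintext)
    tag = hmac.new(data_key, nonce + ciphertext, hashlib.sha256).hexdigest()  # encrypt-then-MAC
    policy_json = json.dumps({"id": object_id, "dissem": sorted(recipients)}, sort_keys=True)
    return {
        "policy": policy_json,
        "key_access": kas.wrap(data_key, policy_json),
        "payload": {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag},
    }


def open_protected_object(kas, requester, manifest):
    """Recipient side: obtain the data key (policy permitting), check integrity, decrypt."""
    data_key = kas.unwrap(requester, manifest)
    p = manifest["payload"]
    nonce, ciphertext = bytes.fromhex(p["nonce"]), bytes.fromhex(p["ciphertext"])
    expected = hmac.new(data_key, nonce + ciphertext, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, p["tag"]):
        raise ValueError("payload integrity check failed")
    return keystream_xor(data_key, nonce, ciphertext)


def try_open(kas, requester, manifest):
    """Return the plaintext, or None when the key access service denies access."""
    try:
        return open_protected_object(kas, requester, manifest)
    except PermissionError:
        return None


def add_recipient_without_authority(manifest, extra):
    """Simulate someone who holds a copy editing its policy to add themselves."""
    policy = json.loads(manifest["policy"])
    policy["dissem"].append(extra)
    forged = dict(manifest)
    forged["policy"] = json.dumps(policy, sort_keys=True)
    return forged


if __name__ == "__main__":
    kas = KeyAccessService()
    note = b"Constructed sample: lab results for patient MRN 0000"  # made-up PHI
    obj = create_protected_object(kas, "msg-1", note, ["alice@clinic.example"])
    print(try_open(kas, "alice@clinic.example", obj))   # intended recipient: plaintext
    print(try_open(kas, "bob@clinic.example", obj))     # forwarded copy: None
    forged = add_recipient_without_authority(obj, "bob@clinic.example")
    print(try_open(kas, "bob@clinic.example", forged))  # forged policy: None
    kas.revoke("msg-1")
    print(try_open(kas, "alice@clinic.example", obj))   # after revocation: None
```

The design point is that the policy is never enforced by the recipient's client alone: the key needed to read the payload lives behind a service that evaluates the policy and the revocation list on every request, and the policy bytes are bound into the key wrap so that a holder of the container cannot rewrite them. Forward-restriction and revocation, the two controls listed above, both fall out of that single check.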
Is Virtru HIPAA Compliant? Business Associate Agreement
Under HIPAA, a covered entity must enter into a business associate agreement (BAA) with a vendor before that vendor may create, receive, maintain, store, or transmit PHI on the covered entity's behalf.
A written BAA obligates Virtru to apply the safeguards necessary to protect the PHI and ePHI it handles, and it sets out the conditions under which Virtru is, and is not, permitted to receive, maintain, store, or transmit that PHI.
Virtru's website states that a signed BAA is available with most of its paid packages; BAAs are not available to free Personal Privacy accounts. Eligible paying customers contact Virtru to execute the BAA. A BAA alone does not make a deployment compliant: the customer must configure Virtru's security controls properly for the protections to apply, and Virtru offers assistance to customers with questions about that configuration.
Is Virtru HIPAA Compliant?
Yes, subject to two conditions. Virtru can be used in a HIPAA-compliant manner when the covered entity has a signed business associate agreement in place with Virtru and has configured the software's security controls properly. Neither condition on its own is sufficient.