A HIPAA-Compliant e-Mail Solution
A Chicago children’s hospital finds a simple, but powerful, solution for HIPAA-compliant e-mail security.
By Bob Mueller
According to legend, one day in 1484 Christopher Columbus, broke and dispirited by his failed attempts to get funding for his westward voyage to the Indies, stumbled into the Franciscan monastery of La Rabida in Palos, Spain. One of the friars connected with La Rabida was a renowned astronomer; another was a personal confessor to Queen Isabella. Their influence helped Columbus get the support he needed for his famous voyage in 1492.
Four hundred years later, the Spanish government built a replica of the La Rabida monastery in Chicago, in conjunction with the Columbian Exposition of 1893. When the fair ended, Spain donated the building to the city for use as a children’s fresh-air sanitarium.
The building from the exposition no longer exists, but La Rabida Children’s Hospital continues to care for chronically ill children and is a leading researcher in pediatric healthcare and a respected teaching facility for pediatric specialists.
La Rabida is also a leader in health IT. The American Hospital Association’s Hospitals and Health Networks named La Rabida one of the “most wired” small and rural hospitals (La Rabida has fewer than 50 beds) in 2004—an award that went to only 10 hospitals nationwide. According to Tom Grynovich, network administrator for La Rabida, the hospital recently redid its infrastructure to provide gigabit speed between switches and fiber optic connections to desktops where speed matters. “The award is basically for using technology in the workplace in every aspect of security and speed and accessibility of software and documents,” Grynovich says.
Most of La Rabida’s doctors and staff are also affiliated with the nearby University of Chicago (U of C) Hospital, which sends many med students to study at the children’s hospital.
“It’s been a pretty good relationship,” says Grynovich. “We take a lot of the cases that they aren’t suited to treat long-term. We also share a lot of network resources with their doctors. We are constantly using e-mail and some of the medical software applications.”
Consequently, La Rabida shares patient health information with U of C doctors, as well as with family members, family physicians, government agencies, and others.
The hospital transmits much of that data as e-mail and message attachments and so must meet HIPAA requirements for secure transmission of patient information. Those requirements have proved troublesome and expensive for many healthcare organizations, notes Grynovich, leading HIPAA regulators to push back the compliance deadline.
“We started looking into secure e-mail, along with all the other HIPAA regulations,” Grynovich says. “Over the course of HIPAA growing bigger and bigger, getting closer to their deadline, they relaxed their requirement a little for secure e-mail systems due to the exorbitant cost of encrypting e-mail. Other companies are going with $10,000- to $15,000-a-year contracts. Sooner or later, secure communications will be a requirement, so we’re just trying to get a step ahead.”
To find a secure e-mail solution, Grynovich estimates that he contacted about 20 vendors. “I went in with kind of a rude attitude,” he says. “I said, ‘Just give me a cost first before I decide.’ That turned a lot of people off.” One company, CenturionSoft, wasn’t turned off, however.
CenturionSoft offers a secure e-mail product called CenturionMail that installs on top of Outlook and, according to Grynovich, offers a robust, but simple, solution.
“We started testing the program, and its ease of use was just amazing,” he observes. “As for security, it offered everything the other major vendors did, and the fact that it wasn’t any extra burden on our Exchange servers was a huge plus. Another big plus was that we didn’t have to train our personnel to use it. When they can open it up from scratch to finish and not ask any questions, that’s beautiful.
“The only thing I have to tell the users is to click on the lock icon. That brings up a little pop-up window that asks them for a password. Once they provide that, they have rights to that file.”
CenturionMail was also easy to deploy, Grynovich says. “When we first started, I went around and installed it for a few of our physicians and financial people. As we looked to push it out throughout the hospital, I just used our deploy software—no problem.”
A feature of CenturionMail lets Grynovich attach “time bombs” to secure e-mail messages and attachments. If the information sits in a client’s e-mail inbox longer than a specified time limit—say, 30 days—the message cannot be decrypted and is automatically destroyed.
Another feature that appealed to Grynovich was the fact that CenturionMail is already HIPAA-approved. That, he says, was something his research into e-mail security systems rarely turned up. Of the more than 20 companies Grynovich evaluated, only a few mentioned HIPAA compliance—and those that didn’t mention it offered only vague assurances that their products would meet regulators’ standards.
La Rabida is taking other steps, apart from e-mail security, to keep its patient records secure and comply with HIPAA regulations.
“We have our auditors coming in and looking through our systems and checking who has access to what files,” Grynovich notes. “We’re using another software product, called PasswordCourier [from Courion] to synchronize passwords and enforce password policies.”
On the belief that hardcopy records are less secure than their electronic equivalents, La Rabida is getting rid of as much paper as it can. “We are looking at some off-site solutions to store all our medical records, where the records would be available electronically so we wouldn’t have to keep any paper records here,” Grynovich says. “That might be coming within the next year or so.”