Is Virtru HIPAA Compliant?

Compliant Tools
September 30, 2021
Virtru is one way you can secure your messages, file sharing, and workspace collaboration through email. But... is it HIPAA compliant?

Is Virtru Compliant with HIPAA?

If you’re familiar with HIPAA in any way then you know that one of the core focuses of the law is to ensure that personal health information (PHI) is always protected. This can be tricky when communicating and collaborating outside of a secure electronic health information exchange.

Even a reasonably secure email provider like Gmail or Outlook brings inherent risks. Once information leaves your inbox or private drive, it’s almost impossible to fully control it on these platforms.

Messaging the wrong contact, hitting reply-all instead of just reply, accidentally looping the wrong person in, or attaching the wrong file can all land you in major trouble.

Since eliminating email isn’t realistic, third-party tools are often used to shore up security. Virtru is one of the ways you can secure your messages, file sharing, and workspace collaboration.

What is Virtru?

Virtru is a data protection platform. It lets you encrypt, control, and manage your emails, attachments, shared files, and collaborative workspaces.

You can use it to manage how your emails or files are stored, shared, and forwarded. You can add watermarks, see who’s opened a message, and even take back sent messages after they’ve been opened. Virtru also provides end-to-end encryption which guarantees that only you and your recipient can decrypt the message.

Virtru isn’t an email provider itself but rather it works as an add-on, or integration, with common email providers like Google and Microsoft. You can also use it with custom or enterprise email applications.

Virtru is one way that you can secure your emails, files, and information.

What Makes Emails and File Sharing HIPAA Compliant?

Using a secure email provider isn’t enough for HIPAA. The Health Insurance Portability and Accountability Act outlines strict requirements for protecting electronic personal health information as it’s transmitted and stored.

Protected health information must always be kept secure, confidential, and restricted using physical, technical, and administrative measures.

These measures include data access control, audit controls, user verification, data authentication, secured transmission, and restricting and securing the facility where PHI is physically stored.

These rules don’t just apply to healthcare providers or organizations. They extend to any third party who will handle the PHI, like email providers, collaboration tools, or cloud solutions.

These third parties are considered HIPAA Business Associates and they need to meet all these conditions.

An email provider handling PHI must be able to restrict access to the email and data to only authorized individuals, give the owner unfiltered control and be able to track and audit everyone who’s accessed the information.

This can be tricky when dealing with emails that are sent to other organizations or individuals.

Does Virtru Meet HIPAA Standards?

Yes, Virtru has taken the steps to meet and exceed HIPAA’s standards. Virtru’s platform is built for data security and privacy protection. This starts with complete end-to-end encryption. It even has a native encrypted search feature to protect sensitive information from insecure tools.

Virtru works within your email provider’s infrastructure. Every message, file, or attachment is wrapped in an encryption code the instant it’s created, using Virtru’s own Trusted Data Format (TDF).

It automatically archives data being created and sent through the outbound encryption process. This ensures that any patient who wants to review their personal information can do so.

Anyone who wants to open a message that’s been sent through Virtru must first confirm their identity, either through a verified email account or another authentication method.

You retain control of data that’s been emailed or shared, even if it’s left your organization. You can prevent emails or attachments from being forwarded, revoke access at any time, or set access to expire.

Downloadable files contain Virtru’s Persistent File Protection which keeps them secure after they’ve been downloaded. They can only be read using Virtru’s Secure Reader which also verifies user identities for each one.

These safeguards ensure the information will only be seen by who it’s intended for. You can confirm this using Virtru’s auditing controls.

Virtru monitors and traces everything it protects. It keeps track of who accessed data, when, where, and how. Its activity analysis capabilities exceed HIPAA standards, making these audit trails HIPAA compliant.

You can meet HIPAA’s administrative standards by actively managing your access policies. Virtru lets you give explicit access permission for every message or file. You can set up organizational policies and create protection rules for certain content types. These policies can be revised or updated at any time.

Virtru is a robust platform. All of its product and technical capabilities, through the upgraded paid version, either meet or surpass HIPAA requirements.

Does Using Virtru Make You HIPAA Compliant?

Simply switching to Virtru won’t make your emails HIPAA compliant. HIPAA requires you to enter into a formal legal contract with any third-party or business associate you engage to store, process, or interact with sensitive information.

This is done through a Business Associate Agreement. In this written contract, your business associate promises to safeguard the PHI and comply with HIPAA standards. This agreement also extends certain liabilities to third-party entities.

Virtru will sign a business associate agreement with you if you are under one of their paid plans. Their support team will give you all the documents you need to fill out. Virtru will then process it, countersign, and send the document back to you.


Virtru offers everything you need for HIPAA-compliant messaging, file sharing, and collaboration. And they’re willing to hold themselves liable for safeguarding your PHI data by signing a business associate agreement.

It isn’t an email provider, but it can make your use of Gmail, Microsoft Outlook, or enterprise applications HIPAA compliant. As long as you have your BAA in place, any emailing, file sharing, or collaboration secured by their platform is HIPAA compliant.

That said, your company itself still may not be. It’s possible to violate HIPAA while using HIPAA compliant software and platforms. HIPAA compliance is about more than the privacy-securing tools you use. It takes a readjustment of your entire company culture.

There are new risks to consider, like anyone working remotely, out-of-office, while commuting, or performing any job functions on their own device. Making your way through these challenges can be difficult. That is why Accountable is here to make HIPAA compliance simple for you. Create a free trial or schedule a call with us today to learn more!

Compliance Managment Full Hexagon logo

Expert compliance support, on-demand

Accountable Compliance Success Managers are dedicated to making sure your company is fully compliant as we guide you step-by-step through the process of achieving HIPAA compliance.
Expert guidance
Build trust
Dedicated Compliance Success Managers
HIPAA Training
Decrease risk
Close more deals