Massive global changes are shifting the way people live and work — requiring organizations to rethink their teams, processes, technologies and how they engage their clients to stay competitive. For some, this rethinking occurs through a digital transformation process that principally means “we’re moving to the cloud”. But for other organizations, including a leading US healthcare insurer, the needed transformation necessarily required a change in the underlying operating model for the business.
For this healthcare insurer the transformation began by launching a new line of business that places their customer (aka member) at the center of their operations, with dedicated Care Coordination teams providing personalized services to members. Among the associated process changes was an expanded role for email in improving communications with members and the healthcare providers who service members.
Easy & Secure Member Communications
For managing the member relationship, including all communications with members, the insurer selected SugarCRM. And to provide the best possible member experience, while continuing to meet PHI data protection requirements, the insurer chose eShare to secure all emails originating from SugarCRM.
Key to this selection was eShare’s ability to present an entirely white-labeled email experience to the member, minimizing any phishing concerns, and leveraging and strengthening the brand the insurer had created for its new business line. On top of that, the eShare solution eliminated the need for members to create (and likely forget) a new account and password to access emails from the insurer. This is a small but important element of putting the member’s needs first wherever possible.
Provider Communications Equally Important
The insurer’s new operating model also required significant improvement in how communications with healthcare providers are conducted and how requests for information are fulfilled. The heavy reliance on faxing had to change, especially when time-critical care decisions are required. One such example is a member’s challenge to a hospital discharge decision and the independent review by doctors and other professionals that ensues.
eShare allows the insurer to easily create a secure email that includes a link to a case-specific virtual data room into which healthcare providers can easily, quickly and securely upload medical records, billing information and other sensitive documents using a web browser on most any device. And all participants in the virtual data room can view files, again using any device with a web browser. No software downloads, no installs and no account creation are required.
Crucial to this use case is the ability of healthcare providers to invite other providers to contribute files to the virtual data room, as seldom is there a single provider responsible for the care of a member. Though the virtual data room notification may be initially sent to a single recipient, this recipient can invite a colleague to access the data room with the same rights and privileges. This re-sharing capability can be configured to require the insurer’s OK in all cases, no cases or only when the additional recipient is in a different organization than the original.
HIPAA Compliance is Only the Beginning
The insurer quickly realized that eShare was capable of doing more than securing its email communications with members and providers and meeting its HIPAA obligations. They saw that there were both security and productivity benefits in replacing all email attachments with links.
Like most organizations, the insurer’s employees instinctively rely on email when needing to share files with outside parties. Rather than fight this “muscle memory”, the insurer has decided to embrace it, with appropriate controls when PHI is present. In doing so the insurer takes full advantage of its Microsoft AIP-based data classification program and eShare’s ability to share information without giving data away in all cases.
The process is this:
- If an email attachment contains PHI data, either determined by an existing AIP-driven classification label or a DLP-driven scan of the file, the attachment is replaced with a link and the file stored in the sender’s OneDrive. Recipient access to the linked attachment requires authentication and that the recipient organization have a Business Associate Agreement executed with the insurer. eShare performs these checks.
- If the attachment does not contain PHI but is greater than 15MB in size, the file is replaced with a link and the file stored in the sender’s OneDrive. The linked file can be viewed and downloaded for 90 days with no authentication required.
- The insurer will lower the file size limit each month so that they are eventually replacing all email attachments with links.
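The rules above as a small policy model, added here as an illustration; it is not eShare's or the insurer's code. The names `Attachment`, `Link`, `handle_attachment` and `may_open` and the label value `"PHI"` are assumptions, and the size limit is a parameter because the text gives only its starting value of 15MB.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MB = 1024 * 1024
LINK_LIFETIME = timedelta(days=90)      # from the text: non-PHI links work for 90 days
PHI_LABELS = frozenset({"PHI"})         # assumed label name; real AIP labels are tenant-defined

@dataclass
class Attachment:
    name: str
    size: int                    # bytes
    aip_label: Optional[str]     # existing classification label, if any
    dlp_hit: bool                # result of a DLP content scan

@dataclass
class Link:
    name: str
    phi: bool
    expires: Optional[datetime]  # None: the text states no expiry for PHI links

def handle_attachment(att, sent_at, size_limit):
    """Return the Link that replaces the attachment, or None to send it unchanged."""
    # PHI is tested first so a large PHI file never gets the open 90-day link.
    if att.aip_label in PHI_LABELS or att.dlp_hit:
        return Link(att.name, phi=True, expires=None)
    if att.size > size_limit:
        return Link(att.name, phi=False, expires=sent_at + LINK_LIFETIME)
    return None

def may_open(link, now, authenticated, recipient_domain, baa_domains):
    """Access check made each time a recipient follows the link."""
    if link.expires is not None and now > link.expires:
        return False
    if not link.phi:
        return True              # non-PHI: no authentication required
    return authenticated and recipient_domain.lower() in baa_domains

# Constructed sample data.
SENT = datetime(2024, 1, 1)
BAA = {"clinic.example"}
scan = Attachment("scan.pdf", 40 * MB, None, dlp_hit=True)        # unlabeled, DLP finds PHI
deck = Attachment("benefits.pptx", 20 * MB, "General", dlp_hit=False)
```

Because the BAA check runs in `may_open` rather than at send time, removing a domain from `baa_domains` cuts off access to links that were already sent.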
Replacing attachments with links provides the insurer with several important benefits.
- Files, in some cases containing PHI, are no longer sitting in the email system of the recipient, subject to hacking and accruing risk by the day, long after the business need in sharing the file has been met. The risk of loss and misuse of files shared as email attachments diminishes each day that eShare is used.
- Fine-grained controls and expiration dates can be applied to shared files, and these controls can be modified at any time or access terminated (e.g. recipient org suffers an email hack or a BAA is terminated). By providing an easy, web-based workflow to extend access to files, expiration dates are encouraged with no penalty from a workflow standpoint.
- Large files, which the recipient’s email system may otherwise reject, can now be shared via email. Not only is employee productivity improved, but the satisfaction level of the recipient, in many cases members, is also improved.
The insurer has achieved several of its business transformation goals with eShare and has already identified file-based workflows that can be further automated to improve the member experience and increase operational efficiency. Vital to these new use cases will be the eShare REST API, which allows tight integration into the insurer’s custom and SaaS-based applications.