Tuesday, 19 December 2017

Can Email Create HIPAA Compliant Alerts?

Written by Orlee Berlove, Director of Marketing at OnPage

For healthcare providers, email is frequently used for communication between professionals. It is how healthcare professionals often seek out consults or necessary information from their colleagues.

But what happens when the physician or practitioner needs to use an email workflow to send their colleagues a critical alert? Similarly, what if the nursing station needs to get a hold of the doctor on call?

Traditionally, the solution would be – in each of these scenarios – to page the needed person.

You know… pagers.

They’ve been around for a while and their selling point is that the technology behind them is fading.

RELATED: Still Sending PHI Over Fax? We Need to Talk.

Fortunately, there are technologies like OnPage which vastly improve the reception and persistence of the alert through our phone to page feature.

But what if your healthcare facility is fixed on an email workflow? Luckily, there’s a way to make that work, too.

Email to OnPage

In the past, we have discussed how emails can be used to create critical alerts in OnPage. The whole process is rather straight forward:

  1. Open your email client
  2. Write your message
  3. Address a High Priority alert by using OnPageID@OnPage.com
  4. Address to a Low Priority alert by using OnPageID@Low.OnPage.com
  5. Hit ‘Send

The usefulness of email to alerting is highlighted by the fact that it is agnostic. Any email client can be used to create a message that can then be sent to OnPage. Gmail, Outlook, Yahoo or a hospital email can all be used to send alerts.

Paubox to OnPage

The process above works great if you are sending a straightforward message like:

Give Ms. Jones a call at 555-123-4567

(or)

Dr. Lazarus,

I need your consult on a radiology report I received.

-O.B.

But what if you need to send a message with content that needs to be HIPAA compliant? For example:

Dr. Lazarus,

Please view the attached MRI from radiology for Jon Smith. Initial testing on tumor is inconclusive.

Dr. Frank

This message contains patient specific images and patient-specific information. According to HIPAA dictates, this information needs to have SSL-encryption end to end.

For a situation like this, using Paubox in conjunction with OnPage is a good solution. Paubox’s HIPAA compliance and encryption secure the message when it is sent and OnPage’s platform ensures the continued HIPAA-compliant encryption once the message is received.

READ MORE: What is HIPAA? Or is it HIPPA?

The advantage of using Paubox along with OnPage is that the sender can provide greater, in-depth messaging. The need for brevity is momentarily bypassed and there can be greater clarity in the text.

This sort of workflow is ideal when the message sender is at a desk and has the ability to compose a message with greater detail.

Houston – we have a message

The message arrives to the practitioner with a persistent alert that lets them know their attention is required. The need for immediacy is conveniently married to the need for security.

Once the message has been sent from Paubox and received, the sender will get a confirmation email that works as an audit trail

How to get ahead of the future – today

HIPAA compliance is a huge issue that hospitals cannot ignore and hope goes away. Sorry guys. It’s not going anywhere. In fact, the need for HIPAA compliant communications is only going to increase in the months and years to come.

Given this eventuality, it only makes sense to get a leg up on the future by adopting the HIPAA compliant workflow described in this blog.

Monday, 18 December 2017

Can I use Mixpanel and be HIPAA Compliant?

Can I use Mixpanel and be HIPAA Compliant? - Paubox

Lately, we’ve been discussing in the office whether certain cloud-based solutions are HIPAA compliant or not. Mixpanel is a popular business analytics service that tracks user interactions with web and mobile applications.

We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.

In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:

Today, we will determine if Mixpanel offers HIPAA compliance or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

About Mixpanel

Mixpanel is a popular web analytics company that’s based a few blocks away in San Francisco. It tracks user interactions with web and mobile applications and provides tools for targeted communication with them. Its toolset also contains the ability to perform A/B tests and user survey forms.

Mixpanel and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.

We checked Mixpanel’s site and were unable to find any information on their ability to sign a BAA.


The Mixpanel Terms of Use page however, made a reference to protected health information (PHI):

“4.3 Customer agrees to comply with all applicable privacy and data protection regulations. Further, Customer agrees to not use the Application Services to send Mixpanel Sensitive Information. “Sensitive Information” shall means information the unauthorized disclosure of which could cause material, severe, or catastrophic harm or impact to Mixpanel, any data subjects or third parties, including but not limited to … genetic, bio-metric, or health data, personally identifiable information”


We also found the Mixpanel Infrastructure page, which states:


Customer data is hosted with providers compliant with:

  • SOC 2
  • ISO 27001
  • EU Privacy Shield
  • HIPAA

It should be noted however, Mixpanel is not directly claiming they are HIPAA compliant, but rather the vendors they do business are.


As a last check, we reviewed the Mixpanel Privacy Policy.

We were unable to find any reference to HIPAA, Protected Health Information, or Business Associate Agreement.


Does Mixpanel Offer HIPAA Compliant Service?

The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate.

Mixpanel’s Terms of Use page yielded the information we were looking for.

Mixpanel explicitly states their customers are not allowed to send it sensitive information. Mixpanel also classifies “health data” or PHI as sensitive information.

Conclusion

Mixpanel is not HIPAA compliant.

Saturday, 16 December 2017

Sending a Fax in 2017 – My Paubox Induction

I did something today that I had not done in a very long time. I sent someone a fax.

My instructions were to transmit a facsimile – or fax – to the number of Paubox’s advisor, Geoff Clapp.

My immediate reaction was panic.

I couldn’t even remember the last time I had even seen a fax machine. Did they still exist? Could I get to one by the end of business hours?

RELATED: A Wake for the Fax Machine -Paubox SECURE Conference

A bit of research online calmed my nerves a bit. I found a FedEx Office Print and Ship Center and confirmed by phone that they indeed had a fax machine that I could use.

So far, so good.

I arrived at the store, grabbed a cover sheet and filled it out.

I fed the cover sheet and the document I wanted to send into the machine and used the keypad to dial the fax number.

My first attempt was unsuccessful, as I didn’t realize that I had to feed the paper in face down.

That was $3 down the drain.

After two tries and about 10 minutes, I headed back to work with my confirmation sheet and newfound empathy for anyone who relies on a fax machine for sending information.

If it took as long as it did for me to send one fax consisting of just one page, what would my day be like if I had a send several faxes, each with multiple pages?

I probably wouldn’t be able to get much else done. Thank goodness for email.

Friday, 15 December 2017

1000 Free Spam Musubi: Mahalo to SF and Mayor Ed Lee

1,000 Free Spam Musubi: Mahalo to SF and Mayor Ed Lee - Paubox
This is what 1,000 spam musubi looks like


  • To celebrate our 1,000th customer, we gave away 1,000 spam musubi in San Francisco today.
  • In memory of Mayor Ed Lee, we also donated $500 to Project Homeless Connect.
  • Team Paubox had a blast giving back and showing thanks to the city that’s given us ample opportunity.


To show our gratitude to the city of San Francisco, we gave away 1,000 spam musubi this morning at the Powell BART stop.

We chose the number 1,000 to also celebrate our 1,000th customer. We now have 1,000 customers in all 50 states and 4 countries.

With the tragic passing of Mayor Ed Lee earlier this week, we wanted to honor his memory by donating $500 to a favorite charity of his, Project Homeless Connect (PHC).

Caleb Plakun from PHC met us at our event to take a picture with us. He liked our oversized check so much he said he’s going to hang it on his wall at work. Thanks Caleb!


Caleb Plakun from Project Homeless Connect joined us for a picture
Caleb Plakun from Project Homeless Connect joined us for a picture - Paubox

Last year we gave away 500 spam musubi and also 500 Kalua Pig and Rice bowls. Both of those events took over an hour to complete.

In 2015, we gave away 100 spam musubi and 100 pairs of socks. With only three employees at the time, that took us nearly two hours.

This year with more staff and an optimized approach, we gave away all 1,000 spam musubi in under an hour.


Greg Hoffman quickly implemented a double down handout approach
Greg Hoffman giving away 1,000 spam musubi - Paubox

Team Paubox had a great time giving away a taste of Hawaii to the people of San Francisco.

I am very proud of our team.

Here’s to 2018 and beyond!


We gave away 1,000 spam musubi in under an hour
1,000 Free Spam Musubi: Mahalo to SF and Mayor Ed Lee - Paubox
Our new friend Marvin Williams generously gave his time and helped us hand out spam musubi
Our new friend Marvin Williams - Paubox
Action shot of Shannon Honda passing out free spam musubi on Market Street
1000 Free Spam Musubi: Mahalo to SF and Mayor Ed Lee - Paubox
Arianna Etemadieh captured great content today
1000 Free Spam Musubi: Mahalo to SF and Mayor Ed Lee - Paubox
Merry Christmas from Paubox
1000 Free Spam Musubi: Mahalo to SF and Mayor Ed Lee - Paubox
We found that yelling “Free Food!” or “Breakfast of Champions” or “Free Spam Musubi!” worked well
1000 Free Spam Musubi: Mahalo to SF and Mayor Ed Lee - Paubox
Pau!
1000 Free Spam Musubi: Mahalo to SF and Mayor Ed Lee - Paubox

Thursday, 14 December 2017

Mayor Ed Lee’s Connection to Hawaii

Mayor Ed Lee’s connection to Hawaii - Paubox
San Francisco Mayor Ed Lee at the 2016 HCCNC Gala


    • Mayor Ed Lee made a lot of Hawaii friends during his days at UC Berkeley
    • Mayor Lee was a familiar face at the Hawaii Chamber of Commerce of Northern California Annual Gala

San Francisco Mayor Ed Lee passed away suddenly earlier this week.

While shopping at Safeway on Monday, December 11th, Mayor Lee suffered a heart attack. He passed away in the early hours of December 12th after several attempts to save his life. His office has not released his official cause of death yet.

Mayor Lee’s sudden passing came as a shock to many in San Francisco. He had been the city’s mayor since 2011 and made history as the first Asian American to hold the office. But beyond his term as mayor, he had always been a presence in the Bay area.

While he was a student at UC Berkeley, Mayor Ed Lee felt the best parties were thrown by the kids from Hawaii, so he’d spend a lot of time with them. It was great to see him first-hand continuing to spend time with the Hawaii crowd after his college years.


Mayor Ed Lee at the 2017 HCCNC Gala
Mayor Ed Lee stopped by - HCCNC 2017 Gala at the Westin St. Francis Hotel - Paubox

At Paubox, we feel strong connections to both Hawaii and our home now in San Francisco.

San Francisco is an auspicious city to grow a tech company and we believe in giving back to show our gratitude.

In 2015, we said Mahalo to the Mission by handing out 100 free spam musubi and 100 pairs of socks.

Then in 2016, we celebrated our acceptance into 500 startups by giving away 500 free spam musubi.

Last Christmas, we gave away 500 Kalua Pig and Rice Bowls at the Mission 16 BART stop.

This year, to celebrate our continued growth, we’re giving away 1,000 free spam musubi at the Powell BART stop at 8AM on Friday, 15 December 2017.

Paubox donates $500 to Project Homeless Connect in memoriam of Mayor Lee

Many people saw Mayor Lee was a man of the people. As mayor, he oversaw the city’s transition into the current tech boom. To help with employment, his administration gave major companies tax breaks to stay in the city. He also tried to resolve the soaring rental and home ownership costs and a regional housing shortage.

According to Mayor Lee’s office, the city was on track to fulfill his 2014 pledge to create 30,000 new and rehabilitated homes by 2020.

In memoriam of Mayor Lee and his efforts towards San Francisco housing, we’ve also donated $500 to Project Homeless Connect.

Project Homeless Connect’s mission is to connect San Franciscans experiencing homelessness with the care they need to move forward. The organization strengthens and utilizes collaborations with city agencies, businesses, and organizations to provide comprehensive holistic services, both at service events and through continued care, for those who are at risk of becoming homeless, are currently homeless or are transitioning from shelter to permanent housing.

Caleb Plakun, a representative from Project Homeless Connect, will join us at our 1,000 spam musubi giveaway tomorrow for a ceremonial photo of the occasion.

We will miss seeing Mayor Lee’s face at the Hawaii Chamber of Commerce of Northern California Annual Gala.

We wish his family the best during this difficult time.

Wednesday, 13 December 2017

How to Choose Effective HIPAA Compliance Software

Written by Frank Sivilli, Content Manager for Compliancy Group

Choosing an effective HIPAA compliance solution for your health care business is essential in defending against HIPAA breaches and fines.

There are many software solutions on the market that give healthcare professionals the ability to address their HIPAA compliance. But when it comes to finding an effective HIPAA compliance software for your practice, it can be difficult to parse the differences between your options.

To help narrow your choices, we’ve put together this guide to give you a sense for the bare-bones essentials that will keep your practice safe in the event of a HIPAA audit.

What should effective HIPAA compliance software include? 

1. Self-Audits, Security Risk Assessment

HIPAA compliance software must give you the ability to audit your practice against the HIPAA rules. These audits give you a baseline assessment of the security and privacy measures you already have in place and how they compare to the HIPAA standards.

Security Risk Assessments are also a mandatory component of HIPAA compliance.

Most HIPAA software solutions will give you the ability to complete your Security Risk Assessment, but don’t follow through on remaining HIPAA requirements. Keep in mind that incomplete software solutions will leave your practice exposed to HIPAA breaches and fines, even with a Security Risk Assessment in place.

2. Remediation Plans

Any effective HIPAA compliance software must allow your practice to create remediation plans in response to the gaps uncovered by your self-audits and security risk assessment. Remediation plans are an essential part of becoming HIPAA compliance because they provide the government with proof that your practice has performed due diligence.

A good HIPAA compliance software should give your organization the ability to document and retain all components of your remediation plans with an area for notes and important details tailored to the specific steps taken to remediate your practices’ gaps.

3. Policies, Procedures, Employee Training

One of the essentials of any HIPAA compliance program is a robust and unique set of HIPAA policies and procedures. It’s especially important that the HIPAA compliance software you choose gives you the ability to create, customize, and apply policies and procedures in your practice.

Policies and procedures are the infrastructure around which the rest of your compliance program will be built. The HIPAA Rules outline specific standards for privacy and security that must be implemented, and your organization’s policies and procedures should correspond with all applicable standards.

HIPAA policies and procedures must be updated annually to account for any changes in the running of your organization—an effective HIPAA compliance software should send your reminders or give you support to ensure you meet these annual deadlines and avoid common HIPAA violations.

Once you’ve adopted and applied your policies and procedures, all staff members must be trained on them annually. They must legally attest that they’ve read and understood the policies and procedures of your organization. An effective HIPAA compliance software should have modules for employee training, in addition to documentation capabilities to keep employee attestation stored for at least six years, as mandated by HIPAA.

4. Documentation

Documentation is the most important aspect of any HIPAA compliance program. Without proper documentation of your compliance efforts, your practice will not be able to properly defend itself in the event of a HIPAA audit.

An effective HIPAA compliance software should be able to create documentation for each and every step of your compliance program. This documentation must be retained for at least six years in order to adhere to federally mandated HIPAA standards, and your HIPAA software should be able to maintain these records on your behalf.

5. Business Associate Management

HIPAA regulation requires health care professionals to execute contracts with their health care vendors before they share health care data. These contracts are called Business Associate Agreements (BAAs), and they’re meant to protect your practice from liability in the event of a breach caused by a health care vendor.

An effective HIPAA compliance software should come included with pre-vetted Business Associate Agreements, in addition to a means for properly storing them once they’ve been executed and signed. Because Business Associate Agreements must be reviewed annually, HIPAA compliance software should also allow users to easily review stored files to make necessary changes and avoid HIPAA violations caused by out of date or missing BAAs.

6. Breach/Incident Management

The final component of an effective HIPAA compliance software we’ll discuss is Incident Management. Any time a healthcare organization experiences a data breach, that breach must be tracked, documented, investigated, and reported to HHS OCR.

An effective HIPAA compliance software should give users the ability to track and document all stages of a data breach or incident investigation. In the event that the data breach spurs an OCR HIPAA investigation, the affected organization must be able to demonstrate the steps they’ve taken in the aftermath of a breach.

Once again, documentation is key here, not only because it’s legally required by the HIPAA Breach Notification Rule, but because it’s essential to protecting the affected organization from ensuing HIPAA fines.

Why should you choose a total HIPAA compliance software? 

Choosing a total HIPAA compliance software gives your practice a way to handle HIPAA right the first time around. Piecemeal, self-serve software solutions waste time and don’t give your practice everything needed to become HIPAA compliance. Without a HIPAA compliance software that addresses each of the HIPAA standards listed above, your practice could be at risk of incurring serious HIPAA fines.

HIPAA enforcement has ramped up significantly in recent years, now totaling more than $46 million since 2015 alone.

Protecting your practice and your reputation from HIPAA breaches and fines is easier than ever before, especially with total HIPAA software solutions that work for you.

About Compliancy Group

Compliancy Group gives health care professionals confidence in their HIPAA compliance with The Guard®. The Guard is a total HIPAA compliance solution, built by former auditors to help simplify compliance.

Tuesday, 12 December 2017

Paubox Becomes a G Suite Authorized Reseller

2017 has been a great year for Paubox. We added new faces to the team, added new products and features, and held our first annual digital health security conference – and that’s just a few of the many successes we had in 2017.

As we look ahead to 2018, we’re excited to grow and evolve Paubox for bigger and better things. For example, we are proud to announce that Paubox has become a G Suite Authorized Reseller.

Why did Paubox become a G Suite Authorized Reseller?

In the past, we hosted email as a way to help our customers who needed it, but we never intended to be in the email hosting business.

We realized that in order to stay focused on our core business – HIPAA compliant email – we needed to move on from email hosting.

But we still wanted to provide a solid email hosting solution for customers, so we became authorized resellers of G Suite, which seamlessly integrates with Paubox.

When it comes to email encryption, we at Paubox prioritize two things: security and user experience. Both have equal weight in importance.

Regarding security, Paubox seamlessly secures your message from end-to-end with industry-standard Transport Layer Security (TLS) and up to 256-bit AES encryption.

As for user experience, many of our customers range from small practices to large organizations. Despite obvious differences, they all have one thing in common: they are businesses.

G Suite’s products, such as its easy to use email messaging, calendar, Google Drive and more, are assets every business can use. Paubox ensures that every email communication through G Suite – even Calendar email reminders – is encrypted and HIPAA compliant.

READ MORE: Can I use G Suite (Google Apps) and be HIPAA Compliant?

What happens if I sign up for G Suite through Paubox?

If you sign up for G Suite through Paubox, the first thing you will notice is a 20% discount for G Suite.

G Suite’s typical pricing is $60/year per user. Paubox offers G Suite for $48/year. 

After you register for Paubox and G Suite, our Customer Success team will help answer any questions you have during or after the set-up process. You won’t have to worry about multiple bills either. To help keep everything organized, you’ll only have one invoice from Paubox.

If you already have G Suite, our team can help you transfer your account under our Paubox G Suite umbrella so you can save and send your email in a HIPAA compliant manner.

What if I’m already a Paubox hosted email customer?

For current customers, don’t worry. Your hosted Paubox account will stay active for as long as you need it. You also have the option to upgrade to a G Suite account.

What if I use another email provider, like Office 365?

Paubox still seamlessly integrates with other email providers, such as Office 365 or Microsoft Exchange Server.

You do not have to purchase G Suite if you want Paubox’s email encryption. We simply offer G Suite if you need help with email hosting.

If you would like to add G Suite and Paubox’s HIPAA compliant email to your business, contact us at getstarted@paubox.com.

How Doctors Can Respond to the Opioid Crisis Without Violating HIPAA

In HIPAA, healthcare professionals are forbidden to disclose protected health information without a patient’s consent.

But what about in the case of an emergency?

Defining an emergency situation can create obstacles for the loved ones of the emergency patient. Family support is crucial to providing the proper care and treatment of people in an emergency situation, like an opioid overdose.

In emergency situations, healthcare providers can share PHI with a patient’s family members without violating HIPAA regulations – but the amount of information they can share is limited. The HHS clarified what can be shared in a recent publication.

What information can a healthcare provider share without a patient’s permission?

In times of crisis, healthcare providers can share certain PHI to the patient’s family members without violating HIPAA. But the situation must meet both of these provisions:

  • The family or close friend helps take care of the patient
  • Sharing the PHI is in the patient’s best interest
  • The information shared is directly related to the family or close friend’s care of the patient or their payment for the treatment

For example, in the case of an opioid overdose, the healthcare provider can speak to the patient’s parents (after making this decision using professional judgment) and discuss the overdose and information related to the overdose.

However, the healthcare provider cannot share any medical information unrelated to the overdose without permission – even if the person could prevent or reduce the threat to the patient’s health or safety.

But there is one exception.

With this opioid overdose example, a doctor may inform the patient’s family, friends or caregivers about the opioid abuse if the doctor feels that the patient could harm themselves with continued opioid abuse after being discharged from the hospital.

When warning about a serious or imminent threat, the doctor is presumed to be HIPAA compliant.

HIPAA restricts sharing personal health information without a patient’s consent out of respect for the patient

If a patient is capable of making a decision, the healthcare provider must give the patient the opportunity to consent or object to sharing their PHI with the individuals responsible for the patient’s care or payment of care.

If a doctor shares PHI to a patient’s loved ones when the patient forbids it with decision-making capability, they have committed a HIPAA violation. The only exception to this rule is if the patient is in serious or imminent danger to their health.

HIPAA acknowledges a patient’s decision-making ability may change during treatment

In emergency situations, such as an opioid overdose, a patient may regain consciousness to the point of being capable of making decisions.

When this happens, the patient must approve or reject any additional information the doctor shares with loved ones.

Doctors and nurses can share PHI if a patient is severely intoxicated or unconscious and if they feel it is in the patient’s best interests. Both of these conditions must be met before any PHI disclosure relating to the patient’s care or payment for the care.

However, if the patient regains consciousness and forbids any additional information from being shared, the healthcare provider can still share information to prevent or lessen a threat to a patient’s health or safety.

HIPAA recognizes a patient’s personal representative (according to state law)

In the case of a patient’s personal representative, HIPAA grants this individual the right to “request and obtain any information about the patient that the patient could obtain, including a complete medical record.”

A personal representative is a person who has authority in healthcare decisions for the patient under state law. This representative can be determined from a parental relationship between a parent/guardian and a minor, or from a “written directive, health care power of attorney, appointment of a guardian, a determination of incompetency, or other recognition consistent with state laws to act on behalf of the individual in making health care related decisions.”

Can I Use iMessage and Be HIPAA Compliant?

Can I Use IMessage and Be HIPAA Compliant? - Paubox

Lately, we’ve been discussing in the office whether certain cloud-based solutions are HIPAA compliant or not. iMessage is an encrypted instant messaging service developed by Apple.

We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.

In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:

Today, we will determine if Apple iMessage offers HIPAA compliance or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

About Apple iMessage

Apple iMessage is is an instant messaging service developed by Apple. It was launched in 2012 with iOS 5 and OS X Mountain Lion.

iMessages are texts, photos, or videos that are sent to other iOS devices and Macs over Wi-Fi or cellular-data networks. iMessages are encrypted and appear in blue text bubbles.

Can I Use iMessage and Be HIPAA Compliant? - Paubox

Apple iMessage and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.

We checked Apple’s corporate site and found an important piece of information on the iCloud Terms and Conditions page.

On that page, Apple states:

“If you are a covered entity, business associate or representative of a covered entity or business associate (as those terms are defined at 45 C.F.R § 160.103), You agree that you will not use any component, function or other facility of iCloud to create, receive, maintain or transmit any “protected health information” (as such term is defined at 45 C.F.R § 160.103) or use iCloud in any manner that would make Apple (or any Apple Subsidiary) Your or any third party’s business associate.”


Although we could not find a specific mention of iMessage and Apple’s stance on it for HIPAA compliance, we can infer several things:
  1. We could not find any cloud-based products or services for which Apple offers to sign a BAA for.
  2. In June 2017, Apple announced it’s bringing iMessage to its iCloud platform.
  3. If iCloud is specifically not HIPAA compliant, then we know that by bundling iMessage into it natively that iMessage is also not HIPAA compliant.

Does Apple iMessage Offer HIPAA Compliant Service?

The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate.

Apple’s corporate site quickly yielded the information we were looking for.

First of all, their site clearly states iCloud is not HIPAA compliant. By virtue of iMessage being folded into iCloud this year, we can conclude iMessage is also not HIPAA compliant.

In addition, Apple makes zero mention anywhere on its site of its ability to sign a BAA for any of its cloud-based services.

Conclusion

Apple iMessage is not HIPAA compliant.

Do not use Apple iMessage if you are bound by HIPAA regulations.

Friday, 8 December 2017

How Does a Paubox Encrypted Contact Form Work? (With Pictures)

Every premium Paubox account comes with one encrypted email address and one encrypted contact form.

The encrypted contact form allows you to receive basic patient information in a HIPAA compliant email straight to your inbox, avoiding the hassle of hard copies, scanning and manual entry.

Sounds straightforward enough. But when it comes to gathering basic information from a patient, it can go one of two ways.

Scenario 1:

  1. Staff has to hand out paperwork
  2. Patients have to take the time to enter in their information by hand
  3. Staff need to file the forms appropriately, sometimes requiring scanning or manual entry into record systems

If a form is incomplete or not filled out properly, your staff spends valuable time chasing down the answers, only to download, print, fax and process the form all over again.

Scenario 2:

  1. The patient fills out the form on the practice website
  2. The form gets sent in a HIPAA compliant manner directly to your inbox
  3. The form is digitally processed in the inbox with PDF and CSV attachments
  4. The email notification can be digitally archived for easy retrieval later on

When it comes to efficiency and practicality, scenario 2 is clearly the way to go.

How does an encrypted contact form work?

Our encrypted contact forms feature basic fields for patients to fill in, such as their name, email address, phone number, and a brief message. We’ll also include a space where patients can upload up to 50 megabytes of attachments.

After we receive your company logo, we’ll create an encrypted contact form and give you a custom URL to place anywhere on your website.

You don’t need to worry about having a HIPAA compliant website and server because the link will be hosted on our secure Paubox server.

What happens when a patient fills out the form?

When a patient, vendor, or other covered entity clicks on the encrypted contact form link, they will see your form, encrypted with HTTP/2 technology, and your company logo at the top.

This an example of wha the encrypted contact form would look like.

On the bottom right corner, there will be a handy “Encrypted by Paubox” signature so your patients can fill out the form with confidence.

When the patient finishes filling out the contact form and clicks submit, the form is delivered securely to your inbox in the body of the email, PDF and CSV formats, just like the pictures below.

How will the encrypted contact forms change my workflow?

Your workflow will improve with our encrypted contact forms. Our contact forms are easy to use, so you won’t need to give any additional training to your staff. You’ll also be eliminating extra time spent on scanning forms or manually entering them.

The email notification to your preferred email address helps your office manager easily archive the information.

Patients can also fill out the encrypted contact form as many times as they need to, so they don’t need to worry about accidentally entering a typo or submitting a change in their information.

Digital contact forms will reduce backlogs, frustration and delays commonly associated with physical paperwork.

Is Paubox Encrypted Contact Form HIPAA compliant?

Yes. We encrypt the contact forms with TLS encryption that protects the email notification message in transit from one server to another. This makes any PHI sent in the encrypted contact form HIPAA compliant.

Paubox’s encrypted contact forms are perfect for patient engagement and office management when it comes to patient intakes, referrals and other common, repetitive paperwork.

See for yourself how encrypted contact forms can make your practice more efficient with a free no-risk 14-day trial.

Thursday, 7 December 2017

Top 5 Posts from 2017

Top 5 Posts from 2017 - Paubox
In case you missed them, here are the top 5 posts in 2017.


  • Lots of people are interested in learning more about HIPAA Compliant Email.
  • HIPAA is commonly misspelled.
  • A single tweet by Sam Altman caused a considerable spike in traffic.

Paubox offers seamless encryption for secure email, branded storage and HIPAA compliance.
HIPAA Compliant Email
The Health Insurance Portability and Accountability Act (HIPAA), sets the standard for protecting sensitive patient data. Any organization dealing with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed. This of course includes HIPAA compliant email.

Organizations include Covered Entities (anyone who provides treatment, payment and operations in healthcare) and Business Associates (anyone with access to patient information and provides support in treatment, payment or operations). This also includes making sure you have HIPAA compliant email baked in when it comes to your email service provider.
[Read more]


Is Gmail HIPAA Compliant? - Paubox
How to Make Gmail HIPAA Compliant
We have been getting a lot of questions from prospective customers about whether or not Gmail is a HIPAA compliant email platform. In previous posts, we’ve covered email providers like Yahoo, GoDaddy, IPOWER and HostGator and their capabilities for HIPAA compliant email. In this article, we’ll determine if Gmail is HIPAA compliant or not, and what to do about it.
[Read more]
How Large is the HIPAA Industry? - Paubox
What is HIPAA? Or is it HIPPA?
If you are even remotely connected to the health care industry, then chances are you’ve heard of something called HIPAA (sometimes incorrectly referred to as HIPPA).

But other than being a core consideration for health care providers, what is HIPAA?
[Read more]


HIPAA compliant website by Paubox
How to Make Sure You Have a HIPAA Compliant Website
93% of all business decisions starts with an online search. This makes having a website vital for any business, including healthcare providers. However, healthcare providers need to take extra precautions to be sure they have a HIPAA compliant website.

A good website can help providers be “found” in online searches, give them credibility, and provide a way for potential patients to contact you. For healthcare providers, a good website can also make operations more efficient.
[Read more]


Sam Altman - Paubox
An Auspicious 12 Minute Meeting with Sam Altman
I first met Sam Altman on September 24, 2015 at Y Combinator’s Mountain View office. I got lucky and was granted an office visit with him before their next round of formal interviews for YC. I arrived (very) early to their Mountain View office and patiently waited for my meeting.
[Read more]

Wednesday, 6 December 2017

5 Amazing Business Books I Read This Year

5 Amazing Books I Read This Year - Hoala Greevy, Paubox

As described by Ben Horowitz in his book, The Hard Thing About Hard Things, I often wonder:

What is it I don’t know?

And perhaps even more disconcerting:

What should I already know?

It can be a lonely place for a startup founder.

Reading however, appeases my appetite for learning new strategies, new playbooks and new ideas. It’s one of my methods for leveling up.

Maybe someday I’ll have time for reading fiction again but for now, it’s strictly business. In other words, I solely read non-fiction.

Without further ado, here are the Top 5 books I read in 2017. They are listed in the order I’m holding them in the picture above.

If you’re looking for a great business read this holiday season, you can’t go wrong with one of these.

Only the Paranoid Survive, by Andy Grove. This was my favorite strategic book of the year. Andy Grove, who served as Intel CEO for 11 years, dives deep into a term he coined: The Strategic Inflection Point. I got special value out of running the theoretical exercise: “If I got kicked out and the board brought in a new CEO tomorrow, what’s the first thing they’d do?”

Inbound Marketing, by Brian Halligan and Dharmesh Shah. Brian and Dharmesh are the co-founders of Hubspot and the book is a must read for Content Marketers. A central theme to Inbound marketing is making it as easy as possible for prospects to find your company online. This boils down to consistently publishing content. A lot of it. Among a bevy of useful tips and strategies, I really liked the concept of, “How do you get your customers, partners and vendors to create remarkable content for you?”

The Sales Acceleration Formula, by Mark Roberge. Mark was the SVP of global sales and services at Hubspot and its fourth employee. He scaled the company’s annual revenues from $0 to $100M in seven years. To top it off, he joined the team with zero sales experience (he was formerly a quant). His book revolves around the phrase that causes any VC to salivate like Pavlov’s dogs: “Scalable, predictable revenue growth.” I especially liked how he systemized the hiring, interviewing, and scaling of sales teams.

How to Drive Your Competition Crazy, by Guy Kawasaki. A veritable Smithsonian classic in internet years, Guy published this book back in 1995. He even listed his AOL email address (Macway@aol.com)! In case you’re wondering, I already checked- it no longer works. I got value out of his emphasis on focusing competitive efforts on yourself and not other companies. To truly drive your competition crazy, simply delight your customers and avoid confrontation. I also really like this: “Know your customers well enough to satisfy the needs they cannot even express. Then get to know your customers again to satisfy the changes and upgrades they can express.” I’d like to think we are doing precisely that at Paubox.

From Impossible to Inevitable, by Aaron Ross and Jason Lemkin. This was my favorite playbook of the year. Aaron and Jason concisely describe and expound on the three revenue drivers for any B2B SaaS business: Nets (Inbound Marketing), Seeds (Referrals and Customer Success), and Spears (Outbound Marketing). I especially liked this sentence in the book- “Predictable lead generation is the lever to creating hypergrowth.”

I Have A Small Medical Office, Is Sonic Email HIPAA Compliant?

I Have A Small Medical Office, Is Sonic Email HIPAA Compliant? - Paubox

Today we received an inbound inquiry from an owner of a small medical office in Northern California. She asked whether it’s possible to use our HIPAA compliant email solution with her email provider, Sonic.

We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.

In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:

The purpose of this post is to determine if Sonic offers HIPAA compliance or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

About Sonic

Sonic is a telecom and ISP based in Santa Rosa, California. It also acts as a competitive local exchange carrier in the San Francisco Bay Area and Sacramento.

Sonic and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.

We checked Sonic’s site and found no reference of them offering to sign a BAA or their aptitude for providing HIPAA compliant email services.

We did however, find an interesting forum post entitled, HIPAA compliance, dated 27 March 2014.

In it, a user asks:

“Is the fax line service HIPAA compliant?”

Less than an hour later, Sonic CEO Dane Jasper replies:

“No, we do not certify HIPAA compliance for our FaxLine service. Please do not use the service where HIPAA is required.”

Does Sonic Offer HIPAA Compliant Service?

The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate.

Sonic makes no official reference to signing a BAA or offering HIPAA compliant services on their corporate site.

In addition, their CEO specifically stated in their user forum not to use their infrastructure for HIPAA compliant faxing.

G Suite email isn’t HIPAA compliant out of the box.
Download the Quick Guide to HIPAA Compliant Email for free.

Conclusion: Sonic does not appear to offer HIPAA Compliant Email.

We therefore cannot recommend using their email service for HIPAA compliant email.

Tuesday, 5 December 2017

Only the Paranoid Survive: My Takeaways

Only the Paranoid Survive: My Takeaways - Paubox

6AM at the office and I’m in Randy Moss mode.


  • It’s one of the best books I’ve read this year.
  • Strategic Inflection Points will constantly occur in the lifespan of a business.
  • The book was written at the dawn of the internet age and is profoundly insightful.

When I moved to San Francisco in early 2015, my buddy and SF resident Kian Alavi gave me the rundown on Silicon Valley:

I devoured all three within a month while living in a 10×10 foot “cabin” with an outdoor shower in Brisbane.

As I would learn from Ben Horowitz’s book, Andy Grove is a seminal Silicon Valley figure. Mr. Grove was a co-founder and CEO of Intel. He helped transform the company into the world’s largest manufacturer of semiconductors.

Fast forward to a couple months ago, I read Andy Grove’s “Only the Paranoid Survive: How to Exploit the Crisis Points that Challenge Every Company” while working late at the office.

This blog post is about my takeaways from his stellar book.

I’ve also included recent pics of our journey here at Paubox. Enjoy!

SEE ALSO: We’re Riding The Third Wave


The Twitter building is one of my favorites in San Francisco
Only the Paranoid Survive: My Takeaways - Paubox

Chapter 1: Something Changed

Here are my takeaways from Chapter 1:

  • In 1994, a PR nightmare made Andy Grove realize Intel no longer sold microprocessors to computer makers. They had crossed over to the global, mass consumer market.
  • “Not only didn’t we realize that the rules had changed- what was worse, we didn’t know what rules we now had to abide by.”
  • “All businesses operate by some set of unstated rules and sometimes these rules change- often in very significant ways.”
  • “The lesson is, we all need to expose ourselves to the winds of change.”

Grabbing lunch with Jeff LeBrun of Pillsy
Lunch trucks with Jeff LeBrun of Pillsy - Paubox

Chapter 2: A “10X” Change

Here are my takeaways from Chapter 2: A “10X” Change.

  • Andy Grove summarizes Porter’s Five Forces and proposes a Sixth Force: The Force of Complementors.
  • Complementors are other businesses from whom customers buy complementary products.
  • If a very large change occurs in one of the six forces, it becomes a “10X” force.
  • “There’s wind and then there’s a typhoon, there are waves and then there’s a tsunami.”
  • “In the face of such “10X” forces, you can lose control of your destiny.”
  • “Only the beginning and the end are clear; the transition in between is gradual and puzzling.”
  • Andy defines an inflection point as where the old strategic picture dissolves and gives way to something new.
  • “It [inflection point] is a point where the curve has subtly but profoundly changed, never to change back again.”
  • “When you’re caught in the turbulence of a strategic inflection point, the sad fact is that instinct and judgement are all you’ve got to guide you through.”
  • “The strategic inflection point is the time to wake up and listen.”

Thanksgiving in Bakersfield
Thanksgiving in Bakersfield with Craig Joiner - Paubox

Chapter 3: The Morphing of the Computer Industry

Here are my takeaways from Chapter 3: The Morphing of the Computer Industry.

  • Andy admits he was unable to pinpoint where exactly the inflection point took place in the computer industry of the 80s.
  • “When an industry goes through a strategic inflection point, the practitioners of the old art may have trouble.”
  • Dell Computer upending the market by selling computers via mail order, then later online.
  • “Few of the top ten participants in the new horizontal computer industry rose from the ranks of the old vertical computer industry, bearing testimony to the observation that it is truly difficult for a successful industry participant to adapt to a completely different industry structure.”
  • “The first mover and only the first mover, the company that acts while the others dither, has a true opportunity to gain time over its competitors.”
  • “People who try to fight the wave of a new technology lose in spite of their best efforts because they waste valuable time.”
  • “Simply put, it’s harder to be the best of class in several fields than in just one.”

Dungeness crab at Half Moon Bay
Dungeness crab at Half Moon Bay - Paubox

Chapter 4: They’re Everywhere

Here are my takeaways from Chapter 4: They’re Everywhere.

  • Andy Grove makes the case every strategic inflection point is characterized by a “10X” change and every “10X”
    change incurs an inflection point.
  • “A far superior competitor appearing on the scene is a mandate for you to change. Continuing to do what worked before doesn’t work anymore.”
  • “Steve Jobs is arguably the founding genius of the personal computer industry, the person who at age twenty saw what in the next decade would become a $100 billion worldwide industry.”
  • “A fundamental rule in technology says that whatever can be done will be done.”
  • “Customers drifting away from their former buying habits may provide the most subtle and insidious case of a strategic inflection point.”
  • The star of a previous era is often the last one to adapt to change.
  • “There is a school of thought that suggests taht software generated for the Internet will grow in importance and eventually prevail in personal computing.” (Prescient)

Paubox sales team meeting: Finishing November strong
Paubox sales team meeting

Chapter 5: “Why Not Do It Ourselves?”

Here are my takeaways from Chapter 5: “Why Not Do It Ourselves?”

  • Intel’s first product was a 64-bit memory chip.
  • Andy asked Intel’s CEO Gordon Moore, “If we got kicked out and the board brought in a new CEO, what do you think he would do?” (Powerful exercise)
  • “People who have no emotional stake in a decision can see what needs to be done sooner.
  • “It was through the memory crisis- and how we dealt with it- that I learned the meaning of a strategic inflection point.”
  • Strategic inflection points can provide an opportunity to reach new levels of achievement.
  • “People in the trenches are usually in touch with impending changes early.”

Fortunate to be able to walk to work
Fortunate to be able to walk to work - Paubox

Chapter 6: “Signal” or “Noise”?

Here are my takeaways from Chapter 6: “Signal” or “Noise”?

  • There isn’t a formula to measure or gauge signal versus noise.
  • “Because there is no surefire formula, every decision you make should be carefully scrutinized and reexamined as time passes.”
  • “Most strategic inflection points, instead of coming in with a bang, approach on little cat feet. They are often not clear until you can look at the events in retrospect.”
  • The silver bullet test: If you had just one figurative bullet, which competitor would you save it for?
  • You can use these questions to distinguish signal from noise:
    1. Is your key competitor about to change?
    2. Is your key complementor about to change?
    3. Do people seem to be “losing it” around you?
  • Helpful Cassandras are people in a company who are quick to recognize impending change. They are usually in middle management and often in sales.
  • The Trap of the First Version: You can’t judge the significance of strategic inflection points by the quality of the first version. (e.g., Apple’s Newton in 1993)
  • Strategic inflection points are rarely clear.

Weekly staff meeting
Weekly staff meeting - Paubox

Chapter 7: Let Chaos Reign

Here are my takeaways from Chapter 7: Let Chaos Reign.

  • The chapter deals with how management reacts emotionally to the crisis of an inflection point.
  • The sequence of a strategic inflection point: Denial, escape or diversion and finally, acceptance and action.
  • Strategic dissonance is one of the surest signals a company is struggling with an inflection point.
  • “Looking back over my own career, I have never made a tough change, whether it involved resources shifts or personnel move, that I haven’t wished I had made a year or so earlier.”

Sharing a laugh in Bakersfield for Thanksgiving
Sharing a laugh in Bakersfield for Thanksgiving - Paubox

Chapter 8: Rein in Chaos

Here are my takeaways from Chapter 8: Rein in Chaos.

  • “Often in the course of traversing a strategic inflection point your people lost confidence in you and in each other, and what’s worse, you lose confidence in yourself.”
  • The valley of death is an inevitable part of every strategic inflection point.
  • “To make it through the valley of death successfully, your first task is to form a mental image of what the company should look like when you get to the other side.”
  • “If you’re in a leadership position, how you spend your time has enormous symbolic value. It will communicate what’s important or what isn’t far more powerfully than all the speeches you can give.” (strongly agreed)
  • Andy Grove believes the best way to transform a company is though a series of incremental changes that are consistent with a clearly defined end goal.
  • “Your tendency will almost always be to wait too long. Yet the consequences of being early are less onerous than the consequences of being late.”
  • “It is very hard to lead an organization out of the valley of death without a clear and simple strategic direction.”
  • “If competition is chasing you (and they always are- this is why ‘only the paranoid survive’), you only get out of the valley of death by outrunning the people who are after you.”
  • “The greatest danger is standing still.”
  • “This is exactly when you need a strong leader setting a direction. And it doesn’t even have to be the best direction- just a strong, clear one.”
  • “If top management is able to alternately let chaos reign and then rein in chaos, such a dialectic can be very productive.”
  • When “10X” forces are upon us, the choice is taking on these changes or accepting an inevitable decline, which is no choice at all.”

Paubox sales team in the zone
Paubox sales team in the zone - Paubox

Chapter 9: The Internet: Signal or Noise? Threat or Promise?

Chapter 9: The Internet: Signal or Noise? Threat or Promise?

I really liked this chapter. Here are my takeaways from Chapter 9: The Internet: Signal or Noise? Threat or Promise?

  • “But in the long term, data rich in pictures, voice and video promise an even larger use of the Internet and therefore new business opportunities.” (Keep in mind, he wrote this in 1996)
  • “The Internet has potentially just as much impact on the software industry. It can provide a much, much more efficient way to distribute software.” (He basically just described SaaS)
  • Andy Grove describes the cloud: “The Internet fosters the emergence of a third class of use: applications and data that are stored at some other computer someplace…”
  • Andy correctly concludes that the Internet is a strategic inflection point for Intel, way back in 1996.

Catching up with Jeff LeBrun of Pillsy
Catching up with Jeff LeBrun of Pillsy - Paubox

Chapter 10: Career Inflection Points

Here are my takeaways from Chapter 10: Career Inflection Points.

  • Andy Grove points out that career inflection points caused by a change in environment (e.g. Blockbuster vs. Netflix) don’t distinguish between the calibur of people they disrupt.
  • “As in managing businesses, it is rare that people make career calls early.”
  • “Pour your energy, every bit of it, into adapting to your new world, into learning the skills you need to prosper in it and into shaping it around you.”