Saturday, 30 September 2017

Can I use OneDrive and be HIPAA Compliant?

Can I use OneDrive and be HIPAA Compliant? - Paubox

Lately we’ve been discussing in the office whether certain cloud-based solutions are HIPAA compliant or not. OneDrive by Microsoft is a cloud service for hosting and sharing files.

We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.

In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:

The goal of this post is to determine if Microsoft OneDrive offers HIPAA compliance or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

About OneDrive

OneDrive is a file-hosting service operated by Microsoft as part of its suite of online cloud services.

It allows users to store files as well as other personal data like Windows settings or BitLocker recovery keys in the cloud. Files can be synced to a PC and accessed from a web browser or a mobile device, as well as shared publicly or with specific people.

Microsoft OneDrive and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance to ensure security and privacy.

We checked the Microsoft Trust Center and found a page called HIPAA and the HITECH Act.

In it, Microsoft wisely points out:

“Currently there is no official certification for HIPAA or HITECH Act compliance. However, those Microsoft services covered under the BAA have undergone audits conducted by accredited independent auditors for the Microsoft ISO/IEC 27001 certification.”

Since OneDrive is often bundled into Office 365, we found a pdf doc called Office 365 Compliance Framework for Industry Standards and Regulations that offered deeper insight into OneDrive and its capabilities for HIPAA compliance.

The document specifically states that OneDrive for Business can be HIPAA compliant while OneDrive consumer cloud storage is not HIPAA compliant.

Does Microsoft OneDrive Offer HIPAA Compliant Service?

The Business Associate Agreement is a key component to HIPAA compliance between a covered entity and a business associate. Since Microsoft offers one specifically for OneDrive for Business, we conclude it is in fact a HIPAA compliant solution.

Conclusion: OneDrive for Business is HIPAA Compliant and adheres to regulatory compliance for healthcare providers and healthcare organizations.

OneDrive consumer cloud storage however, is not covered by Microsoft’s BAA.

Make sure you sign a BAA with Microsoft before using OneDrive for Business to store or transmit any PHI.

Thursday, 28 September 2017

Is Office 365 HIPAA Compliant?

Is Office 365 HIPAA Compliant? - Paubox

Lately we’ve been discussing in the office whether certain cloud-based solutions are HIPAA compliant or not. Office 365 by Microsoft is the brand name its chosen as it moves its services such as email, storage, and chat into the cloud.

For the purposes of this post, we will focus on the email component of Office 365.

We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.

In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:

The goal of this post is to determine if Microsoft Office 365 offers HIPAA compliant email or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

About Office 365

Office 365 is the brand name Microsoft uses for a group of software and services subscriptions, which together provide productivity software and related services to subscribers.

For business users, Office 365 offers service plans providing e-mail, chat, cloud storage, as well as access to the Microsoft Office software.

Microsoft Office 365 and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance to ensure security and privacy.

We checked the Microsoft Azure Trust Center and found a page called HIPAA and the HITECH Act.

In it, Microsoft wisely points out:

“Currently there is no official certification for HIPAA or HITECH Act compliance. However, those Microsoft services covered under the BAA have undergone audits conducted by accredited independent auditors for the Microsoft ISO/IEC 27001 certification.”

We also found on that page that several versions of Office 365 are covered by Microsoft’s BAA. Those versions are:

  • Office 365
  • Office 365 U.S. Government
  • Office 365 U.S. Government Defense

Does Microsoft Office 365 Offer HIPAA Compliant Service?

The Business Associate Agreement is a key component to HIPAA compliance between a covered entity and a business associate. Since Microsoft Office 365 offers one, we conclude it is in fact a HIPAA compliant email solution.

Conclusion: Three versions of Microsoft Office 365 are HIPAA Compliant and adhere to regulatory compliance for healthcare providers and healthcare organizations.

Make sure you sign a BAA with Microsoft before using Office 365 to store or transmit any PHI.

Saturday, 23 September 2017

Eric Nakagawa: Win or Lose

Eric Nakagawa: Win or Lose - Paubox

I met up with Eric Nakagawa this week at Philz Coffee in Noe Valley. We hadn’t seen each in person since I was a guest on his podcast back in January.

When I first moved to the Bay Area in January 2015, Eric let me stay at his house while I looked for a place of my own. With his third child on the way, my presence was no doubt an imposition on his family. I luckily found a 10×10 tool shed in Brisbane a couple days later.

Living in a 10×10 space with an outdoor shower and the words, “Cherish the cabin” scribbled above the front door are obviously topics for a future post.

Since then, Eric’s helped us get into 500 Startups, provided investor intros, given growth advice and been a trusted friend and adviser to me. I am indebted to him.

Here are my takeaways from our meeting:

  • Make our landing pages easier to read.
  • Make landing pages more accessible to non-technical people.
  • Spend some money to optimize our landing pages to get higher conversions (basecamp.com is a good example).
  • Reach out to Hiten Shah. Go seek growth experience.
  • Can we turn our blog into a podcast?
  • Don’t wear stripes when filming HIPAA Center.
  • Do we have a Content Playbook? If not, make one.

About Eric Nakagawa

Eric Nakagawa: Win or Lose - Paubox

I first met Eric Nakagawa in 2013 at a Barnes & Noble at Ala Moana Center. I had recently launched DareShare in the App Store and was in distinct need of consumer app expertise to drive user growth. As a refresher, Eric is the guy who brought funny cat memes to the internet. He’s also a a New York Times bestselling author with his book “I Can Has Cheezburger?”

Eric didn’t waste much time that day we first met: He quickly started drawing wireframes in my journal of new DareShare concepts.

I’m glad DareShare got put to bed because what we’re doing at Paubox is much more fun and lasting. We’re helping the last American business segment drop the fax machine and finally use email in the office.

Win or lose, Eric Nakagawa has had my back from day one.

Eric Nakagawa - Paubox

Our first meeting at a Barnes & Noble at Ala Moana Center in 2013

Omada Health Office Visit with Sean Duffy: Lifestyle Intervention

Sean Duffy with Henk Jan Scholten - Omada Health office visit - Paubox

Sean Duffy with Henk Jan Scholten

I walked to the Omada Health office in the Financial district yesterday for an office visit organized by 500 Startups.

Like the office visit to BetterDoctor a couple weeks ago, one of the key advantages to have an office in San Francisco is proximity to opportunities like these.

Omada Health recently closed a $50M Series C round a couple months ago, so I was definitely interested in hearing what Co-Founder and CEO Sean Duffy had to say.

SEE ALSO: BetterDoctor Office Visit with Ari Tulla: A Focus on Execution

Sean Duffy: My Takeaways

Here are my takeaways from our office visit with Sean Duffy:

  • You don’t need to be published in the New England journal of Medicine right out of the gate. Robust clinical trials not needed in the beginning.
  • Every buyer on healthcare is very risk averse.
  • Focus on discovering who would have a business benefit for your product in a large org. Then go target them. Who is the PnL owner?
  • Make sure your solution saves money in the first year. That’s the key to selling to big orgs.
  • Educate a buyer they have a problem.
  • Health plan sales is a very crowded market.
  • “For us it’s about lifestyle intervention.”
  • Founded Omada in 2011.
  • The Single Instrument Fallacy: Independent tools like fitness trackers and Fitbit don’t work just on their own. Full package approach is key.
  • Healthcare seed funding changes constantly.
  • The best board members don’t try to run your business for you. They don’t try to be operators. You want even keeled board members.

About Omada Health

Sean Duffy, Omada Health - Paubox

Omada Health is a breakthrough online program that inspires healthy habits people can live with long-term.

They combine the science of behavior change with unwavering personal support, so people can make changes that actually stick. It’s an approach shown to reduce risk factors for type 2 diabetes and heart disease.

About 500 Startups Digital Health

Omada Health office visit, 500 Startups - Paubox

500 Startups Digital Health is part of the four month core accelerator program focused on customer acquisition and fundraising.

They look for tech-enabled health and health care startups who have a product in the hands of some customers, but need to scale traction before qualifying for a follow on round.

We are proud to say we were part of their first batch (B18).

Thursday, 21 September 2017

3 Common Health Tech Mistakes You Need to Know

health technology, health technology mistakes, health tech, health tech mistakesEveryone in the digital health space wants to be HIPAA compliant and avoid HIPAA violations.

Health software developers spend substantial time and energy making sure their vendors are compliant, and ensuring their own systems are compliant as well.

But once compliant software or systems are installed in clinical settings, a new challenge arises: operating software and systems in ways that don’t create HIPAA violations.

It’s a fact. Even systems that meet every compliance requirement can be used in ways that create HIPAA violations.

We’re going to take a look at three of the most common mistakes people make while using technology that can lead to violations – and how to avoid them.

1. Sharing Login Credentials

Unfortunately, this is one of the most common ways to cause a violation.

HIPAA Regulations [§164.312 (a)(1)] require the use of “Unique User Identification” for all systems that contain or use PHI (Protected Health Information) that’s regulated by HIPAA.

In busy clinical settings, it’s tempting to share passwords with other employees to save time while providing rapid patient care. However, HIPAA strictly forbids this as it makes tracking down problems and errors nearly impossible.

HIPAA’s enforcers are more than happy to penalize medical entities who share logins as well as vendors whose systems don’t enforce unique user ID’s.

Think of it this way: you wouldn’t make copies of your house key for every neighbor on your block.

Likewise, don’t share login credentials with your co-workers either.

2. Sending Data to the Wrong Recipient

With so much going on in a typical clinical setting, sending data or records to the wrong party can happen in a heartbeat.

Entering a fax number incorrectly or mistyping an email address can quickly create data breaches that expose sensitive patient data, damage reputations, and lead to expensive HIPAA violations.

Best practices to avoid creating such violations are:

  1. Verify phone numbers and email addresses against approved, carefully vetted lists;
  2. Double-check phone/fax numbers and email addresses every time before sending PHI; and
  3. Verify receipt of sensitive data with the recipient(s) after every transmission.

3. Displaying PHI to Unauthorized Persons

Let’s say you’re traveling.

Your laptop is configured correctly, you’re using a secure VPN for your connection, your email provider is HIPAA compliant, and data you’re sending and receiving is fully encrypted.

Every required HIPAA compliance element is in place.

So what could go wrong? Plenty!

If you’re in your airplane seat or the airport, catching up on patient-related work, and you inadvertently allow a person near or next to you to see PHI on your laptop screen, you’ve just created a potential HIPAA violation.

If the bystander reports the incident or files a complaint, you may have created an actual HIPAA violation – complete with an OCR investigation and monetary penalties.

This is an easy to avoid mistake that’s all too common. Be careful and watch out for shoulder surfers!

The same concept applies to computer screens in your office.

If a visitor to your office can easily see PHI on workstations while walking around, that’s a potential HIPAA violation. And the more sensitive the data, the more serious the violation.

The solution?

Turn office monitors or desks so visitors can’t easily see what’s on your screens. Or use add-on screen filters that allow viewing only from a narrow angle, directly in front of screens.

Conclusion

To avoid HIPAA violations, it’s not enough to just have HIPAA compliant systems, software and vendors.

Digital health technologies must also operate in a compliant manner as well.

Thorough employee training certainly helps, but common sense and a watchful eye are the best safeguards against these sorts of problems.

Make sure you implement the appropriate safety measures to protect those who entrust you with their PHI.

About MedStack

This post was written in collaboration with MedStack. Based in Toronto, Canada, MedStack, Inc. focuses on empowering broader innovation in health care by removing barriers to digital product development. MedStack’s platform provides built-in operations to streamline technical security, privacy legislation and data integration in health care. MedStack’s powers over 30 healthcare companies across North America with its one-of-a-kind cloud offering.

Wednesday, 20 September 2017

Is Citrix ShareFile HIPAA Compliant?

Is Citrix ShareFile HIPAA Compliant? - Paubox

Lately we’ve been discussing in the office whether certain cloud-based solutions are HIPAA compliant or not. Citrix Sharefile is a secure, cloud-based platform for businesses to store and share large files.

We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.

In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:

The purpose of this post is to determine if ShareFile offers HIPAA compliance or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

About ShareFile

ShareFile is a secure content collaboration, file sharing and sync solution that supports the workflow needs of small and large businesses.

It was started by Jesse Lipson in 2005 in Raleigh, North Carolina. In October 2011, ShareFile was acquired by Citrix Systems.

Citrix ShareFile and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. HIPAA compliance requires this by law.

We checked the ShareFile site and found Citrix ShareFile Cloud for Healthcare.

On that resource page, Citrix ShareFile states:

“In response to the new rules and to further reduce the risk associated with a breach of PHI, ShareFile has updated its network and security architecture to provide enhanced security for customers who need to protect PHI. Now, ShareFile will place the PHI of all customers who provide us with a signed Business Associate Agreement (BAA) in this special secure enclave dedicated only for PHI.”

Does Citrix ShareFile Offer HIPAA Compliant Service?

The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate.

Since Citrix offers one for use with ShareFile, we conclude it can be a HIPAA compliant service.

Conclusion: ShareFile is covered within the Citrix Business Associate Agreement.

Make sure you sign a BAA with Citrix before using ShareFile to store or transmit any PHI.

Tuesday, 19 September 2017

HIPAA Conduit Exception Rule – What is it?

What is the HIPAA Conduit Exception Rule? - Paubox

While I was doing research regarding Apple’s FaceTime and whether or not it achieves HIPAA Compliance, I came across opinions on the internet that concluded FaceTime qualified under the HIPAA Conduit Exception Rule. Under this rule, the writers determined that FaceTime did not need to meet HIPAA guidelines and it was therefore HIPAA compliant.

We know however, Business Associate Agreements are required by law and that HIPAA breaches can result from not signing BAAs with cloud vendors.

We also know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.

I decided to dig deeper into the HIPAA Conduit Exception Rule to truly understand its meaning.

SEE RELATED: HIPAA Breaches and Cloud Providers

HIPAA Conduit Exception Rule Explained

The HIPAA Conduit Exception Rule was created by the HIPAA Privacy Rule in 2000.

We can see under Section 160.103 – Definitions:

We do not require a covered entity to enter into a business associate contract with a person or organization that acts merely as a conduit for protected health information (e.g., the US Postal Service, certain private couriers and their electronic equivalents). A conduit transports information but does not access it other than on a random or infrequent basis as may be necessary for the performance of the transportation service, or as required by law. Since no disclosure is intended by the covered entity and the probability of exposure of any particular protected health information to a conduit is very small, we do not consider a conduit to be a business associate of the covered entity.

HIPAA Conduit Exception Rule and Cloud Service Providers

Since a lot of time has elapsed since 2000, the obvious question arises:

How do Cloud Services Providers (CSPs) like Apple, Amazon, Paubox, Google, and others fit into the HIPAA Conduit Exception Rule?

We can reference a page on the HHS site called, Guidance on HIPAA & Cloud Computing for help.

Question 3 states:

Can a CSP be considered to be a “conduit” like the postal service, and, therefore, not a business associate that must comply with the HIPAA Rules?

Generally, no. CSPs that provide cloud services to a covered entity or business associate that involve creating, receiving, or maintaining (e.g., to process and/or store) electronic protected health information (ePHI) meet the definition of a business associate, even if the CSP cannot view the ePHI because it is encrypted and the CSP does not have the decryption key.

As explained in previous guidance,[14] the conduit exception is limited to transmission-only services for PHI (whether in electronic or paper form), including any temporary storage of PHI incident to such transmission. Any access to PHI by a conduit is only transient in nature. In contrast, a CSP that maintains ePHI for the purpose of storing it will qualify as a business associate, and not a conduit, even if the CSP does not actually view the information, because the entity has more persistent access to the ePHI.

Further, where a CSP provides transmission services for a covered entity or business associate customer, in addition to maintaining ePHI for purposes of processing and/or storing the information, the CSP is still a business associate with respect to such transmission of ePHI. The conduit exception applies where the only services provided to a covered entity or business associate customer are for transmission of ePHI that do not involve any storage of the information other than on a temporary basis incident to the transmission service.

HIPAA Conduit Exception Rule: Wrap Up

There are two sections in the above answer from HHS that catch my eye:

  • First, a CSP qualifies as a Business Associate even if even it can’t view the ePHI because it is encrypted and the CSP does not have the decryption key.
  • Second, the conduit exception applies only where the only services provided to a Covered Entity or Business Associate customer are for transmission of ePHI that do not involve any storage of information.

I don’t know of a single cloud-based software vendor that stores absolutely zero information on its users. Furthermore, the HIPAA Conduit Exception Rule was meant for ISPs (Internet Service Providers) and carriers like the US Postal Service.

To apply the conduit exception to a Cloud Services Provider like Apple and its FaceTime product is, in my opinion, an incorrect conclusion.

Furthermore, we know that Apple is not in the business of signing Business Associate Agreements or being classified as a Business Associate with their consumer products.

In conclusion, I believe the HIPAA Conduit Rule does not generally apply to Cloud Services Providers like Apple, Goolge, Microsoft and Paubox. Therefore, you should make sure to sign Business Associate Agreements with each of these companies and make sure the BAA covers the service you will be using in a HIPAA environment.

Monday, 18 September 2017

How to Encrypt Your Email And Why You Should

how to encrypt email, email encryption, email security, cybersecurityEmail encryption means email security.

Email encryption creates secure email by scrambling the data so only someone with the right password or other form of authorization can decrypt the message.

In many cases, this process of encryption and decryption takes place without users ever knowing.

Is your email account encrypted? In today’s world of phishing scams, ransomware attacks and data breaches, can you afford to risk losing sensitive information at the hands of cybercriminals?

You can lower the risk of someone stealing your personal information by utilizing email encryption. Sensitive information like social security numbers, bank accounts, credit card information and more will be encrypted from prying eyes and become harder to steal.

Popular email providers such as Gmail, Microsoft Outlook, and more provide basic encryption, but cybercriminals can easily override their security settings.

There are a few stronger solutions out there to encrypt emails, but some are better than others. Read on to find out which email encryption works best.

Transport Layer Security (TLS) encryption

TLS or STARTTLS, is an encryption protocol that protects messages in transit from one server to another.

You can check if your email address supports TLS in seconds with our free Secure Email Checker.

However, if your email supports TLS, that does not mean your email is encrypted. 

TLS only works if the recipient email provider also supports TLS. Not all email providers support TLS, such as older legacy providers, which results in an unencrypted email written in plain text.

RELATED: How to Check for TLS to Secure Your Email

PGP (Pretty Good Privacy) data encryption

PGP (Pretty Good Privacy) follows the OpenPGP standard. It features the use of a public key and private key that locks and unlocks data. With this method, you need these particular keys for every single person you contact in order to ensure email security.

Considering how much of a necessity email is in modern business, this isn’t exactly the most efficient encryption method out there. Can you imagine how frustrating it would be to constantly enter an encryption key just to see a brief message? And what if you can’t find the key?

Having to always enter a password costs time, and time is money.

Email portals

Similar to a PGP, email portal systems work by keeping communication – including email communication – within the boundaries of the portal itself. You have to log in to access the outgoing mail service, and the receiver has to log in to access incoming mail.

However, logging into an external portal all the time is an unnecessary step when it comes to encrypting your email. For the recipient’s end, having to always comply with this extra step can be frustrating and can lead to a loss in business.

READ MORE: Email Portals Aren’t the Answer to Secure Email

Is that a risk you’re willing to take?

Blanket encryption

Most email encryption providers make sending an encrypted email optional because they know it can be bothersome for recipients. However, this leaves your business wide open for human error.

RELATED: 3 Insider Threats You Need to Plan For

Make sure you use an email service that encrypts message contents by default. This eliminates any concern for human error and keeps you clear of HIPAA violations.

It’s always better to be safe than sorry right?

Encrypted messages from any device

It’s 2017. We are in a digital age. No longer are the days of having to log into a desktop to send and receive email. Now, you can send emails from your laptop, tablet, smartphone, and even smartwatch.

READ MORE: How to Send Encrypted Email from your Apple Watch

It’s a brave new world.

With that said, you need to make sure you have seamless encrypted email all around. Bonus points if there are no extra steps for any device you want to send an email, like no plug-ins or extra apps.

The good news is, a seamless email encryption solution does exist out there: Paubox.

The easiest way to encrypt email

Paubox puts the user experience first for both senders and recipients, providing military grade encryption features without the hassle of extra steps.

Because using Paubox Encrypted Email is so easy, we encrypt all emails and replies by default. This eliminates the chances of user error and sending unencrypted messages because you forgot to type a keyword or hit a button.

Paubox also includes robust SPAM filtering that identifies malware and phishing attacks and has protocols against Ransomware.

It doesn’t matter what email client or app you use, Paubox will make sure the message has end to end encryption in place.

With seamless integration into business email platforms like G Suite, Office 365, and Exchange, you can keep your email address and domain as well.

You even get a neat digital signature every time you compose a new message letting your recipients know that your email was encrypted for their safety and security by Paubox.

Think of it as a digital certificate that assures your intended recipient that their privacy is protected.

Experience how easy email encryption can be with a free no-risk 14-day trial.

[contact-form-7]

Friday, 15 September 2017

Todd Park: Life is Short, Work on Things that Matter – athenahealth MDP

After Jonathan Bush’s keynote address, Todd Park jumped up (yes, he jumped. More than once) and began his guest keynote.

Here are my takeaways from Todd Park’s high energy speech:

  • Todd Park’s criteria for evaluating startups:
    1. Does the startup solve an important problem?
    2. Does the product enable the customer to make more money? Don’t forget, time is money.
    3. Does the product have a network effect at its core?
  • “It’s absolutely true, despite the cliche, the team is everything.”
  • Find, grow and retain people. Is that the thing you spend the most time on?
  • “How diverse is your team?”
  • “Diverse teams beat non-diverse teams at everything.”
  • Building diverse teams is really hard. It takes 2×3 more effort to recruit diverse teams.
  • “Pick a mission that you can’t to work on every second of your day.”
  • Your ability to recruit people is going to he higher if you’re working on something that excites them.
  • “Jonathan Bush is the best in healthcare about not giving up.”
  • “Life is short. Work on things that matter.”
  • “The future of the American healthcare system is in your hands. It’s in this mother f-*$ing room.”
  • “I’m a born again Christian who happens to swear a lot.”
  • VC’s are biased in ways they don’t even understand.
  • Not a fan of the B Corp.
  • Re: his new startup: “We are a paragon of hyper compliance.”

About Todd Park

Todd Park - athenahealth MDP - Paubox

At the age of 24, Todd Park co-founded athenahealth with Jonathan Bush in 1997.

Later in 2008, he co-founded Castlight Health, which was named by the Wall Street Journal as the #1 venture-backed company in America for 2011.

Todd has also served as the Chief Technology Officer for the U.S. Department of Health and Human Services (2009).

In 2012, he was appointed by President Obama to be United States Chief Technology Officer and Assistant to the President.

Todd also played an instrumental role in developing the initial version of HealthCare.gov, which was built in only 90 days. Todd shared a story with us that during those days, they had a sign in their office that read:

“No one is coming. It’s on us.”

I believe Todd is a national living treasure.

About MDP

Mandira Singh, Director of MDP - Paubox

The athenahealth More Disruption Please (MDP) conference brings together entrepreneurs, investors, clinicians and industry experts who share the company’s vision of disrupting the status quo in healthcare.

MDP provides easy access to the world’s most innovative thinking and offers solutions to help healthcare professionals thrive in the face of industry change and pressure.

It’s held at the Point Lookout in Northport, Maine.

Thursday, 14 September 2017

HHS Secretary Tom Price and Jonathan Bush: athenahealth MDP 2017

HHS Secretary Tom Price and Jonathan Bush - MDP 2017 - Paubox

U.S. Department of Health and Human Services (HHS) Secretary Tom Price was the featured speaker today for the final leg of athenahealth MDP 2017. He was joined on stage by athenahealth CEO Jonathan Bush for a fireside chat.

Here are my takeaways from their fireside chat:

  • Secretary Price first won his congressional seat in 2004 for Atlanta.
  • Secretary Price is a third generation doctor.
  • “The financing and delivery of healthcare has been so distorted.”
  • “Who decides?” was a recurring theme Secretary Price brought up.
  • It’s an incredible honor to have the privilege of being the head of the largest organization in federal government.”
  • HHS has a  $1.1T budget and a staff of 80,000.
  • “Government is glacial, usually, in its pace of moving direction.”
  • Secretary Price’s top 3 clinical priorities at HHS:
    • The opioid crisis
    • Severe mental illness
    • Child obesity
  • Secretary Price defines success as turning the curve on those three priorities.
  • “Does this help or hurt the patient? Does it cost more or cost less?”
  • 80% of opioid addicts started with a legitimate prescription.
  • “The thing I want to leave with you today is the enthusiasm I have of the things I don’t have a clue about.”
  • “Don’t force doctors to do stupid things in the EMR.”
  • “The people that provide the care should be determining the things they’re measured on.”
  • “The cost of regulatory compliance in healthcare is astronomical.”
  • “Don’t assume the federal government is gonna do the right thing in healthcare.”
  • “I want to convey to you the receptivity to new ideas we have.”

Questions from the Audience

Jason xx

During Q&A, Jason Crawford from Intelligent Retinal Imaging Systems got in a great question for Secretary Price.

Mr. Price even asked him to follow up to discuss it more in a subsequent meeting. Right on Jason!

David xx

About HHS

HHS Secretary Tom Price and Jonathan Bush - athenahealth MDP 2017 - Paubox

The U.S. Department of Health and Human Services (HHS), also known as the Health Department, is a cabinet-level department of the U.S. federal government. Its goal is to protect the health of all Americans and provide essential human services.

Its motto is “Improving the health, safety, and well-being of America”.

As I found out today, they are also the largest organization in federal government and have a budget exceeding one trillion dollars.

About MDP

The athenahealth More Disruption Please (MDP) conference brings together entrepreneurs, investors, clinicians and industry experts who share the company’s vision of disrupting the status quo in healthcare.

MDP provides easy access to the world’s most innovative thinking and offers solutions to help healthcare professionals thrive in the face of industry change and pressure.

It’s held at the Point Lookout in Northport, Maine.

athenahealth MDP 2017: Jonathan Bush Keynote Address

Jonathan Bush Keynote Address: athenahealth MDP 2017 - Paubox

This year’s theme for the 7th Annual athenahealth More Disruption Please (MDP) was Ride the Storm.

Keeping in theme, athenahealth Founder and CEO Jonathan Bush began his keynote as a Maine sea captain. As it was my first time to Maine, I had a hard time deciphering the Maine accent. Luckily for me, her reverted back after he finished his cautionary tale of Blockbuster getting disrupted by Netflix.

Here are my takeaways from Jonathan Bush’s keynote address:

  • “Every brand that makes it is gonna figure out a way to do it on the cloud.”
  • MDP is a corporate priority.
  • There are 182 partners in the athenahealth Marketplace.
  • Jonathan likens the athenahealth Marketplace to a hunting license.
  • They are bullish on microservices. They are revamping their architecture as quickly as possible towards it.
  • Their Marketplace is getting a facelift in the coming 6-8 months.
  • “What’s he’s (President Trump) basically done is give us an opportunity to fix our own problems.”

Jonathan Bush, athenahealth MDP - Paubox

About More Disruption Please (MDP)

Jonathan Bush, athenahealth MDP 2017 - Paubox

The athenahealth More Disruption Please (MDP) conference brings together entrepreneurs, investors, clinicians and industry experts who share the company’s vision of disrupting the status quo in healthcare.

MDP provides easy access to the world’s most innovative thinking and offers solutions to help healthcare professionals thrive in the face of industry change and pressure.

It’s held at the Point Lookout in Northport, Maine.

We were lucky enough to have be selected to attend this invite-only event by Santosh Mohan. I recently ran into him at the Health 2.0 summer meetup in San Francisco.

About ahtenahealth

Jonathan Bush, athenahealth MDP - Paubox

The athenahealth infrastrucure

athenahealth partners with hospital and ambulatory clients to drive clinical and financial results.

They offer medical record, revenue cycle, patient engagement, care coordination, and population health services.

athenahealth combines insights from their network of 99,000 providers and 88 million patients with deep industry knowledge and perform administrative work at scale.

Sunday, 10 September 2017

Can I use FaceTime and be HIPAA Compliant?

Can I use FaceTime and be HIPAA Compliant? - Paubox

Lately, we’ve been discussing in the office whether certain cloud-based solutions are HIPAA compliant or not. FaceTime is Apple’s video and audio calling service that’s available for free on their devices.

We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.

In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:

Today, we will determine if Apple’s FaceTime offers HIPAA compliance or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

About FaceTime

FaceTime is Apple’s video and audio calling service that’s available on mobile devices that run on iOS and Macintosh computers that run Mac OS X 10.6.6 and on.

It launched in June 2010 when then Apple CEO Steve Jobs announced it in conjunction with the iPhone 4 at the annual Apple Worldwide Developers Conference.

FaceTime and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.

We checked Apple’s corporate site and eventually found the FaceTime Software License Agreement.

We could not find any mention of HIPAA, Business Associate Agreement, Business Associate or Covered Entity in it.

Next, we checked Apple Legal for reference to HIPAA or Business Associate Agreement. We found an important piece of information on the iCloud Terms and Conditions page.

On that page, Apple states:

“If you are a covered entity, business associate or representative of a covered entity or business associate (as those terms are defined at 45 C.F.R § 160.103), You agree that you will not use any component, function or other facility of iCloud to create, receive, maintain or transmit any “protected health information” (as such term is defined at 45 C.F.R § 160.103) or use iCloud in any manner that would make Apple (or any Apple Subsidiary) Your or any third party’s business associate.”

While FaceTime is technically not a part of iCloud, Apple makes it very clear they are not in the business of signing Business Associate Agreements or being classified as a Business Associate.

Does the HIPAA Conduit Exception Rule Apply to FaceTime?

The HIPAA Conduit Exception states that certain organizations like the US Postal Service and Internet Service Providers (ISPs) act merely as conduits for protected health information (PHI).

Due to the transient nature of PHI being transmitted, the HIPAA Conduit Exception Rule does not require a Covered Entity to enter into a BAA with such organizations.

So the question arises, does FaceTime also fall under the HIPAA Conduit Exception Rule?

We found a page on the U.S. Department of Health and Human Services website called Guidance on HIPAA & Cloud Computing.

Question #3 states:

Can a CSP [Cloud Service Provider] be considered to be a “conduit” like the postal service, and, therefore, not a business associate that must comply with the HIPAA Rules?

HHS gives the following answer:

Generally, no. CSPs that provide cloud services to a covered entity or business associate that involve creating, receiving, or maintaining (e.g., to process and/or store) electronic protected health information (ePHI) meet the definition of a business associate, even if the CSP cannot view the ePHI because it is encrypted and the CSP does not have the decryption key.

As explained in previous guidance,[14] the conduit exception is limited to transmission-only services for PHI (whether in electronic or paper form), including any temporary storage of PHI incident to such transmission. Any access to PHI by a conduit is only transient in nature. In contrast, a CSP that maintains ePHI for the purpose of storing it will qualify as a business associate, and not a conduit, even if the CSP does not actually view the information, because the entity has more persistent access to the ePHI.

Further, where a CSP provides transmission services for a covered entity or business associate customer, in addition to maintaining ePHI for purposes of processing and/or storing the information, the CSP is still a business associate with respect to such transmission of ePHI. The conduit exception applies where the only services provided to a covered entity or business associate customer are for transmission of ePHI that do not involve any storage of the information other than on a temporary basis incident to the transmission service.

We believe the guidance is clear from HHS: A cloud-based service like FaceTime does not qualify under the HIPAA Conduit Exception Rule.

SEE ALSO: HIPAA Cloud Computing: Top Ten Frequently Asked Questions

Does Apple’s FaceTime Offer HIPAA Compliant Service?

The Business Associate Agreement (BAA) is a key component to HIPAA compliance between a Covered Entity and a Business Associate.

While there was a lot of confusing information on Apple’s discussion forums on FaceTime and HIPAA compliance, we can infer from Apple Legal (https://www.apple.com/legal) that Apple is not in the business of signing BAA’s for their consumer-facing products like FaceTime.

Conclusion

FaceTime is not HIPAA compliant.

Do not use FaceTime if you are bound by HIPAA regulations.

Saturday, 9 September 2017

Is Apple iCloud HIPAA Compliant?

Is Apple iCloud HIPAA Compliant? - Paubox

Lately, we’ve been discussing in the office whether certain cloud-based solutions are HIPAA compliant or not. iCloud is a cloud-based service from Apple that stores photos, videos, documents, music, and apps while keeping them updated across all devices.

We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.

In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:

Today, we will determine if Apple iCloud offers HIPAA compliance or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

About Apple iCloud

Apple iCloud is an online storage service that serves as a place to keep files, contacts, calendars and images. Users can access them from across all of their Apple devices, including the iPhone, iPad, and Mac.

Apple iCloud and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.

We checked Apple’s corporate site and found an important piece of information on the iCloud Terms and Conditions page.

On that page, Apple states:

“If you are a covered entity, business associate or representative of a covered entity or business associate (as those terms are defined at 45 C.F.R § 160.103), You agree that you will not use any component, function or other facility of iCloud to create, receive, maintain or transmit any “protected health information” (as such term is defined at 45 C.F.R § 160.103) or use iCloud in any manner that would make Apple (or any Apple Subsidiary) Your or any third party’s business associate.”

Does Apple iCloud Offer HIPAA Compliant Service?

The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate.

While there was a lot of confusing information on Apple’s Discussion forums on Apple iCloud and HIPAA compliance, Apple’s corporate site quickly yielded the information we were looking for.

Conclusion

Apple iCloud is not HIPAA compliant.

Do not use Apple iCloud if you are bound by HIPAA regulations.

Thursday, 7 September 2017

Paubox Office Visit: Youth + Tech + Health

youth + tech + health, yth, yth logo

As part of our ongoing efforts to get to know our customers better, we are conducting office visits to learn about our customers’ challenges and how Paubox can help.

This week, I had the pleasure of meeting the team at YTH. You can see our conversation in the video below.

YTH gave us great feedback on how Paubox helped them implement HIPAA compliant programming, and they also gave us a thoughtful suggestion too.

About YTH

YTH is the partner of choice for those in search of new ways to advance the health of youth and young adults through technology.

They believe “young people deserve honest information, deserve for their voice to be heard, and deserve to live healthy lives without shame or fear.” Through their partnerships and projects, they discover what works, pilot innovative solutions, and disseminate what’s truly effective.

Once they determine what works, YTH makes sure that the community can learn from our findings by sharing them through our annual YTH Live conference, blog, and research.

A productive and enjoyable visit

YTH’s office is located in the historic Oakland Tribune Tower, which is conveniently located in downtown Oakland.

Once we reached the 14th floor, where the YTH office is located, we were warmly greeted by Laiah Idelson, the program manager for YTH. Laiah then kindly introduced us to the whole team at YTH.

Once I was able to meet everyone, we settled into the conference room and began discussing YTH and how Paubox is helping them achieve their goals.

Paubox and HIPAA compliant programming

YTH learned about Paubox through their brilliant engineers. Our encrypted solutions met their goal of using technology to develop innovative solutions for youth, health, and wellness.

YTH uses Paubox’s Email API in two of their programs: PrEPTECH and Health Reminders.

READ MORE: HIPAA Compliant Email API

However, in the past, YTH was not able to complete these programs. They strayed from HIPAA compliant programming due to the complicated nature of HIPAA. They also did not have the resources to simplify HIPAA’s challenges.

RELATED: Paubox Office Visit: Partners in Communication

We understand the plight of small businesses and HIPAA all too well, which is why we strive to make easy HIPAA compliant solutions.

Analytics with Email API

One suggestion YTH gave us was one our team had discussed a few times before: adding email analytics.

For non-profits, analytics is critical for the programs they run. YTH was no exception.

We took this valued feedback to heart, and within a week, we built out a mail analytics platform.

At Paubox, we make user experience a top priority.

Ultimately, YTH is happy to partner with Paubox – not just for our service and products, but for being an engaged partner as well.

We are more than happy to attend YTH’s events and support them in their mission, and likewise, we are happy to give them an invite to our events as well.

RELATED: July Social Mixer at Hawthorne in San Francisco

YTH is a great example of a non-profit leveraging technology and great talent to make a positive change in healthcare amongst the youth population.

We are excited to be a part of the journey and we look forward to a long term future with YTH.

Wednesday, 6 September 2017

How to Make Box HIPAA Compliant

Is Box HIPAA Compliant? - Paubox

Lately we’ve been discussing in the office whether certain cloud-based solutions are HIPAA compliant or not. Box is a publicly traded cloud content management and file sharing service for businesses.

We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.

In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:

The purpose of this post is to determine if Box offers HIPAA compliance or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

About Box

Box is a cloud computing business which provides file-sharing, collaborating, and other tools for working with files that are uploaded to its servers. It went public on the NYSE in 2015.

Box was originally developed as a college project of Aaron Levie while he was a student of the University of Southern California in 2004. Levie soon dropped out of USC, became CEO, and he got his childhood friend Dylan Smith to become CFO.

Box and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.

We checked Box’s site and quickly found the Box for Healthcare solutions page.

On that page, Box states:

“For extra assurance, Box signs HIPAA Business Associate Agreements (BAAs) with customers.”

When did Box first announce HIPAA Compliance?

Now that we know Box support HIPAA compliance, we thought it would be useful to find out when they first offered HIPAA compliant services.

The answer turns out to be April 2013.

We found a Box Community guided titled, Box HIPAA and HITECH Overview and FAQs.

It mentions:

“In April of 2013, Box announced its ability to support the HIPAA and HITECH regulations, as well as the ability to sign HIPAA Business Associate Agreements (BAAs) with customers.”

Does Box Offer HIPAA Compliant Service?

The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate.

Information on Box’s website concisely states they were an early adopter for HIPAA compliance among cloud vendors.

Conclusion:

Box for Healthcare is HIPAA compliant.

Make sure you sign a Business Associate Agreement with them.

Tuesday, 5 September 2017

BetterDoctor Office Visit with Ari Tulla: A Focus on Execution

BetterDoctor Office Visit with Ari Tulla - A Focus on Execution - Paubox

Ari Tulla – BetterDoctor CEO

I got an invite out of the blue today to attend a 500 Startups Digital Health field trip to BetterDoctor. One of the key advantages to have an office in San Francisco is proximity to opportunities like these.

Located in the SOMA district, BetterDoctor is a high impact portfolio company of 500 Startups.

It was a pleasure hearing Co-Founder and CEO Ari Tulla’s take on healthcare and where BetterDoctor is heading.

BetterDoctor: My Takeaways from Ari Tulla

BetterDoctor Office Visit with Ari Tulla: A Focus on Execution - Paubox

Here are my takeaways from our office visit with Ari Tulla:

  • Recently closed their Series B round.
  • Healthcare data is hidden in silos, access is hard to get.
  • BetterDoctor is about collecting data from providers and making it useful to the end user.
  • About three years ago, it was impossible to create an accurate database of healthcare consumer info.
  • 25M people have used BetterDoctor to find a doctor.
  • Nobody in the market has data that’s 75% or more accurate on just name, address, and phone numbers of doctors.
  • “We become the data hub for the healthcare provider.”
  • BetterDoctor Value Proposition: Offering compliance, ease of use and lower cost.
  • Provider data is a $10B market.
  • Every quarter they ping doctors to update data.
  • “You need to still use the fax because it’s the only way people (doctors) react.”
  • “I started the company to help people find doctors.”
  • Focused on execution.
  • “Most of the products today in the marketplace don’t work.”
  • “How do you prove the ROI?” (Can be tough to do in healthcare)
  • Pilot is a dirty word. Proof of concept is way better.
  • Price 40% higher in the initial quote.
  • Kaiser and United are the slowest buyers in healthcare.
  • Try to avoid the RFP process with big companies. You’re setup to fail. They are often written by your competition.
  • “Don’t save on legal fees on big deals.”
  • The consumer business model is almost dead in healthcare.
  • Healthcare is much slower than other verticals.

About 500 Startups Digital Health

Office Visit with Ari Tulla: A Focus on Execution - Paubox

500 Startups Digital Health portfolio companies

500 Startups Digital Health is part of the four month core accelerator program focused on customer acquisition and fundraising.

They look for tech-enabled health and health care startups who have a product in the hands of some customers, but need to scale traction before qualifying for a follow on round.

We are pleased to say we were part of their first batch (B18).

About BetterDoctor

BetterDoctor Office Visit with Ari Tulla: A Focus on Execution - Paubox

BetterDoctor helps patients find the right doctors when they need them.

It starts with helping health plans, provider groups, health care systems and health start up companies get high quality data.

They build tools to bring trust, confidence, and transparency to the process of finding a doctor.