Wednesday, 29 November 2017

Free SSL Security Testing for HIPAA Compliance

www.paubox.com gets an A+ SSL Security rating.


  • SSL certificates can be used for securing both Web and Email Communication.
  • An SSL certificate is not the same as the SSL Protocol.
  • There are free SSL security tests online.

A county hospital in Illinois asked us today about our use of SSL certificates and how secure our setup is.

After successfully answering their question, it occurred to me that others might want to learn more about the proper configuration and use of SSL certificates.

SSL Certificate: What is it?

An SSL Certificate provides secure, encrypted communication between a website and a user’s internet browser. SSL certificates can also be used for secure email transmission.

SSL Certificates are usually installed on websites that require users to submit sensitive information over the internet like credit card details, protected health information, or passwords.

SSL Certificates are not the same as SSL Protocols

SSL stands for Secure Sockets Layer and is the protocol which provides the encryption. It was originally developed by Netscape and released as SSL 2.0 (SSLv2) in 1995. An improved SSL 3.0 (SSLv3) was later released in 1996.

It should be noted however, both SSLv2 and SSLv3 are no longer considered secure protocols. Paubox therefore does not support SSLv2 and SSLv3.

Later this week, we will also be ending support for TLS 1.0.

An SSL Certificate is not the same as the SSL protocol.

In fact, an SSL certificate is not tied to any particular protocol version; "SSL certificate" is simply the industry term more people are familiar with.

Free SSL Security Test

A free SSL Security Test that we like and use often is provided by Qualys, Inc.

The Qualys SSL Server Test is an effective way to test your website’s SSL certificate, and it runs a variety of other useful security checks as well.

The test takes a couple minutes to run and is well worth it if you haven’t done it before.

With careful configuration and attention, it’s possible to get an A+ SSL Security rating from the Qualys SSL Server Test.

When it comes to U.S. Healthcare and HIPAA compliance, we recommend doing business with vendors that get an A grade or higher.

Tuesday, 28 November 2017

Can I use Heroku and be HIPAA Compliant?


From time to time, we get asked by customers and prospects about Heroku and their ability to use it in a HIPAA compliant manner.

We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.

In previous posts, we’ve covered the following cloud providers and their capabilities for HIPAA compliance:

The purpose of this post is to determine if Heroku offers HIPAA compliance or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

About Heroku

Heroku is a cloud Platform as a Service (PaaS). It supports several programming languages including Java, Node.js, Scala, Clojure, Python, PHP, and Ruby.

Known as one of the first cloud platforms, Heroku launched in 2007. In 2010, it was bought by Salesforce for $212 million.

Heroku and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.

We checked Heroku’s site and found a page called Heroku Security, Privacy, and Compliance.

In it, Heroku states:

“Customers who want to build healthcare applications on Heroku that complies with US HIPAA can contact sales@heroku.com regarding a Business Associate Addendum to the Master Subscription Agreement that is required for HIPAA compliance.”

Does Heroku Offer HIPAA Compliant Service?

The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate.

Since Heroku offers a BAA that would be added to their Master Subscription Agreement, we conclude that Heroku can be configured to be a HIPAA compliant service.

G Suite email isn’t HIPAA compliant out of the box.
Download the Quick Guide to HIPAA Compliant Email for free.

Conclusion: Heroku can be configured to be HIPAA Compliant. Make sure you sign a BAA with Heroku first.

Monday, 27 November 2017

Can I use G Suite (Google Apps) and be HIPAA Compliant?


We often get asked by customers and prospects about G Suite (formerly Google Docs) and their ability to use it in a HIPAA compliant manner.

We know the HIPAA market is vast so we can empathize with just how many people need to use cloud-based storage services in this sector.

In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:

The purpose of this post is to determine if Google’s G Suite offers HIPAA compliance or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

About G Suite (Google Docs)

G Suite is Google’s brand of cloud computing, productivity and collaboration tools. Its most popular services are Gmail, Google Calendar, and Google Drive (including Docs, Sheets, Slides, and Forms).

While these services are typically free to use for consumers, G Suite adds enterprise features such as branded email addresses at a domain (@yourcompany.com), as well as phone and email support.

Formerly known as Google Docs, Google rebranded the service to G Suite in September 2016.

G Suite and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.

We checked Google’s site and found a G Suite Administrator Help article called HIPAA Compliance with G Suite.

In the article, Google points out:

“Google offers a BAA covering Gmail, Google Calendar, Google Drive (including Docs, Sheets, Slides, and Forms), Google Hangouts (chat messaging feature only), Hangouts Meet, Google Keep, Google Cloud Search, Google Sites, Jamboard, and Google Vault services.”

Does Google’s G Suite Offer HIPAA Compliant Service?

The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate.

Since Google offers one that covers G Suite, we conclude that Google’s G Suite is a HIPAA compliant service.

It’s important to note however:

  • You must sign a BAA with Google. It is not included by default.
  • Google’s BAA does not cover email sent or received in transit.

Conclusion: G Suite, formerly known as Google Apps, is HIPAA Compliant. Make sure you sign a BAA with Google and that you have a solution in place to address email sent in transit.

SEE ALSO: How to Make Gmail HIPAA Compliant

Tuesday, 21 November 2017

Disabling TLS 1.0 for Improved Security

Paubox will be disabling TLS 1.0 beginning 1 December 2017. We are doing this to align with industry best practices for security and data integrity.

While we pride ourselves in our military grade encryption, we also pride ourselves in user experience. No action is required prior to this date – simply continue using your encrypted email service from Paubox as you normally would.

TLS 1.1 will be the new minimum standard security protocol Paubox implements in order to align with industry-wide best practices for security and data integrity.

What is TLS? (What is TLS 1.0?)

TLS, short for Transport Layer Security, is an encryption protocol that protects messages in transit from one server to another. The encryption protocol deploys whenever a web browser or application transmits data over a network.

All Paubox network traffic, whether it contains PHI or not, is encrypted using industry-standard transport encryption (TLS). TLS prevents emails from being read while in motion and ensures the communication is delivered to the appropriate recipient.

Currently, TLS has three versions: TLS 1.0, 1.1 and 1.2.

READ MORE: How to Check for TLS to Secure Your Email

Why is this happening?

At Paubox, we prioritize user experience, but not at the expense of security.

TLS 1.0 is vulnerable to a few attacks, such as the POODLE (Padding Oracle On Downgraded Legacy Encryption) and BEAST (Browser Exploit Against SSL/TLS).

RELATED: Make a Plan for the Middle Man

TLS 1.1 and 1.2, on the other hand, have no known weaknesses.

We are also acting in accordance with the PCI DSS (Payment Card Industry Data Security Standard). PCI DSS requires that TLS 1.0 no longer be used for secure communications, giving companies until June 30, 2018 to make the transition.

With this upgrade to TLS 1.1, you can continue sending encrypted HIPAA-compliant email with confidence that the highest security standards are in place and your sensitive information is safe.

When is this happening?

The upgrade will begin on 1 December 2017. The transition will occur “behind the scenes,” so you will not need to change how you normally use Paubox.

After December 1, TLS 1.1 and above will become the standard TLS version for Paubox encrypted email.

What impact will this have to me?

Most users will not be affected and, in fact, most will not notice. However, in the unlikely case that you experience any interrupted access to your Paubox account or encrypted email service, contact us at support@paubox.com.
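As an added example (not Paubox’s code, and not the Qualys test), the Go program below shows the version policy that this post and the SSL post above describe, SSLv2, SSLv3 and TLS 1.0 refused with TLS 1.1 as the floor, together with the kind of per-version probing a server test performs. It runs entirely on loopback: the self-signed certificate, the localhost address and the `HardenedServerConfig`, `Probe` and `AuditHardenedServer` names are all constructed for the example and use only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// HardenedServerConfig is the post's policy: TLS 1.1 floor, so TLS 1.0 is refused
// and 1.2/1.3 stay available. SSLv2/SSLv3 need no setting; Go cannot negotiate them.
func HardenedServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS11}
}

// newSelfSignedCert builds a throwaway localhost certificate (constructed for
// this example) plus a root pool that trusts it, so verification can stay on.
func newSelfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(parsed)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, roots, nil
}

// startServer listens on a loopback port and completes handshakes until the listener
// is closed. Handshake is driven explicitly; with no Read/Write the server never answers.
func startServer(cfg *tls.Config) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { defer c.Close(); _ = c.(*tls.Conn).Handshake() }(c)
		}
	}()
	return ln, nil
}

// Probe pins a client to exactly one protocol version and reports whether the
// server completed a verified handshake at that version.
func Probe(addr string, version uint16, roots *x509.CertPool) (bool, error) {
	cfg := &tls.Config{MinVersion: version, MaxVersion: version, RootCAs: roots, ServerName: "localhost"}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return false, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version == version, nil
}

// AuditHardenedServer stands up the hardened server on loopback, probes it with TLS 1.0
// through 1.3 and returns which versions it accepted, keyed by the tls.VersionTLS* constant.
func AuditHardenedServer() (map[uint16]bool, error) {
	cert, roots, err := newSelfSignedCert()
	if err != nil {
		return nil, err
	}
	ln, err := startServer(HardenedServerConfig(cert))
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	table := map[uint16]bool{}
	for _, v := range []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13} {
		ok, err := Probe(ln.Addr().String(), v, roots)
		table[v] = err == nil && ok
	}
	return table, nil
}

func main() {
	table, err := AuditHardenedServer()
	if err != nil {
		panic(err)
	}
	fmt.Println("accepted by version (769=TLS 1.0 ... 772=TLS 1.3):", table)
}
```

Run it with `go run`; the printed map is keyed by the `tls.VersionTLS*` constants (769 is TLS 1.0, 772 is TLS 1.3). `Probe` keeps certificate verification enabled by trusting the generated certificate through `RootCAs` rather than switching on `InsecureSkipVerify`, which is the habit to keep if you adapt it to check one of your own hosts. TLS 1.3 appears in the audit because Go implements it today; it was not yet standardised when this post was written, which is why the post counts three TLS versions.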

Friday, 17 November 2017

How to Protect and Secure Protected Health Information (PHI) on Mobile Devices

In today’s digital age, mobile devices such as cellphones, laptops, tablets and even smartwatches are commonplace in modern work environments.

Even healthcare, a notoriously outdated industry, has begun adopting the use of mobile devices.

Considering the usability of mobile devices, their increased use is not surprising. Smartphones, for example, are convenient in their portability and efficient in their productivity. We’re no longer bound to an office or a desk to get work done.

However, using mobile devices does come with some risks, especially for a healthcare organization. When a mobile device is compromised, so is the data stored on it, including any ePHI (electronic PHI) that has been created, sent or received on it.

If you are in a HIPAA-regulated industry, you must include mobile devices in your enterprise-wide risk analysis. Be sure to train your staff on precautionary measures for mobile devices to reduce the risk of a HIPAA violation.

The risks of mobile devices containing or accessing ePHI

Take a look around you. Odds are, you have a mobile device inches away from you.

If you don’t have a mobile device near you, do you remember where you put it?

One risk of storing ePHI on mobile devices is that they are small and portable, which makes them easier to steal or lose.

If your mobile device is lost or stolen with unsecured ePHI stored on it, you are at major risk of a HIPAA violation. You need to take immediate precautionary measures to avoid being cited for a costly fine.

Personal mobile devices versus work mobile devices

Your organization must clarify whether personal mobile devices can be used for work activities, especially work activities that involve PHI. If this is prohibited, your organization must implement policies to enforce the rule.

For Covered Entities and Business Associates that do allow the use of personal mobile devices to store or access ePHI, these devices must be included in their enterprise-wide risk analysis. Furthermore, security measures must be in place to reduce risks of a HIPAA breach and enhance mobile security.

READ MORE: 3 Common Health Tech Mistakes You Need to Know

Configure mobile settings accordingly

One example of a proper security measure is changing the mobile devices’ default settings. Like computer systems, mobile devices ship with default settings, and these defaults are often insecure, such as automatically connecting to insecure Wi-Fi, Bluetooth, cloud storage, or file-sharing network services.

To resolve this security issue, organizations must ensure that mobile devices are properly configured and secured prior to receiving, maintaining, creating or transmitting ePHI.

Train employees in best security practices

Fully secure mobile devices go beyond setting the proper security settings. Employees should be trained in securely operating a mobile device to ensure the employee handling the ePHI on their mobile device remains HIPAA compliant. This includes being aware of the dangers of an unprotected Wi-Fi network, such as public Wi-Fi found in airports or coffee shops, and unprotected cloud storage and file sharing services.

Employees should also be fully trained on what steps to take if their mobile device becomes infected with viruses or malware. Just like any other computer system, malicious software on an infected mobile device can grant cybercriminals access to sensitive information. Such stolen data would constitute a HIPAA breach.

A data breach can also stem from a seemingly harmless mobile app. Some mobile apps request access to contacts, pictures, messages, and other information on your mobile device. The app then sends this data to an external entity, often without notice.

To prevent any data breaches and HIPAA violations from occurring, be sure to regularly review the security of mobile devices and adjust the security measures accordingly. As a covered entity or business associate, you are required by federal law to ensure that ePHI remains protected.

RELATED: 5 Business Best Practices for Email Security

How to protect and secure PHI on a mobile device

In October 2017, the HHS released a series of tips to follow to protect PHI on a mobile device:

  • Implement policies and procedures regarding the use of mobile devices at work – especially when used to create, receive, maintain, or transmit ePHI.
  • Consider using Mobile Device Management (MDM) software to manage and secure mobile devices.
  • Install or enable the automatic lock/logoff functionality.
  • Require authentication to use or unlock mobile devices.
  • Regularly install security patches and updates.
  • Install or enable encryption, anti-virus/anti-malware software, and remote wipe capabilities.
  • Use a privacy screen to prevent people close by from reading information on your screen.
  • Use only secure Wi-Fi connections.
  • Utilize a secure Virtual Private Network (VPN).
  • Reduce risks posed by third-party apps by prohibiting the downloading of third-party apps, using whitelisting to allow installation of only approved apps, securely separating ePHI from apps, and verifying that apps only have the minimum necessary permissions required.
  • Securely delete all PHI stored on a mobile device before discarding or reusing the mobile device.
  • Include training on how to securely use mobile devices in workforce training programs.

With these precautionary measures in place, you will help keep protected patient information safe while remaining HIPAA compliant.

Is Google Slides HIPAA Compliant?


We often get asked by customers and prospects about Google Slides and their ability to use it in a HIPAA compliant manner.

We know the HIPAA market is vast so we can empathize with just how many people need to use cloud-based storage services in this sector.

In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:

The purpose of this post is to determine if Google Slides offers HIPAA compliance or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

About Google Slides

Google Slides is a web-based slideshow presentation program that competes directly with Microsoft PowerPoint. It was released by Google in 2007.

Google Slides and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.

We checked Google’s site and found a G Suite Administrator Help article called HIPAA Compliance with G Suite.

In the article, Google points out:

“Google offers a BAA covering Gmail, Google Calendar, Google Drive (including Docs, Sheets, Slides, and Forms)…”

Does Google Slides Offer HIPAA Compliant Service?

The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate.

Since Google offers one that covers Google Slides, we conclude that Google Slides is a HIPAA compliant service.

It’s important to note however, you must sign a BAA with Google to be HIPAA compliant.

Conclusion: Google Slides is HIPAA Compliant. Make sure you sign a BAA with Google.

SEE ALSO: Is Google Drive HIPAA Compliant?

Thursday, 16 November 2017

Can I use Google Voice and be HIPAA Compliant?


We often get asked by customers and prospects about Google Voice and their ability to use it in a HIPAA compliant manner.

We know the HIPAA market is vast so we can empathize with just how many people need to use cloud-based storage services in this sector.

In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:

The purpose of this post is to determine if Google Voice offers HIPAA compliance or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

About Google Voice

Google Voice is a telephone service that provides call forwarding, voicemail, voice and text messaging.

The service was launched in 2009, after Google acquired the service GrandCentral. Google Voice should not be confused with Google Talk or Google Voice Search.

Google Voice and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.

We checked Google’s site and found a G Suite Administrator Help article called HIPAA Compliance with G Suite.

In the article, Google points out:

“Google offers a BAA covering Gmail, Google Calendar, Google Drive (including Docs, Sheets, Slides, and Forms), Google Hangouts (chat messaging feature only), Hangouts Meet, Google Keep, Google Cloud Search, Google Sites, Jamboard, and Google Vault services.”

The G Suite Administrator Help article however, does not mention Google Voice as being covered under their BAA. In fact, Google Voice is not considered a part of G Suite.

We then checked a Google Implementation Guide called HIPAA Compliance & Data Protection with Google Apps. We could not find a mention of Google Voice in that guide either. Google Voice is not considered a part of Google Apps either.

Next, we checked the Google Cloud Platform and found a guide called HIPAA Compliance on Google Cloud Platform. There was no mention of Google Voice being covered under the Google Cloud BAA either. Google Voice is not a part of Google Cloud.

SEE ALSO: Is Google Cloud HIPAA Compliant?

Does Google Voice Offer HIPAA Compliant Service?

The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate.

We determined that:

  • Google Voice is not a part of G Suite.
  • Google Voice is not a part of Google Apps either.
  • Google Voice is also not part of Google Cloud.

G Suite, Google Apps, and Google Cloud are the Google platforms that offer BAAs. Since Google Voice is not a part of any of them, we conclude that Google Voice is not a service that’s covered by Google for HIPAA Compliance.

Conclusion: Google Voice is not HIPAA Compliant.

Do not use Google Voice if you are bound by HIPAA regulations.

Wednesday, 15 November 2017

Is Google Sheets HIPAA Compliant?


We often get asked by customers and prospects about Google Sheets and their ability to use it in a HIPAA compliant manner.

We know the HIPAA market is vast so we can empathize with just how many people need to use cloud-based storage services in this sector.

In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:

The purpose of this post is to determine if Google Sheets offers HIPAA compliance or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

About Google Sheets

Google Sheets is a web-based spreadsheet offered by Google within its Google Drive service. It was first released in 2007.

Google Sheets and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.

We checked Google’s site and found a G Suite Administrator Help article called HIPAA Compliance with G Suite.

In the article, Google points out:

“Google offers a BAA covering Gmail, Google Calendar, Google Drive (including Docs, Sheets, Slides, and Forms)…”

Does Google Sheets Offer HIPAA Compliant Service?

The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate. Since Google offers one that covers Google Sheets, we conclude that Google Sheets is a HIPAA compliant service.

It’s important to note however, you must sign a BAA with Google to be HIPAA compliant.

Conclusion: Google Sheets is HIPAA Compliant. Make sure you sign a BAA with Google.

SEE ALSO: Is Google Drive HIPAA Compliant?

500Health Showcase at 500 Startups San Francisco (Pictures)

Rebecca Woodcock, Venture Partner at 500 Startups, kicked things off.


  • The 500Health Showcase featured pitches from 8 digital health startups.
  • There were 2 Fireside Chats: Ran Ma (SirenCare) and Ashwin Pushpala (Sano).
  • It concluded with an investor panel: Lynne Chou O’Keefe, Francisco Gimenez, and Jeff Lee.

Yesterday afternoon I walked a couple blocks from our office over to 500 Startups for the 500Health Showcase.

The program agenda included a demo showcase for the Batch 20, 21, and 22 Digital Health startups from 500 Startups Health. In addition to demo pitches, there was an investor panel and two fireside chats.

Phuong Tran and I got there early to set up our banner and catch up with friends and investors. I hadn’t seen Zach Gobst (LeapCure) in a couple of months; the man is on the startup hustle! I also saw Marvin Liao but didn’t get a chance to catch up with him. Our Batch (B18) loves Mad Marvin.

The food and beverages were delicious as well.

Here are pics from the event. Enjoy!


The 500Health Showcase agenda.
Getting more comfortable with selfies: Myself (Hoala Greevy), Ryan Williams, Clayton Bryan and Phuong Tran.
Networking before the event kicked off.
Phuong and I caught up with our friends from Batch 18: Manu Kurbonali (Zentist) and Chinmay (SimplifiMed).
Batch 23 applications are now open.
Ran Ma, co-founder and CEO of SirenCare.
SirenCare Fireside Chat with Suraj Mehta and Ran Ma.
Jane Wang (Optimity) began the 500Health startup pitches.
Zivana Zerjal (Elyse28)
Garrett Ruhland (Biomarker.io)
Leonid Popov (TrueCare24)
Kevin Krauth (Orderly Health)
Ayush Bharti (OurHealthMate)
Balaji Gopalan (MedStack)
Aziz Kaddan (Myndlift)
Selfies are faster to take when there’s a lot going on.
Fireside Chat with Ashwin Pushpala (Sano) and Suraj Mehta.
Jessica Tan: Welcome back!
The Investor Panel: Francisco Gimenez (8VC), Jeff Lee (DCM Ventures), Lynne Chou O’Keefe (Kleiner Perkins Caufield & Byers).
We propped the latest Paubox banner in a great location: Secure Mail Made Easy.

This Is What Happens to Patient Engagement Under HIPAA


According to a recent New England Journal of Medicine Report, patient engagement is a key way to improve patient and population health overall.

However, due to HIPAA, providers often struggle with properly engaging patients. 

RELATED: 5 Ways to Attract More Patients to Your Practice

What is patient engagement?

Patient engagement is the concept of interacting with patients through various methods (such as social media, portal systems, mobile apps) to get the patient active in their own care. The goal of increasing patient engagement is to improve the patients’ own health outcomes.

Patient portals, bluetooth enabled devices, and smartphone applications are all great ways to engage patients. However, Covered Entities and Business Associates are afraid of sharing sensitive protected health information (PHI) through these means. Sharing PHI over unprotected networks leaves Covered Entities and Business Associates ripe for HIPAA violations.

This is a shame, because patient engagement does work when implemented properly; a lack of proper communication is why patient engagement fails to improve. A recent West survey found 75% of patients with chronic conditions want their doctor to contact them regularly to keep tabs on their health.

Additionally, patients feel that they don’t have proper access to their records. A CDW Healthcare survey found that 89% of patients say they want easier access to their health records.

READ MORE: 7 Things You Should Know to Improve Your Medical Practice

How to improve patient engagement under HIPAA

One of the most common ways healthcare entities try to improve patient engagement is through patient portals.

Unfortunately, patient portals tend to be cumbersome to use. Brian Eastwood, consumer engagement and consumer-directed healthcare analyst at Chilmark Research, recently told Healthcare Dive that the adoption of patient portal technology is only at between 25% and 35%.

In addition to HIPAA barriers, portals are typically not mobile-friendly, which makes it harder for patients to access them.

Luckily, there is an alternative to patient portals that can keep your practice HIPAA compliant.

The solution: seamless HIPAA compliant email encryption.

Email is still one of the most effective and common ways people communicate with one another. However, any email communication involving PHI must be secure to be HIPAA compliant.

Sometimes, this increased security means giving up the usability of ordinary email, although you can preserve it if you use the right email encryption solution.

Email encryption’s challenge has been making sure the emails are secure and the encryption is easy to use. Most solutions can’t resolve this challenge. Paubox does.

With Paubox Encrypted Email, all outbound emails are automatically encrypted, and recipients will receive your emails like any other ordinary email.

This seamless nature ensures that patients and physicians can continue to communicate easily with one another without the fear of the information being exploited. We make HIPAA compliant email easy!

Tuesday, 14 November 2017

Can I Use Google Docs for HIPAA Compliance?


We often get asked by customers and prospects about Google Docs and their ability to use it in a HIPAA compliant manner.

We know the HIPAA market is vast so we can empathize with just how many people need to use cloud-based storage services in this sector.

In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:

The purpose of this post is to determine if Google Docs offers HIPAA compliance or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

About Google Docs

Google Docs is a web-based word processor offered by Google within its Google Drive service. It was first released in 2007.

Google Docs and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.

We checked Google’s site and found a G Suite Administrator Help article called HIPAA Compliance with G Suite.

In the article, Google points out:

“Google offers a BAA covering Gmail, Google Calendar, Google Drive (including Docs, Sheets, Slides, and Forms)…”

Does Google Docs Offer HIPAA Compliant Service?

The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate. Since Google offers one that covers Google Docs, we conclude that Google Docs is a HIPAA compliant service.

It’s important to note however, you must sign a BAA with Google to be HIPAA compliant.

Conclusion: Google Docs is HIPAA Compliant. Make sure you sign a BAA with Google.

SEE ALSO: Is Google Drive HIPAA Compliant?

Can I Use Google Calendar and be HIPAA Compliant?


We often get asked by customers and prospects about Google Calendar and their ability to use it in a HIPAA compliant manner.

We know the HIPAA market is vast so we can empathize with just how many people need to use cloud-based storage services in this sector.

In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:

The purpose of this post is to determine if Google Calendar offers HIPAA compliance or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

About Google Calendar

Google Calendar is a time-management and scheduling calendar service developed by Google. It was first released in 2006.

Google Calendar and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance.

We checked Google’s site and found a G Suite Administrator Help article called HIPAA Compliance with G Suite.

In the article, Google points out:

“Google offers a BAA covering Gmail, Google Calendar, Google Drive (including Docs, Sheets, Slides, and Forms)…”

Does Google Calendar Offer HIPAA Compliant Service?

The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate. Since Google offers one that covers Google Calendar, we conclude that Google Calendar is a HIPAA compliant service.

It’s important to note however, you must sign a BAA with Google to be HIPAA compliant.

Conclusion: Google Calendar is HIPAA Compliant. Make sure you sign a BAA with Google.

SEE ALSO: HIPAA Compliant Calendar Invitations

Saturday, 11 November 2017

How to Encrypt Your Gmail Email (With Pictures)

Gmail is one of the most popular email services out there. As of October 2017, Gmail ranks second in email client usage worldwide (a ranking measured over 1.6 billion email opens).

Beyond consumer accounts, 3 million businesses pay for Google’s G Suite service. Among those businesses are plenty in regulated industries that require secure email to be compliant.

Three years ago, Google promised to add end-to-end Gmail encryption to their email platform. Sadly, they have yet to deliver on that promise.

SEE ALSO: Check how secure your email is for free

However, if you are a business in a regulated industry that uses a Gmail account, there are still ways to encrypt your message contents. We’ll show you how to encrypt your Gmail email using each of the three methods below.

1. Enable S/MIME for G Suite

S/MIME (Secure/Multipurpose Internet Mail Extensions) encrypts the message content itself, not just the connection it travels over, so the message stays encrypted across intermediate mail servers and at rest. Gmail applies it to outgoing mail whenever the recipient is able to receive it. (With Gmail’s hosted S/MIME, users upload their certificate and private key to Google, which stores and uses them on the user’s behalf.)

But there is one condition: for S/MIME encryption to work, both the sender and the recipient have to have it enabled.

Then, after S/MIME is enabled, the sender and the recipient have to exchange public keys (their S/MIME certificates), which identify each party and let the other side encrypt to them. In practice this usually happens by each side sending the other a digitally signed message, since a signed message carries the signer’s certificate.

Once you have all that sorted, here is how to use S/MIME to send encrypted messages:

  1. Compose a message as you normally would
  2. Add a recipient to the “To” field
  3. To the right of the recipient, there will be a lock icon. The icon will vary depending on the level of encryption supported by your recipient.
    1. If you are sending a message to multiple recipients, the icon shows the lowest encryption level supported among them
  4. Click the lock and then “View Details” to change your S/MIME settings or learn about your recipient’s level of encryption.

To check if a message you received was encrypted, there are a few more steps to complete:

  1. Open the email message
  2. On the right of the recipients’ list, click on the Down arrow
  3. Look at the colored lock to determine the encryption level of the message

S/MIME Encryption Levels

The encryption levels are represented by three colors: green, gray and red.

  • Green means that your information is protected by S/MIME enhanced encryption. Only the recipient can decrypt the email, using their private key.
  • Gray means the email was only protected by TLS, the encryption on the connection between mail servers. That protects the message in transit from one server to the next, but not on the servers themselves, and it only happens if both the sending and receiving servers support TLS; when they don’t, the mail is typically sent in the clear.
  • Red means there was no encryption whatsoever. If that’s the case, try and refrain from sending any personal information until you are able to securely encrypt your email.

2. Use SecureGmail

SecureGmail is a Google Chrome extension by Streak. After you install it from the Chrome Web Store, refresh your Gmail page to activate the extension.

You will be able to tell if the extension is working if you see a “lock” button next to the “compose” button.

To compose an encrypted email, click the lock button. Note that you must click that small icon every time, or else you will be sending sensitive information in an unencrypted email.

By clicking on the lock, you will see two distinct changes:

  1. The header will show the word “Secured” with a lock symbol beside “New Message”
  2. The “Send” button will change to “Send Encrypted”

After you hit “Send Encrypted”, you’re not quite done yet.

A pop-up will appear prompting you to enter a password that the recipient will need to decrypt the email.

Afterwards, you will have to share your password with your recipient through some other channel, since the email itself carries only the password hint. The protection is therefore only as strong as the password you chose and the channel you used to share it.

SecureGmail does provide end-to-end encryption, but the recipient will also need the SecureGmail extension in order to decrypt the email.

You can only use SecureGmail with the Google Chrome browser; recipients who use another browser on their laptop or smartphone will not be able to read the email.

3. Encrypt your Gmail through Firefox

If you don’t use Google Chrome as your primary internet browser, you can still encrypt your emails with Firefox. Simply add the “Encrypted Communications” Firefox extension and restart your browser to activate it.

To encrypt your Gmail email with this Firefox extension:

  1. Compose an email
  2. Right-click and select “Encrypt Communication”
  3. Enter a password and select “OK”

In order for your recipient to open the encrypted email:

  1. They will also need the Encrypted Communications plug-in.
  2. Right-click on the message and select “Decrypt Communication”
  3. Enter the assigned password
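Both SecureGmail and the Firefox extension described above use the same pattern: one shared password encrypts and decrypts, and that password has to reach the recipient some other way. The following is an added example, not code from either extension, that shows the pattern with openssl’s password-based encryption and what happens with the wrong password. The file names, sample message and demo password are assumptions.

```shell
#!/bin/sh
# Added example (not SecureGmail's or the Firefox extension's code). Shows
# password-based symmetric encryption as those tools use it: the same
# password encrypts and decrypts, so it must be shared out of band.
# File names, the sample message and the passwords are demo assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Derive a key from the password with PBKDF2 and encrypt with AES-256-CBC.
# The email would carry only the ciphertext (and a hint), never the password.
encrypt_with_password() {
  # $1 = password, $2 = plaintext file, $3 = ciphertext output
  openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
    -in "$2" -out "$3" -pass "pass:$1"
}

# A wrong password either fails outright or produces garbage; the caller must
# compare the result against something known rather than trust it blindly.
decrypt_with_password() {
  # $1 = password, $2 = ciphertext file, $3 = plaintext output
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
    -in "$2" -out "$3" -pass "pass:$1" 2>/dev/null
}

# Returns 0 when the right password recovers the original message.
right_password_recovers() {
  printf 'Lab results attached.\n' > "$WORK/plain.txt"
  encrypt_with_password 'demo-passphrase-not-for-real-use' \
    "$WORK/plain.txt" "$WORK/cipher.bin"
  decrypt_with_password 'demo-passphrase-not-for-real-use' \
    "$WORK/cipher.bin" "$WORK/plain2.txt"
  cmp -s "$WORK/plain.txt" "$WORK/plain2.txt"
}

# Returns 0 when a wrong password does NOT reproduce the message
# (run after right_password_recovers, which creates cipher.bin).
wrong_password_fails() {
  : > "$WORK/bad.txt"
  decrypt_with_password 'wrong password' "$WORK/cipher.bin" "$WORK/bad.txt" || true
  ! cmp -s "$WORK/plain.txt" "$WORK/bad.txt"
}

# The ciphertext itself must not leak the plaintext.
ciphertext_hides_plaintext() {
  ! grep -q 'Lab results' "$WORK/cipher.bin"
}
```

The design consequence is the one the sections above describe: every message needs a password, the password needs a second channel, and anyone who intercepts that channel (or guesses a weak password) reads the mail. Public-key schemes such as S/MIME avoid the shared secret entirely.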

How to encrypt your Gmail email without plug-ins or extra steps

Let’s be honest here. Do you constantly want to be checking if you pressed the right button, entered the right password, or typed “SECURE” in the subject line to encrypt and decrypt your emails?

Of course not. And you shouldn’t have to.

Encryption solutions should be as seamless as sending an ordinary email. With Paubox Encrypted Email, it is that easy.

We encrypt all emails and replies by default so you don’t have to. Even better – you can send an encrypted email as you normally would. There’s no need for additional training for your staff and no change in user behavior.

This is because Paubox puts the user experience first for both senders and recipients.

We provide military grade encryption features without the hassle of extra steps.

Paubox also includes security features such as robust SPAM filtering that identifies malware and phishing attacks and has protocols against ransomware.

With seamless integration into business email platforms like G Suite, Office 365 and Microsoft Exchange, you can keep your email address and domain as well.

When we say there will be no change in user behavior, we mean it.

To assure your recipients that the email you sent is encrypted, they will see a short notice in the footer of your email saying it was encrypted for their safety and security by Paubox.

Experience how easy email encryption can be with a free no-risk 14-day trial.


Friday, 10 November 2017

Life Before Paubox: It was So Bad I Didn’t Even Know It


Leolinda Parlin describes life before Paubox.


  • Their previous encrypted email vendor was incredibly cumbersome to use.
  • Leolinda’s entire staff emailed her, thanking her for making the switch to Paubox.
  • “With Paubox, it’s absolutely seamless.”

During a recent HIPAA Center filming with Leolinda Parlin, I discovered what life was like for her company before Paubox and our HIPAA compliant email solution.

Leolinda is CEO of Hilopaa Family 2 Family. They provide a voice in healthcare to those with special needs.

Below is an excerpt from our chat.


Life Before Paubox

Hoala Greevy: So Leo, what was life like before Paubox?

Leolinda Parlin: Oh my goodness. You know, it was so bad I didn’t even know it. We had another, he who shall remain nameless, vendor for encrypted email. But it required us to make a decision for each email- how we were gonna send it, hit another button, it would go out, it wouldn’t even store the email in our outbox. So we had to go to the web if we wanted to retrieve a message to kinda watch the thread.

You know, we just assumed that was the industry standard and it was what was, so we put up with the frustration. Unfortunately, because you had to go through all this decision making, there were times that email left our office that hadn’t been encrypted. It went as registered, because they were multi-function, what you could’ve done with the email. So probably not the best thing to have but at the time, it was all we could have our hands on.

When we switched over to Paubox, it just made so much more sense. I felt wonderfully excited about using the technology but I also felt terribly sad at the same time. Because all the staff had emailed me, “Thank you so much!” They were so relieved we had made the transition.

I had no idea at all how cumbersome the multi-step process of the old platform was, let alone the anxiety of always worrying about whether or not you hit the right button to make sure it was encrypted. Or even the amount of labor that was required to retrieve the message to watch the thread to go through.

With Paubox, it’s absolutely seamless. Life is good, staff is happy. Happy staff, happy life. You know so, very pleased with Paubox.


About Hilopaa Family 2 Family

Hilopaa Family 2 Family is a one-stop for information and referral, technical assistance and training. The Center is staffed by parents and friends of children with special health care needs. They provide free, confidential assistance to families and self advocates and the professionals who serve them.

Medication Reminder Services – Customer Success with YTH

HIPAA Compliant Email API - Customer Success with YTH - Paubox

During a recent customer visit to YTH in Oakland, we caught up with them on how they use our solutions.

It turns out they use our HIPAA Compliant Email API for Medication Reminder Services. Medication Reminder Services are solutions that remind people of all ages to take their daily prescription medications.

Below is an excerpt from the chat between YTH and Customer Success Manager Phuong Tran.


HIPAA Compliant Email API

Laiah Idelson: YTH was started in 2001 and our goal is to use technology to develop innovative solutions for youth health and wellness. Innovation programming, or some of the programs we work with paubox on, like PrEPTECH and Health Reminders Nebraska.

Phuong Tran: How does HIPAA apply to you guys and programs that you guys provide?

Laiah Idelson: We generally, before we learned about Paubox, avoided HIPAA programming that had to do with HIPAA. When we began some of the programs that we work on now, we were fortunate to find Paubox through our engineers. Both of these programs, especially PrEPTECH, have requirements that they remain HIPAA compliant and we’re happy to have found you because it allows us to do programming that before we weren’t able to engage with.

Chris Bannister: PrEPTECH is an online telemedicine program. The PrEPTECH Program is designed in a way that allows participants to customize SMS reminders and customize their own health tips and basically their own weekly setup so they can make sure their PrEP adherence is maintained.

Phuong Tran: It sounds like a lot of the programs you guys do, in particular PrEPTECH, it’s a smart way and an easy way to really remind participants about their appointments, the drugs they’re taking, and just trying to stay in adherence to the treatment they’re in.

Laiah Idelson: I think your point around adherence applies especially to the other program we use Paubox for, which is Health Reminders Nebraska. They came to us and asked us to replicate some other programs that we have which are medication reminder services. They asked that the site be HIPAA compliant, which our previous partners with similar sites hadn’t requested, and so that’s when we found you. They can choose if they receive text, email or voice reminders. The email reminders come from Paubox.

Phuong Tran: I’m glad that we can help you guys, you know, give you some sense of safety in terms of ensuring the communication between those participants is secure and encrypted.

Laiah Idelson: We work with a lot of other vendors for various programs and features and I do feel like, at least in the programs that I work with, you all are some of the more engaged partners and willing to come to our events and meet us and invite us to your events and things like that. That’s been fun for us to get to know you all as well.


About YTH


YTH is the partner of choice for those in search of new ways to advance the health of youth and young adults through technology. They drive change by creating, evaluating, and refining technology solutions and providing partners with proven models ready for scale and replication.

YTH also builds the capacity of the community to advance youth health by providing research, training, idea generation, and expert advice.

Once it’s determined what works, YTH makes sure that the community can learn from any findings by sharing them through their annual YTH Live conference, blog, and research.