
41. Eoin Gregory: "You say the word HIPAA, and our providers cringe or turn their brains off."

Episode 41 of the HIPAA Critical podcast features an interview with Eoin Gregory, co-owner of Family Billing Solutions, Travis Taylor, account executive at Paubox, and Sierra Langston, marketing manager at Paubox.

Rather read?

Here's the full transcript of this episode.

Hannah Trum: I'm Hannah Trum, and this is the HIPAA Critical podcast.
If you work in healthcare, you know what HIPAA is, but do you and your organization understand how to maintain HIPAA compliance regarding email security and encryption? Is HIPAA compliance a “one size fits all” situation? How do organizations keep their employees and their partners compliant and safe?
Today Sierra Langston sits down with Eoin Gregory of Family Billing Solutions and Travis Taylor of Paubox to discuss email encryption, the HHS Wall of Shame, and how to keep your staff, partners, and yourself educated on the vague but vast world of HIPAA compliance.
 

Sierra Langston: Eoin, can you tell us about your company, what industry you guys are in, what you do, and whom you serve? That would be great.

Eoin Gregory: Hi, Sierra. My company is Family Billing Solutions. We are functionally a business-to-business organization. We work with existing healthcare professionals in small and/or solo practices to deliver billing solutions and some practice management guidance.

Primarily, we work with complementary and alternative healthcare employers and companies: acupuncturists, chiropractors, naturopaths. Our primary role for them is the administrative side of billing and collections.

Sierra: Okay, great. And why did you start Family Billing Solutions?

Eoin: So actually, I'm a chiropractor by training. Back in 2017, I suffered a catastrophic injury and was no longer able to practice. But I was able to leverage my teaching experience as an educator and my practice experience, both clinical and administrative, into a company with a very good friend who owns a large billing company that works with big companies, but she couldn't handle small companies.

She said, "You guys are perfectly placed to help smaller companies." So we decided very quickly to start a company, and we've grown tremendously, despite what the economy has done and despite COVID, but a lot of what we do relates to being in practice.

We do a lot of diagnosing problems and coming up with treatment plans to solve them for our providers. So at least I can fulfill some of that experience that I have.

Sierra: It’s good to hear that you turned a negative into a positive. And Travis, can you tell us about your role or mission at Paubox?

Travis: Yeah, of course. So I'm an account executive here at Paubox. That just means I'm on the sales team here. But really, what I like about my duties and responsibilities is serving as an advisor on best email security practices, and then as an educator on HIPAA compliant email.

There's just so much out there that organizations need to know, and that's where I take responsibility to educate them on new industry trends and what everyone else is doing, just to provide the recommendation and support they might not have had otherwise. From my experience talking with other healthcare organizations, I'm just trying to help move everyone into more modern times when it comes to communication.

At a high level, my mission is just trying to help organizations communicate as effectively as they can without sacrificing the security pieces. When it comes to HIPAA compliant email, you have to be right 100% of the time. So you need solutions and products that will remove that human element and make sure that you're set up for success as you scale, and in the long term.

Sierra: Yes, and I'm so glad that you're on today because you're one of our technical experts. I love that you'll provide some excellent knowledge to our listeners. 

Eoin, when was Family Billing Solutions founded? You talked about why it was founded, but when was it founded? What prior experience do you bring to your company that makes you a good fit for your clients? Aside from being a great chiropractor.

Eoin: We started our company in January of 2018. My wife, who's an acupuncturist, and I are co-owners of the company. We bring the clinical experience, not from the standpoint of treating patients, but the flow of practice life: how we work, how providers work and treat patients, and what time they have and don't have.

I also bring the practice management side of things. I have spent a tremendous amount of time working on the technical aspects of practice, the software side of things, the communication side of things. So we bring those tools with us. 

Then the last thing is education. I was heavily involved in education at the post-secondary level. When I communicate with our providers, it's not just a yes or no kind of answer. It's, “well, this is the answer,” and “here's how you find it in the future,” or “here are some good resources to help you with this.” 

When you get into incredibly complex things like HIPAA compliance, you say the word HIPAA, and our providers just cringe and/or turn their brains off.

Travis: Yes, providers didn't go to school to learn about HIPAA; they went to school to learn about their specialty, how to treat patients, to get that specialty knowledge about how to be an expert in their field.

So that's really why, here at Paubox, we're posting blogs constantly, trying to keep up on industry trends, and reading newsletters, because HIPAA is just so vast. And at the same time, it can be so vague, which is troubling for a lot of providers.

Often, when incidents do happen, it's just by accident, not negligence. Sometimes they just need to be aware and informed, like you're saying, Eoin, of what sort of best practices they need to follow.

Luckily, companies like yourself help them run the administrative side because, again, they went to school to learn how to treat patients; they didn’t necessarily learn how to run a business.

Sierra: Right, great insight, Trav! 

Eoin: I think the educational component of what we do cannot be underestimated. We work with other billing companies, and when I talk with the people who run those companies, they understand the business side of running a billing company. Still, they don't necessarily understand the business side of running a practice, what information the practices need, and how you can manage giving them as much as they need. It's very helpful to have some concise information.

When I originally looked at Paubox as a solution for our company, my conversation with Travis was a phenomenal conversation because he understood where I was coming from. I understood the direction he was going. 

The other side of it is simplicity. You know, we have some customized software that we use. And it's simple to use. You look at some of the software packages for healthcare practices, and they're overwhelming. 

One thing that Paubox does is it's not overwhelming. There's not a layer of encryption on top of encryption; you’re not dealing with multiple layers and multiple accesses and extra passwords because it's a passive system that actively runs in the background and prevents you from making unsecured connections. We can identify who has unsecured email, even though they told us they don't because they don't realize what I'm asking. 

The other side of it is that it gives us an opportunity to educate them on communicating with their patients.

Sierra: This feeds into the next question. Many of your clients don't understand HIPAA, or their eyes glaze over when you talk about it and why they need to be compliant. 

Can you tell us more about this? How do you educate them on the need for it? 

Eoin: Yes. So when I talk with providers, and they communicate with me in the beginning, before we bring them on in the onboarding process, we say, listen, how do you communicate both with your provider and with your patients?

They say, well, oftentimes we text message, or oftentimes they'll email me. And I say, "Now, are they signing a piece of paper saying that it's okay to communicate their clinical information with them via email or text message? Because that's the kind of authorization you specifically need; they have to positively enroll, or have to give permission for you to send them those types of communications."

It's no problem to use email in practice, but the patient does have to give their consent for that. And I said the same thing happens with us. In our business, we don't just randomly send emails out to our providers. I have them confirm that their email is HIPAA compliant. We confirm that they store their information or their data in a HIPAA compliant manner. It's not hard to do those things, as long as you're aware that they need to be done.

The problem is, most of our providers don't know where to go or how to do it. I think the easiest one is Google Workspace. From a user standpoint, it's incredibly easy to set up, and the fact that Paubox just plugs right into it makes life so easy.

Sierra: Right. I've heard that the HIPAA guidelines are pretty vague from a lot of podcast guests. 

Again, this leads to my next question: Why do you think many small healthcare practices struggle to understand or meet HIPAA requirements?

Eoin: I think there are two components. One is education: there might not be, or has not been, a good source of education for this information. When they do professional education as continuing education, most providers are clinical-type staff and get CE credits for that.

You don't get CE credits when you do administrative-type stuff and running a practice. And that's actually what this is; this is an administrative role in practice. So there's that, and then there's the fear component, or the ostrich component: if I don't think about it, then it doesn't exist, and I don't have to worry about it.

We know that that is not true. We know that that is a big issue. And besides HIPAA, ADA compliance is a whole other issue that's recently come up, particularly in the acupuncture profession.

Sierra: You talked about this a little bit, but what sparked your need for HIPAA compliant email? We talk about this a lot in our blogs and on this podcast, and so on. I’m curious about your opinion. 

Eoin: So what a lot of companies don't recognize, not providers, but companies who provide service to providers, or especially small ones, is that when we handle our providers’ data we have to assure them that we're going to handle it in a completely HIPAA compliant manner. 

When I give our clients a business associate agreement, it's not me giving it to them. It's me signing one that they've given to me; essentially, I've given them a form that shows that we intend to hold their data in a HIPAA compliant manner.

From the beginning, when my wife and I were forming our company, we said, okay, what solutions do we need in place? We initially were collecting patient data via a HIPAA compliant spreadsheet. Suppose you work within a Google domain to address our company's daily billing comm. So if you were using billing comm, and you're sending a message to me, to an account that stays on our server, there are no HIPAA compliance issues with that.

So initially, when we first started our company, all of our providers had an email address on our domain. So they would log into our system. And that worked great, except when we changed our platform, and they didn't need that access. It costs money to maintain that access and usage. 

The other side is that providers were then, I found out, taking that email address and forwarding it on to their non-secure email. We decided that we needed a more proactive approach to managing how we communicate with our providers in a HIPAA compliant manner. 

The initial access was just deciding how we can communicate with our providers with protected health information for their patients to make it as easy as possible and be secure. And providers? I don't want to say they're lazy; they don't have time. So you need to make it as easy and as trouble-free as possible for them.

Sierra: Yeah, and I'm glad you said as easy as possible, because we talk about this a lot. User error contributes to protected health information (PHI) breaches. Because our solution is so easy and kind of runs in the background, it is easier for our clients and customers.

Travis: If I could give a shout-out to Julie Haney, who works over at NIST and was a speaker at Paubox SECURE, she had a quote that I use every day, and it's that “usability and security need to coexist.” 

Now, Eoin, you made a point earlier; if people aren't using it, then what's the point? If people aren't opening their encrypted emails to access their medical records for their discharge information, then what's the point? 

There needs to be that harmony and fusion between those two aspects. What we've seen is a lot of complications from just the actual usability of that.

Eoin: Usability is one aspect, but there's the educational component of how to use it properly. 

For example, with Paubox, there is no question about how to use it properly. It happens already in the background. There is, for us, nothing that we have to do on our end to make sure we're being HIPAA compliant.

On the providers' side, as long as they're running an encrypted connection, which 95% are by default but don't know it, they are also transmitting data in a HIPAA compliant manner.

Sierra: And here at Paubox, we do the HIPAA Breach Report every month. Essentially, we look at the HHS Wall of Shame, and we categorize all the breaches by whether they occurred over email, and so on and so forth.

Travis, can you summarize the findings of our February HIPAA Breach Report?

Travis: Yeah, of course. Again, it's the ones that are reported because there are breaches out there that have just skated by or that people just don't know yet. 

So what we've seen in many previous months is that data breaches via network servers continue to affect the most people, while email breaches occur the most frequently. To give you some numbers to chew on, there were over 646,000 patient records affected by network server breaches in January.

But really, that number is slightly skewed, because there was one breach that took up a little over 640,000 of that entire amount. For email breaches, there were over 248,000 patient records affected. And then by occurrence, network breaches had seven incidents, and email had 12 incidents.

Sierra: I've been at Paubox for close to 12 months, and since I've been here, email has always been at the top. So that pushes our need for education and awareness in the market about email being a huge threat actor.

Travis: Email is the most convenient, but it definitely can present the most vulnerabilities when you're using it. That's why you always need to have a secure solution. Like you said, Eoin, the training and the focus of your end-users to use that product that the organization invested in.

Sierra: Well, Eoin and Travis, thank you so much for joining me today. I appreciate it. 

Hannah: To learn more about HIPAA compliance and email encryption, or to read the HIPAA Breach Report published monthly by Paubox, head to paubox.com/blog for guides, articles, and educational pieces to keep your organization educated and safe.

Mark your calendars! Our next free webinar will take place on June 2 at 10 am PT. Our panelists include Travis Taylor of Paubox and Tony UcedaVélez of VerSprite. They will discuss the ever-evolving threat landscape and healthcare. This webinar will be moderated by Paddy Padmanabhan of Damo Consulting, and it's completely free to attend. If you'd like to register, please send me an email at hannah@paubox.com or simply head to paubox.com/webinars.

Have you attended one of our Zoom social mixers? Each month our customers and noncustomers gather to network and discuss industry trends with their peers. Every attendee will receive a complimentary adult beverage of their choice delivered to their door the day of, and attendance is completely free. If you'd like to attend, please email me at hannah@paubox.com, and I will get you registered.

As always, you can listen to every episode of the HIPAA Critical podcast on paubox.com or subscribe via Apple Podcasts, Spotify, iHeartRadio, Stitcher, or Amazon Music. Thanks for tuning in to another episode of the HIPAA Critical podcast; I'm your host, Hannah Trum, signing off.