Why should primary care doctors use Paubox? A Paubox employee story

As a person with a disability, I love how the Internet makes life easier for me. But when it comes to interacting with my primary care doctor, making the appointment is where convenience ends. You see, my doctor’s clinic doesn’t use Paubox for HIPAA compliant communication.

Last year I became physically unable to drive my vehicle due to progression of a neurological condition. However, some amazing technology exists that makes it possible to drive using just a joystick – a video game-style joystick! It was an exciting thing to discover and I wanted to make it happen.

But it’s a long road going from seeing something on YouTube to making it a reality – especially when the DMV is involved. The first part of my long road involved getting a new learner’s permit for modified-vehicle driving. To do this I had to have my primary care physician fill out a DMV form that said I would be medically OK to drive, so I emailed my doctor the blank form to fill out.

Unfortunately, she could not simply email the completed form back because her clinic could not guarantee that the communication would be HIPAA compliant. Instead I had three options:

  1. Come and pick it up.
  2. Have it snail-mailed to me.
  3. Have it faxed to me.

Imagine my frustration, being told the fastest way to get the form was to get in my car when I can’t even drive myself without getting the form in the first place!

The second option wasn’t optimal because that meant delaying my return to driving by a week.

And the third option – in the 2020s – is to BUY A FAX MACHINE and then install a landline just so I can use it???

It sounds ridiculous, but had I known then what I know now, I actually would have scoured Craigslist for a $10 fax machine, since I ended up needing over a dozen forms filled out by my doctor last year.

I understand the law and I understand its importance. What I don’t understand is why medical organizations large and small don’t realize that regular email CAN be HIPAA compliant.

Hospitals, clinics, and doctors just need Paubox to secure patient email communication and be HIPAA compliant.

Had my doctor’s clinic been using Paubox, she could have sent me the scanned form back the day she filled it out. I wouldn’t have had to coordinate multiple rides to her office, wasting time and gas. The clinic wouldn’t have had to print out a label, put it on an envelope, and stuff the envelope with my form then have someone find it when I got there. It’s a win for everyone.

Making lives easier for patients like me is one of the reasons I work at Paubox.

How to make HIPAA compliant email stress-free for nurses

Just like all medical practitioners, nurses must understand HIPAA compliance and be HIPAA compliant in their communication with or about patients. Nurses play key roles in proper patient care and in safeguarding protected health information (PHI). They deal with private information daily and must be aware of how to communicate it.

See also: PII and PHI best practices: How healthcare organizations should handle sensitive information

Patients and their healthcare providers need to give and receive information clearly and securely, and HIPAA compliant email is one of the best ways to meet that need. At the same time, a HIPAA breach, intentional or accidental, is a serious concern for every medical professional and adds stress to an already overworked staff. HIPAA compliant secure email addresses both problems, which makes it a strong option for healthcare professionals, especially nurses.

What is HIPAA?

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation that protects the rights and privacy of patients. The U.S. Department of Health and Human Services’ Office for Civil Rights regulates and enforces the act. HIPAA consists of five sections (or titles), with Title II being the most referenced.

Title II sets the policies and procedures for safeguarding PHI, whether in paper or electronic (ePHI) form. The rules issued under it, and the later legislation that built on it, include:

  • Privacy Rule (compliance date 2003): sets who may use and disclose PHI, for what purposes, and the patient rights that go with it
  • Security Rule (compliance date 2005): sets the administrative, physical and technical safeguards required to protect ePHI
  • Enforcement Rule (2006): sets the procedures for investigating complaints and penalizing non-compliant organizations
  • HITECH Act (2009): a separate statute that promotes the adoption and meaningful use of health IT, extends the Security Rule’s obligations directly to business associates, raises civil penalties and mandates breach notification
  • Breach Notification Rule (2009): sets the procedures and deadlines for reporting breaches of unsecured PHI
  • Omnibus Final Rule (2013): implements the HITECH changes in the HIPAA rules and further strengthens privacy protections

These rules and amendments strengthen and further elucidate the building blocks necessary for patient privacy and security. And, of course, patient care.

Learn about: Patient engagement and HIPAA compliance: What you need to know

What nurses need to know about HIPAA

Like all medical practitioners, nurses must follow HIPAA guidelines to protect a patient’s privacy. And nurses are privy to PHI for numerous patients at any given time. Nurses constantly look after multiple records and patients when working in a small clinic or a large hospital.

See also: The role of nurses in HIPAA compliance, healthcare security

Nurses are at the forefront of handling, managing and disclosing PHI:

  • During treatment
  • To facilitate payment
  • When authorized by a patient
  • For disaster notification or national security
  • For law enforcement, in some instances

Such disclosure could be to patients, their family members or other medical providers. It may also be for general HIPAA compliant documentation. And because of this, nurses must understand and follow HIPAA regulations.

HIPAA compliant email

HIPAA compliant email must meet the HIPAA requirements for the safe communication of PHI electronically. Sending and receiving an email with PHI is not a HIPAA violation if essential safeguards are correctly set.

Related: Why healthcare providers should use HIPAA compliant email

The Security Rule groups safeguards into three categories: administrative, physical and technical. For email this means written policies, training and sanctions (administrative); controls over the workstations and devices on which mail is read (physical); and unique logins, access controls, audit logs and encryption (technical). The aim is to restrict who can see PHI, record who did, and preserve the integrity and accountability of every message.

One critical aspect of email security is encryption. The Security Rule labels encryption an “addressable” implementation specification: a covered entity must implement it where it “is a reasonable and appropriate safeguard,” and otherwise document why it is not and put an equivalent alternative in place. For email that leaves the organization there is no generally accepted equivalent alternative, so in practice healthcare organizations must encrypt PHI both at rest (in storage) and in motion (in transit).
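
As an added check, not code from the original post or from Paubox: the script below, assuming a raw message captured from a mail server, walks the Received header chain and reports every hop that was not delivered over TLS (the SMTP protocol token after “with” is ESMTPS, ESMTPSA or a similar TLS variant per RFC 3848, or the header carries a TLS version string). The sample message, host names and addresses are constructed. On real mail, a cleartext hop inside your own network may be acceptable policy; one across the Internet is not.

```python
import email
import re
from email import policy

# Constructed sample message (not from the page): two Received hops. The outer
# hop was delivered with ESMTPS (TLS); the inner hop, from a clinic workstation
# to the clinic's own MX, used plain ESMTP. Received headers are prepended, so
# the first one listed is the most recent hop.
RAW_MESSAGE = b"""Received: from mx2.example-clinic.test (mx2.example-clinic.test [192.0.2.20])
\tby mail.example-patient.test with ESMTPS id abc123
\t(version=TLS1.3 cipher=TLS_AES_256_GCM_SHA384);
\tMon, 3 Oct 2022 10:15:02 +0000
Received: from workstation-7.example-clinic.test (workstation-7 [10.0.0.7])
\tby mx2.example-clinic.test with ESMTP id def456;
\tMon, 3 Oct 2022 10:15:01 +0000
From: Dr. Example <doctor@example-clinic.test>
To: patient@example-patient.test
Subject: Completed DMV form
Content-Type: text/plain

Attached is the completed form.
"""

# SMTP "with" protocol tokens that imply a TLS-protected session (RFC 3848).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}


def received_hops(raw: bytes) -> list:
    """Parse each Received header into from/by/protocol and whether TLS was used."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(str(value).split())  # collapse folded whitespace
        m_from = re.search(r"\bfrom\s+(\S+)", value)
        m_by = re.search(r"\bby\s+(\S+)", value)
        m_with = re.search(r"\bwith\s+([A-Za-z0-9]+)", value)
        proto = m_with.group(1).upper() if m_with else ""
        hops.append({
            "from": m_from.group(1) if m_from else "",
            "by": m_by.group(1) if m_by else "",
            "protocol": proto,
            "tls": proto in TLS_PROTOCOLS or "version=TLS" in value,
        })
    return hops


def cleartext_hops(raw: bytes) -> list:
    """Hops where the transcript shows no TLS; these need a policy decision."""
    return [h for h in received_hops(raw) if not h["tls"]]


if __name__ == "__main__":
    for hop in received_hops(RAW_MESSAGE):
        status = "TLS" if hop["tls"] else "CLEARTEXT"
        print(f"{status:9} {hop['from']} -> {hop['by']} ({hop['protocol']})")
```

Run against the sample it reports the Internet-facing hop as TLS and the internal workstation-to-MX hop as cleartext. The same function over your own mail logs shows quickly which peers still accept or send PHI without STARTTLS.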

What are common ways to violate HIPAA with email?

A HIPAA violation occurs when a healthcare professional fails to properly safeguard PHI, whether through negligence or by accident. HIPAA rules exist not only to prevent such violations but also to hold non-compliant healthcare practitioners and organizations liable.

See also: Preventing security breaches in healthcare

How could a nurse violate HIPAA with email?

Regarding email, there are several ways to violate HIPAA accidentally. A nurse may include PHI in an email to someone who has no treatment, payment or operations reason to receive it, or send it without the patient authorization the disclosure requires. Or a nurse may be drafting an email at their station, be called away by an emergency, and leave a message containing PHI open on the screen. PHI left visible to people who are not authorized to see it is an impermissible disclosure, and depending on who could have read it, it may also be a breach that must be reported.

There are also intentional violations, such as curiosity-driven disclosure: for example, passing on the news that a well-known person is receiving care when that has nothing to do with the person’s treatment.

Learn more: Potential coronavirus-related HIPAA violations

Of course, the disclosure could be purposeful and sometimes even harmful.

Finally, there are breaches that stem from an organization not using strong email security, which is how many cyberattacks begin. In each of these cases HIPAA compliant email lowers the risk, although it does not replace training and access controls.

Do all nurses need to use HIPAA compliant email?

Nurses always need to use a HIPAA compliant email solution when sending PHI.

The vast majority of nurses need a secure solution that is easy to use and does not add to their workload. For example, easily sending secure emails containing appointment reminders, treatment information, diagnosis or prescriptions can help create an efficient and smooth workflow.

Learn about: Permitted use and disclosure of protected health information (PHI) under HIPAA

And something that cannot be forgotten: nursing and healthcare are stressful and tiring. When a shift is long and hard, it is easy to overlook the security steps that prevent a breach. With a provider like Paubox that encrypts every outgoing message, the decision to encrypt no longer rests on a tired individual remembering to do it.

6 HIPAA compliant email use best practices for nurses

  1. Have a fundamental understanding of HIPAA and PHI.
  2. Go through employee HIPAA awareness training.
  3. Learn to exercise caution when accessing information from multiple devices, including mobile.
  4. Never share passwords or login credentials.
  5. Pause before sending an email and ask, “Does the recipient need this information to do their job? What is the minimum amount I can send to help a patient?”
  6. Use a secure email provider for HIPAA compliance, like Paubox, for all email communication.

Read more: Why cybersecurity education is key to protecting your medical practice

How can Paubox HIPAA compliant email help nurses care for patients?

Paubox Email Suite takes healthcare emails seriously by providing nurses with an easy way to communicate securely with patients. 

Our HITRUST-CSF certified solution is effortless and lets nurses focus on caring for patients without adding to the stress of digital communication barriers and HIPAA compliance regulations.

No additional passwords or portals are necessary, and there is no need to change your existing platform.

Related: Top 7 things you didn’t know about Paubox Email Suite

Paubox Email Suite enables HIPAA compliant email by default and encrypts every outbound message automatically. Our Plus and Premium plans also come with proactive inbound tools such as Zero Trust Email and ExecProtect.

There is no reason to hesitate. Let Paubox do the heavy lifting when it comes to HIPAA compliance and emailing your patients so you can focus on the important job of nursing. 

OCR’s Notice of Proposed Rulemaking

Wondering about the status of OCR’s Notice of Proposed Rulemaking? OCR announced the proposed rulemaking in December 2020. Although the proposal was not technically subject to the “regulatory freeze” by the Biden administration, it was effectively delayed because OCR extended the public comment period until May 2021.

OCR’s NPRM to modify HIPAA

On January 21, 2021, OCR published a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to support individuals’ engagement in their healthcare, remove barriers to coordinated care, and decrease regulatory burdens on the healthcare industry, while continuing to protect individuals’ health information privacy interests.

OCR developed many of the proposals in the NPRM in response to public comments received in response to its 2018 Request for Information (RFI) on Modifying the HIPAA Rules to Improve Coordinated Care.

Read more: Understanding and implementing HIPAA rules

The NPRM proposes to:

  • Strengthen individuals’ rights to access their own health information, including electronic information.
  • Improve information sharing for care coordination and case management for individuals.
  • Facilitate family and caregiver involvement in the care of individuals experiencing emergencies or health crises.
  • Enhance flexibilities for disclosures in emergency or threatening circumstances, such as the opioid and COVID-19 public health emergencies.
  • Reduce administrative burdens on HIPAA covered healthcare providers and health plans.

The estimated total cost saving from this proposed regulatory reform is $3.2 billion over five years.

Read more: HIPAA Compliant Email: The Definitive Guide [2023 update]

Wondering about the status of OCR’s Notice of Proposed Rulemaking?

On January 21, 2021, the NPRM for the proposed HIPAA privacy rule changes was published in the Federal Register. The deadline for submitting comments on the 357-page proposal was March 22, 2021. Almost everyone interacting with healthcare systems will be affected by the proposed changes to the HIPAA Privacy Rule. In light of the potential impact of the proposed HIPAA changes, the deadline for submitting comments was extended to May 6, 2021. OCR has not yet provided a date for when the Final Rule will be issued, but it is likely to result in HIPAA changes in 2023, although they may not become enforceable until 2024.

Read more: OCR shares guidance on preventing common cyberattacks

The largest medical cyberattack in U.S. history?

The largest medical cyberattack in U.S. history may have occurred last week. CommonSpirit Health is suffering at the hands of a not-yet-identified ransomware group. The number of medical records affected could be as high as 20 million.

Read on to learn more, including why healthcare is under attack and the steps to take if your medical record is leaked.

CommonSpirit Health is the nation’s fourth-largest hospital system with 142 hospitals in 21 states.

CommonSpirit Health’s Statement

Over the course of this past week, we have been managing a response to a cyberattack that has impacted some of our facilities. Patients continue to receive the highest quality of care, and we are providing relevant updates on the ongoing situation to our patients, employees and caregivers. Patient care remains our utmost priority and we apologize for any inconvenience this matter has created. 

As previously shared, upon discovering the ransomware attack, we took immediate steps to protect our systems, contain the incident, begin an investigation and ensure continuity of care. 

Our facilities are following existing protocols for system outages, which include taking certain systems offline, such as electronic health records. 

In addition, we are taking steps to mitigate the disruption and maintain continuity of care. 

To further assist and support our team in the investigation and response process, we engaged leading cybersecurity specialists and notified law enforcement. 

We continue to conduct a thorough forensics investigation and review of our systems and will also seek to determine if there are any data impacts as part of that process.  

Systems serving Dignity Health and Virginia Mason Medical Center have had minimal impacts on operations by this incident. For the other parts of our health system that have seen impacts on operations, we are working diligently every day to bring systems online and restore full functionality as quickly and safely as possible.  

Central to our decision-making has been and will continue to be our ability to carry out our mission in a manner that is safe and effective to those we serve. At CommonSpirit Health, we are dedicated to meeting the needs of the communities we serve and are guided by our core set of values, which include integrity, excellence, and collaboration. We are grateful to our staff and physicians who are doing everything possible to mitigate the impact to our patients and ensure continuity of care.

The CommonSpirit ransomware attack impact area

Subsidiaries of CommonSpirit affected by the attack include CHI Health facilities in Nebraska and Tennessee, MercyOne Des Moines Medical Center, Houston-based St. Luke’s Health and Michigan-based Trinity Health System. As stated above, Dignity Health and Virginia Mason Medical Center have seen minimal operational impact from the incident.

5 reasons why healthcare is a target for ransomware

Healthcare organizations are attacked more often than most other industries. The reasons ransomware crews and other threat actors, including some state-backed groups, go after covered entities such as healthcare providers, pharmaceutical companies and medical research organizations likely include the following:

  1. Medical records are valuable on the black market and reportedly fetch up to $1,000 per record.
  2. Healthcare may be more likely to pay ransoms to get data back because lives hang in the balance.
  3. The attack surface is excessive and often left vulnerable.
  4. Untrained or overworked staff are prone to make errors.
  5. Lax security: A healthcare organization may view cybersecurity as an expense, despite the fact that that expense is small compared to what the organization could lose in the event of a data breach.

Read more: Why is healthcare a juicy target for cybercrime?

How do ransomware attacks happen?

Phishing email is the most common delivery method. The message carries either a malicious attachment or a link to one, dressed up as something the recipient expects: an invoice, a fax notification, a shared document. Opening the file or following the link runs the malware, which is often just a small loader that then fetches the ransomware itself.

Once inside, the malware typically spreads to other reachable systems and copies data out before it starts encrypting files. The encrypted files are usually renamed with a new extension, but it is the encryption, not the renaming, that makes them unreadable: without the key, which only the attacker holds, they cannot be recovered. Finally, a ransom note is displayed explaining that the files are inaccessible and can only be unlocked by paying the attackers.
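
As an added illustration of the delivery step described above, not code from the original post: the Python below builds a constructed phishing-style message with three attachments and triages them the way an inbound mail filter would, checking each declared extension against the file’s leading bytes so that a renamed executable is caught whatever it is called. The sender, recipient and file names are hypothetical, and the executable stub is only a DOS header, not a program.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions that run code when opened, plus macro-enabled Office types.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "ps1", "lnk", "jar", "msi"}
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
# Leading bytes that identify a file regardless of its name.
MAGIC = [(b"MZ", "pe-executable"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip-container")]


def sniff(data: bytes) -> str:
    """Identify content by magic bytes; 'unknown' when nothing matches."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return "unknown"


def assess_attachment(filename: str, data: bytes) -> list:
    """Return findings for one attachment; an empty list means nothing suspicious."""
    exts = filename.lower().split(".")[1:]
    final = exts[-1] if exts else ""
    kind = sniff(data)
    findings = []
    if final in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{final}")
        if len(exts) >= 2:
            findings.append(f"double extension {'.'.join(exts)} disguises an executable")
    if final in MACRO_EXTS:
        findings.append("macro-enabled Office document")
    if kind == "pe-executable" and final not in EXECUTABLE_EXTS:
        findings.append(f"content is a Windows executable but the name claims .{final}")
    if final == "pdf" and kind != "pdf":
        findings.append("declared PDF does not start with %PDF")
    return findings


def triage_message(raw: bytes) -> dict:
    """Map each attachment filename in a raw RFC 5322 message to its findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        report[name] = assess_attachment(name, data)
    return report


def build_sample() -> bytes:
    """Constructed phishing-style message: one clean PDF, two disguised executables."""
    msg = EmailMessage()
    msg["From"] = "billing@example-vendor.test"
    msg["To"] = "nurse@example-clinic.test"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please review the attached invoice.")
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60  # DOS header bytes only, not a real program
    msg.add_attachment(b"%PDF-1.4\n% harmless stub\n", maintype="application",
                       subtype="pdf", filename="invoice-2022.pdf")
    msg.add_attachment(pe_stub, maintype="application", subtype="octet-stream",
                       filename="invoice-2022.pdf.exe")
    msg.add_attachment(pe_stub, maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="referral.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in triage_message(build_sample()).items():
        print(name, "->", findings or ["ok"])
```

The content check matters more than the extension list: the third attachment is named like a Word document and sent with a Word MIME type, and only the MZ header gives it away. A production filter would add archive unpacking and a proper type library, but the decision logic is the same.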

Read more: What is ransomware and how to protect against it?

Are foreign governments targeting the U.S. healthcare system?

Anne Neuberger, U.S. Deputy National Security Advisor, stressed the growing threat of foreign cyberattacks, citing U.S. government reports that identify specific “preparatory activity” targeting U.S. companies and critical infrastructure.

Further, the U.S. Department of Justice has charged a North Korean regime-backed programmer with conspiracy in connection with, among other operations, the destructive global WannaCry 2.0 ransomware attack.

“Security needs to be top of mind for every company. Email security is the number one cause of breaches,” Paubox customer Eli Golden, Director of IT at The Jellyvision Lab, explains. “Attackers are getting smarter, and while we train our staff thoroughly with simulated attacks and live sessions, it’s best to have as much protection as possible.”

Read more: The White House warns against possible Russian cyberattacks

Healthcare executives rank ransomware as the #1 threat

A recent survey of 132 healthcare executives found that ransomware was the number one cybersecurity threat – more than data breaches or insider threats – according to the Health Information Sharing and Analysis Center, a nonprofit global cyberthreat forum for the healthcare industry.

Read more: The risks are too high for healthcare leaders not to understand Zero Trust

Take these 7 steps if your medical record is breached

  • File a police report
  • File a report with the FTC
  • Inform your insurer
  • Get copies of your medical record
  • Notify the three credit bureaus
  • Ask for corrections
  • Use strong passwords and 2FA or MFA on your accounts

Source: IDStrong

Are you in healthcare and concerned about digital security?

Paubox technology is HITRUST-CSF certified, patented and provides the most advanced HIPAA compliant email solutions available. Paubox solutions are effortlessly easy to implement and use.

In fact, Paubox is securing nearly 70 million HIPAA compliant emails each month for more than 4,000 healthcare customers and has a 4.9/5 G2 rating.

Whether you are a large hospital or a standalone clinic, Paubox has the right email product to keep your data and organization HIPAA compliant and secure.

OCR struggles to keep up with rising ransomware cases

According to a recent update from Politico, the Department of Health and Human Services’ Office for Civil Rights (OCR) is facing an overflowing caseload of ransomware incidents and other healthcare cybersecurity threats.

Melanie Fontes Rainer, OCR acting director, states that investigators are “under incredible resource constraints and incredibly overworked.”

Keep reading to learn more about OCR’s challenges and proposed next steps. Plus, find out how HIPAA compliant email can help covered entities stay one step ahead.

Read more

Why the OCR budget matters to healthcare

The black market values protected health information (PHI) more than other types of personal information. That’s why cyberattacks are common in the healthcare industry.

Ransomware strikes these organizations especially hard since disruptions in care can put patients’ lives in danger. Therefore, they are more likely to comply with ransom demands.

As this threat grows, the OCR cannot provide the support needed to assist healthcare organizations. This is primarily due to inadequate funding and resources provided by Congress.

Because the OCR has a limited budget, it has a smaller investigation team than many local police departments. Consequently, investigators must handle more than 100 cases simultaneously.

Possible solutions on the horizon

In order to address this concern, the Biden administration has requested a 60 percent budget increase in 2023. As a result, the OCR would be able to hire 37 new investigators.

In addition to balancing the agency’s workload, additional resources will give the agency more opportunities to provide guidance.

Additionally, OCR officials believe implementing higher fines will boost enforcement and encourage healthcare organizations to comply with HIPAA requirements.

Healthcare cybersecurity advocates point to other solutions to reduce risks. Investing in better defense systems and workforce development is part of this strategy.

AHA’s national adviser for cybersecurity and risk, John Riggi, has called for federal support to train staff to improve security. And Intermountain Healthcare’s chief information security officer urges the Centers for Medicare & Medicaid Services to develop payment models that directly fund cybersecurity programs.

Secured email is secured healthcare

Covered entities can greatly reduce their exposure to ransomware and other security threats by putting the right protections in place from the start. With email serving as a leading threat vector for cybercrime, a stronger email security strategy is a must. That’s where a HIPAA compliant email provider comes in.

Designed to integrate with your existing email platform, Paubox Email Suite enables HIPAA compliant email by default to ensure automatic compliance with HIPAA email rules.

This means you don’t have to spend time deciding which emails to encrypt and your patients are able to receive your messages right in their inbox—no additional passwords or portals necessary. 

In addition to healthcare email encryption, Paubox Email Suite’s Plus and Premium plan levels include robust inbound email security tools that block ransomware and other attacks from even reaching the inbox in the first place.

Our patent-pending Zero Trust Email feature uses email AI to confirm that an email is legitimate. Additionally, our patented ExecProtect solution quickly intercepts display name spoofing attempts.
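
Display-name spoofing is the impersonation ExecProtect is described as intercepting. As an added example, not Paubox’s code and not a description of how their product works internally, here is the core check a mail filter can apply: normalise the display name (accents, case, punctuation, titles, “Last, First” ordering), compare it with a list of protected people, and alert when the match arrives from an outside address or when an internal address has been written into the display name itself. The protected names, internal domain and sample headers are hypothetical.

```python
import re
import unicodedata
from email.utils import parseaddr

# Constructed policy data (hypothetical organisation; not from the page).
INTERNAL_DOMAINS = {"example-clinic.test"}
PROTECTED_NAMES = ["Jane Doe", "Sam Patel"]  # executives and clinicians worth protecting
TITLE_TOKENS = {"dr", "md", "do", "rn", "np", "ceo", "cfo", "cio", "ciso", "mr", "ms", "mrs"}


def name_tokens(display: str) -> frozenset:
    """Normalise a display name: strip accents, case, punctuation and titles; ignore order."""
    ascii_name = unicodedata.normalize("NFKD", display).encode("ascii", "ignore").decode()
    words = re.sub(r"[^a-z ]", " ", ascii_name.lower()).split()
    return frozenset(w for w in words if w not in TITLE_TOKENS)


PROTECTED_TOKENS = {name: name_tokens(name) for name in PROTECTED_NAMES}
ADDRESS_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def check_from(from_header: str) -> dict:
    """Decide whether a From header impersonates a protected person from an outside address."""
    display, addr = parseaddr(from_header)
    internal = addr.rpartition("@")[2].lower() in INTERNAL_DOMAINS
    result = {"address": addr, "internal": internal, "spoof": False, "reason": ""}
    if internal:
        # Own-domain senders are left to SPF/DKIM/DMARC, which catch forged envelopes.
        return result
    # Trick 1: an internal address typed into the display name so it shows in the client.
    m = ADDRESS_IN_NAME.search(display)
    if m and m.group(1).lower() in INTERNAL_DOMAINS:
        result.update(spoof=True, reason=f"display name carries internal address {m.group(0)}")
        return result
    # Trick 2: a protected person's name on a throwaway external address.
    tokens = name_tokens(display)
    for name, protected in PROTECTED_TOKENS.items():
        if tokens == protected:
            result.update(spoof=True,
                          reason=f"display name matches protected name {name!r} on external address")
            return result
    return result


if __name__ == "__main__":
    for hdr in ['"Jane Doe" <jane.doe@example-clinic.test>',
                '"Dr. Jane Doe" <janedoe.ceo@gmail.com>',
                '"Doe, Jane" <j.doe@outlook.com>',
                '"jane.doe@example-clinic.test" <x@mail.test>',
                '"Jane Doers" <jd@vendor.test>']:
        print(hdr, "->", check_from(hdr))
```

Exact token-set matching is deliberate: fuzzy matching against a long staff list produces false positives on common names, so the list should be short (people whose name would move money or PHI) and the lookalike handling kept to normalisation rather than edit distance.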

Not having email DLP leads to 90,000 patient records breached

In April 2015, the New York City Health & Hospitals Corporation’s (HHC) Jacobi Medical Center reported 90,060 patient records were breached when an employee emailed the records to her personal email account. In addition, she also cc’d her new employer. The email was sent shortly before the employee left HHC Jacobi Medical Center to work for another healthcare provider.
Email DLP can curb automatic email forwarding rules

Earlier this year, Health Department officials in Multnomah County, Oregon discovered an employee set up an automatic mail forwarder that resulted in a HIPAA violation. The employee in question configured their work email account to automatically forward all email to a personal Gmail account.

As we’ve previously covered, a personal Gmail account and HIPAA compliance don’t mix. In a nutshell, Google is willing to sign a Business Associate Agreement (BAA) for some of its paid Workspace services, but not for all of its products, and consumer Gmail is not covered.
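
The two incidents above, records emailed to a personal account with a new employer copied in, and a mailbox rule that forwards everything to Gmail, are exactly what email DLP is meant to catch. As an added example, not code from the original posts or from any mail platform, the script below scans a constructed export of inbox rules for forwarding to external or consumer-webmail addresses and flags outbound messages that carry bulk-looking attachments to external recipients or look like self-sends to a personal account. The mailboxes, domains and rule fields are hypothetical; a real export (from Exchange, Google Workspace or a gateway log) would have to be mapped onto them.

```python
import re

# Constructed policy data and samples (hypothetical organisation; not a real tenant export).
INTERNAL_DOMAINS = {"example-health.test"}
CONSUMER_WEBMAIL = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com", "live.com",
                    "yahoo.com", "icloud.com", "aol.com", "protonmail.com", "proton.me"}
FORWARD_ACTIONS = ("forward_to", "forward_as_attachment_to", "redirect_to")
BULK_EXTS = {"csv", "xls", "xlsx", "zip", "mdb", "accdb", "sql"}
BULK_WORDS = ("roster", "export", "records", "patients", "list")

SAMPLE_RULES = [
    {"mailbox": "a.nurse@example-health.test", "name": "Archive newsletters",
     "conditions": {"from_contains": "newsletter"}, "actions": {"move_to_folder": "Newsletters"}},
    {"mailbox": "b.clerk@example-health.test", "name": "fwd",
     "conditions": {}, "actions": {"forward_to": ["b.clerk.home@gmail.com"]}},
    {"mailbox": "c.doctor@example-health.test", "name": "Triage copy",
     "conditions": {}, "actions": {"redirect_to": ["triage@example-health.test"]}},
    {"mailbox": "d.admin@example-health.test", "name": "Lab results",
     "conditions": {"subject_contains": "lab"},
     "actions": {"forward_as_attachment_to": ["d.admin@partner-lab.test"]}},
]

SAMPLE_OUTBOUND = [
    {"from": "e.registrar@example-health.test",
     "to": ["e.registrar@gmail.com", "hr@new-employer.test"], "attachments": ["patient_roster.xlsx"]},
    {"from": "f.nurse@example-health.test",
     "to": ["patient@example-patient.test"], "attachments": ["appointment.ics"]},
    {"from": "g.billing@example-health.test",
     "to": ["claims@example-health.test"], "attachments": ["claims_batch.csv"]},
]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def classify(addr: str) -> str:
    """'internal', 'consumer-webmail' or 'external'."""
    d = domain_of(addr)
    if d in INTERNAL_DOMAINS:
        return "internal"
    return "consumer-webmail" if d in CONSUMER_WEBMAIL else "external"


def risky_forwarding_rules(rules: list) -> list:
    """Flag rules that forward or redirect mail outside the organisation."""
    findings = []
    for rule in rules:
        for action, targets in rule["actions"].items():
            if action not in FORWARD_ACTIONS:
                continue
            for target in targets:
                kind = classify(target)
                if kind == "internal":
                    continue
                # Consumer webmail, or an unconditional "forward everything" rule, is the worst case.
                high = kind == "consumer-webmail" or not rule["conditions"]
                findings.append({"mailbox": rule["mailbox"], "rule": rule["name"], "action": action,
                                 "target": target, "severity": "high" if high else "medium"})
    return findings


def local_tokens(addr: str) -> set:
    """Name-like pieces of the local part, e.g. 'e.registrar' -> {'registrar'}."""
    return {t for t in re.split(r"[._+-]", addr.partition("@")[0].lower()) if len(t) >= 3}


def looks_bulk(filename: str) -> bool:
    name = filename.lower()
    return name.rsplit(".", 1)[-1] in BULK_EXTS or any(w in name for w in BULK_WORDS)


def flag_outbound(events: list) -> list:
    """Flag outbound mail with bulk-looking attachments to outsiders, or apparent self-sends."""
    findings = []
    for ev in events:
        bulk = [a for a in ev["attachments"] if looks_bulk(a)]
        for rcpt in ev["to"]:
            kind = classify(rcpt)
            if kind == "internal":
                continue
            reasons = []
            if bulk:
                reasons.append(f"bulk-looking attachment(s) {bulk} to {kind} address")
            if kind == "consumer-webmail" and local_tokens(ev["from"]) & local_tokens(rcpt):
                reasons.append("recipient resembles the sender's own name (likely self-send)")
            if reasons:
                findings.append({"from": ev["from"], "to": rcpt, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in risky_forwarding_rules(SAMPLE_RULES) + flag_outbound(SAMPLE_OUTBOUND):
        print(f)
```

The rule scan is the cheap, high-value half: it can run daily against a directory export and would have surfaced the Multnomah County forwarder on day one. The outbound check is a heuristic for review rather than automatic blocking, which is why an encrypted appointment file sent to a single patient is not flagged while a spreadsheet sent to the sender’s own Gmail address is.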
Lack of email DLP causes HIPAA violation in California

In 2015, Hillsides issued a press release alerting the public it became aware of a HIPAA violation caused by one of its employees.

The employee in question had been using their work email to send protected health information to their personal email address.

On at least five occasions between October 2014 and October 2015, the employee sent unencrypted email attachments to their personal email account containing: