46. John Benbrook: "In order to safeguard that sensitive information, we needed to implement encryption."

Episode 46 of the HIPAA Critical podcast features John Benbrook, president of Oasis Senior Partners , and Paul Giovacchini, enterprise customer success manager at Paubox as they discuss HIPAA compliance training and data encryption with Sierra Langston. 

Rather read?

Sierra Langston: Hey, John, and Paul! Thanks for joining me today. I'm very happy to have you both on. 

John, can you provide some background on Oasis Senior Advisors? Who you guys are? Where you're located and who you all serve? That would be great. 

John Benbrook: Sure, happy to! Oasis Senior Advisors is a national franchise system of certified senior advisors. We work with seniors and their families in supporting the needs of those seniors when it's really too difficult or too dangerous for them to live independently. 

We're a free service to families; assisting them while they're really investigating their care needs, and we provide those options for them. It's a great mission. It's an incredibly rewarding business. 

For our franchisees, I was actually an advisor outside in the Philadelphia area before joining our corporate team in Bonita Springs, Florida. I'm incredibly excited about our momentum. 2020 was challenging for everybody if you haven't paid attention. But we had an incredibly solid year, it spoke to our focus, our creativity, and our dedication to really working with our families. 

I'm super excited about the momentum we built and what we're taking into 2021. I'm the president of the business. 

Sierra: Paul, do you mind providing some background on yourself in your current role at Paubox?

Paul: Definitely. I'm currently an enterprise customer success manager at Paubox, coming up on my one year. I work with our partners to make sure that they're sending secure PHI to practices, to their patients, all through electronic email and also making sure that every PHI is encrypted and secure with our customers.

Sierra: Okay, great. Thank you both. John, how often does your organization perform risk assessments?

John: Our security assessments are conducted annually. It's really to confirm compliance with the security standards and specifications as outlined in our corporate HIPAA compliance policy and procedures. The main reason we're doing it is to determine if the controls that we have in place are effective, certainly, to reduce the risk and vulnerabilities and really ensure that we're staying within the HIPAA compliant regulation, policy, and directives.

Sierra: How did you determine that your organization needed to become HIPAA compliant?

John: Well, we’re pretty tight on our security. As we got more and more information to handle for our clients, we wanted to make sure we were secure. We engaged a third-party compliance company, and they did a pretty good audit on us. They gave us some great recommendations which we've implemented.

Sierra: Paul, this question is for you. What is the importance of a business associate agreement? BAA for short. 

Paul: Just as you said, a BAA is a business associate agreement. 

First off, it's a contract that is between a covered entity, so like Oasis, think health plans, healthcare providers, and a business associate, which that is a third party vendor, something like Paubox. What it does is it specifies what each party’s responsibility is when it comes to handling PHI. A BAA is a HIPAA requirement, and it conveniently comes with every Paubox license.

Sierra: Great information there. John, back to you. How do you train your team on HIPAA compliance since that is such a specialty of yours?

John: We've really doubled down on this and all of our new employees must complete HIPAA compliance training within 30 business days of their hire. 

Additionally, all corporate team members participate in quarterly trainings in varying HIPAA topics. That training is led by our compliance officer. Training ranges from online to self-guided to live and virtually lead. 

Our franchisees are also trained on the handling so it's not just our corporate office, it's how are they handling PHI, EPA, and HIPAA compliance. It's part of our training cycle, and it's included in our operations manual. We really take it seriously.

Sierra: We actually have HIPAA compliance training as well, per our HITRUST certification. And your next question is for you; identifying vulnerabilities is a requirement of the HIPAA Security Rule. How often does your team perform vulnerability scans?

John: I'd say on average, on an annual basis unless we identify a reason to conduct assessments sooner. For example, a reported or suspected breach email came in and our team jumped all over it. We took the necessary steps to make sure that we corrected that as soon as possible.

Sierra: If you don't mind me asking, What did that breach entail?

John: Somebody hacked into my email and was looking for information, they had sent a very specific, very well-written, very believable email to all my contacts, both professionally and personally. So I got double hacked. I don't know how that happened. It looked like I was sending out an RFP, and I'm sure that that was riddled with peril. 

So, we communicated effectively out to everybody that we thought would have been reached. We've since taken corrective measures to make sure that doesn't happen again.

Sierra: I'm sorry, that happened. For use cases [it’s important for] people [to] know what's out there, and what these phishing emails look like. I think that's really helpful for both myself and our listeners. 

John, the majority of PHI breaches result from unencrypted data and the transmission of an unsecured PHI over open networks. What spurred your organization's need for secure HIPAA compliant email?

John: Well, we have a proprietary system, and communications sent through that software system contain sensitive data, as I indicated earlier, and personal health information of our clients that our franchises serve. We have to pay attention to that very seriously and make sure that we're doing everything we can to protect it. 

In order to safeguard that [sensitive] information, we needed to implement encryption. That holds true for our direct corporate communication, the non-Oasis email. Things that are communicating back and forth, via email, and between our franchisees, lead sources, and our communities as it relates to their clients. We’re communicating across the board. We're encrypting that information.

Sierra: Okay, great. Paul, do you have any thoughts on this?

Paul: That's a phenomenal start, John.

That is the first step in preventing a corrective action plan. We always take the idea of “defense is the best offense.” So, when you are doing the proactive work of encrypting and sending PHI encrypted to prevent any type of HIPAA breach. That's the best policy forward for that, to prevent a cap. 

Another thing you could do is always test and retest the system. You mentioned that you've been hacked, so find any gaps in the security that you have. The whole entire goal is we don't want to get into a corrective action plan. We want to have that plan in place and avoid any type of HIPAA violation.

Sierra: John, I know you plan on using our email API for franchise referrals. Can you dive into why you plan on using an email API?

John: In the first quarter of this year now that we're in 2021, we're implementing an online referral form for anybody that wants to refer a family to us. So an elder care attorney, or hospital, anybody that's touching a family that they think we can help serve through our services, we're providing that through an online referral form. 

It's a way for them to effectively and confidently be able to refer those people to us. It's critical to us that our valued partners’ information submitted through that form, and be transmitted safely in the encrypted API from Paubox. [That] is going to be a key component to that security. 

Sierra: Yeah, that's an absolutely great use for an email API. So thanks for explaining that. 

Paul: John, we're really excited to work with you on that as well. When I first started the project, I thought it was really interesting and I’m excited to see how it goes out. 

We also have a lot of other uses with our API. Especially with a vaccine, testing, everything that’s coming out. A lot of our customers are using the API to send test results to all the people that they are testing, securely encrypted, hopefully with a negative result to those people. As the vaccines roll out, as well, we're seeing a lot of API use. 

It's incredibly easy to use, as John and the team have experienced. We look forward to how this project comes out with you guys.

John: And it's awesome. We're excited as well. It's just further helping us. It's so important when we're communicating to our referral partners, our assisted living communities, and most importantly our families that [we take] the steps to secure that information.