Modern Therapist’s Consumer Guide: Paubox. HIPAA Compliant Email, Secure Communication, and Practice Privacy. An Interview with Hoala Greevy, Founder and CEO of Paubox
Most therapists know they are supposed to use HIPAA compliant email, but few of us could explain what is actually happening on the back end, where the gaps in our existing tools live, or why so many of our clients never bother to open the secure portal links we send them. Email is one of the most ordinary tools in a private practice, and one of the easiest places for a quiet compliance problem to develop.
Curt and Katie talk with Hoala Greevy, Founder and CEO of Paubox, about HIPAA compliant email, the limits of the BAAs therapists already have with Google and Microsoft, how end to end secure delivery actually works in practice, and how to evaluate an email vendor as a clinician. Paubox is a HIPAA compliant email security company built to deliver encrypted messages straight to the recipient’s inbox, without portals, plugins, or extra clicks. This episode is part of our Modern Therapist’s Consumer Guide series.
Transcripts and more information for this episode will be available at mtsgpodcast.com!
(Show notes provided in collaboration with Otter.ai and Claude AI.)
Interview with Hoala Greevy, Founder and CEO of Paubox
About Our Guest: Hoala Greevy
Hoala Greevy is the Founder and CEO of Paubox, a leading provider of HIPAA compliant email solutions for healthcare organizations. Born and raised in Honolulu, Greevy drew on his computer science background and Silicon Valley experience to build Paubox after returning to Hawai’i, inspired by a meeting with the CEO of the Make-A-Wish Foundation that revealed a critical need for secure healthcare communication. Beyond Paubox, Greevy is passionate about supporting Native Hawaiian students in the tech industry through the Paubox Kahikina Scholarship and giving back to the community that shaped him.
In this Podcast Episode: HIPAA Compliant Email, Secure Delivery, and Practice Privacy with Paubox
Hoala walks us through how Paubox was built to close a specific gap most therapists do not realize exists: the gray area in standard Google Workspace and Microsoft 365 Business Associate Agreements around outbound email containing protected health information. He explains how Paubox wraps around the email systems therapists already use, what HIPAA compliant email actually requires, why most secure-portal solutions fail at the inbox, and how clinicians can think about email security alongside ease of use and ongoing AI-related threats. Hoala also shares how community service is built into the Paubox Foundations through the Paubox Kahikina Scholarship, a recurring scholarship program named after his grandmother that supports Native Hawaiian students entering careers in STEM and technology.
Key Takeaways for Therapists: HIPAA Compliant Email, BAAs, and Secure Practice Communication
“We provide comprehensive email encryption, where every email from a sender’s domain is encrypted by default. There’s no keywords to trigger, there’s no app to install. All email, all devices, every user, encrypted by default in transit as it travels across the internet.”
— Hoala Greevy, Founder and CEO of Paubox
- Standard BAAs leave a gray area. Google Workspace and Microsoft 365 will sign a BAA, but their own legalese leaves outbound email containing PHI in a gray area where the customer has to decide whether transmission is compliant. Paubox is designed to fill that specific gap.
- Portals are why clients do not read your emails. Hoala estimates up to 90% of messages sent through traditional portal-based encryption tools go unread, especially on mobile. Paubox delivers encrypted messages straight to the recipient’s inbox so the back-and-forth therapists rely on actually happens.
- Encryption in transit is the standard that matters. Paubox dynamically uses the highest level of encryption the recipient supports (TLS 1.3 or 1.2). If a recipient’s server cannot accept secure transport, the message is routed through Paubox’s secure message center with a single magic link, rather than being sent in the clear.
- Domain ownership is a baseline requirement. A gmail.com address cannot be HIPAA compliant, because Google will not sign a BAA for gmail.com addresses. Therapists who want HIPAA compliant email need their own domain, then either Google Workspace or Microsoft 365 on top of it, then a layer like Paubox for secure transmission.
- HIPAA compliant forms are part of the package. Paubox Forms is bundled at no additional charge for paid customers. Form submissions are delivered straight to the inbox in a compliant way, rather than living behind another portal.
- Inbound threats matter too. Display-name spoofing attacks, where bad actors scrape LinkedIn to impersonate new hires or executives, are an underrecognized risk for small practices. Paubox ExecProtect is built specifically to guard against this pattern.
- HITRUST certification is the vendor signal to look for. Paubox is HITRUST certified and has maintained that certification since 2019. For therapists evaluating any HIPAA-adjacent vendor, HITRUST is one of the clearest signals that a company is doing the underlying work, not just clicking through a BAA.
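The display-name spoofing pattern from the inbound-threats bullet above, shown as an added defensive example. It is not from the episode or from Paubox and does not represent how ExecProtect works. It flags a `From` header whose display name matches a protected staff name while the address is not one that person actually uses; the staff names, addresses and domains are constructed.

```python
import re
import unicodedata
from email.utils import parseaddr

# Constructed directory: protected display names -> addresses allowed to use them.
STAFF = {
    "Dana Okafor": {"dana@examplepractice.test"},
    "Lee Nakamura": {"lee@examplepractice.test"},
}


def normalize_name(name: str) -> str:
    """Fold case, Unicode compatibility forms, punctuation and word order.

    "Okafor, Dana", "DANA  OKAFOR" and full-width letters all map to the same
    key. Cross-script homoglyphs (e.g. Cyrillic letters) are NOT handled here.
    """
    text = unicodedata.normalize("NFKC", name).casefold()
    words = re.findall(r"[^\W\d_]+", text)  # runs of letters only
    return " ".join(sorted(words))


_PROTECTED = {
    normalize_name(name): {a.casefold() for a in addrs}
    for name, addrs in STAFF.items()
}
_PROTECTED_ADDRS = set().union(*_PROTECTED.values())
_EMAIL_IN_NAME = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def classify_sender(from_header: str) -> str:
    """Return a verdict string for one From header value."""
    display, addr = parseaddr(from_header)
    addr = addr.casefold()

    # Variant: the display name itself shows a staff address, while the
    # real envelope of the header points somewhere else.
    for embedded in _EMAIL_IN_NAME.findall(display.casefold()):
        if embedded in _PROTECTED_ADDRS and embedded != addr:
            return "spoof:address-in-display-name"

    allowed = _PROTECTED.get(normalize_name(display))
    if allowed is None:
        return "ok:unprotected-name"
    if addr in allowed:
        return "ok:known-address"
    return "spoof:display-name-mismatch"


# Constructed sample headers.
SAMPLE_HEADERS = [
    "Dana Okafor <dana@examplepractice.test>",
    '"Okafor, Dana" <dana.okafor.hr@freemail.test>',
    '"lee@examplepractice.test" <billing@freemail.test>',
    "Newsletter <news@vendor.test>",
]


def flagged(headers):
    """Return (header, verdict) pairs for headers judged to be spoofed."""
    results = [(h, classify_sender(h)) for h in headers]
    return [(h, v) for h, v in results if v.startswith("spoof:")]


if __name__ == "__main__":
    for header, verdict in flagged(SAMPLE_HEADERS):
        print(f"{verdict:32} {header}")
```

A check like this only covers the display name; sender authentication results (SPF, DKIM, DMARC) still need to be evaluated separately for the address itself.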
“Your listeners are going to care about security, reliability, and ease of use. When it comes to choosing a HIPAA compliant email vendor, that’s a profound business realization where you don’t have to guess the market. It’s going to be those three things.”
— Hoala Greevy, Founder and CEO of Paubox
Timestamps
- 0:00 – Introduction
- 1:16 – Who is Hoala Greevy and how Paubox came into being
- 2:18 – What Paubox does and why it was created
- 4:40 – The fax machine, email adoption, and US healthcare
- 5:19 – Mission, vision, and the Paubox Foundations
- 6:30 – Community service and the Paubox Kahikina Scholarship
- 8:38 – What HIPAA compliant email actually requires
- 10:26 – The Google and Microsoft BAA gray area
- 12:45 – How Paubox integrates with Google Workspace and Microsoft 365
- 14:48 – What the client experience looks like on the receiving end
- 18:11 – Onboarding and self-service setup
- 19:29 – Paubox Forms and customer-driven product development
- 21:09 – Inbound email security and display-name spoofing
- 24:32 – Data access, HITRUST certification, and trust
- 26:41 – What makes Paubox stand out
- 27:18 – AI scraping, encryption, and the limits of protection
- 28:36 – Who Paubox is for and who it is not for
- 32:20 – PGP, S/MIME, and what to avoid in encrypted email
- 34:05 – Pricing, value, the badge program, and referrals
- 36:10 – TLS standards, evolving threats, and AI
- 38:43 – Curt and Katie Chat: Our Review of Paubox
Curt and Katie Chat: Our Review of Paubox
Curt and Katie reflect on their initial impressions of Paubox and the new partnership. Curt comes at the evaluation from a group practice owner’s perspective, focused on how the platform scales in cost as users are added and how it would integrate with an existing Google Workspace setup. Katie evaluates it from a solo practitioner’s perspective, focused on whether the cost is worth it for therapists who rely heavily on email versus those who barely use it.
Both note that Paubox’s promise of seamless, inbox-level secure delivery (rather than the standard portal-and-login workflow) is the feature that most stands out. The security framework meets their standards, the pricing scales reasonably across users, and the integration with Google Workspace and Microsoft 365 does not require learning a new system. Katie’s bottom line: for therapists who live in their inbox and regularly communicate with clients there, the seamless secure delivery and ease of use make the cost worthwhile. For clinicians who barely use email, it may not be the right match.
Special Offer for Modern Therapist Listeners
Get $250 off an annual Paubox plan. Visit paubox.com and use the promo code MODERN to get started. Paubox also offers a 14-day free trial, a referral program with no cap, and a website badge program that further reduces ongoing cost.
Relevant Links
- Website: paubox.com
- Paubox Kahikina Scholarship: paubox.com/kahikina-stem-scholarship
- HITRUST certification and the Paubox Foundations
- Paubox ExecProtect (display-name spoofing protection)
- Paubox Forms (HIPAA compliant form submissions, bundled)
Transparency Note
This episode is part of our Modern Therapist’s Consumer Guide series, where we interview companies to help therapists make informed decisions about tools and services that support their work. While this interview is a paid partnership, our discussion and opinions are our own.
Meet the Hosts: Curt Widhalm & Katie Vernoy
Curt Widhalm, LMFT
Curt Widhalm is in private practice in the Los Angeles area. He is the cofounder of the Therapy Reimagined conference, an Adjunct Professor at Pepperdine University and CSUN, a former Subject Matter Expert for the California Board of Behavioral Sciences, former CFO of the California Association of Marriage and Family Therapists, and a loving husband and father. He is 1/2 great person, 1/2 provocateur, and 1/2 geek, in that order. He dabbles in the dark art of making “dad jokes” and usually has a half-empty cup of coffee somewhere nearby. Learn more at: http://www.curtwidhalm.com
Katie Vernoy, LMFT
Katie Vernoy is a Licensed Marriage and Family Therapist, coach, and consultant supporting leaders, visionaries, executives, and helping professionals to create sustainable careers. Katie, with Curt, has developed workshops and a conference, Therapy Reimagined, to support therapists navigating through the modern challenges of this profession. Katie is also a former President of the California Association of Marriage and Family Therapists. In her spare time, Katie is secretly siphoning off Curt’s youthful energy, so that she can take over the world. Learn more at: http://www.katievernoy.com
A Quick Note:
Our opinions are our own. We are only speaking for ourselves – except when we speak for each other, or over each other. We’re working on it.
Our guests are also only speaking for themselves and have their own opinions. We aren’t trying to take their voice, and no one speaks for us either. Mostly because they don’t want to, but hey.
Modern Therapist’s Survival Guide Creative Credits:
Voice Over by DW McCann https://www.facebook.com/McCannDW/
Music by Crystal Grooms Mangano https://groomsymusic.com/
Transcript for this episode of the Modern Therapist’s Survival Guide podcast (Autogenerated):
Announcer 0:00
You’re listening to the Modern Therapist’s Survival Guide, where therapists live, breathe and practice as human beings. To support you as a whole person and a therapist, here are your hosts, Curt Widhalm and Katie Vernoy.
Curt Widhalm 0:15
Welcome back, modern therapists. This is the Modern Therapist’s Consumer Guide, where we talk with some of the brands that Katie and I trust, and we do our due diligence to research and say we agree with these companies and their missions, and today, we are joined by Hoala Greevy, founder and CEO of Paubox, to talk about the company, not just the products that they offer, but also the mission, the visions, the wonderful ways that it can make our modern therapists be able to have the best practices that they can. So thank you so much for joining us here today.
Hoala Greevy 0:56
Thanks for having me.
Katie Vernoy 0:57
I’m really looking forward to this conversation. We get a chance to learn more about Paubox, and also for all of us having to make decisions about HIPAA compliance and how we communicate with our clients, I think this is going to be very, very helpful. But before we jump into the conversation, I want to ask you the question we ask all of our guests, which is, who are you and what are you putting out into the world?
Hoala Greevy 1:16
Sure. My name is Hoala. I’m born and raised in Hawaii, Native Hawaiian. Paubox came into being by taking a customer out to lunch, and that customer was the CEO of the Make a Wish Foundation of Hawaii. We went out to lunch in Downtown Honolulu in Chinatown. She described the business problem around HIPAA compliance, and I thought I could do something about it. So fast forward a little bit. Pulled some all-nighters, came up with Paubox and launched it into the world. And so Paubox is very much customer feedback driven. That’s our ethos. Now I live in San Francisco, because I found out pretty quickly the market did not take us seriously being headquartered in Honolulu, so I moved to the one city where we’d be taken seriously for tech, and I’m very grateful to be here.
Curt Widhalm 2:08
So for our audience, can you frame a little bit about what Paubox does and how and why it was created?
Hoala Greevy 2:18
Yeah, sure. So Paubox offers email security and compliance for healthcare industries. So in other words, we provide HIPAA compliant email service. The solution is seamless by nature, because what I saw in the market, being an outsider to healthcare, was people weren’t reading these messages because of the friction involved with reading emails where you have to log into a portal, and there’s seven steps, which still happens to this day with the Microsoft 365 solution, by the way, it’s seven steps, or they might get you to download an app or install some kind of keys. Barely any people actually read the messages. And that continues to this day. Upwards of 90% of these messages are not read, just too much friction, especially when you’re trying to read it on a phone. And we now know that upwards of 75% of all email is now read on mobile phones. So these solutions completely fall down upon themselves when you’re trying to get someone to read something on a mobile phone. And so Paubox was designed because I have deep experience in the email business. I’ve been doing emails for over 20 years.
Katie Vernoy 3:26
Wow.
Hoala Greevy 3:27
So just been doing the same thing for a long time. So we designed a method to offer a seamless delivery of HIPAA compliant email straight to the inbox, including any attachments you need to send, while maintaining the compliance that’s required for HIPAA, and that’s why the market didn’t believe us being in Hawaii. I’d have people on the phone with me. I’d do a demo on the phone. They get the email, and they’d say, Why is this 10 times better than what Google and Microsoft offer for encryption? And you’re calling me from an 808 area code number. I think this is a gimmick. I think you surf all day quick. And, you know, doesn’t take too many of those hang ups to realize you got to do something. So yeah, now we’re in the city where we get taken seriously, so that’s pretty much what Paubox is about. And I’ve considered healthcare to be the last American business segment not using email for work purposes. Still largely doesn’t occur, in my opinion. In fact, I believe the backbone of communication in US healthcare remains the fax machine. So that’s a nice boogeyman to have as a competitor, because, you know, everyone’s got a story about the fax machine.
Katie Vernoy 4:40
Oh my goodness, I myself have some stories about fax machines, but not recently. I think for my private practice, I’m able to move past the dreaded fax machine. But the question I have, and this is one that we ask all of the folks that come in and do these consumer guide episodes with us, is around the mission, vision and values that guide your business decisions, because I feel like our audience really wants to know who they are working with. You know, if they’re choosing a solution, do they align morally with what’s going on in the background? So can you talk a little bit about that?
Hoala Greevy 5:19
Yeah, sure, Katie. So our mission is to become the market leader for HIPAA compliant email security. And we are driven by what we call the Paubox foundations. And these are just values that we care intensely about. You know, a lot of companies have them. We create a list of things that matter a lot to us. And so top of the list is customer feedback. So we allow our customers to tell us what and when to build, and we don’t rely on investors, the press, or even our own coworkers to dictate the roadmap. It’s customer feedback driven. Big ideas matter. That’s another one of our values. So we believe our customers will always want security, reliability and ease of use, and this is something we can plan the business around, because so many things change in tech. I mean, just look at what’s happening with, you know, AGI, generative AI, et cetera, like that stuff’s impossible to predict. But we know our customers will always want security, reliability and ease of use, so we constantly invest in those initiatives. Another one is GSD. We get stuff done. Another one is we do the homework, right. Honesty and trust, clear communication, data driven, and we’re leaders, not followers. We just feel like if our mission is to become the market leader, then we need to exhibit the behaviors of a leader and so community service, that’s a big deal to us. I think one of the things I took away from the Hawaii business community is the leader always gives back. That’s an indicator of who you are. So we created a scholarship seven years ago. We named it after my tūtū, my grandmother. It’s the Paubox Kahikina scholarship. The mission is to encourage Native Hawaiians like me to enter careers in STEM or technology in general. It’s a recurring scholarship of $1,000 a year every year to the student until they graduate. We started off with one scholarship recipient. Now we have, I believe, 62. So we have more scholarship recipients than we have full time employees, which is unusual.
And we recently got our 501(c)(3) nonprofit status because our folks that would attend our networking events for the scholarship were asking for ways to contribute, but, you know, they need a nonprofit entity to make that contribution to. So I think that’s one of the ways in which we lead, because there’s really not enough Native Hawaiians in tech, in my opinion, or STEM in general.
Curt Widhalm 7:59
From the therapist’s end, we rely on a lot of HIPAA compliant technologies. We mostly vaguely just trust companies that do the HIPAA compliant tech end of things, and kind of generally ask our colleagues, Hey, who are you using for HIPAA compliance on this. This is a really cool opportunity for us to actually ask what goes into being a tech company staying up to date in the practice of HIPAA compliant, and what are the challenges that a company like Paubox faces in doing that?
Hoala Greevy 8:38
So HIPAA compliance at a high level for email involves encrypting the data at rest, you know, when it’s in your mailbox, and encrypting the data in transit as you send email across the internet. You have to have a business associate agreement signed with vendors that handle PHI on your behalf, that’s protected health information. And vendors like us, we also need to do annual security training for our staff. That’s also a requirement by HIPAA, as well as other documentation of safeguards. So as a vendor for covered entities and business associates like therapists, we have to behave just as they do. We have to be HIPAA compliant as well. So that’s an ongoing thing for us. And in 2019 we got our HITRUST certification, which is considered the gold standard of HIPAA compliance in the healthcare industry, and we’ve maintained that ever since. So that’s been seven years now. We were the first email encryption company to get HITRUST and, yeah, we still do our annual security training. That’s part of HITRUST, and we make it our business to know everything about HIPAA compliant email. Since, like I said, there’s just so many more people out there that should be communicating with patients the way they used to be communicating with. And the snail-mail has its place. Phone calls have their place, but email, in my opinion, is vastly underutilized.
Katie Vernoy 10:09
So when we look at a therapist wanting to make their therapy practice HIPAA compliant around communication, what are the challenges? What are the things that they should consider when determining, you know, which email service they should use?
Hoala Greevy 10:26
Sure. So the top two cloud email providers right now, Google Workspace, Microsoft 365, both of them make it very easy to get a business associate agreement. Microsoft 365, for example, just tacks it on by default when you sign up, so there’s no additional behavior to do. We did the research on that. We write a lot of blog posts on the topic. The Google BAA is pretty simple to get. It’s free. Both are free. But what’s a gray area, which they readily admit, if you parse the legalese on their site, is when it comes to actually sending or receiving email, what’s basically sending. There’s a gray area there. And they tell the customer, it’s up to you to decide whether this is HIPAA compliant or not. They don’t make that claim about the other parts of their HIPAA compliance service, like OneDrive or Google Docs, for example. To me, they’re acknowledging that there’s a gap there, and that’s where we come in to fill the hole. And we provide comprehensive email encryption, where every email from a sender’s domain, that’s our customer. You know, you have your own domain name. We encrypt all email by default. There’s no keywords to trigger. There’s no app to install. All email, all devices, every user encrypted by default in transit as it travels across the internet. And we can also optionally encrypt inbound email as well, because customers were asking for that. So that’s as far as a HIPAA compliant email goes. And we designed Paubox so that it could wrap around Microsoft 365 or Google Workspace, or even hosted on premise Microsoft Exchange servers. So that’s why we designed it, to seamlessly integrate with what customers have and make the transmission of their email seamless to the recipient, so the recipient actually will read the message and interact with them. And we found a very nice fit with therapists, because I believe there’s just a lot of back and forth with therapists and their patients.
You know, how you doing today, just checking in, things like that. And so if you’ve got a portal in the way, it’s just simply not going to happen. So that’s why I believe our fit has been pretty well received by therapists.
Curt Widhalm 12:45
So how does this actually look for us as users? Would you say that it integrates with Google Workspace or something? Is it something where we go into our normal Google login and there’s some sort of extension? Like, what you’re describing sounds almost too good to be true.
Hoala Greevy 13:05
Well, Curt, that’s exactly why I left Hawaii, because you can imagine trying to overcome this being in Hawaii. So there’s a few steps. So you have to have your own domain name to use Paubox, which is also a requirement for Google Workspace or Microsoft 365. You are not allowed to use a gmail.com address and be HIPAA compliant. Google will not sign a business associate agreement for gmail.com addresses. So you get your own domain name. So we need to make a few DNS changes with your DNS provider, and that’s letting the rest of the internet know that you’re using Paubox to send and receive your email. We can provide instructions, or you can hop on a Zoom with a real human being, and we can show you how to do that with wherever you registered your domain, be it GoDaddy or any other provider. Second step, with the appropriate permissions, we guide you through the Google Workspace admin panel or the Microsoft 365 admin panel, and we make a few changes that affect the entire organization-wide, domain-wide, which is basically becoming the outbound email gateway for your organization. And after that, you’re done. And all email you send from your devices, or, you know, your apps or your browsers, it’s automatically routed through Paubox, and we can do the rest from there, encrypting the email in transit. So that’s how we did it. And we do have 10 patents around our security, our technology, HITRUST certified, like I mentioned, so we’ve taken the pains to be deep domain experts in this particular thing.
Katie Vernoy 14:48
So from the client angle, I know with other HIPAA compliant email processes, sometimes they’ll have to have a login or go to a separate you know, kind of separate window in order to read the email, which I think is what you’re alluding to. People aren’t reading emails. How does that work with Paubox?
Hoala Greevy 15:09
So what we do is, when a customer sends an email, it hits our platform, and we take a look at who they’re trying to email, and on the encryption transmission process we use the highest level encryption that the receiving party will accept. Right now, that standard is TLS 1.3. Another standard is TLS 1.2. Outdated and deprecated, insecure protocols are everything below that: TLS 1.1, 1.0, SSL v3, SSL v2, if you want to go way back in history. If we find that instance on a recipient’s mail server that they cannot accept TLS 1.2 or 1.3, or that they have no encryption available at all, which still happens on the internet, we’ll dynamically sense this on the fly and convert that message and any attachments to our secure message center. Then we’ll send the regular email to the recipient, and it’s one additional click for them to read the message. And we can configure that click to be a magic link, or magic link plus 2FA or another option that includes a little bit more friction, depending on the customer’s preference. Most of the time, the email will go through seamlessly, straight to the inbox. But that’s the guarantee we provide where we’re like, Hey, we’re going to use the highest level of encryption that the recipient supports, and we’re never going to allow it to go through with an insecure protocol or no encryption at all. So we just take care of everything for the customer.
Katie Vernoy 16:51
So for therapists, my message is safe. I can send it. It’s gonna, I don’t have to click extra buttons. I don’t have to do anything. My message is safe. For clients, if they have an old, janky email, they’re going to have to click into a message like they might with any other email server. But if they have a normal, up to date email service, they’re going to just get a regular message with all the information in it.
Hoala Greevy 17:17
That’s right. And we can configure that to be, you know, using a magic link where it’s just the click and they’re able to read the message.
Katie Vernoy 17:26
That’s pretty wild. I mean, it’s, it’s the biggest problem, I think, with other HIPAA compliant services is that I don’t think people click in and do the whole process to try to get to receive their messages.
Hoala Greevy 17:38
No, it’s, um, yeah, why would you? Nobody likes doing that. Because it’s like, Well, is it the login for Kaiser, or is it the login for Solder, or is it the login for Epic, or do I even care about this point? Why do my five providers make me have five logins? This is absurd. I give up. I mean, that’s the way portals are received, right, and rightfully so.
Curt Widhalm 18:04
What is the process to onboard to get all of this stuff going?
Hoala Greevy 18:11
So for therapists, we have a self service. Just go to our site, paubox.com, there’s big orange buttons. Start for free. We have a 14 day trial. There’s a self service, you know, just put down a credit card. We’ll step you through it on a wizard. If it’s a little confusing, we have an award winning support team. You can book a one hour Zoom meeting, and you can get an actual human to help you step through it, just in case you’re not feeling comfortable. So, yeah, you can do it on your own, if you like, or you can tag in a human on a Zoom meeting to help you with the setup.
Curt Widhalm 18:49
So it’s easy and amazing. What’s the catch?
Hoala Greevy 18:55
I mean, that’s what we’re here for. We’ve chosen to be hyper specialized in HIPAA compliant email, do the same thing over and over again, day in, day out, constantly refining our processes.
Katie Vernoy 19:11
So if someone were to choose to become a Paubox customer, how does that work as far as ongoing? It sounds like we’ve talked through the onboarding process. We’ve talked about you kind of integrated into your email at that point. What is there left to do?
Hoala Greevy 19:29
Most of our customers are on an annual plan. You can go monthly, if you like. We just ask for, you know, a small premium to be tacked on to go monthly. Most customers are on annual, and using our customer feedback ethos, we found that customers also want HIPAA compliant forms, and so we also offer Paubox Forms for free, no additional charge, to all existing customers. And what we found there was on most forms products, when a visitor to your site fills out a form, it triggers an action. So you, as the therapist, the business owner, you want to know someone’s filled out a form, and that’s usually an email. And we found that all these other forms providers, it’s the same thing, right? It’s a portal. Click here to view your form submission. So we thought this was a nice, complementary thing we could do, where we can deliver that form data straight to your inbox and be HIPAA compliant. No one else is doing that. Everyone else is forcing you to go to a portal. So that’s why I think Paubox Forms are a nice fit. And again, to provide value to our customers, that’s available for free at no additional charge for paid customers.
Curt Widhalm 20:46
Your feedback process from customers led to forms. You are saying that a lot of what drives Paubox is what your customers want. What are some of the other things that people seem to be asking about, if you can share what might be on the horizon that you’re working on, that you’ve gotten feedback from customers?
Hoala Greevy 21:09
Oh, yeah, sure, Curt. Another one is inbound email security, preventing ransomware or phishing attacks. I mean, that’s constantly coming up, so I have a deep background in that. My first email company I started in Hawaii, it was essentially an inbound email security company. So when that kept coming up, we added that to our service lineup, and one prominent one is what we call a display name spoofing attack. So you know, I can easily, so what’s happening right now is, for one, for most of us out there, it is socially awkward not to have a LinkedIn profile in white collar work. Two, the bad actors are constantly scraping LinkedIn to develop the org chart of every company on LinkedIn. Doesn’t matter how small you are, it’s all being scraped constantly, and we’ve proven this many years ago, still happening. So say you have a new employee starting, and on day one, they update the LinkedIn, bad guys see it, then they go and impersonate that employee display name using some Gmail address they’ve spun up and have an array of gmails to use, or any other free service, and I’ll say, hey, I need to change my bank account, you know, some payroll scam thing. Or maybe they’ll attempt to impersonate the CEO to the new hire, because the new hire just started. Hey, I need you to go buy these, you know, Apple gift cards, whatever. And so as part of our inbound email security solution, we came up with this thing called Paubox ExecProtect. And we have a way to totally guard against all display name spoofing attempts that we’ve gotten several patents over. So that’s one of the things we do for the email security. I mean, there’s a lot going on there. We have a generative AI-based approach to it now that we’ve been putting in a lot of work for, and I just think that’s where the internet is heading, and that’s where we want to be, using the latest tools to provide value to our customers. That’s, to me, what it’s about.
Katie Vernoy 23:21
Are there any limitations to the usefulness of like Google Workspace or Microsoft 365 if you put Paubox in, does it impact the functionality at all?
Hoala Greevy 23:32
We recently allowed up to 150 megabyte attachments to be sent or received through the Paubox platform. It was recently at 50 megs, and some of our customers were saying, Hey, can I get 100 megs? I was like, wow, that’s a pretty big email. So we just said, All right, let’s just do 150, completely remove that. So that’s a recent thing we’ve done. It hardly came up. But we just figured, let’s just do 150, and we also extended that to form submissions. So if you so had a desire, you could set up a form and up to 150 megs of one file or more could be sent through that form using Paubox. So that’s the one thing that comes to mind, as far as limitations. But other than that, we, you know, because ease of use is one of the Paubox foundations being big ideas, we really pay attention to making it seamless and easy to use.
Curt Widhalm 24:32
One of the questions that our audience has whenever we’re talking with tech companies is, is my client’s data safe. And we hear of tech companies that do all of the HIPAA compliance stuff, but there’s a magic box that seems to hide what’s happening on the other side. So what does Paubox have access to, as far as what’s being sent through their platform? What do you do with it, and are you some kind of evil tech CEO person that would just lie to our faces about that?
Hoala Greevy 25:10
Right. Well, if I’m doing my job in honesty and trust or one of the Paubox foundations, then hopefully that puts that to bed. But this is where I think the HITRUST certification really helped us out, because in 2019 that was a thing that was getting asked for a lot by potential customers, especially the larger ones. You know, that basically went, we as an organization are not HITRUST certified. However, if you want to do business with us, you have to be HITRUST certified. And after that kept coming up, we took it as customer feedback, we went and got it, and it’s a comprehensive security framework that basically wraps in a lot of publicly available frameworks like NIST and PCI and HIPAA, of course, puts them all in it together, and then has an annual certification process whereby, every year we jump on, you know, we engage an assessor, and we go through these hundreds of checkpoints on, are you doing this? Are you doing that? What do your backups look like? Etc. So that’s why it’s considered the gold standard, because it is, it is in our deal to acquire and retain HITRUST certification. And as far as PHI goes, we are not allowed by HIPAA to sell customer data for marketing purposes. So we abide by HIPAA. We abide by HITRUST, that’s in the letter of the law. We’re not allowed to do that, and we don’t do that.
Katie Vernoy 26:41
What do you do best? What makes Paubox stand out?
Hoala Greevy 26:44
It would be the ease of use customers really like. And in this age of AI, we have not downsized our tech support team or our customer success team at all. If you run into problems, there is a human you can get in touch with, and we can see that on our reviews online, on G2 you can see it consistently coming up. So it’s nice to see that what we’re saying is what’s happening by and large. So support and ease of use would be top of mind.
Curt Widhalm 27:18
Email seems to be a weak point for a lot of AI scraping. And the security features that Paubox has, do they protect against AI intercepting data?
Hoala Greevy 27:31
Okay, so the security we provide at Paubox, we encrypt the transmission of email as it travels across the internet. We believe that is the most prudent and effective way to secure email, encrypting the transmission. So there’s nothing to stop government entities or AI from sniffing the packet of data as it travels across the internet. However, that data will be jumbled because we’re using TLS 1.2 or TLS 1.3 encryption, so that’s kind of how we see it. Yes, it is possible to sniff the line, but it’ll just be gibberish.
Katie Vernoy 28:14
So there’s some protection there. That’s very reassuring. So it seems like…
Hoala Greevy 28:19
And it follows the letter of HIPAA. You need to take diligence when encrypting data at rest and data in motion, and that’s what we provide. You have taken diligence to encrypt your data in transmission, and that’s what Paubox fits squarely in for HIPAA, yes.
Katie Vernoy 28:36
Who is Paubox for and who would not be a good fit for what Paubox offers?
Hoala Greevy 28:41
Paubox today is for covered entities and business associates that need to be HIPAA compliant in US healthcare or any derivative that US healthcare touches. We do have other organizations using it, schools, attorneys, accountants. We’ve got a few banks, I believe, but mainly that we fit square and center with organizations that need to be HIPAA compliant. So we’ve seen in the past, you know, someone from Europe will come or even Canada, and while we can adhere to the security practices or the encryption technology that they require, some of these folks have additional requirements, like data sovereignty. And what that means is, hey, if you’re going to encrypt email for a Canadian company, you need to have Canadian data center presence. Or if you’re going to do it in Denmark or Germany, et cetera, you got to go spin up data centers to achieve the data sovereignty requirement. And we just feel like there are just so many companies in the US that we should go and get first that we are not a good fit if data sovereignty is a requirement for your business, which would be, you know, basically outside the US, if that’s a thing.
Katie Vernoy 30:03
So are the data centers for Paubox in the US?
Announcer 30:06
Only in the US. Yes.
Curt Widhalm 30:09
I want to go back to something that you mentioned earlier about the BAAs and how some of the other companies leave it in kind of a it’s up to you to decide if this is enough, because I find that this is sometimes where just having a BAA is where it’s very easy to click a terms and conditions agreement that says, All right, there’s a BAA in place. What is it specifically that Paubox incorporates in your BAA that makes Paubox’s more trustworthy?
Hoala Greevy 30:46
Well, we’re willing to cover the things that Google Workspace and Microsoft 365 are leaving vague, and that’s specifically the transmission of email over the internet that incorporates PHI. So if you wanted to, you could put PHI in the subject line, the front line, the attachment or the message body. Other forms of encryption don’t necessarily encrypt subject lines, for example. In fact, one of the older forms of encryption called PGP, Pretty Good Privacy. It’s been around a very long time, and there’s a reason why no one uses it. It’s because there’s so much friction involved with it. This one encrypts the email itself, whereas we encrypt the transmission of the email. There’s a big difference there, because with PGP, technically, the subject line and the to and the from field are not encrypted by PGP, only the message body and any attachment are encrypted by PGP, not to mention there’s a severe vulnerability found in PGP. Gosh, like five years ago, it’s called EFAIL. I could not find any instance of it being authoritatively patched. So I would consider PGP and its cousin S/MIME to be ineffective forms of communication, both from a compliance and security standpoint and from a usability standpoint. Kind of went off on a tangent there, but those are non-starters as far as encrypted email goes, in my opinion, but just nobody’s going to read it and it’s not secure.
Curt Widhalm 32:20
Well, what I’m hearing from you, a couple of things, is, did a therapist name Pretty Good Privacy? This sounds like a therapist’s language kind of thing. But it also sounds like what Paubox is doing is some of the weakest points when it comes with HIPAA, data usage, data transfer, sorts of things, is the users themselves. And what Paubox is doing, as I’m hearing it, is protecting us from ourselves when we use a product like this.
Hoala Greevy 32:52
Oh yeah, definitely. We ensure the compliance and maintain the ease of use. That security, reliability, ease of use. Those are the big ideas of Paubox. Five years from now, Curt, Katie, when we hop on a podcast together, or 10 years from now, we know with absolute certainty your listeners are going to care about security, reliability and ease of use when it comes to choosing a HIPAA compliant email vendor. That’s a profound business realization where you don’t have to guess the market. It’s going to be those three things. That’s a powerful insight.
Katie Vernoy 33:29
So the question we like to ask somewhere near the end is kind of the who isn’t it for? And it sounds like it’s not necessarily for folks out of the United States. But also, we’ve heard folks have concerns about price, that Paubox is expensive, or something to that nature. Can you talk about that and how we might be able to help them out? Because from what you’re describing, this service is seamless and provides huge amounts of security for folks that could use email more and more effectively if they were to use it. So talk to me a little bit about pricing and how that might be.
Hoala Greevy 34:05
Sure. So we have US employees. You call, you set up a Zoom. You’re going to be talking to, you know, staff in the United States. And as we know, there are labor costs associated with that. And so we feel that we shouldn’t be budging on price. We should be providing more value. So one of them was the Paubox forms. One of the leading HIPAA compliant forms vendors, the cheapest plan available with them is a little over $1,000 a year. We bundle that in for free. So that was one step. Another step is we’ve rolled out a badge program. So if you want, there’s a small piece of HTML you could put on your website. And basically it’ll just be an image saying, Hey, we use Paubox to secure our email. You click on it, it goes to Paubox. That’s a one-time $100 credit to your Paubox invoice. Then the most promising one, in my opinion, is our referral program, which has no limits on the amount of referrals you can accrue. And it’s a simple thing you can enable in our admin panel. People click on the link, they sign up. The person referred gets a $250 credit, and the person that sent the referral, which in this case is just the customer themselves, that’s a $250 credit. So if you bundle the $250 referral credit and the badge program, which you have many people using, you can practically get the first year for free, and then just keep sending one referral a year, and it’s essentially very affordably priced. So, and those were all things we took via customer feedback as well. When customers mentioned price, we’re like, Well, you know, it costs what it costs to have humans helping you out on the Zoom, and we’re happy to maintain that level of white glove service, we just need to be creating more value for our customers. So that’s kind of how we see it.
Curt Widhalm 36:06
Is there anything else you would like our listeners to know about Paubox?
Hoala Greevy 36:10
I think as the internet matures, so does Paubox. So in 2021 I remember distinctly seeing an announcement by the NSA, National Security Agency, and they said deprecated protocols for TLS, anything below 1.2 is now deprecated, and we consider them a national security threat. You should not do business with vendors using TLS 1.1 and below. And I knew that was a time we needed to make the jump. And within a week, maybe two weeks, we had upgraded our entire platform, TLS 1.2 or 1.3, everything else disallowed. Last year, we did a report, and we wondered to ourselves, do Google Workspace and Microsoft 365 still allow deprecated TLS versions that the NSA in 2021 said to stop using, and we found that Google Workspace and Gmail still allow TLS 1.1. And the things we know about email security and encryption, we will provide leadership there, and will evolve as the internet evolves. And we’re going to keep continuing to do that, and now with this new wave of AI, AGI, Gen AI, wherever you want to describe it as, we’ll continue to be doing that along those lines as well.
Curt Widhalm 37:35
Thank you for spending some time with us and sharing about Paubox. And we really appreciate the offers that you’re putting out there for users to try this out. This sounds amazing. Where can people find out more about Paubox and you and the work that you’re doing?
Hoala Greevy 37:55
Sure, just, it’s on our website, paubox.com. Pau is, in Hawaiian, done, so P, A, U, and then box, you know, B, O, X, paubox.com. We named the company, you know, if you have a checklist of things you need to be compliant on, check the box, Paubox. And the domain name was available. Six letters, pretty hard to do these days with dot com. So that’s how the name came about, and we make it pretty darn easy to sign up. From there, we look at our homepage a lot to make sure it’s easy to sign up and easy to understand what you’re buying.
Katie Vernoy 38:31
All right, so now we’re going to take a couple of minutes and just talk through our own review of Paubox and the partnership that we’ve started with them. What are your initial reactions, Curt?
Curt Widhalm 38:43
So I have a group practice. I’m coming at this from maybe a little bit of a different standpoint than you are in a solo practice. And first of all, let me say that I like what I hear about what Paubox offers, how they approach things. The security meets all of my standards as far as what they’re doing. But as a group practice owner, I am always thinking about, okay, if it costs this much, it makes sense for me, as a busy person with a caseload where I have a lot of interactions with clients, and I’m sending documents, and what I am always kind of holding in the back of my mind is, how does this scale up in cost for each additional user? If every user is going to cost the same amount as the first user, that is always kind of a concern for me, and as we dig into the prices, it’s also very reasonably priced to scale up as well. So it’s a good service and it’s a good price.
Katie Vernoy 39:56
Your expression is kind of like, what’s the catch?
Curt Widhalm 39:59
It is.
Katie Vernoy 40:00
I think it is a cost, and I think that is something that folks are going to want to look at. For a solo practitioner, the costs look like whatever your email service is, and I think that can include Gmail, like those types of things, and then it’s this on top. So there is a cost, but it isn’t huge, and it’s, it’s something where, if you’re in your email, as much as I am, the ease of use of having a familiar, very user friendly email service that then adds the peace of mind of the security on top of it feels worth it to me. If folks are barely using email, this isn’t the service for them. If it’s not something where they need to have really easy, simple to use email, I don’t think it’s worth it in that regard. But if you’re in the modern century and you’re emailing with clients or emailing documents, you’re making sure that you’re following the HIPAA compliant rules, this seems like a really good choice.
Curt Widhalm 41:00
It really does. I have used a variety of other email platforms before. As we’ve built out our practice, we have Google Workspace as our team. This would fit seamlessly with what we have, but there’s never been a perfect email system for us, whether it’s UI, whether it’s some of the HIPAA requirements, the confidentiality requirements that Paubox fits where our current systems don’t have it, and it’s allowing for much of the ease that we already have. We don’t have to learn a whole brand new system. It’s something that’s going to integrate pretty well. I’m looking forward to adopting it.
Katie Vernoy 41:45
Same. So for our listeners, you can get $250 off an annual Paubox plan by going to paubox.com, so that’s P, A, U, B, O, X.com, and use the promo code modern to get started. Really great offer, and they also have other ways, as was described, to get some more money back. Definitely want to make sure folks can use it if they want to. So really excited to be partnering with Paubox.
Announcer 42:13
Thank you for listening to the Modern Therapist’s Survival Guide. Learn more about who we are and what we do at mtsgpodcast.com. You can also join us on Facebook and Twitter, and please don’t forget to subscribe so you don’t miss any of our episodes.



