Interview: Hoala Greevy, Founder & CEO, Paubox

Posted by Steve Alder

The HIPAA Journal has spoken with Paubox founder and CEO, Hoala Greevy to find out more about their work and experiences with HIPAA.

Hoala Greevy, Founder & CEO, Paubox

Hoala Greevy, Founder & CEO, Paubox.

Tell the readers about your career in the healthcare industry

My journey in healthcare began in 2014, following a lunch meeting with Siana Austin Hunt, who was CEO of the Make-A-Wish Foundation of Hawaii at the time.

She explained a business problem to me and after some thought, I decided to do something about it. From there we built a seamless email encryption solution that became Paubox.

What was your first position?

My first job out of college was working for an email company in San Francisco in 1999. I’ve been doing email ever since.

What is your current position?

I’m the Founder and CEO of Paubox.

What are the main challenges in your position?

Communicating the mission, vision, and future direction of Paubox to staff, investors, and customers. I’ve found in my role, there is no such thing as over-communicating.

Tell the readers about any significant event in your career.

During my first semester taking computer science courses at Portland State University, I noticed a “help wanted” sign on the job bulletin board in the CS building. The scope of work for the contract was nearly identical to the homework we had the prior week. Although I was certain someone had already beaten me to it, I called the number anyway.

As luck would have it, I was the only person to call; I specifically recall how motivated the guy was. There was a bug in his company’s payroll file and without it fixed, he couldn’t run payroll.

A few days later, I met him in a Safeway parking lot near campus, floppy disk in hand. He popped it into his laptop, ran the executable, and voilà—it worked. He then begrudgingly gave me a check, I think it was for $1,000. I split it with my buddy who had access to a C++ compiler, which I needed. All told, I made $500 for 30 minutes of work.

I immediately knew that was exactly what I wanted to do as a career: develop, market, and sell software.

What products/services do you provide for the healthcare industry and what is unique about them?

Our mission is to become the market leader for HIPAA-compliant communication. To that end, we specialize in three areas: email, forms, and text.

  • Paubox inbound email security protects healthcare organizations from advanced, healthcare-targeted threats with a combination of AI analysis and proven email security defenses. Every email is secured before it reaches users, eliminating the risk of interaction with malicious messages.
  • Paubox Email Suite is compatible with Microsoft 365, Google Workspace, and Microsoft Exchange. By default, it encrypts every email, for all users, and all devices.
  • Paubox Email API is a HIPAA-compliant REST API for transactional email.
  • Paubox Marketing is for digital marketers in healthcare. Paubox Marketing can be used to build personalized email campaigns that include protected health information (PHI). This is unique in that it’s common knowledge outside of healthcare that personalized email increases engagement and conversions. In healthcare however, personalization information can easily become PHI, which is protected by HIPAA. The ability to personalize with PHI and thereby increase patient engagement, is a new horizon in healthcare.
  • Paubox Forms is included for free for all paid customers. We released it in January.
  • Paubox Texting, our newest solution, is designed to further increase patient engagement.
  • Paubox Email Suite, Paubox Email API, and Paubox Marketing are HITRUST CSF certified. The HITRUST certification is the gold standard for HIPAA compliance in U.S. healthcare.

When did you first get involved with HIPAA compliance?

I first dove into the world of HIPAA compliance in 2014. After writing more than 700 blog posts generally around HIPAA-compliant email, it remains a topic I’m still learning about.

What are your main challenges regarding HIPAA?

HIPAA can mean many things to people. Effectively communicating and understanding HIPAA compliance is a constant challenge.

What do you think needs to be improved in the HIPAA regulations?

The deprecation of the fax machine as a HIPAA-compliant form of communication.

Do you have any predictions for the future of HIPAA?

More HIPAA breaches. More HIPAA fines. More HIPAA regulations.

Do you have any predictions for the future of healthcare regulation?

I believe more privacy rights will be added to healthcare regulations. While the HIPAA Privacy Act is a good start, I think more privacy provisions will be added.

For example, the California Consumer Privacy Act (CCPA) gives consumers the right to know about the personal information a business collects about them and how it is used and shared. It also gives them the right to delete personal information collected.

I think it’s a natural step for the HIPAA Privacy Act to be extended to adopt guidance similar to this.

Do you have any predictions for the future of healthcare technology?

Until we vanquish the fax machine, it remains a mystery to me how effective Generative AI will be in healthcare.

Do you have anything else interesting to share with readers?

I hold the IGFA world record for the finescale triggerfish, which is perhaps the ugliest fish ever caught!

You can reach Hoala Greevy via LinkedIn https://www.linkedin.com/in/hoalagreevy/

 

The post Interview: Hoala Greevy, Founder & CEO, Paubox appeared first on The HIPAA Journal.

Why Healthcare Staff Need HIPAA Training for Social Media

Posted by PJ Murray

Healthcare staff need HIPAA training for social media because a single post, photo, or comment can expose Protected Health Information (PHI), trigger a reportable breach, damage the organization’s reputation, and create personal legal risk for the employee. Social media feels informal and personal, but the HIPAA Privacy Rule and HIPAA Security Rule still apply every time a staff member talks about patients, work cases, or the workplace online.

How social media turns everyday moments into HIPAA risk

HIPAA does not only protect obvious identifiers like a name or medical record number. Any detail that can reasonably identify a person or connect them to a health condition, diagnosis, or treatment can qualify as Protected Health Information. A photo of a recognizable tattoo, a description of “the only serious car wreck in town last night,” or a story about a local public figure receiving care can all reveal who the patient is, even if no name appears.

Social media amplifies this risk. Once something is posted, the author loses control over where it goes, who screenshots it, or how it is edited and reused. Deleted posts can live on in private messages and group chats. Staff may believe that limiting a post to friends or using privacy settings keeps it safe, but friends and followers can still recognize patients, locations, or events and share that information with others. Without specific training, many employees underestimate how easy it is for patients, families, co-workers, and regulators to connect the dots.

Misunderstandings that drive HIPAA violations online

Most staff who get into trouble on social media did not wake up intending to violate HIPAA. They often misunderstand what the law covers or how easy it is to identify a patient. A common belief is that removing a name or blurring a face is enough. Staff may think that talking about “a patient I had today” or “a wild case in the ICU” is acceptable as long as they avoid names or use casual language.

Another problem is emotional pressure. Healthcare work is stressful, sad, and sometimes dramatic. Staff feel a real need to vent, seek support, or share meaningful experiences. In a moment of frustration, pride, or grief, it can feel natural to post a story, image, or video. That impulse to be heard and validated can override training or policy, especially if the person never truly understood how HIPAA applies online.

Some individuals also use social media as a form of self-promotion or branding, highlighting cases or patient interactions to showcase their skill or compassion. When those posts include any identifying details, they become impermissible disclosures. A good training program needs to address not just rules, but these emotional and social drivers of behavior.

Why organizational policies are strict about social media

Most healthcare organizations now have broad social media policies that cover both official and personal use. These policies usually extend beyond the major platforms and include blogs, online forums, messaging apps, and even personal email used from work devices. They often apply not only to original posts but also to actions such as liking a patient’s post, commenting on someone else’s content about a patient, or resharing material that mentions the organization.

Policies may restrict personal social media activity on workplace devices or during work hours. They may authorize the organization to monitor certain activity or block specific sites. Sanctions for violations can include mandatory retraining, written warnings, suspension, or termination. The stakes are high because a single post can harm a patient, damage community trust, attract media attention, and trigger an investigation. Intentional PHI disclosure on social media can create individual criminal exposure.

Staff need training to understand what the policy says in practical terms. They need concrete examples of forbidden behavior, clear explanations of permitted uses, and transparency about how monitoring and sanctions operate.

Personal legal consequences for staff who misuse social media

The risks are not only professional. Impermissible disclosures of PHI on social media for personal gain can be treated as wrongful disclosures under federal law. That can lead to civil fines and, in serious cases, criminal penalties. Liability is possible even if the employee did not personally press the publish button. A person who shares confidential details with a colleague, knowing that the colleague is likely to post about it, can share responsibility for the disclosure.

Personal gain does not have to be financial. Posts that highlight a shocking case to gain followers, sympathy, or status can still be viewed as motivated by gain. Families or individuals whose privacy was breached can pursue civil lawsuits, adding another layer of risk for both the organization and the individual staff member. Effective training should make these consequences real through scenarios and case examples, while still keeping the focus on prevention rather than fear.

Appropriate, compliant uses of social media in healthcare

Staff also need to see that social media is not entirely off limits. Many organizations use official accounts to share public health information, educational content, research updates, and general service announcements. These activities can support community engagement and patient education when they avoid individual patient information and follow internal approval workflows.

Training should distinguish clearly between official, controlled communication and personal accounts. Staff must understand that personal accounts are not appropriate channels for discussing care, answering clinical questions, or coordinating treatment. Even when patients reach out first, staff should redirect them to secure, approved communication methods. Clear boundaries make it easier for employees to participate safely in the organization’s online presence.

Staff HIPAA Training for Social Media

HIPAA social media training should first explain what counts as Protected Health Information in an online context, including any detail or image that could reasonably identify a patient or link someone to a diagnosis, condition, or treatment. Staff need to understand that posting this information on personal accounts is almost always an impermissible disclosure unless there is a valid, informed HIPAA authorization, and that once something is posted it can be copied, manipulated, and shared beyond their control.

The training should then walk through the organization’s social media policy and give clear examples of prohibited behavior and acceptable use. That includes explaining that policies often apply to blogs, forums, messaging apps, and even likes or comments, not just obvious posts on major platforms. Staff should see how real cases have led to discipline, fines, loss of employment, and even criminal charges, and they should know how to report a concern to the HIPAA Privacy Officer or other designated contact.

Training should close by reinforcing simple rules for staying safe on social media, emphasizing that work experiences and patient information belong in secure, approved channels, not on public or semi-public platforms.

The post Why Healthcare Staff Need HIPAA Training for Social Media appeared first on The HIPAA Journal.