Citrix Developer Solutions Podcast

S1E22 - Solving Podio Gaps 4: "HIPAA, Dates, Reports, & Emailing"

July 15, 2019 Brick Bridge Consulting Season 1 Episode 22
  1. Gap 1: HIPAA Compliance: https://help.podio.com/hc/en-us/community/posts/360046435891-HIPAA-Compliance-Update
    1. Background/History on HIPAA & Podio
    2. What are your options using Citrix and complying?
  2. Gap 2: 'Add Another' for Date Field: https://help.podio.com/hc/en-us/community/posts/360045383451--Add-Another-for-Date-Field
    1. How can you add multiple dates/times that are not just recurring for one event?
    2. Customized build-out vs Globiflow
  3. Gap 3: Email Campaigns: https://help.podio.com/hc/en-us/community/posts/360045181431-Email-Campaign
    1. Different types of email campaigns require different approaches
    2. Integrations and compliances with email campaigns
  4. Gap 4: Create Report with Text Field & Number Field: https://help.podio.com/hc/en-us/community/posts/360047738251-Create-report-of-a-number-field-per-text-field
    1. Workaround using relationship fields
    2. Workaround using Globiflows

Follow us on social media (@PodcastPodio) to stay up to date on all Podio Podcast news.

Donate to Non-profits here: https://www.buymeacoffee.com/brickbridge

Speaker 1:

Music Intro

Gil Roberts:

Welcome to the Podio Solutions Podcast, episode 22. I'm Gil Roberts and with me today is our lead developer here at Brick Bridge, Alex Shull. Hello and our principal consultant Jarett Duker. Good afternoon. This podcast is about the design and development on the Citrix Podio platform and you can find that at Podio, p o d io.com. We use this podcast to discuss our own experiences with Podio as well as other interesting topics from the Podio developer community. If you are a Podio designer or developer working at an agency, small business or enterprise, you should immediately hit that subscribe button. If you have already, thank you so much for your support. Lastly, before we dive into today's topic, if you have a topic, issue, problem, anything else, solution we'd like to hear about it, uh, hit us up on our Facebook, LinkedIn, Twitter, or you can send us an email or a Podio message to podcast@brickbridgeconsulting.com. Today's topic is solving Podio gaps, number four. Um, we got four topics pulled out today. Uh, as always, we will have all the links to the Podio help forums that we are pulling these gaps from, uh, in the show's description. Uh, we have one good one right out of the gate. Uh, I say fellows, we just dive right into it. What do you think? Sure. So why don't you pull up the first one? Yup. So first one is, uh, this was submitted on June 6, 2019, so just about a month ago, uh, by Andrew Barbash at a, it's got comma MDE, so I assume that he's a doctor. Um, those of us who are, uh, this is HIPAA compliance update. Those of us who are big Podio users and in clinic in clinical healthcare are very eager to find out if and when Podio is likely to be officially HIPAA compliant to the point of supporting a business associate's agreement or BAA as we've called. Uh, this is a topic that has been raised many times, but a recent post suggests that perhaps this is being actively pursued by Podio. Question Mark. It would be good to have an update either way.
Thanks again from Andrew Barbash, MD June 6th. I know, uh, personally for us, we've had our run around with HIPAA. Yeah. Yeah.

Alex Shull:

This is a response from, from there's a response one month ago. Yep. From the team. Carlos, Podio responded, yes. Says we do have this feature being taken into consideration into being implemented. Unfortunately we cannot provide further details of roadmap nor ETA. I apologize. So they, they see the value they're tackling it. They can't commit. It's complicated in a Citrix environment. Complicated. We understand that.

Jarett Duker:

So this is a huge soapbox for me. So I'm excited because I get to react a little bit. Um, first I'm just going to give a little bit of background because some people, if they're very lucky, don't know what we're talking about right now. So first off, what is HIPAA? Um, it's the health insurance portability and privacy act of 1996 also referred to as the Kennedy-Kassebaum Act Information. I thought, Oh, let me, let me check that again cause I do miss it. Everyone just calls it HIPAA, health insurance portability and accountability act, which is a very necessary bit of legislation that came out in 1996 that provided federal guidelines for the storage, transportation and disclosure of PHI or private health information, um, inadvertently created multiple new sectors of the U.S. government and spawned an entire industry of consultants and software programs designed to keep, uh, organizations in HIPAA compliance. And what was a really well intended act has created an entire host of externalities in which the, I've dealt with extensively, both, uh, here at Brick Bridge as well as with other organizations. And the issue was the wording of the act, um, it discusses any information which could be related to one's public or sorry, private health information as being officially protected under HIPAA. It's an umbrella clause. So what isn't private health information? The fact that you are alive, thus having a pulse and any other correlated data could be considered HIPAA information because you are alive. Therefore you are, have a health status. You have a name alive and the name is now protected under HIPAA. If the federal government wanted to push it that way.

Alex Shull:

If you're recording the data, it's like, yeah, there's one thing about HIPAA, but that's, that's important to realize is that you to an extent have control over your own HIPAA scope. You know what, you don't like HIPAA due to healthcare. We do it as little as possible. And so if you actually understand where you cross over into HIPAA, you can assiduously avoid it. But what do you do when you can't avoid it? In certain industries you can.

Jarett Duker:

No, actually, depending on how aggressive a, the compliance departments want it to be, HIPAA actually could cross into every spectrum of private information.

Alex Shull:

Well, it's, that's never happened. It's not a real concern for our business users today.

Jarett Duker:

However, it does open up this a joke for any of us who have worked with private health information at any point, which is you're never in compliance--you're never in compliance with HIPAA. You measure it as a percentage likelihood chance that you are out of compliance. Can I pass an audit or not? Or can you pass an audit? And as a consultant working in this environment, we never tell people 'I can pass an audit.' We tell people you are 80% likely to be in compliance with HIPAA because the laws are so ambiguous that it is almost impossible from a data management perspective to state explicitly that you are in compliance with HIPAA. Taking what you said there and then you think about what the Podio team has to develop. This is why that they're unable to give any kind of timeframe. So I can give a little bit more history on this. Um, the single socket layer security systems that Podio employs as well as the rest of the encryption features that they use are HIPAA compliant in terms of the technical standards for data integrity. Podio is compliant to HIPAA, to the HIPAA requirements laws, but there are a lot of other considerations when you look at actually labeling a broad spectrum HIPAA compliance on your system, such as Citrix actually did with their ShareFile system, which was specifically designed for the management of hospital records. Such things as a likelihood to disclose. The very fact that Podio has an open ended share feature represents a massive potential HIPAA violation that requires the users to use it responsibly,

Alex Shull:

and this is the thing, when you build a system that is built to be open and collaborative and where you can modify things and share things, it's almost in direct conflict with the design requirements of the HIPAA compliance system where you say first protect the data and then slowly give access and track it

Jarett Duker:

millimeter at a time. HIPAA was not well-worded in terms of the clarity of of how this data was being disclosed.

Gil Roberts:

To be fair, HIPAA is for protecting information, not user experience software, right.

Jarett Duker:

But with that like ever expanding umbrella of what is considered private health information alongside the difficult wording of what constitutes a breach, as well as the incredibly stiff penalties for incurring a breach, it creates a very difficult environment for software developers who want to break into that healthcare space, which is a real shame because podio is absolutely perfect for office management of private physicians, dental offices.

Alex Shull:

I want to, I want to say something though, because I think that there is still an opportunity to leverage Podio in an environment. This doctor apparently is still leveraging Podio. Yes. In a, you know, field of health care of medical, you know, um, whatever it is, practices and the boundary into HIPAA compliant features for a doctor like this probably has to do, you know, definitely he has systems he or she interacts with that are, you know, prescription systems, hospital records, systems that use HL7 and all that kind of stuff. Those are kind of outside the boundary potentially. And then there's this crossover point where you start to say, well, I want those systems to talk together. I want to expand the flexibility of doing these things without stepping too far into the HIPAA scope. He clearly in this request wants to make more use of Podio, can't because he doesn't want to cross that boundary. He knows better. So the use of systems such as ShareFile are probably the only option available to where you can capture that data using a shared file approach and only actively leverage it. You know, with every single disclosure and requests coming in from the end user, it has to be an end user controlled interaction and that's how you get around it. And so it really, really, really limits the kind of interactions you can support.

Jarett Duker:

And keep in mind that even a person's name being in his system could represent a HIPAA violation because it is that system is associated to his practice. Someone could potentially infer that they are that a patient at his office; that is a violation. He could, he would have to, he would have to completely whitewash his podio side and only use anonymous ids for everything inside of his system. And he's probably not doing that. And again, I'm not saying it is a violation, I'm saying it could be considered a violation potentially.

Alex Shull:

What you're talking about though, it's kind of like, you know, a legal theory discussion and--It's very practical--no, no, no, it's legal theory because it hasn't actually been tested in courts where we know that these judgments would be handed down. Not against Podio specifically. Well, yeah, but I'm just saying that that's the kind of gray area we're in where yes, you're, you're expressing a frustration with the extreme potential application of this in day to day practice. People are running businesses without fearing the consequences that you're warning against. So it only matters if you get caught. Yes, exactly. So carrying forward with Podio as a system, be aware of the HIPAA compliance issues where you're clearly treading into healthcare information, people who are just running back office systems, sending out invoices, appointments, things like that where you're not actually touching into description of services where you're not actually touching into, um, you know, um, the billing of, of certain codes, all that kind of stuff. Obviously the boundary's pretty clear. Anything that you need in Podio that has to be in there beyond that boundary, it has to be in ShareFile or you have custom development, you need custom development to integrate it in with other systems that also are HIPAA compliant. Google has solutions for doing that. You could use their APIs in a fashion that maintains the compliance there. There's embedded technology available through Podio that's, that's expensive. I'm not gonna, it's not a turnkey solution like we normally refer to, but that's where you're talking.

Jarett Duker:

So I've just got a couple of more points and we'll close this up. Uh, absolutely. Alex, you are right. I would warn any of our listeners because I did research this specifically using podio as a CRM for your customers to say remember birthdays and do mailings in that it is a gray area, but you could probably, you're unlikely to be cited for it. And it's a great way for even a medical practitioner to uh, you know, increase business like a dental office that wanted to send out thank you cards or birthday cards probably. Okay. Appointments, however, being stored alongside customer information is a clear violation. I researched this very specifically, even without a description of service, the knowledge that a person has a medical appointment, you are not in the gray area anymore. So it is very restrictive in that way. And I wanted to touch on um, what, uh, the original poster mentioned, which is a business associate's agreement, which is what podio is missing in order to be fully HIPAA compliant. Uh, because from a technical layer, podio meets the federal standards for data security. However, the business associate's agreement is a statement between two parties that we could share medical information that both of them will do their utmost to protect that information to the full extent of the HIPAA requirements. This is a blanket statement that carries wide reaching liability and that's what comes, that's what we really come down to was why podio is not already fully HIPAA compliant is a liability.

Alex Shull:

Well, I, I think also it comes back to that flexibility that podio has in terms of actually being able to trace the ownership of that data back to a certain type of user of the system. In podio, there's no notion of, you know, the patient, you know, if you go into healthcare systems, patients are an identity and any health record has that identity tied to it. So you guarantee that there is a, um, you know, there's an integrity between, you know, those two. But whereas in podio...

Jarett Duker:

an app is an app, a field is a field.

Alex Shull:

Exactly where, what are you going to trace down or trace down the user id of some external user. Right. It is,

Jarett Duker:

is a hard, it's a high hurdle to cross when Podio was built for the flexibility first. Yeah.

Gil Roberts:

And, and that also kind of ignores people getting in there and then building stuff in the platform. Right? Like right. I could have a HIPAA compliant platform, I'll just say any platform that, you know, can be HIPAA compliant, but I could build a solution on top of it that like every time a new patient shows up emails the half the country that they have a dental appointment. Right. Because I'm stupid, I don't know.

Jarett Duker:

Every integration is a potential security risk and open API platforms are open API platforms.

Alex Shull:

Yeah. And that's what I did. The only way to really extend the use of Podio is to extend it through an integration with another HIPAA compliant system, but don't really leak the boundaries of that system. Use it as an embed, use it as, you know, launching that application, you know, just that. But it's not, it's a boundary where you really have to keep the data in, in its safe place.

Jarett Duker:

Well, I have a few years experience working around HIPAA. I'm far from an expert. So yeah, I'm really hoping that there are some solutions that I just haven't thought of yet because I'm very, very optimistic about Citrix, which is a security giant finding a way around this. Yeah. Yeah. Well, fair enough. Fair enough. The platform, um, I mean for us...

Gil Roberts:

Yeah, personally here at Brick Bridge, we could've had a deal with a chain of dentists offices. But because of the, the compliance issue we, we're un, we're unable to capitalize on that opportunity. So I see that. So this issue of HIPAA compliance has hit us personally here, cause that would've been a good bit of business. Um,

Alex Shull:

yeah.

Jarett Duker:

All right. I think we've, we've done this one to death and I'll, I'll, I'll, I'll rail against this one forever, but just get me, put me down.

Gil Roberts:

Can we, uh, can we say that we might pick up this HIPAA and embed technology conversation at another time? I'd say

Alex Shull:

yeah, I mean that there's a potential for that, but that will, will, we'll, yeah,

Speaker 5:

we'll probably circle around this HIPAA issue as you could tell near and dear to our hearts.

Jarett Duker:

I'm sure it will rear its head again. Yeah,

Speaker 5:

probably no shortage of that. All right, let's move on to the next one. What's a, I'm going to grab a this one, add another in quotes for date field and this came from Bethany Anderson May 30th, 2019. Again, this is the help.podio.com forums, a subject is add another with quotes for date field. I would like to see an add another option become available on the date time field. The idea would continue the current functionality by default, but in the field right click properties to add the option there. Use case examples: Uh, we track training events that are both single day and multiday. The multi-day events most often have different times setups where one day, maybe nine to five but day two is nine to one. So the dates and times would then be able to be added independently. That's one use case. Another use case, um, events that are series, for example, a three part webinar where each part is in a different month. Being able to have all three dates independently with one within one app item would be helpful. She's got a couple of other ones there, I think. I think those two use cases are really good for a, what we're going to talk about here. So add another for date fields.

Alex Shull:

well, um, right away. Um, I want to say that, um, you can already do this. You don't, I don't think that that, um, podio would benefit broadly from adding this feature directly in to the system because the flexibility they have with the current system allows you to, to build a customization that does anything you want and more, um, better than podio would do it in trying to build a more generic feature. So to give you an example, um, you were saying that she describes this, um, um, events that are a series, for example, a three part webinar where each part is in a different a month. Being able to have all three days independent with one app item would be helpful. Jarett, you, you spent, um, a good bit of time working with them. One of our clients building a really nice custom application. Can we name the client? Uh, yeah. Village capital. Yeah. And we, we have written a podio system. You and John have done a great job of building a system where through a configuration of a custom environment, you can then do an executed buildout that provides very highly, um, detailed options around calendar scheduling requirements in ways that I don't even want to get into on this program. Cause it would just take up the second half of this show, if I'm not mistaken. Still going to, it's still okay.

Jarett Duker:

We're a third tier dependencies based on a single date and collective do generate dynamic calendars for these programs. So,

Alex Shull:

and this is, this is bespoke. You're not gonna find this anywhere. You're not going to, you're not going to go into a Podio feature and be able to do this. So it has to be bespoke. What my point is of a much simpler future, a much simpler development effort. I don't want to put a hard number on this, but I think you'd be surprised how affordable it would be to hire a company like ours or any other provider out there who does custom Podio development. You could probably do a lot of this just through Globiflow. It's not ideal. I think, I think it requires something. You know where you're handling the event. You're running a little custom code, but Podio is already there for you. You just need a little design work and this, this solution, some technical, oomf. Yeah, the API, just using the API. You just need to invest, pay a developer

Gil Roberts:

to make podio do exactly what you want podio to do. Yeah, and these are some of the other use cases. It's like, oh, these are wonderful use cases. Bethany has the legitimate need here. What she's saying, it's just like this is, this is one of those points where kind of, podio shines in a sense that you've been able to get this far on podio. Now it's time to kind of open the purse strings up a little bit, get exactly what you want, still in podio and it's just like this one little deep functionality that you need to buy. You know where in olden days you're paying money for everything that's happening, right? This you're paying the cheap seat price.

Alex Shull:

I don't want to say beyond that, that there's even the reality is that the, the free JavaScript that I put out there is all you need is a single application event handler to take care of a use case like this because it's just a little, you know, minor data manipulation and um, it, it, it's, it's a,

Speaker 5:

it's a low development effort compared to the, what we deal with, you know, on a typical this is this something that you can achieve affordably. So check it out. Get a hold of someone. Yup. Excellent. Um, all right. We got a couple more. We're going to move into one that is simply labeled email campaign. Um, Sade Zane May 29th, 2019. A email campaign is possible to make an email campaign with Podio. I would like to use the contact email addresses that I have saved in my Podio and send them up to date information. Any suggestions? Question Mark. We don't have any comments here. E-Mail campaign. So from a, from what I'm hearing it's, this is kind of like an auto mailer or something very similar to maybe a MailChimp or Constant Contact, AWeber, one of the, I'm like, just do you even Zapier? Yeah. Yeah. I know for this guy, we'll, we'll, we'll drop some comments out and then of course we're going to put the links in the show description if for our listeners want to roll over there and help him out and help Sade as well. This is, yeah. I want to take this a little direction because the answer is obvious, which is use Podio, Zapier and then go get a service to do this or just write some Globiflows set on day timers.

Alex Shull:

My first question is what do you really mean? And with email campaign, because people mean different things. It sounds like you have a list of email addresses. You want to schedule something to be sent out to all of them and podio can very easily do all those things.

Jarett Duker:

A pull on date, pull a filter view of your contact list, send your custom email with a few, uh, merge fields.

Alex Shull:

Just like with any other approach, the first thing you face is you, you don't want to be a spammer, so you have to have domain sending, you know, credentials or something. Somewhere. Podio doesn't change that. It just helps you automate stuff so you know whatever you're doing. If you're doing sending out 10 million emails, well just yeah, just don't.

Gil Roberts:

AWeber is a great piece of software for like large volume campaigns with good delivery rates. I mean obviously there's MailChimp and Constant Contact as well. I want to take this in just a little bit of a different direction. Just a to add on to this, which is something we've done for other clients, which is maintain customer records over on the Podio side and then use Zapier or custom integration, whatever, whatever works for you to maintain and control the lists over in the, in your actual emailing service. So all the people signing up on your website, they first kind of stop through Podio. That way you can profile, demographic information, whatever that you're collecting on behalf of this campaign that you're doing. And then as people sign up on their Podio can talk to one of these emailing services and have better delivery rates than Globiflow that are, that are built for and designed for what you're trying to do. Yeah. And then let that mailing service actually handle all the email volume that you're trying.

Alex Shull:

One of the, there's one interesting caveat that refers back to something we discussed on our prior podcast, which is the way that, um, email services integrate. And on a prior podcast we discussed how Shopify was cutting off MailChimp because MailChimp wouldn't talk back to Shopify if there were changes in its interaction. And so in the case of an email campaign, one of the things you have to support legally is unsubscribe. So if you have a central list that you're maintaining in Podio, whatever service you use, you have to be able to extract that data at some point, update your contacts, make sure you're not, you know, sending out emails.

Jarett Duker:

No, I have not personally done it, but I fully believe that a, you could set up a two-way Zapier link that uh, on a, unsubscribe receive from MailChimp, uh, through the Podio API flag that person.

Gil Roberts:

I'm sure you can do it. The, the dispute with Shopify was the, they weren't automating it in however blah blah blah or something like that. You can put Shopify on one side, Podio in the center, MailChimp on the other side and kind of let Podio sort out the two of them. But, um, I think that for what Sade is trying to do here, I would definitely say, you know, he said send them an update. We don't really know how many people, you know, is it five, is it some employees or something or is it customers? Because the word email campaign makes me want to lean towards customers. Let's use a service that has all the compliance features already built in all the magic. They 10 again, if you're doing an email campaigns, delivery rate is so key because if they don't ever get your email, you're not getting any sales or anything. So these other services have much higher delivery rates cause they, they are super compliant. Everybody knows that, so they deliver better. Okay. I think that's a good one. All right. Last one for today. Um, create report of a number field per text field. This was submitted by Tim Miller June 29th, 2019. It did have a, a response on this, uh, from the Podio support team. They're saying he sent something, his answer on a support ticket. Let's dive into this.

Jarett Duker:

Yeah, I've misunderstood that. Let's read that again.

Speaker 5:

Yeah, so it's create report of a number field per text field. I am either missing something very obvious or Podio is missing a key feature. Is it possible to have a report that shows the number field per text field of the same item?

Jarett Duker:

Okay. I think I see his issue, which you cannot filter by text fields so it would be difficult to,

Gil Roberts:

he's got a, he's got an example here. I have staff members app, one of the fields which is a numbered calculation field shows the number of months they have worked with us. Another field is their name. I would like to have a report that shows a bar chart using Globiflow if necessary with staff members and the number of months they have worked for us. Is it possible? It seems like it's obviously simple, but I can't work it out for the life of it.

Jarett Duker:

Nope. It is not obvious.

Gil Roberts:

Yeah. And, and support came back and said, hey, apparently it's--Tim put a support ticket in and they responded to him over there so we don't get the benefit of that response.

Jarett Duker:

But I can probably break this down and I can give him an easy solution to it. Um, the issue is text fields are free form and what he's trying to do is use the Podio indexing system, which is what generates reports also to do an if this, then that to get it. Text fields don't work that way. Relationship fields, however, do. So instead of using just the text field of the person's name, if you had a card that was the people's names, um, you could then do a for each through that relationship field and get it. It just can't be a text field. You have to represent the person's name as an entity inside of Podio and not just a string of characters. So make a staff member card in another app and then relate it to his report, then assign it and then you can for each through the related fields and get exactly what he wants. Exactly. And I think the Globiflow like widget reports thing that he's talking about there should pull all that. He can probably do it through, with a view. Yep. You should be able to. Um, I've not tried it. A relationship fields have a few special rules that say a category fields don't have the most, the easiest thing to deal with. But at the very least, yeah. Or I could build an HTML table using Globiflow in just a few minutes. So yeah. And then I think the Globiflow widgets will be able to pull that stuff better. Absolutely. Yeah. But this, this goes back to that, just limitations and indexing that we've talked about a few times before.

Alex Shull:

Yeah, sure. So, yeah, just a appreciate a response back if that did address your issue because um, it's not totally clear to me that we did, but what we talked about was a is actually a good thing to know anyway, having and understanding how that works. So

Gil Roberts:

excellent. That is four gaps down for this episode. Um, we actually have some more in the queue that I think we might get to next week. We might do back to back gaps episodes. We want to be at five in on the season before or at the end of the season so we only have so much time to do it. Uh, otherwise than that we'd like to hear any more gaps that you guys have. We've just been scrolling through the community forums, looking through some of the user forums and just pulling gaps as we find them, uh okay. I think we're good for today, gentlemen, so appreciate everybody listening in. Hopefully some of those gaps gave you guys some value for food for thought, for maybe some of the problems that you're having. Lastly, definitely, definitely, definitely hit us up on Facebook, LinkedIn, Twitter. If you have any gaps of your own, you can also send an email or Podio message to podcast@brickbridgeconsulting.com otherwise than that, you have a great rest of your week. Thank you so much. Thank you. Thanks. Subscribe!

Speaker 6:

Music Outro