If you conduct any business online, especially a healthcare practice, you know how important it is to have well-considered security measures in place. Not just because HIPAA requires them, but because security is crucial to the peace of mind of yourself and your clients, as well as the integrity of your practice. However, managing a highly functional, efficient practice is important as well. Is it possible to have both security and functionality for your practice?
The answer is yes. In fact, security and functionality are intrinsically linked. The most secure way of doing something can also be the most functional, as long as you keep several guidelines in place. Here’s how you can assure yourself and your clients of a secure and functional practice.
A secure contact form – security and functionality intrinsically linked
One very good example of how security and functionality can not just coexist but support one another is a secure contact form on your website. As we’ve discussed before on our blog, many therapists use a typical, unsecured web form on their website and do their best to limit the sensitive information that comes through it by asking for only the basics – name, phone number, and maybe a brief comment in a limited text field.
This is unfortunate for two reasons. Although the therapists are attempting to do the right thing by limiting the information that’s sent unsecured, from a HIPAA standpoint, even a name and phone number sent through a form that isn’t secure can be considered a violation. Additionally, it would be more beneficial for the therapist to be able to collect more information on the contact form. The more you know about your potential clients, the better you can identify those who are the best fit for your practice. A secure contact form removes the need to limit the sensitivity of the information you collect, making the information more useful. This is a case of security directly improving efficiency.
A secure contact form also establishes trust with clients from the very beginning and, overall, optimizes and simplifies the intake process.
Primary security concerns to keep in mind
There is a balance that must be maintained between security and functionality. Too much of one or the other and the balance is thrown off, which is detrimental to your practice. Here are the ingredients for maintaining equilibrium between the two. You might find you need to tweak a few to get the perfect combination for your practice, but this is a very good place to start.
Make sure you have BAAs
A Business Associate Agreement (BAA) is a signed document that affirms a third-party service provider's willingness to accept responsibility for the safety of your clients' PHI, maintain appropriate safeguards, and comply with HIPAA requirements when they handle PHI on your behalf. Having one of these on file for every third-party service you use, such as your billing service, email service, and online fax service, to name a few, goes a long way toward ensuring your HIPAA compliance. Not all services offer a BAA, and some charge a great deal for one (see more about that below), so make sure you understand exactly what is offered and choose your services accordingly.
Subscribe to services that use encryption
If a service provides you with a BAA, most likely they’re using some sort of encryption. TLS is the widely used cryptographic protocol that secures messages in transit only. Some services, such as Hushmail, also use OpenPGP encryption, which secures messages in transit and in storage, providing greater security than TLS alone. By using both of these encryption methods, you can be confident that your client conversations will remain private.
Not all services provide encryption in storage, however, and this will have to be a decision you make weighing security (how much you need to be comfortable) with functionality (ease of use and affordability).
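The following Go model is an added illustration, not Hushmail's code and not real TLS or OpenPGP: AES-GCM stands in for both the transport layer and the content layer so you can see what the mail provider ends up storing in each case. The keys and the sample message are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)
// Added model (not Hushmail's code): AES-GCM stands in for both TLS and OpenPGP so the
// difference in what the provider stores is visible; keys are constructed 16-byte AES keys.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// seal returns nonce||ciphertext; open reverses it and fails under any other key.
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, plaintext, nil)
}

func open(key, blob []byte) ([]byte, error) {
	g := gcm(key)
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// ProviderStoresTLSOnly returns what lands on the provider's disk when only transport
// encryption is used: the provider is the TLS endpoint, so it decrypts and stores plaintext.
func ProviderStoresTLSOnly(transportKey, msg []byte) ([]byte, error) {
	return open(transportKey, seal(transportKey, msg))
}

// ProviderStoresEndToEnd models OpenPGP-style content encryption: the message is encrypted
// for the recipient before transport, so the provider strips only the outer layer.
func ProviderStoresEndToEnd(transportKey, recipientKey, msg []byte) ([]byte, error) {
	return open(transportKey, seal(transportKey, seal(recipientKey, msg)))
}
// Exposed reports whether a stored copy contains the message text in the clear.
func Exposed(stored, msg []byte) bool { return bytes.Contains(stored, msg) }
```

With transport encryption alone the stored copy is readable by anyone with access to the provider's storage; with content encryption only the holder of the recipient key can open it.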
Extra layers of protection to consider
You might also want to consider adding a few extra security features if you feel you can do so without compromising functionality.
- Two-step verification – also called two-factor authentication, two-step verification is an extra layer of protection that you can put in place for many services. It requires you to verify your identity using two different methods when signing in to an account from a new computer or device. Not all services offer two-step verification, but it’s worth finding out if they do. Accounts that you might want to protect with two-step verification include email accounts, your EHR or other practice management service, and any cloud-based service that stores client or practice information. You can easily turn it on for your Hushmail account by going to your account settings.
- Security questions – a security question is usually a question you compose that only your client knows the answer to, most likely used once when first establishing communication. The question helps verify your recipient’s identity and ensure you’re using the correct address. In Hushmail, you’re prompted to create an optional security question the first time you send an encrypted email to a client.
Functionality and efficiency
There are several things you’ll want to require for your practice to ensure its functionality and efficiency coexist with your security measures.
When you shop around for secure services, you’ll find that there is a wide range of prices. Many services charge extra for a BAA, for example. Quite a bit extra, in some cases. Others recognize that this document, and the inherent acknowledgement and acceptance of responsibility, doesn’t have to command such a high premium. Hushmail includes a BAA with all Hushmail for Healthcare plans, which start at $11.99/month.
Convenient for your clients
Services have to be convenient for both you and your clients to use. What this means will differ according to the service. One example is Hushmail email, which remains secure even if your client doesn’t have a Hushmail account. Instead, they’re directed to a secure message center that they can use for the duration of your relationship once they establish a password.
Also, for in-person practices, be sure to pay attention to the privacy of your patients from the moment they walk in your door. For example, when your patients check in, having them write their name in a paper logbook (which is easily scanned by other wandering eyes) or say their name out loud to a receptionist can be uncomfortable. Instead, consider a digital visitor system that allows for discreet check-in and provider notification.
Easy-to-use features with the health care practitioner in mind
It’s a good idea to look closely at the extra features that are included with a secure service. Practice management software, such as TheraPlatform, might also include telehealth. And Hushmail isn’t just a secure email service, but also provides secure, customizable web forms and e-signatures, among other useful features, such as aliases and Hushmail for iPhone.
Great Customer Care
Fast, efficient customer care is perhaps the most important requirement from a functionality standpoint. When problems come up, it needs to be easy for you to make contact and get an answer quickly. At Hushmail, we’ve made prompt, reliable, and pleasant Customer Care experiences a priority, and we’ve found that it makes all the difference in helping our customers get the most out of their accounts.
Need a functional and secure email and web form solution?