If you work in the healthcare field, there’s a good possibility that you should be using HIPAA-compliant email and web forms. But what does...
A non-intimidating guide to HIPAA-compliant email for therapists
Everything you need to know about HIPAA-compliant email and how to choose a secure email service for your therapy practice.
Does the thought of HIPAA give you heartburn as a therapist?
How about “HIPAA-compliant email?”
If just thinking about HIPAA rules and email gives you anxiety, you’re not alone. There’s a lot of confusion around what HIPAA-compliant email is and how to use it.
What’s a therapist to do?
In this non-intimidating guide, we’ll explain everything you need to know about HIPAA-compliant email. What it is, who needs it, and the risks if you don’t use it. Then we’ll wrap it all up with a chart comparing several popular email services and a handy FAQ.
After reading this guide, you’ll know how to choose a HIPAA-compliant email service that’s perfect for your therapy practice.
Do all therapists need to use HIPAA-compliant email?
The short answer is “yes.” If you use email as a therapist, it should be HIPAA compliant.
Secure online communication is key to running a responsible, reputable practice. It lowers the risk of being audited or fined. Most importantly, it keeps your clients’ sensitive information safe.
Technically, you’re only required to follow HIPAA’s guidelines for communicating electronic health information if you’re a “covered entity.” That’s anyone who accepts health insurance.
A Covered Entity is a health care provider such as a:
… if they electronically send information that’s connected with financial or administrative activities related to healthcare (i.e., insurance claims).
However, if you’re not a covered entity, you should still strive to comply with HIPAA for professional and ethical reasons.
As Rob Reinhardt, CEO of Tame Your Practice, advises, “Even if you aren't technically a covered entity under HIPAA, it's still important to be mindful of digital security. First, our codes of ethics require that we protect our clients' privacy and imply that we should follow accepted standards. Further, most states now have data privacy laws that have requirements similar to HIPAA. In short, it's imperative for all mental health professionals to be taking all reasonable steps to secure client information and communications.”
What exactly is HIPAA-compliant, secure email?
HIPAA-compliant email meets the HIPAA requirements for safe electronic communication of protected health information (PHI). We’ll explain PHI in more depth later on.
The HIPAA Security Rule explains the steps you need to take to determine what safe online communication means for your practice. The rule requires you to:
- Assess the risk of using email (or other online form of communication)
- Identify options for protecting PHI
- Choose a solution
- Document your decision
Ultimately, it’s up to you how you protect your clients’ information, which is nice, but…
It’s a little intimidating having to make the right choice without more specific guidance. That’s where encryption comes in.
What is encryption?
Encryption is a method used to make information unreadable to anyone other than the intended recipients.
Computers do this by scrambling the information into a secret code while only telling the recipient how to decode it. This means that if anyone else gets hold of the information while it’s encrypted, it won’t make any sense to them.
For a more technical explanation, read about how to use Hushmail encryption to support your practice.
The Security Rule mentions encryption as “an addressable implementation specification.” This means that if it’s reasonable to use encryption, you should. Or carefully document why you haven’t.
Encryption and HIPAA compliance
While HIPAA doesn’t explicitly require encryption, it’s a best practice for meeting its standards. However, not all encryption is equal. It’s important to consider when a service is encrypting your email.
Is it encrypting your email on its way to your client but not in your client’s inbox?
When your client sends back a reply, is that encrypted?
Many secure email providers claim to encrypt email when it’s moving from sender to recipient and back again. But that only happens if both sides support encryption. That’s not always the case.
According to Hushmail Chief Technical Officer Brian Smith, “Many providers also claim to encrypt email when it’s in your inbox. This might be true, but it doesn’t say whether or not your recipient is also encrypting the message in their inbox. A private message center keeps the message in one secure location where it can be replied to and stored securely.”
What is a Private Message Center?
A private message center is a secure web page where your clients can read and respond to your encrypted emails. Even if they don’t have an encrypted email service themselves.
Sending and receiving messages through a message center is a lot like email. Email addresses are used. You can reply and send attachments. The big difference is that the messages are kept within the private message center where they’re encrypted and safe.
The best way to ensure your emails are encrypted all the time is to use a service that offers a private message center.
What are the risks of using regular email to communicate PHI?
You’re taking a risk if you send and receive PHI online without any kind of protection.
PHI is information that could identify an individual and relates to:
- the individual’s past, present, or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual.
You can find more information about what PHI is in the Summary of the HIPAA Privacy Rule from the US Department of Health & Human Services (HHS).
Can’t I just use a “HIPAA” disclaimer?
HIPAA disclaimers are those blocks of text in italics at the bottom of an email warning that “this message is private and might contain PHI.” Some disclaimers advise you to alert the sender if the message wasn’t meant for you.
Example of a HIPAA disclaimer:
These disclaimers do nothing to ensure HIPAA compliance. In fact, they can make things worse by encouraging you to reply, sending the PHI out into unsecure cyberspace again.
Common email problems faced by therapists
As a healthcare provider, you probably communicate with your clients in all sorts of ways, many of them online.
You might be surprised by what needs to be secure and what doesn’t…
- Appointment reminders don’t have to be secure as long as you state in your Notice of Privacy Practices (NPP) that you send them out, and clients can opt out if they choose. Just make sure the appointment reminders are limited to only the necessary information.
What is an NPP?
An NPP lets your clients know how you’re going to use and disclose their health information. You can read all about NPPs here.
- Newsletters can be sent using regular email as long as they don’t contain PHI or identify the recipients as clients.
- “Email me” forms on directory websites, such as Psychology Today, are popular with therapists. But did you know they’re not secure? These forms can present a problem when a prospective client sends you sensitive information, not knowing it’s vulnerable. Instead, a solution is to direct people to a secure form on your website.
So do all emails have to be secure?
Not all emails. You can send emails that don’t contain PHI using regular email.
Clients can also request that you send them regular emails even if they contain PHI. For this, you must get them to sign a “request for non-secure email communication” form and file it with their health record. The form gives your client the option to use or not use non-secure communications and informs them of the risks.
What if you’re using email that’s not HIPAA compliant?
Here’s what you can expect if someone files a complaint against your practice:
The key to HIPAA-compliant email for therapists
Encrypted, HIPAA-compliant email is a key component of keeping your clients’ information safe. However, it’s ultimately up to you to ensure your emails are secure. We’ve put together six practical tips that will help prevent mistakes that could undo your security measures.
Subscribe to our newsletter by entering your information below... and we’ll send the six tips straight to your inbox.
What to look for in a HIPAA-compliant email provider
Affordable and secure email
Look for an affordable service. However, don’t forget to factor in the fines you might incur if you don’t keep your clients’ information safe. Consider this laboratory that was audited and found guilty of not conducting a risk assessment and implementing the necessary safeguards. They received a $25,000 fine. You might decide that protecting yourself against such a penalty, not to mention two or three years of monitoring by HHS, is well worth the cost of a reliable, secure email service.
A BAA is crucial
A HIPAA-compliant email service will provide you with a signed business associate agreement (BAA). This document is needed to affirm the email service’s willingness to accept responsibility for the safety of your clients' PHI. With a BAA, you can feel confident that they’ll protect the PHI and comply with HIPAA requirements. Look for a service that not only provides a BAA but allows you to sign it electronically for free.
Find the right email encryption
Look for encryption that protects your emails through their entire lifecycle. As explained before, a private message center is one of the best ways to make sure the message is encrypted at all times. If you’re considering an email service that doesn’t offer this, make sure it encrypts your emails on their way to your recipient and back to you when they reply, and keeps them encrypted in your inbox and theirs.
There are times when you might need to access your emails quickly. For example, if a client or court asks for particular records or evidence of an interaction. A built-in email archive provides easy access to every conversation and record you exchanged. Also, it’s a HIPAA requirement.
HIPAA requires that you retain emails containing the following for six years:
Secure email that’s easy to use
Spend some time testing out a service as both the sender and receiver. There might be some extra steps when you use a private message center, but they should be simple and well communicated. For example, take a look at what clients experience when they use Hushmail’s private message center.
Excellent Customer Care
Don’t forget the importance of support that’s accessible and helpful. Having an expert walk you through issues can make all the difference. And you shouldn’t expect to pay extra for this help either.
Look for additional features such as forms
Some email providers offer more than just email.
For example, as a therapist, you likely use intake forms, informed consent forms, and health questionnaires. Instead of sending PDFs or using paper forms, email providers like Hushmail give you web forms to use instead.
These web forms serve the same purpose as PDF forms, but they’re secure, easier to read, and can be filled out from anywhere. You can even get them signed electronically by your clients.
By choosing a provider that offers more than just email, you’ll get more bang for your buck.
A comparison of 5 encrypted email services
|Hushmail for Healthcare||Google Workspace||Paubox||Virtru||Microsoft 365 Business Premium (Outlook)|
|Basic email encryption||✅||✅||✅||✅||✅|
|Private message center||✅||❌1||✅||✅||✅|
|Free designated customer success team||✅||❌||❌||❌||❌|
|Secure healthcare form templates||✅||❌||❌||❌||❌|
|Cost||Starts at $9.99/month||Starts at $6/month||Starts at $29/month||Starts at $79/month||Starts at $20/month|
Frequently Asked Questions About HIPAA-Compliant Email For Therapists
But isn’t regular Gmail supposed to be HIPAA compliant now?
Regular Gmail is not HIPAA compliant. You might hear that Gmail uses encryption. It does, but only when the email is traveling between and stored in the inboxes of Gmail users. If you send an email to someone who doesn’t use Gmail, you have no guarantee that the email will be encrypted. Regular Gmail also doesn’t provide a BAA which is necessary for HIPAA compliance.
Will HIPAA-compliant email be difficult for my clients to use?
A secure email service with a private message center might require your clients to take an extra step (such as creating a password) to read your emails. However, this step shouldn’t be difficult. Also, keep in mind that the extra step is there to ensure your emails are as secure as possible.
If I use a HIPAA-compliant email service, are all my emails automatically secure and HIPAA compliant?
Not necessarily. If you’re confused about this, however, you’re not alone. Consider the puzzlement from one therapist unclear about how Hushmail makes their emails secure and HIPAA compliant:
What was confusing to Dr. Berchick confuses a lot of practitioners. There’s no one way to make email HIPAA compliant, and ultimately, it’s your responsibility to ensure the safeguards are in place.
A HIPAA-compliant email service is an excellent foundation for your compliance. However, it’s up to you to:
- Ensure encryption is enabled
- Leave PHI out of the subject line (subject lines usually aren’t encrypted)
- Send the email to the right email address
If I switch to a HIPAA-compliant email service, will I lose all of my old emails?
Most HIPAA-compliant email services make it easy for you to move your emails over from your old service by providing instructions. Or some services like Hushmail can also move them over for you for a small fee.
Are attachments, such as practice forms, secure if I use a HIPAA-compliant email service?
Attachments are usually secure. However, if you use an encrypted email service like Hushmail that also provides secure web forms, you won’t have to attach your forms. Instead your clients can fill out their information online and send it securely back to you. This is much easier than having to print, fill out, scan and attach PDFs.
Hushmail for Healthcare gives therapists what they need
Hushmail is easy to use
Made for healthcare professionals
Hushmail for Healthcare is an email and web form service that’s uniquely tailored to your work as a therapist. Notice how we have:
- Healthcare specific web form templates
- A website that talks to you specifically (take a look at our testimonials!)
- A Customer Care team trained to understand the unique requirements of your job
Personalized customer support
At Hushmail, our Customer Success team holds your hand as you get started with your new account. The minute you sign up, you have a dedicated team behind you to make sure everything is set up correctly. You’ll get the most out of your Hushmail plan from the very start.
Last thoughts about HIPAA-compliant email
If you’re a therapist who uses email to communicate with your clients, you need to use a HIPAA-compliant email service. Choosing a service doesn’t have to be complicated. Find one that provides a private message center that encrypts your emails to and from your clients even if they don’t have encryption themselves. Decide what additional features you need, such as intake form templates and e-signatures. And make sure you get a signed BAA.
Then be sure to use your new email service correctly to protect your clients’ sensitive information.