The Best HIPAA-Compliant Email Providers For Small Practices
HIPAA-compliant email providers to keep client messages and information secure. Find the best solution for your needs and budget with our detailed...
Everything you need to know about HIPAA-compliant email and how to choose a secure email service for your therapy practice.
Does the thought of HIPAA give you heartburn as a therapist?
How about “HIPAA-compliant email?”
If just thinking about HIPAA rules and email gives you anxiety, you’re not alone. There’s a lot of confusion around what HIPAA-compliant email is and how to use it.
What’s a therapist to do?
In this non-intimidating guide, we’ll explain everything you need to know about HIPAA-compliant email. What it is, who needs it, and the risks if you don’t use it. Then we’ll wrap it all up with a chart comparing several popular email services and a handy FAQ.
After reading this guide, you’ll know how to choose a HIPAA-compliant email service that’s perfect for your therapy practice.
The short answer is “yes.” If you use email as a therapist, it should be HIPAA compliant.
Secure online communication is key to running a responsible, reputable practice. It lowers the risk of being audited or fined. Most importantly, it keeps your clients’ sensitive information safe.
Technically, you’re only required to follow HIPAA’s guidelines for communicating electronic health information if you’re a “covered entity.” That’s anyone who accepts health insurance.
A Covered Entity is a health care provider such as a:
… if they electronically send information that’s connected with financial or administrative activities related to healthcare (i.e., insurance claims).
However, if you’re not a covered entity, you should still strive to comply with HIPAA for professional and ethical reasons.
As Rob Reinhardt, CEO of Tame Your Practice, advises, “Even if you aren't technically a covered entity under HIPAA, it's still important to be mindful of digital security. First, our codes of ethics require that we protect our clients' privacy and imply that we should follow accepted standards. Further, most states now have data privacy laws that have requirements similar to HIPAA. In short, it's imperative for all mental health professionals to be taking all reasonable steps to secure client information and communications.”
HIPAA-compliant email meets the HIPAA requirements for safe electronic communication of protected health information (PHI). We’ll explain PHI in more depth later on.
The HIPAA Security Rule explains the steps you need to take to determine what safe online communication means for your practice. The rule requires you to:
Ultimately, it’s up to you how you protect your clients’ information, which is nice, but…
It’s a little intimidating having to make the right choice without more specific guidance. That’s where encryption comes in.
What is encryption?
Encryption is a method used to make information unreadable to anyone other than the intended recipients. Computers do this by scrambling the information into a secret code while only telling the recipient how to decode it. This means that if anyone else gets hold of the information while it’s encrypted, it won’t make any sense to them. For a more technical explanation, read about how to use Hushmail encryption to support your practice.
The Security Rule mentions encryption as “an addressable implementation specification.” This means that if it’s reasonable to use encryption, you should. Or carefully document why you haven’t.
While HIPAA doesn’t explicitly require encryption, it’s a best practice for meeting its standards. However, not all encryption is equal. It’s important to consider when a service is encrypting your email.
Is it encrypting your email on its way to your client but not in your client’s inbox?
When your client sends back a reply, is that encrypted?
Many secure email providers claim to encrypt email when it’s moving from sender to recipient and back again. But that only happens if both sides support encryption. That’s not always the case.
According to Hushmail Chief Technical Officer Brian Smith, “Many providers also claim to encrypt email when it’s in your inbox. This might be true, but it doesn’t say whether or not your recipient is also encrypting the message in their inbox. A private message center keeps the message in one secure location where it can be replied to and stored securely.”
What is a Private Message Center?
A private message center is a secure web page where your clients can read and respond to your encrypted emails, even if they don’t have an encrypted email service themselves. Sending and receiving messages through a message center is a lot like email. Email addresses are used. You can reply and send attachments. The big difference is that the messages are kept within the private message center where they’re encrypted and safe.
The best way to ensure your emails are always encrypted is to use a service that offers a private message center.
You’re taking a risk if you send and receive PHI online without any kind of protection.
PHI is information that could identify an individual and relates to:
You can find more information about what PHI is in the Summary of the HIPAA Privacy Rule from the US Department of Health & Human Services (HHS).
Sending PHI to your client using regular email, such as regular Outlook or regular Gmail, is like sending their most sensitive information on a postcard. Don’t do it!
HIPAA disclaimers are those blocks of text in italics at the bottom of an email warning that “this message is private and might contain PHI.” Some disclaimers advise you to alert the sender if the message wasn’t meant for you.
Example of a HIPAA disclaimer:
These disclaimers do nothing to ensure HIPAA compliance. In fact, they can make things worse by encouraging you to reply, sending the PHI out into unsecure cyberspace again.
As a healthcare provider, you probably communicate with your clients in all sorts of ways, many of them online.
You might be surprised by what needs to be secure and what doesn’t…
What is an NPP?
An NPP lets your clients know how you’re going to use and disclose their health information. Learn more: "Notice of Privacy Practices (NPP): What Small Healthcare Practices Need to Know"
Not all emails. You can send emails that don’t contain PHI using regular email.
Clients can also request that you send them regular emails even if they contain PHI. For this, you must get them to sign a “request for non-secure email communication” form and file it with their health record. The form gives your client the option to use or not use non-secure communications and informs them of the risks.
Here’s what you can expect if someone files a complaint against your practice:
Encrypted, HIPAA-compliant email is a key component of keeping your clients’ information safe. However, it’s ultimately up to you to ensure your emails are secure. We’ve put together six practical tips that will help prevent mistakes that could undo your security measures.
Subscribe to our newsletter by entering your information below... and we’ll send the six tips straight to your inbox.
Look for an affordable service. However, don’t forget to factor in the fines you might incur if you don’t keep your clients’ information safe. Consider this laboratory that was audited and found guilty of not conducting a risk assessment and implementing the necessary safeguards. They received a $25,000 fine. You might decide that protecting yourself against such a penalty, not to mention two or three years of monitoring by HHS, is well worth the cost of a reliable, secure email service.
A HIPAA-compliant email service will provide you with a signed business associate agreement (BAA). This document is needed to affirm the email service’s willingness to accept responsibility for the safety of your clients' PHI. With a BAA, you can feel confident that they’ll protect the PHI and comply with HIPAA requirements. Look for a service that not only provides a BAA but allows you to sign it electronically for free.
Look for encryption that protects your emails through their entire lifecycle. As explained before, a private message center is one of the best ways to make sure the message is encrypted at all times. If you’re considering an email service that doesn’t offer this, make sure it encrypts your emails on their way to your recipient and back to you when they reply, and keeps them encrypted in your inbox and theirs.
There are times when you might need to access your emails quickly. For example, if a client or court asks for particular records or evidence of an interaction. A built-in email archive provides easy access to every conversation and record you exchanged. Also, it’s a HIPAA requirement.
HIPAA requires that you retain emails containing the following for six years:
Spend some time testing out a service as both the sender and receiver. There might be some extra steps when you use a private message center, but they should be simple and well communicated. For example, take a look at what clients experience when they use Hushmail’s private message center.
Don’t forget the importance of support that’s accessible and helpful. Having an expert walk you through issues can make all the difference. And you shouldn’t expect to pay extra for this help either.
Some email providers offer more than just email.
For example, as a therapist, you likely use intake forms, informed consent forms, and health questionnaires. Instead of sending PDFs or using paper forms, email providers like Hushmail give you web forms to use instead.
These web forms serve the same purpose as PDF forms, but they’re secure, easier to read, and can be filled out from anywhere. You can even get them signed electronically by your clients.
By choosing a provider that offers more than just email, you’ll get more bang for your buck.
A comparison of 5 encrypted email services

| | Hushmail for Healthcare | Google Workspace | Paubox | Virtru | Microsoft 365 Business Premium (Outlook) |
| --- | --- | --- | --- | --- | --- |
| BAA | ✅ | ✅ | ✅ | ✅ | ✅ |
| Basic email encryption | ✅ | ✅ | ✅ | ✅ | ✅ |
| Private message center | ✅ | ❌1 | ✅ | ✅ | ✅ |
| Built-in archive | ✅ | ❌ | ❌ | ❌ | ✅ |
| Free designated customer success team | ✅ | ❌ | ❌ | ❌ | ❌ |
| Secure healthcare form templates | ✅ | ❌ | ❌ | ❌ | ❌ |
| E-signatures | Optional | ❌ | ❌ | ❌ | ❌ |
| Cost | Starts at $11.99/mo | Starts at $7.20/mo | Starts at $38/mo | Starts at $119/mo | Starts at $20/mo |
Regular Gmail is not HIPAA compliant. You might hear that Gmail uses encryption. It does, but only when the email is traveling between and stored in the inboxes of Gmail users. If you send an email to someone who doesn’t use Gmail, you have no guarantee that the email will be encrypted. Regular Gmail also doesn’t provide a BAA which is necessary for HIPAA compliance.
It doesn't have to be. A secure email service with a private message center, like Hushmail, is simple to use and ensures the privacy of your conversations. Clients who use traditional email services can sign in to Hushmail's private message center using their Google, Apple, or Microsoft accounts, or create a passphrase, to exchange secure messages and web forms with you.
Not necessarily. If you’re confused about this, however, you’re not alone. Consider the puzzlement from one therapist unclear about how Hushmail makes their emails secure and HIPAA compliant:
What was confusing to Dr. Berchick confuses a lot of practitioners. There’s no one way to make email HIPAA compliant, and ultimately, it’s your responsibility to ensure the safeguards are in place.
A HIPAA-compliant email service is an excellent foundation for your compliance. However, it’s up to you to:
Most HIPAA-compliant email services make it easy for you to move your emails over from your old service by providing instructions. Or some services like Hushmail can also move them over for you for a small fee.
Attachments are usually secure. However, if you use an encrypted email service like Hushmail that also provides secure web forms, you won’t have to attach your forms. Instead, your clients can fill out their information online and send it securely back to you. This is much easier than having to print, fill out, scan, and attach PDFs.
Hushmail for Healthcare is an email and web form service that’s uniquely tailored to your work as a therapist. Notice how we have:
At Hushmail, our Customer Success team holds your hand as you get started with your new account. The minute you sign up, you have a dedicated team behind you to make sure everything is set up correctly. You’ll get the most out of your Hushmail plan from the very start.
If you’re a therapist who uses email to communicate with your clients, you need to use a HIPAA-compliant email service. Choosing a service doesn’t have to be complicated. Find one that provides a private message center that encrypts your emails to and from your clients even if they don’t have encryption themselves. Decide what additional features you need, such as intake form templates and e-signatures. And make sure you get a signed BAA.
Then be sure to use your new email service correctly to protect your clients’ sensitive information.