If you work in the healthcare field, there’s a good possibility that you should be using HIPAA-compliant email and web forms. But what does...
Do HIPAA email disclaimers work?
Think a HIPAA email disclaimer makes you HIPAA compliant? Think again. Disclaimers won’t prevent fines and investigations.
Are you relying on a HIPAA email disclaimer to protect your practice?
Would you like to know if they really work?
A lot of practitioners think that a carefully worded block of text at the bottom of their emails makes them HIPAA compliant. And no wonder! If you search “HIPAA email disclaimer,” you’ll find plenty of articles telling you that you absolutely must have one.
But here’s a dirty little secret…
They do nothing to make you HIPAA compliant.
Let’s find out why they don’t do any good and what you can do instead to make sure you’re not committing unintentional HIPAA violations.
What’s a HIPAA disclaimer?
A HIPAA disclaimer is a block of text at the bottom of an email. It lets the recipient know that the email might contain protected health information (PHI) that needs to be handled with care.
An example of a HIPAA disclaimer (that could make things worse)
The information contained in this transmission is privileged and confidential and/or protected health information (PHI) and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA). This transmission is intended for the sole use of the individual or entity to whom it is addressed. If you are not the intended recipient, you are notified that any use, dissemination, distribution, printing or copying of this transmission is strictly prohibited and may subject you to criminal or civil penalties. If you have received this transmission in error, please contact the sender immediately by replying to this email and deleting this email and any attachments from any computer.
The disclaimer above looks official. It mentions HIPAA. It threatens criminal or civil penalties.
But it doesn’t actually do anything.
In fact, it can make things worse.
Disclaimers threatening penalties can scare people and discourage them from doing the right thing. What’s the right thing? Letting you know that you made a mistake. After all, they did nothing wrong.
Also, disclaimers encouraging the recipient to reply to the email are a terrible idea. You might accidentally reply to “all” and send that PHI to the wrong people yet again.
There are much better ways to protect your clients’ information while supporting your compliance.
What to use instead of HIPAA disclaimers
If HIPAA disclaimers don’t protect you, what does?
Business associate agreements (BAAs) are a crucial part of ensuring that you’re HIPAA compliant.
A BAA is a signed document between you and a service provider, like your email service. If that service provider comes in contact with PHI, you need to have a signed BAA with them.
In signing the BAA, the service provider takes on the responsibility of keeping your clients’ confidential information safe. This is a HIPAA requirement.
Request for non-secure email communication
Even if you use a secure email service that comes with a BAA, some clients might not want it.
And that’s fine.
Just make sure you have them sign a Request for non-secure email communication form informing them of the risks. That way, you’re covered if an email is compromised.
However, keep in mind that even if your clients sign one of these forms, you still need to have a BAA with your email provider.
"A request for non-secure communication from a client does not obviate the need for a BAA with the service provider that is handling those non-secure communications," says Liath Dalton, director of Person Centered Tech, a company that helps therapists understand tech and security. "If you don't have a BAA with the service providers handling PHI, that's a violation of HIPAA requirements and is not compliant – regardless of the request for non-secure communications."
Good email etiquette
The third thing you need is good email etiquette. You can sign up for a HIPAA-compliant email service and get your non-secure communication forms signed, but…
None of that matters if you’re not careful with your email messages.
Good email etiquette means paying attention to what you’re doing and not making mistakes that could compromise your clients’ information.
Find out by signing up for our guide, “6 tips to make sure your emails are truly HIPAA compliant.”
If you still want to use a HIPAA disclaimer
Alright, so now you know that a HIPAA disclaimer doesn’t do anything to make you HIPAA compliant. Are there any reasons you might want to use one anyway?
Yes, a couple.
But realize that using a disclaimer in these cases just adds a little extra heft to your overall precautions. They won’t actually protect you from investigations or fines if something goes wrong.
Disclaimers raise awareness
It’s crucial to be mindful of protecting PHI. HIPAA disclaimers that are attached to every email act as one more reminder to be careful. Can you really have too many reminders?
Disclaimers remind recipients to be careful too
Disclaimers inform your recipients that PHI might be in the email and to be cautious when they reply. However, the disclaimer only informs the recipient. It doesn’t relieve you of the responsibility to keep their information safe.
So, yes, it’s fine to keep using a HIPAA disclaimer if you feel better seeing it at the bottom of your emails. As long as you follow a few guidelines…
Guidelines for using a HIPAA disclaimer
Don’t threaten legal action
First of all, this is an empty threat, so why make it? Also, scary threats might stop someone from doing what you need them to do – report a mistake that could compromise your client’s PHI.
“You might be tempted to threaten legal action if the wrong recipient doesn’t report the incident or mishandles the PHI,” says Steve Youngman, Vice President of Legal, Hushmail. “But you’re not actually in a position to do anything. In fact, if anyone’s going to be subject to penalties, it’s going to be you for not protecting the PHI in the first place.”
Provide a phone number
Instead of requesting a reply to the email, give the recipient your phone number. If you accidentally sent an email to the wrong person, you don’t want them to send it back out into the online world. You want them to delete the message and let you know what happened with a phone call.
Example of a good “HIPAA” disclaimer:
The information contained in this transmission is privileged and confidential and/or protected health information (PHI) and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA). This transmission is intended for the sole use of the individual or entity to whom it is addressed. If you are not the intended recipient, you are notified that any use, dissemination, distribution, printing or copying of this transmission is strictly prohibited. If you have received this transmission in error, please contact the sender at (XXX) XXX-XXXX immediately and delete this email and any attachments from any computer.
If you use this disclaimer, make sure you also use a HIPAA-compliant email provider that comes with a signed BAA.
If you send non-secure emails to a client upon their request, make sure they sign a Request for non-secure email communication. The form should clearly explain what it means to communicate in a non-secure manner and the risks involved.
Be sure to get a signature so you have proof that your client understands and agrees to communicate this way.
The bottom line on HIPAA email disclaimers
Whether or not you decide to use a disclaimer, find a HIPAA-compliant email provider like Hushmail for Healthcare.
Hushmail comes with a signed BAA that promises it will always handle your clients’ PHI with care.
Hushmail also provides templates for a variety of practice forms, such as the Request for non-secure email communication, and gives you the option to add e-signatures to your plan.
With Hushmail for Healthcare, you’re covered when it comes to HIPAA-compliant email. No disclaimer needed.