HIPAA rules and how they apply during the pandemic

Published on April 30, 2020


A few weeks ago, Hushmail Technical Account Manager Jarred Bolen had the pleasure of speaking with Curt Widhalm and Katie Vernoy of Therapy Reimagined on their podcast The Modern Therapist’s Survival Guide.

He answered a lot of the questions therapists have these days about HIPAA rules, and how they apply to using email and other online services to communicate with clients during the pandemic. 

Here’s a brief overview of what they discussed, followed by links to the podcast and our webinar page where you can find more in-depth material about much of what they talked about.

What you need to know right now about HIPAA 

There’s a common belief among therapists that online communication is inherently insecure, but there are many different options now: secure telehealth, messaging, email, web forms, and others that are HIPAA compliant. These services usually use some form of encryption to ensure your client’s information is secure.

What’s encryption?

In a nutshell, encryption scrambles the content you send from one source to another, either in transit, in storage, or both. Someone who wants to “listen in” on an encrypted email conversation can’t do so unless they have a key, such as a password.

Ideally, you should have encryption in transit from sender to recipient as well as encryption at rest when the data is stored. This provides the most reliable protection of your information. 

Ethical reasons to maintain security

HIPAA requirements may have been relaxed for the pandemic, but security is still important. Even if a client thinks regular email is secure enough, you might want to consider a few important points: 

  • Do your clients want to engage you in communications between sessions?
  • Do these communications contain highly personal information? 

Your personal comfort level can help you decide if a secure email service is preferable for this type of communication. Even if HIPAA guidelines don’t apply to your practice (you aren’t a covered entity), you might decide to comply with the guidelines to better uphold your professional, ethical standards. 

Should you worry about inconveniencing your clients?

Depending on the encryption service, there will likely be some action required of your clients to benefit from it. Hushmail requires people without a Hushmail account to access their messages on a secure message center protected with a password.

The important thing is to find a solution that balances security with convenience. For example, Hushmail allows you to choose which messages are encrypted. Being selective about the emails you encrypt can help achieve this balance: office supply orders, for instance, probably don’t need a password to access.

Overall, we believe that most clients value that their therapist is taking the extra step to protect their information.

Transitioning to a HIPAA-compliant virtual practice

The main question to ask yourself is, “How do I best protect my clients?” Although you may be in a rush to get things set up quickly and tempted to cut corners, it’s better to set yourself up for success now so you can continue using those systems once the pandemic is over.

This crisis has presented an opportunity to step back and look at all the ways you have to communicate. Everyone has their preferred method of communication, and if you can stick to that medium, you’re more likely to successfully engage with your clients and have a positive experience. To make sure you’re making a decision that will meet your needs during and after the pandemic, follow these simple steps:

  • Decide what method you’re going to use
  • Document your policies and procedures around using that method
  • Conduct a risk assessment for that method

Conducting a risk assessment might sound like more than you want to take on right now, but it doesn’t have to be complicated. Essentially, an assessment documents your communication method, how that method protects your clients’ information, why and when you use that method to communicate, what the possible risks are, and the risk mitigation strategies that you’re using. Practitioners are required to conduct a risk assessment, so the documentation is invaluable in the case of an audit.

The HHS website provides some good risk assessment samples that are easy to implement. 

And that’s just a brief overview of what we talked about

Jarred also talked to Curt and Katie about the following topics:

  • Potential legislation asking for back doors into encrypted services – concerns and potential risks
  • Staying current on updates within the tech sector
  • What’s included in Hushmail’s service
  • How Hushmail has evolved from the beginning

Listen to the podcast

Additional material 

Jarred has also talked to Brighter Vision about transitioning to a virtual office and moving your paperwork online with Hush Secure Forms.

He also hosts regular webinars about these and other topics, which you can check out on our webinar page.

Ready to get started with HIPAA-compliant email and web forms?

Sign up for Hushmail for Healthcare
