HIPAA Compliant Email For Therapists
As a mental health professional, you've probably been hearing a lot about how you should encrypt your email communications with clients. This is true, with some caveats. First, it's all about the Protected Health Information, or in this case Electronic Protected Health Information (ePHI). Encryption comes into play when you're transmitting or storing information that identifies a client and relates to their care. This can be as simple as an appointment reminder. It's important to note that HIPAA doesn't explicitly require encryption, but it does consider it "addressable". In HIPAA-speak this means that, if it's reasonable to implement, you need to do it or document thorough reasoning for why you did not employ that measure. Encryption is certainly reasonable to implement when it comes to email.
Okay, so how do I make this happen?
There are a lot of different ways to make this happen. There are too many vendors that can help with encryption to mention. The one that I feel is the best fit for most mental health professionals is Hushmail. There are four primary reasons for this:
Friendly Interface – Hushmail is a web-based email platform so anyone who has used services like Gmail, Yahoo, or Hotmail will find it easy to transition to Hushmail.
HIPAA Friendly – Hushmail, as a vendor, complies with HIPAA and will sign a Business Associate Agreement with you making it easier for you to maintain compliance.
Business Friendly – You can use one of your own domains with Hushmail for a more professional appearance.
Secure Contact Forms – Hushmail for HIPAA accounts come with the ability to integrate secure contact forms into your web site at no additional cost. This allows you to secure communications even from new/potential clients. Tame Your Practice can even integrate the form into your web site for you!
I've been using Hushmail myself for several years and am quite happy with the product and customer service.
Want to see how easy it is to use? Check out this video:
But I heard that Gmail was HIPAA compliant now?
There are a couple of significant caveats to this:
Google for Work Only – You have to be using the paid version of Gmail through Google for Work in order to get a Business Associate Agreement with Google.
Limited to Google's Servers – The security/encryption of a Google for Work account really only applies to storage on their servers. No encryption is supplied when sending an email. So, while you can be in compliance with regard to the storage of emails on the server, you'll still need to address securing the emails that you send to clients.
It is possible to address concern #2 through informed consent with clients. HIPAA values client autonomy, so if a client asks you to send ePHI through unsecured means, you're covered. (HIPAA doesn't require it, but I recommend you document this in some way.) This type of agreement works really well for low-risk items like appointment reminders. It's not, however, a great solution for more significant confidential data. While you might tell clients simply not to email you in such detail, more and more clients want that convenience.
For these reasons, I've found Hushmail to be a great fit for most of the therapists I've spoken with.
Want to be sure Hushmail is a good fit for your practice? This is a great topic for an affordable 20 minute consultation. Ready to get started with Hushmail and want help setting it up and/or adding a Secure Contact Form to your web site? Look here for details.
Rob Reinhardt, LPC, PA
Rob is a Licensed Professional Counselor in private practice and owner of Tame Your Practice, which provides comprehensive consulting to mental health and wellness professionals.
©2015 Rob Reinhardt, LPC, PA