Of the most common forms of internet communication, email has become the norm in almost every business. Its ability to deliver detailed communication to a group in a short span of time is why so many people, even outside the corporate world, choose to send and receive email. Email platforms have changed over the years, but one thing is certain: the basic process has stayed the same.
But, what does email have to do with the medical field? More precisely, with therapists in the mental health field?
(Almost) everyone in the medical field who uses email to contact patients goes through an anxiety-riddled process of making sure the emails they send are HIPAA compliant. Ending an email with a disclaimer, the paragraph of text usually found after the signature of a healthcare provider's email, is not enough to make it HIPAA compliant. A poorly worded disclaimer can even make things worse.
So, what can you do to stay on the right side of HIPAA? Keep reading to learn about HIPAA compliant email for therapists and the mental health industry.
What is a HIPAA Email?
Before we get into the process of becoming HIPAA compliant, we first need to know what a HIPAA compliant email is. A HIPAA compliant email ensures that a message containing PHI (Protected Health Information) reaches the recipient's inbox securely and that the PHI stays protected both in transit and in storage. The catch is that the most popular consumer and business email providers, such as Gmail and Outlook, are not HIPAA compliant by default: the free consumer versions offer no Business Associate Agreement at all, and the paid business tiers only become usable for PHI once you sign a BAA and configure them correctly.
If you can employ an IT expert who is proficient in information systems, that's great. If not, consult a third-party HIPAA compliant email provider or get in touch with your attorney. If you are a hands-on person, you can start your search by typing the phrase "hipaa compliant email" into Google.
What you should know: The 6 Rules of HIPAA
Ignorance of the law is no excuse. Knowing the six rules of HIPAA will help you avoid paying a hefty sum (or losing your license!).
The Privacy Rule (2003) sets national standards for safeguarding PHI and defines when it may be used and disclosed.
The Security Rule (2005) sets the administrative, physical, and technical safeguards required to protect ePHI.
The Enforcement Rule (2006) lays out the procedures for compliance investigations, hearings, and civil money penalties for violations.
The HITECH Act (2009) promotes the adoption and meaningful use of electronic health record technology, strengthens HIPAA enforcement, and extends privacy and security obligations to business associates.
The Breach Notification Rule (2009) specifies the steps you must take to report breaches of unsecured PHI to the affected individuals, to HHS, and, for larger breaches, to the media.
The Final Omnibus Rule (2013) implements HITECH by strengthening privacy protections and making business associates directly liable for compliance.
What’s Actually Required for HIPAA-Compliant Email in Mental Health?
Responsibility and reputation are what it takes to run an effective and profitable practice. One way to earn both is to make sure your online communication is secure: aside from helping you avoid a hefty fine, it keeps PHI safe.
On the legal side, HIPAA's requirements for emails containing PHI apply to a practice only if it is a covered entity, that is, a health care provider that transmits health information electronically in connection with HIPAA standard transactions, such as billing health insurance electronically.
Even if your practice falls outside that definition, you should still follow HIPAA's guidelines for ethical and professional reasons.
The code of ethics requires that clients' privacy be protected in every way, shape, and form. Furthermore, most states have data privacy laws that closely resemble HIPAA. With that said, it is critical for all mental health professionals to do everything in their power to secure client information and communications.
How Do I Make my Email HIPAA Compliant and Secure?
To avoid getting hit by a HIPAA compliance violation, here are things you need to consider:
1. Make sure the email service you use encrypts mail in transit and at rest
What this means is that your emails must be encrypted not only while they travel between mail servers, but also while they sit in mailboxes and archives. If you keep old emails, yes, those need to be encrypted too. The easiest way to get this is an email and storage provider that encrypts every message automatically, whether sent, received, or stored.
If you are thinking of encrypting every email by hand, you are waiting for a disaster in the form of human error. Aside from that, imagine the time you would spend encrypting all those emails.
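A practical check behind item 1 is whether a message you received was actually encrypted on its way to you. Every mail server that relays a message prepends a Received: header, and most mail servers (Postfix, Exim, Gmail) record in it whether that hop used TLS. The script below is an added example written for this article, not code from the original page or from any of the providers it mentions; it parses those headers and flags any hop that was sent in plaintext or did not record encryption at all. The hostnames, IP addresses, and header text in the sample message are constructed for the example, not taken from a real mailbox.

```python
"""Audit an email's Received: chain for hop-by-hop TLS.

Added example for this article (not code from the original page or from
any provider it mentions). Hostnames, IPs, and header text in the sample
below are constructed, using reserved .test names and documentation IP
ranges, not captured from a real mailbox.

Caveat: this proves transport encryption only for the hops that recorded
it. It says nothing about encryption at rest on either side, and a hop
that omits the detail is reported as unknown (None), never as encrypted.
"""
import re
from email import message_from_string
from typing import List, Optional

# "with ESMTPS" / "with esmtpsa" / "with SMTPS": the trailing S marks a
# STARTTLS or implicit-TLS session; a trailing A means the client logged in.
_WITH_RE = re.compile(r"\bwith\s+e?smtp(?P<tls>s)?a?\b", re.IGNORECASE)
# Explicit version strings: "version=TLS1_3" (Gmail), "using TLSv1.2"
# (Postfix), "(TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)" (Exim).
_VERSION_RE = re.compile(r"\bTLSv?(1[._]\d)\b", re.IGNORECASE)
_FROM_RE = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)
_BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def parse_hop(received: str) -> dict:
    """Summarise one Received: header as {from, by, tls, version}."""
    text = " ".join(received.split())  # unfold continuation lines
    with_m = _WITH_RE.search(text)
    ver_m = _VERSION_RE.search(text)
    tls: Optional[bool]
    if ver_m:
        tls = True                       # a negotiated TLS version is recorded
    elif with_m:
        tls = bool(with_m.group("tls"))  # ESMTPS (encrypted) vs plain ESMTP
    else:
        tls = None                       # protocol not recorded at all
    from_m = _FROM_RE.search(text)
    by_m = _BY_RE.search(text)
    return {
        "from": from_m.group(1) if from_m else None,
        "by": by_m.group(1) if by_m else None,
        "tls": tls,
        "version": ver_m.group(1).replace("_", ".") if ver_m else None,
    }


def audit_message(raw: str) -> List[dict]:
    """Return hops in delivery order (oldest first).

    Each relay prepends its Received: header, so the header list is
    newest-first; reversing it gives the path the message actually took.
    """
    msg = message_from_string(raw)
    return [parse_hop(h) for h in reversed(msg.get_all("Received", []))]


def unencrypted_hops(hops: List[dict]) -> List[dict]:
    """Hops that were plaintext or did not record TLS at all."""
    return [h for h in hops if h["tls"] is not True]


# Constructed sample: a therapist's mail client submits over TLS 1.3, the
# practice's server relays to an insurer's inbound relay in PLAINTEXT, and
# the insurer's relay forwards internally over TLS 1.2.
SAMPLE_MESSAGE = """Received: from relay.insurer-example.test ([198.51.100.9])
        by mx.insurer-example.test with esmtps
        (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.96)
        id 1pXyz-000123-AB; Mon, 06 Feb 2023 10:15:04 -0800
Received: from smtp.therapist-practice.test (smtp.therapist-practice.test [203.0.113.7])
        by relay.insurer-example.test (Postfix) with ESMTP id 4B2C3D4E5F;
        Mon, 06 Feb 2023 10:15:03 -0800 (PST)
Received: from [10.0.0.12] (client.therapist-practice.test)
        by smtp.therapist-practice.test with ESMTPSA id abc123
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 06 Feb 2023 10:15:02 -0800 (PST)
From: therapist@therapist-practice.test
To: claims@insurer-example.test
Subject: Session notes for claim 12345

(body omitted)
"""

if __name__ == "__main__":
    for hop in audit_message(SAMPLE_MESSAGE):
        if hop["tls"] is True:
            status = "TLS " + (hop["version"] or "(version not recorded)")
        elif hop["tls"] is False:
            status = "PLAINTEXT"
        else:
            status = "unknown"
        print(f"{hop['from']} -> {hop['by']}: {status}")
```

Run it against a real message by saving the message as a `.eml` file and passing its contents to `audit_message`. Internal hops inside a single provider's network are often plaintext by design and are covered by that provider's BAA, so judge a flagged hop by who operates the two servers, not by the flag alone; a plaintext hop between two different organizations, as in the constructed sample, is the case worth escalating.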
2. Data sent, received, and stored should be on a need-to-know basis
Before sending an email with PHI, ask yourself: who needs access to this information? Make sure the staff who need the information are the only people who can access it, and that mailbox permissions, shared folders, and archives reflect that.
3. Identify when it is acceptable to send PHI in an email, and to whom
There are many situations where you might need to send PHI by email. It won't only be between you and your patient; you may also need to reply to their inquiries. There are also times you will need to send emails containing PHI to other doctors and to insurance companies, as well as within your own organization.
The good news is that HHS guidance on HIPAA and email addresses each of these scenarios, so review those email security recommendations before you set your policy.
4. Keep a backup of all email messages
Insurance companies, lawyers, and other doctors may need access to your email messages, and you need to be able to provide them. That takes storage technology that is secure and preserves messages intact. You never know when someone will need a patient's history and communications, so plan for it.
Contracting a third-party email archiving service is one of the most reliable ways to get this right.
5. Ask for patient consent
Document a written authorization in which the patient agrees to receive emails from you that contain their personal information. As part of that, inform them that their own email account (Google, Yahoo, or Microsoft Outlook) may not be encrypted end to end, so a message is only as secure as the mailbox it lands in.
If they don't consent, offer a different, secure channel. Common practice is to enroll them in a secure online portal, which has its own account and password. This not only minimizes information leaks but also shows the patient that their privacy is valued.
6. Choose and use the correct software
While everything in this list matters, this item is the most critical. Gmail is widely used because of its ease of access, but consumer Gmail is not HIPAA compliant.
It is crucial to use an email service provider that is HIPAA compliant. The HIPAA Journal reports that third-party providers such as G Suite (now Google Workspace) can be used compliantly by healthcare providers, which is a cakewalk compared with building your own system.
How do you know whether the provider you chose can be HIPAA compliant? Three letters: BAA. While you compare providers, check whether each one will sign a Business Associate Agreement. A signed BAA is necessary, but it is not sufficient on its own: it covers only the services it lists, and you still have to configure and use those services securely. A provider that will not sign a BAA is not an option.
7. Employ a healthcare lawyer and seek legal advice
We are healthcare providers, not lawyers. Get one to make sure you are compliant, because you can never be sure about the policies you implement on your own. Just remember to choose a lawyer who focuses on HIPAA compliance.
8. Secure devices that hold PHI
Working from home and hybrid setups became popular because of the pandemic. As a result, your employees may access patient information from home, without the safeguards of your office or clinic. If that is happening in your organization, you need to make sure every device in use is secured.
A HIPAA violation that commonly occurs involves lost or stolen devices. You are not penalized for the theft or the loss itself. The penalty comes when the investigation that follows finds that the device was not properly protected: no encryption, no mandatory password or passcode, and no other security measures.
If staff send emails containing PHI from their phones, all the same steps to ensure HIPAA compliance still apply to those devices.
9. Staff training
HIPAA requires you to train your workforce on your privacy and security policies and to document that each person has completed the training; most practices run it annually. The training should cover how to secure devices, who is allowed to access PHI, and what can and cannot be included in emails.
Adding training on how to recognize and avoid phishing emails is a plus.
HIPAA violations are expensive.
Penalties for noncompliance are scaled to the degree of negligence. The original statutory fines ranged from $100 to $50,000 per violation, with an annual cap of $1.5 million for repeated violations of the same provision. According to Thomson Reuters, the figures are higher today because they are adjusted for inflation.
How much would it cost?
HIPAA violations fall into four tiers, and each tier has a minimum and a maximum penalty per violation. Penalties for repeated violations of the same provision are capped per calendar year. Under HIPAA's administrative simplification provisions, the inflation-adjusted figures cited by Thomson Reuters are:

| Penalty tier | From | To | Annual cap |
|---|---|---|---|
| 1st tier: lack of knowledge | $127 | $63,973 | $1,919,173 |
| 2nd tier: reasonable cause, not willful neglect | $1,280 | $63,973 | $1,919,173 |
| 3rd tier: willful neglect, corrected within 30 days | $12,794 | $63,973 | $1,919,173 |
| 4th tier: willful neglect, not corrected within 30 days | $63,973 | $1,919,173 | $1,919,173 |

Source: Thomson Reuters
Top 5 HIPAA Compliant Email Hosts for Mental Health Professionals
Let's review a few HIPAA compliant email hosts commonly used by mental health professionals:
1. Google Workspace
Formerly known as G Suite, Google Workspace lets administrators control which users may access ePHI. However, not every Google product is covered, so it is better to read the fine print before signing anything.
The good thing is, you won't miss the fine print when you sign up: Google Workspace requires administrators to review and accept a BAA before completing the process. You can also see which Google Workspace products are covered by the BAA in Google's HIPAA Included Functionality documentation.
2. Intermedia
Intermedia publishes answers to the questions an administrator is likely to have when searching for a HIPAA compliant email provider, and states that its services are designed to meet the privacy and security requirements for PHI.
Beyond that, its policies and procedures are audited by a third party to confirm that they follow the HIPAA Privacy and Security Rules.
3. Virtru
Virtru is a cloud-based end-to-end encryption add-on for Gmail or Microsoft email. What does this mean for the user? You can send PHI with far less worry about a HIPAA violation, because the software encrypts the data you send and controls who can access it. You also don't have to switch email hosts or change how you work to be HIPAA compliant.
4. Paubox
Paubox works like Virtru in some ways. It encrypts email without the recipient needing any additional software. Paubox integrates with your email platform, such as Google Workspace or Microsoft Office 365, letting users send and answer emails while staying HIPAA compliant. It doesn't appear as a plugin in your mail client; it works as if it weren't there.
5. NeoCertified
NeoCertified provides HIPAA compliant email hosting by letting users access a secure portal or by integrating with Outlook. While NeoCertified can run as a plugin, it is really an independent product. This is attractive for practices that are not with a major email service provider yet and would rather do business with a company built specifically for sending HIPAA compliant email.
Does my responsibility for PHI in an email end once I send it?
Mostly, but not entirely. If a patient has asked to receive PHI by email and you have warned them of the risks, HHS guidance says you are not responsible for safeguarding the copy once it has been delivered to them. You remain responsible for transmitting it securely and for the copies kept in your own mailboxes and archives. A recipient who is another covered entity or your business associate is responsible for safeguarding what they receive under their own obligations.
Final thoughts on HIPAA-Compliant emails for therapists
Thank you for reading our resource on HIPAA compliant email for therapists. While no email service provider can guarantee 100% HIPAA compliance on its own, it is still essential to follow what the law dictates: safeguard PHI and disclose it only as the rules permit. Email companies offer products that help you be HIPAA compliant, so use them.
If the services that help you stay compliant seem expensive, they are still many times cheaper than the fines HIPAA may levy on you.
TherapyByPro is an online mental health directory that connects mental health professionals with clients in need. If you are a mental health professional, you can join our community and add your practice listing here. We have assessments, practice forms, and worksheet templates mental health professionals can use to streamline their practice. View all of our mental health forms, worksheets, and assessments here.