Using Clinical Email (Part II): Secured Email Protection Systems
by Monica McCormack and Marlene M. Maheu, PhD
When does email need to be HIPAA Compliant?
Email is subject to the HIPAA Security Rule and therefore must have the proper measures in place before it can be used to transmit electronic protected health information (ePHI). According to HIPAA, this rule can be disregarded after a full informed consent discussion and agreements are made with the intended recipient of services, however. In other words, unsecured email can be used legally, but according to HIPAA’s Final Rule (2013), only after a completed informed consent process wherein the risks and benefits of using unsecured email are explained and that the clinician is reasonably assured that the risks and benefits are understood by the recipient of services.
Surprising to many clinicians, given this federal HIPAA ruling, the Telebehavioral Health Institute advises all practitioners reconsider using their unprotected email addresses when linking from commonly used internet directories or insurance companies who routinely offer their customers a clinician’s email address. Clinicians who doubt this requirement are encouraged to speak with their attorney and consider the rationale for the American Counseling Association’s (ACA) 2104 ethical standard below:
B.1.c. Respect for Confidentiality
Counselors protect the confidential information of prospective and current clients. Counselors disclose information only with appropriate consent or with sound legal or ethical justification.
The ACA’s stance toward initial contact with prospective clients is very much in keeping with HIPAA, which places the responsibility for the use of email protection squarely on the shoulders of the clinician rather than the directory platform or another online provider listing. Including one’s unsecured email address on one’s business card or brochure can lead to similar complications if the initial contact is more than just administrative. Unlike with medical professionals, the initial contact for appointment setting can most often be directly with the clinician. Furthermore, it can often include a brief discussion of the motivations for seeking treatment, and can sometimes include a quick outline of medications prescribed, suicidality and history of the problem — all of which is clinical material that can contain Protected Health Information (PHI). If this early data collection is conducted in email rather than by telephone, potential complications increase.
How then, does a counselor or any other behavioral professional attempting to be ethical engage in unsecured email with prospective as well as current clients? Using a secured email protection system is the recommended path to take at first with prospective patients as well as clients with whom there has not been a thorough discussion of the risks and benefits of unsecured email. (A reasonable although more cumbersome alternative to email protection is to move the initial contact with a patient to the telephone, where HIPAA issues are typically handled by the phone company, or use a directory platform that will protect the initial email contact by surrounding messages in a firewall that requires a login, as does Facebook, LinkedIn and many other large social networking websites.)
What are secured email protection systems?
To be HIPAA compliant with secured email protection, you must have:
- Integrity controls are the policies and procedures implemented to protect data from alteration or destruction. Encrypting your data protects the information from unauthorized changes.
- Access controls ensure that only the person(s) granted permission to view PHI have access to it. Restricting access to PHI ensures that there is no unauthorized access of PHI, such as by your children, spouse or anyone else who handles your telephone, tablet or any computers.
- Audit controls track and record who accessed PHI and when they accessed it.
- Transmission security pertains to monitoring how PHI is communicated by tracking who is sending or receiving PHI. It also involves ensuring the integrity of PHI at rest, this refers to safeguarding PHI stored on your network through the use of encryption or a firewall.
- ID authentication is a means to identify the person(s) accessing PHI. This is accomplished with personalized login credentials.
The rules for secured emails differ based on if you’ll be sending an email through an internal email network or to an outside network. All emails that are sent externally, beyond your firewall, need to be encrypted. However, just because encryption isn’t required for emails sent over your internal email network, doesn’t mean that you shouldn’t encrypt. Before a covered entity (CE) decides whether or not to encrypt, they need to perform a risk analysis. A risk analysis will allow a CE to assess if there is a threat to the integrity, confidentiality, or availability of ePHI. In addition, the decision whether or not to encrypt must be documented to prove to the Office of Civil Rights (OCR) that you considered encryption, and found that it wasn’t necessary.
Harbor Behavioral Health Phishing Attack
Harbor Behavioral Health experienced a phishing attack in February that affected 2,290 patients. The mental health treatment center failed to implement adequate email security safeguards, resulting in the unauthorized access of an employee’s email account. As a result, Harbor Behavioral Health will be offering free identity theft and credit monitoring for affected individuals.
Considering the intent as well as the letter of HIPAA, the types of sensitive information handled by behavioral health practices are good reasons for using safe practices with email as outlined in PART I of this article series. The first email-related issue outlined by HIPAA and summarized above then, is encrypted email protection systems. By using email protection systems, your patients’ PHI and your practice’s reputation will be safer in the unlikely event of a data breach. Data breaches are occurring with increasing frequency, however. To stay current with this news for free, subscribe to the Telebehavioral Health Institute’s free weekly newsletter. Practitioners may also want to note that in the United States, private practices are the # 1 area most frequently disciplined by the Office for Civil Rights, HIPAA’s federal enforcement agency.
Both small and large organizations seeking to use email with the populations they treat would do well to get informed by coming back to this TBHI blog series to read the upcoming segments of email security articles.
This is Part II of the XI-part blog series. You can also read Part I below:
Behavioral health practices handle protected health information (PHI) regularly, and as such, must take precautions to safeguard the sensitive information. The Department of Health and Human Services (HHS) recommends ten practices that anyone handling PHI needs to implement, the first of which is email protection systems. (Each one of these XI HIPAA outlined practices will be examined in its own article, labeled Part I-XI for your convenience. This current article is Part II of that XI-part series.)