Although email is a convenient means of communication, using email to communicate sensitive information poses some risk to those people who trust you to protect their privacy and to whom you have a legal duty to maintain their confidentiality. Privacy is your client’s or patient’s right to seclude themselves and their information by expressing themselves selectively. Confidentiality in healthcare is the professional’s legal duty to protect the privacy of those who entrust them with care. These issues quickly surface when using email to communicate patient information, especially for therapists and behavioral health professionals. While using secured email is a better choice than not in most instances, there are circumstances that warrant using unsecured email if needed.
To give providers guidance on how to use email to communicate protected health information (PHI), both unsecured and secured, HIPAA compliant email for therapists is discussed below.
What about unsecured email?
In June of 2019, the American Psychological Association published a response to a question from a psychologist about their responsibilities involving the use of unsecured email with a patient. A representative from APA’s legal office responded that indeed, unsecured email can be used, but there are risks. Suggested actions are:
- Explain the risks.
- Manage your protocol to protect patients’ protected health information(PHI).
- Consider encryption.
- Document Your Decisions. HIPAA requires that professionals evaluate and document their responsibilities and decision-making process (PDF, 3.63MB)
In the article below, these suggestions are detailed in bullet form to help you quickly and easily develop your own approach to using both unsecured and secured email with clients or patients.
Explain the Risks. What are the Risks of Using Email to Communicate PHI?
When determining whether or not to use email to communicate protected health information (PHI), it is important to consider and warn patients about the risks of using email for clinical communications.
- Shared Devices. When patients share their computer with another individual, there is potential for their PHI to be inadvertently exposed to other members of their household. This poses a risk, especially for those patients in an abusive relationship.
- Email Errors. Before sending an email containing PHI, it is important to double-check the recipient’s email address before sending it. It is recommended that email addresses are confirmed with the patient for correct spelling before sending an email.
- PHI in Email Subject Lines. PHI should never be in an email subject line. Email subject lines cannot be encrypted, so if the email is accessed by an unauthorized individual, PHI will be easily viewable.
- Group Emails. Group emails should never be sent to clients or patients. Email addresses are considered PHI under HIPAA so when group emails are sent to a patient, their email address is viewable to other recipients.
Develop Email Protocols
With just a few minutes, any professional can develop and document a few simple procedures to protect everyone involved.
- Delete previous portions of email when responding to a client’s or patient’s email.
- Only use first names.
- Double-check email addresses before sending your outgoing message.
- Make it a practice to glance at the To: line before clicking the “Send” button.
- Use a delay feature for an outgoing email that allows you to retract “Sent” mail before it actually leaves your computer.
Not all email providers have the proper security features to ensure the confidentiality, availability, and integrity of PHI. When choosing a secured email provider, the following should be considered:
- Encryption. To prevent unauthorized disclosures of PHI, encryption is a necessary component of HIPAA compliant email for therapists. Encryption masks data so that it cannot be read by unauthorized individuals. However, as previously mentioned, email subject lines cannot be encrypted, so they should never contain PHI.
- Audit Logs. Keeps a record of access to PHI to ensure adherence to HIPAA standards.
- Access Controls. Limits access to PHI to only those that require access.
- User Authentication. Email providers that include two-factor authentication are more secure. Two-factor authentication utilizes multiple login credentials to confirm a users’ identity, such as a username and password in combination with a security question or one-time PIN.
HIPAA Compliant Email for Therapists: Business Associate Agreements
Software providers, including email providers, are considered business associates. Before it is permitted to share PHI with a business associate, they must sign a business associate agreement (BAA). Not all email providers will sign a BAA, especially for their free versions, and therefore cannot be used in conjunction with PHI.
See TBHI’s What is HIPAA for Healthcare Workers? to learn more about the HIPAA Privacy Rules for Healthcare professionals.