Is HIPAA Compliant Email for Therapists Possible? Only in Very Select Circumstances. To Avoid Violations, a Secure Messaging System is the Best Option.
As a therapist, it is essential to understand The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its application to your profession. However, navigating the regulatory environment can feel like groping around in the dark.
In particular, HIPAA compliant email and secure messaging for therapists is a complex subject that can be confusing when you have no formal training in cybersecurity and digital privacy.
How can you stay HIPAA compliant when emailing patients, colleagues and external business associates?
This blog post will explain the basics of HIPAA-compliant email for therapists and offer some tips on how to stay safe and protect your patients’ privacy.
According to a recent American Medical Association (AMA) report, physicians and private practices are the second most common HIPAA violators after hospitals. The top five violations, according to the HHS’ Office for Civil Rights (OCR), are:
Several recent HIPAA fines involve practices that failed to give patients access to their own medical records. For example, in 2020, Beth Israel Lahey Health Behavioral Services, King MD and Wise Psychiatry were fined $70,000, $3,300 and $10,000, respectively, for violating the HIPAA Right of Access rules.
(Image source: compliancy-group.com)
In 2021, a private practitioner also found himself on the wrong end of a HIPAA fine. Dr. Robert Glaser was fined a staggering $100,000 for failing to provide a patient with access to his medical records within the required time and failing to comply with an OCR investigation.
(Image source: hipaajournal.com)
While these fines are not as hefty as some of the multimillion-dollar settlements we have seen in recent years, they nonetheless send a strong message that the OCR takes HIPAA violations by private practices and physicians seriously.
In most private practices and physicians’ clinics, these violations stem from a lack of knowledge of HIPAA rules.
Knowledge is power. The only way to protect yourself from stiff fines and reputational damage is to understand how the law applies to your profession. The HIPAA Privacy Rule establishes national standards to safeguard individually identifiable health information, technically referred to as protected health information (PHI). When that information is created, stored or transmitted in electronic form it is called electronic protected health information (ePHI), and the HIPAA Security Rule sets the administrative, physical and technical safeguards that apply to it.
This law applies to “covered entities”, which are defined as:
Therapists are health care providers, and a provider that transmits health information electronically in connection with a standard transaction (for example, billing an insurer) is a covered entity. If you are a therapist in that position and use email to communicate with patients or colleagues, you must comply with the HIPAA Rules.
In practice, this means you must take adequate steps to ensure the information you send via email is secure and that the recipient is authorized to receive it.
It also means that you need to think carefully about what information you include in emails. PHI is health information (diagnoses, treatment notes, appointment details, billing information) that is linked to identifiers such as names, addresses, birthdates, Social Security numbers or contact details. The mere fact that a named person is your patient is PHI.
You should never include PHI in the body or subject line of an email. Instead, use a secure file transfer system or send the information in a password-protected file, with the password delivered through a separate channel (for example, by phone), never in the same email or in a follow-up email to the same address.
So, is regular email HIPAA compliant? The short answer is no. Consumer email services are not HIPAA compliant, and even business email providers that will sign a BAA only cover their own servers, not the recipient's mailbox or the path in between. In addition, there are inherent problems in using email to transmit ePHI, namely:
For these reasons, it is not advisable to use email to send PHI. In some cases, a patient can authorize you to send them ePHI using email or even authorize you to share the information via email with third parties. However, such authorization must be in writing for it to be HIPAA compliant.
In most cases, if you must transmit PHI electronically, a HIPAA compliant secure file transfer system is the only option.
If you are a therapist, it is likely that you will need to share PHI with business associates, such as billing companies or transcriptionists.
In order to stay HIPAA-compliant, you must take steps to ensure that these business associates are also HIPAA compliant, and you must enter into a business associate agreement (BAA) with the company.
A BAA is a legal contract that obligates the business associate to protect the privacy and security of your patients' information and to use only authorized means of transmission. It also requires the business associate to notify you if there is a breach of PHI.
The BAA should be in place before any PHI is exchanged.
So, what is the best HIPAA-compliant email service?
Unfortunately, due to the security challenges posed by email, we wouldn’t recommend using any email provider to transmit ePHI. Even if the provider markets itself as HIPAA compliant, it is impossible to guarantee the security of your data.
The best way to ensure that your electronic transmissions are HIPAA compliant is to use a secure messaging system designed specifically not only for therapists and healthcare professionals but for every business seeking to protect its information.
At Central Data Storage, WisperMSG, our encrypted file sharing solution, makes communicating with patients, colleagues and business associates completely secure, HIPAA compliant, easy and affordable.
Features include beyond military-grade encryption, password protection and audit logs that help you meet regulatory compliance, while being as simple to use as all popular messaging services. For more information, sign up for a free trial.