This content is provided by Brighter Vision, an affinity partner of AAMFT. This information is not necessarily the view of AAMFT and should not be interpreted as official policy.
If you work in the field of mental health, chances are you should be using HIPAA compliant email to communicate with your clients. This is especially true if you send and receive protected health information (PHI).
And if you’re using contact forms to collect information from your clients on your private practice website, they should be HIPAA compliant as well.
But how do you know for sure if you need HIPAA compliant email or contact forms? And what exactly is considered HIPAA compliant?
In this post, we will shed some light on the ins and outs of HIPAA compliance so that, by the end of the article, you have a better understanding of whether you should use regular or HIPAA compliant email and contact forms for your private practice website.
What Is Encryption?
We’ve all seen how excited little Ralphie was to finally receive his Orphan Annie Secret Society secret decoder ring in A Christmas Story. We all laughed at his unmistakable look of pure disappointment when, after spending a few torturous minutes decoding his first secret message, he finds out it’s only a crummy commercial telling him to “Be Sure To Drink Your Ovaltine.”
Well, the encryption services that keep our online information private today work on the same principle as Ralphie's encoded message. When you send an encrypted email, the message's content is transformed into what looks like a meaningless jumble of letters, numbers, and symbols. To anyone without the "key" – the digital world's version of Ralphie's decoder ring – the message is indecipherable, which means its contents remain private. The difference is that a modern cipher, unlike a decoder ring, cannot practically be undone by guessing: without the key, the message stays unreadable.
With Hushmail's email service, sending an encrypted message is as simple as checking a single box when you compose the message.
For a more detailed explanation, take a look at this article: What is encryption, and how do I know if I need encrypted email?
Who Needs HIPAA Compliant Email and Website Contact Forms?
Any HIPAA covered entity (as defined in the chart below) and/or any healthcare practitioner who wants to protect their clients’ or patients’ privacy should be using HIPAA compliant email and website contact forms.
A Health Care Provider
This includes:
- Doctors
- Clinics
- Psychologists
- Dentists
- Chiropractors
- Nursing Homes
- Pharmacies
…but only if they transmit any information in an electronic form in connection with a transaction for which Health and Human Services (HHS) has adopted a standard.

A Health Plan
This includes:
- Health insurance companies
- Health maintenance organizations (HMOs)
- Company health plans
- Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs

A Health Care Clearinghouse
This includes entities that process nonstandard health information they receive from another entity into a standard format (i.e., standard electronic format or data content), or vice versa.
Source: https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html
What Kind of Information Should Be Encrypted?
The short answer is – any information that could be considered protected health information (PHI).
HIPAA defines protected health information as individually identifiable health information: any information about a person's health, treatment, or payment for care that identifies them or could reasonably be used to identify them. The identification can be indirect. A newsletter you send to the members of your ADHD Support Group is PHI just as much as the results of a Depression Screening Test you send to a single client, because the recipient list alone reveals that each recipient is being seen for ADHD (and if the addresses are in the To or CC field, it reveals that to every other recipient). If a client's identity is connected in any way with the information in a message, send it through an encrypted email service like Hushmail.
To learn more about all the different types of PHI, check out this post: HIPAA Compliance on Social Media: A Guide for Private Practices
How Is HIPAA-Compliant Email Different from Regular Email?
First and foremost, remember that HIPAA compliance online – whether for website contact forms or email – depends on good user habits as much as on tools: verify the recipient's email address before you send, and keep sensitive information out of subject lines, which OpenPGP typically leaves unencrypted even when the message body is protected.
HIPAA compliant email gives you the ability to send messages encrypted with OpenPGP, so the contents are protected not only in transit but also while stored on the provider's servers and in the recipient's mailbox, until they are opened with the right key. This is an extra layer on top of TLS, the same kind of transport encryption your bank uses for its website and that most standard email servers support: TLS protects a message while it moves between servers, but not while it sits on them.
A HIPAA compliant email service will also sign a Business Associate Agreement (BAA) with you. The BAA makes the provider a business associate under HIPAA, which obligates it to safeguard the PHI it handles on your behalf; you remain responsible for how you use the service, but you have a contractual basis for relying on the provider's safeguards. HIPAA audits are scary, and violations can be devastating to a private practice. A provider that will not sign a BAA should not be handling PHI for you at all, so the BAA is a prerequisite, not an optional extra.
Finally, a HIPAA compliant email service should also provide email archiving that serves as added backup in case of an audit or a question. All of our HIPAA compliant email accounts automatically include a separate archiving email address for as long as you’re a customer. This will ensure you always have a full record of all communications – both sent and received – for any email address on your domain, should you ever need it in the future.
Why Can’t a HIPAA Compliant Email Be Sent Using Google or Yahoo?
It comes down to how much assurance you want. HIPAA requires covered entities to implement technical safeguards for their clients' and patients' "electronic protected health information," but it does not mandate a particular type of encryption, and there is no checklist of technical safeguards you must use.
Should a breach happen, you need to convince HIPAA officials, and maybe even a judge, that you did everything you reasonably could to safeguard the information. Keep in mind that TLS only secures your email if the recipient's mail server supports it too, and most sending servers silently fall back to plain text when it does not (so-called opportunistic TLS). Even when TLS is negotiated, it protects the message only while it is in transit; the message is readable on every server that stores it along the way, including the recipient's provider. If you are comfortable saying that you sent the information protected in transit only, reliant on the recipient supporting encryption, then TLS may be all you need, and Google or Yahoo might be fine.
The extra layer of OpenPGP encryption gives you evidence of due diligence in case of an audit or a breach, and it keeps the message content protected on servers you do not control.
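The point above, that TLS protects a message only if the recipient's server supports it and only while the message is in transit, can be checked before you decide to rely on it. The following Python script is an added example, not code from this article, Hushmail or Brighter Vision. It parses a recipient domain's MTA-STS policy (the RFC 8461 file a domain publishes at https://mta-sts.<domain>/.well-known/mta-sts.txt to tell senders that it requires TLS), reports whether plaintext fallback is still possible, and includes a live STARTTLS probe using the standard library. The two policy texts and the domain names are constructed for illustration; fetching the real policy over HTTPS and resolving the domain's MX records are left to you.

```python
"""Decide whether TLS alone is a defensible channel for a given recipient domain.

Added example, not from the original article. Policy texts below are constructed.
"""
import smtplib
import ssl
from typing import Dict, Optional

# Constructed sample policies in the format of RFC 8461 section 3.2.
ENFORCED_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example-clinic.test
mx: *.mx.example-clinic.test
max_age: 604800
"""

TESTING_POLICY = """\
version: STSv1
mode: testing
mx: mail.example-plan.test
max_age: 86400
"""


def parse_mta_sts_policy(text: str) -> Dict[str, object]:
    """Parse an MTA-STS policy into {version, mode, mx: [patterns], max_age}."""
    policy: Dict[str, object] = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy["max_age"] = int(value)
        elif key in ("version", "mode"):
            policy[key] = value
        # Unknown fields are ignored, as RFC 8461 requires of receivers.
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing MTA-STS version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("missing or invalid MTA-STS mode")
    if "max_age" not in policy:
        raise ValueError("missing max_age")
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """True if an MX hostname matches a policy pattern.

    A leading '*.' matches exactly one label: '*.mx.example.test' covers
    'a.mx.example.test' but not 'mx.example.test' or 'b.a.mx.example.test'.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[2:]
        if not host.endswith("." + suffix):
            return False
        prefix = host[: -len(suffix) - 1]
        return bool(prefix) and "." not in prefix
    return host == pattern


def transport_encryption_guaranteed(policy: Dict[str, object], mx_host: Optional[str] = None) -> bool:
    """True only in 'enforce' mode (and, if given, for an MX the policy covers).

    'testing' and 'none' still permit plaintext delivery on TLS failure.
    """
    if policy.get("mode") != "enforce":
        return False
    if mx_host is None:
        return True
    return any(mx_matches(p, mx_host) for p in policy["mx"])


def assess_recipient(policy_text: Optional[str]) -> str:
    """'tls-enforced' if plaintext fallback is ruled out, else 'end-to-end'.

    Even 'tls-enforced' means transit protection only; the message is still
    readable on the receiving provider's servers.
    """
    if policy_text is None:
        return "end-to-end"
    try:
        policy = parse_mta_sts_policy(policy_text)
    except ValueError:
        return "end-to-end"
    return "tls-enforced" if transport_encryption_guaranteed(policy) else "end-to-end"


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live check (needs network): does the server offer STARTTLS and finish a handshake?"""
    context = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as server:
        server.ehlo()
        if not server.has_extn("starttls"):
            return False
        server.starttls(context=context)
        server.ehlo()
        return True
```

A practitioner would run `assess_recipient` over the policy fetched for each client's mail domain before deciding that transport encryption is enough; anything other than `tls-enforced` means a plaintext fallback is possible and the message should go through end-to-end encryption instead. Note that a domain with no MTA-STS policy at all is the common case, and `probe_starttls` succeeding today says nothing about the next hop or about tomorrow.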
Can My HIPAA Compliant Email Work with Outlook or Mac Mail?
The short answer is yes, most encrypted email services can be set up to work with a third-party email app. However, using the encrypted service’s webmail or smartphone app is usually a good idea for ease-of-use and security reasons.
With a standard webmail platform as well as a dedicated mobile app, Hushmail makes it extremely easy to maintain HIPAA-compliance while emailing your clients from any of your devices.
Click here to schedule a call today.
Wait! You Don’t Have A Private Practice Website Yet?
Brighter Vision is the ultimate marketing package for therapists, centered around the best therapist website you’ve ever had. Contact us today to get started.