The Key to HIPAA-Compliant Email for Therapists

Sending HIPAA-compliant email is a key concern for all therapists and health care providers.

In fact, you may have noticed that HIPAA-compliant email disclaimers have become so common that we now barely notice them when we’re reading emails.

Or, maybe you haven’t even noticed them.

HIPAA-compliant email disclaimers are that paragraph of text tacked on at the end of a healthcare provider’s email signature explaining that the email message is private and may include protected health information (PHI).

Many of us, myself included, started using these HIPAA disclaimers at the bottom of our emails to clients after noticing that many of our mental health colleagues had added them. The practice seemed to be a new standard.  Plus, it was easy enough to implement.

Alas, it may come as a surprise to learn that using these disclaimers alone does not ensure you’re sending HIPAA-compliant emails to your clients. (Take Note: SimplePractice offers HIPAA-compliant Secure Messaging, which makes it easy to securely communicate with your clients and team members all in one place.)

And, unfortunately, there’s little evidence that including HIPAA-compliant email disclaimers will protect you or your practice in the event of an email-related breach, and they could actually make any security breach worse. 

To be sure you’re truly sending secure HIPAA-compliant emails and electronic messages, here are a couple things to consider in order to protect your practice and your clients’ data. 

The problem with email disclaimers

Neither HIPAA (aka the Health Insurance Portability and Accountability Act) itself nor any Department of Health and Human Services regulations specifically mention a mandate for email disclaimers. 

On their own, disclaimers are not enough to ensure secure HIPAA-compliant email and electronic messaging.

What’s more, these disclaimers can actually make a data breach worse. 

As one law firm specializing in information technology pointed out, poorly-phrased email disclaimers can cause confusion. 

Unintended recipients of private data may unwittingly recirculate PHI when they try to follow the disclaimer’s instructions. 

For instance, if your disclaimer asks anyone who is not the email’s intended recipient to reply to the message, each person who does so may be retransmitting the PHI. 

And, if they mistakenly reply-all on a group message, they’ve inadvertently created multiple additional copies of the PHI they were aiming to responsibly address. 

In this situation, unintended recipients aren’t forwarding PHI with malicious intent. However, it can still be problematic for the client whose information was compromised through such  a security incident. 

To take steps to avoid an infinite email chain passing along private data, the same law firm recommends that if you do include response instructions in a HIPAA disclaimer, make sure those instructions direct recipients to contact you by phone to inform you of the error. 

Then, instruct recipients to simply delete the message and any attachments. 

This addresses the breach promptly while avoiding the recirculation of PHI.

What’s actually required for secure HIPAA-compliant email?

While the Security Rule doesn’t expressly prohibit using email to send PHI (even unsecured email—if the client requests it), using email does present some risks. 

Most importantly, the majority of email systems are not encrypted. In addition, it can be difficult to know whether the information was received by the intended recipient. 

An email footer alone is no replacement for a thoughtful, holistic set of policies and practices designed to protect private health information. And, that’s what HIPAA requires of us as clinicians. 

Different practices and organizations have different needs when it comes to the protection of PHI, and while email disclaimers may be one component of your overall data protection strategy, disclaimers do not suffice as the only component.  

If you’re going to use email to communicate with clients or other providers, it may seem to make logical sense to include cautionary notes—such as a disclaimer—as part of a comprehensive privacy strategy. 

If you’re cautious about sending PHI over email, secure messaging software, such as the feature included in SimplePractice EHR, may be a better option for sending convenient messages that include clients’ personal health information. 

Tools for secure HIPAA-compliant email and electronic messaging

As mentioned above, HIPAA doesn’t have specific requirements for what’s considered compliant technology—the Security rule allows you as a covered entity to use any security measures that you deem reasonable and appropriate to uphold security standards. 

That said, they do have some guidance and questions to ask yourself before you start using a software or product to help you determine if it’s reasonable and appropriate. 

A secure encrypted messaging platform is the safest option for sending quick messages that contain PHI to clients or to coworkers in a secure way.

SimplePractice offers HIPAA-compliant Secure Messaging, which makes it easy to securely communicate with your clients and team members all in one place. Try it free for 30 days—no credit card required.

Once Secure Messaging is enabled for a client, you can easily communicate with them on either a computer or the SimplePractice mobile app. 

When your client receives a Secure Message from you, they’ll also receive an email containing a Client Portal login link that will allow them to access the message.

With SimplePractice Secure Messaging, you can answer client questions, consult on a colleague’s case, and adjust treatment plans—all via fast electronic conversation. And it’s always HIPAA-compliant and secure.

All of your SimplePractice account information is safely stored with bank-level data encryption technologies. SimplePractice has been certified through HITRUST—a third-party assessor that verifies the strictest level of HIPAA compliance.

Here’s more info on how to enable and use Secure Messaging.

If, for some reason, you still feel you need to communicate with clients and staff specifically using email, you can choose to pay for an encrypted option. 

Services like Hushmail for Healthcare, GSuite, and Virtru allow you to send HIPAA-compliant, secure emails at a variety of price points. 

If you’re doing everything that HIPAA requires of covered entities—such as performing a regular security audit to examine your risks, training your staff, minimizing where PHI is shared, and ensuring your clients have the knowledge they need to control such sharing—then you might find that using an email disclaimer isn’t relevant to your practice. 

That said, you also might decide that an email disclaimer is appropriate to be included as one of several layers of protection against an email-related breach. 

Ultimately, every practice is different. You’ll need to carefully consider the specifics of yours before implementing a strategy to make sure you’re sending secure HIPAA-compliant emails and HIPAA-compliant electronic messaging. 

If you have specific questions or concerns, consult an attorney.

SimplePractice provides HIPAA-compliant client messaging

SimplePractice practice management software is an EHR system that includes HIPAA-compliant Secure Messaging that makes it easy to securely communicate with your clients and team members.

Try SimplePractice free for 30 days. No credit card required.
READ NEXT: Why Most Therapists Are NOT Legally Compliant