HIPAA Compliance Email Rules and Platforms for Secure Therapy Messaging

Protecting your patients’ information is a major concern when it comes to email. Whenever you want to send a reminder about an upcoming therapy session, change a treatment plan, or attach a bill, you have to check the HIPAA compliance email rules and make sure you use secure messaging software. You can’t simply share this information, and you can’t use an ordinary Gmail account to communicate with your patients. If you do, you risk being penalized for breaking the HIPAA Privacy and Security Rules.

Powerful HIPAA-compliant email software is an invaluable asset for therapy practices, as it lets you have a stable means of communication without the threat of protected health information (PHI) falling into the wrong hands. Keep reading this article to learn about the typical issues, requirements, and features of HIPAA-compliant email message platforms and find out which solutions cover communication security needs.

Types of sensitive data that set HIPAA compliance at risk

Email is one of the best ways to share information with your client. Unlike chat or video conferencing, an email makes it possible for your client to access the sent information anytime and even preview or download shared files. However, before emailing your client, you need to know that the HIPAA Privacy Rule applies to the following types of data, classifying it as protected health information:

  • your patient’s name, address, mobile phone number, occupation, social security number, billing, and insurance details
  • medical records and information on treatment the patient receives
  • any information that could lead to identifying the person, including a photo, fingerprints, or contact details

What is considered to be protected health information

As you can see, almost any data, including your patient’s email address, falls under the definition of ePHI. In these cases, you will need to use a HIPAA-compliant email platform. The other cases when you will need to use a HIPAA-compliant email platform are:

  • superbills
  • forms, attachments, or messages that feature your patients’ SSN or insurance information
  • CPT codes
  • any information on diagnoses, releases, or records

All these types of information have to be kept secure at all times, and it’s not as easy as it might seem. Many companies have been sued for protected data breaches. Let’s learn what we should do to ensure protected information security and if there are any exclusions where protected data can be disclosed.

Can HIPAA compliance email rules be waived?

Sometimes people wonder if there’s a way to share protected health information with expert colleagues if it is in the patient’s best interests. In such situations, a HIPAA waiver can be applied.

A HIPAA waiver is a legal document that will let you share your patient’s health data with specifically named individuals (family members, colleagues, attorneys, etc.). With a HIPAA waiver, the patient can grant full access to their health information or partially disclose medical records, depending on the circumstances and the purpose of such a disclosure.

HIPAA waivers are invaluable when it comes to discussing the patient’s medical condition with experts in the field or when the medical record has to be shown to a new therapist who takes your place. Another case when a HIPAA waiver can be signed is when the patient allows the therapist to use their medical records in research.

In any case, the patient is solely in charge of their medical records. It’s up to your patient if they allow you to share their health information with anyone after being notified of such a necessity.

In any other cases, HIPAA email regulations can’t be waived.

Typical HIPAA compliance issues using email services

Any disclosure of protected health information to unauthorized parties is prohibited by HIPAA standards. This means therapists should be extra vigilant when ensuring the information exchange between you and your patient is protected. Using email software for communication raises the risk of accidental ePHI disclosures in more than one way, and it’s important to be aware of the situations that could potentially lead to protected information leakage. There are four main factors that might lead to ePHI disclosure:

  • no encryption. Emails that aren’t encrypted can easily be intercepted by third parties on the same network as you. That’s why it’s prohibited to send or receive emails when using public Wi-Fi.
  • compromised access details. Sometimes the danger of third parties obtaining access to protected health information is overlooked when your patient is underage or in an abusive relationship where there’s no privacy. You have to know that such situations aren’t different from cases when information is disclosed to strangers, and sometimes such disclosures can pose an even larger threat to your patient.
  • human error. Sometimes personal health data becomes exposed because it is sent to the wrong recipient when communication processes lack automation.
  • using email services that are not HIPAA-compliant. There are specific requirements that an email platform has to meet to suit therapy practice (e.g., end-to-end encryption). When the practice overlooks the danger of using a solution that is not HIPAA-compliant, there is a danger of the messages getting leaked.
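The two lists above (the data classes that make a message ePHI, and the factors that lead to accidental disclosure, in particular the wrong-recipient and unencrypted-attachment cases) can be turned into an automated pre-send check. The following is an added illustration, not code from this article or from any of the vendors it names. The allowlisted domains, the consent list, the patient roster and the regular expressions are all constructed, simplified assumptions; a real practice would source them from its own records and its provider's configuration.

```python
"""Pre-send ePHI gate for a therapy practice's outgoing email (added example).

Demonstrates two mitigations the article calls for: recognising the data
classes that make a message ePHI, and automating the recipient check so a
message is neither sent to the wrong person nor over a channel the patient
has not consented to. All names, addresses and domains are constructed.
"""
import re
from dataclasses import dataclass, field

# Hypothetical allowlist: domains served by a provider that has signed a BAA.
SECURE_DOMAINS = {"protonmail.com", "hushmail.com"}
# Patients who signed a written request for non-secure communication (constructed).
NONSECURE_CONSENT = {"pat.lee@example.com"}
# Practice roster: patient name -> address on file (constructed sample data).
ROSTER = {"Jane Doe": "jane.doe@protonmail.com", "Pat Lee": "pat.lee@example.com"}

# Simplified heuristics for identifiers the Privacy Rule treats as PHI.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "cpt_code": re.compile(r"\bCPT\s*\d{5}\b", re.IGNORECASE),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}-\d{4}\b"),
}
KEYWORDS = ("diagnos", "treatment plan", "superbill", "insurance", "medical record")


@dataclass
class Verdict:
    decision: str                      # "allow", "allow_with_consent" or "block"
    findings: list = field(default_factory=list)


def find_phi(text: str) -> list:
    """Return labels for every PHI indicator found in the message body."""
    found = [label for label, rx in PATTERNS.items() if rx.search(text)]
    lowered = text.lower()
    found += ["keyword:" + kw for kw in KEYWORDS if kw in lowered]
    return found


def check_outgoing(recipient: str, body: str, attachments: int = 0,
                   attachments_encrypted: bool = True) -> Verdict:
    """Decide whether a message may leave the practice, and why."""
    findings = find_phi(body)
    # Wrong-recipient check: a roster name appears in the body, but the
    # recipient is not the address on file for that patient.
    for name, addr in ROSTER.items():
        if name.lower() in body.lower() and addr.lower() != recipient.lower():
            findings.append("recipient_mismatch:" + name)
    # Attachments must be encrypted regardless of who the recipient is.
    if attachments and not attachments_encrypted:
        findings.append("unencrypted_attachment")
        return Verdict("block", findings)
    if any(f.startswith("recipient_mismatch") for f in findings):
        return Verdict("block", findings)
    if not findings:
        return Verdict("allow", findings)
    # ePHI present: only a BAA-covered channel, or a documented consent, may carry it.
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in SECURE_DOMAINS:
        return Verdict("allow", findings)
    if recipient.lower() in NONSECURE_CONSENT:
        return Verdict("allow_with_consent", findings)
    return Verdict("block", findings)


if __name__ == "__main__":
    print(check_outgoing("jane.doe@protonmail.com",
                         "Hi Jane Doe, your treatment plan is attached."))
    print(check_outgoing("wrong.person@protonmail.com",
                         "Jane Doe, SSN 123-45-6789 is on file."))
```

An "allow_with_consent" verdict still means the practice's own provider must be BAA-covered; the consent only changes what the patient has accepted on their side. The keyword and pattern lists are deliberately coarse: a gate like this is meant to stop obvious mistakes before the send button, not to replace the encryption the provider supplies.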

HIPAA-compliant email requirements

The requirements that email platforms need to meet in order to be HIPAA-compliant are there to guarantee that the information you share with your patient won’t fall into the wrong hands. That’s why you need to ensure you use software that confirms that it meets HIPAA standards. Let’s take a closer look at the requirements a HIPAA-compliant email message service needs to meet:

  • two-factor authentication
  • end-to-end encryption protocol usage
  • encrypted email attachments
  • regular updates
  • business associate agreement

Note that email services that do not offer to sign a BAA aren’t compliant with HIPAA standards. You can’t use these services in a therapy practice, even if they meet the other requirements (e.g., Gmail supports two-factor authentication, but it still can’t be used).

However, there are lots of email service providers that meet these requirements and can grant you and your patient safe and private communication. Let’s overview them.

What email providers meet HIPAA compliance email rules?

We have prepared a list of twelve top HIPAA-compliant email providers you can consider using in your therapy practice. They differ in features and price, so let’s overview them to learn more about the pros and cons of each solution.

#1 Virtru


With Virtru, you can use popular email services like Gmail and Microsoft Outlook because it adds the end-to-end encryption needed for HIPAA-compliant communication. Virtru makes it easy to encrypt data and control who has access to the content you send.

#2 Paubox


Paubox is a solution that offers HIPAA-compliant email encryption and protects you from unwanted spam, ransomware, and phishing attempts. It offers integration with Office 365 and G Suite, so it won’t require you to install any extra add-ons.

#3 NeoCertified


NeoCertified is a HIPAA-compliant solution that offers email encryption within its platform and integrates with Outlook, Office 365, and G Suite. It also provides secure email forms and email archives and will let you sign a BAA.

#4 HIPAA Vault


HIPAA Vault is similar to the solutions listed above, as it offers integration with Office 365 and Gmail. With HIPAA Vault, you will get HIPAA compliance without the need to switch to another platform. It also comes with fully managed services and continuous support.

#5 Aspida Mail


Aspida Mail is a secure HIPAA-compliant platform with multiple integration options that include Outlook, Thunderbird, Windows Live Mail, EagleSoft, and many other mail services. Within it, you can also add a custom domain name.

#6 Send IT Secure


This software supports delivery revocation, offers encryption, and is fully HIPAA-compliant. Within Send IT Secure, you can also set up message policies and make access to messages automatically expire.

#7 LuxSci


LuxSci provides you with secure email services, hosting, and forms. This service is HIPAA-compliant, offers to sign a BAA, and encrypts messages. Moreover, with LuxSci you’ll be able to track email statuses and know if messages were opened.

#8 ProtonMail


ProtonMail is a service that combines end-to-end encryption and password-protected emails. It also lets you encrypt contact details and use aliases. ProtonMail is HIPAA-compliant and offers to sign a BAA.

#9 Hushmail


Hushmail adds encryption to your emails, forms, and signatures. This service, like the ones listed above, offers to sign a business associate agreement and meets HIPAA standards.

#10 Mimecast


Mimecast is an email security service that offers everything from encryption to an AI-based file scan that is aimed at preventing phishing attacks and data loss.

At first glance, all these options may seem similar, so let’s compare the features of these ten software solutions.

Solution HIPAA compliance Non-secure communication request BAA agreement Seamless encryption Secure mail Secure forms
Virtru
Paubox
NeoCertified
HIPAA Vault
Aspida Mail
Protected Trust
LuxSci
ProtonMail
Hushmail
Mimecast

Alternatives to secure emails

Communication processes aren’t limited to emails. While some people are more accustomed to using emails and thus prefer them, today you can find HIPAA-compliant software that offers easier ways to share and e-sign documents. This innovative software also combines email functionality with scheduling, billing, teletherapy solutions, and automation. Let’s explore several all-in-one solutions that can easily replace HIPAA-compliant email platforms and help you automate communication.

#1 ExpertBox


ExpertBox is a platform that successfully combines HIPAA-compliant chat, intake forms, feedback collection, teletherapy tools, and secure scheduling and billing. Within the platform, you can easily find everything you need to provide therapy services. Moreover, with ExpertBox it’s possible to automate booking and schedule tasks if you work as a team. ExpertBox technology reduces the chance you’ll miss anything important.

With ExpertBox, you get:

  • booking and scheduling functionality
  • secure document sharing and e-sign
  • a chat and video conferencing platform
  • billing
  • CRM
  • intake and feedback forms
  • HIPAA compliance
  • reliable support

Price: $29.95 per month

#2 SimplePractice


SimplePractice is another option if you’re looking for an alternative to a standalone HIPAA-compliant email solution. SimplePractice offers a client portal, paperless intake forms, treatment plan creation, and scheduling features to assist you in your therapy practice.

SimplePractice will offer you:

  • scheduling and booking features
  • paperless documentation
  • billing
  • a client portal
  • a teletherapy platform
  • HIPAA compliance

Price: $29 per month

#3 Spruce Health


Spruce Health is also aimed at all-in-one communication to keep you and your client on the same page. It focuses on streamlining and automating communication processes. With Spruce Health, you get access to:

  • secure messaging
  • scheduled messages
  • automatic replies
  • HIPAA compliance

Price: $24 per month

Want to learn more about solutions that can boost your practice? Explore the top 10 telehealth platforms for therapists!

What if your patient uses email services that are not compliant with HIPAA standards?

You might wonder what to do if your patient wants to use a specific email provider that isn’t HIPAA-compliant. In such cases, you can ask your patient to sign a request for non-secure email communication. Before signing, the patient should be told how to obtain HIPAA-compliant email, and the risk of receiving messages on a different platform should be explained to them. This document has to point out, in written form, all the repercussions of using an email provider that is not HIPAA-compliant.

“A request for non-secure communication from a client does not obviate the need for a BAA with the service provider that is handling those non-secure communications.”
Liath Dalton, director of Person Centered Tech

Though, you have to remember that even if your patient has signed a request for non-secure email communication, you personally still have to use a HIPAA-compliant email provider that is able to sign a business associate agreement with you.

Is it necessary to add a HIPAA disclaimer to emails?

Some therapists add a HIPAA disclaimer to their emails (also known as a HIPAA compliance email signature). First of all, you should know that adding a disclaimer doesn’t automatically make your emails compliant with HIPAA standards. However, there are still reasons to add a disclaimer to your therapist email signature if you haven’t done so.

The first reason is to make the recipients aware that they shouldn’t copy, print, or reuse any piece of information you share with them. The other rationale behind adding a disclaimer is to warn the recipients that the email contains ePHI.

A HIPAA disclaimer is often added to the bottom of an email. It might look as follows:

“This email and any attachments are intended solely for the recipient named above. Any use, distribution, printing, or copying of this transmitted data is strictly prohibited. If you have received this transmission in error, please contact the sender at (XXX) XXX-XXXX immediately and delete this email and any downloaded attachments from your computer.”

Note that it is recommended to add a phone number instead of asking the recipient to reply to you with an email because you don’t want the protected health information to be resent back to you.

Wrapping up

There are multiple ways to establish secure communication with your patients. From HIPAA-compliant mailing services to teletherapy and chat solutions, you can choose any option that fits your practice. Feel free to subscribe to our newsletter to learn more about HIPAA compliance in therapy and software that will help you protect your patients’ ePHI.
