As with all healthcare professionals in the United States, therapists need to be HIPAA compliant. They must follow the complex set of interlocking rules that make up the Health Insurance Portability and Accountability Act (HIPAA).
The purpose of these rules is to secure patients’ Protected Health Information (PHI). PHI is defined by the HIPAA Privacy Rule, which sets the criteria for when it may be used and disclosed; the Security Rule then specifies the administrative, physical, and technical safeguards required for PHI held or transmitted electronically (ePHI), which is the form email deals with.
Most therapists are solo practitioners who devote most of their professional time to helping patients, which can make taking the time to understand the complex requirements of HIPAA compliance a challenge.
This article is part of a series discussing various aspects of HIPAA compliance. ProtonMail is the world’s largest secure email provider, used by millions to protect their messages, and we provide HIPAA compliant email to thousands of organizations. In this article, we look at the aspects of HIPAA email compliance that are particularly relevant to therapists.
Why therapists need HIPAA compliant email
Everyone is familiar with email, making it a great way for therapists to communicate effectively with patients. It’s also more convenient than phone calls or teleconferencing solutions, as it allows therapists to engage in long-form conversations while giving them greater control over their time.
Email is also much easier for lone therapists to manage than complex web portals, which can be difficult to operate without a tech support team’s assistance.
However, a problem with most email services is that they are not secure. This is a major issue for therapists because their conversations often cover highly sensitive (and potentially damaging) personal matters.
HIPAA allows a therapist to correspond with a patient by unencrypted email if the patient has been warned of the privacy risks involved and still prefers it. But this is not an ideal solution, given the highly sensitive nature of the PHI that therapists discuss with their patients.
A much better solution for therapists is to use a HIPAA compliant email service that can ensure sensitive information exchanged by email will remain private.
Types of sensitive data handled by therapists
Therapists often hear their patients’ innermost thoughts, so as a simple duty of care, it is vital that you secure all forms of their sensitive data.
According to official Department of Health and Human Services guidelines, “generally, the Privacy Rule applies uniformly to all protected health information, without regard to the type of information.” This means that the following data is classed as PHI:
- Patient’s name, contact details, profession, social security number, billing, and insurance details
- Other personally identifiable information, such as photographs, fingerprints, and emergency contacts
- Medical history and ongoing treatments
- Family medical histories
Psychotherapy notes, however, receive special protections. These are defined as notes recorded by a mental health professional “documenting or analyzing the contents of conversation” during a private, group, joint, or family counseling session, and that are kept separate from the rest of the patient’s medical record.
Therapists must keep psychotherapy notes separate from other forms of PHI because of the particularly sensitive nature of the data they contain, and because they are primarily only of use to the therapist who made them.
While also sensitive, information about medication prescriptions and monitoring, session start and stop times, treatment modalities and frequencies, clinical test results, and any summary of diagnosis, symptoms, prognosis, or progress (in other words, anything that belongs in the patient’s medical record rather than in the therapist’s own analysis of the conversation) is not considered part of psychotherapy notes.
Under most circumstances, a therapist can only disclose psychotherapy notes to a third party with the patient’s written authorization. The limited exceptions include disclosures required by law (such as mandatory reporting of abuse) and disclosures needed to avert a serious and imminent threat to the patient or others.
What to look for when picking the best email provider for therapists
Any email service a therapist considers for use for their practice should:
- Sign a business associate agreement (BAA)
- Support two-factor authentication, so that a stolen or guessed password alone is not enough to get into the account
- Use end-to-end encryption to secure emails
- Offer a way to send end-to-end encrypted emails to users of insecure third-party providers. Escrow email is a good example of this.
- Allow secure (encrypted) sending of email attachments, such as PDF forms
- Be easy to use
- Be business friendly (For example, it should support custom domain names and scheduling)
Common issues faced by therapists
Therapists face unique issues when it comes to protecting patients’ PHI due to the highly personal nature of the information they must discuss.
Failure to obtain informed consent
Some experts argue that the 2013 HIPAA Omnibus Rule requires patients to opt-in to communication by email that involves exchanging PHI. Most experts, however, agree that properly informed consent is sufficient.
This means the therapist must fully alert patients about the privacy dangers of using email and offer alternative secure ways to communicate.
Of course, using an end-to-end encrypted email service that allows secure communication even when a patient uses an insecure email service addresses many of the security problems associated with more traditional email services.
Disclosing too much PHI
Under the Privacy Rule’s “minimum necessary” standard, therapists must limit the PHI they use or disclose to the least amount needed for the purpose at hand. This is particularly important when dealing with other healthcare professionals (HIPAA-covered entities) and business associates.
Not all encryption is equal
The Security Rule lists encryption of ePHI as an “addressable” rather than a “required” implementation specification, so it does not strictly mandate encrypting email. In practice, however, achieving HIPAA compliance without encryption is very hard, and you would need to document why an equivalent safeguard is reasonable and appropriate instead. The problem is that encryption comes in several forms that protect against different threats, and it is easy to assume a service is “encrypted” without knowing which form it offers.
Encryption in transit
Most email services (and all HIPAA compliant ones) use TLS to encrypt emails in transit: between your computer and your provider’s server, and, via STARTTLS, between your provider’s server and the recipient’s server.
However, server-to-server TLS is opportunistic. Your provider offers encryption, but if the recipient’s mail server does not support it, and the recipient’s domain does not publish a policy (such as MTA-STS) that makes your provider refuse to fall back, the message is delivered in plaintext. Anyone on the network path, including the recipient’s internet service provider and any attacker able to intercept the traffic, can then read it, and the recipient’s email service can read it in either case. You can address this problem by using a service that offers escrow email.
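To make the “opportunistic versus enforced” distinction concrete, here is an added example (not code from the original article or from Proton) of the decision a sending mail server makes under RFC 8461 (MTA-STS): it parses the DNS TXT record and policy file the recipient domain publishes, checks the MX host against the policy, and decides whether the message goes out over TLS, is refused, or falls back to plaintext. The TXT record, policy text, and host names are constructed sample data embedded inline; nothing is fetched from the network.

```python
"""Outbound TLS decision for a recipient domain under MTA-STS (RFC 8461).

Constructed example: the TXT record and policy file below stand in for
what a sender would fetch from _mta-sts.<domain> (DNS) and
https://mta-sts.<domain>/.well-known/mta-sts.txt (HTTPS).
"""
from typing import Optional

# Constructed sample records for a hypothetical domain (not real data).
SAMPLE_TXT = "v=STSv1; id=20240101T000000;"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup-mx.example.net
max_age: 604800
"""


def parse_sts_txt(txt: str) -> Optional[str]:
    """Return the policy id from an MTA-STS TXT record, or None if absent
    or malformed. No valid record means the domain has not published a
    policy, so server-to-server TLS is merely opportunistic."""
    fields = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        return None
    return fields["id"]


def parse_policy(text: str) -> dict:
    """Parse the key/value policy file into a dict with a list of mx patterns."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported MTA-STS policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid MTA-STS mode")
    policy["max_age"] = int(policy.get("max_age", 0))
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 section 4.1: a leading '*.' matches exactly one DNS label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".backup-mx.example.net"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]
        return bool(label) and "." not in label
    return host == pattern


def delivery_decision(policy: Optional[dict], mx_host: str,
                      starttls_offered: bool, cert_valid: bool) -> str:
    """Return 'tls', 'plaintext', or 'refuse' for a delivery attempt.

    Without a policy (or in mode 'none') the sender behaves opportunistically:
    it uses TLS if the peer offers STARTTLS, even with an unvalidated
    certificate, and otherwise sends in the clear. In mode 'enforce' the MX
    host must match the policy and present a valid certificate over TLS, or
    the message is not delivered. Mode 'testing' delivers opportunistically
    but is where a failure report (TLSRPT) would be generated.
    """
    if policy is None or policy["mode"] == "none":
        return "tls" if starttls_offered else "plaintext"
    host_ok = any(mx_matches(p, mx_host) for p in policy["mx"])
    if host_ok and starttls_offered and cert_valid:
        return "tls"
    if policy["mode"] == "enforce":
        return "refuse"
    return "tls" if starttls_offered else "plaintext"


if __name__ == "__main__":
    policy_id = parse_sts_txt(SAMPLE_TXT)
    policy = parse_policy(SAMPLE_POLICY) if policy_id else None
    # A peer that does not offer STARTTLS: refused under enforce,
    # but silently sent in plaintext if no policy were published.
    print("enforced:", delivery_decision(policy, "mail.example.com", False, False))
    print("no policy:", delivery_decision(None, "mail.example.com", False, False))
```

The last two lines are the whole point for a therapist: the very same recipient server that an enforcing sender refuses to talk to would, without a published policy, receive the email in plaintext and the sender would never know.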
Encryption at rest
Most email services (and all HIPAA compliant ones) ensure that data is encrypted when stored on their servers. Again, it is difficult for a therapist to know whether this is also the case for a patient’s email service.
Another point to consider is that if you rely on your email provider to encrypt your emails, it can also decrypt them. That’s why it is vital you sign a business associate agreement (BAA) with your email provider to ensure it is a HIPAA compliant business associate.
An even better option is to use an email service that offers end-to-end encryption. With end-to-end encryption, emails are encrypted on your device before being sent to your email provider’s servers, so it cannot read them. These messages can then be securely delivered to your patient using an email escrow service.
This provides a robust extra layer of security for sensitive emails, although it does not replace the need to sign a BAA with your provider.
What is a BAA?
A business associate agreement (BAA) is a contract between a primary healthcare provider (a “covered entity”) and any business associate that it shares PHI with (for example, an email provider).
As a therapist, you are the covered entity, and the email service you use is your business associate. The BAA is basically a written guarantee from the business associate that it will follow all HIPAA rules.
What is escrow email?
Escrow email is a system used to deliver end-to-end encrypted emails to a recipient who uses a potentially insecure email service. If you use escrow email, instead of receiving an email containing sensitive PHI in their inbox, your patients receive a notification that an end-to-end encrypted message is waiting for them. To view the message, they log in to a web portal using a password that you have shared with them beforehand over a separate channel (for example, in person or by phone), so that the password never travels alongside the message itself.
With escrow email, the intended recipient is the only person who can read the email, no matter how insecure their email service is. ProtonMail’s Encrypt for non-ProtonMail users feature is such an escrow email system.
What is a secure form?
A secure form is an online HTML form served over HTTPS, so that sensitive information such as PHI is TLS-encrypted while it travels from the patient’s browser to the server (the data is then only as well protected as the server that stores it). Although popular with some therapists as a way for patients to submit details about themselves, similar results can be achieved using form-fillable PDF documents, which can be sent and returned securely with escrow email.
Some HIPAA compliant email services offer the ability to create secure forms as a feature, but there are also plenty of stand-alone HIPAA compliant options available.
Therapists can use ProtonMail to send HIPAA compliant email
A therapist cannot treat a patient if that patient does not trust them with their thoughts and feelings. You can earn your patients’ trust by demonstrating to them that you take data security and privacy seriously.
ProtonMail is a HIPAA compliant email service developed by CERN scientists. It uses strong end-to-end encryption with email escrow to ensure your emails and any attachments remain private. We also use zero-access encryption, which means we encrypt your emails before we store them on our servers, meaning only you and your intended recipient can access your messages. This encryption is done automatically in the background, making it easy for anyone to send or receive a securely encrypted email.
A signed BAA is available on request — just email firstname.lastname@example.org for assistance.
It is important for your business to protect your patients’ data, not just to be HIPAA compliant, but because it is the right thing to do. Your patients are entrusting you with sensitive, highly personal information, so it is your legal and moral duty to protect it. ProtonMail is the world’s most popular encrypted email service and is fully HIPAA compliant, making it a safe and convenient choice for therapists.
Can therapists communicate with a patient’s friends and family?
Yes. The HIPAA Privacy Rule recognizes the importance of involving a patient’s friends and family in their mental health treatment. Therapists may communicate with such individuals if they have the patient’s consent and believe that doing so is in the best interests of the patient.
Needless to say, any such communication must be done using secure HIPAA compliant channels. For example, using a HIPAA compliant email service.
What happens if a therapist violates HIPAA?
Therapists are subject to the same rules and penalties as other covered entities. Please see What is a HIPAA violation? for more details. Using a HIPAA compliant email service such as ProtonMail helps to reduce the chances of an unintentional HIPAA violation occurring.
Escrow email is a way to send end-to-end encrypted messages to users of email services that are not end-to-end encrypted. To view a message sent in this way, they need to log in to a secure web portal using a password you have previously shared with them. ProtonMail’s Encrypt for non-ProtonMail users feature is such a system, and it allows the recipient to reply in a way that is also end-to-end encrypted.