For any clinician handling or sending private information through email or any other digital communication method, making sure they adhere to HIPAA regulations is important. In order to protect their clients’ information, having a secure email server, keeping an archive of their communications, and signing a Business Associate Agreement are a few essentials that keep your practice in line with HIPAA privacy protocols. Learn more about HIPAA regulations and how you can stay compliant without much hassle.
Most therapists and clinicians don’t experience a seamless transition through their communication methods. It’s not like other careers, where your personal email can legally become part of your enterprise. While many people get a work email, it’s often not as regulated, and can be added to any email client. However, when your work is related to the medical field, your communications with clients or patients needs to be HIPAA compliant, which brings with it several important aspects you’ll need to consider.
Back in the old days of paper charts, keeping patient health information safe was not a major concern. The charts were kept in a locked office, and there were laws enacted to make sure these paper documents were stored properly in a secure setting. However, with the surge of technological communications in the 1990s, more robust measures were necessary. In order to provide better quality care, people’s information needed to be shared, sometimes with the client themselves or with other medical service providers. But in order to protect a patient’s personal information, these communications needed to be regulated. Enter HIPAA.
HIPAA is a landmark federal statute aimed at providing more security for people’s personal information. It has two main aims: the first is to make sure a client or patient’s information can be shared in responsible ways to ensure high quality services are being rendered. The second, and the one we will be focusing on here, is that when a client’s information is shared, that it must be done so under specific regulations to keep it protected.
While it takes a bit of catching up to learn the HIPAA regulations, it’s a necessary part of running a successful group practice or treatment center because it will help you stay in compliance and you’ll be much more savvy about protecting your clients’ personal health information. Below are the main points behind HIPAA’s security protocol.
When speaking of HIPAA and communication, the key term is encryption. Your email (and overall) compliance rests on it. Encryption means setting up your email messages in such a way that if they are intercepted by a hacker or other mechanisms, that the information in those messages cannot be deciphered. It’s a guarantee that the information being shared will be safe through its digital journey. Encryption can be done at different levels, depending on the importance of the information. HIPAA requires facilities to use third-party encryption programs, or software that makes sure all attachments and text can be individually encrypted, which provides the best security.
These are the expectations for any email communication under HIPAA. However, counseling centers and healthcare providers are allowed to send unencrypted information via email only if the patient or client, who has been made aware of the risks, chooses to do so through their own accord and signs a consent agreement. You will not face a penalty over this as long as you keep the necessary paperwork documenting the patient’s consent.
Another option for some organizations is to set up a patient portal, wherein a client must log into a secure website that contains personal health information. The patient would receive an email with a link that takes them to the secure patient portal, and once they have gained access to the site, they can view all messages and information that the organization makes available. Because the information is all within the portal, email communication no longer needs to be encrypted.
Just as important as your encrypted email is your documentation of the messages received back and forth between your organization and your patients or clients. For this purpose, having a protected archive that keeps track of all emails sent and received is essential, especially in the case of an audit.
A protected email archive stores all emails and also makes them searchable, but the storage aspect takes up a lot of server space if you don’t set it up correctly. For this purpose, email archiving solutions can help by taking over the server burden while still making the emails accessible to those in your organization. Be aware that email backups are not the same as an email archive; data backups can take weeks for an IT professional to sift through to find the right email, while an archive is specifically suited to organize and catalog email communications for easy retrieval.
Many organizations often ask whether an email archive is required by HIPAA. Of course, the answer is not black and white. While HIPAA lists some requirements, it doesn’t always designate a specific way to fulfill those requirements. As you can imagine, HIPAA doesn’t mention requiring an email archive in their regulations. HIPAA does mention, however, that logs need to be kept of any electronic disclosures of patient information. While data backups can keep you in compliance, they might not be as helpful during audits or during the daily operation of your organization. Furthermore, because it’s easier to search an archive, you can easily track down communication with a client and make decisions to provide them with a higher quality service.
One of the final key elements in ensuring HIPAA compliance is the Business Associate Agreement (BAA). This is basically an agreement between an organization that needs HIPAA compliance, such as a treatment center, and a third-party company that performs a service for them. For instance, if you use a specific email server, you need a BAA with that service provider because they are handling secure information. The BAA essentially ensures that the business associate will implement safeguards at all levels to comply with the HIPAA security rule about protecting patient information.
Any service that you choose to use should offer a Business Associate Agreement. If they don’t, that is a tacit implication that they do not provide a service that would meet HIPAA standards, which means it’s not going to help your practice.
Instead of having to do all of this yourself, we have compiled two great resources that are turn-key ready to get you HIPAA compliant. Below we explain how they operate and what features each platform contains to achieve HIPAA compliance. Once you find one you like, all you have to do is sign up and get started!
Hushmail is one of the leading options for communicating with clients while also staying HIPAA compliant. As a paid service, you get everything you need to get started immediately.
Hushmail includes encryption, and it happens behind the scenes. As a therapist, you don’t have to worry about your email communication being encrypted—they do all the work for you. Through Hushmail’s iPhone app or web platform, you can simply check a box that makes the message encrypted, giving you extra safety and flexibility.
Hushmail also provides multiple layers of protection, with several pass throughs in terms of security, privacy, and authentication. Here’s a live report that demonstrates the strength of Hushmail’s security system. Another aspect of the security you get with Hushmail is their two-step authentication. When logging into your account, you will be sent a verification code to your email or phone, and you will only be allowed to open the app if you enter the code. This almost removes the possibility of unauthorized access to your account, which improves security.
Through their friendly user interface, Hushmail makes using their platform easy. You can send email to anyone using Hushmail, so it doesn’t matter what email client your recipient is using. You can also use Hushmail on your smartphone, and syncing contacts and webmail with Hushmail is as easy as setting up Face ID on your iPhone. You can also use Hushmail with other email clients like Outlook, Apple Mail, or Thunderbird.
With Hushmail, you can also maintain a professional touch by adding your own domain name to your email address. If you have a website name, you can add it to the end of your email: firstname.lastname@example.org. If you don’t have a website name, you can add one of their domain names to your email. Furthermore, you can have unlimited aliases, which are emails that mask your real email address. If you don’t feel comfortable giving out your actual address, you can give out an alias and it will redirect your emails to your inbox. It’s just an extra layer of security for you.
Hushmail also counts on a dedicated team of customer support, so if you ever have a question or a problem, you can email, call, or chat with a customer service representative and get to the bottom of the issue. For many therapists, this is an amazing feature because they don’t have IT departments in their practice. Having this added layer of assistance can really make your practice run smoother.
There are many other features to Hushmail. They include an email archiving system, which helps in searching emails and for audits. You can design secure web forms to have your clients enter their information online rather than on paper charts. You can set up email forwarding, manage users, and much more.
Finally, it’s important to note that Hushmail is meant for privacy, and that includes all forms of security regarding emails. Your emails are not mined for data. The information in these emails is not sold to advertisers. Your IP address (a unique address that locates your device in your network) is not added to your emails. Hushmail makes your privacy and the privacy of your clients a priority.
Another option for staying HIPAA compliant is through G-Suite. Using Gmail and the other services provided by Google is very attractive to many people who are already used to the Google platform. Instead of having to learn a whole new user interface, people can simply opt into the paid version of Google products and through some small changes, they will be HIPAA compliant.
Through G-suite, you can still use your own domain name in your email address. For example, if you have a website (www.best-therapist.com), your “@gmail.com” can be changed to match your domain (email@example.com). Already, this adds a touch of professionalism to your email account without having to use a different platform.
Another benefit to the paid version of G-suite is that you can get a Business Associate Agreement (BAA) from Google. Although this is not the only necessary aspect of becoming HIPAA compliant, it’s one of the key components.
G-suite comes with many platforms that are incredibly useful, like Google Docs, Sheets, Forms, Calendar, and Google Drive, the repository for files and information. However, you will need to set up your G-suite properly using this handy guide to make sure you are HIPAA compliant. The document covers every Google app that can be made HIPAA compliant, so it’s a long list. However, the directions are clear and can be completed by anyone with familiarity with Google services.
Of course, even though you may be comfortable using Google products, navigating compliance can be tricky. We can help you make HIPAA compliance a simple process that will ensure efficiency within your treatment facility and simultaneously keep your clients’ or patients’ information safe.
Through the use of technology, like Hushmail and G-Suite, therapists, mental health professionals, and any other clinicians can provide their clients with better care. These services help professionals maintain their clients’ information securely and provide a streamlined approach to online communication, making access to mental health services easier and more convenient.