The Convoluted Maze of HIPAA-Compliant Email and How to Navigate It

Email could arguably be one of THE most misunderstood aspects of HIPAA. Part of the confusion stems from the fact that there is no ONE place in HIPAA that says “Do email like this.” Instead, email is referenced, directly or indirectly, in a variety of places throughout the HIPAA rules and the HHS guidance that accompanies them. What causes some of the misunderstanding is that people will find a guideline that pertains to email in ONE place and assume that if they do that one thing, they’re good. Unfortunately, that conclusion is not unlike what you get when several people with visual impairments are put in front of an elephant and asked to describe it. We may get a beautiful description of an elephant’s trunk, but to assume that’s ALL an elephant is would be incorrect.

A great illustration of this point is the following: there’s a section in the HIPAA Privacy Rule (the patient’s right to request confidential communications by alternative means, 45 CFR 164.522(b)) that, together with HHS guidance, obligates us to use unencrypted email if a patient requests it. If you’re only looking at that section, it would be easy to say, “Great! I’ll just include a line in my Informed Consent asking people if they want to opt out of encrypted email and then I’ll be all set!” Well . . . no. Both the HIPAA Security Rule and the HITECH Act make it clear that our first and foremost responsibility around Protected Health Information, which includes most email, is to safeguard it, and encryption is the expected way to do that. (Strictly speaking, encryption is an “addressable” specification in the Security Rule, but addressable does not mean optional: if you don’t encrypt, you must document why and what equivalent safeguard you use instead, and under HITECH only properly encrypted PHI is exempt from breach notification.) That reference in the Privacy Rule is meant to be an exception. For example, a patient might let us know that they’re having difficulty using our encrypted email system and ask us to use their Gmail account instead. At that point, our job is to send them a release to sign that also educates them about the problems with unencrypted email: it can be read by anyone who handles it in transit or has access to the receiving mailbox, neither of which you control, and some consumer providers’ terms of service allow them to scan message content. However, assuming they sign the release, then yes, HIPAA DOES require us to make reasonable accommodations and send unencrypted email to the account the patient requested. Again, though, that’s the exception. It should not be a question you routinely ask patients on your intake documentation, but rather an accommodation you make for those individuals who request it. Keep the signed release with the chart; that record is what shows the risk was accepted by the patient rather than overlooked by you.

An error in the opposite direction would be to require ALL patients to use your encrypted email. Although that’s certainly the safest approach to email, it doesn’t adequately account for patients who might have difficulty accessing your system for some reason, and the Privacy Rule expects you to honor reasonable requests for an alternative means of communication.

Another complication is that although the HIPAA rules make it clear that our communications with patients should be protected, they do not specify the type of encryption. This is deliberate: the Security Rule was written to be technology-neutral. Its authors could not have been expected to know which types of encryption would be best for every practice setting, and technology changes so often that even among tech-savvy folks, today’s “best encryption” may not be tomorrow’s ideal. For both of those reasons, the choice is left up to us. “Us” in this case includes both developers of healthcare software and the healthcare providers using those products. That doesn’t leave us without a benchmark, though: HHS’s breach notification guidance points to the NIST standards for encrypting data at rest (NIST SP 800-111) and data in transit (for example NIST SP 800-52 for TLS) as the bar for PHI to count as “secured.” When you evaluate a product, ask whether its encryption meets those standards.

Unfortunately, the lack of specificity about the type of encryption required can lead to misleading marketing. For example, some commercial products can accurately claim that they are “HIPAA compliant” even though their email is only encrypted part of the time and/or in certain specific situations. A common pattern is encrypting only when the recipient’s mail server happens to support TLS and quietly falling back to plaintext when it doesn’t. Most healthcare professionals are unlikely to dig deeply enough to uncover the truth, which is that if they use those products and their email DOES get breached in some way, it’s the healthcare professional who will be held responsible for that breach. They can be fined and have other sanctions imposed. The software company will generally NOT be fined for that breach because it provided an encrypted product, and usually, if you dig deeply enough in its documentation, you’ll find disclosures explaining the circumstances under which the product does NOT encrypt. (A vendor that stores or transmits your PHI is a business associate and must sign a Business Associate Agreement with you; that makes it liable for its own failures, but not for your decision to use it in a mode it told you was unencrypted.) Whether you agree with those kinds of business practices or find them appalling, that’s the way the laws around this are at this point. The practical check is simple: before you trust a product, find the page in its documentation that says when messages are NOT encrypted, and make sure that case never applies to the way you’ll use it.

The final concern about email is that, since it’s considered part of the patient’s medical record, we’re required to keep it for however many years our state and professional organizations require. This includes all patient emails to you as well as your responses back to them. Systems that don’t provide threaded email, i.e., that keep only what a patient sent you or only what you sent them, aren’t sufficient, and neither are systems that automatically delete messages after a period shorter than your retention requirement.

So what do we do? The good news is that, although HIPAA email compliance is challenging to understand, it is NOT difficult to implement. In general, if BOTH parties must use a unique password and log in to the same system to send and/or read their email, that system is probably safe: the message never travels over the public email network between two providers, which is where ordinary email loses its protection (encryption between mail servers is opportunistic, and a message can be relayed in plaintext if any hop along the way doesn’t support it). Email products that don’t require that are more suspect. A login requirement is the minimum, not the whole story; the system should also encrypt stored messages, keep an audit log of who accessed them, and support strong passwords or multi-factor authentication. Personally, I tend to favor healthcare Portals over systems that primarily offer only email, for these reasons:

  • With Portals, assuming the product is integrated with an EHR/EMR, all emails are kept with everything else in that patient’s medical record. The entire chart is in one place, not scattered among several programs and/or filing cabinets.
  • Portals make us look more professional. These days, people are getting used to their medical professionals having Portals and are beginning to expect the same from their mental health professionals.

If you’re looking for a good encrypted email product, the free email that is provided with each PSYBooks EHR/Portal subscription checks all the boxes. Both parties must log in, emails are threaded, keeping both your patients’ emails to you and your responses to them in one place, and you can keep them for as long as required. You won’t find any disclaimers about the type of encryption we use with our email because it’s designed with 100% end-to-end encryption, both “in motion” (in transit, as emails are sent and received) and “at rest” (when emails are just sitting in your inbox, a patient folder, etc.).

If you’d like to try it for yourself, you can sign up for a 30-day free trial and/or schedule a free demo with our support staff. We’re very proud of our email and would love to share it with you.

Published March 27th, 2022 (last updated 2022-05-16) | Categories: Current, Features, HIPAA/HITECH

About the Author:

Susan C. Litton, Ph.D. holds degrees in both psychology and IT. In addition to being the developer of the PSYBooks EHR & Portal, she's been a practicing clinical psychologist in Decatur, GA, since 1985.