What is HIPAA Compliant Email for Therapists?

The Risk of PHI Exposure in Emails

There are several considerations that therapists must make when determining whether or not they should use email to communicate with patients. This is because malicious entities often target emails to steal sensitive information. 

Part of HIPAA compliant email communications require therapists to receive patient consent to communicate with them via email. Additionally, must warn patients of the risk of having their sensitive information in their emails. While therapists can secure their email communications, it is unlikely that patients will have implemented sufficient security measures to protect them from exposure. As such, using email to share protected health information (PHI) increases the risk of incidental disclosures.

To minimize the risk of accidental PHI exposure on your part, you should consider the following.

Email Errors

There have been many instances in which healthcare workers have caused a breach by sending emails containing PHI to the incorrect recipient. When email addresses are not carefully reviewed before sending an email, inadvertent PHI breaches can easily occur.  This is why it is essential to confirm that you have the recipient’s correct email address before sending them an email containing PHI. 

Shared Devices

When receiving patient consent to send them emails, it is essential to inquire whether other people have access to their emails. Patients that share computers or other devices with family members may have their PHI unintentionally revealed. There are some instances in which this concern may deter a patient from receiving emails from their therapist. If the patient has a condition that they don’t want their family members to know about, or the patient is in an abusive relationship, they would likely not consent to email communications.

Tips for Maintaining Patient Confidentiality in Emails

One obligation of HIPAA requires the confidentiality of PHI to be maintained. As such, you must use secure email, not only when communicating with patients but when communicating PHI with other covered entities or your business associates.

To protect patient confidentiality, you should take the following steps before sending these types of documents or other documents containing PHI.

• Check and double-check the recipient’s email address.
• Do not include PHI in email subject lines. Email subject lines cannot be encrypted, so PHI in an email subject line can easily expose patient information.
• Do not send group emails, especially to multiple patients. When doing so, other recipients’ email addresses can be easily viewed, which is a HIPAA violation as email addresses are considered PHI.
• Take a minute to review your email, including email addresses, subject lines, and attachments, to ensure that you are not inadvertently exposing PHI.

The following are some common healthcare documents that contain PHI:

• Forms, attachments, or messages that contain Social Security numbers or insurance information
• Release of patient records
• CPT codes
• Diagnosis information
• Superbills

Any document that may contain PHI must be sent through an encrypted email service when being sent externally.

Using a HIPAA Compliant Email Encryption Service to Protect Patient Confidentiality

While some email services offer encryption, many do not. Encryption masks data so that unauthorized users cannot read it. Email providers that do not offer encryption leave PHI vulnerable to unauthorized access and therefore do not offer HIPAA compliant email for therapists unless an encryption service is also used. 

Those email services that do not offer encryption are only HIPAA compliant when emails are sent internally, or organizations use an email encryption service when sending external emails. 

However, not all email encryption services are HIPAA compliant. HIPAA compliant email encryption services must be willing to sign business associate agreements with their healthcare clients.

HIPAA Compliant Email for Therapists and Business Associate Agreements

Email service providers and email encryption services are considered business associates when their service is being used to communicate PHI. When your practice sends PHI internally to authorized employees, you must have a business associate agreement (BAA) with your email service provider. When emails are being used for patient communication or external communication, you must have a signed BAA with your email service provider and your email encryption service provider. 

Business associate agreements must be signed with business associates before you share PHI with them. A BAA is a legal document that dictates the safeguards that your business associates must have securing the PHI you share with them. A BAA also requires your business associates to be responsible for maintaining their HIPAA compliance.

Best HIPAA Compliant Email for Therapists

Several email platforms boast HIPAA compliance. While some have built-in encryption services, others require providers to purchase an encryption service to integrate with their email platform.

• HIPAA Vault: provides a standalone email service with encryption services included.

• ProtonMail: provides a standalone email service with encryption services included.

• Microsoft Outlook: can be HIPAA compliant when configured correctly, but users must have the paid version of Outlook.

• Gmail: can be HIPAA compliant but only with the paid version. Users must also purchase an email encryption service that integrates with Gmail, such as Paubox.