I was recently asked about setting up a private practice email with HIPAA compliance in mind. The first two things to remember:
- Your email is not technically HIPAA compliant unless you have a Business Associate Agreement (BAA) with the email provider
- AND you use it properly.
In other words, there are limits to what you should send in an email message, even when set up with a BAA.
The following is from the newest edition of the Guide (the annual revision is in progress as of February 2021 and will replace the current edition). I use Google Workspace with a BAA, so you will see more details below regarding this option.
Here’s the info in the upcoming revision of the Guide.
Choosing Your Psychotherapy Practice Email
Figuring out which email service to use will take some time and consideration for cost and convenience. Your decision might be influenced by services you are already using.
- Have a Google account already? Consider Google Workspace with the BAA. https://gsuite.google.com/features/
- Have a Microsoft Office 365 account (or use Outlook)? Read this article for details. https://compliancy-group.com/is-office-365-hipaa-compliant/
Both of those services offer additional features you will appreciate sooner or later.
Some Electronic Health Records (EHR) have integrated email in addition to Secure Messaging.
Secure Messaging within the EHR is the safest way to communicate electronically with your client because HIPAA Compliance is built into the EHR. The client must sign in on their end to see the content of the message within their Client Portal.
While EHRs use email to send things like invoices, statements, superbills, reminder messages, informed consents, intake questionnaires, documents, and PDFs, not all of them allow you to free-type a general communication email. For example, if you want to send a client resource information, you may need to use an email system outside of the EHR.
I know, confusing…
Remember: Any email communication is a legal part of a client’s record, whether it is sent within an EHR or outside of it.
Emails to and from your client are considered e-PHI (electronic Protected Health Information).
Remember: The email service must offer a BAA (and you need to find out how to obtain it after you sign up – some services require a phone call, others require flipping through a zillion web pages of instructions to find it).
It is generally recommended that the only information you communicate via email is related to scheduling.
Before you communicate via email with a client, you must provide Informed Consent for email communication. Here are a few examples (a simple Google search will provide many examples):
A disclaimer in your Email Signature is important as well. Here’s an email disclaimer example:
The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please delete the material from any computer. Please note that Gmail/email communication is not considered HIPAA Compliant for Protected Health Information. By emailing or texting (clinician name) you understand and accept the risk of email or text potentially not being secure. Do not send Protected Health Information via email or text.
A client cannot “waive HIPAA” nor can they waive your responsibility to protect their Protected Health Information (PHI). They can, however, consent to use of email and texting for specific information such as Appointment Reminder Messages (Informed Consent you require them to review and sign).
Consider Encryption (an extra layer of protection), but don’t stress too much about it: https://telehealth.org/hipaa-compliant-email/
Three HIPAA Compliant Email examples to check out (then do your own Google Search):
- MailHippo – adds to your existing email, $4.95 per month https://www.mailhippo.com/
- HushMail – $9.99 per month https://www.hushmail.com/business/healthcare/hipaa-compliant-email/
- Google Workspace (previously known as G-Suite) – $6.00 per month https://gsuite.google.com/
  - This also gives you access to Google Docs, Forms, Spreadsheets, and many other cool options you will appreciate later: https://gsuite.google.com/features/
  - You must activate the BAA after signing up for Google Workspace.
  - Encryption is available.
  - Here’s an article on a fantastic resource you should follow: https://practiceoftherapy.com/gmail-google-apps-counselors/
  - Step-by-step guide for making G-Suite HIPAA Compliant: https://privatepracticeskills.com/hipaa-compliant-email-therapists-g-suite/
  - Requires a domain – the domain is the URL for your future website, which you should purchase ahead of time to protect your cyberspace real estate. Check out these options (and do a Google search for purchasing a domain) for purchasing your URL domain:
Hint: name.com is the URL so theoretically an email for this domain could be YourName@name.com.
Here’s mine: bonniemckeeganlcsw @ bonniemckeeganlcsw.net (spaces intentional to avoid spam bot crawlers). It’s too long, but I didn’t know what I was doing when I set it up. Learn from my mistake, make your name part shorter ;-). bonniemckeeganlcsw.net is another website URL (domain) I own.
Regarding that URL domain you may need for your new email (or you may be thinking about for a website address), you can purchase the URL domain for your future website without ever creating an actual website.
Assignment: Choose Your New Professional HIPAA Compliant Email
What HIPAA Compliant Email service are you using? Would you mind sharing with readers what you like or dislike about it?