Email is a great avenue for quick communication with clients. You can use it to direct them to additional resources, follow up on sessions, and even assist in a mental health crisis. Many therapists prefer email to phone calls because it gives them more control over their schedule and limits the stress of managing a client who may talk too long or too much on the phone.

While convenient, email also presents some serious HIPAA concerns. You have a legal duty to protect your clients’ sensitive health information and an ethical duty to ensure that third parties don’t use this information to harm your clients. A comprehensive understanding of the pitfalls of email can help you implement a sensible strategy that protects client confidentiality while preserving the convenience of email.

Common Issues with Email

HIPAA prohibits unauthorized disclosure of protected health information (PHI) such as treatment notes, diagnoses, treatment strategies, and even the fact that a client has sought treatment. Not only must you avoid disclosing this information to unauthorized third parties; you must also take reasonable measures to protect against inadvertent disclosures.

Email can increase the risk of inadvertent disclosures in several ways:

  1. Third parties can read email that travels or is stored without encryption. Webmail and modern mail apps encrypt the connection between the user and their own provider, so a client checking Gmail at a coffee shop or bookstore is exposed to the local network only if their browser or app connects without TLS. The larger exposure is beyond that first hop: mail relayed between providers is encrypted only when both servers support TLS (many relays silently fall back to cleartext), and a readable copy of every message sits on each server along the path, where the provider, or anyone who compromises the provider, can read it.
  2. People with access to a client’s computer or phone may be able to open their email and read their messages with the click of a button. This is an especially common scenario when the client is a child, when employers have access to employee computers, or when a client is in an abusive relationship.
  3. Simple mistakes can expose PHI. You might mistype an address and send a message to the wrong client, or your mail client's autocomplete may fill in the client's partner or parent, who are often in the same address book.
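The interception point in item 1 is visible in the headers of mail you receive: every server that handles a message prepends a Received: line, and the registered "with" keyword (ESMTPS or ESMTPSA for TLS, ESMTP or SMTP for cleartext, per RFC 3848) records whether that hop was encrypted. The audit script below is an added example, not code from the original article; the sample message, host names, and IDs in it are constructed.

```python
"""Audit the Received: chain of an email to see which hops used TLS.

Added example, not code from the original article. Each receiving
server prepends a Received: header; RFC 3848 registers the "with"
keywords ESMTPS / ESMTPSA (TLS, and TLS plus authenticated submission)
next to ESMTP / SMTP (cleartext). Reading them back shows which hops of a
message you received were encrypted. The sample message is constructed.
"""
import email
import re

# Constructed sample: a therapist's message as received by the client's
# provider. The laptop-to-relay hop and the final delivery used TLS; the
# relay handed the message to the practice's MX in cleartext.
SAMPLE_MESSAGE = """\
Received: from mx.example-practice.test (mx.example-practice.test [192.0.2.10])
\tby mail.client-provider.test with ESMTPS id abc123
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
\tMon, 7 Oct 2019 10:03:22 -0400
Received: from relay.legacy-host.test (relay.legacy-host.test [198.51.100.7])
\tby mx.example-practice.test with ESMTP id def456;
\tMon, 7 Oct 2019 10:03:20 -0400
Received: from [10.0.0.5] (therapist-laptop.lan [10.0.0.5])
\tby relay.legacy-host.test with ESMTPSA id ghi789;
\tMon, 7 Oct 2019 10:03:18 -0400
From: therapist@example-practice.test
To: client@client-provider.test
Subject: Follow-up

Body omitted.
"""

# Registered protocol keywords: [UTF8](E)SMTP or LMTP, optional S (TLS), optional A (authenticated).
WITH_RE = re.compile(r"\bwith\s+((?:UTF8)?(?:E?SMTP|LMTP)S?A?)\b", re.I)
FROM_RE = re.compile(r"^from\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
TLS_VERSION_RE = re.compile(r"\bversion=(\S+)")


def parse_hops(raw_message):
    """Return the Received: hops in chronological order (first hop first)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        with_m = WITH_RE.search(flat)
        keyword = with_m.group(1).upper() if with_m else None
        # Unknown keyword (e.g. a webmail front end) -> None, not a verdict.
        tls = None if keyword is None else keyword.endswith(("S", "SA"))
        from_m = FROM_RE.search(flat)
        by_m = BY_RE.search(flat)
        ver_m = TLS_VERSION_RE.search(flat)
        hops.append({
            "from": from_m.group(1) if from_m else None,
            "by": by_m.group(1) if by_m else None,
            "protocol": keyword,
            "tls": tls,
            "tls_version": ver_m.group(1) if ver_m else None,
        })
    hops.reverse()   # headers are prepended, so the last one is the first hop
    return hops


def audit(raw_message):
    """Split hops into cleartext, TLS, and unknown for a quick report."""
    hops = parse_hops(raw_message)
    return {
        "hops": hops,
        "cleartext": [h for h in hops if h["tls"] is False],
        "unknown": [h for h in hops if h["tls"] is None],
    }


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_MESSAGE):
        label = {True: "TLS", False: "CLEARTEXT", None: "unknown"}[hop["tls"]]
        print(f"{hop['from']} -> {hop['by']}: {hop['protocol']} ({label})")
```

Two caveats when reading such a report: it only shows the path of a message you received (you cannot see the path your own outgoing mail took unless the client forwards you the headers), and each Received: line is written by the server that added it, so a hostile or compromised relay can forge its own line and everything below it. A cleartext hop is still a useful signal: ask the provider involved whether TLS can be enforced for that route, or move the conversation to a portal.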

Strategies for Protecting Client Confidentiality

HIPAA's duty to prevent inadvertent disclosure means checking the recipient list every time you send, not just the first time. Some clients copy other people, such as parents or partners, on emails to their therapist; do not use "reply all" unless the client has authorized those recipients in writing, and remove any unauthorized address before sending.
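One way to enforce that check mechanically before a message leaves the practice, as an added example that is not code from the article: it assumes a per-client list of addresses the client has authorized in writing and the practice's wider address book, both constructed here, and flags the mistakes described above (an unauthorized address, a reply-all that keeps a parent or partner on Cc, a typo one or two characters from an authorized address, and a lookalike domain).

```python
"""Pre-send recipient check for outbound client email.

Added example, not code from the original article. It assumes a small
per-client record of addresses the client has authorized in writing, plus
the rest of the practice's address book (both constructed below), and
flags the mistakes the article warns about: an unauthorized address, a
reply-all that keeps a parent or partner on Cc, a typo one or two
characters away from an authorized address, and a lookalike domain.
"""
from email.utils import getaddresses

# Constructed sample data; not real clients or addresses.
AUTHORIZED = {
    "client-001": {"alex.rivera@example.net"},
    "client-002": {"sam.lee@example.org", "sam.lee.partner@example.org"},  # partner authorized in writing
}
ADDRESS_BOOK = {
    "alex.rivera@example.net",
    "p.rivera@example.net",       # client-001's parent, NOT authorized
    "jordan.kim@example.net",     # another client
    "sam.lee@example.org",
    "sam.lee.partner@example.org",
}


def edit_distance(a, b):
    """Levenshtein distance; small enough to recompute per recipient."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract(header_value):
    """Bare, lower-cased addresses from a To:/Cc: header (display names dropped)."""
    return [addr.strip().lower() for _, addr in getaddresses([header_value]) if addr]


def check_recipients(client_id, to, cc="", authorized=AUTHORIZED, address_book=ADDRESS_BOOK):
    """Return a list of findings; an empty list means every recipient is authorized."""
    allowed = {a.lower() for a in authorized.get(client_id, ())}
    findings = []
    if not extract(to):
        findings.append({"field": "To", "address": "", "code": "empty"})
    for field, header in (("To", to), ("Cc", cc)):
        for addr in extract(header):
            if addr in allowed:
                continue
            code = "unauthorized"
            for ok in allowed:
                if edit_distance(addr, ok) <= 2:
                    code = "typo_of_authorized"      # e.g. rivers vs rivera
                    break
                if addr.rsplit("@", 1)[0] == ok.rsplit("@", 1)[0]:
                    code = "lookalike_domain"        # same mailbox, wrong domain
                    break
            if code == "unauthorized" and addr in address_book:
                code = "unauthorized_contact"        # real contact, wrong for this client
            findings.append({"field": field, "address": addr, "code": code})
    return findings


def safe_to_send(client_id, to, cc=""):
    """True only when no finding was raised for To: or Cc:."""
    return not check_recipients(client_id, to, cc)


if __name__ == "__main__":
    # A reply-all that keeps the client's parent on Cc is blocked.
    for f in check_recipients("client-001", "Alex Rivera <alex.rivera@example.net>", cc="p.rivera@example.net"):
        print(f"BLOCK {f['field']}: {f['address']} ({f['code']})")
```

The check is deliberately strict in the direction that matters: anything not on the client's authorized list is a finding, and the finding code only tells you which kind of mistake it most likely is (typo, lookalike domain, or a real contact who should not be on this thread) so the therapist can correct it before sending rather than after.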

The following strategies can help ensure therapist email is HIPAA compliant:

  • Connect to your email only over an encrypted connection (HTTPS webmail, or a mail app configured to use TLS). On a public network at a bookstore, library, or coffee shop, a VPN adds a layer of protection, but the network itself matters less than whether the connection to your mail server is encrypted.
  • Use encrypted email, and know which kind of encryption you have. There are three distinct layers: encryption in transit (TLS between mail servers, which is opportunistic and may silently fall back to cleartext), encryption at rest on the provider's servers under a Business Associate Agreement (BAA), and end-to-end message encryption, where only you and the client can read the content. HIPAA's Security Rule treats encryption as an "addressable" safeguard, which means you must implement it or document why an equivalent measure is reasonable; unencrypted email carrying PHI is very hard to justify. Free consumer Gmail encrypts the connection to Google and stores mail encrypted, but Google will not sign a BAA for free accounts and, like every provider, cannot guarantee TLS to every receiving server. Paid Google Workspace (formerly G Suite) accounts can be covered by a BAA, and add-ons such as Virtru provide end-to-end encryption on top.
  • Talk to clients about how their own habits affect the security of messages. For example, a mail app on a phone without a screen lock, or with message previews on the lock screen, lets anyone who picks up the phone read what you send.
  • Consider a secure messaging portal (sometimes sold as an "escrow" service). The portal emails or texts the client a notification that contains no PHI; the client then logs in to a separate, encrypted site, protected by a password and ideally a second factor, to read and reply. Because the message is never delivered to the client's ordinary inbox, there is no copy at a third-party mail provider and nothing to read on an unlocked phone. This is slightly less convenient, but it removes most of the interception and shoulder-surfing risk.
  • If you work for a practice or health care organization that already has a messaging system, ask whether it is covered by a BAA and how it encrypts messages. If it is, use that system for all client communication, never personal email.

HIPAA-Compliant Email for Therapists

A number of products offer HIPAA-compliant email, and several cater specifically to therapists and medical practices. Keep in mind that compliance comes from the vendor signing a BAA and from how you configure and use the service, not from the product name alone. Paid G Suite (now Google Workspace) is a good option for therapists who like Gmail but need a BAA and stronger security controls; it has a message-level encryption option, but some users find it clunky.

Can Clients Waive HIPAA?

A client can ask for a less secure form of email communication or may authorize you to share information with third parties. To protect both you and the client, document this request in writing, and discuss the risks of unsecured communication first, because the client may not be fully aware of them.

Even when a client requests a less secure form of email communication, that request does not waive your other HIPAA duties. You must still send email only to authorized parties, and you may not disclose health information through other channels or to anyone the client has not authorized. The client's waiver extends only to email.

HIPAA-Compliant Texting

Many therapists use text messages instead of email or for quick information about appointments. Texting raises even more serious HIPAA issues than email: ordinary SMS is not encrypted end to end and passes through the carriers' systems, and on the phone itself texts sit in the default messaging app and often appear as previews on the lock screen, so anyone with access to the client's phone can read them. This is not only a privacy violation; it can pose a real danger to clients in abusive relationships.

Some messaging apps, such as Signal, are end-to-end encrypted, which removes the risk that a carrier, the app's servers, or anyone on the network can read the messages. It does not address someone reading messages directly from the sender's or recipient's phone; screen locks, disabling lock-screen previews, and disappearing messages help with that. A number of HIPAA-compliant texting apps send the client a notification on their phone but require a PIN- or password-protected app to read the actual message.

Protecting client confidentiality is just one of the many challenges therapists face. If you’re running a busy therapy practice, GoodTherapy can help you understand and manage your ethical obligations while growing a thriving business. We offer continuing education classes, myriad resources, and a comprehensive directory that makes it easy for prospective clients to find you. Become a member today!
