
HIPAA Compliant Email for Therapists


Email is a convenient way to communicate, but it carries security implications, and those matter most when the messages are with patients. HIPAA regulates how a healthcare provider may communicate with patients, including the tools used to do so. HIPAA compliant email for therapists therefore has two parts: protecting patient confidentiality in how email is used, and choosing an email and encryption service provider that will operate under HIPAA.

Tips for Maintaining Patient Confidentiality in Emails

HIPAA compliant email for therapists starts with patient consent. Obtain explicit written permission from each patient before communicating with them by email, and, in addition to that authorization, warn them of the security implications of email communication.

Therapists can secure their own side of an email exchange, but patients are unlikely to secure theirs without guidance from their healthcare provider. A patient who shares a device, such as a phone or computer, with others risks exposing those emails to them, and patients are also targets for phishing.

To protect patient confidentiality on your side, consider taking the following steps to comply with HIPAA and with the relevant state law on email communication with patients/clients in the United States:

  • Implement HIPAA compliant encryption before sending emails containing PHI.
  • Have a signed business associate agreement with your email service provider and, if it is a different company, with your encryption service.
  • Check and double-check the recipient’s email address. Providers should do this by sending an email to the patient that does not contain PHI before sending one that does.
  • Do not include PHI in email subject lines. The subject is a message header, and end-to-end email encryption (S/MIME, PGP/MIME and most encryption add-ons) encrypts only the body and attachments; the subject stays readable on every mail server the message passes through.
  • Review email attachments to ensure that the correct document is attached.
  • Do not send group emails, especially to multiple patients.
  • Include mention of your email procedures in your informed consent document and discussion.
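The list above as an automated pre-send check, added here as an example; it is not code from the original article or from Compliancy Group. It uses only the Python standard library and assumes the message has already been end-to-end encrypted as PGP/MIME (RFC 3156 multipart/encrypted) or S/MIME (application/pkcs7-mime enveloped-data); the "verified recipients" set stands for addresses that have already received and acknowledged a PHI-free test email, the address check described above. The PHI subject patterns and the sample messages are constructed for the example.

```python
"""Pre-send checks for a clinical email (added example, standard library only).

Assumptions not taken from the article: the body is already end-to-end
encrypted (PGP/MIME or S/MIME), and VERIFIED_RECIPIENTS holds addresses that
acknowledged a PHI-free test email before any PHI is sent to them.
"""
import re
from email import encoders, policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.parser import BytesParser
from email.utils import getaddresses

# Hypothetical patterns for things that must never appear in a Subject header:
# an SSN-shaped number, a medical record number, or clinical wording.
PHI_SUBJECT_PATTERNS = (
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    re.compile(r"\bMRN\s*[:#]?\s*\d+", re.I),
    re.compile(r"\b(?:diagnosis|dx|session notes?|treatment plan)\b", re.I),
)


def is_end_to_end_encrypted(msg):
    """True only when the body is encrypted to the recipient's key.
    Transport TLS does not count: it protects the hop, not the mailbox."""
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":
        return msg.get_param("protocol") == "application/pgp-encrypted"
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return msg.get_param("smime-type") == "enveloped-data"
    return False


def recipients(msg):
    """All addresses in To/Cc/Bcc, lower-cased."""
    raw = [str(v) for h in ("To", "Cc", "Bcc") for v in msg.get_all(h, [])]
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def presend_checks(raw_message, verified_recipients):
    """Return a list of problems; an empty list means the message may be sent."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    problems = []
    rcpts = recipients(msg)
    if not rcpts:
        problems.append("no recipient")
    elif len(rcpts) > 1:
        problems.append("group email: %d recipients" % len(rcpts))
    for r in rcpts:
        if r not in verified_recipients:
            problems.append("recipient not confirmed with a PHI-free test email: " + r)
    subject = str(msg.get("Subject", ""))
    if any(p.search(subject) for p in PHI_SUBJECT_PATTERNS):
        problems.append("subject line appears to contain PHI: %r" % subject)
    if not is_end_to_end_encrypted(msg):
        problems.append("body is not end-to-end encrypted")
    return problems


def build_pgp_mime(sender, to, subject, armored_ciphertext):
    """Wrap already-produced PGP ciphertext in the RFC 3156 multipart/encrypted
    container. Only the container is built here; gpg produces the ciphertext."""
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    outer["From"] = sender
    outer["To"] = to
    outer["Subject"] = subject   # header: stays in the clear, see below
    outer.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted", encoders.encode_7or8bit))
    outer.attach(MIMEApplication(armored_ciphertext, "octet-stream", encoders.encode_7or8bit))
    return outer.as_bytes()


# Constructed placeholder ciphertext; a real one comes from `gpg --encrypt --armor`.
FAKE_ARMOR = (b"-----BEGIN PGP MESSAGE-----\n"
              b"hQEMA0FBQUFBQUFBAQf/placeholder\n"
              b"-----END PGP MESSAGE-----\n")

VERIFIED_RECIPIENTS = {"patient@example.com"}   # acknowledged a PHI-free test email

ENCRYPTED_OK = build_pgp_mime("therapist@example.com", "patient@example.com",
                              "Your appointment", FAKE_ARMOR)

# Constructed bad message: plaintext, PHI in the subject, group send, one unverified address.
PLAINTEXT_GROUP = (b"From: therapist@example.com\r\n"
                   b"To: patient@example.com, other@example.org\r\n"
                   b"Subject: Session notes, MRN 44817\r\n"
                   b"Content-Type: text/plain\r\n\r\n"
                   b"Discussed treatment plan.\r\n")

if __name__ == "__main__":
    print(presend_checks(ENCRYPTED_OK, VERIFIED_RECIPIENTS))
    print(presend_checks(PLAINTEXT_GROUP, VERIFIED_RECIPIENTS))
    # Even the correctly encrypted message carries its Subject header in the clear:
    print(b"Subject: Your appointment" in ENCRYPTED_OK)
```

The last line of the `__main__` block is the point of the subject-line rule: the properly encrypted message still contains `Subject: Your appointment` as plain bytes, because PGP/MIME and S/MIME wrap the body, not the headers. The check is deliberately conservative; a false positive on the subject pattern costs a moment's review, a false negative is a breach.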

Protecting Patient Confidentiality with HIPAA Compliant Email Encryption

Encryption is essential to the security of email communications: it transforms the data so that anyone without the key cannot read it. Without encryption, PHI in email is exposed to unauthorized access, so sending unencrypted PHI by email is not HIPAA compliant.

Some email providers include message encryption, but in many cases the setting has to be turned on; it is not active by default. Several popular email platforms offer no message encryption at all, so an encryption add-on must be purchased from a third-party service. Note that the TLS most providers use between mail servers protects a message only while it is moving between servers; it does not encrypt the message at rest in either mailbox, which is why a message-level encryption service is still needed. Not every email encryption service is HIPAA compliant, either: a HIPAA compliant encryption service must be willing to sign a business associate agreement with its healthcare clients.

An email service provider is a business associate whenever its service is used to communicate PHI. HIPAA requires a signed business associate agreement (BAA) with the email service provider before the service is used for PHI, whether with patients or with other external parties. A provider that will not sign a BAA cannot be used in a HIPAA compliant way.

Several email platforms will sign BAAs with their healthcare clients and can be used in compliance with HIPAA. However, many of these services require additional security measures (encryption) to be implemented to make email communications HIPAA compliant. While some email services have built-in encryption services, others require providers to purchase an encryption service to integrate with their email platform.

Which Companies Offer HIPAA Compliant Email?

For several examples of HIPAA compliant email service providers, search for the “Clinical Email” category in Telehealth.org’s Telehealth & Technology Buyer’s Guide. This article by Hushmail may also be of interest.

This Article is Contributed by Compliancy Group


Disclaimer: Telehealth.org offers information as educational material designed to inform you of issues, products, or services potentially of interest. We cannot and do not accept liability for your decisions regarding any information offered. Please conduct your due diligence before taking action. Also, the views and opinions expressed are not intended to malign any organization, company, or individual. Product names, logos, brands, and other trademarks or images are the property of their respective trademark holders. There is no affiliation, sponsorship, or partnership suggested by using these brands unless contained in an ad. We do not and cannot offer legal, ethical, billing, technical, medical, or therapeutic advice. Use of this site constitutes your agreement to Telehealth.org Privacy Policy and Terms and Conditions.
