HIPAA Compliant Email for Therapists
HIPAA compliant email for therapists is a complex subject to discuss because some therapists do not qualify as HIPAA covered entities, others are employees of HIPAA covered entities with no administrative responsibility for HIPAA compliance, and multiple exceptions apply to therapists who do qualify as HIPAA covered entities in their own right.
When discussing HIPAA compliant email for therapists, the first consideration is the therapist’s “HIPAA status”. If a therapist does not conduct any electronic health care transactions for which the Department of Health and Human Services (HHS) has adopted standards under Part 162 of the HIPAA Administrative Simplification Regulations (for example, because they bill patients directly rather than submitting claims to health plans electronically), they do not qualify as a HIPAA covered entity.
However, while HIPAA compliance for email may not be a consideration for a therapist who does not qualify as a HIPAA covered entity, it may be necessary to implement HIPAA-like measures if the therapist practices in a state that has adopted similar privacy or data security regulations, or provides remote services to residents of a state whose privacy regulations reach across state borders (e.g., Texas).
In addition, a non-qualifying therapist may still be required to comply with some HIPAA standards if they provide a service to or on behalf of a HIPAA covered entity as a business associate. In such circumstances, the therapist will have to comply with all applicable HIPAA Privacy Rule standards and implement the necessary Administrative, Physical, and Technical Safeguards of the HIPAA Security Rule.
Employees of Covered Entities and Business Associates
Therapists who work for a covered entity or business associate are not responsible for developing policies and procedures to safeguard the privacy of Protected Health Information (PHI) nor responsible for implementing measures to ensure the confidentiality, integrity, and availability of electronic PHI. However, although they do not have “administrative responsibility” for HIPAA compliance, they do have other compliance responsibilities.
These responsibilities include complying with their employer’s policies and procedures for HIPAA compliant email for therapists and any other HIPAA Privacy Rule standards that are applicable to their roles. Employed therapists must also use email as instructed by their employers and not take shortcuts to get the job done, or use non-sanctioned apps and services to communicate with clients unless an exception applies (see “exceptions” below).
It is also important for employed therapists to be aware they can be sanctioned for any violation of the HIPAA Privacy or Breach Notification Rule by their employer, even if the violated standard has not been covered in HIPAA training. This means that therapists also have a responsibility for understanding the complexities of the HIPAA Privacy Rule and complying with the standards – or exceptions – when no guidance may have been provided by their employer.
The Different Types of HIPAA Covered Therapists
The discussion about HIPAA compliant email for therapists is further complicated by there being different types of HIPAA covered therapists. A therapist that qualifies as a HIPAA covered entity may be a solo practitioner, a hybrid covered entity, part of an affiliated covered entity, or part of an Organized Health Care Arrangement. The distinction can be important when emails are exchanged between therapists about a patient.
When therapists who are HIPAA covered entities in their own right work within an affiliated covered entity or Organized Health Care Arrangement, it is more likely that the network over which emails are exchanged is an internal network protected by a firewall. In such circumstances, some requirements for HIPAA compliant email for therapists (e.g., encryption or other transmission security measures) may not be necessary, provided the organization’s risk analysis supports that decision and the reasoning and any alternative measures are documented.
However, when therapists who work independently of each other exchange emails about a patient with whom they have an indirect treatment relationship, it is usual for emails to be sent by one network or service and received by another. In these circumstances – or when emails are exchanged with patients under any type of treatment relationship – the requirements for HIPAA compliant email for therapists apply, unless an exception exists.
The Privacy Requirements for HIPAA Compliant Emails
The privacy requirements for HIPAA compliant emails are that – if an email contains PHI – the purpose of the email must be required or permitted by the HIPAA Privacy Rule or must be authorized by the patient or their personal representative. For example, uses and disclosures of PHI are permitted for treatment, payment, and health care operations, and for certain purposes permitted by §164.512 of the HIPAA Privacy Rule (e.g., disclosures required by law).
When emails containing PHI are exchanged between therapists who have an indirect treatment relationship with a patient, the PHI disclosed in the email must be limited to the minimum necessary unless the purpose of the email is to discuss treatment options. Disclosures permitted by §164.512 other than those required by law must also be limited to the minimum necessary to achieve the purpose of the disclosure (e.g., for public health activities).
Because it can be inferred that an email sent from a therapist to a patient contains PHI, it is advisable to obtain consent from a patient before sending PHI to a patient via email – even when the email is an appointment reminder or refill reminder. By contrast, it is necessary to obtain consent before emailing PHI to a family member, friend, or caregiver, and necessary to obtain a valid HIPAA authorization before sending a patient a non-exempted marketing email.
The Security Requirements for HIPAA Compliant Emails
The security requirements for HIPAA compliant emails include physical safeguards to protect mail servers and other devices from unauthorized access. The systems used to send and receive emails containing PHI beyond a firewalled network must support access controls, audit logs, person or entity authentication, and transmission security, and the devices used to access therapists’ email accounts should have automatic log-off enabled.
Although encryption is an “addressable” implementation specification – one that must be implemented where it is reasonable and appropriate, with any decision not to implement it documented together with the equivalent alternative measure adopted – it is difficult to think of an alternative that protects the confidentiality and integrity of electronic PHI at rest and in transit as effectively. Care must also be taken to store encryption keys separately from the data they protect (for example, in a hardware security module or key management service): a key stored alongside the mailbox it protects offers little protection if the mailbox is stolen or copied.
Therapists lacking the resources or technical knowledge to comply with the security requirements for HIPAA compliant emails can use a HIPAA compliant email provider. In such circumstances, it is important to enter into a Business Associate Agreement with the email service provider before any PHI is shared, configure the service to support HIPAA compliance (for example, enforcing encryption in transit, enabling audit logging, and requiring strong authentication), and use the service in compliance with the privacy requirements for HIPAA compliant emails.
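The key-separation caveat above is easiest to see in code. The following is an added example written for this page, not code from any email provider or from HHS: it encrypts a stored message body with a one-time data key and keeps only a wrapped copy of that key in the record, while the key-encryption key stays inside a `KeyService` type that is a hypothetical stand-in for an HSM or key management service (it is not a real KMS client). Names such as `KeyService`, `StoredMessage`, `EncryptMessage` and the sample message text are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyService is a hypothetical stand-in for an HSM or cloud KMS (not a real client). It
// holds the key-encryption key (KEK) and exposes only Wrap/Unwrap, so the mail store
// never sees the KEK and a copied mailbox is useless without it.
type KeyService struct{ kek []byte }

// randomBytes returns n bytes from crypto/rand; failure there is unrecoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func NewKeyService() *KeyService { return &KeyService{kek: randomBytes(32)} }

// Wrap/Unwrap protect a per-message data key under the KEK; Unwrap fails under any other KEK.
func (k *KeyService) Wrap(dataKey []byte) ([]byte, error)  { return seal(k.kek, dataKey, nil) }
func (k *KeyService) Unwrap(wrapped []byte) ([]byte, error) { return open(k.kek, wrapped, nil) }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and returns nonce || ciphertext || tag; the tag
// gives integrity, so tampering with the stored bytes is detected on open.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// StoredMessage is the at-rest record: the only key material in it is the wrapped data key.
type StoredMessage struct {
	MessageID  string
	WrappedKey []byte
	Body       []byte
}

// EncryptMessage uses a one-time data key per message, binds the ciphertext to the
// message ID via GCM associated data, and stores only the KEK-wrapped data key.
func EncryptMessage(ks *KeyService, id string, body []byte) (*StoredMessage, error) {
	dataKey := randomBytes(32)
	wrapped, err := ks.Wrap(dataKey)
	if err != nil {
		return nil, err
	}
	ct, err := seal(dataKey, body, []byte(id))
	if err != nil {
		return nil, err
	}
	return &StoredMessage{MessageID: id, WrappedKey: wrapped, Body: ct}, nil
}

// DecryptMessage must go through the KeyService before the body can be read.
func DecryptMessage(ks *KeyService, m *StoredMessage) ([]byte, error) {
	dataKey, err := ks.Unwrap(m.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, m.Body, []byte(m.MessageID))
}

func main() {
	ks := NewKeyService()
	m, err := EncryptMessage(ks, "msg-0001", []byte("Reminder: session Tuesday 10:00")) // constructed sample
	if err != nil {
		panic(err)
	}
	body, err := DecryptMessage(ks, m)
	fmt.Printf("with key service: %q err=%v\n", body, err)
	_, err = DecryptMessage(NewKeyService(), m) // different KEK: a copied mailbox on its own
	fmt.Println("without the right key service:", err)
}
```

The design point is that the mailbox record never contains anything that decrypts itself: an attacker who copies the store gets ciphertext plus a data key that only the key service can unwrap, and any edit to the stored bytes (or an attempt to move a body to another message ID) fails authentication rather than yielding altered PHI.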
HIPAA Compliant Email for Therapists – Exceptions
There are multiple exceptions that apply to HIPAA compliant email for therapists. One of the most significant exceptions is when a patient requests confidential communications via email when the therapist is not using a HIPAA compliant email service. Under §164.522(b) of the HIPAA Privacy Rule, the therapist must accommodate the request if it is reasonable despite the risks to the confidentiality and integrity of electronic PHI.
Conversely, section (a) of the same standard permits patients to request “privacy protections”. This means a patient can request that a therapist restrict certain disclosures of PHI for treatment, payment, or health care operations purposes, or restrict disclosures of PHI to certain entities or individuals. This includes disclosures to other therapists or to a family member, friend, or caregiver for whom consent has previously been given.
With regards to consent – in this case to communicate PHI via email – consent can be assumed if a patient initiates communication with a therapist via email. According to HHS guidance, “the healthcare provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual”. However, it is advisable to alert the patient to any risks of communicating via email and obtain formal consent nonetheless.
Other Considerations for Email Communications in Healthcare
Other considerations for email communications in healthcare that impact HIPAA compliant email for therapists include FTC and FDA regulations, disclaimers, and HIPAA awareness training. The FDA and FTC regulations relate to the frequency of email communications, marketing and advertising on the Internet (when a link in an email redirects to a therapist’s website), and the promotion of health-related products by email.
With regards to disclaimers, several sources advocate HIPAA compliant email for therapists should include HIPAA disclaimers. While emails can include HIPAA disclaimers, they won’t absolve the therapist of an impermissible disclosure if (for example) an email containing PHI is sent to the wrong recipient. Although HIPAA email disclaimers may help reassure genuine recipients that a therapist complies with HIPAA, they serve no other worthwhile purpose.
On the subject of sending an email to the wrong recipient, misdeliveries of PHI account for approximately 8% of HIPAA breach notifications received by HHS’ Office for Civil Rights each year. To put this percentage into context, HHS’ Office for Civil Rights received 64,592 breach notifications in 2022. To avoid impermissible disclosures of this nature, it is recommended that all therapists – whatever their HIPAA status – take HIPAA awareness training to familiarize themselves with the consequences of impermissible disclosures, including healthcare identity theft.

