This dilemma is being discussed endlessly on HIPAA boards, and opinions vary. It is clear that emailing (or texting) clients is not a secure practice. PHI may be transmitted when we email, and the information is available to the companies that we use to email. Further, there are plenty of other risks, including the capacity for an email account to be hacked, for email messages to be misdelivered, or delivered appropriately but overseen by the wrong person.
So, are there solutions? Yes. And, happily, HIPAA is written to allow providers some leeway in choosing solutions that are the best fit for your practice. Here are some options:
- Do not email with clients (unsatisfactory solution, but it’s an option—and very secure.)
- Use encrypted email (Requires you and your client to jump through a few additional steps to send/receive email. Some may find these steps burdensome.)
- Purchase a HIPAA compliant service that provides clients with a secure “portal” for emailing you. (This is a very secure option, but does require the client to log in to a website to send/receive messages.)
- Provide clients with written information about the potential risks of emailing, and allow them to choose whether they would like to continue to email in spite of those risks. If you feel this is an ethical and appropriate fit for your clients and your practice, you’d also want to limit content and have an expiration date on the consent. Read more about this option here, on the OCR’s own FAQ page. https://www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology/570.html
Whatever you choose, make it an important part of your risk assessment, and document thoroughly.
Katie Malinski, LCSW is a therapist in private practice in Austin, Texas and the creator of the workshop “Ducks in a Row: HIPAA for Therapists.” You are warmly welcomed to visit the website www.HIPAAforTherapists.com for training information, articles, and other free resources.
This article is the first of a series of articles that will be contributed by various guest bloggers for SimplePractice. If you are interested in blogging with us, please email fletcher@simplepractice.com.
How SimplePractice streamlines running your practice
SimplePractice is HIPAA-compliant practice management software with everything you need to run your practice built into the platform—from booking and scheduling to insurance and client billing.
If you’ve been considering switching to an EHR system, SimplePractice empowers you to streamline appointment bookings, reminders, and rescheduling and simplify the billing and coding process—so you get more time for the things that matter most to you.
Try SimplePractice free for 30 days. No credit card required.