Four common misconceptions about encryption and encrypted email

Tuesday, August 6, 2019
encrypted email, Hushmail, ePHI, HIPAA compliance, misconceptions about encryption

As a therapist, you’re most likely well aware of the importance of protecting your clients’ protected health information (PHI) when it’s stored online or transmitted through emails and online forms. PHI is defined as any individually identifiable health information. The HIPAA Security Rule states that healthcare practitioners covered by HIPAA must implement technical safeguards of electronic protected health information (ePHI).

Encryption is a very demonstrable safeguard you can use to protect your clients’ ePHI. No doubt you’ve heard about encrypted email, but do you understand enough about encryption to knowledgeably choose an encrypted email and web form service that will give your practice the level of protection it needs?

This is an important question to ask because many people have misconceptions about encryption that prevent them from finding communication tools that could substantially improve their practice’s security. Let’s address some of these misconceptions, so you can shore up your HIPAA compliance with encrypted email and web forms that will help your clients feel safe when they entrust you with their information.

1. HIPAA requires encryption

Not exactly. The Security Rule isn’t specific about which safeguards should be used, leaving that decision up to the practitioner. However, if a data breach occurs and you’re audited, you’ll need to show that you made every effort to safeguard the information. There are few better ways to protect ePHI than encryption, and if the service you use comes with a signed Business Associate Agreement (BAA), which we’ll explain a bit later, you can feel confident going into an audit.

2. All encryption offers the same level of protection

This is not the case. All encryption is not the same, and understanding the distinction between different types of encryption will help you make an informed decision about which services will best protect your practice. Researching encryption on your own might be a little overwhelming, though. If you run a search for encryption types, you’ll soon find yourself reading about public and private keys, asymmetric and symmetric encryption, and various algorithms and protocols. It’s a lot to take in, and most of us don’t need to become experts to pick out an encrypted email service. All you really need to understand is the distinction between TLS encryption and OpenPGP encryption.

Transport Layer Security (TLS) encryption is considered the standard for encryption protection on the web. Gmail encrypts emails with TLS, as do Yahoo and many other email providers.

TLS protects email during transit, but only hop by hop: each server-to-server connection along the way negotiates its own TLS session, the message is decrypted at every relay, and a single relay that doesn’t support TLS passes it on in the clear. That’s the main problem with TLS encryption: it can be difficult to know whether every server on an email’s journey supports it. TLS also doesn’t protect information once it’s stored at its final destination.

OpenPGP encryption, on the other hand, encrypts the message content itself, so the information stays protected both in transit and in storage, whichever servers it passes through. It also must be enabled, either by a switch or a password, adding a layer of security. The encrypted email service Hushmail uses OpenPGP encryption along with TLS to secure its customers’ emails and web forms with several layers of protection.
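The only record a recipient has of the servers a message passed through is the trail of Received: headers, and the script below is an added example (not Hushmail’s code) of what “all of the servers along the way” means in practice. It parses a constructed sample message, reads the protocol keyword each relay recorded (per RFC 3848, ESMTPS and ESMTPSA mean the session used TLS; plain SMTP, ESMTP and ESMTPA mean it did not), and reports any hop that was relayed in the clear. The hostnames, addresses and ids in the sample are made up. Two caveats a practitioner should keep in mind: Received: headers are written by the relays themselves, so a careless or forged header can misreport, and nothing in this trail says anything about how the message is stored at either end.

```python
"""Check the Received: trail of an email for hops that did not use TLS.

Added illustration, not Hushmail code. Every mail server that relays a
message prepends a Received: header. RFC 3848 registers the "with" keywords
ESMTPS / ESMTPSA for SMTP sessions protected by TLS and SMTP / ESMTP / ESMTPA
for unprotected ones; RFC 6531 adds the UTF8SMTP variants. Reading these
keywords is the closest a recipient can get to verifying that each hop in
transit was encrypted. It also shows why that assurance is weak: one relay
speaking plain ESMTP is enough to expose the message in transit.
"""
import email
import re

# Constructed sample (hosts, addresses and ids are invented): the first and
# last hops used TLS, but the intermediate relay accepted plain ESMTP.
SAMPLE_MESSAGE = """\
Received: from relay2.example.net (relay2.example.net [192.0.2.20])
\tby mx.example.org with ESMTPS id abc123
\tfor <therapist@example.org>; Tue, 6 Aug 2019 10:02:01 +0000
Received: from relay1.example.com (relay1.example.com [192.0.2.10])
\tby relay2.example.net with ESMTP id def456;
\tTue, 6 Aug 2019 10:01:58 +0000
Received: from client-laptop (unknown [203.0.113.5])
\tby relay1.example.com with ESMTPSA id ghi789;
\tTue, 6 Aug 2019 10:01:55 +0000
From: client@example.com
To: therapist@example.org
Subject: Intake form
Content-Type: text/plain; charset="utf-8"

Hello, attached is my intake information.
"""

# "with" protocol keywords whose trailing S means the session used TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
_FROM_RE = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)
_BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
_WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)


def parse_hops(raw_message):
    """Return hops in delivery order as (from, by, protocol, used_tls) tuples."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each relay prepends its Received: header, so the newest is first;
    # reverse the list to read the trail in the order the message travelled.
    for header in reversed(msg.get_all("Received", [])):
        flat = " ".join(str(header).split())  # unfold continuation lines
        sender = _FROM_RE.match(flat)
        receiver = _BY_RE.search(flat)
        proto = _WITH_RE.search(flat)
        protocol = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append((
            sender.group(1) if sender else "?",
            receiver.group(1) if receiver else "?",
            protocol,
            protocol in TLS_PROTOCOLS,
        ))
    return hops


def unencrypted_hops(raw_message):
    """Hops whose Received: header does not claim a TLS-protected session."""
    return [hop for hop in parse_hops(raw_message) if not hop[3]]


if __name__ == "__main__":
    for sender, receiver, protocol, used_tls in parse_hops(SAMPLE_MESSAGE):
        status = "TLS" if used_tls else "PLAINTEXT"
        print(f"{sender:>22} -> {receiver:<22} {protocol:<10} {status}")
    for hop in unencrypted_hops(SAMPLE_MESSAGE):
        print(f"warning: {hop[0]} -> {hop[1]} was relayed without TLS")
```

Running the file prints one line per hop and flags the relay1-to-relay2 leg, which is exactly the kind of gap a sender has no way to see from their own mail client.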

3. Encryption is difficult to use

Encryption might sound complicated, but that doesn’t mean it’s difficult to use – quite the contrary. When businesses first started offering encryption options for consumers several decades ago, it wasn’t very user-friendly and, understandably, practitioners were hesitant to use an email service that could slow down or even obstruct communication.

Today, that’s all changed. You’re most likely using TLS encryption in your daily encounters on the internet. If you see https and a locked padlock icon next to the URL in your web browser, this means TLS is at work. As we mentioned, if you’re using an encrypted email service that uses OpenPGP, encryption needs to be enabled, but even this is usually worked into the email service, so it’s just noticeable enough to assure you that your messages are secure.

Hushmail, for example, automatically encrypts messages by default between Hushmail users, and requires a one-time password generation from anyone without a Hushmail account. Encryption is now so easy to implement, there’s no longer any reason to be concerned about disruption to your workflow or inconvenience to your clients.

4. Encryption is expensive

Not at all. Many encrypted email services offer an account for a low monthly subscription or even free. If you’re looking for a HIPAA-compliant service, you’ll want to find one that provides a BAA. This signed document places the responsibility for your emails’ HIPAA compliance on the email service, which is important in case you ever encounter a HIPAA audit. You’ll likely pay a monthly subscription for accounts that offer a BAA, but usually it’s quite affordable and may come with extra features such as encrypted web forms or e-signatures that make the monthly payment well worth it.

Now that you’ve read through this post, you know more than most about encryption and are ready to look for an encrypted email and web form service that will take your practice to the next level of security.

Remember, all encrypted communication services are different. The one you choose will depend on the level of security you want and extra features such as a BAA, email archive, and web forms. We also suggest you find one with an excellent reputation for reliable, personal customer service.

If you’d like to take a deeper dive into encryption and how it works, here are a few helpful posts.

Encryption is a lot like a cryptogram, only better
6 essential checks to ensure your encrypted email is HIPAA compliant
Understanding your Hushmail encryption options

This guest blog was provided by Hushmail

About Hushmail: Hushmail has been providing encrypted email services since 1999. Its Hushmail for Healthcare account was specially developed to cater to the communication needs of healthcare professionals. This account includes secure mail encrypted with TLS and OpenPGP encryption, encrypted web forms, a signed BAA, and other features that are included to make your life easier and more secure. Visit Hushmail for Healthcare and try out an account for 60 days, risk free.

About Author: Anabeli has been with Hushmail since 2014 and has over 20 years of marketing and communications experience in various industries, with a special interest in online marketing. Anabeli has a B.A. in Communications Sciences and an MBA with a specialization in marketing. Originally from Mexico, she lived in the U.K. before moving to Vancouver in 2010 and becoming a Canadian citizen. She is fluent in Spanish and English and spends her time outside of Hushmail enjoying her one-year-old daughter and the Vancouver outdoors with her family.
