As a therapist, you’re most likely well aware of the importance of protecting your clients’ protected health information (PHI) when it’s stored online or transmitted through emails and online forms. PHI is defined as any individually identifiable health information. The HIPAA Security Rule states that healthcare practitioners covered by HIPAA must implement technical safeguards of electronic protected health information (ePHI).
Encryption is a very demonstrable safeguard you can use to protect your clients’ ePHI. No doubt you’ve heard about encrypted email, but do you understand enough about encryption to knowledgeably choose an encrypted email and web form service that will give your practice the level of protection it needs?
This is an important question to ask because many people have misconceptions about encryption that prevent them from finding communication tools that could substantially improve their practice’s security. Let’s address some of these misconceptions, so you can shore up your HIPAA compliance with encrypted email and web forms that will help your clients feel safe when they entrust you with their information.
1. HIPAA requires encryption
Not exactly. The Security Rule isn’t specific about what safeguards should be used, leaving this decision up to the practitioner. However, if a data breach occurs and you’re audited, you’ll need to show that you made every effort to safeguard the information. There isn’t a much better way to protect ePHI than with encryption, and if the service you use comes with a signed Business Associate Agreement (BAA), which we’ll explain a bit later, you can feel confident going into an audit.
2. All encryption offers the same level of protection
This is not the case. All encryption is not the same, and understanding the distinction between different types of encryption will help you make an informed decision about what services will best protect your practice. Researching encryption on your own might be a little overwhelming, though. If you run a search for encryption types, you’ll soon find yourself reading about public and private keys, asymmetrical and symmetrical encryption, and various algorithms and protocols. It’s a lot to take in, and most of us don’t need to become experts to pick out an encrypted email service. All you really need to understand is the distinction between TLS encryption and OpenPGP encryption.
Transport Layer Security (TLS) encryption is considered the standard for encryption protection on the web. Gmail encrypts emails with TLS, as do Yahoo and many other email providers.
TLS protects email with encryption while it is in transit, and only as long as every email server along the way supports it. That’s the main problem with TLS encryption: it can be difficult to know whether every server on an email’s journey supports it, and a single link that doesn’t leaves the message exposed on that link. TLS also doesn’t protect information once it’s stored at its final destination.
OpenPGP encryption, on the other hand, protects information both in transit and in storage, because the message itself is encrypted rather than just the connection carrying it. It also must be enabled, either by a switch or a password, adding a layer of security. The encrypted email service Hushmail uses OpenPGP encryption along with TLS to secure its customers’ emails and web forms with several layers of protection.
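The difference between the two kinds of protection is easier to see in a small simulation than in prose. The script below is an added example, not code from the original post or from Hushmail. It models a message passing through a chain of mail servers: with TLS, each link is encrypted with a session key, but every server decrypts the message before passing it on, and the final mailbox stores it in the clear; with message-level (OpenPGP-style) encryption, the sender encrypts the body with the recipient’s key first, so no server and no mailbox ever holds the readable text. The cipher used here is a toy keystream built from HMAC-SHA256 so the example runs with the standard library only; it stands in for TLS and OpenPGP and is not a real cipher. All names and the sample message are constructed for the example.

```python
"""Simulate where an email is readable under transport-only (TLS) versus
message-level (OpenPGP-style) encryption. Added example; the cipher is a
stand-in for illustration, not for real use."""

import hashlib
import hmac
import os
from typing import Dict, List, Optional

NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR `data` with HMAC-SHA256(key, nonce || counter)
    blocks. Encrypting and decrypting are the same operation."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ p for b, p in zip(chunk, pad))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Prefix a fresh random nonce so the same message never encrypts the same way."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def deliver(message: bytes, recipient_key: Optional[bytes], link_has_tls: List[bool]) -> Dict[str, bytes]:
    """Send `message` through len(link_has_tls) mail servers.

    link_has_tls[i] says whether the connection into server i negotiated TLS.
    If `recipient_key` is given, the sender encrypts the body end to end first
    (the OpenPGP case). Returns what an observer on each network link, and the
    final mailbox, would actually hold."""
    observed: Dict[str, bytes] = {}
    body = encrypt(recipient_key, message) if recipient_key else message

    for i, tls in enumerate(link_has_tls):
        if tls:
            # A TLS session key exists only between the two ends of this link;
            # the receiving server decrypts, so TLS protection ends at every hop.
            session_key = os.urandom(32)
            on_wire = encrypt(session_key, body)
            observed[f"link->server{i}"] = on_wire
            body = decrypt(session_key, on_wire)
        else:
            # No TLS on this link: the body crosses the network as-is.
            observed[f"link->server{i}"] = body

    observed["mailbox"] = body  # what the destination stores at rest
    return observed


def exposure_report(observed: Dict[str, bytes], message: bytes) -> Dict[str, bool]:
    """True for every place where the original message is readable."""
    return {place: blob == message for place, blob in observed.items()}


if __name__ == "__main__":
    msg = b"Session notes: client reports improved sleep"  # constructed sample ePHI
    recipient_key = os.urandom(32)

    print("TLS on every link, no message encryption:")
    print(exposure_report(deliver(msg, None, [True, True]), msg))
    print("TLS missing on the second link:")
    print(exposure_report(deliver(msg, None, [True, False]), msg))
    print("OpenPGP-style message encryption plus TLS:")
    print(exposure_report(deliver(msg, recipient_key, [True, True]), msg))
```

Running it shows the mailbox entry as readable in the first two cases and the second network link as readable when TLS is missing there, while the message-encrypted run is unreadable everywhere except to the holder of the recipient key.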
3. Encryption is difficult to use
Encryption might sound complicated, but that doesn’t mean it’s difficult to use – quite the contrary. When businesses first started offering encryption options for consumers several decades ago, it wasn’t very user-friendly and, understandably, practitioners were hesitant to use an email service that could slow down or even obstruct communication.
Today, that’s all changed. You’re most likely using TLS encryption in your daily encounters on the internet. If you see https and a locked padlock icon next to the URL in your web browser, this means TLS is at work. As we mentioned, if you’re using an encrypted email service that uses OpenPGP, encryption needs to be enabled, but even this is usually worked into the email service, so it’s just noticeable enough to assure you that your messages are secure.
Hushmail, for example, automatically encrypts messages by default between Hushmail users, and requires a one-time password from anyone without a Hushmail account. Encryption is now so easy to implement that there’s no longer any reason to be concerned about disruption to your workflow or inconvenience to your clients.
4. Encryption is expensive
Not at all. Many encrypted email services offer an account for a low monthly subscription or even for free. If you’re looking for a HIPAA-compliant service, you’ll want to find one that provides a BAA. This signed document places the responsibility for your emails’ HIPAA compliance on the email service, which is important in case you ever encounter a HIPAA audit. You’ll likely pay a monthly subscription for accounts that offer a BAA, but usually it’s quite affordable and may come with extra features such as encrypted web forms or e-signatures that make the monthly payment well worth it.
Now that you’ve read through this post, you know more than most about encryption and are ready to look for an encrypted email and web form service that will take your practice to the next level of security.
Remember, all encrypted communication services are different. The one you choose will depend on the level of security you want and on extra features such as a BAA, email archiving, and web forms. We also suggest you find one with an excellent reputation for reliable, personal customer service.
If you’d like to take a deeper dive into encryption and how it works, here are a few helpful posts.
Encryption is a lot like a cryptogram, only better
6 essential checks to ensure your encrypted email is HIPAA compliant
Understanding your Hushmail encryption options
This guest blog was provided by Hushmail
About Hushmail: Hushmail has been providing encrypted email services since 1999. Its Hushmail for Healthcare account was specially developed to cater to the communication needs of healthcare professionals. This account includes secure mail encrypted with TLS and OpenPGP encryption, encrypted web forms, a signed BAA, and other features that are included to make your life easier and more secure. Visit Hushmail for Healthcare and try out an account for 60 days, risk free.
About Author: Anabeli has been with Hushmail since 2014 and has over 20 years of marketing and communications experience in various industries, with a special interest in online marketing. Anabeli has a B.A. in Communications Sciences and an MBA with a specialization in marketing. Originally from Mexico, she lived in the U.K. before moving to Vancouver in 2010 and becoming a Canadian citizen. She is fluent in Spanish and English and spends her time outside of Hushmail enjoying her one-year-old daughter and the Vancouver outdoors with her family.