Four common misconceptions about encryption and encrypted email

  • Tuesday, August 6, 2019
encrypted email, Hushmail, ePHI, HIPAA compliance, misconceptions about encryption
As a therapist, you’re most likely well aware of the importance of protecting your clients’ protected health information (PHI) when it’s stored online or transmitted through emails and online forms. PHI is defined as any individually identifiable health information. The HIPAA Security Rule states that healthcare practitioners covered by HIPAA must implement technical safeguards of electronic protected health information (ePHI).

Encryption is a very demonstrable safeguard you can use to protect your clients’ ePHI. No doubt you’ve heard about encrypted email, but do you understand enough about encryption to knowledgeably choose an encrypted email and web form service that will give your practice the level of protection it needs?

This is an important question to ask because many people have misconceptions about encryption that prevent them from finding communication tools that could substantially improve their practice’s security. Let’s address some of these misconceptions, so you can shore up your HIPAA compliance with encrypted email and web forms that will help your clients feel safe when they entrust you with their information.

1. HIPAA requires encryption

Not exactly. The Security Rule isn’t specific about what safeguards should be used, leaving this decision up to the practitioner. However, if a data breach occurs and you’re audited, you’ll need to show that you made every effort to safeguard the information. There isn’t a much better way to protect ePHI than with encryption, and if the service you use comes with a signed Business Associate Agreement (BAA), which we’ll explain a bit later, you can feel confident going into an audit.

2. All encryption offers the same level of protection

This is not the case. All encryption is not the same, and understanding the distinction between different types of encryption will help you make an informed decision about what services will best protect your practice. Researching encryption on your own might be a little overwhelming, though. If you run a search for encryption types, you’ll soon find yourself reading about public and private keys, asymmetrical and symmetrical encryption, and various algorithms and protocols. It’s a lot to take in, and most of us don’t need to become experts to pick out an encrypted email service. All you really need to understand is the distinction between TLS encryption and OpenPGP encryption.

Transport Layer Security (TLS) encryption is considered the standard for encryption protection on the web. Gmail encrypts emails with TLS, as does Yahoo and many other email providers.

TLS protects email with encryption during transit as long as all of the email servers used along the way support it. That’s the main problem with TLS encryption. It can be difficult to know if it’s supported by all the servers used during an email’s journey. TLS also doesn’t protect information when it’s stored at its final destination.

OpenPGP encryption, on the other hand, protects information during transit and in storage. It also must be enabled either by a switch or password, adding a layer of security. The encrypted email service Hushmail uses OpenPGP encryption along with TLS to secure their customers’ emails and web forms with several layers of protection.

3. Encryption is difficult to use

Encryption might sound complicated, but that doesn’t mean it’s difficult to use – quite the contrary. When businesses first started offering encryption options for consumers several decades ago, it wasn’t very user-friendly and, understandably, practitioners were hesitant to use an email that could slow down or even obstruct communication.

Today, that’s all changed. You’re most likely using TLS encryption in your daily encounters on the internet. If you see https and a locked padlock icon next to the URL in your web browser, this means TLS is at work. As we mentioned, if you’re using an encrypted email service that uses OpenPGP, encryption needs to be enabled, but even this is usually worked into the email service, so it’s just noticeable enough to assure you that your messages are secure.

Hushmail, for example, automatically encrypts messages by default between Hushmail users, and requires a one-time password generation from anyone without a Hushmail account. Encryption is now so easy to implement, there’s no longer any reason to be concerned about disruption to your workflow or inconvenience to your clients.

4. Encryption is expensive

Not at all. Many encrypted email services offer an account for a low monthly subscription or even free. If you’re looking for a HIPAA-compliant service, you’ll want to find one that provides a BAA. This signed document places the responsibility for your emails’ HIPAA compliance on the email service, which is important in case you ever encounter a HIPAA audit. You’ll likely pay a monthly subscription for accounts that offer a BAA, but usually it’s quite affordable and may come with extra features such as encrypted web forms or e-signatures that make the monthly payment well worth it.

Now that you’ve read through this post, you know more than most about encryption and are ready to look for an encrypted email and web form service that will take your practice to the next level of security.

Remember, all encrypted communication services are different. The one you choose will depend on the level of security you want and extra features such a BAA, email archive, and web forms. We also suggest you find one with an excellent reputation for reliable, personal customer service.

If you’d like to take a deeper dive into encryption and how it works, here are a few helpful posts.

Encryption is a lot like a cryptogram, only better
6 essential checks to ensure your encrypted email is HIPAA compliant
Understanding your Hushmail encryption options

This guest blog was provided by Hushmail

About Hushmail: Hushmail has been providing encrypted email services since 1999. Its Hushmail for Healthcare account was specially developed to cater to the communication needs of healthcare professionals. This account includes secure mail encrypted with TLS and OpenPGP encryption, encrypted web forms, a signed BAA, and other features that are included to make your life easier and more secure. Visit Hushmail for Healthcare and try out an account for 60 days, risk free

About Author: Anabeli has been with Hushmail since 2014 and has over 20 years of marketing and communications experience in various industries, with a special interest in online marketing. Anabeli has a B.A. in Communications Sciences and an MBA with a specialization in marketing. Originally from Mexico, she lived in the U.K. before moving to Vancouver in 2010 and becoming a Canadian citizen. She is fluent in Spanish and English and spends her time outside of Hushmail enjoying her one-year-old daughter and the Vancouver outdoors with her family.
telehealth,telepractice,telepsychology,online therapy,online speech therapy, telehealth technology,telepractice technology,telepractice laws, teletherapy laws, teletherapy,hipaa teletherapy compliant,HIPAA compliant platform, social workers online, psychologist teletherapy


Complying with Federal and State Laws in Online Therapy

Online therapy, or telehealth, is an field that is rapidly evolving. As technology continues to advance, so do the ways in which we are able to deliver therapy. While the rules and regulations are straining to keep up, there are some guidelines that can help therapists to protect themselves as well as their patients. Whether you are a mental health therapist, social worker, behavioral therapist, or speech therapist, if you are interested in doing therapy with your patients online, you will need to do your due diligence to make sure that you remain in compliance.

teletherapy, technology teletherapy, teletherapy check list, telehealth, telehealth check lit


Teletherapy Checklist for Therapists

Teletherapy is growing! Here is the checklist of equipment, technology, documents and marketing for your teletherapy service.

Start 30-day Free Trial
Getting Started
Behavioral Therapy
Case Studies

Latest Posts

  • Automatic Credit Card Processing and Billing for Therapists

    Tuesday, October 22, 2019

    Automatic credit card processing for therapists (auto-payment collection) and auto invoicing are now available in TheraPlatform! Billing is a big part of running a private practice and sometimes the most time consuming. Think of all time one can spend on creating invoices and superbills, sending them to clients, posting payments and dealing with failed credit card payments. This time can easily add up to a few hours a week or even a day if you own a large practice.

  • Motivational Interviewing for Substance Abuse

    Monday, October 14, 2019

    Motivational Interviewing (MI) for substance abuse, is primarily used to help overcome ambivalence or resistance in hard-to-change behaviors. With its roots in client-centered therapy, motivational interviewing for substance abuse, does not teach specific techniques to overcome problems. As a result, it is often used in conjunction with other therapies as opposed to being the sole intervention.

  • Person Centered Therapy Techniques

    Monday, October 7, 2019

    Person centered therapy techniques aka client centered techniques, originally founded by Carl Rogers, put an emphasis on the client as an expert. It posits that people strive toward a state of self-actualization and therapy can help a client reach self-awareness. It is a therapist’s job to create the proper surroundings for a client to become a “fully functioning person”.Let’s look at some techniques a therapist uses in person-centered therapy.

This website uses cookies to ensure you get the best experience on our website.

Learn More