HIPAA compliant email for therapists


Understanding HIPAA compliant email for therapists is a must in today’s digital age, where protecting client information goes beyond a locked filing cabinet.

Electronic Protected Health Information (ePHI) is constantly being transmitted through emails, intake forms, and billing systems. Therapists have a responsibility to ensure this sensitive data is exchanged securely, or it could be exposed to breaches or unauthorized access.

Summary

  • Not all encryption is equal; end-to-end encryption offers the strongest protection.

  • Encryption is now easy to use, even for clients who aren’t tech-savvy.

  • Affordable encryption services are available and can save money by preventing costly HIPAA violations. By leveraging an EHR like TheraPlatform for secure communication, therapists can manage their practice with ease.


Streamline your practice with One EHR

  • Scheduling
  • Flexible notes
  • Template library
  • Billing & payments
  • Insurance claims
  • Client portal
  • Telehealth
  • E-fax


Under the Health Insurance Portability and Accountability Act (HIPAA), healthcare professionals must implement technical safeguards to protect ePHI. One powerful safeguard is encryption.

Encryption transforms readable information into an unreadable format for unauthorized users. It helps safeguard client confidentiality, especially in email.

However, many clinicians avoid using encryption because of misconceptions about what it is, how much it costs, and what HIPAA requires.

Let’s clear up four of the most common misunderstandings around HIPAA compliant email and share tips for choosing the best HIPAA compliant email for therapists.


Practice Management + EHR + Telehealth

Manage more in less time in your practice with TheraPlatform


HIPAA requires encryption

One common misconception is that HIPAA flat-out requires encryption for all ePHI.

The reality: HIPAA does not require encryption in every instance. Instead, the HIPAA Security Rule lists it as an “addressable” technical safeguard for both data at rest and in transit.

“Addressable” means providers must assess the risk of transmitting PHI without encryption and implement safeguards if reasonable and appropriate. If they choose not to use encryption, they must use an equivalent measure or document why no safeguard is in place.

That said, failing to encrypt ePHI that later becomes compromised is likely to be considered willful neglect by the Office for Civil Rights (OCR). Penalties can reach more than $2.1 million annually for serious violations.

For more, see the HIPAA Security Rule guidance.




All encryption is equal

Some providers believe that every encryption method used in healthcare offers the same level of protection, because vendors market their services as “secure”.

The reality: Not all encryption methods provide the same protection. Therapists should seek services with the latest end-to-end encryption protocols.

As cybersecurity expert Bruce Schneier noted, “Encryption is only as strong as its weakest link.”

  • Transport Layer Security (TLS): Encrypts the connection while email is in transit between mail servers, and only on the hops that support it. The message itself is not protected once it arrives, so copies stored on servers may remain unencrypted.

  • OpenPGP or S/MIME: Provides end-to-end encryption so only the intended recipient can decrypt the message.

Insufficient ePHI protection can have legal implications, and according to research, “a security breach can severely damage healthcare professional reputations and undermine patient confidence.”
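The difference between the two bullets above is visible in a stored message: a TLS-only message records the transport protocol of each hop in its Received headers but leaves the body readable, whereas an OpenPGP or S/MIME message carries an encrypted MIME structure that stays unreadable at rest. The following Python script is an added example for this post, not code from Hushmail or TheraPlatform; it uses only the standard library, and the three sample messages are constructed (the PGP block is a placeholder, not a real ciphertext packet). It reports, for a raw message, whether every recorded hop used TLS (ESMTPS/ESMTPSA, per RFC 3848) and whether the body is end-to-end encrypted.

```python
"""Classify an email as cleartext-hop, transport-only (TLS) or end-to-end encrypted."""
import re
from email import message_from_string
from email.message import Message
from typing import Dict, List, Optional, Tuple

# RFC 3848 "with" clauses: ESMTPS / ESMTPSA mean STARTTLS was negotiated on that hop;
# plain SMTP / ESMTP means the hop was cleartext.
_TLS_HOP = re.compile(r"\bwith\s+(?:ESMTPSA?|UTF8SMTPSA?|SMTPS)\b", re.IGNORECASE)
_ANY_HOP = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)


def transit_hops(msg: Message) -> List[Tuple[str, bool]]:
    """Return (protocol, used_tls) for each Received header, newest hop first."""
    hops = []
    for received in msg.get_all("Received", []):
        match = _ANY_HOP.search(received)
        protocol = match.group(1).upper() if match else "UNKNOWN"
        hops.append((protocol, bool(_TLS_HOP.search(received))))
    return hops


def end_to_end_format(msg: Message) -> Optional[str]:
    """Return 'openpgp' (RFC 3156) or 'smime' (RFC 8551) if the body is encrypted, else None."""
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted" and msg.get_param("protocol") == "application/pgp-encrypted":
        return "openpgp"
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        smime_type = (msg.get_param("smime-type") or "").lower()
        if smime_type in ("enveloped-data", "authenveloped-data"):
            return "smime"
    return None


def classify(raw: str) -> Dict[str, object]:
    """Summarise how a stored message was protected in transit and at rest."""
    msg = message_from_string(raw)
    hops = transit_hops(msg)
    e2e = end_to_end_format(msg)
    all_tls = bool(hops) and all(tls for _, tls in hops)
    if e2e:
        level = "end-to-end"          # body unreadable on every server and in the mailbox
    elif all_tls:
        level = "transport-only"      # each recorded hop used TLS, body stored in plaintext
    else:
        level = "cleartext-hop"       # at least one hop carried the body unencrypted
    return {"level": level, "e2e_format": e2e, "hops": hops,
            "body_readable_at_rest": e2e is None}


# Constructed sample 1: both hops used TLS, but the body is plain text.
TLS_ONLY_MESSAGE = """\
Received: from mail.sender.example by mx.receiver.example with ESMTPS id 1A2B3C; Mon, 3 Jun 2024 10:00:00 +0000
Received: from [10.0.0.5] by mail.sender.example with ESMTPSA id 9Z8Y7X; Mon, 3 Jun 2024 09:59:58 +0000
From: therapist@sender.example
To: client@receiver.example
Subject: Appointment
Content-Type: text/plain; charset="utf-8"

Hi Sam, confirming your session on Tuesday at 3 pm.
"""

# Constructed sample 2: PGP/MIME structure; the ciphertext is a placeholder.
PGP_MESSAGE = """\
Received: from mail.sender.example by mx.receiver.example with ESMTPS id 4D5E6F; Mon, 3 Jun 2024 10:05:00 +0000
From: therapist@sender.example
To: client@receiver.example
Subject: Appointment
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="pgpb"

--pgpb
Content-Type: application/pgp-encrypted

Version: 1

--pgpb
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(placeholder ciphertext for this constructed sample)
-----END PGP MESSAGE-----

--pgpb--
"""

# Constructed sample 3: the first hop was plain ESMTP, so the body crossed one link in the clear.
MIXED_MESSAGE = """\
Received: from mail.sender.example by mx.receiver.example with ESMTP id 7G8H9I; Mon, 3 Jun 2024 10:10:00 +0000
Received: from [10.0.0.5] by mail.sender.example with ESMTPSA id 3J4K5L; Mon, 3 Jun 2024 10:09:58 +0000
From: therapist@sender.example
To: client@receiver.example
Subject: Appointment
Content-Type: text/plain; charset="utf-8"

Hi Sam, confirming your session on Tuesday at 3 pm.
"""

if __name__ == "__main__":
    for name, raw in [("tls-only", TLS_ONLY_MESSAGE), ("pgp", PGP_MESSAGE), ("mixed", MIXED_MESSAGE)]:
        print(name, classify(raw))
```

Two caveats for anyone using this as a review check: Received headers are written by the servers themselves, so the chain shows what they recorded, not independent proof; and the script only recognises the standard PGP/MIME and S/MIME envelopes, so a body encrypted by a vendor portal that delivers a link rather than ciphertext will show as "transport-only" even though the portal may hold the content encrypted.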

Encryption is hard to use

Clinicians may think that HIPAA compliant email is too complicated to use consistently.

The reality: Today’s HIPAA-compliant systems make encryption user-friendly. Many client portals automatically encrypt messages. Others allow clinicians to use a “send secure” button.

Clients may only need to click a link, answer a security question, or enter a one-time password to access their secure communication.

Encryption is expensive

A 2022 study looking at barriers to healthcare providers using cryptographic techniques for data protection cited costs of cybersecurity as an obstacle.

The reality: Basic email encryption services start at just $10-$20 per user a month.

How to choose the right HIPAA compliant email for therapists

When evaluating HIPAA-compliant email for therapists, consider the following:
  • Type of encryption: Be sure to use a provider that offers end-to-end encryption, not TLS only. TLS only protects data during transmission, not once messages reach the recipient’s inbox. OpenPGP or S/MIME offers end-to-end encryption that ensures the message can only be decrypted by the intended recipient.

  • Business associate agreement (BAA): HIPAA requires a BAA with any vendor that handles ePHI on a provider’s behalf, in order for the healthcare worker to remain compliant. The BAA legally establishes the vendor as sharing equal responsibility with you for maintaining HIPAA standards. Even if the service uses excellent encryption, having a signed BAA in place is non-negotiable.

  • Workflow compatibility: A HIPAA compliant email provider should integrate smoothly with your practice’s existing tools, including EHR, contact forms, or intake workflows. Using a provider that offers secure forms and e-signatures in addition to an encrypted email service can eliminate the need for using multiple vendors.

  • Ease of use: An encryption system should be intuitive, allowing clients who are not tech-savvy to still access their messages with ease. Consider using a platform that provides a web-based portal that is easy for both clinicians and clients to use.

  • Support and customer service: Responsive, knowledgeable customer support is essential. Seek services whose staff have experience in the healthcare field and understand the nuances of HIPAA compliant email for therapists.

  • Pricing and features: Some HIPAA-compliant email plans start at a lower price; however, it’s important to compare the data protection features included in each plan.

Typical pricing tiers often include critical features for practice management, such as:
  • Secure online forms
  • Archiving and audit logs
  • E-signatures
  • Secure file sharing

  • Reputation: Check independent reviews, healthcare forums, or peer recommendations to assess the reliability and satisfaction associated with the encryption service. The reliability and reputation of a HIPAA compliant email provider is as important as its technical features.

Encryption is one of the most effective ways therapists can protect client confidentiality while complying with HIPAA. Despite common misconceptions, it’s neither prohibitively costly nor too complex.

Free tools to get started:




Resources

TheraPlatform is an all-in-one EHR, practice management, and teletherapy software built for therapists to help them save time on admin tasks. It offers a 30-day risk-free trial with no credit card required and supports mental and behavioral health, SLPs, OTs, and PTs in group and solo practices.




References

  • Alzahrani, A. (2024). Developing a provable secure and cloud-centric authentication protocol for the e-healthcare system. IEEE Access. DOI link
  • Lewis, N., Connelly, Y., Henkin, G., Leibovich, M., & Akavia, A. (2022). Factors influencing the adoption of advanced cryptographic techniques for data protection of patient medical records. Healthcare Informatics Research, 28(2), 132-142. DOI link
  • Schneier, B. (2015). Secrets and lies: Digital security in a networked world. John Wiley & Sons. DOI link

This guest blog was provided by Hushmail

About Hushmail: Hushmail has been providing encrypted email services since 1999. Its Hushmail for Healthcare account was specially developed to cater to the communication needs of healthcare professionals. This account includes secure mail encrypted with TLS and OpenPGP encryption, encrypted web forms, a signed BAA, and other features that are included to make your life easier and more secure. Visit Hushmail for Healthcare and try out an account for 60 days, risk free.

About Author: Anabeli has been with Hushmail since 2014 and has over 20 years of marketing and communications experience in various industries, with a special interest in online marketing. Anabeli has a B.A. in Communications Sciences and an MBA with a specialization in marketing. Originally from Mexico, she lived in the U.K. before moving to Vancouver in 2010 and becoming a Canadian citizen. She is fluent in Spanish and English and spends her time outside of Hushmail enjoying her one-year-old daughter and the Vancouver outdoors with her family.

FAQs about encryption and encrypted email

What is HIPAA-compliant email?

HIPAA-compliant email is a secure form of electronic communication that meets the Health Insurance Portability and Accountability Act (HIPAA) requirements for protecting patients’ protected health information (PHI). It uses encryption, secure logins, access controls, and audit trails to ensure that only authorized parties can send, receive, and view messages containing PHI. Therapists and healthcare providers must use HIPAA-compliant email services—or send messages through a secure client portal—to maintain confidentiality and avoid data breaches.

What’s the difference between TLS and end-to-end encryption?

TLS encrypts messages only during transmission, while end-to-end encryption ensures only the intended recipient can read the message.

Is encryption affordable for small practices?

Yes. Basic encrypted email services often cost $10–$20 per user monthly—far less than the potential fines for HIPAA violations.
