The Ultimate Guide To HIPAA Compliant Email For Therapists (BAAs, Secure Forms, And More)
October 11, 2019
Therapists are responsible for keeping their clients and potential clients safe. The sphere of safety extends beyond the time that clients are in session and includes their digital safety - namely around their protected health information and how it is transferred and stored online.
For many therapists, digital security matters can feel like an overwhelming responsibility. After all, it's not what you studied in grad school. You're not a professional tech nerd.
This ultimate guide was created to help provide the straight-to-the-point information you need to make an informed decision. It will help you with:
- What email providers are HIPAA compliant - a selection of HIPAA compliant email providers including a comparison chart, pricing information, and suggested recipes for combining your tech in a secure and comfortable-for-all way
- BAA email - suggested services that offer Business Associates Agreements, also known as a BAA
- Cheapest HIPAA compliant email - how to have HIPAA compliant email on a budget
- HIPAA compliant forms - which email providers offer the ability to create secure forms such as secure contact forms or appointment request forms on your website
- G Suite for therapists - discovering if G Suite can be used in a compliant way
- Is Gmail HIPAA compliant - answering with certainty if free Gmail is a good fit for HIPAA
But first, a quick disclaimer:
HIPAA Compliant Email Service Comparison Chart
Compare email services based on features and price. Find chart definitions below.
| Free Gmail | Premium Gmail/G Suite |
Proton | Paubox | Hushmail | LuxSci | |
|---|---|---|---|---|---|---|
| HIPAA compliant use possible? | No | Yes | Yes | Yes | Yes | Yes |
| Without non-secure communication request? | No | No | Yes | Yes | Yes | Yes |
| BAA | No | Yes | Yes | Yes | Yes | Yes |
| Seamless Encryption | No | No | No | Yes | No | Yes |
| Secure Email | No | No | Yes | Yes | Yes | Yes |
| Secure forms | No | No | No | No | Additional Fee | Additional Fee |
| Cost | Free | $6/m |
Free or 4E/m to use your domain |
$30/m for 3 users You also need an email |
$10.79/m* *Get this price |
$50/m For up to 50 users |
Comparison Chart Definitions
HIPAA compliant use possible?
Whether or not the email service can be used in a HIPAA compliant way.
Without non-secure communication request?
Is HIPAA compliant use possible w/o a request for non-secure communication? If an email service does not have secure email feature, clients will have to request non-secure communication in order for the email service to be used by you in a HIPAA compliant way.
BAA (Business Associates Agreement)
Under HIPAA, therapists need a Business Associates Agreement, also known as BAA, wherever you send and receive emails. Without a BAA, you are in violation of HIPAA.
Seamless Encryption (Secure Fallback)
Your provider will fall back to an encrypted/secure message option if the recipient email provider does not accept encrypted emails ensuring your message is encrypted or secure 100% of the time.
Secure Email (Escrow Email)
Secure email gives you the most amount of predictability and control possible. Also known as escrow, it asks recipients to log into a secure site to read emails.
Secure Forms
The ability to create secure forms and either send clients a link to fill the form out or an option to embed the forms on a page of your website.
Important: You Are Responsible For HIPAA Compliance, Not The Software
No software is "HIPAA compliant" but some software can be used in a HIPAA compliant way. This is not a matter of semantics, rather an important mindset: you are the one that uses things in a HIPAA compliant way and the software itself is not "compliant" alone.
In other words, you need to engage in a set of policies, procedures, and practices to be HIPAA compliant. Simply using software that can be used in a compliant way is not enough to be compliant.
But What Does All This Mean For You? Help Figuring Out What You Need
Do You Need Secure Messaging (Escrow Email)?
All therapists should be using secure messaging for all communication unless a client specifically requests unsecure email (request for non-secure email communication).
When Do You Need Secure Email?
Anytime you are sending or requesting highly sensitive client information, you ought to use secure email. Examples include:
- Superbills
- Release of records
- Forms, attachments, or messages that include a client’s social security number
- Forms, attachments, or messages that include a client’s insurance information
- CPT codes
- Diagnosis information
- Anything else that shouldn’t be sitting in a client’s email inbox
These items ought to be sent over secure means even in cases when a client requests communication in general to be over insecure channels as it is in their best interest for these particular items to always be kept secure.
Is There An Alternative To Secure Email?
Yes. You can use the secure portal provided by many EHRs to send and receive sensitive information.
For example, Simple Practice has a secure messaging feature that can be enabled on their Professional Plan. Other EHRs may have similar functionality.
Can Clients Request Non-Secure Email Communication?
Yes. Clients can request non-secure email under HIPAA. That said, note that such a request doesn’t cancel all of HIPAA for that client and that request only applies to email communication.
In order to fulfill a client’s request for non-secure email, you need to take extra steps:
- Inform clients about the risks of non-secure email (this is an ethics suggestion)
- Provide them with the option to receive secure emails instead (this is an ethics suggestion)
- Get them to sign off on their request confirming they agree to receive non-secure email (this is required under HIPAA)
When is Premium G Suite (Conventional Email with a BAA) Acceptable?
Conventional email, like G Suite with a BAA, is acceptable to use only when a client has explicitly requested non-secure email and you’ve done your due diligence to educate them, provide them a secure alternative, and get them to sign off once they understand as outlined above.
If a client has requested non-secure email, you are still ethically bound to use your judgement as to whether you would recommend for that client’s information be sent unsecured. Highly sensitive client information should always be sent secure.
Once Clients Request To Use It, What Types Of Email Messages Are OK To Send With Conventional Email with a BAA?
Conventional email with a BAA should only be used for not-so-sensitive stuff. In contrast with highly sensitive information, not-so-sensitive stuff would be things like scheduling:
- “I’m running late”
- “Let’s reschedule for next week”
- “How about Tuesday at 3pm?”
Is There Anything Better Than Conventional Email with a BAA For Not-So-Sensitive Communication?
Yes perhaps! You can also use a phone messaging/texting app like Signal (when used correctly) for this type of not-so-sensitive type of communication. Signal is a secure and convenient alternative to emailing.
How To Choose An Email Service Provider As A Therapist
What you choose will depend on what you need. But for the sake of being able to recommend something, let’s assume that your needs are as follows:
- You, like all therapists in the USA, need a BAA under HIPAA
- You need to communicate with clients on non-sensitive things
- You need to communicate with clients with sensitive things
All therapists operating under HIPAA need to have a signed BAA with their email service provider. This rules out any email service that does not offer a BAA like free Gmail.
Almost all therapists need to have a secure, digital way to get sensitive information to and from their clients. That could be through secure email like Hushmail, Paubox, or Luxsci or it could be through a secure client portal in their EHR.
If you don’t have secure messaging through your EHR, then you likely ought to choose Hushmail, Paubox, or Luxsci so that you have a secure way of communicating with your client.
If you will be using secure messaging through your EHR, then you could go with a more conventional email service like premium G Suite, allowing your clients the option to request receiving insecure mail through those services, and use them for less sensitive client communication like scheduling. (Note that you still need clients to understand that these services are not secure, that receiving not secure email is a choice and not a requirement. And then you need to collect their signature on a document in which they agree to not secure email).
A strong alternative to conventional BAAed email is an app like Signal for text messaging with clients for the more not-so-sensitive stuff. Signal works well for that in combination with a secure email or messaging option so you can both reach your client for the not-so-sensitive stuff but have a way to reach them securely as well.
Suggested Recipes
Here are some combinations that could work for you depending on your budget and the way you’d like to communicate with your clients.
The Luddite
Doesn’t use computers
Cost: Free
- For not-so-sensitive client communication, use phone only (ensure your phone service can be used in a HIPAA compliant way)
- Never send highly sensitive client information digitally
- Never use email
The Money Saver
Proton & Signal
Cost: Free
- For not-so-sensitive client communication, use Signal text messaging
- For highly sensitive client communication, use Proton Secure
- Never use conventional email with a BAA unless a client requests non-secure email
The EHR Lover
EHR & Signal
Cost: Free (if you already use an EHR)
- For not-so-sensitive client communication, use Signal text messaging
- For highly sensitive client communication, use your client portal messaging service
- Never use conventional email with a BAA unless a client requests non-secure email
The Reliable Roy
Hushmail & Signal
Cost: $8.20/month (get this price with our AF link)
- For not-so-sensitive client communication, use Signal
- For highly sensitive client communication, use Hushmail Secure
- Never use conventional email option from within Hushmail unless a client requests non-secure email
- Bonus: create secure contact forms on your website
The All Bases Covered
EHR & G Suite & Signal
Cost: $6/month (assuming you have an EHR)
- For not-so-sensitive client communication, use Signal text messaging
- For clients who request non-secure email (maybe they do not want to use Signal) offer to email them through G Suite after explaining the security implications of that option, offering secure alternative, & getting them to sign on their request
- For highly sensitive client communication, use EHR
The Seamless
Luxsci & Signal
Cost: $50/month
- For not-so-sensitive client communication, use Luxsci which will be seamless for most recipients
- For further not-so-sensitive client communication, use Signal text messaging
- For highly sensitive client communication, use the escrow option within Luxsci
- Bonus: create secure contact forms on your website
Frequently Asked Questions About HIPAA Compliant Email
Getting More Help
If you need more help figuring out the right way forward with digital communication, there are several options out there.
For more content on HIPAA compliant communication, check out HIPAA compliance and online communication – what you need to know over at Hushmail and The HIPAA-compliant virtual healthcare practice
For courses and consultancy, I can't recommend Person Centered Tech highly enough. In addition to their free articles, check out their courses, one-on-one coaching, and other security products to build your practice's security program empowering you to protect and care for your client's privacy.
*Quick Affiliate Disclaimer/Disclosure: Many of the links on this page are affiliate links. An affiliate link means that I will earn a comission if you choose to use the link to make a purchase. Don't worry though! The commission that I get does not increase the pricing for you. In some cases, you'll get a discount, trial, or bonus by using my link. I only recommend companies that I have experience with and that I would recommend anyway, even if no affiliate program existed. My hope is you find products and services that fit your needs and that will help you grow.
