HIPAA-compliant email: a review

The problem

In the months since the COVID-19 pandemic forced me to practice by video and phone, I’ve exchanged much more email with patients than I did before. Previously, I discouraged email from patients. For one thing, I knew it was an insecure channel, not “HIPAA-compliant.” It’s also somewhat less personal than a phone call. But starting last March I gave patients my work email, which they needed in order to connect to my video link (usually Doxy.me) for sessions. Most also use it to pay me online. Perhaps inevitably, email has become the most convenient way to send short messages back and forth, mostly medication refill requests and appointment confirmations or changes.

Due to the pandemic, I also linked an online version of my intake form to the front page of my website, so new patients could complete it remotely. The completed form was transmitted to me by non-secure email as well.

As the months dragged on, I realized I needed to treat all this electronic communication more carefully. I started researching secure email designed for medical practices. Below I’ll tell you what I found.

What is HIPAA-compliant email?

But first, a brief dive into terminology. HIPAA, short for the Health Insurance Portability and Accountability Act of 1996, is a federal statute that, among other things, regulates the secure sharing of medical information, especially electronically. Those of us who traffic in “protected health information” (PHI) — “covered entities” such as doctors, hospitals, clinical laboratories, insurance companies, and others — must store and transmit PHI in secure ways. We also sign “business associate agreements” (BAAs) with each other. A BAA is basically a contract that says covered entities will only share PHI with other covered entities.

While many people assume HIPAA exists to assure privacy, the law actually arose to facilitate electronic information exchange, often without the patient’s explicit consent. For example, HIPAA allows behind-the-scenes sharing of PHI to “coordinate care.” But for purposes of this review, I’ll focus on the privacy safeguards, not the many other parts of HIPAA.

To be HIPAA-compliant, email must be protected at both ends, e.g., with passwords, and engineered to prevent interception and reading en route. Technically, HIPAA does not demand that email be encrypted (translated into unreadable code), although that is typically the strategy used. The email provider and the covered entity using that provider should sign a BAA.

Regular email, in contrast, isn’t designed to be secure. Messages are copied in readable form from one internet node to the next. Bad actors can intercept them along the way.

What I found

So who offers HIPAA-compliant email? One option are companies that provide complete electronic practice management systems. These typically include secure messaging with patients as part of their larger range of services. I didn’t deeply research this, as I’m not in the market for such a system. Using one solely for secure messaging seemed too expensive, unwieldy, or both. But I did briefly look into ChARM EHR and Luminello, both of which include secure communication with patients, and offer a free version with limited features to try out. ChARM is designed for all types of small medical practices, not just mental health, while Luminello is for mental health only, including non-medical therapists and “wellness clinicians.” Perhaps thanks to its specificity, I found Luminello much more user-friendly; I’d seriously consider it if I were in the market.

But I’m not, so I turned to free-standing email services.

Best I can tell, all HIPAA-compliant email is actually webmail. That is, the recipient receives a regular email with a link to a secure website to pick up the message.  Services differ with respect to email storage, often 1 to 5 gb; ways that non-subscribers, e.g., patients and potential patients, can reach you securely; whether you can use an existing email address versus having to get a new one; and whether you can choose an email address from a website domain you own (e.g., therapist@mycompany.com).  All include a BAA.

Several companies provide secure email to larger clinics with multiple clinicians, administrative staff, and maybe a dedicated IT person. They usually charge monthly fees to match. That’s not my situation, and I do not review them here. Instead, here are a few sized for the solo practitioner:

Hushmail for Healthcare (www.hushmail.com) – $109/yr:
Pros: Secure forms submission, with two nicely customizable forms at the above price. 10 gb storage. Can use your own domain for email.
Cons: Can’t use an existing email address in a domain you don’t own (e.g., gmail, hotmail, yahoo, etc).  The price doubles for more forms.

MailHippo (www.mailhippo.com) – $60/yr:
Pros: Arguably slightly stronger encryption than Hushmail (AES 256 bit versus OpenPGP).  Can recall an email message, for example if addressed incorrectly.  Uses your existing email address.  Includes a personal URL so anyone can send you a secure email; adding this URL to your website, or to your signature at the bottom of regular email, invites secure messages from others.
Cons: No forms.

MD OfficeMail (www.mdofficemail.com) – $23/yr with their email address, $32/yr with your own
Pros: Cheapest paid HIPAA-compliant email I could find.  Includes a personal URL so anyone can send you a secure email.
Cons: User interface is old and clunky.  No forms.

The following offer encrypted email — and are based in Europe, not the US — but are not designed for HIPAA specifically, i.e., no BAA: 

ProtonMail (www.protonmail.com) – Free, or $48/yr for more features and email storage
Tutanota (www.tutanota.com) – 12 euro/yr for “business,” free for “private.” Includes a secure calendar and address book, which would make Tutanota my choice if I merely wanted these encrypted features for personal use.

There are also a number of free, ad-supported apps that will encrypt email on handheld devices. These aren’t HIPAA-compliant either.

And the winner is… my patients

In the end I decided to go with Hushmail, mainly because it offered the secure forms I needed: a general contact form and an intake form for my website. I also was able to use my own web domain (@stevenreidbordmd.com) for my new email address. If I hadn’t needed the forms, I would have chosen MailHippo instead, to keep my existing email address.

Once signed up, I converted the contact form and intake form on my website to Hushmail. Then, using my old, unsecured email, I sent a final message to my active patients asking them to stop using that address, and to expect secure email from me going forward. Since replying to a secure email also makes the reply secure, this is a good way to start a private, HIPAA-compliant email channel with each patient.

One of the best uses I’ve found so far for secure email is sending monthly billing statements electronically, as pdf attachments, instead of by mail. If patients or potential patients want to reach me securely before I send them anything, they use the contact form on my website to start the exchange. So far, my new system has been working well.

In the comments below, let me know how any of these solutions work for you, or if you have others to recommend.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

2 comments to HIPAA-compliant email: a review

  • jlee

    I have certainly used hushmail, and feel totally confident in all the layers of protection and encryption. Have you heard of virtru, it’s an add on to gmail, and offers end to end encryption, and hipaa compliant too. It’s what my employer uses, and its easy and works great, and no need to open up a different email acct for encrypted private emails.

    https://www.virtru.com/

    • Thanks for writing. Looking at their site, Virtru serves larger businesses, not solo or small-group practices. That’s what their “case studies” indicate. Also, they don’t list prices, and they ask potential customers to schedule a demo. As I wrote above, I ran across several such services, but didn’t review them. Glad you like them, anyway.

      By the way, while standard gmail is not secure or HIPAA-compliant, Google Workspace (formerly G Suite) includes “secure business email” for as low as $72/yr. I didn’t look into whether this is HIPAA-compliant, as I don’t associate Google with privacy.

Leave a Reply to Steven P Reidbord, MD Cancel reply

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

  

  

  

This site uses Akismet to reduce spam. Learn how your comment data is processed.