In January 2021, I described my search for a HIPAA-compliant email provider for my practice, and reviewed several options. In the end I chose Hushmail for Healthcare. It was, and is, a good service: thoughtfully featured, reasonably priced (with minor changes since then), and fast support when needed. But the truth is, I didn’t stay with Hushmail.
This is the continuing saga of my search for secure email and online forms for my practice. And here’s the punchline up front: I haven’t found a service that provides all I want. Lately I’ve cobbled together two competing services that “kind of” work in combination. If anyone reading this happens to work at one of these companies and wants to please a customer like me, please take note.
The need
As I wrote in 2021, regular email is not in compliance with HIPAA, the longstanding federal law that governs the confidentiality and “portability” of medical information. Along with many other provisions, HIPAA has rules for maintaining the security of electronic medical data, and the transfer of protected health information from one place to another.
Small private practices like mine sometimes ignore these rules. I had used Google Calendar for patient scheduling for years, and with the start of the Covid pandemic, I started exchanging email with patients. Neither Google Calendar nor regular email is secure or HIPAA-compliant. But plain email is the easiest option for quick doctor-patient communication (except perhaps for texting, which isn’t HIPAA-compliant either). It’s a no-brainer for doctors and patients alike.
However, doctors and other healthcare providers need to take our fiduciary responsibility seriously. The easiest and most convenient options aren’t always, or even usually, the best. This misguided tradeoff crops up everywhere now. For example, many health care startups cut corners clinically to make their services cheaper or “frictionless.” Medical ethics are a higher standard than business ethics, and as a profession we should resist the seductions of lower standards.
As my use of email expanded, I grew troubled by the hypocrisy of writing and teaching about medical and psychiatric ethics, while engaging in unethical practices myself. During the height of the pandemic, when I was working exclusively online, I realized I needed HIPAA-compliant email, HIPAA-compliant online forms for initial inquiries by patients and my short intake questionnaire, and a HIPAA-compliant alternative to Google Calendar. That’s what prompted my initial search.
Hushmail’s tragic flaws
At the time I signed up, Hushmail offered two secure, customizable forms along with email and 10 Gb of storage, all for about $100/year. There was no calendar option, but it otherwise seemed to fill my needs, and the price was right.
The forms were great. The email proved problematic, for two reasons I hadn’t anticipated. First, patients didn’t use it. Per Hushmail’s recommendation, I created a dedicated email address in my website domain stevenreidbordmd.com, to be used solely for Hushmail. But as soon as I started sending secure webmail using that address, patients would use the address to send me regular, un-secured email. I was constantly asking patients not to contact me that way.
The bigger problem was passwords. When non-Hushmail users, i.e., all of my patients, received their first secure message from me, Hushmail asked them to set a personal password to decrypt that message, and all subsequent messages. I didn’t know their passwords. So every month, I’d hear from patients, usually by plaintext email, that they forgot or misplaced their passwords, and couldn’t read their billing statements. They’d reset their passwords, and I’d have to re-send their statements. Since their new passwords wouldn’t open any old messages, sometimes I needed to re-send several documents.
Back on the search
After about two years of this, in late 2022 I got fed up and looked again at my options. This time I was drawn to Proton, largely because it also offered an encrypted calendar. When I reviewed it in 2021, Proton either wasn’t HIPAA-compliant (no Business Associate Agreement) or I didn’t notice that it was. In any case, it was now.
Proton didn’t offer secure online forms. But it featured an ecosystem of HIPAA-compliant services — email, calendar, cloud storage, and VPN — and I figured I’d work something out. It offered 15 Gb of storage, ten customizable email addresses, the same ability to link to my custom domain that Hushmail offered, and it was only $84/yr for the “Mail Essentials” option. With some regret I bid Hushmail goodbye, and signed up with Proton.
Proton pros and cons
I finally had a secure calendar for scheduling patients. This was long overdue, works great, and feels like a necessity going forward.
Proton also solved the lost password problem. I assigned a password to each patient, and could remind them when they forgot. I gave each patient a unique 7-character password, based in part on their name. I assumed this would be more secure than one password for everyone.
On the other hand… this worked well for about six months. Unfortunately, at that point Proton suddenly required all passwords to be eight characters or more, without ever documenting any password-length requirement anywhere. I had to send out notices, further confusing many patients who didn’t quite grasp password-protected webmail in the first place. Exasperated, I gave everyone the same password.
I changed my prior Hushmail address to auto-respond with an error message, and created a new Proton email address for sending and receiving secure webmail. Proton Mail works very well, much as Hushmail did. However, patients started using my new address to send me plaintext email, just like before.
So here’s my first concrete request: Please, someone provide HIPAA-compliant email that doesn’t disclose an address that non-subscribers can use to send back plaintext email.
Then there’s the online forms. For most of the year, I left a non-secure contact form on my website, which I insisted that established patients not use. Some did anyway, of course.
I asked new patients to download my blank pdf intake form, fill it out on their computer, and return it to me using Proton Mail. This meant sending Proton Mail to them first, so they could reply to it. That way, their reply, with the attached intake sheet, was secure as well.
This was convoluted. I had to collect new patients’ email addresses in my first phone contact, before they ever saw my intake form. And I had to convey their new Proton Mail password somehow. One option was a “password hint” attached to my first Proton Mail that revealed their new password in plaintext. Another was to explain this all verbally on the phone. A third was to send them, in a separate email without encryption, a “read me” file explaining what all this was about. It was awkward at best.
Proton could streamline secure forms submissions in one of several ways. They could offer HIPAA-compliant online forms, as Hushmail and other services do. Or they could provide a “mail drop” feature allowing non-subscribers to upload files securely to a subscriber’s Proton Drive (perhaps in a quarantine folder or similar). Or, like MailHippo‘s SendSafe feature, Proton could assign each subscriber a unique URL that allows non-subscribers to securely send messages and attached files to the subscriber.
But Proton did none of these, so I had to continue searching.
Adding secure online forms
MailHippo, which I reviewed back in 2021, now offers HIPAA-compliant forms as well. They call the combination FormHippo. Per my 2021 review, I hadn’t chosen MailHippo solely due to their lack of forms. I now realize that their SendSafe feature, even without forms, would have saved me a great deal of trouble compared to the workarounds I needed with Proton.
FormHippo is $107/yr for email, up to five customizable forms, 5 Gb of email storage, message recall (not offered by the others), and the SendSafe feature. The drawbacks? No calendar, they still disclose an email address that non-subscribers can use to send plaintext email, and (sorry to say this) the hippo name and logo itself, clearly a play on “HIPAA,” which looks a bit unprofessional. Otherwise, it appears to be a very good option.
However, I’m not quite ready to abandon Proton’s ecosystem, with its calendar, cloud storage, and VPN. I’m generally happy with Proton Mail, and right now they’re rolling out a password manager, Proton Pass, that may compete favorably with the Bitwarden I currently use.
My solution so far
I simply added FormHippo to Proton. The email part is redundant, but both together still cost under $200/yr. I use FormHippo for online forms (contact and intake) and for the SendSafe URL. I ask all patients to use the SendSafe option if they ever want to contact me online. As usual, not all do. I use Proton for everything else.
(To complicate things even further, the SendSafe URL includes the login email address that the subscriber uses for MailHippo or FormHippo. I didn’t want to advertise this address, so I added yet another layer: redirection from an innocuous URL in my own domain to the SendSafe URL. Furthermore, if I want to reply online to a SendSafe message, I’m still stuck sending either MailHippo or Proton webmail, possibly to someone who doesn’t understand all this arcana. Whenever possible, I just use the phone.)
While I don’t plan to change anything for now, I consider other permutations. I could downgrade FormHippo to MailHippo (costs a little less), have patients download my intake sheet from Proton Drive, and submit it to me using SendSafe. Or I could cancel Proton, just use FormHippo, and opt for another secure calendar solution. Tutanota, for example, offers encrypted, but not HIPAA-compliant, full-featured calendars to businesses for $76/yr. (My pricing for Tutanota in 2021 must have been a misprint.)
Or I could go back to Hushmail, and tell all my patients what password to use — maybe the same universal one they now use for Proton. Hushmail also now offers a feature called a “private message center.” Information about it is scarce on their website. Apparently it allows non-subscribers to access Hushmail messages using their Google, Apple, or Microsoft credentials — instead of a password? If so, that might simplify matters too. They still don’t have a calendar though.
I confess that this journey has been challenging. It’s easy to see why many in my position don’t bother. I confess that I still send and receive texts from patients, even though I know I shouldn’t. There comes a point when you do what you reasonably can, and then don’t sweat it anymore. I’m about at that point, but still open to suggestions and comments. Let me know how you (or your psychiatrist/therapist) handles these challenges, and thanks for reading.
ever try virtru? https://www.virtru.com/lp-hipaa-email-encryption-demo/
I believe you also suggested Virtru in response to my 2021 review. My reply then:
Looking at the video you linked, my impression once again is that Virtru isn’t aimed for solo practitioners like me. The video refers to office staff of “health care organizations,” not doctors, interacting with Virtru. The testimonials are all from companies, not individual users. And Virtru is “embedded in Gmail and Google Drive, via a Chrome browser extension” — none of which I use. Thanks again for your interest.
Steven,
Why not just use HIPAA compliment EMR for everything? Forms, ERx, Video, notes and forms. Luminello offers all of that and more. It’s not ideal, but easy enough to use.
Hi Yelena,
(I’ve known Dr. Zalkina many years.) Good to hear from you. You certainly gave me something to think about. I went back and looked at Luminello; I even made a little spreadsheet comparing what I have and what they offer.
I still use paper charts. At this point in my career, I’m reluctant to change that, although not totally opposed. I’m also a do-it-yourselfer by nature. I’ve cobbled together a system from several vendors: Proton for secure messaging and calendar, Zoom for secure video, iPrescribe for electronic prescribing, FormHippo for secure forms, SolAce for Medicare billing. It’s somewhat unwieldy and clearly not perfect, but it works. All together, it’s also about $50/month less than Luminello would be.
It’s helpful for me to reflect periodically on how I may devalue my own time, that I sometimes take the hard way instead of the easy way. However, I’m not ready to jump to Luminello or any EMR at this point.
I appreciate the food for thought. Thanks and take care.