{"id":1532,"date":"2021-01-24T01:16:21","date_gmt":"2021-01-24T09:16:21","guid":{"rendered":"http:\/\/blog.stevenreidbordmd.com\/?p=1532"},"modified":"2021-04-16T01:12:42","modified_gmt":"2021-04-16T08:12:42","slug":"hipaa-compliant-email-a-review","status":"publish","type":"post","link":"http:\/\/blog.stevenreidbordmd.com\/?p=1532","title":{"rendered":"HIPAA-compliant email: a review"},"content":{"rendered":"\n
\"\"<\/figure><\/div>\n\n\n\n

The problem<\/strong><\/h4>\n\n\n\n

In the months since the COVID-19 pandemic forced<\/a> me to practice by video and phone, I’ve exchanged much more email with patients than I did before. Previously, I discouraged email from patients. For one thing, I knew it was an insecure channel, not “HIPAA-compliant.” It’s also somewhat less personal than a phone call. But starting last March I gave patients my work email, which they needed in order to connect to my video link (usually Doxy.me<\/a>) for sessions. Most also use it to pay<\/a> me online. Perhaps inevitably, email has become the most convenient way to send short messages back and forth, mostly medication refill requests and appointment confirmations or changes.<\/p>\n\n\n\n

Due to the pandemic, I also linked an online version of my intake form to the front page of my website<\/a>, so new patients could complete it remotely. The completed form was transmitted to me by non-secure email as well.<\/p>\n\n\n\n

As the months dragged on, I realized I needed to treat all this electronic communication more carefully. I started researching secure email designed for medical practices. Below I’ll tell you what I found.<\/p>\n\n\n\n

What is HIPAA-compliant email?<\/strong><\/h4>\n\n\n\n

But first, a brief dive into terminology. HIPAA, short for the Health Insurance Portability and Accountability Act of 1996, is a federal statute that, among other things, regulates the secure sharing of medical information, especially electronically. Those of us who traffic in “protected health information” (PHI) \u2014 “covered entities” such as doctors, hospitals, clinical laboratories, insurance companies, and others \u2014 must store and transmit PHI in secure ways. We also sign “business associate agreements” (BAAs) with each other. A BAA is basically a contract that says covered entities will only share PHI with other covered entities.<\/p>\n\n\n\n

While many people assume HIPAA exists to assure privacy, the law actually arose to facilitate<\/em> electronic information exchange, often without the patient’s explicit consent. For example, HIPAA allows behind-the-scenes sharing of PHI to “coordinate care.” But for purposes of this review, I’ll focus on the privacy safeguards, not the many other parts of HIPAA.<\/p>\n\n\n\n

To be HIPAA-compliant, email must be protected at both ends, e.g., with passwords, and engineered to prevent interception and reading en route. Technically, HIPAA does not demand that email be encrypted (translated into unreadable code), although that is typically the strategy used. The email provider and the covered entity using that provider should sign a BAA.<\/p>\n\n\n\n

Regular email, in contrast, isn’t designed to be secure. Messages are copied in readable form from one internet node to the next. Bad actors can intercept them along the way.<\/p>\n\n\n\n

What I found<\/strong><\/h4>\n\n\n\n

So who offers HIPAA-compliant email? One option are companies that provide complete electronic practice management systems. These typically include secure messaging with patients as part of their larger range of services. I didn’t deeply research this, as I’m not in the market for such a system. Using one solely for secure messaging seemed too expensive, unwieldy, or both. But I did briefly look into ChARM EHR<\/a> and Luminello<\/a>, both of which include secure communication with patients, and offer a free version with limited features to try out. ChARM is designed for all types of small medical practices, not just mental health, while Luminello is for mental health only, including non-medical therapists and “wellness clinicians.” Perhaps thanks to its specificity, I found Luminello much more user-friendly; I’d seriously consider it if I were in the market.<\/p>\n\n\n\n

But I’m not, so I turned to free-standing email services. <\/p>\n\n\n\n

Best I can tell, all HIPAA-compliant email is actually webmail. That is, the recipient receives a regular email with a link to a secure website to pick up the message.  Services differ with respect to email storage, often 1 to 5 gb; ways that non-subscribers, e.g., patients and potential patients, can reach you securely; whether you can use an existing email address versus having to get a new one; and whether you can choose an email address from a website domain you own (e.g., therapist@mycompany.com).  All include a BAA.<\/p>\n\n\n\n

Several companies provide secure email to larger clinics with multiple clinicians, administrative staff, and maybe a dedicated IT person. They usually charge monthly fees to match. That’s not my situation, and I do not review them here. Instead, here are a few sized for the solo practitioner:<\/p>\n\n\n\n

Hushmail for Healthcare<\/strong> (www.hushmail.com<\/a>) – $109\/yr:
Pros: Secure forms submission, with two nicely customizable forms at the above price. 10 gb storage. Can use your own domain for email.
Cons: Can\u2019t use an existing email address in a domain you don\u2019t own (e.g., gmail, hotmail, yahoo, etc).  The price doubles for more forms.<\/p>\n\n\n\n

MailHippo<\/strong> (www.mailhippo.com<\/a>) – $60\/yr:
Pros: Arguably slightly stronger encryption than Hushmail (AES 256 bit versus OpenPGP).  Can recall an email message, for example if addressed incorrectly.  Uses your existing email address.  Includes a personal URL so anyone can send you a secure email; adding this URL to your website, or to your signature at the bottom of regular email, invites secure messages from others.
Cons: No forms.<\/p>\n\n\n\n

MD OfficeMail<\/strong> (www.mdofficemail.com<\/a>) – $23\/yr with their email address, $32\/yr with your own
Pros: Cheapest paid HIPAA-compliant email I could find.  Includes a personal URL so anyone can send you a secure email.
Cons: User interface is old and clunky.  No forms.<\/p>\n\n\n\n

The following offer encrypted email \u2014 and are based in Europe, not the US \u2014 but are not designed for HIPAA specifically, i.e., no BAA: <\/p>\n\n\n\n

ProtonMail<\/strong> (www.protonmail.com<\/a>) – Free, or $48\/yr for more features and email storage
Tutanota<\/strong> (www.tutanota.com<\/a>) – 12 euro\/yr for \u201cbusiness,” free for \u201cprivate.” Includes a secure calendar and address book, which would make Tutanota my choice if I merely wanted these encrypted features for personal use.<\/p>\n\n\n\n

There are also a number of free, ad-supported apps that will encrypt email on handheld devices. These aren’t HIPAA-compliant either.<\/p>\n\n\n\n

And the winner is… my patients<\/h4>\n\n\n\n

In the end I decided to go with Hushmail, mainly because it offered the secure forms I needed: a general contact form and an intake form for my website. I also was able to use my own web domain (@stevenreidbordmd.com) for my new email address. If I hadn’t needed the forms, I would have chosen MailHippo instead, to keep my existing email address.<\/p>\n\n\n\n

Once signed up, I converted the contact form and intake form on my website to Hushmail. Then, using my old, unsecured email, I sent a final message to my active patients asking them to stop using that address, and to expect secure email from me going forward. Since replying to a secure email also makes the reply secure, this is a good way to start a private, HIPAA-compliant email channel with each patient.<\/p>\n\n\n\n

One of the best uses I’ve found so far for secure email is sending monthly billing statements electronically, as pdf attachments, instead of by mail. If patients or potential patients want to reach me securely before I send them anything, they use the contact form on my website to start the exchange. So far, my new system has been working well.<\/p>\n\n\n\n

In the comments below, let me know how any of these solutions work for you, or if you have others to recommend.<\/p>\n\n\n\n

Image courtesy of Stuart Miles at FreeDigitalPhotos.net<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

The problem <\/p>\n

In the months since the COVID-19 pandemic forced me to practice by video and phone, I’ve exchanged much more email with patients than I did before. Previously, I discouraged email from patients. For one thing, I knew it was an insecure channel, not “HIPAA-compliant.” It’s also somewhat less personal than a phone […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[4,67],"tags":[13,81],"class_list":["post-1532","post","type-post","status-publish","format-standard","hentry","category-current-events","category-medical-practice","tag-ethics","tag-online-therapy","odd"],"aioseo_notices":[],"_links":{"self":[{"href":"http:\/\/blog.stevenreidbordmd.com\/index.php?rest_route=\/wp\/v2\/posts\/1532","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/blog.stevenreidbordmd.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/blog.stevenreidbordmd.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/blog.stevenreidbordmd.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/blog.stevenreidbordmd.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1532"}],"version-history":[{"count":9,"href":"http:\/\/blog.stevenreidbordmd.com\/index.php?rest_route=\/wp\/v2\/posts\/1532\/revisions"}],"predecessor-version":[{"id":1567,"href":"http:\/\/blog.stevenreidbordmd.com\/index.php?rest_route=\/wp\/v2\/posts\/1532\/revisions\/1567"}],"wp:attachment":[{"href":"http:\/\/blog.stevenreidbordmd.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1532"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/blog.stevenreidbordmd.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1532"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/blog.stevenreidbordmd.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1532"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}