Editors note: The following is not meant to be considered legal advice, for more information, please consult an experienced attorney in your jurisdiction.
Therapists ask us all the time if online therapy is HIPAA compliant. We probably receive dozens of emails per month about the legality and compliance of online counseling. The most popular question recently has been “Is Skype HIPAA compliant?” (Hint: no, it’s not, read why here..) However, a question we almost never recieve is about the legality of therapy client emails.
Ironically, email is a far more prevalent and misunderstood form of client-therapist communication than any other mode. As a therapist in the modern world, understanding the safety and security of email is critical. While this article is focused around the health privacy laws in the United States, similar laws exist worldwide; if you are practicing outside the United States, your legal environment is obviously different, yet the same general principles of client privacy apply.
What is Protected Health Information?
Protected health information (PHI) is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual.
Essentially anything considered PHI is covered by health privacy laws. So the obvious would be treatment notes. For example, Client “Susie Smith” is suffering from anxiety and takes Xanax. That information is clearly protected health information. However, what is a little less clear is that Susie paid you $85 for a session on January 15th. You enter that payment into your accounting software as “Session Payment from Susie Smith, January 15.” If you use a cloud-based system like Quickbooks online, or if you share your accounting information with a CPA or a bookkeeper, you might have just violated client confidentiality!
The fact that Susie Smith paid for a therapy session is PHI. So unless you and your accountant have proper safeguards and agreements in place, you may have violated the law. Essentially, you’d need your accountant to provide you with a Business Associates Agreement to ensure his or her legal obligation to protect the information as required.
paranoid yet? Don’t worry. HIPAA and protecting client confidentiality isn’t as stressful as it might seem. You just need to be aware of all of the different points of exposure that your client information has. In a future post, we’ll talk more about those client privacy exposure points, but for now, let’s talk email.
Is email HIPAA compliant?
The short answer is “it can be.” The full answer is a little more complex. Let’s walk though a hypothetical scenario.
A woman finds your contact information through a directory or through an online profile somewhere. Since email is listed, that woman sends you an inquiry reading something like this:
- Susie types the email and sends it from her Gmail account.
- It passes through a series of Google servers until it’s finally delivered to your inbox.
- You open the email and click “reply.”
- You send her a response suggesting an appointment time.
- She responds to you and confirms the appointment.
Can you identify any points in the flow that could result in a breach of client confidentiality?
First, everything that happens before it’s delivered to your inbox is not covered by HIPAA or health privacy laws. Susie is the one providing the information, Susie is the “owner” of the information until which point it arrives in your possession. Since you are a health care entity, you are subject to the health privacy laws, but Susie is not.
When you hit reply and include her original text in the reply, you now just exposed protected health information to the outside world. When Susie gets your reply, that reply text plus her original message (which was included in the email) is now scanned by Google. So you just provided Protected Health Information to Google’s advertising algorithm — even if your own email account is encrypted and covered by a Business Associates Agreement. Susie’s email is not covered by a BAA.
Always delete the client’s original email text in a reply.
Also, ensure that your reply doesn’t inadvertently reveal PHI. For more detailed replies, it’s best to schedule a phone call or even offer an initial video consultation (using a HIPAA compliant video conferencing platform of course!)
Legally you’re not “on the hook” until you receive the email, however morally, you certainly don’t want to encourage Susie to potentially violate her own privacy. For example, when she sends this email from her Gmail account, the email is scanned by Google in order to provide targeted advertising to Susie. Susie might start seeing ads for anxiety medication or treatment centers as she browses the web. That isn’t your fault, however the goal is to take care of the client, regardless of who is ultimately responsible.
How iCouch protects client confidentiality
At iCouch, we have a feature called Secure Messages. How this works is that on your online therapist profile, your phone number and address (if you do in person sessions,) is listed on your profile, however your email is not. Our philosophy is to discourage the use of email for initial client inquires because of the reasons outlined above. What a client would do is click ‘Send a Secure Message’ which opens up a secure form.
The client can safely write whatever they want; the form is not only on an https:// secure connection, the message content itself is completely encrypted as well. The only thing that makes reading the message possible is your password.
The bottom line
Email is a great tool, but it needs to be used with care. Even though you may have an encrypted email service, your clients most likely do not. You need to be aware of what you send to clients. Take special care with quoting their replies. It’s best to simply follow up to arrange a phone call or schedule a video therapy consultation, perhaps a 15 minute conversation over video or the phone.