You’ve heard by now that email, as a general medium, lacks the technical safeguards we would want it to have for security. Those of us who are required to be HIPAA compliant need to be thoughtful about the ways we use it. Here’s the kicker, though: we need to be thoughtful about when we don’t use it, too.
Email is part of a modern culture of high-transparency communication. We clinicians sometimes find ourselves using it for sensitive conversations despite our usual vigilance around confidentiality.
Sounds pretty bleak, right? In some circumstances it is. But that’s what risk management is for — to empower us with creativity to make the bleakest situations workable.
Any email you send or receive with clients contains both of your email addresses. It is also going to be about something related to clinical work. It may be as simple as an appointment time, but it’s always about health care. (If it isn’t about health care, one wonders about the relationship involved.)
Email addresses can be used to identify people very easily, and email addresses are on the list of 18 identifiers that HIPAA defines as without-a-doubt personally identifying.
Personally identifying information combined with health information makes what HIPAA calls “protected health information.” Ethically, we would consider it “confidential information.”
This means that any email between clinician and client needs to be protected. But here’s where we go off the rails: “protected” doesn’t always mean what you think it means.
“Protected” means using encryption, right?
Don’t get me wrong: encryption is super-fantastic. The day that encryption stops working for all people is the day that society as we currently know it starts to capsize. (Somebody please tell the FBI director this, btw.)
“Protected” means that we apply a risk management lens to the confidentiality problems raised by email and come up with appropriate risk management strategies. That’s it.
So what are the confidentiality problems raised by email?
Good question. Let’s find out. And while we’re at it, let’s talk about some risk management solutions, too.
Problem 1) The Postcard Thing
Email is like a postcard passing through the wild hinterlands of the open Internet. Various nefarious elements may be able to see its contents as it goes by.
The most obvious and powerful risk management measure would, indeed, be to encrypt all emails. Encryption means using secret codes, so encrypted emails would appear as useless gobbledygook to anyone who sees them as they zip by on the Internet.
The rub, though, is that encryption is not an invisible add-on that we can slap onto anything we want to secure. Encryption is a secret code, and everyone who wants to read the email needs to be in on the code.
So just like an encrypted email would be useless gobbledygook to hackers who watch it fly by, it would also be useless gobbledygook to the client who receives it without some predetermined setup for unlocking the encryption.
Actually encrypting all emails would require a society-wide decision to cooperate in making all emails encrypted. As a society, we had a chance to do that back in the late 90s and early aughts. As a society, we opted against it.
Google Has a Plan
Google and like-minded companies have been pushing for a slightly less powerful but still effective version of encryption for all our emails. They’ve been pretty successful in getting most email providers to set up encrypted tunnels between each other. So even though our emails would not be encrypted themselves, many of them would travel through tunnels of encryption when being sent between providers who are onboard with this plan.
The big plan from Google et al. is not something we can rely on for practice management purposes (yet), but it can certainly help when things go south. See Google’s Transparency Report for some more details on how that project is coming along. Also see Rob Reinhardt’s article on how encrypted tunnel notices show up in Gmail.
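For readers who want to see those tunnels for themselves, here is an added example (not part of the original article) that reads the Received headers of a saved message and reports which provider-to-provider hops recorded an encrypted transfer. The sample message, hostnames and function names are constructed for illustration; the keywords checked are the RFC 3848 "with" values.

```python
import re
from email import message_from_string

# Constructed sample message (not a real email); reserved example domains and IPs.
SAMPLE = """\
Received: from mail.clinic.example (mail.clinic.example [192.0.2.10])
\tby mx.provider.example with ESMTPS id abc123
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
\tTue, 02 Jan 2024 10:00:02 -0800
Received: from laptop.local (unknown [198.51.100.7])
\tby mail.clinic.example with ESMTP id def456;
\tTue, 02 Jan 2024 10:00:01 -0800
From: clinician@clinic.example
To: client@provider.example
Subject: Appointment

See you Thursday.
"""

# RFC 3848 "with" keywords whose S means the hop ran over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}


def _field(pattern, text):
    match = re.search(pattern, text, re.IGNORECASE)
    return match.group(1) if match else None


def hop_report(raw_message):
    """Return one dict per Received header, oldest hop first."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        flat = " ".join(value.split())  # unfold the multi-line header
        protocol = (_field(r"\bwith\s+([A-Za-z0-9]+)", flat) or "UNKNOWN").upper()
        hops.append({
            "from": _field(r"\bfrom\s+(\S+)", flat),
            "by": _field(r"\bby\s+(\S+)", flat),
            "protocol": protocol,
            "tls": protocol in TLS_PROTOCOLS,
        })
    hops.reverse()  # servers prepend headers, so the file order is newest first
    return hops


def unprotected_hops(raw_message):
    """Hops that did not record a TLS-protected transfer."""
    return [hop for hop in hop_report(raw_message) if not hop["tls"]]


if __name__ == "__main__":
    for hop in hop_report(SAMPLE):
        print(hop)
```

Each server writes its own Received line, so lines added outside providers you trust are unverified, and a plain ESMTP keyword only tells you that no TLS was recorded for that hop.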
Secure Messaging Providers Have a Plan, Too
As providers, we can always use secure messaging services. These services are often called “encrypted email,” but that’s similar to the phrase “white chocolate.” White chocolate isn’t actually chocolate, just like these secure messaging services aren’t actually email. But no one cares. We call it that anyways. In the same vein, I may refer to secure messaging services as “encrypted email.”
Secure messaging services help us get around the problem of figuring out how to share the secret code of encryption with our clients. The result is clumsy, but still perfect for when encryption is the only reasonable solution to your confidentiality problems.
You and Your Clients Can Also Have a Plan
An alternative to using encrypted email or secure messaging services is to just not send anything that a hacker would care to see.
It may sound overly simple. And to be honest, it is. There is a lot that goes into the idea of collaborating with clients who want you to send them ordinary, unencrypted emails. While it is more than achievable and completely reasonable to do, you need to approach it with a good sense of how risk management works and with a good knowledge of the risks at play.
For starters, you can check out our article, Clients Have the Right to Receive Unencrypted Emails Under HIPAA. You can also get a lot of useful info from our courses on email, texting, and other client communications.
Problem 2) Email Sits In Places
When email is sitting in one place, it has a place to sit in. This place can be a smartphone, a computer, an account on a server on the Internet, etc. If you’ve ever worked with clients who have nosy or abusive people in their lives, you may be familiar with the vulnerability of any of these things.
And here’s what’s really problematic about this one: even if you and the client are encrypting your messages, that won’t stop the nosy or abusive intruders. Why not? If the client can unlock the encryption for their own viewing, then they can certainly do so for the abuser. And abusers generally demand passwords from their targets.
Thus we see one of the many reasons why “encrypted” is not a synonym for “secure,” despite the advice we so frequently get in our professional circles.
A less obvious application of this problem is in work or school email accounts. Those accounts are held on the servers of the client’s employer or school. Admins and managers can (and do!) view the emails on those servers. Legal precedents protect employers who do this. You can imagine where the story goes from there.
Last application of problem 2: what’s going on with your own email account? Which company holds your emails for you? Why do you trust them to hold emails exchanged with your clients? How well are your own devices protected from intrusion? (See our Device Security Pack for help with that.)
Regardless of what other risk management measures we take, HIPAA requires that our email services execute a Business Associate Agreement with us. Just like you would require a reception person in your office to sign confidentiality agreements, HIPAA requires you to sign a BAA with your email service. Later in this article is a short list of email services that will oblige on this point.
Note: We offer our free Email and Texting Risk Questionnaire form to our (also free) newsletter subscribers. This questionnaire helps you and your clients cover the problems described above. Subscribe to our newsletter here to get access to these and other useful forms.
Email is not something we want to ignore in our practices. Clients often want to use it, and that is perfectly fine when the risks can be managed. Take appropriate steps to do that, and you can leverage the empowerment of risk management.