While it is true that HIPAA provides room for clients to request that we send them unencrypted emails and texts, those unencrypted emails and texts aren’t always the only way for us to conveniently and effectively communicate with them between sessions. And even where it isn’t as convenient as we might like, there is a case for putting in the effort to make secure communications work.
Let’s take a look at it.
Making a Safe Space For Clients
Sacred space of therapy is founded on the safety of the environment, and we have long accepted that both privacy of the physical space and the promise of confidentiality in the professional relationship are foundational to that safety — both felt and actual.
Safe, confidential space online requires technical security. Encryption is the cyber-equivalent of sound-resistant walls, closed doors and noise machines in the hallway.
In terms of stretching ethical confidentiality standards, unencrypted communication could be likened to walk-and-talk therapy or therapy in coffee shops. In other words, they’re ethically feasible with earnest and healthy due diligence and when the client gets sufficient benefit to justify accepting the risks involved (or the risks are low enough at the start to be acceptable.)
A vital difference, however, is that walk and talk therapy and ecotherapy inherently offer health gains that can justify stretching confidentiality. For each client, we need to determine if we can say the same of nonsecure communications. If we cannot, then it will take very special circumstances to justify putting that stress on the client’s confidentiality.
And if you wish to maintain the sanctity of the therapy space, whether in an office or online, wouldn’t you need to employ secure communications tools for that?
Getting Clients Onboard
Many clinicians have complained to us that it is difficult to convince clients to use secure communication tools, such as secure messaging (aka “encrypted email”) or secure texting apps. On the other hand, we have talked to clinicians who seem to have little trouble at all getting their clients onboard with secure communications.
Our experience — and the body of research on using Internet tech in mental health practice — indicates that the therapist’s level of comfort with a piece of tech has a large impact on the client’s comfort and interest in using it.
Imagine, for example, the differences between these two scenarios:
Jane Therapist realizes she needs secure communications, so she gets a secure email service that clients can sign up to use with her. In her intake paperwork, she informs clients that they need to sign up for it. She also verbally emphasizes this during the first session.
In secret, the secure email service makes her nervous and she doesn’t enjoy using it, but she tries not to show that to her clients.
When she later gets unencrypted text messages from clients who still have not signed up for the secure email service, she feels frustrated with the whole thing. Her feelings sometimes slip out when she responds by telling them again to go sign up.
Jane Therapist chooses an encrypted email service that best fits her needs. It’s not initially a joy to use. So she spends some time figuring out ways to make it comfortable for her, and for her clients, before introducing it to her practice.
In her intake paperwork, she asks clients to think about how they want to use email or texting during the relationship. At intake, she brings up email and texting and asks the client if it’s something they prefer to use and would like to use with her.
If they say yes, she talks about the benefits of using her encrypted email service and asks the client if they need assistance with it, such as showing them how to use it on their smartphone. If requested, she shares some of her techniques for using it more comfortably.
When clients who haven’t yet signed up for the service inevitably send her unencrypted texts or emails, she usually calls them back or waits for the next session to respond. When the client arrives, she’s ready with some information to continue the informed consent process around confidentiality, including the benefits of using secured communication.
She patiently monitors this aspect of the informed consent process throughout the relationship.
The second vignette is likely to be more successful but also requires more comfort and emotional investment on the therapist’s part in the use of the secure email service.
Very importantly, the second process is one that requires up-front focus and time investment, but becomes second nature as time goes on. That investment also turns into improved security for clients and the practice.
Making It Comfortable
Our experience in speaking with colleagues is that most clients request unencrypted emails and texts from their therapist because they want their communication with the therapist to be fast and easy. Clients and therapists also like to use what they’re accustomed to, and most people don’t use HIPAA-secure services for email and texting in their everyday lives.
So let’s look at some recipes — and these are just a couple that come to our minds — for creating the same kinds of convenience while using secured communication services.
Get That Email Service Onto Client Smartphones
A number of secure messaging (aka “encrypted email”) services have smartphone apps. This can turn the annoying secured messaging rigmarole into a simpler process that’s much more akin to texting. But it doesn’t require either of you to use it like texting if you don’t want to.
When either of you wants to use it like email, use it on a computer. When either of you wants to use it like texting, use it on a smartphone.
Not all encrypted email services make it easy for your clients to get their own accounts on the service, though. So part of this strategy is to look for services that do provide both free accounts for your clients and smartphone apps that you and your clients can use. Ask around to find services that fit this description.
Focus on Secure Texting Apps Instead of Email (Where Appropriate)
If you use proper secure texting apps, then therapist and client can both feel secure that so long as you’re in the app, your confidentiality is protected.
The options for secure texting have gotten pretty great. For a free (both free as in speech as well as free as in beer) option, we deeply recommend Signal. More secure texting options can be found in our HIPAApropriateness Reviews here.
The big flaw in any recipe we can propose is that they all require getting the client (and the therapist, too!) to use something new. Sometimes people are not excited about that.
Remember, though, that most clients will follow your lead when it comes to deciding what’s right for them in therapy. If you’re excited and confident with the secure tools, they’re more likely to be so, as well.
Getting there yourself may take some practice. You might not jump right in to using secure apps with your clients until you’ve played with them for a while. Practice with friends and family. Get advice from people who like the apps you’re using. Find your way of feeling positive and happy when you use these secure tools.
After all that, start bringing them to your clients.
Remember that nothing really good gets built instantly. Creating a solid foundation of comfortable and secure client communications is no different, and taking your time will mitigate more risks than trying to patch your security and compliance holes overnight. It’s okay — nay, good! — to take a little time to get accustomed to secure tech.
A Brief Case For Nonsecure Email and Texting
It would behoove us to point out, if it isn’t already obvious, that our strategies thus far rely on clients having access to fancy gadgets that they can use in private spaces. Not everyone has a smartphone, and some people only get Internet access at the library.
In these kinds of cases, a risk management approach is still called for. For some clients, this circumstance means that you never use texting of any kind with them due to the dangers involved. For many such clients, however, requests for nonsecure emails and texts might make sense. See our article on that topic, or our Level I Digital Confidentiality training for deeper information.
HIPAA-secure communication is the way of the health care future, and we are likely on a path that eventually leads to us never using anything else.
We do think that future picture is more comfortable and easy than it may sound at this point, though. It just takes some adjusting. So why not get started on it now?