I’d like to tell you about two software services that may be of interest to most clinicians who are looking for ways to provide a high level of privacy for clients. But first, some background:
At Person-Centered Tech, we are often asked how clinicians can do both of these things:
- Do texting or email with clients in a way that meets HIPAA standards.
- Keep texts and emails with clients highly private, regardless of who might be interested in seeing them. These clinicians usually want even the company that provides the service to be unable to read the messages or report the messages to outside parties.
These two things can be surprisingly hard to do together. It’s not that HIPAA wants to spy on you. That’s not the case at all. It’s that HIPAA, and our professional ethics, want us to keep thorough records. (Not sure how much you need to document about texts and emails? See our article on it here.)
There are a bunch of different apps out there that can do what I’ve decided to call “high privacy.” That would be private communications where no one but you and your client could feasibly ever read the messages you exchange. It can even mean that outsiders aren’t able to know if you’re exchanging messages at all. There are numerous reasons why some clinicians might want this. It could be that they just want the strongest privacy they can get for their clients. Many clinicians have also reported to us that their clients are concerned about their own privacy, and they want their therapist to support it as strongly as possible.
Very importantly, “high privacy” as I have defined it here is not a requirement for HIPAA compliance. With a proper HIPAA Business Associate Agreement (BAA) in place, it’s legal to use texting and email services that are able to read your messages. That’s the purpose of the BAA — it’s the company’s assurances that they’ll keep your information private and secure. So in this article, we’re talking about serving clients with even higher privacy desires than are typical or required by HIPAA.
Whatever the reason for wanting a high-privacy text or email service, the problem typically lies in these two points:
- Many high-privacy apps keep privacy high by destroying messages and records shortly after they’re read. This interferes with our ability to maintain the availability and integrity of the messages, which would violate both HIPAA and our professional ethics.
- Most of the apps keep your messages on servers owned by the companies that make the apps. This requires a Business Associate Agreement for HIPAA compliance, which these companies generally aren’t prepared to do. This is true even if the company is not able to read your messages. It’s even true if they delete your messages but retain logs about who you exchanged messages with.
The above two points rule out most high-privacy apps. Fortunately, though, we know of two high-privacy apps that can meet our needs.
Our Reviews for Signal and ProtonMail
Signal is an open-source texting app for pretty much all smartphones. “Open source” means it is free as in “free beer” but also free as in “free speech.” For this among other reasons, we are happy to support and encourage its use by clinicians. It is very easy to use for both clinicians and clients, but it isn’t a “download and forget” kind of app. You do need to keep up your end of the security bargain, which we cover in an important link below. Signal’s servers retain nothing about your texting exchanges, which makes Signal very resistant to all forms of privacy invasion (so long as you keep up your end of the security bargain, of course).
A nice bonus about Signal is that in addition to providing high privacy, it also provides very easy-to-use secure texting. Many clinicians will want it simply for that reason.
ProtonMail is a commercial secure email service that provides an extra layer of privacy which prevents the ProtonMail company from reading your messages that they keep on their servers. Unlike Signal, however, ProtonMail does have information about who you exchanged messages with. So the privacy is not quite as high as Signal’s. It is very high, though.
“HIPAApropriateness” Reviews of These Services, Now Made Public For You
One service we provide here for our paid members is our HIPAApropriateness reviews. These are reviews where we explore the ways in which products meet or don’t meet our HIPAA and ethical needs, and where we give some guidance on how to use them in ways that meet your HIPAA and ethics needs. See the full list of reviews here.
Our paid members of Person-Centered Tech Support are entitled to request new reviews for any products they need at any time. Normally only the paid subscribers would have access to read the reviews, as well.
Because of the growing importance of high privacy for our community, however, we have decided to make our reviews of Signal and ProtonMail public. This means you don’t need to be a paid member of our site to read them. So we encourage you to read through them to help you decide if either of these services will be a good addition to your practice and your risk management planning.
Note that even with high privacy services, texting and email still pose other risks that you need to manage yourself or in collaboration with clients. The full exploration is well beyond the scope of this little article, but is covered in our CE courses.