Transcript

Evan Dumas 

You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.

 

Liath Dalton 

And I’m Liath Dalton, and we are Person Centered Tech.

 

Liath Dalton 

This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and electronic health record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user go to therapynotes.com and use promo code PCT.

 

Evan Dumas 

Hello and welcome to Episode 612: Free Email Isn’t Worth It: Why It’s a Bad Idea and What To Do Instead.

 

Liath Dalton 

This is a conversation that is worth having, because it is something that is still happening, both in solo practice and group practice contexts. So we thought we would dive into it. And as the title says, talk about why it’s a bad idea,

 

Evan Dumas 

Yeah.

 

Liath Dalton 

and what to do instead. So let’s dive in.

 

Evan Dumas 

Yeah. So we see this all the time. You know, we’ll get an email, and it’s usually in the format of first name, last name, therapist, or maybe even the name of a whole [email protected], or @yahoo.com, or there are even some Hotmail and AOL emails, and sometimes also emails from internet service providers, like Comcast or XFINITY, things like that. We see them all the time.

 

Liath Dalton 

And that is something that instantly lets us know that it is not HIPAA compliance compatible.

 

Evan Dumas 

Nope.

 

Liath Dalton 

Right.

 

Evan Dumas 

No, no. Because, yeah, the bare minimum for HIPAA compliance is to get this little thing called a Business Associate Agreement. And we know there is no free email provider that gives you one. So it’s a very easy read. And this is really great for you group practice owners, if you’re looking at bringing on contractors, and they’re like, Yeah, I got my own email. It’s @gmail.com and I’ll just be using that. And you can say, Oh, they don’t know. They need to switch. Okay.

 

Liath Dalton 

Exactly. And I will say that in group practice contexts, the most frequent time that we see free email use that cannot be HIPAA compliance compatible is in the context of contractor permissions.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

Right, where they’re supplying some of their own tools for client communication or internal operations and so on. And as Evan said, at the bare minimum, for email to be HIPAA compliance compatible, a Business Associate Agreement must be in place between the service provider, so that’s the company that’s providing the email, and the HIPAA covered entity. And there is a confusion that we have seen a rise in around this, where folks will say, well, my client gives a HIPAA waiver.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

Right?

 

Evan Dumas 

Yeah, yeah.

 

Liath Dalton 

And so that means that the HIPAA waiver for email communication extends to waiving the HIPAA requirement that I, as a HIPAA covered entity, need to have a HIPAA Business Associate Agreement with my email service provider.

 

Evan Dumas 

Yeah, what a common misunderstanding. Like, think about the logical conclusion of that: you can’t have a client say, Yeah, I want to use Facebook Messenger or Instagram DMs, or, you know what, let’s just chat in a Facebook group about PHI, and I’m going to waive my right to it being private, and that means you don’t have to worry about it. That’s ridiculous.

 

Liath Dalton 

Exactly, and that’s a perfect analogy, Evan. So it is true that clients can give a request for non-secure communication, which is permitted under the HIPAA Privacy Rule. Basically, that rule has a provision for clients to be able to request alternative communication. And what that means is that alternative communication is where the transmission security standard, where encryption while it’s being sent over the Internet, is not guaranteed to be in place. That is distinct from and separate to the business associate rule. And the business associate rule is something that covered entities are subject to, and there is no method for that being waived, and no instance in which it is not applicable.

 

Liath Dalton 

In fact, during the early covid times, when there was, you know, this emergent need for folks to switch from in person to telehealth in order to continue delivering client care, and a lot of folks weren’t set up for doing telehealth, or even in some instances, electronic communications that were HIPAA copacetic, there was a notice of non enforcement related to the video platforms and communication channels.

 

Evan Dumas 

Yep.

 

Liath Dalton 

What’s really important to sort of extrapolate from that is that it wasn’t that the rule was suspended, at all. It was that during this finite period of time, we are not going to enforce the rule, and we will not penalize people for not following the rule. But the rule still stood, and it was merely non-enforcement as a stopgap measure so that folks could get set up with the right systems that were HIPAA compliance compatible.

 

Evan Dumas 

Mhm, yeah. So to all of this, what would you say, Liath, when we get the classic pushback of, hey, I’m just using this free email for scheduling, or, Hey, I got a footer that says, Whoa, no, PHI, please, email isn’t confidential. Can I use it that way?

 

Liath Dalton 

That’s a great question. And the answer is that it is still Protected Health Information. Even if it doesn’t contain clinical information, it is still Protected Health Information which means it is in HIPAA’s scope.

 

Evan Dumas 

Yep.

 

Liath Dalton 

And let’s just again define what constitutes PHI, because it’s a lot broader than we would sometimes like to think right?

 

Evan Dumas 

Mhm.

 

Liath Dalton 

And protected Health Information is any identifying information, plus health information, where health information is about any past, present or future health care services. Another way to put this is that if you, as a health care provider, are exchanging communications with a client or prospective client about scheduling a healthcare service, that absolutely 100% without any doubt or question, is Protected Health Information. It meets that definition.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

So PHI is not limited to like diagnosis codes or discussion of symptoms or life circumstances. It is as simple as you as a health care provider exchanging an email with a prospective client or a client where the identifier is just their email address.

 

Evan Dumas 

Yeah, that’s it. Yeah.

 

Liath Dalton 

That’s all that’s needed.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

So we’ve addressed the yes, it’s PHI, which then means it’s in HIPAA’s scope, and HIPAA applies portion of that. And then to the what about having a footer in my email that says, please don’t include PHI.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

That goes back to the point that clients cannot waive HIPAA, and the business associate rule as it applies to covered entities. Also, it’s not clients’ responsibility to know what is and isn’t PHI. And yes, you can guide clients to limit the sensitivity of PHI that they are including in email communications. And we recommend that that is something that you address in a client-facing communications policy that specifies what content is appropriate for which HIPAA consistent communication platforms you have available.

 

Liath Dalton 

So that’s something that you should be sharing. But the responsibility for safeguarding any PHI that is being exchanged is on you as the covered entity, right?

 

Evan Dumas 

Mhm.

 

Evan Dumas 

And documenting it. So you sending a footer to a client, sure, may inform them of risks, or may say, hey, if you got this in error, please delete it. Sure, that’s all good. It is not documentation that you did it or that they consented. Because that second piece, having written, signed consent for the request for non-secure communication, is what’s important. So you informing them, sure, that’s just half the battle. So don’t rely purely on informing clients for policies and things. You need it to be signed off on.

 

Liath Dalton 

Exactly.

 

Liath Dalton 

And it’s also really noteworthy that, as we just described, the mere exchange of emails with a client or prospective client is PHI. So having a footer in your email that says, please don’t include PHI, that ship has already sailed, right?

 

Evan Dumas 

Yeah.

 

Liath Dalton 

Just by exchanging an email, because their email address is an identifier and you’re a healthcare provider, anything between the two of you constitutes Protected Health Information.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

So having that disclaimer is not something that can take it out of the scope of HIPAA. Which, in this instance, means that you have to have a Business Associate Agreement with your email service provider.

 

Evan Dumas 

Mhm, yeah, exactly.

 

Liath Dalton 

One other piece in the like, why not, why this is a bad idea, is just the professionalism that is conveyed as well. Right?

 

Evan Dumas 

Mhm.

 

Liath Dalton 

You want an email that communicates an established, official business entity. And to anyone that knows anything about email security, it is also conveying that it is an appropriate system, that it’s not just a free email. Because that doesn’t convey professionalism or that safeguards are in place. And while that may not be a red flag to every client or prospective client, it will be to at least a number of them. I can tell you when I’m working with different healthcare providers, I absolutely take note of what their email address is and how they manage communication, and what footers or disclaimers and so on they have in their emails.

 

Evan Dumas 

Yeah, you wouldn’t get an email from a [email protected], that’s, like. And treat yourself at that same level of professionalism. When you’re like, well, I’m not a doctor. Yeah, you’re still a professional. You’re still someone who wants to show that, yes, you’re trained for this. You didn’t just make it up. Anyone can make up a little free Gmail account that says you’re a therapist. Now that’s outside the scope of what we’re talking about.

 

Evan Dumas 

But you know, even if you don’t want your own domain name, which is very easy, paid Google accounts are very, very cheap, and that’s sort of the one that we recommend. There are services that provide BAA protected email. Hushmail is one that we really like, and you’ll sign up with them, and they’ll give you a @hushmail.com account. And you’re like, oh, what’s Hushmail? And you’re like, yes, it’s secretive. It’s special. It’s for therapists. There are other services like this too, but it shows that you took into account that your needs as a therapist also include your need for secure email.

 

Liath Dalton 

Exactly. So now that we’ve made, I think, a very compelling case as to why it’s a bad idea, let’s expand a little bit on the what to do instead. Evan, can you elaborate

 

Evan Dumas 

Yeah.

 

Liath Dalton 

on the domain and all of that?

 

Evan Dumas 

Of course. The domain is the whatever.com. Like, superhappytherapist.com. And you can get one of these. Granted, a lot of them are taken, but, you know, not as many as you think. So your name therapist, or whatever your brand name is, things like that. You can go via GoDaddy, which I don’t recommend. You can go via Google. You can get your domain name registered at a registrar, and that’s how you get this piece of the puzzle. It’s sort of the second half of your email address.

 

Evan Dumas 

Now you need someone to handle your email, to, like, handle the emails coming in and going out, things like that. Well, if you’re used to Gmail, you can get a paid Gmail account. It’s very affordable. We recommend you get the Business tier, because that gives you a BAA. And you sign up with that, like, seven bucks a month, cheaper if you pay per year. And they say, Hey, what’s your domain name? And you say, Oh, I’ve got this one. Or you can register with them, and they say, Okay, what would you like your email address to be? And you can say your name @ whatever, or therapist @ or admin, or, you know, depending on what you want it to look like. And then you have your very own professional BAA-ish protected email address. Now, some discussion around that.

 

Evan Dumas 

But if all of that sounds like way too much effort and way too much work, you can get a service that is purely email, nothing else. Hushmail, even, they have some nice forms too, where you can sign up with them, and it’s very secure email. It’s BAA HIPAA protected. It’s even like escrow-style email, which is phenomenal. And you just have their @hushmail account. You don’t have to get a domain name. You can if you want, but you don’t have to. It’s really nice.

 

Liath Dalton 

Exactly. And they do have different options as well for

 

Evan Dumas 

Oh, great.

 

Liath Dalton 

the tail end. So it’s not just @hushmail.com but @ securetherapist and various

 

Evan Dumas 

Very cool, very cool.

 

Liath Dalton 

options you can click through the ones they have there if you don’t want to set it up with your own domain.

 

Evan Dumas 

Yeah, that’s, great.

 

Liath Dalton 

I will say, in the context of domains, a couple questions often come up. One is, how much does it cost to get my own domain?

 

Evan Dumas 

Yeah, it’s about like 15 bucks a year. Depends who you go through; there are some real cheap ones out there. NameCheap, I like. You know, I have a few domains, just because I don’t want anyone taking my name, even if I’m not using it. I would hate to have an evandumas.com that someone else owns. And so I have a few just sort of parked. And they end up being like maybe 12, 15 bucks a year. If you see something higher than 20, shop around, look around, because you can definitely get a better deal.

 

Liath Dalton 

Mhm. And then the other point of this, that sort of goes without saying, but I’m going to say it anyway, is that if you have your own website for your practice, you already have a domain.

 

Evan Dumas 

Ideally, yes, unless you’re using Wix or Squarespace, but yes, ideally.

 

Liath Dalton 

That is true. There can be setups where you may have used a website builder that didn’t. I think they do give you options.

 

Evan Dumas 

They do, yeah, they’ll sell it to you for sure.

 

Liath Dalton 

But then, there is a path to creating a website without actually getting a domain.

 

Evan Dumas 

Mhm, yeah.

 

Liath Dalton 

But one thing that I want to say is that it is really considered kind of necessary in the modern practice context to have a practice website.

 

Evan Dumas 

Definitely, yeah. And just as you wouldn’t use a therapist.freewebsite.com, like that doesn’t look so great. You wouldn’t use a @gmail.com email address.

 

Liath Dalton 

Exactly. And the benefits of having your own practice website are multi-fold, even if your primary referral sources are community referral partners or directories, you still want a website that you control and that has information about you and how you practice, and, if you’re a HIPAA covered entity, that has your HIPAA Notice of Privacy Practices.

 

Evan Dumas 

Oh, of course, yeah.

 

Liath Dalton 

And if you’re a telehealth only provider, you really must have a practice website,

 

Evan Dumas 

Mhm yep.

 

Liath Dalton 

So check out the show notes, because we’re going to include a couple additional resources here.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

One that talks about different kinds of email and how to make a HIPAA informed choice, because there is a difference between HIPAA friendly email, like Google Workspace with the BAA, which is what Evan and I have been talking about primarily here, and HIPAA secure email, like what Hushmail provides.

 

Liath Dalton 

So having an understanding of the different types of email and how that fits within the HIPAA picture, and when you need to get a request for non-secure communication from clients, which, you know, if you’re using Google Workspace email, you technically do need to get, even though it’s HIPAA friendly, that’s all explained in a handy dandy article with some nice graphics that make it easy to understand.

 

Liath Dalton 

So check that out, and we hope you have found this helpful. Thanks for listening.

 

Evan Dumas 

Yeah, talk to you next time, everybody.

 

Liath Dalton 

This has been Group Practice Tech. You can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast or click podcast on the menu bar.


Your Hosts:

PCT’s Director Liath Dalton

Senior Consultant Evan Dumas

Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.

In our latest episode, we explain why free email providers are inherently not HIPAA compliance compatible.

We discuss:

  • Why it’s necessary to have a Business Associate Agreement with your email service provider
  • Why clients can’t opt out of HIPAA
  • What requests for alternative or non-secure communication actually mean under the HIPAA Privacy Rule
  • What counts as Protected Health Information (PHI)
  • Why a free email address might be a red flag for prospective clients
  • How to get a BAA protected email, with a domain name or without

Therapy Notes proudly sponsors Group Practice Tech!

TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.

*Please note that this offer only applies to brand-new TherapyNotes customers

Resources for Listeners

PCT Resources:

  • PCT Article: 3 Kinds of Email Security: How to Make an Informed and HIPAA-Aware Choice
  • PCT CE Training: Smooth and Secure Use of Phone, Text, Email, and Video to Meet Modern Clients Where They Are: Legal-Ethical and Real-World Considerations
    • Learn about the legal-ethical considerations of modern communication channels in the context of real world practice and client needs. 3 Legal-Ethical CE credit hours. On-demand.
  • PCT’s Comprehensive HIPAA Security Compliance Program (discounted) bundles:
    • For Group Practices
    • For Solo Practitioners
      • Comprehensive HIPAA Security Policies & Procedures
      • Forms & Logs for documenting implementation and maintenance of Policies & Procedures in practice
      • Device & Workspace Security Suites
      • Direct Support & Consultation from PCT team + therapist attorney Eric Ström, JD PhD LMHC (live & recorded + searchable library)
      • Includes the Risk Analysis & Risk Mitigation Planning service + tool
      • HIPAA Security & Privacy Ethics training
  • HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.
  • Group Practice Care Premium
    • weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
    • + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
    • + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
