The Health Insurance Portability and Accountability Act (HIPAA) has been with us since 1996. First of all, can you believe it’s been over twenty years? True, many of the provisions didn’t go into effect until much later but the very idea that HIPAA has been around that long is pretty remarkable.
Before we go too deep here, let me say something: I am not a lawyer and I am not posting anything below in an effort to give you legal advice. That’s for the attorneys. If you have any questions or concerns about how HIPAA might impact you or your practice, your best bet will be to make contact with a trusted lawyer.
For practices that bill insurance companies or handle certain other aspects of their business electronically, HIPAA most likely applies to you. And, if that’s the case, then part of your role is to make sure that you are operating in compliance with everything that is expected of you. Every practice is different and, even within the law, there are allowances for small practices vs larger practices.
Even without HIPAA, it’s important for us as professionals to ensure that we are doing everything reasonably within our power to serve our clients and to protect their confidentiality.
With that in mind, let’s talk email.
If you are a newly minted practitioner or even if you’ve been operating for a while, you are probably using email to conduct a majority of your business. HIPAA certainly allows for the use of email but there are some catches that you definitely want to be aware of.
First of all, if you’re using email, you’re most likely making use of a cloud service – you’ve entered into an agreement with another company (e.g. Google, Yahoo, Microsoft) to provide a service to you and you’re using their systems to send and deliver your messages. They have become a business associate to your practice. Even if that service is free, simply by signing up and using their service, you’ve entered into a business relationship with them.
This has some pretty big implications for HIPAA. There were some changes made to HIPAA a few years ago called the HITECH Act and in there are some new requirements that govern just these sorts of business relationships. There are details in there about what is expected from companies like email providers to make sure that any electronic protected health information (ePHI) is protected.
Here’s one of the major ways that it might affect your small practice.
If you use email to transmit any ePHI, you have to enter into an official Business Associate Agreement (BAA). This is true of any cloud service that you might use (e.g. if you use a service like SimplePractice). Many of the therapy-centric services already include this in your terms of service, but your email likely does not.
Here’s the other thing: If you’re using any of the free email services (e.g. if you have a free Gmail, Yahoo, Outlook, etc. account), you’re likely not in compliance. Why not? These services don’t meet the technical criteria needed and they don’t allow you to sign a BAA with them.
Whenever people ask me, I strongly suggest using Google’s paid email/cloud service (called G-Suite). Not only does it allow you to tie your practice’s domain to your email (i.e. so you can have email@example.com as your email address), but it also is highly encrypted and secure AND Google has an easy process for entering into a BAA. It does take a little technical knowledge to set up these accounts sometimes, but there are people who can offer help with that process if you feel like you need it.
Even if you are not required to adhere to HIPAA standards, ensuring that you’re doing all you can to protect your clients is an expectation in the codes of ethics for all of the mental health counseling professions.
Ultimately, it’s on you as a private practitioner to ensure that you’re meeting all of the expectations laid down by HIPAA. This idea – signing a BAA with the company that is providing your email service – is just one of the many things that you need to do to protect your clients. Even if you use Google’s G-Suite, there are additional steps that you need to take, especially if your practice is larger than one person, to further lock down the security of your setup.
But it’s one that can easily be overlooked!
We can help! Just head over to our contact page and let us know what you need. We can help you with a wide range of challenges — from marketing to technical.