Paubox blog: HIPAA compliant email made easy

Can physical therapists use email to send and receive HIPAA forms?

Written by Liyanda Tembani | February 15, 2024

Yes, physical therapists can use email for HIPAA forms, but it requires specific conditions for compliance. They must use a HIPAA compliant email service, secure written consent from patients, encrypt attachments, and implement security measures like multifactor authentication. Physical therapists must find a balance between convenience and security. Alternative methods like HIPAA compliant online forms can enhance protection.

How HIPAA applies to email communication

HIPAA doesn't directly regulate email but applies to any electronic communication containing protected health information (PHI). This means:

  • Sharing PHI via email requires reasonable safeguards to ensure its confidentiality, integrity, and availability. This includes encryption in transit and at rest and secure access controls.
  • Before disclosing PHI, obtain and document patient consent, unless the disclosure is a permissible one (treatment, payments, and healthcare operations).
  • HIPAA doesn't prohibit email, but it sets expectations for secure handling. Regular email services lack these safeguards, making them generally unsuitable for PHI.

Note: HIPAA emphasizes protecting patient privacy, and email use requires extra caution and specific security measures to comply.

What are HIPAA forms? 

Authorization forms, commonly called HIPAA forms, are used by physical therapists when they need to share a patient's PHI for reasons beyond treatment, payment, or healthcare operations. This may include sharing information with family members, insurance companies for claims processing, or researchers for studies.

While signing isn't mandatory, these forms hold significant weight. They document patient consent, ensuring transparency and protecting therapists from potential privacy violations. Physical therapists must choose the correct form, obtain informed consent, and follow secure communication practices to comply with HIPAA regulations.

HIPAA compliance conditions for using email with HIPAA forms

Use a HIPAA compliant email service

  • Choose a HIPAA compliant email service like Paubox, specifically designed to meet HIPAA standards.
  • Ensure the service encrypts data both in transit and at rest, providing a secure environment for PHI.
  • Regular email services like Gmail are not inherently HIPAA compliant.

Obtain written consent

  • Secure written consent from patients explicitly granting permission for electronic communication.
  • Consent forms should detail the associated risks of email communication, ensuring patients are informed.

Secure attachments

  • When sending HIPAA forms as attachments, use HIPAA compliant email services.
  • These services often offer built-in encryption features for attachments, maintaining confidentiality during transmission.

Implement secure email practices

  • Enhance account security by implementing multifactor authentication.
  • Multifactor authentication adds an extra layer of verification beyond a password, reducing the risk of unauthorized access.

Alternatives to email 

Physical therapists can use HIPAA compliant online forms like Paubox to securely transmit sensitive information. These platforms offer a dedicated and encrypted space for patients to complete forms electronically, which ensures the confidentiality of PHI. By using online forms instead of traditional email, physical therapists can comply with HIPAA regulations and ensure secure communication.

FAQs

Can I use a regular email service for sending HIPAA forms as a physical therapist?

No, using a regular email service like Gmail or Yahoo Mail is not recommended for transmitting HIPAA forms. You must use a HIPAA compliant email service to ensure the encryption of patient information and comply with privacy regulations.

Are there specific details that must be included in the written consent for electronic communication?

Yes, the written consent should explicitly mention the risks associated with email communication and grant permission for the secure transmission of PHI. Clear and comprehensive consent forms help inform patients and establish a legal foundation for electronic communication.

Can physical therapists use cloud-based storage for storing HIPAA forms received via email?

Physical therapists can use cloud-based storage, but it must be a HIPAA compliant cloud service with appropriate security measures. Ensure that the chosen platform encrypts data and adheres to HIPAA standards for safeguarding patient information.