The American Psychological Association (APA) recommends using a HIPAA compliant emailing platform, like Paubox, to encrypt emails with protected health information (PHI).
Can providers use unsecured email to send PHI?
According to Stacey Larson, JD, PsyD from the American Psychological Association (APA), “The Health Insurance Portability and Accountability Act (HIPAA) does not prohibit using email to send a patient [their] PHI. Nor does it require [providers] to use encrypted email.”
However, unsecured emails are susceptible to interception, risking patients’ protected health information (PHI).
Specifically, Dr. Larson advises providers, including mental health professionals, to “Inform [their] patients that emails can be intercepted during transmission, and that unencrypted messages (and any attachments) can be read, and potentially copied and forwarded, by anyone.”
Why the safeguards for unsecured email fall short
Limited content
While unsecured emails can be limited to “administrative matters, such as appointment reminders or preappointment paperwork,” this approach does not fully address the vulnerabilities of unencrypted communication. Even administrative emails can be intercepted and misused, and any lapse in judgment about what counts as sensitive content could lead to unintentional exposure of PHI.
Impersonal
The APA suggests providers “eliminate full names from [their unsecure] emails.” However, excluding identifiable information like full names does not prevent data interception.
Furthermore, personalized emails are more valuable and engaging for patients, which improves patient engagement and satisfaction.
Unverified recipients
The APA advises providers to “double-check the email address of the intended recipient to ensure it is going to the correct person.” However, mistakes in recipient verification can still occur, and even with correct addresses, unencrypted emails are susceptible to breaches during transmission.
What does the APA recommend?
According to the APA, “Encryption is [the] best defense against a data breach... Encrypted messages are not readable without the appropriate password (or key).” Encryption safeguards protected health information (PHI) from unauthorized access and data breaches.
More specifically, the APA recommends using a “HIPAA level encryption email” platform, like Paubox. These platforms use encryption, authentication measures, and access controls to protect PHI.
Additionally, using a HIPAA compliant emailing platform helps providers reduce the risk of HIPAA violations, which can result in severe fines and other penalties.
Read also: Top 12 HIPAA compliant email services
FAQs
What makes an email HIPAA compliant?
An email is HIPAA compliant when it meets the HIPAA requirements for protecting sensitive patient information. Therapists must use a HIPAA compliant emailing platform with encryption, access controls, and audit trails to safeguard patients' mental health information and reduce the risk of data breaches.
Additionally, the platform must sign a business associate agreement (BAA) with the healthcare entity to ensure HIPAA compliance.
Can providers use regular emails for patient communication?
No, regular email services, like Gmail and Outlook, are not secure. Instead, providers must use a HIPAA compliant emailing platform, like Paubox, to safeguard patients' protected health information (PHI).
Can HIPAA compliant emails include personalized mental health support?
Yes, providers can use HIPAA compliant emails to send personalized mental health resources, self-care tips, and educational materials directly to patients.