Paubox blog: HIPAA compliant email made easy

What does the APA say about unsecured email and PHI?

Written by Caitlin Anthoney | August 06, 2024

The American Psychological Association (APA) recommends using a HIPAA compliant emailing platform, like Paubox, to encrypt emails with protected health information (PHI).

Can providers use unsecured email to send PHI?

According to Stacey Larson, JD, PsyD from the American Psychological Association (APA), "The Health Insurance Portability and Accountability Act (HIPAA) does not prohibit using email to send a patient [their] PHI. Nor does it require [providers] to use encrypted email."

However, unsecured emails are susceptible to interception, risking patients’ protected health information (PHI).

Specifically, Dr Larson advises providers, including mental health professionals, to "Inform [their] patients that emails can be intercepted during transmission, and that unencrypted messages (and any attachments) can be read, and potentially copied and forwarded, by anyone."

Why unsecured emails are ineffective

Limited content

While unsecured emails can be limited to "administrative matters, such as appointment reminders or preappointment paperwork", this approach does not fully address the vulnerabilities in unencrypted communication. Even administrative emails can be intercepted and misused, and any lapse in content sensitivity could lead to unintentional exposure of PHI.

Impersonal

The APA suggests providers "eliminate full names from [their unsecure] emails." However, excluding identifiable information like full names does not prevent data interception.

Furthermore, personalized emails create more valuable and appealing communication that improves patient engagement and satisfaction.

Unverified recipients

The APA advises providers to "double-check the email address of the intended recipient to ensure it is going to the correct person." However, mistakes in recipient verification can still occur, and even with correct addresses, unencrypted emails are susceptible to breaches during transmission.

What does the APA recommend?

According to the APA, "Encryption is [the] best defense against a data breach... Encrypted messages are not readable without the appropriate password (or key). Encryption safeguards protected health information (PHI) from unauthorized access and data breaches."

More specifically, the APA recommends using a "HIPAA level encryption email" platform, like Paubox. These platforms use encryption, authentication measures, and access controls to protect PHI.

Additionally, using a HIPAA compliant emailing platform helps providers mitigate the risk of non-compliance violations that result in severe fines and other penalties.

Read also: Top 12 HIPAA compliant email services

FAQs

What makes an email HIPAA compliant?

An email is HIPAA compliant when it meets the HIPAA requirements for protecting sensitive patient information. Therapists must use a HIPAA compliant emailing platform with encryption, access controls, and audit trails to safeguard patients' mental health information and mitigate data breaches.

Additionally, the platform must sign a business associate agreement (BAA) with the healthcare entity to ensure HIPAA compliance.

Can providers use regular emails for patient communication?

No, regular email services, like Gmail and Outlook, are not secure. Instead, providers must use a HIPAA compliant emailing platform, like Paubox, to safeguard patients' protected health information (PHI).

Can HIPAA compliant emails include personalized mental health support?

Yes, providers can use HIPAA compliant emails to send personalized mental health resources, self-care tips, and educational materials directly to patients.