TheraNest has a New Home! Please visit Theranest on
Learn about why we have rebranded
What Therapists Need to Know About HIPAA Compliant Communications
This post has been authored by Anabeli Fernandez, Marketing Manager at Hushmail, as part of our guest post series. Learn more about Anabeli at the bottom of this post. As a therapist, you have the privilege of being allowed into your clients’ private lives where you are entrusted with personal information that must remain confidential. Your clients need to feel a certain level of trust to benefit from your services, and a good part of this trust comes from knowing that the information they give you is safe and HIPAA compliant.  You’ve probably taken all the necessary precautions to protect your clients’ information within the office. You’ve educated your office staff about proper procedures for handling client files. You’re careful to maintain appropriate boundaries with clients and always act with professional integrity.  What about your online communications? Even if you use a secure EHR system to manage your practice, there will likely still be times when you need to communicate outside your system through email or web forms. If any of these communications contain client information, then they should be secure and HIPAA compliant. But what does this mean exactly? Let’s take a look at what makes a communication HIPAA compliant, features you should look for in a HIPAA-compliant email and web forms service provider, and steps you can take to make sure your HIPAA-compliant communications are, indeed, HIPAA compliant.

What makes a communication HIPAA-compliant?

HIPAA’s Security Rule requires all entities covered by HIPAA to provide appropriate safeguards to protect their clients’ electronic protected health information (ePHI). What that safeguard is, exactly, is left up to the practitioner. Encryption is commonly used to provide this protection because, first, if you set it up correctly, it’s a very reliable form of security, and second, it’s easy to demonstrate if you’re ever audited.   When you consider different encrypted email and web form services, you’ll find that they use different types of encryption. TLS encryption secures email during transit as long as all the email servers support TLS. Gmail, Yahoo Mail, and other commonly used email services provide this type of encryption.  HIPAA-compliant email services usually offer an extra layer of encryption for storage, such as OpenPGP encryption, which must be enabled (either with a switch or a password) and protects information both in transit and in storage once it’s reached its destination. Another sign that an email service is HIPAA compliant is a Business Associate Agreement. This signed document transfers the responsibility for protecting the PHI sent through email and web forms from you to the email service, fulfilling your legal obligation under HIPAA. 

What to look for in HIPAA-compliant email and web forms


When you’re researching different services, you want to find one that gives you both security and convenience. For security, look for the following:
  • An extra layer of encryption that protects data in storage
  • A separate email archive (this is important so you have a record  of all of your communications if you ever encounter an audit)
  • The option to create a security question (this is a nice extra layer of security if you have any uncertainty about the recipient of your email)
  • Two-step verification (prevents unauthorized access to your email account by using a two-stage process to authenticate your identity)
  • A signed BAA

Convenience and ease of use

Once you’ve found a service that meets your security needs, take a look at how easy it will be to incorporate it into your practice. Here are some things to look for:
  • The ability to send and receive encrypted email to and from people who use regular email. 
  • Extra features and services that will benefit your practice. Encrypted web forms that you can link to in your emails or embed on your website are extremely useful, and yes, web forms need to be encrypted too if you’re using them to collect PHI. Are templates available? How about smart forms? These are prewritten forms like the PHQ-9 (a depression screening) that provide a calculated score upon completion. 
  • E-signatures. If you expect your clients to sign your web forms, the ability to add an e-signature field is another valuable bonus. 
  • Don’t forget to consider how the service handles customer service. You definitely want to be able to reach someone who can help if you have questions. 
If you do your homework, you’ll find you can get all of these services and features in one HIPAA-compliant account, making your life much easier when it comes to your online communications. 

Steps you can take to ensure your emails are HIPAA compliant

An encrypted email service will go a long way toward meeting your HIPAA requirements, but you also need to make sure that human error doesn’t undo the security. Here are a few steps you can take each time you compose and send an email that will help prevent common mistakes that could sabotage all of your good security efforts.
  • Make sure you’re sending to the right recipient. 
  • Be careful about putting sensitive information in the subject line, which isn’t necessarily encrypted. Check with your service to find out if subjects are secure. 
  • Refrain from sending group emails. Even if you BCC recipients, someone eavesdropping could uncover the addresses. 
  • Don’t forget to encrypt. Depending on how you configure your encryption settings, it might be automatically enabled, or you might have to use a switch or password. 
  • Pause before sending. Just five seconds can be enough to remind yourself that you’re sending PHI and to handle it carefully.
Hushmail for Healthcare offers HIPAA-compliant communication tools to serve all of your communication needs that fall outside of your EHR system’s abilities. When you combine Hushmail with your EHR, all of your bases are covered.  To learn more about Hushmail and to sign up for a healthcare account, visit Hushmail for Healthcare
Post written by Anabeli Fernandez with Hushmail   Anabeli has been with Hushmail since 2014 and has over 20 years of marketing and communications experience in various industries, with a special interest in online marketing. Anabeli has a B.A. in Communications Sciences and an MBA with a specialization in marketing. Originally from Mexico, she lived in the U.K. before moving to Vancouver in 2010 and becoming a Canadian citizen. She is fluent in Spanish and English and spends her time outside of Hushmail enjoying her one-year-old daughter and the Vancouver outdoors with her family.   Hushmail  

  Start Your Free 21 Day Trial, No Credit Card Required