Published on October 26, 2017
By Roy Huggins, LPC, NCC
Using secure email services like Hushmail helps you stay compliant with HIPAA, but compliance isn’t the only piece in protecting clients and their confidentiality. While HIPAA does a lot to push good security practices, it’s no replacement for good judgment and ethical decision-making.
As mental health professionals, we care deeply for our clients and their welfare. What’s more, we enjoy a significant advantage over many other healthcare fields in that we can take the time to know our clients and talk with them about important topics, e.g., making good privacy choices.
Consider the process of sending a secure email with a service like Hushmail. When you send an encrypted email to your client, there are two pieces to the sending process:
Sounds good so far. But as with any service we use in the therapy business, there remain pieces to the security puzzle that are still up to us. When any service like Hushmail sends the notification email, that notification contains:
Clearly, we need to be mindful when crafting our subject lines. Make sure they don’t disclose any confidential information. This point is both a HIPAA issue and an ethical one.
Furthermore, what happens when the notification email arrives in the client’s personal inbox? In the immortal words of ethics teachers across the world, “it depends.” Consider the following issues in light of the clients to whom you may want to send secure emails:
The confidential message is protected, of course. But the notification email can potentially be seen by others. What to do about this issue?
Be aware of what it means for 3rd parties to see your notification emails. If your Hushmail email address is email@example.com (a hyperbolic example), then even seeing the sender’s address could reveal information that is risky for some clients.
Talk to clients about how you use any communication tech with them. It doesn’t have to be a big discussion. It can simply be enough for you and the client to determine what works and what doesn’t to communicate safely in light of the client’s (and your) needs. At Person Centered Tech, we recommend that all therapists have a communications policy for clients that spells out these details at intake. A sample communications policy is available for our free newsletter subscribers.
As we think through the process of sending secured, or unsecured, emails, it’s no wonder that all of our major professional ethics codes and tech guidelines ask us to inform clients about the possibilities of disclosure to 3rd parties when we use Internet-based tech to communicate with clients.
HIPAA would conceptualize this kind of behavior as a part of your “security policies and procedures.” However you think of it, there’s no denying it’s good for clients and good for your therapeutic relationships. Talking to clients about these issues lets you learn more about them and helps you extend the safe, private space of your office into the digital realm.