Guest post: beyond encrypting email

By Roy Huggins, LPC, NCC

Using secure email services like Hushmail helps you stay compliant with HIPAA, but compliance isn’t the only piece in protecting clients and their confidentiality. While HIPAA does a lot to push good security practices, it’s no replacement for good judgment and ethical decision-making.

As mental health professionals, we care deeply for our clients and their welfare. What’s more, we enjoy a significant advantage over many other healthcare fields in that we can take the time to know our clients and talk with them about important topics, e.g., making good privacy choices.

Consider the process of sending a secure email with a service like Hushmail. When you send an encrypted email to your client, there are two pieces to the sending process:

  • The notification email: This goes out to your client as an ordinary, classic email. It contains the link (usually a big blue button) that the client will click on to read your confidential message.
  • The confidential message: The other piece is your confidential message itself. This message can only be read on the Hushmail website, and readers need the link from the notification email in order to access the confidential message.

Sounds good so far. But as with any service we use in the therapy business, there remain pieces to the security puzzle that are still up to us. When any service like Hushmail sends the notification email, that notification contains:

  • The sender’s (i.e., your) email address
  • The subject line of the confidential message that you wrote

Clearly, we need to be mindful when crafting our subject lines. Make sure they don’t disclose any confidential information. This point is both a HIPAA issue and an ethical one.

Furthermore, what happens when the notification email arrives in the client’s personal inbox? In the immortal words of ethics teachers across the world, “it depends.” Consider the following issues in light of the clients to whom you may want to send secure emails:

  • Are there other people with access to the client’s email account? Will they be able to see the notification email? What will it mean if they do?
  • What kind of email service is the client using? Is it a work or school email account? If so, then bosses or school administrators are able to see and read these notifications.

The confidential message is protected, of course. But the notification email can potentially be seen by others. What to do about this issue?

Be aware of what it means for 3rd parties to see your notification emails. If your Hushmail email address is (a hyperbolic example), then even seeing the sender’s address could reveal information that is risky for some clients.

Talk to clients about how you use any communication tech with them. It doesn’t have to be a big discussion. It can simply be enough for you and the client to determine what works and what doesn’t to communicate safely in light of the client’s (and your) needs. At Person Centered Tech, we recommend that all therapists have a communications policy for clients that spells out these details at intake. A sample communications policy is available for our free newsletter subscribers.

As we think through the process of sending secured, or unsecured, emails, it’s no wonder that all of our major professional ethics codes and tech guidelines ask us to inform clients about the possibilities of disclosure to 3rd parties when we use Internet-based tech to communicate with clients.

HIPAA would conceptualize this kind of behavior as a part of your “security policies and procedures.” However you think of it, there’s no denying it’s good for clients and good for your therapeutic relationships. Talking to clients about these issues lets you learn more about them and helps you extend the safe, private space of your office into the digital realm.
