Implementing secure email in your therapy practice with tools
Gugu Ntsele December 11, 2025
Research by Akilnath Bodipudi in the Journal of Scientific and Engineering Research notes the vulnerability in healthcare communications by stating that, "Healthcare organizations handle vast amounts of sensitive patient data, including personal information, medical records, and financial details. Email security is crucial to ensure this data is protected from unauthorized access and breaches."
Keeping in mind these security challenges, selecting appropriate technology solutions and establishing protective measures isn't just recommended, it's needed for every healthcare practice that communicates with patients electronically.
Choosing the right tools
Standard email services aren’t immediately HIPAA compliant, even if they offer some security features. To send patient information securely, you have several options:
- HIPAA compliant email services: Specialized providers like Paubox offer email services designed for healthcare. Paubox encrypts messages automatically, maintains proper security standards, and provides the necessary BAAs. It also integrates with your existing email, making the transition smooth for both you and your patients.
- Secure file sharing with email notification: Services like Dropbox Business, Box, or Microsoft OneDrive for Business can be configured for HIPAA compliance when used with the proper agreements and settings. You can upload sensitive documents to a secure shared folder and send patients an email notification with access instructions, rather than attaching the files directly.
Data loss prevention
The research from the Journal of Scientific and Engineering Research highlights that "DLP systems scan emails and attachments for sensitive information based on predefined policies and rules. This helps in identifying and blocking potential data leaks."
Bodipudi's study demonstrates that "when integrated, DLP and email encryption provide a robust defense against email-related security threats. DLP can identify sensitive data within emails and trigger encryption automatically, ensuring that all critical information is protected."
This integration means that even if a staff member accidentally attempts to send unencrypted patient information, the system can automatically detect the sensitive content and either encrypt it or block the transmission until proper security measures are applied.
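The policy-driven scan described above can be illustrated with a small rule engine. The following is an added example, not code from Paubox or from the Bodipudi paper: it defines a few predefined content rules (the patterns, rule names and the "encrypt"/"block" actions are constructed for illustration), scans the subject, body and extracted attachment text of an outgoing message, and returns the most severe action any rule triggered so the mail gateway can encrypt automatically or hold the message for review.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# A DLP "policy": each rule names the sensitive-content class it detects and
# the action the gateway should take when it fires. Rules and patterns are
# illustrative assumptions, not a production policy.
@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    action: str  # "encrypt" (send, but force encryption) or "block" (hold for review)

RULES: List[Rule] = [
    # Identifiers that should never leave in an ordinary email: hold the message.
    Rule("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "block"),
    Rule("payment_card", re.compile(r"\b(?:\d[ -]?){13,16}\b"), "block"),
    # Clinical content: deliverable, but only through the encrypted channel.
    Rule("mrn", re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE), "encrypt"),
    Rule("dob", re.compile(r"\b(?:DOB|date of birth)[:\s]+\d{1,2}/\d{1,2}/\d{2,4}\b",
                           re.IGNORECASE), "encrypt"),
    Rule("clinical_term", re.compile(
        r"\b(?:diagnos(?:is|ed)|prescri(?:bed|ption)|treatment plan|medication)\b",
        re.IGNORECASE), "encrypt"),
]

# Ordering used to pick the most restrictive action among all matched rules.
SEVERITY = {"allow": 0, "encrypt": 1, "block": 2}

@dataclass
class Verdict:
    action: str
    matched_rules: List[str] = field(default_factory=list)

def scan_text(text: str) -> List[Rule]:
    """Return every rule whose pattern appears in the given text."""
    return [rule for rule in RULES if rule.pattern.search(text)]

def evaluate_message(subject: str, body: str, attachments: Dict[str, str],
                     already_encrypted: bool = False) -> Verdict:
    """Decide what the gateway should do with an outgoing message.

    attachments maps a filename to its already-extracted text content
    (a real deployment would run a PDF/DOCX extractor first).
    """
    hits = scan_text(subject + "\n" + body)
    for content in attachments.values():
        hits.extend(scan_text(content))
    if not hits:
        return Verdict("allow")
    action = max((rule.action for rule in hits), key=SEVERITY.__getitem__)
    # Clinical content on a channel that is already encrypted needs no extra step;
    # "block" rules still hold the message so a human can confirm the recipient.
    if action == "encrypt" and already_encrypted:
        action = "allow"
    return Verdict(action, sorted({rule.name for rule in hits}))

def audit_record(sender: str, recipient: str, verdict: Verdict) -> Dict[str, object]:
    """Build the audit-log entry a DLP gateway would retain for each decision."""
    return {"sender": sender, "recipient": recipient,
            "action": verdict.action, "rules": verdict.matched_rules}

if __name__ == "__main__":
    # Constructed sample messages, not real patient data.
    samples = [
        ("Reminder", "See you Tuesday at 3pm.", {}),
        ("Update", "Your treatment plan: prescribed sertraline 50 mg", {}),
        ("Intake", "Intake form attached", {"intake.txt": "SSN: 123-45-6789, DOB: 04/12/1988"}),
    ]
    for subject, body, atts in samples:
        verdict = evaluate_message(subject, body, atts)
        print(audit_record("clinician@practice.example", "patient@mail.example", verdict))
```

The three constructed samples exercise the three outcomes: a plain appointment reminder passes, a message mentioning a treatment plan is forced through encryption, and an attachment carrying a Social Security number is held. Rule matching is deliberately separate from the action decision so that a practice can tune patterns (for example adding its own record-number format) without touching the gateway logic.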
Emerging technology risks
As reported by Reuters, the Office for Civil Rights has placed focus on the potential for unauthorized use or disclosure of PHI through emerging technologies. While HHS has not yet released AI-specific HIPAA requirements, organizations must be aware that AI can increase the risk of disclosure due to its ability to process and potentially infer PHI from various non-sensitive data points, including reidentification of deidentified data.
This means that data processed through AI tools or tracking technologies could potentially expose patient information. Healthcare providers must evaluate how PHI is being used and accessed by third-party AI tools and ensure that technologies don't gain unauthorized access to protected information.
Securely sharing treatment plans
Treatment plans often contain diagnostic information, medication lists, and therapeutic strategies. When sharing these documents, use your secure email service.
Consider breaking up information when appropriate. While the full treatment plan should be transmitted securely, you might send appointment reminders or general wellness tips through less sensitive channels.
Document sharing rather than information pasting can be more secure. Instead of writing treatment details in an email body, attach a PDF through your secure system. This approach gives you better control over the information and creates clearer audit trails.
Managing follow-up communications
Follow-up emails require the same security considerations as initial communications. Whether you're checking on a patient's progress, sending appointment reminders, or providing additional resources, any communication that references their care or personal health information must be protected.
When following up on specific treatment concerns or patient questions, always respond through your secure system, even if the patient contacted you through an unsecured channel.
Proper disposal of PHI in emails
Healthcare attorneys James B. Riley, Kimberly J. Kannensohn, and Paige Dowdakin from McGuireWoods note that HIPAA compliance doesn't end when providers hit the "send" button. Emails containing PHI that remain stored on computers, mobile devices, or that have been printed continue to present risks for unauthorized re-disclosure. While HIPAA regulations don't mandate one specific disposal method, the attorneys strongly advise that practices must adopt clear policies for PHI destruction and train all workforce members on these procedures.
The McGuireWoods attorneys recommend that disposal policies account for several factors: whether the PHI exists in electronic or printed form, whether it contains particularly sensitive information like social security numbers or financial details, and the type and volume of PHI involved.
For electronic PHI, the attorneys note that devices such as CDs, DVDs, flash drives, and mobile phones should be cleared of all patient information before being recycled or reused. This can be accomplished through software that overwrites data with non-sensitive information, through degaussing (exposing media to strong magnetic fields), or through physical destruction of the storage media.
For printed emails containing PHI, Riley and colleagues stress that these documents should never be placed in standard dumpsters or recycling bins accessible to the public or unauthorized individuals. Appropriate disposal methods include shredding, burning, or otherwise rendering the information completely unreadable and impossible to reconstruct. If providers use third-party vendors for PHI destruction, they must keep all materials in secure, locked storage areas until the destruction occurs.
Considerations for text messaging
The McGuireWoods attorneys address text messaging as well, noting that while HIPAA doesn't prohibit texting PHI, they recommend that practices allowing text communication with patients should utilize encryption technology specifically designed for secure messaging. If such technology isn't available, providers should consider alternative communication methods. As with email, if patients insist on receiving PHI via text message and the practice permits it, providers must obtain written consent and implement the same safeguards used for email communications. The attorneys also note that even appointment reminders sent via text may constitute PHI and should be handled accordingly.
Training your team
As the Reuters article notes, the Office for Civil Rights continues to state that organizations must implement training to educate staff on new and emerging security threats.
According to the Journal of Scientific and Engineering Research paper, "The success of DLP and encryption initiatives heavily relies on the acceptance and correct usage by healthcare staff. Comprehensive training programs are essential to help users understand the importance of these security measures."
According to Data privacy in healthcare: Global challenges and solutions, healthcare information systems staff must be thoroughly trained on data privacy and security importance. They should understand the risks associated with data breaches and be educated on prevention strategies.
The future of email security in healthcare
Bodipudi notes that "AI algorithms can analyze large volumes of email data to detect patterns indicative of phishing, spam, and other malicious activities. Machine learning models can be trained on historical data to recognize and flag suspicious emails."
These systems can provide real-time threat detection, automatically identifying and blocking suspicious emails before they reach healthcare providers' inboxes.
The Reuters article concludes that covered entities and business associates can stay ahead of the curve by taking proactive compliance and risk-mitigation measures, including rigorous security risk analyses, evaluation of technical controls, staff training, and review of policies and procedures for effectiveness and consistency with ever-changing legal requirements.
FAQs
Do I need a business associate agreement (BAA) with any email security vendor I use?
Yes, HIPAA requires a BAA with any third-party service that handles PHI on your behalf.
Can I use Gmail or Outlook without additional security configurations?
Not safely, because standard email accounts alone do not meet HIPAA’s encryption and access-control requirements.
Are email audit logs required by HIPAA?
Yes, HIPAA requires audit controls that track activity involving PHI, including email access and transmission.
Is it acceptable to email PHI to patients who request it through unsecured channels?
Yes, but only if the patient gives informed written consent acknowledging the risks.