
To be or not to be HIPAA compliant

Ninety percent of U.S. adults use email, which makes plain email one of the most powerful messaging tools available to mental health therapists today. But what about HIPAA compliance and avoiding violations? "Ay, there's the rub!" HIPAA does not allow providers to send email containing PHI unless the message is encrypted and secured as the regulations require.

So, how can you automate personalized, HIPAA compliant email without extra work? Is there a way? To be or not to be HIPAA compliant, that is the question!


Demystifying PHI for therapists

Paubox makes it easy for mental health professionals to contact patients with personalized messages with just a button click. Read on to once and for all demystify PHI and HIPAA compliance rules so you avoid costly fines.  Learn how easy it is to send emails to your patients. It's so easy that you could be up and running today.


What is PHI exactly? 

PHI (protected health information) is individually identifiable health information that relates to:

  • An individual's past, present or future physical or mental health or condition
  • The provision of healthcare to the individual, or
  • The past, present, or future payment for the provision of healthcare to the individual
  • PHI isn’t just related to medical records or individually identifiable health markers, but can be anything that can identify a patient and is used during the course of his or her care.
  • Not all data and information that is recorded is considered PHI. Remember the two conditions to consider:
    • Data needs to be personally identifiable to the patient
    • Data must be used by or disclosed to a covered entity during the course of care


What happens if I send an email with PHI?

Any email that contains PHI must be HIPAA compliant, which means it must be encrypted and secure. PHI can be tricky because an email that seems benign, one you feel is helping your patient, can land you in hot water with costly fines. For example, a follow-up email with articles to read can identify the recipient as someone seeking treatment for that condition. So encrypt every email rather than trying to judge, message by message, which ones contain PHI.


How can I tell what information is PHI? 

In a nutshell, PHI is any characteristic that can uniquely identify an individual in the course of their care. HHS lists 18 identifiers (the Safe Harbor list) that make health information individually identifiable, so it is important to know them all. In addition, watch out for segmenting your email marketing lists by condition, because membership in such a list is itself an identifier.


What are the 18 unique identifiers of PHI? 

  1. Name 
  2. Social Security Number
  3. Vehicle identifiers and serial numbers, including license plate numbers
  4. Address (any geographic subdivision smaller than a state: street, city, county, ZIP code)
  5. Medical record number
  6. Device identifiers and serial numbers
  7. Email address
  8. Health plan beneficiary number
  9. Web URL
  10. Telephone number
  11. Account number
  12. IP address
  13. Fax number
  14. Certificate/license number
  15. Biometric identifiers, including finger and voice prints
  16. Full-face photographs and comparable images
  17. All elements of dates (except year) directly related to an individual: birth, admission, discharge, death, and ages over 89
  18. Any other unique identifying number, characteristic, or code

Can being a member of an email marketing list be considered a unique identifier?

Because a segmented list can indicate that the recipients have the condition discussed in the email, the answer is yes! A segmented list falls under "Any other unique identifying number, characteristic, or code." Imagine helping patients improve their health through better treatment compliance by sending email newsletters with advice, treatment options, and encouragement for their specific condition. The only ways to do this without violating HIPAA are:
  1. Send a generic message to your entire practice, so a group with a specific condition is not recognizable, or
  2. Use a HIPAA compliant email solution, like Paubox Email Suite, that ensures segmented newsletters are HIPAA compliant and secure
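The identifier list and the segmented-list caveat above can be turned into a pre-send check. What follows is an added example, not Paubox's code: a heuristic scanner for the identifiers that have a recognizable textual shape (SSN, phone/fax, email, dates, IP, URL, MRN-style numbers), plus a flag for lists segmented by condition. The sample messages and the `MRN:` label are constructed. Names, addresses, photos and the remaining identifiers cannot be caught by a regex, so a clean result is a safety net, not proof that a message is free of PHI.

```python
"""Heuristic pre-send scan of an outbound message for HIPAA Safe Harbor identifiers.

Added example (not Paubox code). Only identifiers with a recognizable textual
shape are covered; a clean result does NOT prove a message is free of PHI.
"""
import re
from dataclasses import dataclass

# Patterns for identifiers that can be spotted by shape. Digit lookarounds
# instead of \b on the numeric ones so "(555) 010-2233" is captured whole.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "phone_or_fax": re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "ipv4": re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE),  # assumed local MRN label
}


@dataclass(frozen=True)
class Finding:
    kind: str       # key from IDENTIFIER_PATTERNS
    value: str      # the matched text
    location: str   # "subject" or "body"


def scan_message(subject: str, body: str) -> list[Finding]:
    """Return every identifier-shaped match found in the subject and body."""
    findings: list[Finding] = []
    for location, text in (("subject", subject), ("body", body)):
        for kind, pattern in IDENTIFIER_PATTERNS.items():
            findings.extend(Finding(kind, m.group(0), location) for m in pattern.finditer(text))
    return findings


def needs_hipaa_channel(subject: str, body: str, segmented_by_condition: bool = False) -> bool:
    """True if the message must go out over the HIPAA compliant (encrypted) path.

    A recipient list segmented by diagnosis or condition counts as PHI on its
    own, even when the text is generic, because membership reveals the condition.
    """
    return segmented_by_condition or bool(scan_message(subject, body))


# Constructed sample messages (not real patients).
SAMPLE_MESSAGES = {
    "appointment_reminder": (
        "Reminder: your appointment",
        "Hi Jordan, see you on 03/14/2024 at 2pm. Call (555) 010-2233 to reschedule. MRN: 0048213",
    ),
    "generic_newsletter": (
        "Practice news for spring",
        "Our office hours are changing next month. Reply to this message with any questions.",
    ),
}


if __name__ == "__main__":
    for name, (subject, body) in SAMPLE_MESSAGES.items():
        hits = scan_message(subject, body)
        print(f"{name}: {[(f.kind, f.value) for f in hits]}")
        print(f"  needs HIPAA channel: {needs_hipaa_channel(subject, body)}")
```

Run it as a gate in whatever script assembles your mailings: anything flagged (or any send to a condition-segmented list) goes through the HIPAA compliant path, and the generic newsletter is the only case the check lets through unflagged.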

Seven steps for therapists to send PHI in patient emails

  1. Use a HIPAA compliant email platform, such as Paubox Email Suite
  2. Send a warm-up email to confirm recipients' email addresses before you send any PHI
    1. Before sending any email that includes PHI, send everyone on your list a message asking them to confirm their identity. This is also the perfect moment to ask them to opt in.
  3. Have patients opt in to emails per the CAN-SPAM Act. If you are selling or letting another agency use your patient database, you must conform to the HHS marketing regulations, which can be found here.
  4. Use a "send from" address that an actual human monitors
  5. Include an unsubscribe button
  6. Include your physical address
  7. Include a footer that states the email is secured and HITRUST CSF certified

What do therapists need in a HIPAA compliant email provider?

When choosing secure, HIPAA compliant email software, there are three key capabilities you need: 


Emails and contacts need to be secured when stored (at rest) and when they are sent (in transit) to your patient

✅ Encryption at rest Paubox encryption at rest meets HIPAA guidelines, and it also generates a unique volume encryption key for each Paubox disk volume. 

✅ Encryption in transit One hundred percent of your emails are secured in transit to your recipient's inbox. As a result, it's a seamless and stress-free experience. Unlike other providers, Paubox makes HIPAA compliant emails behave like regular emails for both senders and recipients.
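Paubox handles transport encryption for you. If you also send from your own scripts (appointment exports, billing runs), the check a practitioner wants is that the session fails closed instead of silently falling back to cleartext. The following is an added example, not Paubox code: the submission host, port and credentials are placeholders, and the message is constructed. Two details matter: Python's `smtplib.starttls()` does not verify the server certificate unless you pass an explicit context, and with opportunistic TLS an attacker who strips the STARTTLS advertisement in transit would otherwise see the message go out in the clear.

```python
"""Fail-closed SMTP submission for messages that may contain PHI.

Added example (not Paubox code). Host, port and credentials are placeholders.
"""
import smtplib
import ssl
from email.message import EmailMessage
from typing import Optional

SMTP_HOST = "smtp.example.com"   # assumption: your practice's submission server
SMTP_PORT = 587                  # submission port; STARTTLS is negotiated after EHLO


class TransportNotSecure(RuntimeError):
    """Raised instead of sending when a verified TLS session cannot be established."""


def strict_tls_context() -> ssl.SSLContext:
    """Chain and hostname verification, TLS 1.2 or newer only.

    smtplib.SMTP.starttls() without a context uses ssl._create_stdlib_context(),
    which does not verify the server certificate, so always pass this one.
    """
    ctx = ssl.create_default_context()           # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_policy(ctx: Optional[ssl.SSLContext] = None) -> dict:
    """Summarize what a context enforces, so the policy can be checked in tests."""
    ctx = ctx or strict_tls_context()
    return {
        "hostname_checked": ctx.check_hostname,
        "cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "min_version": ctx.minimum_version.name,
    }


def build_message(sender: str, recipient: str, subject: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    return msg


def send_fail_closed(msg: EmailMessage, username: str, password: str,
                     host: str = SMTP_HOST, port: int = SMTP_PORT) -> str:
    """Send msg only over a verified TLS session; return the negotiated protocol.

    Raises instead of sending if the server does not advertise STARTTLS, which
    is also what a downgrade attack that strips the advertisement looks like.
    """
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise TransportNotSecure(f"{host}:{port} did not offer STARTTLS; not sending PHI in cleartext")
        smtp.starttls(context=strict_tls_context())  # raises ssl.SSLError on a bad certificate
        smtp.ehlo()                                  # re-EHLO after TLS, per RFC 3207
        negotiated = smtp.sock.version() or "unknown"
        smtp.login(username, password)
        smtp.send_message(msg)
        return negotiated


if __name__ == "__main__":
    # Constructed message; credentials are placeholders.
    message = build_message("therapist@example.com", "patient@example.net",
                            "Appointment reminder", "See you Thursday at 2pm.")
    try:
        print("sent over", send_fail_closed(message, "therapist@example.com", "app-password"))
    except (TransportNotSecure, ssl.SSLError, OSError) as exc:
        print("not sent:", exc)
```

The design choice is simple: every failure path (no STARTTLS, untrusted certificate, hostname mismatch, TLS below 1.2) ends in an exception before any message data leaves the machine, so a misconfigured or intercepted server cannot quietly turn a PHI email into a cleartext one.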


A signed business associate agreement

✅ A BAA Paubox's sole focus is serving the HIPAA compliant email market. Just as we eliminated the extra steps from reading secure, HIPAA compliant email, our BAA is easy to access and review. You can review our BAA here. Paubox will sign a BAA for every client. 


A seamless user experience or your email will not be opened

✅ Seamless user experience for a high open rate
  • No user error - Patented technology encrypts every outbound email so that it is HIPAA compliant whether it contains ePHI or not. That eliminates the possibility of user error when sending emails with PHI.
  • No extra steps - Your team and your patients easily send and receive emails without extra steps, clicks, or log-ins to ensure HIPAA compliance.


Paubox checks all the boxes for HIPAA compliant email.


Paubox Email Suite, a HITRUST CSF certified product, will:

  • Ensure your emails are HIPAA compliant, which will eliminate concerns about user error
  • Provide the highest level of military-grade encryption, so your emails are safely encrypted 
  • Allow you to include PHI in your emails, so you can make them as personalized as you wish
  • Allow patients to read your emails directly from their inboxes with no extra steps, so it is incredibly easy for them
  • Paubox provides the required BAA needed for HIPAA compliant email
  • It's EASY. Installation takes minutes and runs friction-free with Microsoft and Gmail
  • You and your patients don't need to learn new behaviors or remember extra passcodes


With Paubox, the question is answered. It is HIPAA compliant. 


Try Paubox Email Suite Plus for FREE today.

HITRUST CSF certified 4.9/5.0 on the G2 Grid Paubox secures 70 million HIPAA compliant emails every month.
