I’ve never been a phone call person.
I rarely have my phone close enough to hear it ring, and even when I do, I’ve forgotten to turn the ringer back on after teaching a class.
When I first started practicing, I was super excited to use email as my primary form of communication with clients.
- Schedule appointments via email? Check.
- Answer quick questions electronically? Yep.
- Send follow-up recommendations & appointment reminders? Yessiree.
And it worked SO WELL.
My blissful ignorance lasted until a year or two ago, when I discovered that email is not generally considered a secure way to transmit personally-identifying information relevant to someone’s health.
Um, what?
Yes, you read that right.
When you email a client via Gmail, Yahoo!, etc. you’re potentially exposing their private health information.
Well, crap. <– my first thought.
Before we talk about what you should do, let’s define what information shouldn’t be transmitted electronically without special precautions. The short answer is that any individually identifiable health information is considered private and should only be transmitted securely.
So what is individually identifiable health information?
Ready for some fun legalese?
According to HIPAA.com, the following definition is found in Section 1171 of Part C of Subtitle F of Public Law 104-191 (August 21, 1996): Health Insurance Portability and Accountability Act of 1996: Administrative Simplification.
(Yep, apparently this is the simplified version.)
“Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:
(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.”
No, really, what is personal health information?
Essentially anything that could personally identify someone and that also relates to their health is protected and shouldn’t be transmitted or stored electronically without proper precautions.
Specifically the following information is included:
- Names
- Any geographical information smaller than state (e.g. city, county, street address, zip code, etc.)
- Any kind of date (e.g. birth date, date of admission, date of appointment, etc.)
- Phone & fax numbers
- Email addresses
- Social security numbers
- Account numbers
- Certificate or license numbers
- IP addresses
- Full face photography or comparable images
- And basically anything similar
And, of course, anything relating to the client’s health or healthcare.
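The two halves of that definition (something that identifies the person, plus something about their health or care) can be turned into a pre-send check on a draft email. The following is an added example, not the author’s code or any vendor’s product; the regexes, the health-term list and the two sample drafts are all constructed for illustration and cover only some of the categories listed above.

```python
import re
from dataclasses import dataclass, field

# Regexes for some of the identifier categories listed above. Constructed for
# this example and deliberately simple: they over-match (any 5-digit number
# looks like a ZIP code) because a pre-send check should err toward flagging.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\(\d{3}\)\s*|\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "date": re.compile(
        r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}"
        r"|(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\.?\s+\d{1,2}(?:,\s*\d{4})?)\b",
        re.IGNORECASE,
    ),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Words signalling that the message relates to someone's health or care
# (the second half of the definition). Also constructed and non-exhaustive.
HEALTH_TERMS = (
    "appointment", "intake", "symptom", "diagnos", "medication", "prescription",
    "blood pressure", "allerg", "treatment", "health history", "lab result",
)


@dataclass
class ScreenResult:
    identifiers: dict = field(default_factory=dict)  # category -> matched strings
    health_terms: list = field(default_factory=list)
    send_securely: bool = False


def screen_email(to: str, subject: str, body: str) -> ScreenResult:
    """Decide whether a draft email needs a secure channel.

    The recipient address is screened too: an email address is itself on the
    identifier list, so almost any message that also touches on health or
    appointments qualifies.
    """
    text = "\n".join((to, subject, body))
    result = ScreenResult()
    for category, pattern in IDENTIFIER_PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            result.identifiers[category] = hits
    lowered = text.lower()
    result.health_terms = [t for t in HEALTH_TERMS if t in lowered]
    # Both halves must hold: something identifying AND something about the
    # person's health or care.
    result.send_securely = bool(result.identifiers) and bool(result.health_terms)
    return result


# Constructed sample drafts (no real clients).
BENIGN_DRAFT = (
    "client@example.com",
    "Last night's game",
    "Did you catch the game last night? What a finish.",
)
PHI_DRAFT = (
    "client@example.com",
    "Tomorrow",
    "Hi Maria, confirming your appointment on 10/14/2024 at 3pm. "
    "Please bring your intake form and your recent blood pressure readings.",
)

if __name__ == "__main__":
    for draft in (BENIGN_DRAFT, PHI_DRAFT):
        r = screen_email(*draft)
        print(r.send_securely, sorted(r.identifiers), r.health_terms)
```

Run as a script it prints a line per draft; the ball-game message passes (only the recipient address is identifying, and nothing about health appears) while the appointment confirmation is flagged because it carries an address and a date alongside appointment and health content. A check like this belongs in front of the ordinary email client, not in place of the secure platforms discussed below; it only catches what its patterns and word list describe.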
It’s kind of hard to send an email without including someone’s name and email address. So unless you happen to be emailing your client about last night’s ball game & include NOTHING AT ALL ABOUT THEIR HEALTH OR ANY APPOINTMENTS, PAST OR FUTURE, you should probably figure out a different plan.
What should you do instead?
Two options.
- Go old-fashioned. Get a horse, get a leather messenger bag and combine exercise, fresh air and message delivery. Okay, kidding. Use the phone and take notes (which are stored securely).
- Use a secure email platform. There are several options, some free and some paid. You can search for “HIPAA compliant email” to get a feel for what’s out there.
FAQ
What HIPAA compliant services do you recommend?
I use SendInc, which I’ve mentioned before. They offer free and paid accounts that you can use to email clients securely. The catch is that clients must read your message within 7 days; the message self-destructs after that time.
If I had decided to ramp up my clinical practice to more than a teeny-tiny part-time one, I would probably choose to pay the monthly fee and use CounSol for HIPAA compliant video conferencing, messaging, etc. It’s a platform for therapists; however, they are willing to work with other practitioners.
Of course, there are numerous other options out there. If you’ve used one that you like & recommend, please comment below or send me a message.
Does this apply to me?
All of this HIPAA stuff likely applies more to licensed practitioners than to unlicensed/unregulated ones (e.g. herbalists). Officially, HIPAA applies to “covered entities,” which include anyone who provides health care services and transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard.
You can find out if you are officially a covered entity here.
Even if you’re not covered, I think it’s worthwhile to consider some of these issues with your clients as well. After all, the purpose of these guidelines is to ensure that client data doesn’t get into the wrong hands.
It all boils down to whether you are acting as a healthcare provider. In my opinion it’s difficult to argue that you are not providing healthcare when you’re taking a medical/health history, etc. In that light, and in an effort to provide the best care to your clients, it seems better to be safe than sorry.
What should I do if a client emails me and includes PHI?
Clearly, you can’t control the content of emails that are sent to you. I usually reply via secure email when someone emails me with PHI. You can also ask the client to email you using SendInc or a similar service. For example, if the client schedules a last-minute appointment and needs to get an intake form to you the night before the appointment, she could use SendInc to send it. You can also alert the client that she can use Gmail or similar, but that if she does, there is no guarantee that the contents of the email are secure.