With all the criticism of the 2013 HIPAA Omnibus Final Rule, an overlooked positive side of the updated law was the explicit expansion of patient/client rights and autonomy.
Of great note to myself and others in professional mental health was the specification that clients have the right to consent to receive normal, unsecured emails from their providers if the provider first informs the patient/client of the risks and the patient/client still wants the email.
We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email.
US Department of Health and Human Services, 2013
As an aside: We assert that “email” is a stand-in for messaging that uses the Internet. From the perspective of transmission security standards, there is little or no real difference between email, SMS (classic texting), and any other kind of messaging that uses the Internet. Also, HHS guidance states that non-secure means besides email are acceptable so long as they don’t compromise the security of the practice organization.
The above clarification from the Omnibus is mighty confusing in light of the fact that no mention was made of this gem from HIPAA’s original Security Rule:
Standard: Transmission security.
Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
US Department of Health and Human Services, 2005
So what the heck does that mean? Well, it means that when you send stuff over the Internet (e.g. emails and texts), you need to employ technical measures for securing it. In the real world of 2016, it means you need to encrypt your emails and texts.
So how the heck do those two pieces of law not contradict each other? The Omnibus Rule is from 2013, so maybe it overrules the 2005 thing?
Not so. There is no legal opinion out there we’ve seen that indicates any retraction or overriding going on here.
These two things coexist, in our opinions, because of two magical ideas: risk management and client autonomy.
Risk Management Solves Problems
The HIPAA Security Rule requires us to take a risk management approach to the security of protected health information. It also sets out a number of standards we need to implement as part of our risk management plans (that “Transmission Security” standard is one of them).
Autonomy means that clients may make their own decisions regarding their care. HIPAA supports autonomy strongly, and we can see that support even when it comes to transmission security.
It’s not a simple matter of clients just making a decision out of the blue, however. Regardless of how we might arrive at sending unencrypted emails or texts to clients, risk management must be involved in the process.
In fact, even before the Omnibus Rule, there was some opinion that client decisions could push a clinician towards sending PHI in unencrypted emails. Here I’ll quote a well-cited article from attorney Elizabeth Johnson that is dated 2012 (before the Omnibus Rule):
For patients who simply insist on receiving email [as a means of releasing records], if that email cannot be encrypted then a health care provider may be left with two unappealing choices. Choice one is to refuse, in which case patients may rightly insist that the provider has not respected their right… Choice two is to fulfill the request, send the unencrypted email, and risk violating the HIPAA Security Rule. We think the better choice is to send the email, but only after the health care provider engages in the required feasibility analysis and documents the outcome as described above to help ensure Security Rule compliance. It’s also a good idea to advise patients of the potential risks and insecure nature of email, and then ask again if they really want the record sent in that manner.
Johnson, 2012
Johnson may have been prophetic, as you’ll notice that the Omnibus Rule’s clarification regarding client autonomy to request unencrypted communications does, indeed, require that their clinician warn them of risks before agreeing to the request.
We assert that warning clients of applicable risks and benefits allows them to make informed risk management decisions. In the security risk management world, there is a concept called “accepting risks,” and being informed is an essential part of it.
When one has evaluated all the ways that a risk can be reduced but has decided that those risk reduction measures are undesirable for some reason, one might decide to simply accept the risk as it is without implementing those measures. Accepting risks means that some potential risk management strategies were rejected — often because of cost or difficulty in implementation — and that over time, one will continue to revisit measures that can reduce the accepted risks. (Stewart, Chapple, Gibson, 2015)
In this case, we’re talking about clients rejecting the use of encryption and accepting the resulting risks.
We believe that the Omnibus Rule is asserting that we clinicians, who are charged with keeping our clients’ information secure, are responsible for ensuring that clients make informed decisions when they accept risks. We think there are corollaries to this as well, which will be discussed below.
Ethics Codes and Local Laws on Non-Secure Communication
Ethics codes also, generally speaking, support client autonomy. That doesn’t always mean they allow confidentiality risks the way HIPAA does, however. Let’s look at relevant quotes:
6.3 Confidentiality and Professional Responsibilities
It is the therapist’s or supervisor’s responsibility to choose technological platforms that adhere to standards of best practices related to confidentiality and quality of services, and that meet applicable laws.
AAMFT Code of Ethics, 2015
Counselors use current encryption standards within their websites and/or technology-based communications that meet applicable legal requirements. Counselors take reasonable precautions to ensure the confidentiality of information transmitted through any electronic means.
ACA Code of Ethics, 2014, H.2.d
Psychologists who provide telepsychology services take reasonable steps to ensure that security measures are in place to protect data and information related to their clients/patients from unintended access or disclosure.
Guidelines For the Practice of Telepsychology, 2013, Guideline 5
Social workers should take reasonable steps to protect the confidentiality of electronic communications, including information provided to clients or third parties. Social workers should use applicable safeguards (such as encryption, firewalls, and passwords) when using electronic communications such as e-mail, online posts, online chat sessions, mobile communication, and text messages.
Code of Ethics of the National Association of Social Workers, 2017, 1.07(m)
NCCs shall use encryption security for all digital technology communications of a therapeutic type. Information regarding security should be communicated to individuals who receive distance services.
NBCC Policy Regarding The Provision of Distance Professional Services, 2012, Standard 5
The ACA and NBCC codes are of particular interest, because they explicitly mention the use of encryption. Only the NBCC code seems to be outright proscribing unencrypted communications, however. All the codes and guidelines do call for the use of technical security when sending information over the Internet — just like the HIPAA Security Rule’s good ol’ Transmission Security standard!
The precise interpretation of the above citations is left to your research. We encourage you to earnestly consider, however, that sending unencrypted emails and texts to clients may not be ethical, even if you do so legally under HIPAA. Consultation on this point is a good idea.
We will say, however, that our professional ethics universally put us in the position of “the person who should know better.” And they’re more serious about it than HIPAA. HIPAA’s requirements for us to warn clients of confidentiality risks in unencrypted emails and texts are surprisingly low. Here is what they say on the point:
We do not expect covered entities to educate individuals about encryption technology and the [sic] information security. Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party.
US Department of Health and Human Services, 2013
That’s pretty clear. But we believe that the ethical standard for responsibility is well summed up in the ACA Code of Ethics here:
Counselors inform clients about the inherent limits of confidentiality when using technology. Counselors urge clients to be aware of authorized and/or unauthorized access to information disclosed using this medium in the counseling process.
ACA Code of Ethics, 2014, H.2.c emphasis mine
“Urge clients to be aware” has been identified by the committee that authored this as counseling the client to fully know what they’re getting into. That same standard would apply to working with clients who request unencrypted emails and texts. Our informal surveys of hundreds of interdisciplinary colleagues have indicated that we, as allied professionals, see that standard as the reasonable one.
If you’re reading this section and thinking, “Man! Unencrypted texts and emails are probably a no-go for me!” then read this article on making the secure stuff work for you and clients. We think it’ll help.
Local Law
As much as it would be a major bummer to get through the gauntlet of HIPAA rules and ethics codes only to discover yourself stymied by state law, it could certainly happen. Some licensing boards and other state agencies require in law that Internet transmissions to clients always use encryption.
Business Associate Agreements
Since the question arises frequently, I’ll address it here: client requests for nonsecure communications don’t impact the Business Associate Rule. You always need a Business Associate Agreement with your email provider to maintain your HIPAA compliance. More in our article on email and HIPAA compliance, and a deeper explanation is provided in Level I of our Digital Confidentiality training.
Working With Clients Around Accepting Nonsecure Communications Risks
Accepting risks means accepting possible negative consequences that haven’t been mitigated by other measures, and HIPAA asserts that clients have a right to do this. An important corollary is that therapists may not do this on behalf of clients. Nor should therapists assume that they can rely on their clients to request unencrypted emails and texts as part of their practice management strategy.
Therapists have a legal and an ethical duty to make sure clients understand Internet transmission risks before requesting those nonsecure emails and texts. To assist with this, we offer our Email and Texting Risk Questionnaire to our free newsletter subscribers. We also strongly encourage clinicians who wish to facilitate requests for unencrypted communications to first take our Level I training so they better understand the associated risks and can help clients navigate them.
We also offer our free Email and Texting Risk Questionnaire form to our (also free) newsletter subscribers. Subscribe to our newsletter here to get access to these and other useful forms.
Even when technical measures, e.g. encryption, are not employed, a basic desire to protect clients’ safety calls for other measures to be taken to the maximum extent possible. The main measure that comes to mind is agreeing that unencrypted communications will be limited to the things for which clients typically want quick, nonsecure communications anyway: scheduling and other logistical issues. Once again, our Level I training explores in depth why this is preferable and why anything further is likely to be dangerous for clients (indeed, even those topics could be dangerous for certain clients).
While clients may decide they want unencrypted emails and texts, they are unlikely to understand the clinical impacts of the decision. Ethically, we must always take the responsibility for that. So don’t forget to contemplate that one risk in nonsecure communication is a breach of the sacred space that is created in private, safe offices. More below.
Do We Need To Provide Secure Options?
We assert that clients aren’t really accepting risks of their own accord if a secure method of communication isn’t available to them and presented well, with an earnest desire for the client to use it productively.
Secure communication methods are not only very affordable (sometimes even free), but many secure texting apps are just as convenient as any other app on the same phone. And secure messaging (aka “encrypted email”) services are affordable and plentiful.
As such, if the clinician hasn’t made secure options reasonably available, it doesn’t seem quite right to assert that a client’s request for unencrypted communication is a fully informed decision.
Cost-benefit analysis must be part of the overall equation. Remember that if the request for nonsecure communications is mostly rooted in the habits of the client (or the clinician!), then the cost-benefit analysis does not make unencrypted communication look good. There needs to be a more compelling reason than that to forgo the secure options that help ensure client confidentiality.
Documenting the Client’s Request
Given the overabundance of paperwork and logistical considerations that are weighing down modern practice, our professional culture is often invested in the use of waivers to help us expedite informed consent processes and make therapy smoother. Requests for unencrypted emails and texts from the therapist are not a situation where conceptualizing the process as a waiver is likely to be legally, ethically or clinically successful, however.
If we think of these requests as an option that HIPAA leaves open to clients out of respect for their autonomy to make decisions around their own confidentiality, however, we are more likely to succeed all around.
As such, we have revised our “Consent for Nonsecure Communications” document with a new title, “Request for Nonsecure Communications.” The body of the document also reflects the new theoretical slant.
We offer our sample Request for Nonsecure Communications (e.g. email) forms to our free newsletter subscribers. Subscribe to our newsletter here to get access to these and other useful forms.
Even if the law and your ethical requirements allow the client to take on the liability risks of requesting nonsecure communications from you, there remains a really, really important question:
Should they do that?
And the vital follow up is: should you agree to their request?
To help answer that, we have written a counterpoint article to this one. We believe that no one should act on the educational information in this article until, at the very least, they’ve read our counterpoint. Read it here: Even Though They Have a Right Under HIPAA To Unencrypted Emails: A Case For Only Using Secure Email and Texting With Clients.
Conclusions
The Omnibus Rule’s clarification on unencrypted emails and texts remains the same as it was in 2013, and it certainly gives our clients flexibility in choosing how they wish to communicate with their providers.
However, the passage of time has brought better ways to do secure communications. With that have also come increasingly strict professional standards to use encryption when communicating with clients.
However, those clients who insist on requesting nonsecure methods, or who have some need for them, are still given the right to choose under HIPAA. So long as other applicable authorities agree, the risk management scenario looks favorable, and there is a real and important net benefit to complying with the request, you might decide to do so.
We must also consider ethical standards, so be sure to check your code of ethics. Even if “legal,” it is considered best practice to encrypt therapeutic information whenever possible. Just as we want our banking information encrypted, most want private health information and sensitive conversations encrypted as well…
DeeAnna
Excellent site. While I understand that the patient has the right to receive regular ‘ol email, doesn’t the provider, if they are going to respond, need to have a Business Associate Agreement with the email service provider, who likely has all emails (unencrypted) on their servers? I’m so curious to hear thoughts on this.
Janette: Yes, if you use an email provider that stores your emails on their server (that’s pretty much all of them), HIPAA compliance would call for a BA contract with them. This is because they are storing protected health information “on the cloud.”
For this reason, I’ve been referring a lot of my risk analysis consulting clients to Google Apps for Business (“paid Gmail”) and Microsoft 365. Both of those services will supply the BA contracts and strong assurances of security.
Oh, and for anyone interested in reading about using Gmail, Google Drive and Google Calendar in their practice, here’s my article on it: https://dev-personcenteredtech.com/2013/11/google-and-hipaa-compliance-gmail-drive-and-calendar-now-accessible-for-health-care-professionals/
Do we need a separate permission form on this? The reason I ask is that new clients sometimes contact me by email. I’m not doing teletherapy, just responding to their request for an appointment. Sometimes in that email to me they share a little clinical info, like, “I have anxiety.” When I reply there is a disclaimer at the bottom of the email that states that email is not secure, etc. I feel that if they reply to this by email I then have their informed consent. Does this need to be more complicated than that? My understanding from reading your previous articles (I think with the Zur Institute) is that I should be covered merely by having that statement at the bottom of my email, and that the client then has given informed consent. I’ve never sent entire records via email and don’t plan on doing that ever. I am using regular email and thought that that was also OK. Regarding that initial email to me, I also felt that there was understanding by HIPAA that the public generally understands that there is some risk with email and that they have chosen to proceed with that medium and its risk by inquiring via email.
Hi Marilee,
Well, I wouldn’t have said myself that a disclaimer in the email is sufficient. It is generally a more complex issue than that. In fact, it would be difficult to address all your questions in this comment. :)
A partial answer is that written consent from clients is quite important to prove that you followed the steps described above (keeping in mind that state laws or licensing board rules may be more restrictive than HIPAA.) We do provide sample clinical forms for Consent for Nonsecure Communication to our newsletter subscribers, along with some other useful documents. You can subscribe here: https://dev-personcenteredtech.com/get-our-articles-and-updates-by-email/
And we do cover all the questions you’re asking about it in our Digital Confidentiality webinar: https://dev-personcenteredtech.com/training/ce-program-offerings/heart-centered-hipaa-and-ethical-security-for-client-and-clinician-protection-level-i-ii/
Also, I am available for short or long consultation: https://dev-personcenteredtech.com/web-consulting-services-and-fees/consulting-for-mental-health-professionals/
Cheers,
-Roy
Thanks Roy. The free forms will be enormously helpful. What I find confusing is how I get consent to communicate by email with people who are not yet clients, as I can’t have them sign a form.
Yes, I call that the Initial Contact Problem. It’s useful to remember that you may not have a clinician-client relationship yet, and that people can send you whatever they want however they want. These facts are not really enough to cover the whole issue, however, as there are various ethical concerns involved. It’s not a simple problem to solve. :)
Where can I find the Consent for Nonsecure Communications form now that I have signed up for your newsletter? Thank you for sharing the information. Great knowledge!
Hi, Marion.
When you confirmed your subscription, you should have received a welcome email. The link to the Members’ Page is in that email.
Also, whenever a newsletter is sent out, the link to the Members’ Page is in the sidebar of the newsletter.
Thanks for subscribing! :)
-Roy
Roy,
When Omnibus states that clients have a right to health information being sent via non-secure electronic means, does this mean if a client requests this that we must provide it? What if we do not even have electronic records?
Thank you
You must provide copies of records, when requested, within 60 days. If you have electronic records, clients have a right to their copies being in an electronic format.
What do you think about applying this to video therapy so the client can choose Skype over VSee?
Donald,
With the video, it’s more about Business Associate issues, which are independent of client consent. Also, I just wouldn’t use Skype for that level of sensitive info when much better alternatives exist and are either free or reasonably priced.
This is helpful. It seems as though HIPAA has not until recently caught up with the times, and this law is a good step in the right direction. It is important to note that many of my clients who contact me via phone regularly do so through VoIP (e.g. Google Voice) or cell phone, neither of which is 100% secure. I am curious whether the California BOP imposes a more restrictive stance on email than HIPAA. If anyone knows, this information would be much appreciated.
Hello,
I am very interested in your website. There is very good information here. I am looking for the download Consent for Nonsecure Communications but do not see it on the page or anywhere else even though I subscribed to the Newsletter. Your help would be appreciated in finding this as I have one client who prefers email communication. Thank you.
John M. Haroian, Ph.D.
I found them! Thank you, these resources are great!
JMH
Hi John,
If you log in to the site, you’ll see a blue bar at the top. On that bar, click My Account. Then click My Free Downloads.
BTW, I’m glad you framed it as “I have one client who prefers email communication.” :) That’s good modeling for people reading this. It’s important to remember that clients choose to use email with us when they desire it and can know it is low enough risk for them — and not the other way around.
BTW, I hope you also use the Email and Texting Risk Questionnaire. It could be vital. Details on the how and why for that are in our Level I Digital Confidentiality course here (3 CE hours): https://dev-personcenteredtech.com/client-centered-hipaa-and-technology-live-online-learning-groups/#1
If it is legal/ethical in my state with my board, can I create a policy that states I will not email even if the client invokes his/her right to receive non-secure email communication?
Hi Dan,
Sure, but I’m not sure why it’s necessary. The article is talking about clients’ rights to make their own privacy decisions. If you don’t want to use email, you don’t have to. Unless, for some reason, it ends up being the only possible way to get to a client some information that they are entitled to by law.
Feel free to ask about this in Office Hours, too. I’m more than happy to chat with you about it.
-Roy
I’ve been researching this, and haven’t found much. What sites/apps/programs/etc. would you recommend for telemedicine that are HIPAA compliant?
Hi Taneal,
Thanks for your message. We would suggest checking out the following 2 resources: Free Online Therapy Software Compared and TeleMental Health Comparisons
Please let us know if you have any additional questions!
Cheers! Thanks!
What if your agency does not have the capability to give a copy in electronic format, just paper?
Do we get dinged for that?
Hi Theresa,
I’m not really sure what you’re asking. I can’t imagine why you would be dinged in any way for giving any type of forms or information on paper.
Meaning, if our facility was not able to give a patient their PHI in an electronic format, we could only provide it in paper format.
I’m not sure why that would be a problem. This article is about the right of clients to request that electronic communications be done via nonsecure means. It doesn’t mean electronic communications are required.
I’ve updated my consent paperwork to reflect the new California opt-in rule for electronic communication. Feel free to check it out if you are crafting yours.
Howdy,
Where would we see it? And thanks for sharing!
-Roy
Happy to have found this discussion – can anyone tell me if I have encrypted email but am sending an email to a client via that and THEIR email is not encrypted, then is the whole thing encrypted? As in, when they reply to mine? Do you know what I am asking about? I cannot find the answer to this though I have tried and tried. Thanks for any thoughts on this!
For a little more info on this question, I have a specific client email (actually it is this email address that I am using here) hosted by BlueHost and have a BAA with them. But I don’t have anything (that I am aware of) that tells me to tell clients what to do in order to send back an email that is also secure (if that makes sense)…so as I am reading about this I am feeling like there is something I am missing here? I don’t do forms or anything else over email and don’t have forms on my website – so I have been wondering about this for some time now. Thanks again!
Great question, Kirsten. That’s something Roy could address in a short individual consultation. If you would like to schedule that, please take the following steps:
1. Purchase time here: https://dev-personcenteredtech.com/product/1-1-consultation/
2. Email me at [email protected] with several of your preferred dates and times of availability (including timezone) and I’ll get your consultation with Roy scheduled as soon as possible!
You may also find this article of interest: https://dev-personcenteredtech.com/2017/02/21/is-conventional-email-getting-hipaa-secure-almost/
If you have additional therapy tech and HIPAA questions, I offer a free 10-minute consultation to see how Person Centered Tech can help you with those needs and point you to our resources that address your specific questions and considerations. Please email me at [email protected] if you would like to schedule that.