Thanks for joining us for part two of this four-part series on technology and ethics. In this article, we’re going to take a look at the use of email. Let’s face it, it’s difficult to run a private practice, work for an agency, or even do community outreach without an email account. It’s a part of our lives and it is quickly becoming essential for healthcare practice. In my previous article from September 2018, I described the term “Business Associate Agreement”, better known as a “BAA.” Whether working in an agency or in your own private practice, every vendor you use for any electronic communication must include a BAA. Why? A BAA is required by federal law and protects the privacy of your clients’ information. How so? Well, let’s take a step back.
An email provider, like AOL or Gmail, is a vendor. In addition to providing us with email services, they collect information from us to use for designing future products and marketing strategies, and they can sell that information to third parties for a lot of money. You may be asking, can they actually do this? Yes, because we sign a contract with them giving permission to do so when we become their customer, and technically “our data” includes all the data in our email messages, saved email addresses, names of contacts, etc. (therefore, email providers actually own our clients’ data too, for example if we email with clients to schedule appointments). In order to stop email providers from doing this, we have to get a signed BAA contract. Once they sign it, they are not allowed to mine, or use, the data in our email account for their own purposes or to sell it to third parties.
I frequently attend workshops and other events with colleagues and when the topic of email comes up, many social workers will say to me “Oh, but that’s ok because I don’t use email with clients.” While that may be the case, it’s important to think through different risk scenarios first, to see if you’re using email in a way that really does necessitate a BAA; even when we set boundaries around email, we cannot always control when a client emails us and what information may be contained in the email. Here are three scenarios to consider:
- Do people email you via your Psychology Today profile or from your website, wanting to schedule an appointment?
- Do you email other providers about referrals, records requests, etc.?
- Do you allow clients to email you if they need to change an appointment time or for billing purposes?
If you answered “yes” to any of these questions, then you need to make sure your email provider has provided you with a BAA and meets the other federal standards. Unfortunately, many email providers do not offer a BAA, probably because doing so means they have to take on more liability and spend more money to ensure they are complying with the terms of the BAA contract. Here are two that do:
GSuite is the business option for a Google account, which includes a Gmail account, Google Drive for cloud storage, Google Calendar, and other Google Apps. One Google App that is not covered under the BAA is Google chats, a.k.a. “Hangouts”. For this reason, you’ll want to make sure you only use the Google Apps that are covered, like Gmail, Google Drive and Google Calendar. If you choose to sign up for a GSuite account, make sure you then ask for a BAA. At the bottom of this article you’ll see helpful links for their BAA and information about GSuite. GSuite is available on any device, including iPhones and Android phones. I recommend giving Google a call to discuss questions and to ask about additional security features they can provide for free to keep your phone secure should you access your GSuite and Gmail account on your phone. When I called, they added a feature where they can wipe my phone if I call them to report it has been stolen or is missing; this service is only offered if you have a GSuite account.
Hushmail is a company based out of Canada. Along with providing email services to the general public, they also provide healthcare providers with services to encrypt their emails and forms. While it does not offer all the features that GSuite does, it adheres to the same requirements for privacy, like encryption, outlined in the U.S. federal regulations and guidelines which include HIPAA and the Privacy Rule. Hushmail is currently available on computers and on iPhones, but not on Android phones.
Regardless of which email provider you choose, you’ll want to be mindful of who you are sending emails to, as well as ensuring that the storage of your email messages, drafts, etc. meets compliance requirements. However, your responsibility doesn’t end there: we are further required to ensure that the transmission of our email to the recipient is compliant with security standards, and we need to make a good faith effort to ensure that the recipient of the email is using a secure and compliant account. This can be hard, if not impossible, to do should you choose to use email with clients for scheduling or other reasons. Ideally, we can avoid any compliance issues by using a secure patient portal to send electronic messages to clients instead of email (the client has the right to opt out of this option and use unsecured email instead), or you can adopt a no-email policy that is clearly stated in your consent and other forms.
This may seem like a lot of work, but it is easily manageable. As we mentioned in the previous article on phones and PHI, members of NASW can contact the legal team for a copy of a template technology disclaimer and a technology use policy to have clients sign. These two measures will document that clients are agreeing to opt out of using a patient portal, and instead agree to assume any risk they incur by using unsecured email or messaging (keep in mind, if you email PHI to another healthcare provider, both parties are required to have a BAA and encrypted emails for healthcare communication). When reviewing email vendors for your professional use, here are some key questions to ask:
- Do you provide a free Business Associate Agreement that you and I both sign and date? Will a copy be provided to me?
- Will I be the only person with access to my data? Does this include deleting the data?
- If I put your app on my phone, will your app share data with other apps on my phone?
- If your app does share data with other apps on my phone, is there firewall protection? How strong is the encryption?
- If my email messages are stored on my phone, how do you ensure that this data will be safe and accessible to only me in the event my phone is lost, damaged or stolen?
- To pay for email services that are HIPAA compliant, do I have the option to pay monthly versus annually? Is the cost reduced by choosing one over the other? Are there promotional codes or a referral reward program I can take advantage of to lower the cost?
- Is there a contract of service I sign with your company? If so, what penalties will I pay if I leave early?
This may seem like a lot of questions but it is important to make the most informed choice possible about compliant email use and your practice. I would love to hear from members about other options they’re using for their email needs.
Stay tuned for future articles about compliance, ethics and different forms of technology, like social media and video counseling! I use different forms of technology, including email, blogging, and texting in my own practice and have found them both useful and safe, but it took me some time to do the research. If you don’t have time to look into these things on your own, feel free to contact me for additional help and keep an eye out for my future training events. I’ve also added some links below for your reference. Roger that! Over and out….
- G Suite HIPAA Business Associate Amendment
- G Suite and Cloud Identity: HIPAA Implementation Guide
- NASW, ASWB, CSWE, & CSWA Standards for Technology
This post was originally published to the Washington State Society for Clinical Social Work, and was authored by Tiffany Chhuom.