Hey there, Jane Community.
We’ve been getting a lot of questions about HIPAA-compliant emails lately, so we thought we’d hop on here to share what we know about secure, private e-communication.
We’re going to cover a few topics, so if you’re a HIPAA expert or looking for something specific, feel free to skip ahead!
- What is HIPAA, and does it apply to me?
- Secure, private e-communication
- Sending HIPAA-compliant messages through Jane
What is HIPAA & Does It Apply To Me?
Did you know HIPAA only applies in the USA? If not, you’re far from alone! We often hear “HIPAA” being used as a catch-all for any law that protects the privacy and security of personal information.
So when someone from a country that isn’t the USA asks if something is HIPAA-compliant, we know they’re generally asking if it meets the privacy and security standards set out by their country, region, or regulatory body.
To help us all understand these laws a little better, let’s take a look at a few of them:
HIPAA - USA
HIPAA, or the Health Insurance Portability and Accountability Act, is a law that requires a set of rules to be in place to protect Protected Health Information (PHI) from being disclosed without consent or knowledge. This law is fulfilled by the Privacy Rule, which sets standards for ensuring health plans, clearinghouses, and providers protect electronic PHI, and the Security Rule, which sets standards for protecting the confidentiality, integrity, and availability of electronic PHI.
PIPEDA - Canada
PIPEDA, or the Personal Information Protection and Electronic Documents Act (we dare you to say that five times fast), sets the ground rules for how private-sector organizations collect, use, and disclose personal information across Canada. To add another layer, each province has separate laws that govern public and private-sector healthcare providers. What most of these laws boil down to, though, is obtaining a patient’s consent to collect, use, or disclose personal information in any way.
GDPR & DPA - EU & UK
GDPR, or the General Data Protection Regulation, is a framework for data protection rules with 7 main principles concerning the collection, storage, and utilization of personal information. The DPA (Data Protection Act) is the UK’s implementation of this framework. Security is one of the 7 main principles, but there are no hard and fast rules for what good security practices look like. Generally, it states that cybersecurity needs to be appropriate to the size and use of your network and information systems.
In a nutshell: While HIPAA only pertains to those in the USA, if an email service is HIPAA-compliant, it generally complies with Canadian and UK/EU privacy and security laws as well!
Secure, Private e-Communication
When you start digging into what makes HIPAA-compliant email challenging, there seem to be two main concerns:
- Messages containing Protected Health Information (PHI) must be transmitted securely.
- Messages containing PHI should be securely archived for several years (the exact number varies based on the content of the message).
There are several HIPAA-Compliant Messaging services that have been designed to address these concerns. Want some more good news? Jane already has some great solutions to these issues as well (with more on the way!).
To know what to look for in a secure messaging service, or if you’re thinking of going it alone, read on!
1. Secure Transmission
In the world of secure e-communication, the term end-to-end encryption comes up a lot. While it isn’t specifically required by HIPAA, it is the gold standard for ensuring secure transmission of e-communication, so let’s take a closer look.
Did you ever get into playing spy and sending coded messages as a kid? Surely, we can’t be the only Nancy Drew fans here. End-to-end encryption (E2EE) is kind of like that. Let’s start with a few definitions:
Encrypt: to turn a message into a secret code.
Decrypt: to take a coded message and translate it back to its original meaning.
Public Key: used to encrypt a message.
- Every message recipient will have a Public Key that is used to encrypt a message before it is sent to them.
- Anyone sending someone a message can access this Key.
Private Key: used to decrypt a message.
- Every message recipient will also have a matching Private Key, used to decrypt messages encrypted with their Public Key.
- Only the message recipient can access this Key.
With E2EE, everyone sending and receiving messages will have both a Public Key (to encrypt) and a matching Private Key (to decrypt) that work together to keep their messages secure. The important part is that the servers carrying the message in between (your email provider, for example) only ever see the coded version, because they never hold the recipient’s Private Key.
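As an added illustration (not from the original post, and not how Jane's own software is built), here is the Public Key / Private Key idea above written out in Go with the standard library's RSA-OAEP: a clinic locks a short message with the client's Public Key, and only the client's Private Key can open it; even the clinic that sent it cannot. The "clinic" and "client" parties and the sample message are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party is one side of the conversation (a clinic or a client). Each party keeps
// its own Private Key; the matching Public Key is derived from it and shared freely.
type Party struct{ priv *rsa.PrivateKey }
// NewParty generates a fresh 2048-bit RSA key pair for one participant.
func NewParty() (*Party, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

// PublicKey is the half anyone may hold: it can lock messages but never open them.
func (p *Party) PublicKey() *rsa.PublicKey { return &p.priv.PublicKey }
// Encrypt locks a message with the recipient's Public Key (RSA-OAEP, SHA-256).
// With a 2048-bit key the message must stay under 190 bytes; real E2EE tools
// lock a symmetric key this way and encrypt the full body with that key.
func Encrypt(recipient *rsa.PublicKey, message string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, []byte(message), nil)
}
// Decrypt opens a message with this party's own Private Key. Any other key,
// including the sender's or a mail server's, fails with a decryption error.
func (p *Party) Decrypt(ciphertext []byte) (string, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ciphertext, nil)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func main() {
	clinic, _ := NewParty()
	client, _ := NewParty()
	// Constructed sample message: the clinic encrypts it for the client only.
	locked, _ := Encrypt(client.PublicKey(), "Your progress report is ready to view.")
	if _, err := clinic.Decrypt(locked); err != nil {
		fmt.Println("clinic (sender) cannot open it:", err) // only the client's key works
	}
	text, _ := client.Decrypt(locked)
	fmt.Println("client reads:", text)
}
```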
2. Secure Archiving
Now, HIPAA doesn’t specifically mention email archiving either, but there are parts of the Security Rule that relate to email retention. To err on the side of caution, you should consider archiving any emails that contain PHI for a minimum of six years. Depending on the volume of messages you send, this can present a bit of a data storage issue.
People often turn to email archiving services, or choose a secure messaging service that includes archiving, to help with this. Using these services will allow you to store PHI-containing emails on a service’s secure servers, where they are indexed to allow quick retrieval.
HIPAA-Compliant Messaging Services
There are many, many secure messaging and archiving services out there. We’ve highlighted a couple that some of our customers have spoken highly of:
Hushmail: allows you to send encrypted emails to clients regardless of their email service provider, from any device. They create a separate archive account that keeps a record of all emails sent or received. They also give you the option to have clients fill out secure online intake forms by logging into a client portal. Starting price is $9.99/month.
MailHippo: allows you to log in to a client communication portal to send and receive secure messages through any email provider. You and your clients will receive email notifications when messages are received, but both have to log in to access the message. All records are encrypted and stored on the secure MailHippo platform. Starting price is $4.99/month.
Jane: surprise! We’re adding ourselves to this list because in researching some of these other services, we realized what Jane can do isn’t all that different. Plus, it’s all included in your current monthly fee and means one less username/password for you and your clients to remember! We’ll explore this more in the next section.
Curious what other practitioners are using? Jane’s community forum is a great place to ask!
Sending HIPAA-Compliant Messages Through Jane
A lot of the HIPAA-compliant messaging services we found use a secure client portal to get around those challenges we mentioned surrounding emails and HIPAA. Basically, when you use them to send your client an email, the client receives a message asking them to log in to their portal to read what you’ve said.
And we thought, hey… that sounds pretty familiar: did you know you can Share Chart Entries and Files with your clients through their My Account area in Jane?
Check out the video below to see how!
The My Account area is a secure client portal that contains your client’s history with you and your clinic, including any Documents you share with them or Intake Forms they need to fill out for you.
When you share documents with your clients, Jane will give you the option to send them an email letting them know that they should log in to their client portal to view your message.
Some ideas for how you can use Jane’s secure e-communication include providing:
- Treatment plans
- After-care instruction
- Progress reports or test results
- Personalized handouts, resources, or educational materials
- Self-assessments, worksheets, or exercises
- Doctor’s notes or notes requesting accommodation from schools or workplaces
Now, the bad news:
Jane’s communication is one-way at this point. You can send a secure message to your client, but they won’t be able to send a secure message back to you.
Before you feel too disappointed, we’re actively working on building two-way Secure Messaging into Jane!
You can add your vote to the linked feature request and we’ll send you updates on how this feature is coming along.
Are Jane’s Reminder & Notification and Financial emails HIPAA compliant?
- To read more about how we ensure your and your client’s privacy and security, you can take a peek at our Third Party Messaging Service FAQ.
- You can also find out more about sending Secure Financial Emails through Jane.
Wow. If you’ve made it all the way through this post, hats off to you! We deeply appreciate how much you value your client’s privacy, and we’re committed to working with you to maintain that through Jane.
If you’d like to chat more about any of this, feel free to give us a call or send us an email! We love hearing from you.