Jane's Blog Tips, News, and Thoughts from the Jane Team

HIPAA-Compliant Emails

November 17, 2021

Hey there, Jane Community. 👋

We’ve been getting a lot of questions about HIPAA-compliant emails lately, so we thought we’d hop on here to share what we know about secure, private e-communication.

We’re going to cover a few topics, so if you’re a HIPAA expert or looking for something specific, feel free to skip ahead!

What is HIPAA & Does It Apply To Me?

Did you know HIPAA is only used in the USA? 🤯 If not, you’re far from alone! We often hear ‘HIPAA’ being used as a catch-all for any law that protects the privacy and security of personal information.

So when someone from a country that isn’t the USA asks if something is HIPAA-compliant, we know they’re generally asking if it meets the privacy and security standards set out by their country, region, or regulatory body. 

To help us all understand these laws a little better, let’s take a look at a few of them:


🇨🇦 PIPEDA- Canada

🇪🇺 GDPR 🇬🇧 DPA - EU & UK


HIPPAor the Health Insurance Portability and Accountability Act, is a law that requires a set of rules to be in place to protect Patient Health Information (PHI) from being disclosed without consent or knowledge. This law is fulfilled by the Privacy Rule, which are standards for ensuring health plans, clearinghouses, and providers are protecting electronic PHI and the Security Rule, standards for protecting the confidentiality, integrity, and availability of electronic PHI.

🇨🇦 PIPEDA- Canada

PIPEDA, or the Personal Information Protection and Electronic Documents Act (we dare you to say that five times fast), sets the ground rules for how private-sector organizations collect, use, and disclose personal information across Canada. To add another layer, each province has separate laws that govern public and private-sector healthcare providers. What most of these laws boil down to, though, is obtaining a patient’s consent to collect, use, or disclose personal information in any way.

🇪🇺 GDPR 🇬🇧 DPA- EU & UK

GDPRor the General Data Protection Regulation, is a framework for data protection rules with 7 main principles concerning the collection, storage, and utilization of personal information. The DPA (Data Protection Act), is the UK’s implementation of this framework. Security is one of the 7 main principles, but there are no hard and fast rules for what good security practices look like. Generally, it states that cybersecurity needs to be appropriate to the size and use of your network and information systems.

🥜 In a nutshell: While HIPAA only pertains to those in the USA, if an email service is HIPAA-compliant, it generally complies with Canadian and UK/EU privacy and security laws as well!

Secure, Private e-Communication

When you start digging into what makes HIPAA-compliant email challenging, there seem to be two main concerns:

  1. Messages containing Protected Health Information (PHI) must be transmitted securely.

  2. Messages containing PHI should be securely archived for several years (the exact number varies based on the content of the message).

There are several HIPAA-Compliant Messaging services that have been designed to address these concerns. Want some more good news? Jane already has some great solutions to these issues as well (with more on the way!).

To know what to look for in a secure messaging service, or if you’re thinking of going it alone, read on! 👇

1. Secure Transmission

In the world of secure e-communication, the term end-to-end encryption comes up a lot. While it isn’t specifically required by HIPAA, it is the gold standard for ensuring secure transmission of e-communication, so let’s take a closer look.

Did you ever get into playing spy and sending coded messages as a kid? Surely, we can’t be the only Nancy Drew fans here. 🔍 End-to-end encryption (E2EE) is kind of like that. Let’s start with a few definitions:

🔤 Encrypt: to turn a message into a secret code.

🧩 Decrypt: to take a coded message and translate it back to its original meaning.

🔑 Public Key: used to encrypt a message.

  • Every message recipient will have a Public Key that is used to encrypt a message before it is sent to them.
  • Anyone sending someone a message can access this Key.

🗝️ Private Key: used to decrypt a message.

  • Every message recipient will also have a matching Private Key, used to decrypt messages encrypted with their Public Key.
  • Only the message recipient can access this Key.

With E2EE, everyone sending and receiving messages will have both a Public Key (to encrypt) and a matching Private Key (to decrypt) that work together to keep their messages secure.

2. Secure Archiving

Now, HIPAA doesn’t specifically mention email archiving either, but there are parts of the Security Rule that relate to email retention. To err on the side of caution, you should consider archiving any emails that contain PHI for a minimum of six years. Depending on the volume of messages you send, this can present a bit of a data storage issue.

People often turn to email archiving services, or choose a secure messaging service that includes archiving, to help with this. Using these services will allow you to store PHI-containing emails on a service’s secure servers, where they are indexed to allow quick retrieval.

HIPAA-Compliant Messaging Services

There are many, many secure messaging and archiving services out there. We’ve highlighted a couple that some of our customers have spoken highly of:

Hushmail: allows you to send encrypted emails to clients regardless of their email service provider, from any device. They create a separate archive account that keeps a record of all emails sent or received. They also give you the option to have clients fill out secure online intake forms by logging into a client portal. Starting price is $9.99/month.

MailHippo: allows you to log in to a client communication portal to send and receive secure messages through any email provider. You and your clients will receive email notifications when messages are received, but both have to log in to access the message. All records are encrypted and stored on the secure MailHippo platform. Starting price is $4.99/month.

Jane: surprise! We’re adding ourselves to this list because in researching some of these other services, we realized what Jane can do isn’t all that different. Plus, it’s all included in your current monthly fee and means one less username/password for you and your clients to remember! We’ll explore this more in the next section.

Curious what other practitioners are using? Jane’s community forum is a great place to ask!

Sending HIPAA-Compliant Messages Through Jane

A lot of the HIPAA-compliant messaging services we found use a secure client portal to get around those challenges we mentioned surrounding emails and HIPAA. Basically, when you use them to send your client an email, the client receives a message asking them to log in to their portal to read what you’ve said.

And we thought, hey… that sounds pretty familiar: did you know you can Share Chart Entries and Files with your clients through their My Account area in Jane?

Check out the video below to see how!

The My Account area is a secure client portal 🔒 that contains your client’s history with you and your clinic, including any Documents you share with them or Intake Forms they need to fill out for you.

When you share documents with your clients, Jane will give you the option to send them an email letting them know that they should log in to their client portal to view your message.

Some ideas for how you can use Jane’s secure e-communication include providing:

  • Treatment plans
  • After-care instruction
  • Progress reports or test results
  • Personalized handouts, resources, or educational materials
  • Self-assessments, worksheets, or exercises
  • Doctor’s notes or notes requesting accommodation from schools or workplaces

😥 Now, the bad news:

Jane’s communication is one-way at this point. You can send a secure message to your client, but they won’t be able to send a secure message back to you.

Before you feel too disappointed, we’re actively working on building two-way Secure Messaging into Jane!

You can add your vote to the linked feature request and we’ll send you updates on how this feature is coming along.

Are Jane’s Reminder & Notification and Financial emails HIPAA compliant?

Wow. If you’ve made it all the way through this post, our hats off to you! 🎩 We deeply appreciate how much you value your client’s privacy and we’re committed to working with you to maintain that through Jane.

If you’d like to chat more about any of this, feel free to give us a call or send us an email! We love hearing from you.

Blog Posts