At Jane, we love to help people understand the technology side of things to make intelligent decisions and give customers confidence that we’re taking privacy and security very seriously. So, grab a cup of tea & get comfortable — we’d like to get into some detailed Q&A here! 🙂
Feel free to jump to each section:
- Are Jane’s emails encrypted?
- Is encrypted email required for personal health information (PHI) and personal identifying information (PII)?
- Is emailing an encrypted PDF possible?
- What information is sent when a receipt is sent from Jane via email to a client?
- Could there ever be a way to allow a client to access a receipt that isn’t transmitted through email?
Are Jane’s emails encrypted?
The short answer is no, because there is no email encryption standard that works across different email programs and lets people easily send end-to-end encrypted emails to one another. Both you and your client would need to use the exact same program to send encrypted emails. However, as we know, people receiving allied health care services use their personal email addresses to manage their appointments, so it’s just not possible for most clinics to guarantee that their client could decrypt the email that is sent from Jane — or any software.
It’s worth noting that Jane’s email providers use opportunistic encryption when sending emails, if the client’s email provider supports this. This type of encryption ensures that the emails are encrypted in transit between Jane’s email provider and the client’s email provider.
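To see whether opportunistic encryption actually applied to a message you received, you can read the `Received` headers that each mail server adds. The script below is an added example, not Jane's code; the host names and headers in it are constructed for illustration.

```python
import re
from email import message_from_string

# Received "with" keywords (RFC 3848, RFC 6531): an S suffix means TLS was used.
PROTO_RE = re.compile(r"\bwith\s+((?:UTF8)?(?:E?SMTP|LMTP))(SA|S|A)?\b", re.I)
# Some mail servers note the TLS session only in a parenthesised comment.
TLS_NOTE_RE = re.compile(r"\b(?:version=|using\s+)TLS", re.I)
BY_RE = re.compile(r"\bby\s+([^\s;]+)", re.I)


def hop_report(raw_message):
    """Return [(receiving_host, protocol, encrypted)] in the order travelled."""
    hops = []
    received = message_from_string(raw_message).get_all("Received", [])
    # Every server prepends its own header, so the last one listed came first.
    for value in reversed(received):
        text = " ".join(value.split())  # unfold continuation lines
        by, proto = BY_RE.search(text), PROTO_RE.search(text)
        suffix = (proto.group(2) or "").upper() if proto else ""
        name = proto.group(1).upper() + suffix if proto else "unknown"
        encrypted = "S" in suffix or bool(TLS_NOTE_RE.search(text))
        hops.append((by.group(1) if by else "unknown", name, encrypted))
    return hops


# Constructed sample: the client's provider accepted STARTTLS.
SAMPLE_TLS = """\
Received: from out.sender.example (out.sender.example [192.0.2.10])
 by mx.recipient.example with ESMTPS id abc123
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
 Mon, 01 Jan 2024 10:00:02 +0000
Received: from app.sender.example (app.sender.example [192.0.2.5])
 by out.sender.example (Postfix) with ESMTPSA id 4F00D1;
 Mon, 01 Jan 2024 10:00:01 +0000
Subject: Your receipt

(body omitted)
"""

# Constructed sample: the client's provider offered no STARTTLS, so the
# opportunistic sender fell back to plain SMTP for that hop.
SAMPLE_PLAIN = SAMPLE_TLS.replace(
    "with ESMTPS id abc123\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);",
    "with ESMTP id abc123;",
)

if __name__ == "__main__":
    for label, raw in (("TLS offered", SAMPLE_TLS), ("no TLS", SAMPLE_PLAIN)):
        print(label, hop_report(raw))
```

Only the header written by your own email provider is reliable evidence, since earlier `Received` lines are supplied by servers you do not control.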
Is encrypted email required for personal health information (PHI) and personal identifying information (PII)?
Ontario’s Privacy Commissioner gives some guidance on this topic; they say to use encrypted email where feasible, but they also make allowances for unencrypted email depending upon a number of factors, including the sensitivity of the information and client expectations. Here’s the full text of their recommendations for Communicating PHI via Email.
Is emailing an encrypted PDF possible?
It is important to point out that encryption and password-protected emails/receipts are not the same thing. PDF password protection is not very strong. There are websites, like this one (https://smallpdf.com/unlock-pdf), where you can drag and drop a PDF to remove the password. And it’s also possible that the PDF reader that your client has on their computer won’t be able to decrypt that file.
What information is sent when a receipt is sent from Jane via email to a client?
Jane is careful, and we do not transmit any sensitive medical information via email. Jane only keeps the basic information in the receipt: the session type, the duration, the cost, the client’s name, the location for the client to attend, etc.
This challenge with email encryption is why the Privacy Commissioner is essentially making an allowance for things like receipts to go unencrypted. Otherwise, if all receipts were encrypted, many clients probably wouldn’t be able to read them, and this would create a whole lot of work on your end to deliver receipts to clients.
Could there ever be a way to allow a client to access a receipt that isn’t transmitted through email?
Yes, Jane is currently working to allow practitioners to provide client receipts as PDFs within the Jane portal. This will be much stronger than a password-protected PDF being sent by email. At that point, everything will stay within the client’s encrypted Jane account, and receipts can be downloaded securely from your Jane account.
Of course, if you have any questions, please do not hesitate to get in touch with us. Our email is firstname.lastname@example.org.