What is HIPAA compliance?

When the Health Insurance Portability and Accountability Act (HIPAA) of 1996 was signed into law in the United States, its primary purpose was to ensure that people could keep their insurance coverage during job and life transitions. A portion of HIPAA, the Administrative Simplification Act, focused on becoming more efficient in handling patient information by using electronic means to transmit and store patient data. The HIPAA Privacy and Security rules were written so patients could feel confident that their information would be kept private when it was transmitted online. The HITECH Act was enacted in 2009 to further encourage healthcare providers to adopt electronic health records and improve privacy and security protections for healthcare records. Both HIPAA and HITECH were updated in 2013, and the requirements are generally referred to as those of HIPAA.

Online communication comes with vulnerabilities that are troublesome for anyone, but especially for those managing a healthcare practice. If your work is in the healthcare field, the safety of your clients’ and patients’ most sensitive information is at risk. Understanding and complying with HIPAA’s Privacy and Security rules is very important.

Who is required to comply with the HIPAA rules?

HIPAA compliance affects all online communication, whether your practice is small, medium, or large. It’s a common misconception that HIPAA compliance doesn’t apply to all

Technically speaking, not all healthcare practitioners are required to comply with the HIPAA rules. The primary distinction is whether or not you accept insurance. If you don’t, in most cases, you’re not considered to be a “covered entity” and not required by law to comply with HIPAA. This article from the U.S. Department of Health & Human Services explains what a covered entity is. 

However, even if you’re not a covered entity, securing your online communications with your clients when they contain information of a sensitive and personal nature is important from a professional, ethical standpoint. Thus, the HIPAA guidelines for handling protected health information online should be followed by anyone providing healthcare services to their clients or patients.

Why comply with HIPAA?

Without HIPAA, our protected health information (PHI) could be passed back and forth online regardless of who might be viewing or stealing it.

If you’re a healthcare professional, it’s important that you have a good understanding of privacy and security, the two concepts that make up the foundation of HIPAA. Although the terms might occasionally be used interchangeably, and even though there is some overlap in their intent to protect personal information, the terms have very different meanings. In short, “privacy” has to do with the right to keep personal information safe and confidential, and “security” has to do with the safeguards that are put in place to actually protect that information.

The HIPAA Privacy Rule requires secure communication of PHI and provides some recourse when it’s mishandled. Without HIPAA to uphold a clear expectation, what might seem like common sense could quickly be forgotten in the shuffle of managing a busy healthcare practice. HIPAA serves as a constant reminder to remain vigilant against negligence and the threat of cybercrime.

The HIPAA Security Rule allows patients to feel safe. The HIPAA Security Rule requires practices to have certain administrative, physical, and technical safeguards in place to protect PHI from leaks, breaches, cybercrimes, and other web vulnerabilities. If you're a practitioner, the last thing you want is for your clients to be wondering about how you're storing their PHI and if it’s secure and safe from unauthorized access. You want them to focus on their health and the care they’re receiving, not your practice’s technology and security measures.

The HIPAA Breach Notification Rule holds you and others accountable. In spite of precautions, breaches can still occur. When they do, the HIPAA Breach Notification Rule ensures that those who are affected are informed so they can take steps to protect themselves. The notification must occur within a specific time frame following the breach and must include details of how the breach occurred, the types of information it affected, what’s being done to remedy the situation, and what affected individuals can do to protect themselves from harm.


What’s a BAA, and who needs one?

When you sign on with a third-party service who may have access to your clients’ PHI, whether that’s an accounting firm or an email service, that third-party is required to protect your clients’ privacy and provide security just as much as you are. That third-party is referred to as a “business associate,” and the HIPAA Privacy Rule requires that practices sign a business associate agreement (BAA) with any such third-party.

A signed Business Associate Agreement (BAA) affirms a third-party service provider's willingness to accept responsibility for the safety of your clients' PHI, maintain appropriate safeguards, and comply with the HIPAA Security Rule when they handle PHI on your behalf.

In the words of the Department of Health and Human Services (HHS), the BAA must accomplish the following:

...describe the permitted and required uses of protected health information by the business associate; provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; and require the business associate to use appropriate safeguards to prevent abuse or disclosure of the protected health information other than as provided for by the contract.

Here are some examples of third-party service providers that should provide you with a BAA if they have access to your clients’ PHI:

  • Billing service
  • Email service
  • Online fax service
  • Electronic health record (EHR) software provider
  • Electronic signature service
  • IT contractors
  • Attorneys
  • Collections agency

HIPAA compliance failures

In 2016 and 2017, the Office for Civil Rights (OCR) conducted audits of 166 covered entities, including 150 healthcare providers, with respect to their compliance with selected provisions of the HIPAA Rules.

The results of the audits were published in December 2020 in the 2016–2017 HIPAA audits industry report.

Here are some of the findings:

  • Only two percent of covered entities fully met the requirements of the Notice of Privacy Practices standard.
  • 89 percent failed to show they were correctly implementing the individual right of access.
  • Only a small percentage of covered entities (14 percent) met the requirements for safeguarding protected health information (PHI) through risk analysis.
  • 94 percent of covered entities and 88 percent of business associates failed to implement the HIPAA Security Rule requirements for risk management that would reduce risks to a reasonable level.

There are numerous actions you can take to ensure that you’re a practice that gets it right when it comes to HIPAA compliance.

Make sure your Notice of Privacy Practices is up to speed

The HIPAA Privacy Rule requires practices to provide a notice explaining individuals’ rights regarding their PHI and informing them of the practice’s privacy policies. The OCR audits revealed that most covered entities had Notices of Privacy Practices (NPPs) that didn’t meet all of the requirements, including the requirement to be written in plain language. According to the report, “almost all NPPs were missing required content, often related to individual rights.”

The best step you can take to ensure that your NPP is up to speed is to review the model NPPs provided by the OCR and then create your NPP to match. The OCR provides several different versions of the models, all using plain language and approachable designs, so you can choose the design you feel will best serve your practice.

Correctly inform your clients of their right to access their records

The Privacy Rule stipulates that individuals have the right to request access to their protected health information (PHI) at any time, in the format of their choice or in a hard copy format agreed upon by the individual and the health care practice.

It is the responsibility of the practice to implement easy-to-understand policies and procedures that make it easy for an individual to make this request. Practices also must respond in a timely manner and document the request and the practice’s response.

The OCR has developed the following document that gives useful insight into the patient/client experience by following three personas on their journey to obtain their records: Improving the Health Records Request Process for Patients

At the end of the day, make sure you document with as much detail as possible. Write out exactly how you will respond to requests for PHI and communicate that information to your clients. Then, be sure to keep records of every request that comes in. Next, document your response. By placing your focus on meticulous documentation and following the guidelines mentioned in this post, you’ll be well on your way to satisfying HIPAA’s individual right of access requirement.

Conduct a risk analysis and establish ongoing risk management

Risk analysis involves identifying a practice’s digital assets, including all ePHI created, maintained, received, or transmitted by the practice and identifying the risks and vulnerabilities posed to the confidentiality, integrity, and availability of that ePHI.

Risk management comes after you’ve conducted the risk analysis and identified all of your digital assets, including your ePHI, and their risks and vulnerabilities. As stated in the 2016–2017 HIPAA audits industry report, risk management is the “implementation of security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”

Completing a risk analysis (or risk assessment) might sound intimidating, but it doesn’t have to be, and you don’t have to do it all in a day. A good risk analysis plan is easy to follow and allows you to go through the steps when you have time. Here are some of the things you can do and resources you can use to get the job done in a timely manner.

  • Develop policies and procedures for completing the risk analysis. Spell out exactly how you plan to conduct your risk analysis and update your policies and procedures as your practice changes.
  • Conduct the risk analysis. See the resources below for useful guides on how to do this.
  • If you’ve already conducted a risk analysis for your practice, review it and make any necessary updates. This is especially important now since there have been so many recent changes to the healthcare environment due to the pandemic.

Hushmail’s blog post Is your new virtual practice secure? Conduct a risk assessment explains the steps of a risk analysis and includes a downloadable guide.

Once you’ve conducted your risk analysis, you’ll see the areas that are in need of additional attention (risk management). You can then take remedial steps such as:

  • Documenting your security policy and procedures
  • Conducting regular staff trainings on your practice’s security policy and procedures
  • Using encryption where appropriate
  • Obtaining signed BAAs from all third-party service providers that handle your practice’s digital assets, including its ePHI
  • Strengthening passwords and/or subscribing to a reliable password manager


What happens if a HIPAA complaint is filed against you?

Even if you’re doing your best to follow the rules, you could inadvertently make a mistake.

Let's take a look at how HIPAA violations occur, how they are reported, what happens during and after an investigation, and what you can do to prevent a complaint from being filed in the first place.

First, here are some of the most common HIPAA violations, as listed in this informative HIPAA Journal article: What is a HIPAA violation?

  • Impermissible disclosures of protected health information (PHI)
  • Unauthorized accessing of PHI
  • Improper disposal of PHI
  • Failure to manage risks to the confidentiality, integrity, and availability of PHI
  • Failure to implement safeguards to ensure the confidentiality, integrity, and availability of PHI
  • Failure to enter into a HIPAA-compliant business associate agreement with vendors before giving access to PHI
  • Failure to provide patients with copies of their PHI on request

How is a HIPAA violation reported?

If a client thinks there has been a violation, they can file a complaint with the OCR by mail, fax, email, or via the OCR Complaint Portal.

They will need to submit the name of the covered entity (which would be you) and any business associate involved, and describe the perceived violation.

The report needs to be filed within 180 days of when the client believes the violation occurred. However, the OCR may extend the 180-day period if the complainant can show "good cause."

You can visit the OCR website to download the forms and for additional information about how someone can file a complaint.

What happens after a complaint is filed?

After a complaint has been made to the OCR, the next step is an investigation. According to the U.S. Department of Health and Human Services (HHS) page How OCR enforces the HIPAA Privacy & Security Rules:

If OCR accepts a complaint for investigation, OCR will notify the person who filed the complaint and the covered entity named in it. Then the complainant and the covered entity are asked to present information about the incident or problem described in the complaint. OCR may request specific information from each to get an understanding of the facts. Covered entities are required by law to cooperate with complaint investigations.

After the investigation, OCR will issue a letter with the results of the investigation. If it’s found that you, the practitioner, did not comply with the HIPAA rules, then you must agree to 1) voluntarily comply with the rules, 2) take corrective action if necessary, and 3) agree to a resolution. According to the HHS:

A resolution agreement is a settlement agreement signed by HHS and a covered entity or business associate in which the covered entity or business associate agrees to perform certain obligations and make reports to HHS, generally for a period of three years. During the period, HHS monitors the covered entity’s compliance with its obligations. A resolution agreement may include the payment of a resolution amount. If HHS cannot reach a satisfactory resolution through the covered entity’s demonstrated compliance or corrective action through other informal means, including a resolution agreement, civil money penalties (CMPs) may be imposed for noncompliance against a covered entity.

While the process of filing and investigating a complaint is fairly straightforward, there is plenty of room for interpretation. Therefore, it’s best to be proactive when it comes to complying with HIPAA rules. Keeping compliance at the forefront of your practice management ensures that your clients’ information is protected and helps you avoid penalties. To learn more about HIPAA complaints and resulting penalties, read our blog post What happens when a HIPAA complaint is filed against you.


Best practices for communicating online with PHI

One of the most important things you can do as a healthcare professional to ensure HIPAA compliance is to sign up for an encrypted email and web form service.

Encryption serves as a safeguard to protect your clients’ ePHI when you send or receive it through email or web forms. Hushmail uses OpenPGP encryption that encrypts data during transit and in storage. This provides an extra layer of security on top of the TLS encryption that most email servers support. Here is a helpful Q&A to answer your questions about HIPAA-compliant, encrypted email.

However, encryption is just the first step. The next step is to apply a healthy dose of common sense before you communicate.

Tips for communicating through encrypted email

Be wary of addresses you don't recognize

If you receive an email requesting information that might qualify as PHI, and you aren’t sure where the email is coming from, confirm who the person is and the purpose of the email. Check the actual email address of the sender in addition to the display name. This is simple good communication practice in the healthcare world, but in the middle of multitasking, it can be easy to fall into a pattern of reacting quickly rather than devoting time to a thought-out response. Just be aware and consider where your email will go if you respond.

Make sure you're sending to the right recipient

This advice might seem simplistic, but you’d be surprised how many errors are made by not looking closely at the recipient. When your email application automatically fills in a name, it’s easy to mistake a John Smith with a Jon Smith. Or a Heather Bell with a Heather Biel. The solution is to slow down when sending an email and take the time to carefully select the correct address.

Don't put sensitive information in the subject line

Subject lines are the most visible part of an email. They are displayed when listing emails and can be seen in notifications on some devices. Be sure to place any private or identifying information in the body of the email, not the subject line. Examples of inappropriate subject lines include: “Feedback on your depression screening” or “Welcome back to our ADHD support group.” While seemingly straightforward, these subjects tell too much information about the recipient.

Don't send group emails

As a rule, group emails are a bad idea when it comes to protecting PHI. If the email implies information about the recipients, such as an email welcoming new members to a support group, then it’s considered PHI and under the protection of HIPAA. If you must send group emails, make sure they contain only very general information.

Make sure you encrypt

All encrypted email services are different and have unique encryption mechanisms. It’s important that you understand what they are, when they’re automatic, and when they require action. Hushmail’s service includes automatic encryption between Hushmail users, but if you’re communicating with someone who doesn’t have a Hushmail account, it requires you to check an Encrypted box in webmail. Take the time to make sure the encrypted email you think you’re sending is, indeed, encrypted.

Archive your emails

Hushmail for Healthcare has a built-in email archive feature—an account that automatically keeps a record of all emails sent and received by all users in a domain. HIPAA has no specific retention requirements for PHI. However, it does have retention requirements around your compliance and privacy policies. It provides that documentation such as policies and procedures, security risk analyses, complaint and resolution documentation must be retained for six years. Read more about why maintaining an archive is important to your practice’s HIPAA compliance.

Tips for communicating on third-party websites

Use encrypted contact forms on directory profiles

The email button on your Psychology Today profile invites potential clients to submit their protected health information, which could be of a very personal nature, in a manner that isn’t encrypted or secured in any way.

The Psychology Today email button leads to a generic form that submits to the email address of your choice. The message field allows for 200 words. Potential clients could be inspired to include all sorts of private information, unaware that it’s not guaranteed to be kept private or to reach the practitioner.

Fortunately, if you’re a Hushmail customer, you already have the perfect solution. Along with an email button, Psychology Today also allows you to enable a website button that links to your website. We suggest that you disable the email button and set the website button to link to your website’s secure contact form that you built with Hush™ Secure Forms.

Or, if you don’t have a website, you can include the link to your secure web form that we host for you. In fact, even if you have a website, it doesn't hurt to include the direct link to your contact form in your profile. That way, your potential client knows they have an easy way to reach you when they’re ready to connect.

Respond to patient reviews with encrypted email

You might think that responding to reviews on a site like Yelp would be a best practice for maintaining good patient relationships, and you’re right! Responding to reviews is important. However, due to privacy concerns, responding to reviews from patients requires careful consideration. If your responses aren’t handled correctly, they could leave you vulnerable to significant fines and other penalties for disclosing patient information. There’s a definite right and wrong way to respond to reviews.

First, never confirm the relationship. It might seem counter-intuitive. A patient has just written a rave review about your service, and you can’t even take credit. Why? Because the fact that they are a patient is considered protected health information (PHI). Even if a review discloses a practitioner/patient relationship, the practitioner can’t confirm the relationship.

Second, never disclose PHI, even if the review does. Along with not confirming a relationship, you also can’t confirm any of the details that are revealed in the review. For example, if a dental patient leaves a review saying they had a great experience with a teeth whitening procedure, it’s not OK to respond back saying that you’re glad she was happy with the procedure. And definitely don’t volunteer any information.

And third, reviews must stay on the review site. The best reviews read like testimonials giving details about your services and why they made your patient so happy. Some of them may be so well written that it seems like a waste for them to only be viewable in one place. Why not in your brochures and website? This is a great idea but only if you have written consent from the patient. In 2012, a physical therapy office was fined $25,000 for posting a testimonial from a review without permission.

Encrypted email provides a HIPAA-compliant solution to the challenge of responding to reviews. To learn about the right way to respond to reviews, read our blog post The right and wrong way to respond to patient reviews.

Is HIPAA-compliant communication affordable?

When you begin shopping for HIPAA-compliant tools and services to support your practice, you may be surprised by the difference in prices. Services might include bells and whistles you don’t need or charge a premium for a BAA, with the extra fee potentially increasing the price by hundreds if not thousands of dollars. At Hushmail, we think HIPAA compliance should be easily affordable for the small to medium-sized practice and provide HIPAA-compliant tools and services to support your practice – without breaking the bank.


Hushmail encrypted email

We have a proven track record of providing industry-standard OpenPGP encryption to protect the contents of the email, ensuring its security, privacy, and authenticity. In addition, all communications between you and our servers use a secure connection.

Hushmail allows you to email sensitive information directly to your clients, regardless of their email provider. They will be able to reply directly to your message and send documents securely, even if they don’t have a Hushmail account.

Hush™ Secure Forms

Hush™ Secure Forms is our secure alternative to old-fashioned paper forms. You can create your own customized secure web forms with our drag-and-drop form builder. Simply drag one or more fields from the toolbar to your form, name your fields, and click Publish when you’re done. It's that easy. You won't need to hire an expensive web developer or learn to write code. Need some help getting started? We have a collection of templates you can use as a starting point for your form.

Hushmail e-signatures

If your clients are still signing with pen and ink, you're going to love our e-signature feature. It's perfect for informed consent forms, disclosure forms, health history questionnaires, and more.

We've built electronic signing right into Hush™ Secure Forms. Create your first e-signable web form in minutes using our drag-and-drop form builder. Your clients can complete and sign your forms from anywhere, on their own time, and on their preferred device.


More HIPAA-compliant tools

Hushmail has built relationships with numerous like-minded organizations that offer valuable services to our customers. In doing so, we’ve developed a robust network of reliable, highly valuable resources. Hushmail partners provide a multitude of tools and services that complement Hushmail services and support your practice’s HIPAA compliance.


The virtual practice and HIPAA compliance

Due to the COVID-19 pandemic, many healthcare professionals have switched to telehealth to provide care to their clients and patients. Relaxed HIPAA requirements in March of 2020 allowed the use of video applications such as Google Hangouts, Zoom, or Skype. Yet, accounts of data mining and breaches make it important to remember the purpose of the HIPAA requirements – to protect your clients.

Online communication of any sort comes with myriad vulnerabilities that are troublesome for anyone, but especially for those managing a healthcare practice. Today, as the majority of us are adapting with some kind of remote office that requires most if not all of our work to take place online, these vulnerabilities are an even greater threat to the safety of our data. If your work is in the healthcare field, that means the safety of your clients’ and patients’ most sensitive information is at risk. Understanding and complying with HIPAA is more important than ever.

The pandemic has presented an opportunity to step back and look at all the ways you have to communicate securely. Everyone has their preferred method of communication, and if you can stick to that medium, you’re more likely to successfully engage with your clients and have a positive experience. To make sure you’re making a decision that will meet your needs during and after the pandemic, while supporting your practice’s HIPAA compliance, follow these simple steps:

  • Decide what method you’re going to use
  • Document your policies and procedures around using that method
  • Conduct a risk assessment for that method

Hushmail is the best fit for many practices

Hushmail has proven to be the perfect fit for numerous healthcare professions from behavioral health therapists to dentists to optometrists and many others. One of the best ways to understand how Hushmail can benefit your practice is to read the stories of those who have already made the switch to encrypted email and web forms. Here are three customer success stories from different professions that demonstrate how Hushmail can be the best answer to a variety of challenges.

Carol Park, LPC-S, RD

Find out how Carol Park, a Licensed Professional Counselor and Registered Dietitian, is managing her practice during the pandemic using HIPAA-compliant web forms to help her provide telehealth services to her clients.

In Carol’s success story, you’ll read about:

  • How she quickly put technology in place during a stressful time
  • How her practice changed when she started using secure web forms
  • How she’s adjusted to using telehealth to care for more clients
  • A little about the history and use of telehealth

Carol’s story

My practice provides psychological and nutritional therapy for individuals struggling with eating disorders. I was, and still am, an individual practitioner with a full caseload. Prior to the pandemic, about 90 percent of my cases were in-office with the rest over telehealth.

I’ve been using Hushmail for years as my secure email provider, but it wasn’t until just before the COVID-19 pandemic that I started putting Hush™ Secure Forms to full use in my practice. In all candidness, I’m not the most tech-savvy person in the world, and a colleague helped me put the web forms on my website. You can find them under the Helpful forms tab.


Neil J. Gajjar, DDS

Explore how dentist Dr. Neil Gajjar safely continued providing emergency care at the height of the pandemic and reopened his elective services using encrypted web forms as part of his strategy to maintain safe contact with his patients.

In Neil’s success story, you’ll read about how he:

  • Used secure web forms to reduce contact, increase efficiency, and streamline operations
  • Maintained positive interaction with patients while limiting physical contact as much as possible
  • Launched intake forms patients could fill out and sign at home
  • Efficiently screened patients and staff for COVID-19

Neil’s story

The news that I had to close my practice except for emergent care was unprecedented and a bit of a shock. I’d just returned from a trip to the US, and I chose to quarantine myself for 14 days, although at that time it wasn’t mandatory. It was the prudent decision.

When I returned to my practice, I found a stack of intake forms on my desk that were damp. When I asked why, I learned that because the forms had gone through multiple hands and multiple areas in the office, my staff had attempted to sanitize them by spraying them with disinfectant. They were difficult to read, and it was clear that paper forms would no longer work for us. It was also clear that we would have to examine all areas of the practice to make sure we responded appropriately to this situation.


Kevin L. Gee, OD, FAAO

Get to know Dr. Kevin Gee, an optometrist in Missouri City, Texas, who placed encrypted email and web forms at the center of his practice’s strategy to keep staff and patients safe during reopening, and found them to increase his efficiency in unexpected ways.

In Kevin’s Success Story, you’ll read about:

  • The two web forms he uses to safely welcome patients for their appointments
  • How he used easy-to-edit web forms to keep up with frequent changes to pandemic recommendations
  • An unexpected silver lining that’s helping him get to know his patients better
  • His three recommendations for managing a practice during uncertain times

Kevin’s story

We shut down our practice in March, except for emergency cases. During this time, it was important that our patients felt they were still connected with us. I knew communication would be key! We used an automated response on our phones to inform them that our practice was closed, and messages were rerouted to my Hushmail inbox, so I was always apprised of their needs and could respond promptly. This was a confusing time for everyone, and we figured that reliable communication would be an important component in helping our patients feel safe.

Because the future was uncertain, we sent out a newsletter encouraging our contact lens wearers to contact me if they had less than a three-month supply. Within 18 hours, we filled 45 orders! Rebates, receipts, and other documents were easily sent securely back and forth with Hushmail.


Want to learn more about Hushmail for Healthcare?


Did you get a lot out of this page?

We're always publishing new information to help you better understand the intricacies of secure communication. Here are some other pages that might interest you as well:

The HIPAA-compliant virtual healthcare practice
Online forms can transform your healthcare practice


US Department of Health and Human Services:

2016–2017 HIPAA audits industry report
Business Associates
Covered Entities and Business Associates
Physical therapy provider settles violations that it impermissibly disclosed patient information
Model Notices of Privacy Practices
Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency

The Office of the National Coordinator for Health Information Technology:

Improving the Health Records Request Process for Patients

Hushmail partners:

Empathy Sites - The Ultimate Guide to HIPAA Compliant Email for Therapists (BAAs, Secure Forms, and More)
Person Centered Tech - Comprehensive Teletherapy and HIPAA Security Compliance Training, Tools, and Support for Mental Health Professionals

Other publications:

HIPAA Journal – What Is Considered Protected Health Information Under HIPAA?
