I recently read an article entitled Google's Email Security Change does not make Online Counseling Secure. I was interested in the article because I was aware of Google's recent change to an HTTPS default setting for Gmail. I agree with the writer of the article that this does not make Gmail a HIPAA compliant service: HTTPS simply means that the connection between your browser and Gmail is encrypted, so your login and your session are better protected, particularly if you are logging in from a wifi hot spot. It does not mean, however, that emails sent from a Gmail account are encrypted, as explained in the WIRED article entitled Google Turns on Gmail Encryption to Protect Wi-Fi Users.
So I thought I would go to the source (at least the most accurate source I know of) to give us all the answers.
For years I have used Hushmail email services with clients to ensure my email exchanges are encrypted. The service is easy and affordable. In fact, Hushmail offers a free account too, which can be handy if a client only needs an account temporarily while working with a therapist online. The service is HIPAA compliant and Hushmail is willing to sign a HIPAA Business Associate Agreement (required in the United States). The agreement means that any third parties that may be privy to confidential client information understand their responsibility to keep that information confidential.
I emailed Hushmail support and asked if they could explain more about their service and how encryption works. I asked specifically how Hushmail differs from Gmail. I received this response and I am posting the response here with permission:
Thank you for your email and we are delighted to help with this.

Hushmail has been providing web-based secure email services for over a decade now and uses the well-known and well-used OpenPGP standard for encrypting email. We are a hosted service where users create accounts on our servers and their email/data is stored securely on our servers.

All interactions a Hushmail user has with our servers are, and always have been, done over SSL (HTTPS), which provides a secure tunnel between the user's computer and our servers. If a Hushmail user sends a message to another Hushmail user, the email will be sent securely over SSL for its entire journey. Gmail is now doing the same as we are, and we think this is a really good thing. Hushmail, however, provides additional security in that users have the ability to easily PGP encrypt their messages individually before sending them, and encrypted messages are also stored on our servers in an encrypted state. This means that email has greater protection not only in transit, but also when it is being stored.

One other area where Hushmail provides additional security is that with Hushmail you can send an encrypted message to a non-Hushmail user; you do this by setting a shared secret as the key for encrypting/decrypting the message. This is different from Gmail not only in that the message is individually encrypted (Gmail messages are not), but also because, once a message is sent to a recipient outside of your network, you may not have control over whether the email is sent securely over SSL. Individually encrypting your message resolves this issue.

We have many customers who use our service for counselling via email and have been doing so for a long time.

If you have any further questions please do not hesitate to contact me.
604 685 7288
I hope you find this explanation as helpful as I did. You can follow @hushmail on Twitter. Click HERE to receive 10% off Hushmail at sign-up!