If a potential client has your email address, and they want to get in touch with you, they will probably send you an email. Many of us rightly worry about confidentiality and HIPAA concerns around this – not to mention the potential missed voice and language cues that come from skipping that initial phone call.
I recall an issue of the Zits comic strip where our adolescent protagonist lies blithely on the couch while his phone rings off the hook (not that it has a hook, of course.) Concerned, his mother asks why he won’t answer it and he replies, “If it was important, they’d text me.”
Voice phone calls are quickly going the way of the typed letter. This presents some problems for mental health clinicians, as the classic voice call is our easiest fallback for communicating with clients in a way that is recognized as “secure enough.”
Codes of ethics vary on our exact responsibilities towards potential clients and confidentiality. What is generally true, however, is that potential clients can expect that we will respect and maintain their privacy. As for HIPAA, it is unclear if email communications with a potential client would be considered protected health information. Some attorneys have stated that they may be.
HIPAA, of course, allows clients to ask for us to send them emails and consent to us sending those emails after we have informed them of the risks of doing so. Ethical standards around confidentiality would generally allow the same (with some restrictions depending on what is being emailed.)
The problem with email for potential clients is that, unlike current clients with whom we’ve had meetings and gone through the intake process, we haven’t had a chance to discuss risk of email and document their consent. A simple email disclaimer is not sufficient, either.
Clients can send us emails all they want, of course. The problem lies in how we respond. So with that in mind, I offer you 2 ways to try to head off those initial email contacts in the first place and 3 things you can do to help mitigate the risks when the emails come in anyways.
2 Ways to Reduce Initial Contacts by Email
Many of you are probably concerned at this point that I am going to suggest something that will reduce the number of potential client contacts you get. I understand (and identify with) that concern. My intention is not to reduce incoming leads, but rather to try to reduce the amount of unsecured contact that potential clients make with you.
- Include lots of logistical and professional information on your website. A lot of people are emailing because they want more information about you. Your website is a great way to communicate with potential clients in a manner that is completely in their control and on their terms. Miranda and Kelly can tell you a whole heckuva lot about this one, I’m sure. Including as much as you can — including writings about your work, fees, location, hours, etc. — will help reduce how often people feel the need to make “quick contacts,” e.g. contact by email.
- Put a secure contact page on your website. Hushmail is an encrypted email service that offers “secure forms.” Secure forms allow you to make a page on your website where anyone, including current and potential clients, can go to send you a message that is delivered securely to your encrypted email account. This only works one way – any responses you send probably won’t be by encrypted email. So your secure form should be designed to ask the potential client for their phone number instead of asking for their email address. This helps set up the expectation with the client that we’re doing this initial contact thing in a way that protects their privacy.
3 Things To Do When Someone Decides to Email You Anyways
Once again, clients can send us emails all they want. We do need to be thoughtful about how we respond. However, one concerning thing I’ve seen some clinicians do is to ignore emails from potential clients altogether because the clinician is concerned that they may violate HIPAA or behave unethically by responding to the potential client by email.
Whether or not it’s a “HIPAA violation” to respond to an email is a grey area, but in my opinion it does not follow from standards of ethical professional behavior or HIPAA’s focus on patient autonomy to refuse a response. As such, I offer some methods of reducing confidentiality risks when you have no recourse but to reply by email.
- When replying, delete the sender’s original message. A great thing about email is that when we hit reply, the past messages in our conversation typically get attached to our reply. This helps us follow the thread of the conversation. It also means, however, that everyone’s past comments get sent over the Internet, again and again, every time someone hits reply. If you simply delete the old conversation thread each time, you avoid re-transmitting this archive of your conversation with each reply. This helps us follow a “minimum necessary” approach to emailing confidential information. On a similar note, you might also consider modifying the email subject if it contains especially sensitive information.
- Reply with a pleasant offer to connect by phone. In general, you want to get this conversation somewhere more “secure” than email. Consider a professional and warm statement like, “Thanks for reaching out. Can we connect by phone at 555-867-5309? I’m available after 3 pm today.” You may need to negotiate timing over a few emails, but you and the client are working to move your conversation to a more confidentiality-friendly medium.
- If all else fails, try to get the conversation into your office, on your secure telehealth software, or on the phone. The above approaches will do the trick for most initial client contacts. Some clients may try to continue the email conversation, however. Remember that you aren’t there to provide email therapy (unless you are, of course), and the client is theoretically seeking whatever kind of therapy you do provide. Some potential clients have a need for their initial contact to be in a textual medium, such as those who are deaf or mute or who feel debilitating anxiety on the phone. If they are still an appropriate client for your practice, help them know that it works best to do initial consultations or intakes in a different medium, and work to set up a time to meet in that medium – whether that be by phone, secure telehealth software, or in-person at your office.
Roy Huggins, LPC NCC is the Director of Person-Centered Tech, a firm dedicated to helping mental health professionals get up to speed on technology in clinical practice. He also acts as Technology Committee Chair for the Oregon Counseling Association as well as being a member of the Ethics Committee. He is an Advisory Board member for the Zur Institute, where he is the resident expert on Security and Privacy. He is also an adjunct instructor at the Portland State University Department of Counselor Education, where he teaches Legal & Ethical Issues among other courses.
Roy worked as a professional Web developer for 7 years before changing paths, and makes it his mission to grow clinicians’ understanding of the Internet and other electronic communications mediums for the future of our practices and our professions. He routinely consults with mental health colleagues on ethical and practical issues surrounding tech in clinical practice.
Roy also offers two separate 3-hour ethics trainings for mental health counselors, marriage and family therapists, clinical social workers and psychologists in psychotherapy practice on assessing our practices for security and privacy of client information, compliance with HIPAA Security and HITECH mandates, and helping our particular clients with their specific needs around electronic security and privacy. These are two separate webinar events taken in series. Each is 3 CE Ethics hours, for a total of 6 hours between the two. It is highly recommended to take both, and potential attendees should take Level I before Level II.