I’ve been fielding a lot of questions recently about secure messaging, so I thought I’d take a moment and explain how it works and why you probably need it.
Why you need it
Many of us live in countries with privacy regulations that affect our business activities. Additionally, IBCLCs have an ethical obligation to protect client privacy that may supersede our legal obligations. Secure messaging offers our clients the highest level of privacy and by making it available to our clients we can meet our legal and our ethical obligations at the highest level.
While we all have a commonly held understanding that our emails belong only to us, the way a physical letter does, in reality, we don’t really have many claims on privacy when it comes to email.
If you’re using a free service like Gmail, yahoo, Hotmail, or something similar, then your emails are all being read. Now, this doesn’t mean that a human being is opening your email and reading it to find out where you’re going on vacation next week or what time you have to get your kids to that birthday party.
Instead, what it means is that these free services have programs that are scouring your emails to analyze words, behaviors, and actions. That cumulative data gets aggregated and used to develop the sophisticated internet marketing strategies. This is why all of us lactation consultants end up seeing ads for bras all the time,
If you’re using an email service provided to you by an employer or an educational institution, those emails are not owned by you, and you may not even be able to take them with you when you leave.
In other words, your emails are private but not secure on any level.
Encryption is really having its moment these days. Everybody seems to be jumping on the bandwagon and offering ways for people to send messages that can only be read by expressly designated parties.
End-to-end encryption means that when you write a message to me, a special electronic key is created and associated with that message, and only you and I have that key. No one can observe that message without that key. Apps like WhatsApp and Signal, and email providers like Hushmail make encrypting your messages really easy. Third-party solutions like Virtru and Paubox can add encryption to your G-Suite and Office 365 emails, though that encryption ends as soon as those emails leave your system.
It almost sounds like you can stop here, right? If encryption means that nobody can read your messages, isn’t that enough to meet the legal and ethical obligations for privacy?
Sadly, it’s not. End-to-end encryption is only as secure as the users on either side and their behaviors. For example, you could send an encrypted WhatsApp message to someone using an unlocked phone, or who has notifications pop up on their lock screen.
These messages may be theoretically “secure”–meaning encrypted–but they’re not necessarily private.
With secure messaging, you’re inviting your client into a completely private environment where precautions have been taken to prevent any intrusions. Messages cannot be viewed or read unless you unlock the door, step inside, close the door, and lock it again. You have full security and privacy, creating the safest possible environment to share sensitive information.
Most EHR platforms include secure messaging as a feature, and standalone apps like Spruce can be used for secure messaging as well. G-Suite at the business level has “confidential mode” but it’s only good for sending secure messages. Your clients can reply to your secure messages, but you will not be able to store them longterm. Replies expire and disappear forever, so you’ll need to chart those replies before the expiration date (and confidential mode won’t let you copy and paste the exact message).
The good news
You may be freaking out at this point, wondering how on earth you’re going to make your clients use secure messaging with you.
Relax! You only have to offer it to them in a way that explains the risks of non-secure communication, and then allow them to opt-out if they prefer to use another kind of communication with you.
In my Guide to Secure Messaging, I have attorney-reviewed scripts that you can use to get informed consent from your clients around secure messaging, to meet your ethical obligations without burdening your clients.
Remember that protecting client privacy is not only an ethical obligation, but it’s the right thing to do. By building trust with your clients, you’ll improve their self-efficacy and create better health outcomes.