Compliance
5 common HIPAA myths and what the rules actually say
Estimated reading time: 10 minutes.
TL;DR
- HIPAA can apply before someone becomes a client if they share identifiable health information.
- Email can be HIPAA compliant when appropriate safeguards are in place.
- Removing a client's name does not automatically de-identify information under HIPAA.
- Small practices can face HIPAA enforcement, but compliance requirements scale to practice size.
- You cannot waive your HIPAA obligations.
You're scrolling through a Facebook group for therapists where someone has asked a question about HIPAA and email. The thread has a few dozen replies. One person says email can never be HIPAA compliant. A few comments down, someone else says encryption takes care of it. Another reply insists that solo practices don't really get audited. Everyone sounds like they know what they're talking about. The problem is, none of them agree.
If you've been in one of those threads, you know the feeling. You came looking for a clear answer and left more confused than when you started.
Those misconceptions are more common than you'd think. Most providers didn't get much HIPAA training in grad school, and the advice you find online doesn't always account for the nuance. When you're handling compliance on your own, there isn't always someone to verify what you find.
"The HIPAA confusion I see in small practices usually isn't about carelessness. Providers are trying to piece things together without much formal guidance. That's a training problem, not a compliance problem, and it's fixable."
Liath Dalton, Director, Person Centered Tech
This guide walks through five of the most common HIPAA myths and explains what the rules actually say.
Myth #1: HIPAA only applies after someone becomes a client
A common assumption is that HIPAA kicks in when a client signs an intake form or shows up for their first session. Before that, the thinking goes, you're just answering questions.
It's an understandable assumption. In most professional contexts, obligations start when a formal relationship begins. But HIPAA doesn't work that way. It defines PHI as individually identifiable information related to past, present, or future healthcare services. That word "future" is doing a lot of work. It means HIPAA can apply before someone ever becomes your client.
Say someone finds you in a therapist directory and sends you a message: "I've been struggling with anxiety, and I'm looking for someone who specializes in CBT." They include their name and phone number. You've never met this person, but you're already holding identifiable information tied to a healthcare need. That's PHI.
This catches a lot of providers off guard, and it's one of the areas we've covered in more depth in our posts on what counts as PHI and handling emails from prospective clients.
Reality: HIPAA can apply from the very first message. If someone shares identifiable information while reaching out about care, you're holding PHI whether or not they've become a client.
What this means for your practice: If you receive inquiries through directories, your website, email, or voicemail, make sure those channels have reasonable safeguards in place from the start.
Myth #2: Email is never HIPAA compliant / Encryption alone makes it compliant
These two misunderstandings tend to travel together, and both come from the same place: oversimplified advice. Providers hear "email isn't secure" and avoid it entirely, or they hear "we use encryption" from their email provider and assume that's enough.
Both are off.
HIPAA doesn't ban email. What it requires is reasonable safeguards. And most major email providers already encrypt messages during delivery (TLS is now standard). So the question isn't really whether your email is encrypted. It's whether your overall setup meets HIPAA's requirements.
Here's where it gets practical. A free email account may encrypt your messages, but it probably won't sign a business associate agreement (BAA). It may not offer access controls, audit logs, or the policies HIPAA requires you to have in place. Encryption is one piece. Compliance involves the full setup: a BAA with your email provider, access controls, policies for handling PHI, and a risk management process.
On the other hand, avoiding email entirely can push clients toward less secure channels or create communication gaps. The better question isn't "email or no email" but "does my email setup have the right safeguards?"
We covered this in more detail in our post on whether sending email securely is enough.
Reality: Email isn't off-limits, and encryption isn't a silver bullet. Compliance depends on the full setup: encryption, a BAA, access controls, and policies for handling PHI.
What this means for your practice: Check whether your email provider signs a BAA and offers access controls. If not, encryption alone isn't covering your compliance needs.
Myth #3: Removing the name makes information de-identified
If you've ever redacted a client's name from a document and assumed that made it safe to share, you're not the only one. It's a natural instinct. In everyday language, "de-identified" sounds like it just means "name removed." But under HIPAA, de-identification has a specific legal meaning, and it takes a lot more than that.
Initials, dates, locations, and contextual details can all still point back to a person. A therapy transcript with the name removed might still describe a situation specific enough for the client to recognize themselves in it. That's still PHI.
HIPAA recognizes two formal methods for de-identification. The first is Safe Harbor, which requires removing all 18 categories of identifiers and having no actual knowledge that the remaining information could identify someone. The second is Expert Determination, where a qualified statistical expert confirms that the risk of re-identification is very small.
For most small practices, the practical point is simpler: you probably don't need to de-identify records. You need to protect them. If you're looking for a deeper look at how HIPAA defines PHI and where de-identification fits, our PHI post covers it in detail.
Reality: Removing a name is not de-identification under HIPAA. If someone could still be identified from what's left, it's still PHI.
What this means for your practice: If you're sharing case details for consultation or training, focus on protecting the information with appropriate safeguards rather than stripping identifiers yourself.
Myth #4: Small practices aren't really targets for HIPAA enforcement
It's easy to assume that OCR's enforcement efforts are aimed at hospitals and large health systems. That belief sticks around because the cases that make the news usually involve large organizations and big fines. But OCR has reviewed and taken action against small and solo practices too, often for missing safeguards that are well within reach.
Risk analysis is one of the most common issues OCR highlights in Security Rule enforcement actions. Not a sophisticated breach, not a cyberattack, just a missing or incomplete assessment of where PHI is at risk. A solo therapist with no documented risk assessment is more likely to face a compliance problem than one who has identified risks and taken reasonable steps to address them.
Here's the part that's worth sitting with: HIPAA doesn't expect a solo therapist to have the same security infrastructure as a hospital. It requires reasonable safeguards that are appropriate to your size and complexity. For most small practices, that means a current risk analysis, BAAs with your vendors, and secure channels for handling PHI.
“HIPAA doesn't expect a solo therapist to have the same infrastructure as a hospital. It expects you to identify and document your risks and take reasonable steps to mitigate them. For most small practices, that's a shorter list than they assume.”
Steven O. Youngman, VP of Legal and Compliance, Hushmail
OCR's focus is on whether you've done the analysis and taken reasonable steps, not on whether your setup is flawless. Our post on whether HIPAA is enforcing risk analysis more strictly goes into more detail.
Reality: OCR does investigate small practices. But HIPAA scales to your size. What matters is that you've identified your risks and taken reasonable steps to address them.
What this means for your practice: Start with a basic risk analysis. It doesn't have to be complicated, but it needs to exist and be documented.
Myth #5: You can waive HIPAA
A client says, "Just email me, I don't care about all that." It feels like permission, and some providers treat it that way, assuming they can set aside HIPAA requirements at the client's request. But HIPAA is a federal law. Your obligations as a provider don't go away because a client prefers convenience over security.
Providers sometimes believe this because it mirrors how consent works in other areas of practice. If a client gives informed consent, that changes what you can do. But HIPAA compliance isn't something you can opt out of on a client-by-client basis. It applies to how you handle PHI regardless of what a client prefers.
You can accommodate a client's communication preference, but must still warn about risks and document the request where appropriate. For example, a client might ask you to send appointment reminders to their personal email via regular email. You may do that with a Request for Alternative Communication form. But you still need to keep a secure option available for anything involving PHI, and you need to document the client's request.
Our "What therapists call a 'HIPAA waiver' and why HIPAA can't actually be waived" article goes into more detail on how this works and what documentation looks like.
Reality: A client's preference doesn't change your obligations. You can't waive your HIPAA responsibilities.
What this means for your practice: If a client asks to communicate through a less secure channel, accommodate the request, document it, and keep a secure option available for sensitive information.
HIPAA is about protecting trust, not just avoiding fines
It's easy to think of HIPAA as a set of rules you follow to stay out of trouble. But it's also what backs up the trust your clients place in you when they share sensitive information.
A breach doesn't just mean a potential fine. A breach can also mean becoming a defendant in a lawsuit and having a difficult conversation with a client about what happened to their information. That conversation can damage the therapeutic relationship in ways that are hard to undo.
Some providers step back from this by saying "I don't bill insurance" or "My practice is too small for this to matter." But the legal and ethical responsibility to protect client information exists regardless of your billing model or practice size. HIPAA is the floor, not the ceiling. What you build beyond it is up to you.
And you don't have to get everything right at once. Small steps add up. Reviewing your BAAs, switching to a secure channel for PHI, and doing a basic risk analysis. Each one moves you closer to a setup that protects your clients and your practice. Once a few of those pieces are in place, the rest starts to feel a lot more manageable.
How Hushmail helps
Several of the myths in this post come back to the same question: how do you put reasonable safeguards in place without overcomplicating your workflow?
Hushmail provides encrypted communications, a signed BAA, and built-in access controls as part of the service, so your setup supports multiple HIPAA requirements in one place.
If a client asks to receive messages through a less secure channel, you already have a secure default to fall back on, making it easier to document the request and keep a compliant option available.
Your next step
Pick one myth from this post that surprised you and check whether it applies to your practice.
If you're not sure where to start, here are two good first steps: confirm you have a BAA with every vendor that handles PHI, and check whether your communication channels have reasonable safeguards in place.
“Clients trust you with their stories. Protecting that information is part of the care you're already providing. The compliance part just gives it structure.”
Steven O. Youngman, VP of Legal and Compliance, Hushmail
For a more detailed walkthrough, our HIPAA compliance checklist can help you see where you stand and what to tackle next.
Reviewed by: Steven O. Youngman, VP of Legal and Compliance, Hushmail.
Overwhelmed by the business side of private practice? In this guide, therapists share 20 ways they've offloaded what drains them, to create more space for the work they love.