Is sending email securely enough? What therapists should consider about client privacy
As a therapist, you take your responsibility to your clients seriously. You know privacy is important, not just in therapy sessions, but also in how you run your business. So you're very careful to keep communication, including emails, confidential.
But you're a solo practitioner. And that means you do everything behind the scenes as well. You're the one who emails the intake forms, appointment reminders, and supporting resources.
If there's a way to make these administrative tasks easier and faster, you're here for it.
You may have heard that there's a way to add an extra layer of security to regular emails so that you can send protected messages directly to clients' inboxes. It sounds quick and simple. But you wonder if it's secure. Does it offer enough protection? Is there a risk of PHI being exposed? And would you still be HIPAA compliant?
You worry about sacrificing ethical care and compliance for convenience.
The good news is that a secure web page where clients read and reply to messages reduces those risks rather than adding to them.
Here's what you need to know.
TL;DR: Encrypting email while it's being sent is important, but it doesn't address what happens after delivery. Once protected health information (PHI) reaches a client's regular inbox, you lose visibility and control over how it's stored, accessed, or shared.
From a HIPAA risk management perspective, secure messaging systems reduce long-term exposure by keeping sensitive communication in a protected environment. For therapists, choosing appropriate safeguards isn't about convenience. It's about responsibility.
Why therapists need to keep email secure
You deal with some of your clients' most private and personal health information, and they rely on you to keep it confidential. That includes not just what happens in therapy sessions, but also communications between appointments and storage of their medical files.
By using secure methods, you help safeguard their information from theft, abuse, and exploitation.
A healthcare-specific secure email helps you build trust with your clients and meet your professional responsibilities, such as:
- HIPAA compliance
- Ethical care
- Risk management
👉 Learn more: If you want a more detailed breakdown of what HIPAA requires when sending email, see our guide to HIPAA-compliant email for therapists.
Two common ways sensitive information is sent by email
There are several ways to protect sensitive information sent by email. Two are especially common.
Many email tools protect messages while they're being sent to a client's inbox. In technical terms, this is called encryption in transit. It means the message is scrambled as it travels between email servers. It helps prevent messages from being read along the way.
But once the message arrives in a client's regular inbox, that protection ends. From that point on, the provider has little control over who can access it or how long it's stored.
Other tools, like Hushmail, protect messages by storing them in a secure online message center rather than a personal inbox. Clients receive a notification and sign in to read and reply to the message securely, instead of accessing it in their regular email account.
Messages stay in an encrypted environment, and PHI never reaches a personal inbox.
| | Email protected while being sent (TLS) | Secure web page for client messaging |
|---|---|---|
| How it works | Scrambles messages while they're on the move between mail servers, so that anyone intercepting them on the network can't read the content. Each mail server along the way decrypts the message to route it onward, and it is readable once it reaches the right inbox. | Keeps all client communication, information, and documents secured in a private online platform, also known as a "portal," "private message center" or "escrow-style secure email." Messages never leave the secure environment. Both the client and the provider log in to the password-protected space to exchange messages and files. |
| Advantages | Works with the client's existing email account, so there is nothing extra to sign in to. Most regular email tools support it, so messages usually get this protection without any setup. | PHI never reaches a personal inbox; messages stay encrypted in the message center. Only people who sign in can read them, and activity such as logins and opens can be audited. |
| Limitations | Protection ends at delivery. The message sits in readable form in the inbox, and you have no control over who else can access the account, whether the message is forwarded, or how long it is retained. | Clients must sign in to a separate site to read and reply, so some will need an introduction to the platform. |
👉 Learn more: If you'd like a closer look at how secure email works, read our guide on How secure email works.
Why regular email may not be enough for PHI
Most regular email tools use a type of encryption called Transport Layer Security, or TLS. It keeps messages safe from eavesdroppers on the network while they travel from one mail server to the next.

TLS is the most widely used protocol for encrypting connections on the internet and a foundational part of how information is shared securely online. It is the same protection you already rely on for banking and shopping.

Two details matter for email, though. First, TLS protects each server-to-server hop, not the message end to end: every mail server on the path decrypts the message to route it onward, so it is in plain form on those servers and in the destination mailbox. Second, between mail servers TLS is usually opportunistic: if the next server doesn't offer it, many sending systems fall back to an unencrypted connection unless they have been configured to refuse that.
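To see where transport encryption actually applies, here is an added example (not Hushmail's code and not part of the original article) that walks the Received: headers of a delivered message and reports, hop by hop, whether each SMTP handoff used TLS. The sample message, host names, IDs and timestamps are constructed for illustration; the protocol keywords follow RFC 3848 (ESMTPS, ESMTPSA), and the cipher annotation mirrors what some large providers and Postfix write into the header.

```python
"""Report, hop by hop, whether each SMTP handoff recorded in a message's
Received: headers used TLS.

Added illustration, not Hushmail's code. Host names, IDs and timestamps in
SAMPLE_MESSAGE are constructed. Protocol keywords follow RFC 3848
(ESMTPS = STARTTLS, ESMTPSA = STARTTLS + authenticated submission)."""
import email
import re

# Constructed sample: three hops, the middle (internal relay) one without TLS.
# Received: headers are prepended, so the top line is the LAST hop.
SAMPLE_MESSAGE = """\
Received: from relay.example-clinic.test (relay.example-clinic.test [192.0.2.10])
        by mx.mailhost.test with ESMTPS id k7Q2m
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
        Mon, 3 Jun 2024 09:15:02 +0000
Received: from submit.example-clinic.test (submit.example-clinic.test [192.0.2.11])
        by relay.example-clinic.test with ESMTP id 9bD3x;
        Mon, 3 Jun 2024 09:15:01 +0000
Received: from [10.0.0.5] (laptop.example-clinic.test [203.0.113.9])
        by submit.example-clinic.test with ESMTPSA id 4fG8z;
        Mon, 3 Jun 2024 09:15:00 +0000
From: therapist@example-clinic.test
To: client@mailhost.test
Subject: Intake forms

Please find the intake forms attached.
"""

# "with" keywords that mean the hop ran over TLS (RFC 3848, RFC 6531).
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# from <sender> ... by <receiver> ... with <protocol>
HOP_RE = re.compile(
    r"\bfrom\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+).*?\bwith\s+(?P<proto>[A-Za-z0-9]+)"
)

# Servers that annotate the cipher instead of (or as well as) the keyword,
# e.g. "(version=TLS1_3 cipher=...)" or Postfix's "(using TLSv1.3 with cipher ...)".
TLS_NOTE_RE = re.compile(r"\b(?:version=TLS|using TLS)")


def hop_used_tls(received: str) -> bool:
    """True if a single (unfolded) Received: value shows a TLS-protected hop."""
    m = HOP_RE.search(received)
    if m and m.group("proto").upper() in TLS_KEYWORDS:
        return True
    return TLS_NOTE_RE.search(received) is not None


def audit_transport(raw_message: str) -> list:
    """Return the hops in delivery order, each with src, dst, proto and tls."""
    msg = email.message_from_string(raw_message)
    hops = []
    for received in reversed(msg.get_all("Received", [])):  # bottom = first hop
        flat = re.sub(r"\s+", " ", received)  # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue  # unparseable trace line; report only what we can read
        hops.append({
            "src": m.group("src"), "dst": m.group("dst"),
            "proto": m.group("proto"), "tls": hop_used_tls(flat),
        })
    return hops


def every_hop_encrypted(hops: list) -> bool:
    """True only if at least one hop was parsed and all of them used TLS."""
    return bool(hops) and all(h["tls"] for h in hops)


if __name__ == "__main__":
    hops = audit_transport(SAMPLE_MESSAGE)
    for n, h in enumerate(hops, 1):
        mark = "TLS" if h["tls"] else "PLAINTEXT"
        print(f"hop {n}: {h['src']} -> {h['dst']} ({h['proto']}): {mark}")
    print("all hops encrypted:", every_hop_encrypted(hops))
```

Only the recipient's copy carries these headers, so as a sender you can check by mailing a test account at the same provider your clients use and viewing the raw source of what arrives (most mail clients have a "show original" or "view source" option). Two limits apply: each Received line is written by the server that accepted that hop and can be forged by anything upstream, so the report is a diagnostic rather than proof; and it stops at delivery. It says nothing about how the message is stored or who can open the inbox afterward, which is exactly the gap described below.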
However, there could be gaps in security once your message arrives in a regular inbox:
- Once delivered, the message may sit in readable form in a personal inbox. After it reaches your client's email account, it is no longer protected as it was while being sent. It can remain stored in readable form, increasing the risk of exposure over time. You also have no control over whether it's forwarded or retained long-term.
- Someone else may have access to your client's inbox. A shared family email, using the same computer as a partner, logging on (and forgetting to log off) on a public computer, an old device retained after separation — there are times when someone else might be able to read your client's private messages.
- Your client might not follow security measures. There is also a risk of PHI exposure if your client doesn't use a password on their device, loses it, or doesn't enable two-step verification on their email account.
Emails that are protected while they're being sent to a client's inbox can still be exposed once they're delivered. That means they may not fully address HIPAA risk management considerations.
HIPAA requires "reasonable and appropriate safeguards" to protect PHI. That includes thinking about risk beyond the moment a message is sent.
- Storage. HIPAA requires providers to make all reasonable efforts to safeguard PHI. But once PHI is stored in a client's personal inbox, the provider has no way to assess or influence how that information is stored, retained, or accessed over time. That increases risk exposure.
- Legal exposure. You are responsible for keeping PHI secure and may face consequences for HIPAA violations.
⚠️ It's important to remember that your clients are not subject to HIPAA, and the act doesn't govern how they use their own email accounts. However, you are responsible for how you send protected health information and for applying reasonable safeguards.
How secure messaging reduces risk after delivery
A secure web page or portal reduces exposure after delivery by keeping protected health information inside a secure environment. It:
- Limits access to authorized users. Only individuals who sign in to the secure environment can view the message.
- Provides audit trails. Tracks activity like logins and opens.
- Supports compliance. Helps you apply reasonable and appropriate safeguards to protect PHI.
Making secure communication simple for your practice
Using a secure web page where clients read and reply to messages is pretty straightforward. But if you or your clients need a little help, here are two things that can make it easier:
- Take advantage of the resources your platform provides. For example, Hushmail has a library of help articles, a blog, and a Customer Care team.
- Explain to clients why you take the extra step of using a secure web page and provide them with an onboarding experience to introduce them to the platform. For example, give them a personal tour of how to use it or provide a written guide.
Peace of mind and professional responsibility
Behavioral health requires extra care. The messages you send to your clients can include highly sensitive disclosures. Emails can reveal long-term therapeutic relationships. Your ethical duties go beyond minimum compliance.
Using a secure web page where clients read and reply to messages can put your mind, and your client's, at ease. From a risk management perspective, it removes the uncertainty of sending messages directly to clients' inboxes.
With a secure message center, you can feel more confident that your communications are handled with appropriate safeguards.
Plus, it shows your clients that you're professional and respect their privacy. It helps build trust.
Reviewed by: Steven O. Youngman, VP of Legal and Compliance, Hushmail.
Overwhelmed by the business side of private practice? In this guide, therapists share 20 ways they've offloaded what drains them, to create more space for the work they love.