As a therapist, you take your responsibility to your clients seriously. You know privacy is important, not just in therapy sessions, but also in how you run your business. So you're very careful to keep communication, including emails, confidential.
But you're a solo practitioner. And that means you do everything behind the scenes as well. You're the one who emails the intake forms, appointment reminders, and supporting resources.
If there's a way to make these administrative tasks easier and faster, you're here for it.
You may have heard that there's a way to add an extra layer of security to regular emails so that you can send protected messages directly to clients' inboxes. It sounds quick and simple. But you wonder if it's secure. Does it offer enough protection? Is there a risk of PHI being exposed? And would you still be HIPAA compliant?
You worry about sacrificing ethical care and compliance for convenience.
In fact, a secure web page where clients read and reply to messages helps reduce risks.
Here's what you need to know.
TL;DR: Encrypting email while it's being sent is important, but it doesn't address what happens after delivery. Once protected health information (PHI) reaches a client's regular inbox, you lose visibility and control over how it's stored, accessed, or shared.
From a HIPAA risk management perspective, secure messaging systems reduce long-term exposure by keeping sensitive communication in a protected environment. For therapists, choosing appropriate safeguards isn't about convenience. It's about responsibility.
You deal with some of your clients' most private and personal health information, and they rely on you to keep it confidential. That includes not just what happens in therapy sessions, but also communications between appointments and storage of their medical files.
By using secure methods, you help safeguard their information from theft, abuse, and exploitation.
A healthcare-specific secure email helps you build trust with your clients and meet your professional responsibilities, such as:
Learn more: If you want a more detailed breakdown of what HIPAA requires when sending email, see our guide to HIPAA-compliant email for therapists.
There are several ways to protect sensitive information sent by email.
Many email tools protect messages while they're being sent to a client's inbox. In technical terms, this is called encryption in transit. It means the message is scrambled as it travels between email servers. It helps prevent messages from being read along the way.
But once the message arrives in a client's regular inbox, that protection ends. From that point on, the provider has little control over who can access it or how long it's stored.
Other tools, like Hushmail, protect messages by storing them in a secure online message center rather than a personal inbox. Clients receive a notification and sign in to read and reply to the message securely, instead of accessing it in their regular email account.
Messages stay in an encrypted environment, and PHI never reaches a personal inbox.
| | Email protected while being sent | Secure web page for client messaging |
|---|---|---|
| How it works | Scrambles messages while they're on the move, so that if anyone other than the intended recipient intercepts them during the journey, they can't read the content. Emails are decrypted and readable only once they reach the right inbox. | Keeps all client communication, information, and documents secured in a private online platform, also known as a "portal," "private message center" or "escrow-style secure email." Emails never leave the secure environment. Both the client and the provider log in to the password-protected space to exchange messages and files. |
| Advantages | | |
| Limitations | | |
Learn more: If you'd like a closer look at how secure email works, read our guide on How secure email works.
Most regular email tools use a type of encryption called Transport Layer Security, or TLS. This keeps emails safe from prying eyes while messages travel from one inbox to another.
TLS is the most common form of digital encryption and a foundational part of how information is shared securely on the internet. You already use it for banking and shopping online.
TLS protects emails while they move from your server to your client's inbox.
However, there could be gaps in security once your message arrives in a regular inbox:
Emails that are protected while they're being sent to a client's inbox can still be exposed once they're delivered. That means they may not fully address HIPAA risk management considerations.
HIPAA requires "reasonable and appropriate safeguards" to protect PHI. That includes thinking about risk beyond the moment a message is sent.
⚠️ It's important to remember that your clients are not subject to HIPAA, and the act doesn't govern how they use their own email accounts. However, you are responsible for how you send protected health information and for applying reasonable safeguards.
A secure web page or portal reduces exposure after delivery by keeping protected health information inside a secure environment. It:
Using a secure web page where clients read and reply to messages is pretty straightforward. But if you or your clients need a little help, here are two things that can make it easier:
Behavioral health requires extra care. The messages you send to your clients can include highly sensitive disclosures. Emails can reveal long-term therapeutic relationships. Your ethical duties go beyond minimum compliance.
Using a secure web page where clients read and reply to messages can put both your mind and your client's at ease. From a risk management perspective, it reduces the uncertainty of sending messages directly to clients' inboxes.
With a secure message center, you can feel more confident that your communications are handled with appropriate safeguards.
Plus, it shows your clients that you're professional and respect their privacy. It helps build trust.
Reviewed by: Steven O. Youngman, VP of Legal and Compliance, Hushmail.