
A non-intimidating guide to HIPAA-compliant email for therapists

Everything you need to know about HIPAA-compliant email and how to choose a secure email service for your therapy practice.

Does the thought of HIPAA give you heartburn as a therapist?

How about “HIPAA-compliant email”?

If just thinking about HIPAA rules and email gives you anxiety, you’re not alone. There’s a lot of confusion around what HIPAA-compliant email is and how to use it.

What’s a therapist to do?

In this non-intimidating guide, we’ll explain everything you need to know about HIPAA-compliant email: what it is, who needs it, and the risks if you don’t use it. Then we’ll wrap it all up with a chart comparing several popular email services and a handy FAQ.

After reading this guide, you’ll know how to choose a HIPAA-compliant email service that’s perfect for your therapy practice.

Do all therapists need to use HIPAA-compliant email?

The short answer is “yes.” If you use email as a therapist, it should be HIPAA compliant. 

Secure online communication is key to running a responsible, reputable practice. It lowers the risk of being audited or fined. Most importantly, it keeps your clients’ sensitive information safe. 

Technically, you’re only required to follow HIPAA’s guidelines for communicating electronic health information if you’re a “covered entity.” That’s anyone who accepts health insurance. 

A Covered Entity is a health care provider such as a:

  • Doctor
  • Clinic
  • Psychologist
  • Dentist
  • Chiropractor
  • Nursing Home
  • Pharmacy

… if they electronically send information that’s connected with financial or administrative activities related to healthcare (i.e., insurance claims).

However, if you’re not a covered entity, you should still strive to comply with HIPAA for professional and ethical reasons.

As Rob Reinhardt, CEO of Tame Your Practice, advises, “Even if you aren't technically a covered entity under HIPAA, it's still important to be mindful of digital security. First, our codes of ethics require that we protect our clients' privacy and imply that we should follow accepted standards. Further, most states now have data privacy laws that have requirements similar to HIPAA. In short, it's imperative for all mental health professionals to be taking all reasonable steps to secure client information and communications.”

It's imperative for all mental health professionals to be taking all reasonable steps to secure client information and communications.

Rob Reinhardt, LCMHCS, NCC
CEO of Tame Your Practice

What exactly is HIPAA-compliant, secure email? 

HIPAA-compliant email meets the HIPAA requirements for safe electronic communication of protected health information (PHI). We’ll explain PHI in more depth later on. 

The HIPAA Security Rule explains the steps you need to take to determine what safe online communication means for your practice. The rule requires you to:

  1. Assess the risk of using email (or another form of online communication)
  2. Identify options for protecting PHI
  3. Choose a solution
  4. Document your decision

Ultimately, it’s up to you how you protect your clients’ information, which is nice, but…

It’s a little intimidating having to make the right choice without more specific guidance. That’s where encryption comes in.

What is encryption?

Encryption is a method used to make information unreadable to anyone other than the intended recipients.

Computers do this by scrambling the information into a secret code, and only the intended recipient is given what’s needed to decode it. So if anyone else gets hold of the information while it’s encrypted, it won’t make any sense to them.

For a more technical explanation, read about how to use Hushmail encryption to support your practice.

The Security Rule lists encryption as “an addressable implementation specification.” This means that if it’s reasonable to use encryption, you should, or else carefully document why you haven’t.

Encryption and HIPAA compliance  

While HIPAA doesn’t explicitly require encryption, it’s a best practice for meeting its standards. However, not all encryption is equal. It’s important to consider when a service is encrypting your email. 

Is it encrypting your email on its way to your client but not in your client’s inbox? 

When your client sends back a reply, is that encrypted?

Many secure email providers claim to encrypt email while it’s moving from sender to recipient and back again. But that only happens if both the sending and receiving sides support encryption, which isn’t always the case.

According to Hushmail Chief Technical Officer Brian Smith, “Many providers also claim to encrypt email when it’s in your inbox. This might be true, but it doesn’t say whether or not your recipient is also encrypting the message in their inbox. A private message center keeps the message in one secure location where it can be replied to and stored securely.”

What is a private message center?

A private message center is a secure web page where your clients can read and respond to your encrypted emails, even if they don’t have an encrypted email service themselves.

Sending and receiving messages through a message center is a lot like email. Email addresses are used. You can reply and send attachments. The big difference is that the messages are kept within the private message center where they’re encrypted and safe.

The best way to ensure your emails are always encrypted is to use a service that offers a private message center.


What are the risks of using regular email to communicate PHI?

You’re taking a risk if you send and receive PHI online without any kind of protection. 

PHI is information that could identify an individual and relates to:

  • the individual’s past, present, or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual.

You can find more information about what PHI is in the Summary of the HIPAA Privacy Rule from the US Department of Health & Human Services (HHS).


Sending PHI to your client using regular email, such as regular Outlook or regular Gmail, is like sending their most sensitive information on a postcard. Don’t do it!

Can’t I just use a “HIPAA” disclaimer?

HIPAA disclaimers are those blocks of text in italics at the bottom of an email warning that “this message is private and might contain PHI.” Some disclaimers advise you to alert the sender if the message wasn’t meant for you.

Example of a HIPAA disclaimer:

[Image: example of a HIPAA email disclaimer]

These disclaimers do nothing to ensure HIPAA compliance. In fact, they can make things worse by encouraging you to reply, sending the PHI out into unsecure cyberspace again. 

Common email problems faced by therapists

As a healthcare provider, you probably communicate with your clients in all sorts of ways, many of them online.

You might be surprised by what needs to be secure and what doesn’t…

  • Appointment reminders don’t have to be secure as long as you state in your Notice of Privacy Practices (NPP) that you send them out, and clients can opt out if they choose. Just make sure the appointment reminders are limited to only the necessary information. 

What is an NPP?

An NPP lets your clients know how you’re going to use and disclose their health information. You can read all about NPPs here.

👉 Learn more: "Notice of Privacy Practices (NPP): What Small Healthcare Practices Need to Know"

  • Newsletters can be sent using regular email as long as they don’t contain PHI or identify the recipients as clients. 
  • “Email me” forms on directory websites, such as Psychology Today, are popular with therapists. But did you know they’re not secure? These forms can present a problem when a prospective client sends you sensitive information, not knowing it’s vulnerable. Instead, a solution is to direct people to a secure form on your website.

So do all emails have to be secure?

Not all emails. You can send emails that don’t contain PHI using regular email. 

Clients can also request that you send them regular emails even if they contain PHI. For this, you must get them to sign a “request for non-secure email communication” form and file it with their health record. The form gives your client the option to use or not use non-secure communications and informs them of the risks.

What if you’re using email that’s not HIPAA compliant?

Here’s what you can expect if someone files a complaint against your practice:

[Infographic: HIPAA investigation]

The key to HIPAA-compliant email for therapists

Encrypted, HIPAA-compliant email is a key component of keeping your clients’ information safe. However, it’s ultimately up to you to ensure your emails are secure. We’ve put together six practical tips that will help prevent mistakes that could undo your security measures.


What to look for in a HIPAA-compliant email provider

Affordable and secure email 

Look for an affordable service. However, don’t forget to factor in the fines you might incur if you don’t keep your clients’ information safe. Consider this laboratory that was audited and found to have neither conducted a risk assessment nor implemented the necessary safeguards. They received a $25,000 fine. You might decide that protecting yourself against such a penalty, not to mention two or three years of monitoring by HHS, is well worth the cost of a reliable, secure email service.

A BAA is crucial

A HIPAA-compliant email service will provide you with a signed business associate agreement (BAA). This document is needed to affirm the email service’s willingness to accept responsibility for the safety of your clients' PHI. With a BAA, you can feel confident that they’ll protect the PHI and comply with HIPAA requirements. Look for a service that not only provides a BAA but allows you to sign it electronically for free.

Find the right email encryption

Look for encryption that protects your emails through their entire lifecycle. As explained before, a private message center is one of the best ways to make sure the message is encrypted at all times. If you’re considering an email service that doesn’t offer this, make sure it encrypts your emails on their way to your recipient and back to you when they reply, and keeps them encrypted in your inbox and theirs. 

Built-in archive

There are times when you might need to access your emails quickly, for example if a client or court asks for particular records or evidence of an interaction. A built-in email archive provides easy access to every conversation and record you exchanged. Retaining these records is also a HIPAA requirement.

HIPAA requires that you retain emails containing the following for six years:

  • Policies and procedures
  • Security risk analyses
  • Complaint and resolution documentation

Secure email that’s easy to use 

Spend some time testing out a service as both the sender and receiver. There might be some extra steps when you use a private message center, but they should be simple and well communicated. For example, take a look at what clients experience when they use Hushmail’s private message center.

Excellent customer care

Don’t forget the importance of support that’s accessible and helpful. Having an expert walk you through issues can make all the difference. And you shouldn’t expect to pay extra for this help either.

Look for additional features such as forms

Some email providers offer more than just email.

For example, as a therapist, you likely use intake forms, informed consent forms, and health questionnaires. Instead of sending PDFs or using paper forms, you can use the web forms that email providers like Hushmail offer.

These web forms serve the same purpose as PDF forms, but they’re secure, easier to read, and can be filled out from anywhere. You can even get them signed electronically by your clients.

By choosing a provider that offers more than just email, you’ll get more bang for your buck.

A comparison of 5 encrypted email services

Services compared: Hushmail for Healthcare, Google Workspace, Paubox, Virtru, and Microsoft 365 Business Premium (Outlook).

Features compared:

  • BAA
  • Basic email encryption
  • Private message center¹
  • Built-in archive
  • Free designated customer success team
  • Secure healthcare form templates
  • E-signatures

Cost:

  • Hushmail for Healthcare: starts at $11.99/mo
  • Google Workspace: starts at $7.20/mo
  • Paubox: starts at $38/mo
  • Virtru: starts at $119/mo
  • Microsoft 365 Business Premium (Outlook): starts at $20/mo

¹ Google has a feature called “confidential mode”, but it doesn’t support secure replies from recipients unless they also have Gmail.

Frequently Asked Questions About HIPAA-Compliant Email For Therapists

But isn’t regular Gmail supposed to be HIPAA compliant now?

Regular Gmail is not HIPAA compliant. You might hear that Gmail uses encryption. It does, but only while the email is traveling between, and stored in, the inboxes of Gmail users. If you send an email to someone who doesn’t use Gmail, you have no guarantee that the email will be encrypted. Regular Gmail also doesn’t provide a BAA, which is necessary for HIPAA compliance.

Will HIPAA-compliant email be difficult for my clients to use?

It doesn't have to be. A secure email service with a private message center, like Hushmail, is simple to use and ensures the privacy of your conversations. Clients who use traditional email services can sign in to Hushmail's private message center using their Google, Apple, or Microsoft accounts, or create a passphrase, to exchange secure messages and web forms with you. 


If I use a HIPAA-compliant email service, are all my emails automatically secure and HIPAA-compliant?

Not necessarily, and if that confuses you, you’re not alone. Consider this question from one therapist who was unclear about how Hushmail makes their emails secure and HIPAA compliant:

I was under the impression that using your product for communication to and from patients means all communication is HIPAA compliant. What am I missing?

Robert J. Berchick, Ph.D.

What was confusing to Dr. Berchick confuses a lot of practitioners. There’s no one way to make email HIPAA compliant, and ultimately, it’s your responsibility to ensure the safeguards are in place. 

A HIPAA-compliant email service is an excellent foundation for your compliance. However, it’s up to you to:

  • Ensure encryption is enabled
  • Leave PHI out of the subject line (subject lines usually aren’t encrypted)
  • Send the email to the right email address
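The three responsibilities above lend themselves to an automated pre-send check. What follows is an added example, not Hushmail’s code or any part of the original article: a Python routine, standard library only, that a hypothetical mail-client hook could run on an outgoing message before it leaves. It flags PHI-like terms in the Subject header (which S/MIME and PGP leave in cleartext), recipients that aren’t on the practice’s verified client list, and an encryption flag that is off. The PHI patterns, the verified-client list, and the two sample messages are constructed for the example.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed, illustrative patterns for PHI that tends to creep into subject lines.
# A real practice would tune these to its own forms and terminology.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date of birth": re.compile(r"\b(?:DOB|date of birth)\b", re.IGNORECASE),
    "diagnosis": re.compile(r"\b(?:diagnosis|PTSD|depress\w*|bipolar|anxiety)\b", re.IGNORECASE),
    "clinical record": re.compile(r"\b(?:session notes?|treatment plan|intake)\b", re.IGNORECASE),
}


def subject_phi_findings(subject):
    """Return the names of PHI patterns found in a Subject header, sorted.

    The Subject is a header, not body content: S/MIME and PGP encrypt
    only the body, so anything matched here would travel in cleartext.
    """
    text = subject or ""
    return sorted(name for name, pattern in PHI_PATTERNS.items() if pattern.search(text))


def unverified_recipients(msg, verified_clients):
    """Return To/Cc/Bcc addresses that are not on the practice's verified client list."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    recipients = {addr.lower() for _, addr in getaddresses(headers) if addr}
    verified = {addr.lower() for addr in verified_clients}
    return sorted(recipients - verified)


def check_before_send(msg, verified_clients, encryption_enabled):
    """Apply the three checks; an empty list means the message may be sent."""
    problems = []
    if not encryption_enabled:
        problems.append("encryption is not enabled for this message")
    for name in subject_phi_findings(msg["Subject"]):
        problems.append(f"subject line appears to contain PHI ({name})")
    for addr in unverified_recipients(msg, verified_clients):
        problems.append(f"recipient {addr} is not a verified client address")
    return problems


def build_message(to_addr, subject, body):
    """Build a plain-text message the way a mail client would hand it to the hook."""
    msg = EmailMessage()
    msg["From"] = "therapist@practice.example"  # constructed sender
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


# Constructed sample data: the practice's one verified client address.
VERIFIED_CLIENTS = {"j.doe@example.com"}


def demo():
    """Run the check on a message that breaks all three rules and on one that passes."""
    risky = build_message(
        "j.doe@exmaple.com",           # transposed letters: not a verified address
        "Session notes from 03/14",    # clinical content in a cleartext header
        "Please see the attached notes.",
    )
    safe = build_message("j.doe@example.com", "Your appointment next week", "See you Tuesday.")
    return (
        check_before_send(risky, VERIFIED_CLIENTS, encryption_enabled=False),
        check_before_send(safe, VERIFIED_CLIENTS, encryption_enabled=True),
    )


if __name__ == "__main__":
    risky_problems, safe_problems = demo()
    print("risky message:", *risky_problems, sep="\n  ")
    print("safe message:", "no problems" if not safe_problems else safe_problems)
```

The recipient check compares against a list the practice maintains rather than trusting autocomplete, which is where a one-letter typo in a client’s address usually comes from. The subject-line check is deliberately conservative: a false positive costs a moment of rewording, while a miss sends clinical detail in a header no encryption scheme covers.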

If I switch to a HIPAA-compliant email service, will I lose all of my old emails? 

Most HIPAA-compliant email services make it easy for you to move your emails over from your old service by providing instructions. Some services, like Hushmail, can also move them over for you for a small fee.

Are attachments, such as practice forms, secure if I use a HIPAA-compliant email service?

Attachments are usually secure. However, if you use an encrypted email service like Hushmail that also provides secure web forms, you won’t have to attach your forms. Instead, your clients can fill out their information online and send it securely back to you. This is much easier than having to print, fill out, scan, and attach PDFs. 

Hushmail for Healthcare gives therapists what they need

Hushmail is easy to use

Thank goodness Hushmail is easy to use. I don't have to learn a lot, and that's a relief when there are so many other things to think about right now.

Carol Park, LPC-S, RD

Made for healthcare professionals 

Hushmail for Healthcare is an email and web form service that’s uniquely tailored to your work as a therapist. Notice how we have:

  • Healthcare-specific web form templates
  • A website that talks to you specifically (take a look at our testimonials!)
  • A Customer Care team trained to understand the unique requirements of your job

Personalized customer support

At Hushmail, our Customer Success team holds your hand as you get started with your new account. The minute you sign up, you have a dedicated team behind you to make sure everything is set up correctly. You’ll get the most out of your Hushmail plan from the very start. 

Last thoughts about HIPAA-compliant email

If you’re a therapist who uses email to communicate with your clients, you need to use a HIPAA-compliant email service. Choosing a service doesn’t have to be complicated. Find one that provides a private message center that encrypts your emails to and from your clients even if they don’t have encryption themselves. Decide what additional features you need, such as intake form templates and e-signatures. And make sure you get a signed BAA. 

Then be sure to use your new email service correctly to protect your clients’ sensitive information. 
