TL;DR: Yes. If a message from a prospective client includes identifiable information about seeking healthcare, it is considered Protected Health Information (PHI) when you receive it as a healthcare provider.
What this means: HIPAA can apply from the very first message, even before someone officially becomes your client.
What to do: Move the conversation to a secure, HIPAA-compliant messaging channel as early as possible.
Here's a scenario that comes up more often than you'd think. Someone visits your practice website, fills out your contact form, and writes something like: "Hi, I'm looking for a therapist who works with couples going through a rough patch. Do you have availability on weekday evenings?"
You see the message come through to your regular Gmail. You reply from that same address: "Thanks for reaching out. I have a few openings next week. Would you like to schedule a quick 15-minute consultation to see if it's a good fit?"
It feels like a perfectly normal exchange. But here's the thing: HIPAA may already apply, even though this person isn't your client yet. The message you just received might already qualify as Protected Health Information (PHI).
“Most providers are surprised to learn that their HIPAA obligations can begin with the very first message a prospective client sends. You don't need a signed intake form for PHI to exist. As a healthcare practitioner, you just need to hold identifiable information related to healthcare.”
Steven O. Youngman, VP of Legal and Compliance at Hushmail
If that's news to you, you're in good company. This catches many providers off guard.
Let's walk through why HIPAA applies earlier than most practices expect, where the common pitfalls are, and what a simple, secure workflow actually looks like.
Many therapists assume that HIPAA only kicks in once someone officially becomes a client. It makes intuitive sense: no signed paperwork, no formal relationship, no HIPAA.
But that's not how it works.
Under HIPAA, PHI includes information related to past, present, or future healthcare services, as defined by the U.S. Department of Health and Human Services (HHS) in the HIPAA Privacy Rule. That word "future" is the key. The moment someone contacts you about receiving care, they're reaching out about future healthcare. If they include identifying details along the way, you're holding PHI.
For a deeper look at what PHI actually includes (and some common misconceptions), see our blog on what counts as PHI.
The takeaway here is simple: your HIPAA responsibilities don't start at intake. They start at first contact.
Before we get into what to do, it helps to look at the common ways information about a prospective client first reaches your practice.
Most providers don't consider whether these entry points are set up to handle PHI securely, or assume HIPAA doesn't apply until later in the process. Here are the most common ones:
These tools are designed for visibility and convenience, and they're great at that. But many of them aren't set up to handle PHI securely by default. Even when a standard contact form uses basic encryption, it often sends submissions straight to your regular email without the safeguards or agreements required for HIPAA compliance.
That's not a reason to stop listing your practice on directories or sharing your contact information. It's a reason to think about what happens after the message arrives.
💡 Hushmail tip. Listing an email address on your profiles doesn't protect a prospective client's first message. Even if the message is sent with basic encryption, it typically arrives in a regular inbox without the safeguards or agreements required to handle PHI. A secure contact form helps protect information from the start and keeps it within a service covered by a BAA.
Let's walk through an example.
A potential client finds your practice website. There's no contact form, but your email address is listed on the "Contact" page. They write to you directly: "Hi, I came across your website and I'm looking for someone to talk to about stress and burnout. I've never been to therapy before. Do you have openings?"
You see it in your inbox and reply: "Thanks so much for reaching out. I do have some availability. Would you like to schedule a quick consultation to see if it's a good fit? And do you have insurance you'd like to use?"
The conversation continues over a few more emails. The prospective client confirms they want a consultation, mentions their insurance provider, and asks about your availability.
At what point did this become a compliance concern?
The first message. Once that person's name and the fact that they were seeking therapy arrived in your regular email, you were holding PHI. Every reply you sent over that unsecured email continued the conversation in a channel not covered by a BAA.
Instead of continuing over regular email, send your reply through a secure, HIPAA-compliant service and keep the conversation there.
💡 Hushmail tip. Standard email isn't designed to handle PHI on its own. If you're relying on it for client communication, it's worth understanding the risks and how secure messaging helps protect that information.
Most practices don't realize this is happening because nothing about the conversation feels clinical. There's no diagnosis, treatment plan, or session notes. But under HIPAA, the link between an identifiable person and the fact that they are seeking healthcare services is sufficient.
The scenario above isn't unusual. In fact, it's one of the most common ways small practices end up with a compliance gap without knowing it. And the behaviors that lead there are the same ones that make you a responsive, caring provider.
💡 Hushmail tip. If you're using a secure contact form, collecting details early is actually a strength. You can ask the questions that help you determine fit before intake, and the information is protected from the start. If you're not using a secure form, don't reply over the unsecured channel. Move the conversation to a secure channel before sharing or requesting any details.
If this is starting to feel like HIPAA makes it impossible to talk to prospective clients, take a breath. It doesn't.
HIPAA doesn't prohibit communication. It requires reasonable safeguards. You're not expected to avoid these conversations. You're expected to have them through channels that protect the information being shared.
That's an important distinction, because some providers overcorrect. They stop responding to inquiries promptly, or they make their intake process so cumbersome that prospective clients give up. That's not what HIPAA asks for, and it's not good for your practice either.
In practice, this means responding to prospective clients the way you already do, but routing those conversations through a secure channel.
And here's something worth knowing: your prospective client's experience doesn't have to change much either. With a service like Hushmail, your client receives a notification in their regular inbox with a link to read your secure message. They sign in with their existing email address, read your message, and can reply, attach documents, or complete forms right there. There's nothing to download or install. Most people find it straightforward, and it often comes across as more professional.
Here's a simple way to handle messages, based on where they arrive:
For messages that arrive in your secure inbox (for example, a secure contact form on your website):
That's it. No extra steps needed.
For messages that arrive in your regular inbox (for example, emails from clients or colleagues, or inquiries from directory profiles like Psychology Today or Google Business):
💡 Hushmail tip. If you need to collect additional information, send a secure form, such as an intake, consent, or questionnaire, and make sure it's handled through a tool covered by a BAA, like Hush™ Secure Forms.
Every Hushmail for Healthcare plan includes a signed BAA, so you're covered for both messages and web forms from day one. Learn more about BAAs and why they matter.
The goal is simple: move the conversation into a secure channel as early as possible, and keep it there.
Here's a quick action step you can take right now: consider where prospective client messages are arriving. Is there a secure contact form on your website?
If not, that's the single most impactful change you can make. A secure form means every inquiry is protected from the start, before you've even seen it.
After that, make sure you have a secure way to respond when prospective clients reach out through your Psychology Today profile, your Google Business listing, or anywhere else they might find you. Your first message should go through a secure channel covered by a BAA.
Hushmail gives you both: secure messaging with a signed BAA and secure web forms, designed for healthcare providers who want to handle compliance simply and get back to the work that matters. You can keep using your regular email for everyday communication and sign into Hushmail when things need extra care. Make sure your first reply is as secure as the care you provide.
“The best compliance setup is one you don't have to think about. When your messages are secure, and your BAA is in place, you can focus on connecting with the people who need your help rather than worrying about whether your tools put you at risk.”
Steven O. Youngman, VP of Legal and Compliance at Hushmail
For a broader overview of your compliance setup, see our HIPAA compliance checklist.
And if you're ready to simplify your secure communication workflow?
Reviewed by: Steven O. Youngman, VP of Legal and Compliance, Hushmail.