HIPAA violations can result in financial penalties and even damage to your professional reputation. According to research by Shojaei, Vlahu-Gjorgievska, and Chow in their systematic literature review on health information systems security, healthcare faced the highest number of breaches among all industries in 2018, accounting for 536 out of 2,216 total data breaches reported from 65 countries. More recent findings from "Towards a model for understanding failures in health data protection: a mixed-methods study" revealed that the average total cost of a healthcare data breach reached $9.23 million in 2021, showing the financial risks facing healthcare providers.
According to the "What small healthcare practices get wrong about HIPAA and email security" report by Paubox, over 90% of healthcare providers are affiliated with small organizations, yet these same practices often operate with outdated assumptions and minimal safeguards when it comes to email security. Understanding common email mistakes and implementing safeguards is a must for therapists who communicate electronically with clients.
Standard email services like Gmail, Yahoo, or Outlook, without proper configuration, send messages as plain text that anyone who intercepts them in transit can read.
HIPAA requires that electronic protected health information (ePHI) be encrypted. When you send an unencrypted email containing a client's diagnosis, treatment plan, or even appointment details, you're potentially exposing that information to unauthorized parties. Research by Shojaei and colleagues confirms this vulnerability, noting that hacking and IT incidents are the most prevalent forms of attack behind healthcare data breaches, followed by unauthorized internal disclosures.
The Paubox report reveals that while 98% of small practices say their platform encrypts emails by default, many use common platforms like Microsoft 365 or Google Workspace where encryption is only opportunistic and may fall back to plain text if the recipient's server doesn't support modern protocols. This creates a false sense of security that leaves practices exposed to both cyber attacks and compliance violations.
How to avoid it: Invest in a HIPAA-compliant email service or enable encryption features. Paubox is designed for healthcare providers to encrypt emails in transit with no additional steps from the sender.
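Because opportunistic TLS fails silently, the only way to know after the fact whether a particular message travelled encrypted is to read what each relaying server recorded in its Received header. The script below is an added example, not code from the original article or from Paubox: it parses the Received headers of a delivered message and lists the hops whose receiving server recorded no TLS marker. The sample message, host names and addresses are constructed.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample: two relay hops. The outer (most recent) hop was plain
# ESMTP; the inner hop negotiated TLS 1.3. Hosts and IPs are documentation
# placeholders, not real servers.
SAMPLE_MESSAGE = """\
Received: from mx.recipient-clinic.example (mx.recipient-clinic.example [203.0.113.10])
        by inbound.practice.example with ESMTP id abc123
        for <therapist@practice.example>; Tue, 4 Mar 2025 14:02:11 -0500
Received: from mail-sender.example ([198.51.100.25])
        by mx.recipient-clinic.example with ESMTPS id def456
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 4 Mar 2025 14:02:09 -0500
From: client@mail-sender.example
To: therapist@practice.example
Subject: Following up

Body text.
"""

# Markers receiving MTAs commonly write when the hop used TLS:
# "with ESMTPS"/"ESMTPSA" (Sendmail, Postfix), "(using TLSv1.3 ...)" (Postfix),
# "version=TLS1_3" (Google, Exim). A plain "with ESMTP" matches none of them.
TLS_MARKERS = re.compile(
    r"\bwith\s+(?:UTF8)?E?SMTPSA?\b|\busing\s+TLSv?1|\bversion=TLS", re.I
)
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)
FROM_HOST = re.compile(r"\bfrom\s+([A-Za-z0-9.-]+)", re.I)


def _group(pattern, text):
    match = pattern.search(text)
    return match.group(1) if match else None


def parse_hops(raw_message):
    """Return one dict per Received header, newest hop first."""
    msg = message_from_string(raw_message, policy=default)
    hops = []
    for header in msg.get_all("Received", []):
        # Collapse folded continuation lines into one single-spaced string.
        text = " ".join(str(header).split())
        hops.append({
            "from": _group(FROM_HOST, text),
            "by": _group(BY_HOST, text),
            "tls": bool(TLS_MARKERS.search(text)),
        })
    return hops


def unencrypted_hops(raw_message):
    """Hostnames of receiving servers whose Received line shows no TLS marker."""
    return [hop["by"] for hop in parse_hops(raw_message) if not hop["tls"]]


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_MESSAGE):
        status = "TLS" if hop["tls"] else "PLAIN TEXT"
        print(f"{hop['from']} -> {hop['by']}: {status}")
    print("unencrypted hops:", unencrypted_hops(SAMPLE_MESSAGE))
```

Each Received line is written by the server that accepted the message, and any earlier hop can forge the lines above its own, so this is an after-the-fact audit rather than a guarantee. The fix the article describes, a service that encrypts every message in transit rather than negotiating TLS only when the other side offers it, removes the need to inspect headers at all.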
The Paubox report found that 83% of small healthcare practices believe that patient consent removes the need for encryption, a misunderstanding of HIPAA requirements.
HIPAA requires explicit authorization before communicating protected health information through unsecured channels. Patient agreement to communicate electronically doesn't waive the requirement for appropriate safeguards; HIPAA still mandates encryption or documented risk-based alternatives under 45 CFR § 164.530(c).
Clients may not understand the privacy risks associated with email, including the possibility that others might access their accounts, that employers might monitor work email, or that emails could be subpoenaed in legal proceedings. The mixed-methods study emphasizes that lack of cybersecurity awareness among users remains a vulnerability, noting how individuals often underestimate the potential harm caused by routine actions like unauthorized access to clinical notes or improper handling of patient data.
How to avoid it: Create an email communication policy and obtain written consent during intake. Your authorization should explain the risks of email communication, specify what types of information will and won't be discussed via email, and document the client's understanding and agreement.
A subject line like "RE: Your depression medication adjustment" or "Follow-up on our trauma processing session" exposes protected health information before the recipient even opens the message.
When emails are forwarded, replied to, or appear in thread histories, those subject lines are still there and multiply the privacy breach. Given that the Paubox report shows the average small healthcare employee has access to more than 5,500 sensitive files including PHI, the potential for unauthorized exposure increases.
How to avoid it: Keep subject lines generic. Use phrases like "Appointment information," "Following up," or simply "From [Your Practice Name]." Never include diagnoses, symptoms, treatment details, or anything that would identify the nature of your therapeutic relationship in subject lines.
Learn more: How to craft compelling, HIPAA-compliant subject lines
An email stating "Reminder: You have a therapy appointment with Dr. Smith on Tuesday at 2pm" reveals that someone is receiving mental health services, which is protected information.
This is a problem when appointment reminders are sent to work emails or shared family accounts, potentially exposing a client's mental health treatment to unintended recipients. As the mixed-methods study notes, email and network servers have become increasingly attack-prone locations for hackers in recent years, making unsecured appointment reminders even more risky.
How to avoid it: If you send appointment reminders via email, use secure, encrypted channels or send only minimal information that doesn't identify you as a mental health provider.
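The two mistakes above, clinical detail in subject lines and provider-identifying appointment reminders, can be caught before a message leaves the practice with a simple outbound text check. The script below is an added example, not code from the original article or from Paubox. It flags short outbound text (a subject line or a reminder) that contains clinical vocabulary, a dosage, a "Dr. Name" reference, or an ICD-10-shaped code, and falls back to one of the generic subjects the article recommends. The term list is constructed and illustrative, not a complete PHI dictionary; a practice would extend it with its own terminology.

```python
import re

# Constructed, illustrative vocabulary of terms that reveal the nature of the
# therapeutic relationship. Not a complete PHI dictionary.
CLINICAL_TERMS = {
    "therapy", "therapist", "session", "diagnosis", "depression", "anxiety",
    "trauma", "ptsd", "medication", "dosage", "counseling", "psychiatric",
    "intake", "treatment", "relapse", "sobriety",
}

# Shapes that leak clinical detail even when no keyword is present.
PATTERNS = {
    "dosage": re.compile(r"\b\d+(?:\.\d+)?\s?(?:mg|mcg|ml)\b", re.I),
    "provider name": re.compile(r"\bDr\.?\s+[A-Z][a-z]+"),
    "ICD-10 code": re.compile(r"\b[A-Z]\d{2}(?:\.\d{1,2})?\b"),
}

# Generic alternatives taken from the article's recommendation.
GENERIC_SUBJECTS = ("Appointment information", "Following up", "From [Your Practice Name]")


def lint_outbound_text(text):
    """Return the reasons a subject line or reminder may expose PHI (empty if clean)."""
    # Strip reply/forward prefixes so "RE: RE: ..." is judged on its content.
    body = re.sub(r"^(?:\s*(?:re|fw|fwd)\s*:\s*)+", "", text, flags=re.I)
    findings = []
    words = set(re.findall(r"[a-z]+", body.lower()))
    for term in sorted(words & CLINICAL_TERMS):
        findings.append(f"clinical term '{term}'")
    for label, pattern in PATTERNS.items():
        if pattern.search(body):
            findings.append(label)
    return findings


def safe_subject(subject, practice_name="Your Practice Name"):
    """Keep a clean subject; replace a flagged one with a generic line."""
    if not lint_outbound_text(subject):
        return subject
    return f"From {practice_name}"


if __name__ == "__main__":
    # Constructed examples, including the two subject lines quoted in the article.
    for sample in (
        "RE: Your depression medication adjustment",
        "Follow-up on our trauma processing session",
        "Reminder: You have a therapy appointment with Dr. Smith on Tuesday at 2pm",
        "Sertraline 50 mg refill",
        "Appointment information",
    ):
        print(f"{sample!r}: {lint_outbound_text(sample) or 'clean'}")
        print(f"  -> send as: {safe_subject(sample, 'Riverside Counseling')!r}")
```

The check is deliberately conservative: a false positive costs a glance at a generic subject, while a missed term can expose a diagnosis in every reply and forward that follows. Running the same function over reminder text enforces the article's advice that a reminder should not identify the sender as a mental health provider.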
Therapists sometimes respond to crisis communications or urgent clinical questions via email, creating both liability and HIPAA concerns. These exchanges often contain protected health information and may be sent without proper security considerations.
The consequences of this mistake are made worse by the time it takes to detect breaches. According to the Paubox report, healthcare breaches took an average of 224 days to detect and another 84 days to contain in 2025, over 10 months total. The longer it takes to spot a breach, the higher the cost, and many small organizations lack the systems to see it coming.
How to avoid it: Establish boundaries in your email policy about what constitutes appropriate email communication. Specify that email should never be used for emergencies or urgent clinical matters. Provide clients with alternative contact methods for crises, such as your office phone, an after-hours answering service, or crisis hotline numbers. Include an auto-responder on your email noting that you don't check email constantly and providing emergency resources.
The Paubox report reveals that 20% of small healthcare practices don't utilize any form of email archiving or audit trail, leaving one in five unable to investigate incidents after they happen. Without these visibility tools, practices cannot prove compliance or respond effectively to breaches.
How to avoid it: Develop an email retention policy that aligns with your state's record-keeping requirements. Implement secure deletion practices that account for backups and archives. Consider using email management systems designed for healthcare that automatically handle retention and disposal according to HIPAA requirements.
Learn more: Defining which emails to retain
The Paubox report found that over 70% of healthcare data breaches originated from phishing attacks as of 2024, with 43% of small and midsize healthcare organizations reporting a phishing or spoofing incident in the past year.
Attackers often target small practices because they lack formal training programs, technical defenses, or dedicated security staff. The report shows that about 50% of small practices lack anti-phishing controls beyond default spam filters, making them easy targets for cybercriminals.
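One anti-spoofing control that goes beyond a default spam filter is the domain's own DMARC policy, which tells receiving servers what to do with mail that claims to come from the practice but fails SPF and DKIM alignment. The script below is an added example, not code from the original article or from Paubox; it parses DMARC TXT records and grades how much protection each one actually provides. The domain names and records are constructed.

```python
# Constructed DMARC records for illustration. A real record lives in the TXT
# record at _dmarc.<domain>; these domains do not exist.
SAMPLE_RECORDS = {
    "practice.example": "v=DMARC1; p=none; rua=mailto:dmarc@practice.example",
    "clinic.example": ("v=DMARC1; p=reject; sp=none; pct=50; "
                       "rua=mailto:dmarc@clinic.example; ruf=mailto:forensic@clinic.example"),
    "counseling.example": "v=DMARC1; p=quarantine; rua=mailto:reports@counseling.example",
    "noreply.example": "",
}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return (grade, reasons); grade is enforcing, weak, monitoring or missing."""
    if not record:
        return "missing", ["no DMARC record published; spoofed mail from this domain is not rejected"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing", ["record does not start with v=DMARC1 and will be ignored by receivers"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "missing", [f"invalid or absent p= tag ({policy!r})"]

    reasons = []
    pct = int(tags.get("pct") or 100)
    if policy == "none":
        grade = "monitoring"
        reasons.append("p=none only reports; spoofed mail is still delivered")
    elif pct < 100:
        grade = "weak"
        reasons.append(f"pct={pct} applies the policy to only {pct}% of failing mail")
    else:
        grade = "enforcing"
    if "rua" not in tags:
        reasons.append("no rua= address: aggregate reports are not collected, so spoofing goes unnoticed")
    # sp= governs subdomains and defaults to p= when absent.
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        reasons.append("sp=none leaves subdomains unprotected")
    return grade, reasons


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        grade, reasons = assess_dmarc(record)
        print(f"{domain}: {grade}")
        for reason in reasons:
            print(f"  - {reason}")
```

The script works offline on the constructed records; for a live domain, look up the TXT record at `_dmarc.<domain>` with any DNS tool and pass the string to `assess_dmarc`. DMARC only acts on mail that fails SPF and DKIM alignment, so both of those must be configured for the practice's sending services before a `p=reject` policy is safe to publish.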
Harbor Behavioral Health experienced an email breach in February 2019 when an unauthorized person gained access to an employee's email account for five days. The compromised account contained client names, dates of birth, client identification numbers, health insurance information, and details about services received. The breach wasn't discovered until March 20th, more than a month after it occurred.
In their statement, Harbor Behavioral Health stated that they "take the security and privacy of our patients seriously" and immediately hired a computer forensic firm to investigate, conducted internal risk assessments, and increased security measures. Despite these responsive actions, the incident shows how a single compromised email account can expose protected health information for numerous clients.
As Melanie Fontes Rainer, Director of the HHS Office for Civil Rights, noted in the Paubox report, every organization regardless of size is required to comply with the HIPAA Security Rule, and risk assessments are foundational, not optional.
Develop an email communication strategy that includes written policies, staff training, regular audits, and clear client communication. Your policy should specify what can and cannot be discussed via email, required security measures, response timeframes, and procedures for handling breaches.
The mixed-methods study reinforces this approach through its People-Process-Technology framework, demonstrating that effective data protection requires addressing human behavior, organizational workflows, and technical safeguards simultaneously. Healthcare organizations that focus on only one aspect leave themselves vulnerable to preventable breaches.
As Shojaei, Vlahu-Gjorgievska, and Chow note in their research, ensuring the security and privacy of medical data is necessary to achieve high-quality healthcare services. When clients know their privacy is protected, they're more likely to engage openly in treatment.
No, personal email accounts normally lack the necessary business associate agreements, encryption capabilities, and audit controls required for HIPAA compliance, regardless of how you organize your messages.
Respond using your secure channel to acknowledge receipt, avoid repeating the sensitive information in your reply, and remind them of your practice's email communication policy for future correspondence.
Review your email security measures and policies at least annually, and immediately after any breach incident, software updates, or changes in HIPAA regulations.