A therapist's guide to choosing a HIPAA compliant email provider
Gugu Ntsele December 01, 2025
According to the Paubox report titled What healthcare gets wrong about HIPAA and email security, 107 email-related incidents were reported to HHS in the first half of 2025. The report further states that the average cost of a breach in the healthcare industry is $9.8 million, the highest of any sector.
An analysis in Security and Privacy of Technologies in Health Information Systems: A Systematic Literature Review examined 1,138 breaches affecting 164 million patients and found that 53% of breaches were internal, meaning they resulted from the healthcare entities' own errors or neglect. In other words, the greatest threat to your clients' information often comes from within your own practice's systems and processes.
Furthermore, a single breach can damage your professional reputation. As Carolyn Petersen notes in Through Patients' Eyes: Regulation, Technology, Privacy, and the Future, trust that providers and health care organizations will act in accordance with privacy regulations is a key element in patients' relationships with the health care system. For therapists, this trust is the foundation of the therapeutic alliance.
Moreover, research by Watzlaf, Moeini, and Firouzan on healthcare communication privacy highlights that under HITECH Act revisions, penalties now apply even in cases where a covered entity did not know about the violation, making compliance measures essential rather than optional.
Petersen explains that for patients, information disclosure is often a forced event in which medical events compel them to disclose information they would rather not share. In therapy, clients reveal their most personal information and mishandling of the information can be traumatizing. This makes your choice of email provider not just a compliance issue, but a matter of respecting the trust your clients place in you.
Read also: Safely using email communication in therapy
Understanding the business associate agreement
A business associate agreement (BAA) is a contract between a HIPAA-covered entity and a vendor with access to PHI. It commits the email service to protecting client information according to federal regulations.
Paubox CEO Hoala Greevy states in the Paubox report, "Too many vendors still treat HIPAA as optional. If you're handling PHI without encryption or a BAA in place, you're creating liability." If an email provider won't sign business associate agreements, it means they assume no responsibility for protecting your clients' protected health information. As Watzlaf, Moeini, and Firouzan note in their research on healthcare communication technologies, establishing whether a technology provider functions as a business associate to your covered entity is a compliance question that must be answered before implementation.
Learn more: What is the purpose of a business associate agreement?
Automatic encryption
According to the Paubox report, 82% of healthcare IT leaders worry that their staff will miss a critical alert or skip a security step. The Systematic Literature Review found that among breaches during health information communication, 65.5% involved mailing errors and 34.5% were email mistakes, with common causes including wrong recipients, using cc instead of bcc, and unencrypted content. Furthermore, the research reveals that more than a quarter of all human factor-based breaches result from carelessness, negligence, or apathy. Watzlaf and colleagues' research on healthcare communication security emphasizes this risk, noting that legitimate users may perform incorrect or unauthorized functions, particularly when given access levels higher than necessary for their role.
The solution is a system that encrypts every single email by default, whether it contains protected health information or not. This approach, sometimes called "blanket encryption," removes the decision-making burden entirely. Providers like Paubox automatically encrypt all outbound messages without requiring any additional steps from users. You compose emails exactly as you always have, and the encryption happens automatically in the background. As the Systematic Literature Review states, strong encryption techniques are essential, including encrypting communication channels between devices and servers. After breaches, entities often adopt corrective measures including mandatory verification of the recipient, the copy protocol (bcc vs cc), and the encryption of content before emailing PHI, but these manual verification steps still rely on human memory.
Learn more: Encryption at rest: what you need to know
The user experience matters
Therapists have encountered older HIPAA compliant email systems that require recipients to log into a secure portal, remember passwords, or download special software to read messages. These systems technically meet regulatory requirements, but they create practical problems.
The Paubox report reveals that 65% of portal users stop engaging after day one, and 22% cite difficulty navigating basic portal functions.
The best HIPAA compliant email providers deliver encrypted messages directly to recipients' inboxes, where they can be read like any other email. This user-friendly experience is not just convenient; it ensures that important communications actually get read in a timely manner.
Read also: Patient portals vs. email: Comparing security, costs and implementation
Integration with your existing workflow
The right email provider should work with the platforms you already use, such as Google Workspace or Microsoft 365, without requiring you to learn new software.
Look for a solution that integrates with your existing email platform. You should be able to continue using Gmail or Outlook exactly as you always have, composing messages the same way, accessing them on your phone or tablet, and managing your inbox with familiar tools.
This integration is also needed for other tools you might use in your practice. If you utilize client relationship management tools or send calendar invitations for appointments, your HIPAA compliant email solution should work with these systems as well, ensuring that every communication remains protected.
Beyond basic encryption
While encryption protects your emails in transit, modern email security requires defending against other threats such as phishing attacks. Healthcare organizations have become targets for cybercriminals who use social engineering tactics to gain access to sensitive systems.
Paubox is HITRUST CSF Certified, which demonstrates a commitment to comprehensive security measures. When evaluating email providers, look for those that offer HITRUST certification, as this represents a higher standard of security verification than basic HIPAA compliance alone.
Advanced email providers now incorporate intelligent filtering systems that can identify and block phishing attempts before they reach your inbox. Some use artificial intelligence to detect unusual patterns. These protections operate continuously, providing an additional layer of security that complements the encryption features.
Read also: Inbound Email Security
Retention and archiving capabilities
HIPAA regulations recommend retaining electronic protected health information for at least six years. An ideal HIPAA compliant email provider should offer archiving features that automatically preserve all inbound and outbound messages, along with attachments and metadata. This automated approach maintains compliant records without the burden of manually saving important emails or worrying about accidentally deleting something you need to retain.
Should you ever need to conduct an audit or respond to a legal discovery request, having a comprehensive, searchable archive makes this process simple and more reliable.
Learn more: What are HIPAA's email archiving and retention requirements
Data loss prevention
Data loss prevention (DLP) features scan outgoing emails and can block messages that violate your established policies. For instance, you might configure rules that prevent any email containing social security numbers or diagnosis codes from being sent outside your practice's domain. These automated safeguards provide a safety net that complements your staff training and policies.
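To make the policy logic concrete, here is an added example of an outbound-mail check of the kind a DLP engine runs before a message leaves the practice. It is illustrative code written for this page, not Paubox's product or any vendor's implementation. It assumes a hypothetical practice domain (`example-practice.test`) and uses deliberately simple, constructed patterns for a social security number and an ICD-10-style diagnosis code. It also covers the cc-versus-bcc mistake from the encryption section above: more than one external address visible in To or Cc is held for review so that clients are not exposed to each other.

```python
"""Constructed outbound-mail policy check (illustrative, not a vendor's DLP engine)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption for this example: the practice's own mail domain.
# Any other domain counts as "outside the practice".
PRACTICE_DOMAIN = "example-practice.test"

# US social security number in dashed form only (constructed, deliberately narrow).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# ICD-10-CM style diagnosis code such as F41.1 (constructed and simplistic;
# production DLP uses tuned dictionaries to limit false positives).
ICD10_RE = re.compile(r"\b[A-Z]\d{2}\.\d{1,4}\b")


@dataclass
class OutboundMessage:
    sender: str
    to: List[str]
    cc: List[str] = field(default_factory=list)
    bcc: List[str] = field(default_factory=list)
    subject: str = ""
    body: str = ""


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def is_external(address: str) -> bool:
    return domain_of(address) != PRACTICE_DOMAIN


def evaluate_outbound(msg: OutboundMessage) -> Dict[str, object]:
    """Apply the practice's outbound rules.

    Returns {"action": "deliver" | "hold" | "block", "findings": [...]}.
    "block" stops the message; "hold" queues it for human verification.
    """
    findings: List[str] = []
    external = [a for a in msg.to + msg.cc + msg.bcc if is_external(a)]
    text = f"{msg.subject}\n{msg.body}"

    # Rule 1: identifiers and diagnosis codes may not leave the practice domain.
    if external:
        if SSN_RE.search(text):
            findings.append(f"block: SSN pattern addressed outside {PRACTICE_DOMAIN}")
        if ICD10_RE.search(text):
            findings.append(f"block: diagnosis code addressed outside {PRACTICE_DOMAIN}")

    # Rule 2: the cc-vs-bcc error. Several external addresses visible in To/Cc
    # would reveal one client's contact details to another, so hold for review.
    visible_external = [a for a in msg.to + msg.cc if is_external(a)]
    if len(visible_external) > 1:
        findings.append(
            f"hold: {len(visible_external)} external recipients visible in To/Cc; use Bcc"
        )

    if any(f.startswith("block") for f in findings):
        action = "block"
    elif any(f.startswith("hold") for f in findings):
        action = "hold"
    else:
        action = "deliver"
    return {"action": action, "findings": findings}


if __name__ == "__main__":
    # Constructed sample: a note with an SSN sent to an address outside the practice.
    sample = OutboundMessage(
        sender="therapist@example-practice.test",
        to=["client@mail.test"],
        subject="Intake paperwork",
        body="Please confirm your SSN 123-45-6789 before Thursday.",
    )
    print(evaluate_outbound(sample))
```

The same message addressed only to `billing@example-practice.test` passes, because the rule is about data leaving the domain rather than about the pattern itself; a real deployment would add allowlisted partner domains covered by a BAA and log every hold or block for audit.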
Learn more: What is Paubox data loss prevention?
Building and maintaining trust through transparency
When choosing an email provider, remember that privacy management isn't just about meeting regulations; it's about honoring the therapeutic relationship. As Petersen writes in Through Patients' Eyes: Regulation, Technology, Privacy, and the Future, practicing transparency to build and maintain trust must be both an underlying principle and a practice.
Your clients need to know that you take their privacy seriously, not just because HIPAA requires it, but because you understand the vulnerability in seeking mental health services. When you implement a HIPAA compliant email system, you're sending a clear message that protecting their information is a priority in your practice.
FAQs
Can I use my personal Gmail or Outlook account to communicate with clients?
No, personal email accounts lack the necessary business associate agreements and automatic encryption required for HIPAA compliance when discussing any protected health information.
What should I do if I accidentally send PHI through a non-compliant email system?
You must report the breach to your compliance officer or directly to HHS if required, document the incident, notify affected clients, and implement corrective measures to prevent recurrence.
Are text messages or secure messaging apps better alternatives to email for client communication?
While some secure messaging platforms offer HIPAA compliance, email remains the most professional and widely accessible option when properly secured with a compliant provider.
Do I need separate email accounts for administrative correspondence versus client communication?
No, a properly configured HIPAA compliant email system encrypts all messages automatically, eliminating the need to maintain separate accounts for different types of communication.