Therapists are increasingly relying on electronic communication to coordinate care, share resources, and stay connected with clients between sessions. As Stephan Ginn notes in the article Email in healthcare: pros, cons and efficient use, “In 2021 the total number of business and consumer emails sent and received each day worldwide was forecast as more than 319 billion and predicted to grow to over 376 billion by the end of 2025. The healthcare sector was initially more cautious about the adoption of email than other sectors, but email is now a primary method of correspondence between healthcare professionals.”
That raises the question: Can therapists email clients? According to the U.S. Department of Health and Human Services (HHS), the answer is yes. As HHS explains, “The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.” This means that HIPAA does not prohibit therapist–client email; however, it does set important conditions. Therapists can email clients as long as they take reasonable steps to protect any protected health information (PHI) shared in those messages.
When HIPAA applies to therapist–client email
HIPAA applies to therapists when the following conditions are met:
The therapist is a HIPAA-covered entity
A therapist is generally considered a covered entity if they electronically transmit health information in connection with billing, insurance claims, or eligibility checks. Most therapists who accept insurance fall under this definition. Those who operate strictly as cash-pay providers may not be HIPAA-covered entities, although they are still governed by state privacy laws and ethical standards.
The communication contains identifiable health information
HIPAA regulates the transmission of PHI. That includes any information that can identify a client and relates to their health, treatment, diagnosis, or payment for care. Even a simple email like “Your appointment for depression counseling is confirmed” could be considered PHI because it ties the client’s identity to a health service.
Read more: Are mental health professionals covered entities under HIPAA?
HIPAA’s position on email
As stated above, HIPAA does not prohibit the use of email, or any form of electronic communication between healthcare providers, including therapists, and patients. However, the providers must “apply reasonable safeguards” to protect PHI. These safeguards aim to “avoid unintentional disclosures” and include “checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message.”
HIPAA does not require any particular technology, but the Privacy and Security Rules require that covered entities:
- Ensure the confidentiality, integrity, and availability of electronic PHI (ePHI)
- Protect against reasonably anticipated threats or impermissible disclosures
- Train workforce members on secure communication
- Have policies governing electronic communications
This means therapists can email clients, but only if they implement appropriate administrative, physical, and technical safeguards.
What “reasonable safeguards” look like in practice
HIPAA does not prescribe a one-size-fits-all solution. Instead, it expects therapists to adopt measures that are proportionate to the risk. Common safeguards include:
Encryption in transit and at rest
Previously, encryption was considered an “addressable implementation specification” under HIPAA’s Security Rule. Recently, however, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to amend the Security Rule. The proposed changes include removing “the distinction between ‘required’ and ‘addressable’ implementation specifications and make all implementation specifications required with specific …”. If approved, encryption will no longer be an “addressable implementation specification,” but rather “required.”
Encryption ensures that if an email is intercepted or accessed without authorization, it cannot be read.
For therapists who use standard email services, like Gmail or Outlook, consumer accounts generally do not meet HIPAA requirements. Therapists must use the enterprise or healthcare versions of such services and sign business associate agreements (BAAs) with the provider. Alternatively, they can use a provider that is inherently HIPAA compliant, such as Paubox.
Access controls and authentication
Only authorized individuals should be able to access PHI. As HIPAA states, “Access controls should enable authorized users to access the minimum necessary information needed to perform job functions. Rights and/or privileges should be granted to authorized users based on a set of access rules that the covered entity is required to implement as part of §164.308(a)(4), the Information Access Management standard under the Administrative Safeguards section of the Rule.”
Therapists should:
- Require strong, unique passwords
- Enable multi-factor authentication (MFA)
Audit trails
HIPAA requires covered entities to “implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” This helps detect unauthorized access and supports breach investigations.
Policies and procedures
Therapists should develop written policies on:
- When email can be used
- What staff may send via email
- How to verify recipient addresses
- How to document consent
- What happens when an email is misdirected
Verifying the client’s address
Simple mistakes, like mistyping a client’s email, often lead to HIPAA breaches. A verification step, such as sending a test message or confirming the address during intake, can prevent accidental disclosures.
Minimizing content
HIPAA’s Minimum Necessary Requirement mandates that “covered entities take reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose.” For therapists, that may mean:
- Avoiding detailed clinical content
- Keeping subject lines generic
- Directing clients to secure portals for sensitive communication
This reduces the risk of accidental disclosure.
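The three safeguards just described (verifying the client’s address before anything is sent, keeping the subject line free of clinical content, and recording an audit trail of email activity) can be enforced in software as a pre-send policy gate. The following is an added example written for this article, not code from Paubox or from any email service; it is an in-memory module that sends no real mail, the clinical-term list and the addresses are constructed, and `EmailGate` and its methods are hypothetical names.

```python
"""Pre-send policy gate for a practice's outbound client email (constructed example).

Demonstrates address verification with a one-time token, a generic-subject-line
check, and an audit log that records a keyed digest of the body instead of the
body itself, so the log does not become a second copy of the PHI.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed, deliberately short list of words that signal clinical content.
# A real practice would maintain its own list as part of its written email policy.
CLINICAL_TERMS = ("depression", "anxiety", "diagnosis", "ptsd", "medication",
                  "session notes", "psychotherapy notes")


@dataclass
class EmailGate:
    """Holds verified addresses, pending confirmation tokens and the audit log."""
    hmac_key: bytes                       # key for the keyed body digest in the log
    verified: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    # -- address verification (the "confirm the address during intake" step) --
    def start_verification(self, address: str) -> str:
        """Create a one-time token to be sent in a confirmation message that contains no PHI."""
        token = secrets.token_urlsafe(16)
        self.pending[address.lower()] = token
        self._audit("verification_sent", address)
        return token

    def confirm(self, address: str, token: str) -> bool:
        """Mark the address verified only if the client returns the exact token."""
        expected = self.pending.get(address.lower())
        ok = expected is not None and hmac.compare_digest(
            expected.encode(), token.encode())
        if ok:
            self.verified.add(address.lower())
            del self.pending[address.lower()]
        self._audit("verification_confirmed" if ok else "verification_failed", address)
        return ok

    # -- pre-send policy check (minimum necessary content) -------------------
    def check(self, to: str, subject: str, body: str,
              attachments: tuple = ()) -> list:
        """Return the list of policy violations; an empty list means the send may proceed."""
        problems = []
        if to.lower() not in self.verified:
            problems.append("recipient address has not been verified")
        lowered = subject.lower()
        if any(term in lowered for term in CLINICAL_TERMS):
            problems.append("subject line contains clinical content")
        if attachments:
            problems.append("attachments are not allowed; direct the client to the secure portal")
        self._audit("send_allowed" if not problems else "send_blocked", to,
                    subject_length=len(subject),
                    body_digest=self._digest(body),
                    problems=list(problems))
        return problems

    # -- audit trail ---------------------------------------------------------
    def _digest(self, body: str) -> str:
        # A keyed digest lets an investigator match a log entry to a retained
        # message without storing the message text in the log.
        return hmac.new(self.hmac_key, body.encode(), "sha256").hexdigest()

    def _audit(self, event: str, address: str, **extra) -> None:
        entry = {"ts": datetime.now(timezone.utc).isoformat(),
                 "event": event, "to": address.lower(), **extra}
        self.audit_log.append(entry)


if __name__ == "__main__":
    gate = EmailGate(hmac_key=b"constructed-demo-key")
    token = gate.start_verification("client@example.com")       # constructed address
    gate.confirm("client@example.com", token)
    print(gate.check("client@example.com", "Appointment confirmation",
                     "See you Tuesday at 3 pm."))                # [] -> may send
    print(gate.check("typo@example.com", "Your depression counseling appointment",
                     "...", ("notes.pdf",)))                     # three violations
    for entry in gate.audit_log:
        print(entry)
```

The gate is deliberately fail-closed: a mistyped address that never completed verification is blocked before any PHI leaves the practice, and every decision, allowed or blocked, lands in the audit log with enough detail to investigate a suspected misdirected message.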
The special case of psychotherapy notes
HIPAA establishes stricter rules for psychotherapy notes, which it defines as “notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session and that are separate from the rest of the patient’s medical record.”
Psychotherapy notes receive heightened protection because of their sensitivity. HIPAA requires client authorization before they can be used or disclosed for most purposes.
As a result:
- Psychotherapy notes should not be sent by email, especially unsecured email.
- Therapists should never include psychotherapy notes in appointment reminders or follow-up messages.
- Even secure email systems should be used sparingly for such notes, and only with explicit authorization.
The safest approach is to keep psychotherapy notes internal and separate from any digital communication with clients.
Read more: Privacy protection for psychotherapy notes
When a patient requests regular (unencrypted) email
HIPAA recognizes that some patients may prefer the convenience of standard email, even if it is not secure. HHS allows therapists to honor such requests as long as they inform the client of potential risks and document the client’s preference.
This involves:
- Explaining that unencrypted email carries privacy risks
- Offering a secure alternative
- Documenting the client’s informed choice in their record
Once the client knowingly accepts the risk, therapists may email them using unsecured channels, but only to the extent necessary and with prudent limitations. Documentation is essential here.
Best practices for therapists who email clients
To balance convenience and compliance, therapists can adopt the following best practices:
Use a HIPAA compliant email service
Platforms designed for healthcare often offer:
- Automatic encryption
- Access controls
- Audit logs
- Secure messaging portals
Examples include services integrated with EHRs or standalone secure email providers like Paubox, which offer built-in HIPAA compliance and automatic encryption.
Read also: Top 12 HIPAA compliant email services
Obtain client consent for electronic communication
Include a clear email consent form in your intake paperwork that:
- Explains risks
- Outlines acceptable uses of email
- Documents the client’s choice (secure or unsecure email)
- Provides opt-out options
Read more: A guide to obtaining explicit consent
Keep clinical content out of email
Sensitive or complex therapeutic issues should not be discussed by email. Instead, email should be used for:
- Scheduling
- Billing
- Sharing resources (within reasonable limits)
- Directing clients to secure portals
Separate clinical notes from email systems
Psychotherapy notes and progress notes should remain in the medical record, not in email threads or attachments.
Train staff thoroughly
If administrative staff help manage email communications, they must:
- Know HIPAA rules
- Understand what PHI is
- Follow your practice’s email policies
- Report any accidental disclosure immediately
Go deeper: HIPAA training for email communication
Have a breach response plan
Emails sent to the wrong address, containing more detail than intended, or accessed without authorization may constitute HIPAA breaches. Therapists should have a clear, written plan outlining:
- How potential breaches are investigated
- When clients must be notified
- When to notify regulators
- Documentation procedures
Read more: Developing a HIPAA compliant incident response plan for data breaches
Paubox for therapists
Paubox offers therapists a secure, HIPAA compliant way to communicate with clients without adding extra steps or portals. Unlike regular encrypted email solutions that require recipients to log in to a separate platform, Paubox delivers encrypted messages directly to the client’s inbox, making it both secure and convenient. Therapists can send appointment reminders, billing information, and other administrative updates confidently, knowing Paubox automatically encrypts every message by default. With features like automatic TLS encryption, inbound security tools, and a required BAA, Paubox helps therapists meet HIPAA requirements while maintaining a smooth communication experience for clients.
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
FAQs
Do therapists need a HIPAA compliant email service?
If emails contain PHI, then yes, therapists must use a HIPAA compliant email solution or document that the client has chosen to use regular, unencrypted email despite being informed of the risks.
Can therapists email clients using Gmail or Outlook?
Only if they use the enterprise or healthcare versions that support HIPAA compliance and sign a BAA with Google or Microsoft. Consumer-grade accounts are not HIPAA compliant.
What happens if a therapist sends an email to the wrong client?
This could be a HIPAA breach. Therapists must follow their breach response plan, assess the risk, and determine whether notifications to the client or regulatory authorities are required.
What should therapists do if they suspect an email breach?
They should immediately follow their breach response procedures, including investigating the incident, mitigating harm, notifying affected clients if necessary, and reporting to HHS OCR if the breach meets reporting thresholds.