Therapists are increasingly relying on electronic communication to coordinate care, share resources, and stay connected with clients between sessions. As Stephan Ginn notes in the article Email in healthcare: pros, cons and efficient use, “In 2021 the total number of business and consumer emails sent and received each day worldwide was forecast as more than 319 billion and predicted to grow to over 376 billion by the end of 2025. The healthcare sector was initially more cautious about the adoption of email than other sectors, but email is now a primary method of correspondence between healthcare professionals.”
That raises the question: Can therapists email clients? According to the U.S. Department of Health and Human Services (HHS), the answer is yes. As HHS explains, “The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.” This means that HIPAA does not prohibit therapist–client email; however, it does set important conditions. Therapists can email clients as long as they take reasonable steps to protect any protected health information (PHI) shared in those messages.
HIPAA applies to therapists when…:
A therapist is generally considered a covered entity if they electronically transmit health information in connection with billing, insurance claims, or eligibility checks. Most therapists who accept insurance fall under this definition. Those who operate strictly as cash-pay providers may not be HIPAA-covered entities, although they are still governed by state privacy laws and ethical standards.
HIPAA regulates the transmission of PHI. That includes any information that can identify a client and relates to their health, treatment, diagnosis, or payment for care. Even a simple email like “Your appointment for depression counseling is confirmed” could be considered PHI because it ties the client’s identity to a health service.
Read more: Are mental health professionals covered entities under HIPAA?
As stated above, HIPAA does not prohibit the use of email, or any form of electronic communication between healthcare providers, including therapists, and patients. However, the providers must “apply reasonable safeguards” to protect PHI. These safeguards aim to “avoid unintentional disclosures” and include “checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message.”
HIPAA does not require any particular technology, but the Privacy and Security Rules require that covered entities:
This means therapists can email clients, but only if they implement appropriate administrative, physical, and technical safeguards.
HIPAA does not prescribe a one-size-fits-all solution. Instead, it expects therapists to adopt measures that are proportionate to the risk. Common safeguards include:
Previously, encryption was considered an “addressable implementation specification” under HIPAA’s Security Rule. However, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) recently issued a Notice of Proposed Rulemaking (NPRM) to amend the Security Rule. The proposed changes include removing “the distinction between ‘required’ and ‘addressable’ implementation specifications and make all implementation specifications required with specific.” If approved, encryption will no longer be an “addressable implementation specification,” but rather “required.”
Encryption ensures that if an email is intercepted or accessed without authorization, it cannot be read.
For therapists who use standard email services, like Gmail or Outlook, consumer accounts generally do not meet HIPAA requirements. Therapists must use the enterprise or healthcare versions of such services and sign business associate agreements (BAAs) with the provider. Alternatively, they can use a provider that is inherently HIPAA compliant, such as Paubox.
Only authorized individuals should be able to access PHI. As HIPAA states, “Access controls should enable authorized users to access the minimum necessary information needed to perform job functions. Rights and/or privileges should be granted to authorized users based on a set of access rules that the covered entity is required to implement as part of §164.308(a)(4), the Information Access Management standard under the Administrative Safeguards section of the Rule.”
Therapists should:
HIPAA requires covered entities to “implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” This helps detect unauthorized access and supports breach investigations.
Therapists should develop written policies on:
Simple mistakes, like mistyping a client’s email, often lead to HIPAA breaches. A verification step, such as sending a test message or confirming the address during intake, can prevent accidental disclosures.
HIPAA’s Minimum Necessary Requirement mandates that “covered entities take reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose.” For therapists, that may mean:
This reduces the risk of accidental disclosure.
HIPAA establishes stricter rules for psychotherapy notes, which it defines as “notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session and that are separate from the rest of the patient’s medical record.”
Psychotherapy notes receive heightened protection because of their sensitivity. HIPAA requires client authorization before they can be used or disclosed for most purposes.
As a result:
The safest approach is to keep psychotherapy notes internal and separate from any digital communication with clients.
Read more: Privacy protection for psychotherapy notes
HIPAA recognizes that some patients may prefer the convenience of standard email, even if it is not secure. HHS allows therapists to honor such requests as long as they inform the client of potential risks and document the client’s preference.
This involves:
Once the client knowingly accepts the risk, therapists may email them using unsecured channels, but only to the extent necessary and with prudent limitations. Documentation is essential here.
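As an added illustration (not code from this article or from Paubox), the following hypothetical pre-send gate applies several of the safeguards described above to each outgoing message before it leaves: the verified recipient address, the audit record, keeping psychotherapy notes out of email, and the documented client request for unsecured email. All class and field names, and the sample client, are assumptions constructed for the example.

```python
# Hypothetical pre-send gate applying this page's email safeguards.
# Not Paubox's code; names, fields and sample data are assumptions.
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Client:
    email: str
    address_verified: bool          # confirmed at intake or by a test message
    accepts_unsecured_email: bool   # client asked for regular, unencrypted email
    risk_warning_documented: bool   # therapist recorded the warning given

@dataclass
class OutgoingEmail:
    client: Client
    body: str
    channel_encrypted: bool         # sent through a BAA-covered, encrypting service
    contains_phi: bool
    contains_psychotherapy_notes: bool = False

AUDIT_LOG = []  # stands in for the audit trail the Security Rule requires

def _record(email: OutgoingEmail, allowed: bool, reason: str) -> tuple[bool, str]:
    """Every decision, allowed or denied, is written to the audit log."""
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "to": email.client.email,
        "phi": email.contains_phi,
        "encrypted": email.channel_encrypted,
        "allowed": allowed,
        "reason": reason,
    })
    return allowed, reason

def check_send(email: OutgoingEmail) -> tuple[bool, str]:
    """Decide whether the message may leave; never sends anything itself."""
    c = email.client
    if email.contains_psychotherapy_notes:
        return _record(email, False, "psychotherapy notes stay in the record, not in email")
    if not c.address_verified:
        return _record(email, False, "recipient address not verified")
    if email.contains_phi and not email.channel_encrypted:
        if not (c.accepts_unsecured_email and c.risk_warning_documented):
            return _record(email, False, "PHI on unencrypted channel without documented request")
        return _record(email, True, "PHI on unencrypted channel per documented client request")
    return _record(email, True, "ok")

if __name__ == "__main__":
    jane = Client("jane@example.com", True, False, False)  # constructed sample client
    print(check_send(OutgoingEmail(jane, "Tuesday 3pm confirmed", True, True)))
    print(check_send(OutgoingEmail(jane, "Tuesday 3pm confirmed", False, True)))
```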
To balance convenience and compliance, therapists can adopt the following best practices:
Platforms designed for healthcare often offer:
Examples include services integrated with EHRs or standalone secure email providers like Paubox, which offer built-in HIPAA compliance and automatic encryption.
Read also: Top 12 HIPAA compliant email services
Include a clear email consent form in your intake paperwork that:
Read more: A guide to obtaining explicit consent
Sensitive or complex therapeutic issues should not be discussed by email. Instead, email should be used for:
Psychotherapy notes and progress notes should remain in the medical record, not in email threads or attachments.
If administrative staff help manage email communications, they must:
Go deeper: HIPAA training for email communication
Emails sent to the wrong address, containing more detail than intended, or accessed without authorization may constitute HIPAA breaches. Therapists should have a clear, written plan outlining:
Read more: Developing a HIPAA compliant incident response plan for data breaches
Paubox offers therapists a secure, HIPAA compliant way to communicate with clients without adding extra steps or portals. Unlike regular encrypted email solutions that require recipients to log in to a separate platform, Paubox delivers encrypted messages directly to the client’s inbox, making it both secure and convenient. Therapists can send appointment reminders, billing information, and other administrative updates confidently, knowing Paubox automatically encrypts every message by default. With features like automatic TLS encryption, inbound security tools, and a required BAA, Paubox helps therapists meet HIPAA requirements while maintaining a smooth communication experience for clients.
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
If emails contain PHI, then yes, therapists must use a HIPAA compliant email solution or document that the client has chosen to use regular, unencrypted email despite being informed of the risks.
Only if they use the enterprise or healthcare versions that support HIPAA compliance and sign a BAA with Google or Microsoft. Consumer-grade accounts are not HIPAA compliant.
This could be a HIPAA breach. Therapists must follow their breach response plan, assess the risk, and determine whether notifications to the client or regulatory authorities are required.
They should immediately follow their breach response procedures, including investigating the incident, mitigating harm, notifying affected clients if necessary, and reporting to HHS OCR if the breach meets reporting thresholds.