The systems designed to protect client privacy can sometimes become barriers to care. Researchers developing a clinical trial for marginalized communities recently encountered this paradox firsthand. When institutional interpretation of HIPAA's Security Rule required switching from conventional text messaging to secure web links, they discovered that "the additional 'clicks' required to open the secure browser appeared to reduce engagement with the intervention." The very safeguards meant to protect participants made the intervention less accessible to those who needed it most.
Mental health practitioners face a version of this challenge every day. Secure email systems, client portals, and encrypted messaging platforms protect confidentiality, but only if clients actually use them. When security measures feel confusing, clients may disengage entirely.
The solution isn't to abandon secure communication. It's to explain it in ways that invite participation rather than create friction. As Lindsey et al. observed in the Journal of Perinatology, "Empowered patients can provide informed consent and express preferences," but that empowerment depends on understanding what they're consenting to and why it matters.
Read more: Using HIPAA compliant email for research participant communication
HIPAA requires covered entities to inform clients about their privacy practices, but the logic is about more than just regulatory checkboxes. Clients who understand why you use certain communication methods are more likely to cooperate with those methods. Those who don't understand may work around your systems, replying to secure messages via standard email, texting sensitive information because it feels faster, or assuming that any digital communication carries the same level of protection.
The research on technology in mental healthcare proves this point. The researchers found that clients "may wrongly assume that only providers can access messages, further undermining informed consent." When clients don't grasp the differences between communication channels, they can't make informed choices about how to reach you or what to share electronically.
Letzring and Snow (2011) draw an important distinction between HIPAA consent and traditional informed consent. The latter addresses proposed treatment and the client's decision to accept or reject it. HIPAA consent involves agreeing to limited disclosure of protected health information (PHI). "There is nothing that prevents the mental health practitioner from giving the patient a single form containing both consents," they note, but the conversation supporting those forms matters as much as the paperwork itself. When clients understand what you're doing and why, they become partners in protecting their own privacy rather than obstacles to navigate.
Technical explanations tend to lose people quickly. Terms like "encryption," "secure portal," and "HIPAA compliance" may mean everything to you and nothing to your client. Instead, begin with the purpose behind your practices.
Instead of saying, "We use HIPAA compliant email with TLS encryption to protect your protected health information when communicating electronically."
Try saying, "I want to make sure that when we communicate by email, only you and I can read what's in those messages. I use a secure email system that protects our conversations from being seen by anyone else."
The second version accomplishes the same goal without requiring clients to understand regulatory frameworks or technical specifications. It focuses on what they care about, which is their privacy.
From there, you can add layers of detail based on the client's interest and comprehension. Some might nod and move on. Others will probably ask follow-up questions that invite more explanation. Let the client's curiosity guide the depth of the conversation.
Analogies bridge the gap between unfamiliar concepts and everyday experience. When explaining email security, consider comparisons like:
Such a comparison might not be perfect, but it doesn't need to be. It provides a mental framework that helps clients grasp the concept that some communication methods offer more protection than others, and you've chosen methods that prioritize their privacy.
Avoid analogies that introduce unnecessary complexity or fear. Comparisons involving hackers, data breaches, or identity theft may be technically relevant but can create anxiety that interferes with the therapeutic relationship.
A recent study on relational safety in therapeutic relationships found that patients are more likely to engage when communication fosters safety rather than fear. Studies of doctor–patient communication identify anxiety as a barrier to engagement, while psychotherapy research emphasizes that safety in communication fosters stronger therapeutic relationships.
Most clients aren't curious about encryption protocols. They want answers to practical questions:
Explain what types of communication work well via email (scheduling, brief check-ins, sharing resources) and what belongs in session (clinical discussions, crisis situations, sensitive disclosures). Be specific about your response time expectations.
Walk them through the process. If your system requires them to click a link, create an account, or enter a password, demonstrate or describe those steps. Uncertainty about logistics creates friction that discourages use.
Acknowledge that secure systems sometimes feel less convenient than regular email or texting. Explain that you've chosen this approach because their privacy matters to you, and that the minor inconvenience serves an important purpose.
This requires a nuanced response. Some practitioners allow clients to consent to less secure communication after being informed of the risks. Others maintain secure channels as a non-negotiable practice standard. Whatever your policy, explain it clearly and document the conversation.
The APA Guidelines for the Practice of Telepsychology support this practical approach. The guidelines encourage psychologists to discuss "the manner in which they and their clients/patients will use the particular telecommunication technologies, the boundaries they will establish and observe, and the procedures for responding to electronic communications." They also emphasize that psychologists "make reasonable efforts to use language that is reasonably understandable by their clients/patients" when explaining these policies. In other words, the professional standard isn't to deliver a technical lecture but to ensure clients genuinely understand how you'll communicate, what to expect, and how their information stays protected.
The timing and context of security discussions affect how clients receive them. A rushed explanation during paperwork completion lands differently than a thoughtful conversation woven into the intake process.
In a survey of psychotherapists published in BMC Medical Ethics, 92% understood informed consent as "an ongoing process that accompanies the course of therapy and not as a one-time event at the beginning of treatment." The researchers note that this procedural approach should be "complementary to formal consent at the beginning of therapy" rather than a replacement for it. Email security fits naturally within this framework, address the basics during intake, then revisit and reinforce as questions arise or circumstances change.
The complexity of your security explanation depends largely on the systems you've chosen. Platforms that require portals, passwords, or multiple steps demand more client education and create more opportunities for confusion and disengagement.
Paubox Email Suite eliminates much of this friction by design. The platform integrates directly with Google Workspace and Microsoft 365, encrypting every outbound email automatically. Your workflow stays exactly the same, compose and send from Gmail or Outlook as you always have. No extra steps, no toggles to remember, no risk of accidentally sending unencrypted PHI.
For clients, secure emails arrive directly in their regular inbox and can be read like any other message. No portal logins, no passwords to manage, no special apps to download. This matters because, as the Lindsey et al. research demonstrated, each additional step reduces engagement. When secure email looks and feels like regular email, clients are far more likely to use it consistently.
For practitioners building or refining their communication systems, choosing tools that prioritize recipient experience isn't just a matter of convenience. It directly supports the therapeutic goal of maintaining connection between sessions without creating barriers that discourage clients from engaging.
The NASW Standards for Technology in Social Work Practice specify that "as part of the informed consent process, social workers shall explain to clients whether and how they intend to use electronic devices or communication technologies to gather, manage, and store client information." The standards further recommend that technology policies "be reviewed with clients during the initial interview in the social worker–client relationship and revisited and updated as needed." Your documentation creates a record that these conversations occurred and provides a reference point for future discussions as circumstances or systems change.
Document the conversation including the risks you explained and the client's decision. Some practitioners allow clients to sign a consent form acknowledging they prefer less secure communication despite understanding the risks.
You don't need to become an IT expert, but you should understand the basics of how your system protects client information and be able to explain it in simple terms.
Yes, though the conversation can be briefer. Even scheduling information, when connected to your practice, constitutes protected health information.