Everyday therapist emails that could violate HIPAA if not encrypted

Statista reports that “e-mail is one of the most widely used tools for communication, organization, and marketing. Every minute, over 251 million e-mails are exchanged among global users, approximately five times more than the number of instant messages exchanged during the same time at the end of 2024. In August 2025, the United States was the market with the highest volume of e-mails exchanged, with 9.8 billion daily e-mails sent on average.” Moreover, Stephen Ginn from Cambridge University notes that “email is a major means of communication in healthcare, and it facilitates the fast delivery of messages and information.” This demonstrates the ubiquity of email and its widespread use in healthcare.

Healthcare organizations can implement email for a variety of uses. This includes “for both formal and informal communications with colleagues and patients; to perform administrative duties; to conduct routine communication; and to undertake research and improvement projects. It is also used by management at all levels to convey information to large or small groups of staff,” as Ginn states. However, convenience can quickly turn into compliance risk. Many everyday therapist emails contain protected health information (PHI), and if those messages are sent without encryption or a HIPAA compliant platform, they may constitute a HIPAA violation.

This risk is especially significant in mental health care, where the sensitivity of information is higher, and the potential harm from unauthorized disclosure is greater. Even emails that seem harmless on the surface, such as a scheduling confirmation, can expose PHI when viewed in the wrong context.

 

Why email is a HIPAA risk for therapists

HIPAA defines PHI as any individually identifiable health information that relates to a person’s physical or mental health, healthcare provision, or payment for healthcare. For therapists, this definition covers a wide range of information, including the simple fact that someone is receiving mental health services. Furthermore, therapists handle psychotherapy notes, which are more strictly regulated. As the US Department of Health and Human Services states, “Psychotherapy notes are treated differently from other mental health information both because they contain particularly sensitive information and because they are the personal notes of the therapist that typically are not required or useful for treatment, payment, or health care operations purposes, other than by the mental health professional who created the notes. Therefore, with few exceptions, the Privacy Rule requires a covered entity to obtain a patient’s authorization prior to a disclosure of psychotherapy notes for any reason, including a disclosure for treatment purposes to a health care provider other than the originator of the notes.”

Standard email is not inherently secure. Messages may be intercepted, sent to the wrong recipient, accessed by unauthorized individuals, or stored on unsecured servers. Without encryption or another HIPAA compliant safeguard, therapists risk exposing PHI and violating the HIPAA Privacy and Security Rules.

Importantly, HIPAA violations are not limited to sharing diagnoses or treatment notes. Many routine emails fall under HIPAA simply because they link a person to therapy services.

 

How encryption protects PHI

Encryption is a critical safeguard for protecting PHI during electronic communication, including email. It converts readable data into an unreadable format so that “only the authorized parties with the right secret key, known as the decryption key, can unscramble the data,” as IBM explains.

 

What encryption does

When an email is encrypted, the message content and any attachments are transformed into code as they travel from the sender to the recipient. The process prevents unauthorized users, hackers, or malicious actors from intercepting and reading sensitive information while it is in transit.

Learn more: What happens to your data when it is encrypted?

 

Encryption in transit and at rest

HIPAA requires that PHI be protected both when transmitted and when stored. Encryption protects data in transit (while being sent over networks) and at rest (when stored on servers or devices). This dual protection ensures that even if data is intercepted or accessed without permission, it remains unreadable and useless to unauthorized individuals.

 

Why encryption matters for therapists

Therapists often send emails containing PHI, such as appointment details, treatment information, and billing data. Encryption safeguards these communications against breaches that could cause harm to patients and legal consequences for providers.

 

Limitations of encryption

While encryption is a powerful tool, it does not eliminate all risks. Providers must combine encryption with other HIPAA safeguards such as access controls, user authentication, staff training, and policies to ensure comprehensive protection.

Read also: Does encrypting an email automatically make it HIPAA compliant?

 

Emails that can risk HIPAA violations

Appointment-related emails

Appointment emails are among the most common communications therapists send, with an expected growth of USD 633.47 million from 2021 to 2025. However, these emails may be among the most overlooked HIPAA risks.

Examples:

  • “Just confirming your therapy session tomorrow at 3:00 PM.”
  • “Your counseling appointment has been rescheduled to Thursday.”
  • “You missed your psychotherapy session last week—please let us know if you’d like to rebook.”

Why these emails are risky

Even without mentioning a diagnosis or treatment plan, these messages confirm that the recipient is receiving mental health services. If an unencrypted email is accessed by an employer, family member, or hacker, it can reveal sensitive information about the individual’s healthcare.

Subject lines are particularly problematic. A subject line such as “Your therapy appointment” exposes PHI before the email is even opened.

 

Follow-up and check-in emails

Therapists often send follow-up emails to support continuity of care and strengthen the therapeutic relationship. While well-intentioned, these messages frequently include PHI.

Examples:

  • “I wanted to check in and see how you’ve been feeling since our last session.”
  • “Following up on our discussion about managing your anxiety.”
  • “Let me know if your mood has improved since we adjusted our approach.”

Why these emails are risky

These messages directly reference mental health status, symptoms, or treatment discussions. If sent without encryption, they expose highly sensitive PHI that could cause emotional, social, or professional harm if disclosed.

 

Treatment instructions and homework

Therapy modalities may involve exercises, worksheets, or between-session tasks. Sharing these materials via email can easily cross HIPAA boundaries.

Examples:

  • “Please complete the CBT worksheet before our next session.”
  • “Here are the grounding exercises we discussed for panic symptoms.”
  • “Try practicing the trauma-informed breathing technique daily.”

Why these emails are risky

Treatment instructions can reveal the type of therapy being used and often imply the underlying condition being treated. Even attachments alone, without explanatory text, can constitute PHI when linked to a patient’s identity.

 

Intake forms, assessments, and consent documents

Administrative emails frequently involve forms, assessments, and legal documentation. These are some of the most PHI-dense messages therapists send.

Examples:

  • “Attached is your mental health intake form.”
  • “Please complete the PHQ-9 and GAD-7 assessments before your appointment.”
  • “Kindly review and sign the consent form for therapy services.”

Why these emails are risky

Intake forms and assessments often include medical history, diagnoses, medications, and personal identifiers. Sending these documents via unencrypted email significantly increases the risk of unauthorized disclosure.

 

Billing, insurance, and payment emails

Financial communication is another area where therapists commonly underestimate HIPAA risk.

Examples:

  • “Your therapy invoice for October is attached.”
  • “Your insurance denied coverage for recent counseling sessions.”
  • “Please send your medical aid information so we can process payment.”

Why these emails are risky

HIPAA considers payment-related information PHI when it is connected to healthcare services. An invoice for therapy or a message about insurance denial clearly identifies the individual as a mental health patient.

Related: Healthcare billing using HIPAA compliant email

 

Crisis-related and highly sensitive emails

Some of the most serious HIPAA risks arise during crisis communication, when urgency may override caution.

Examples:

  • “I’m concerned after your message about self-harm thoughts.”
  • “Following up on the panic attack you experienced last night.”
  • “Please contact me urgently regarding your safety plan.”

Why these emails are risky

These messages contain sensitive PHI. A breach involving crisis-related content can have severe consequences for the patient’s safety, dignity, and trust in care.

 

Emails that reveal the therapist–patient relationship

Even emails that contain minimal content can violate HIPAA if they reveal the existence of a therapeutic relationship.

Examples:

  • Subject line: “Your therapy session”
  • Automatic replies signed: “Dr. Smith, Licensed Clinical Psychologist”
  • CC’ing a third party without explicit authorization

Why these emails are risky

HIPAA protects the confidentiality of the provider–patient relationship itself. Simply confirming that someone is a therapy client can be a disclosure of PHI.

 

Best practices for HIPAA compliant email communication

To reduce risk and protect patient privacy, therapists should adopt the following practices:

  • Use HIPAA compliant email solutions: Employ email services, like Paubox, that provide encryption, access controls, audit logs, and a business associate agreement (BAA).
  • Minimize email content: Keep messages brief and non-specific. Avoid diagnoses, symptoms, or detailed treatment discussions in standard emails.
  • Obtain and document patient consent: If patients request unencrypted email communication, obtain written authorization and clearly explain the associated risks.
  • Train staff regularly: Ensure all administrative and clinical staff understand what constitutes PHI and how email communication can create HIPAA exposure.
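One way to operationalize the “minimize email content” practice and the subject-line point made above is a pre-send check that flags drafts before they leave the practice. The following is an added example, not Paubox’s code and not part of this article: a Python script that scans a draft’s subject and body for the kinds of phrases the example emails in this article contain, reports separately when the subject line alone would expose PHI, and blocks any CC recipient the patient has not authorized in writing. The phrase list, the email addresses and the sample drafts are constructed for illustration and are not an authoritative definition of PHI.

```python
"""Heuristic pre-send check for outgoing therapist email (added example).

Drafts whose subject or body reveal a mental health treatment relationship
are routed to the encrypted channel; drafts that CC an unauthorized party are
blocked outright, because encryption cannot fix a disclosure to the wrong
recipient. The phrase list below is constructed from the example emails in
the article and is deliberately broad: a false positive only means a message
is sent encrypted, while a false negative means PHI goes out in the clear.
"""
import re
from dataclasses import dataclass, field

# Constructed phrase list drawn from the article's own example emails.
SENSITIVE_PHRASES = (
    "therapy", "therapist", "counseling", "psychotherapy", "session",
    "anxiety", "panic", "mood", "self-harm", "safety plan",
    "cbt", "phq-9", "gad-7", "intake form", "consent form",
    "invoice", "insurance", "medical aid",
)

# Case-insensitive, whole-word matching so "mood" does not match "moody".
_PATTERN = re.compile(
    r"\b(" + "|".join(re.escape(p) for p in SENSITIVE_PHRASES) + r")\b",
    re.IGNORECASE,
)


@dataclass
class Draft:
    """An outgoing message as a pre-send hook would see it (constructed)."""
    sender: str
    to: str
    subject: str
    body: str
    cc: tuple = ()


@dataclass
class Verdict:
    action: str                 # "ok", "encrypt" or "block"
    subject_exposed: bool       # PHI visible before the message is opened
    unauthorized_cc: list = field(default_factory=list)
    findings: list = field(default_factory=list)   # (location, phrase)


def find_phrases(text):
    """Return the distinct sensitive phrases in text, lower-cased, in order."""
    seen = []
    for match in _PATTERN.finditer(text):
        phrase = match.group(1).lower()
        if phrase not in seen:
            seen.append(phrase)
    return seen


def check_draft(draft, authorized_recipients):
    """Assess one draft. authorized_recipients holds the addresses the patient
    has authorized in writing (their own address plus any documented third party)."""
    authorized = {addr.lower() for addr in authorized_recipients}
    unauthorized = [addr for addr in draft.cc if addr.lower() not in authorized]
    subject_hits = find_phrases(draft.subject)
    body_hits = find_phrases(draft.body)
    findings = [("subject", p) for p in subject_hits] + [("body", p) for p in body_hits]
    if unauthorized:
        action = "block"        # wrong recipient: encryption does not help
    elif findings:
        action = "encrypt"      # PHI present: encrypted channel only
    else:
        action = "ok"
    return Verdict(action, bool(subject_hits), unauthorized, findings)


# Constructed sample drafts, taken from the article's example messages.
_FROM, _TO = "frontdesk@example-practice.invalid", "pat@example.invalid"
SAMPLE_DRAFTS = (
    Draft(_FROM, _TO, "Your therapy appointment",
          "Just confirming your therapy session tomorrow at 3:00 PM."),
    Draft(_FROM, _TO, "Checking in",
          "Following up on our discussion about managing your anxiety."),
    Draft(_FROM, _TO, "Directions to the office",
          "Parking is available behind the building; use the side entrance."),
    Draft(_FROM, _TO, "Forms", "Attached is your mental health intake form.",
          cc=("relative@example.invalid",)),
)


def run_samples():
    """Check every sample draft against an authorized list of just the patient."""
    return [(d.subject, check_draft(d, {_TO}).action) for d in SAMPLE_DRAFTS]


if __name__ == "__main__":
    for subject, action in run_samples():
        print(f"{action:8s} {subject}")
```

The first two drafts are routed to encryption, the first also with the subject line flagged because “therapy” is readable in an inbox listing before the message is opened; the fourth is blocked because of the unauthorized CC regardless of its content. A content scan like this cannot catch what the article lists under the therapist–patient relationship itself, such as a signature reading “Licensed Clinical Psychologist” or the sending domain of a therapy practice, which is why the article’s recommendation to encrypt every outbound message by default is the more complete control; the scan is useful mainly for surfacing PHI in subject lines and for enforcing the authorized-recipient list.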

Go deeper: HIPAA compliant email best practices

 

How Paubox can help reduce the risk

An effective way for therapists and mental health practices to reduce HIPAA risk associated with email communication is by using a purpose-built, HIPAA compliant email solution such as Paubox.

Paubox is designed specifically for healthcare organizations and enables providers to send emails containing PHI securely, without requiring recipients to log in to a portal, download attachments, or manage passwords. This ease of use is particularly valuable in mental health care, where accessibility, trust, and timely communication are critical.

 

Benefits of using Paubox

  • Automatic email encryption: Paubox encrypts emails automatically, meaning therapists do not have to decide which messages should be encrypted and which should not. This removes the risk of human error, where staff may unintentionally send PHI through unencrypted channels.
  • No portals or passwords for patients: Unlike many secure messaging systems, Paubox delivers encrypted emails directly to the patient’s inbox. Patients can read and respond to messages without creating accounts or remembering passwords, reducing barriers to communication while maintaining security.
  • HIPAA compliance support: Paubox is designed to align with HIPAA Privacy and Security Rule requirements, offering safeguards such as secure transmission, access controls, and audit-ready infrastructure. A BAA is available, helping covered entities meet their regulatory obligations.
  • Reduced risk of accidental disclosure: By encrypting all outbound emails by default, Paubox helps prevent common mistakes such as sending appointment confirmations, intake forms, billing notices, or follow-up messages through unsecured email. This is especially important for therapists, where even minimal disclosures can reveal sensitive mental health information.
  • Improved patient trust and engagement: Secure, seamless communication reassures patients that their privacy is being respected. For therapy clients, knowing that emails about appointments, forms, or follow-ups are protected can strengthen trust and support ongoing engagement in care.

Read more: Why choose Paubox for HIPAA compliant email

 

FAQs

What if a patient asks to communicate via unencrypted email?

HIPAA allows patients to request unencrypted communication, but therapists must first inform them of the risks and obtain written authorization. Even with consent, providers remain responsible for protecting PHI where reasonably possible.

 

How does encryption help with HIPAA compliance?

Encryption protects email content during transmission, making it unreadable to unauthorized parties even if intercepted. While encryption alone does not guarantee full HIPAA compliance, it is a critical safeguard under the HIPAA Security Rule.

 

How can therapists verify if their email system is HIPAA compliant?

Therapists should confirm that their email provider offers encryption in transit and at rest, signs a BAA, and provides audit trails or access controls.
