Is regular Gmail okay to use with therapy clients?

Email is one of the most common ways to communicate in healthcare. As noted in the article Email in healthcare: pros, cons and efficient use, “Email is a major means of communication in healthcare and it facilitates the fast delivery of messages and information.” Whether it’s sending appointment reminders, sharing intake forms, or responding to short questions, email feels fast, convenient, and familiar. 

With Gmail used by an estimated 1.8 billion people in 2025, many therapists may assume it’s a safe choice for client communication. However, healthcare communication operates under stricter standards. Therapists handle sensitive information protected by HIPAA, and even a simple appointment confirmation can qualify as protected health information (PHI).

Therapists should therefore not use the regular version of Gmail with clients. The free, personal version of Gmail is not HIPAA compliant: it lacks the administrative controls HIPAA requires (centrally managed users, retention, audit and access policies), and Google does not sign a business associate agreement (BAA) for personal Gmail accounts. Without a BAA, sending or receiving PHI through the service is a HIPAA violation, so therapists cannot use regular Gmail for any client-related communication. Even seemingly harmless messages can identify someone as a client receiving mental health services.

With that said, therapists can use Gmail safely by upgrading to Google Workspace, signing Google’s BAA, and enabling the necessary HIPAA security settings. With that setup, Gmail can be part of a compliant workflow. Without it, both clients and therapists are at risk.


Using email in therapy

“Email therapy can be useful to work with a range of issues, similar to face-to-face therapy,” notes the University of Warwick. “You might choose email therapy (instead of face-to-face) because:

  • It allows you to write down your issues and see your own words so you can reflect on them
  • You can read and re-read both what you are writing and what the email therapist is writing at any time
  • You can write your email and read the reply at a time convenient for you
  • It gives you an opportunity for therapy without having to “meet” (albeit possibly virtually) someone face-to-face
  • You can work in a ‘virtual therapy relationship’ which, although there are no verbal or visual clues, can be rewarding as you have to be explicit in putting words to your emotions, which can be therapeutic in itself
  • It may be easier for practical reasons, such as if you are away from the University abroad and in a different time zone, or you do not have sufficient privacy for a video call.”

Therapists may use email to:

  • Confirm or reschedule appointments
  • Send pre-session screening tools or intake forms
  • Share practice policies or consent documents
  • Coordinate billing or insurance questions
  • Answer brief, non-clinical questions between sessions
  • Communicate with parents or caregivers in family therapy
  • Share telehealth links or reminders

Read also: What can email be used for in healthcare?


Why is email regulated in healthcare?

Any information that identifies someone as a client and relates to their care is considered PHI. That includes:

  • A billing question tied to a specific diagnosis
  • A reminder email with the therapist’s name and clinic
  • A signed consent form
  • A discussion about scheduling around medication side effects
  • Even the fact that someone is corresponding with a therapist at all

Mental health information is particularly sensitive. Therapy notes, diagnoses, medication details, and session content all fall under HIPAA’s protection. As the U.S. Department of Health and Human Services (HHS) explains, “Psychotherapy notes are treated differently from other mental health information both because they contain particularly sensitive information and because they are the personal notes of the therapist that typically are not required or useful for treatment, payment, or health care operations purposes, other than by the mental health professional who created the notes.”

The HHS passage illustrates how carefully mental health data must be handled, beyond the care already owed to general medical information. Even administrative messages that seem harmless can reveal that someone receives mental health services.

This is why HIPAA requires any system handling PHI, including email, to meet specific privacy, security, and documentation standards.


Risk of using regular Gmail in healthcare

Based on the study Digital privacy in mental healthcare: current issues and recommendations for technology use, here is a list of the principal risks from using regular, non-secure, consumer-grade email, like Gmail, for patient/client communication:

  • Unintended breaches of confidentiality: The authors warn that using third-party email systems (e.g., free webmail) means therapists “maintain less control over the third-party systems that send and maintain email,” which increases the risk that sensitive client information can leak. This includes human errors such as wrong recipients and incorrectly addressed emails. The study identifies these as a significant vulnerability. 
  • Metadata and structural privacy leaks: Even if the content of messages seems harmless, metadata like sender/recipient addresses, time stamps, and subject lines may reveal that a person is a therapy client, which in itself is sensitive information. Since mental health information is especially sensitive, such leaks are particularly problematic. 
  • Inadequate encryption and security controls: Consumer email gives the sender no guarantee of the technical safeguards HIPAA expects. Encryption in transit is opportunistic and hop-by-hop (each mail server decides whether to use TLS to the next one, and falls back to plaintext if it cannot), there is no end-to-end encryption of the message body, and the sender has no access controls or audit logs over copies held by the provider. This makes exchanges more exposed to interception, unauthorized third parties, and accidental disclosure, which matters most when messages contain PHI. 
  • Long-term storage vulnerabilities and third-party data control: With third-party webmail providers, therapists and clients often hand over control of stored data. Once an email is sent or stored, it may persist indefinitely on external servers and be subject to any security or policies the provider uses. Such data storage creates ongoing risk: future data breaches, unauthorized access, or unintended disclosure even long after the original communication.
  • Risk of human error: The review identifies human errors, mistyped addresses, forwarding without consent, and mis-clicking as the single most common source of privacy violations in mental-health email correspondence. Given that therapy often deals with emotionally sensitive or stigmatized topics, these mistakes can impact client privacy and trust.
  • Lack of accountability, audit, or oversight: Standard email providers typically do not offer audit trails, logs of who accessed what, or controls over forwarding/sharing, features needed to track and manage PHI securely. Without those, if a breach or misuse occurs, there may be no way to trace what happened, thus undermining compliance, risk management, and ethical obligations.
  • Ethical and professional obligations may be violated: The paper argues that mental health professionals have an ethical duty to protect privacy. Using insecure email puts them at increased risk of inadvertently violating confidentiality. Clients’ trust, which is foundational in therapy, may be compromised if sensitive information leaks or is exposed. 
  • Barrier to informed consent and transparency: Because standard email lacks inherent privacy protections, clients might not fully comprehend or consent to the risks involved, particularly the fact that metadata alone (addresses, subject lines, timestamps) can disclose their status as therapy clients. This hinders their ability to make a fully informed decision about using email for communication.


The HIPAA compliant solution: Paubox

For therapists who want the convenience of email, Paubox offers a HIPAA compliant alternative to regular Gmail. Unlike standard email platforms, which require complex configurations, optional encryption add-ons, or patient portals, Paubox provides seamless encryption by default.

This means that every email containing PHI is automatically encrypted from the moment the message is sent, with no need for clients to log into a portal or open a secure message link. Messages arrive straight in the client’s inbox, just like a normal email, preserving both usability and privacy.

Read also: HIPAA Compliant Email: The Definitive Guide (2025 Update)


Why Paubox works for therapists

  • Automatic HIPAA compliance: Paubox meets all required administrative, technical, and physical safeguards outlined in the HIPAA Security Rule. You don’t need to adjust settings, install plugins, or remember to “turn on” encryption.
  • Encryption: Email is encrypted in transit and at rest without any extra steps, ensuring PHI stays protected even if clients use Gmail, Yahoo, or other consumer email services.
  • No patient portals: Unlike other secure email solutions, Paubox does not require clients to log in elsewhere. This eliminates friction and improves client engagement.
  • Business associate agreement (BAA): Paubox signs a BAA, which is a HIPAA requirement for any third party, including email providers, handling PHI.
  • Protects attachments automatically: Session notes, billing documents, consent forms, and intake files are encrypted alongside your email. Therefore, there is no need to use a separate file-sharing service.
  • Supports group practices and solo clinicians: Whether you’re an independent therapist or part of a larger clinic, Paubox integrates with existing workflows and scales with your practice.
  • Enhances trust and professionalism: Offering HIPAA compliant communication signals to clients that their confidentiality is a top priority, supporting therapeutic rapport.

Learn more: Features of Paubox Email Suite


How Paubox fits into everyday clinical communication

With Paubox, therapists can safely email clients about:

  • Appointment reminders
  • Billing and invoices
  • Homework or worksheets
  • Coordination with other providers (with consent)
  • Progress updates
  • Insurance documentation
  • Treatment planning communication

With Paubox protecting PHI, therapists can focus on care, not compliance.


FAQS

Can I make regular Gmail HIPAA compliant by turning on encryption?

No. Gmail already uses TLS in transit by default, but only opportunistically and only between mail servers that both support it, and confidential mode is an expiry and forwarding restriction, not end-to-end encryption. Neither changes the fact that regular Gmail comes with no BAA and does not meet HIPAA's administrative and documentation requirements. 
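To see why "TLS is on" does not settle the question, the script below (an added example, not code from the original article or from Paubox) reads the Received trace headers of a raw message and reports, hop by hop, whether each server-to-server leg was delivered over TLS, then lists the headers that travel in the clear on every leg regardless. The message, hostnames (.test and .example domains) and addresses (RFC 5737 documentation ranges) are all constructed for the example; it uses only the Python standard library.

```python
"""Hop-by-hop transport audit of a raw email's Received headers.

Constructed example: every host, address and header value below is made up.
"""
import email
import re

# Constructed sample. Received headers are written newest-first: the top one
# is the final delivery to the practice's mail exchanger, the bottom one is
# the client's original submission.
SAMPLE = b"""Received: from mail.sender-provider.test (mail.sender-provider.test [198.51.100.5])
\tby mx.practice-inbox.test with ESMTPS
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
\tTue, 5 Nov 2024 14:02:11 +0000
Received: from relay.legacy-mta.example (relay.legacy-mta.example [203.0.113.7])
\tby mail.sender-provider.test with ESMTP id k9s0abc;
\tTue, 5 Nov 2024 14:02:09 +0000
Received: from [192.0.2.10] (client.example [192.0.2.10])
\tby relay.legacy-mta.example with ESMTPSA id 7f3e;
\tTue, 5 Nov 2024 14:02:08 +0000
From: Jane Client <jane@client.example>
To: Dr. Therapist <dr@practice-inbox.test>
Subject: Rescheduling Thursday's session
Date: Tue, 5 Nov 2024 14:02:07 +0000
Message-ID: <20241105140207.1@client.example>
Content-Type: text/plain; charset=utf-8

Can we move Thursday to 4pm? The new medication makes mornings hard.
"""

# RFC 3848 "with" protocol tokens that imply a TLS-protected session, plus the
# non-standard SMTPS variants some providers write.
TLS_PROTOCOLS = {
    "ESMTPS", "ESMTPSA", "SMTPS", "LMTPS", "LMTPSA",
    "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA",
}

# Headers that every relaying MTA, and every mail log along the way, sees in
# cleartext even when each hop is TLS-protected.
CLEARTEXT_HEADERS = ("From", "To", "Subject", "Date", "Message-ID")


def _field(clause, key):
    """Return the token following `key` (e.g. 'by', 'with') in a trace clause."""
    m = re.search(rf"\b{key}\s+(\S+)", clause, re.I)
    return m.group(1) if m else None


def parse_hop(received):
    """Extract from/by/with from one Received header and decide if it was TLS."""
    text = " ".join(received.split())            # unfold continuation lines
    clause = text.split(";", 1)[0]               # drop the trailing timestamp
    proto = (_field(clause, "with") or "").upper()
    # Token check first; fall back to TLS annotations such as Postfix's
    # "(using TLSv1.3 ...)" or Exim's "tls TLS_AES_...". A hostname containing
    # the word "tls" would be a false positive; acceptable for a triage script.
    tls = proto in TLS_PROTOCOLS or bool(re.search(r"\btls\b|TLSv?1", clause, re.I))
    return {
        "from": _field(clause, "from"),
        "by": _field(clause, "by"),
        "proto": proto or None,
        "tls": tls,
    }


def audit(raw):
    """Return per-hop TLS status (submission first) and the cleartext metadata."""
    msg = email.message_from_bytes(raw)
    # Reverse so hops[0] is the client's submission and hops[-1] final delivery.
    hops = [parse_hop(h) for h in reversed(msg.get_all("Received", []))]
    metadata = {name: msg.get(name) for name in CLEARTEXT_HEADERS}
    return {
        "hops": hops,
        "all_hops_tls": bool(hops) and all(h["tls"] for h in hops),
        "cleartext_metadata": metadata,
    }


if __name__ == "__main__":
    report = audit(SAMPLE)
    for i, hop in enumerate(report["hops"], 1):
        status = "TLS" if hop["tls"] else "PLAINTEXT"
        print(f"hop {i}: {hop['from']} -> {hop['by']} via {hop['proto']}: {status}")
    print("every hop encrypted:", report["all_hops_tls"])
    print("visible to every relay and log regardless:")
    for name, value in report["cleartext_metadata"].items():
        print(f"  {name}: {value}")
```

Run against the sample, the middle hop (the legacy relay handing off to the sender's provider) was plain ESMTP, so the body crossed the network unencrypted once even though the client's submission and the final delivery both used TLS; the sender had no way to know or prevent that. And even on a run where every hop reports TLS, the From, To, Subject and Date lines are readable by each relay and sit in each server's logs, which is exactly the metadata leak that identifies someone as a therapy client. That is why opportunistic TLS, and any setting a user can flip inside regular Gmail, does not substitute for a BAA-backed, audited system.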


Is Gmail Workspace (paid Google Workspace) HIPAA compliant?

Google Workspace can be configured to be HIPAA compliant, but only if:

  • You sign Google’s BAA
  • You configure security settings correctly
  • You ensure additional safeguards and documentation

Even then, messages sent to clients on consumer email services such as personal Gmail are only protected by opportunistic TLS between servers, not encrypted end to end, so therapists often need add-on tools to close that gap.


Does HIPAA allow emailing clients at all?

Yes, email is permitted as long as the therapist uses a HIPAA compliant system and applies appropriate safeguards (e.g., encryption, access controls, and documented policies).


What should I do if I accidentally emailed PHI through regular Gmail?

You may need to:

  • Evaluate whether it constitutes a HIPAA breach
  • Document the incident
  • Notify affected clients
  • Report to HHS if required
  • Implement safer communication tools

Related: What are the HIPAA requirements after a breach?
