Safely using email communication in therapy

Email communication has become a valuable tool in healthcare, particularly as digital communication becomes more integrated into everyday life. According to Paubox, over 17.75 million emails were sent between October 1, 2023, and March 31, 2024. For therapists, email can facilitate ongoing communication, support, and guidance for patients between sessions. However, the convenience that email provides must be balanced with patient confidentiality and privacy.

Benefits of email communication in therapy

The article Social Work Practice in the Digital Age: Therapeutic E-Mail as a Direct Practice Methodology notes the following as benefits of using email in therapy communication: 

• Extends the therapeutic relationship between sessions: The study found that “Utilizing email communication between social worker and client for therapeutic purposes is not intended to serve as a substitute for F2F work, but to be used as an extension of the therapeutic work and relationship.” Furthermore, email blends elements of conversation with reflective writing.
• Improves engagement and follow-through: Clients often use email to raise issues they might forget by the next session. Therapist “email prompts” can encourage completion of therapeutic tasks, and many clients feel supported knowing their therapist is checking in between appointments.
• Increases accessibility for remote or underserved clients: Email expands access for people in geographically isolated or underserved areas. As the study states, “Electronic communication offers opportunities for meaningful interaction with homebound clients and those living in geographically remote and under-served communities where licensed mental health professionals are in short supply.” Additionally, since email is widely used across age groups, it supports a broad, diverse population, not only tech-savvy clients.
• Provides flexibility and convenience: Clients can write at times that suit their schedules, making communication more accessible for those with mobility challenges or limited time. As the article notes, “Additionally, clients benefit from writing about their experiences as they unfold (in the moment), rather than waiting to address matters of importance in the next scheduled meeting with the worker.” 
• Encourages deeper reflection and disclosure: Writing gives clients time to think, organize their thoughts, and express themselves more clearly. For those who are anxious or uncomfortable speaking in person, email can feel less intimidating and promote greater openness.
• Creates a written record of therapeutic communication: Emails generate documentation that can help track progress, revisit earlier themes, and support continuity of care in future sessions.

Related: How to send HIPAA compliant emails

Ethical considerations and best practices

Informed consent and transparency

Therapists must obtain explicit informed consent before initiating email communication. This includes discussing:

• The types of communication that are appropriate via email
• Expected response times
• How email messages will be stored or documented
• The potential risks, including unauthorized access or misdelivery
• Alternatives for urgent or sensitive concerns

Patients should understand that email is not a substitute for an emergency hotline, crisis intervention, or a therapeutic session.

Read also: A guide to obtaining explicit consent

Using secure, encrypted platforms 

The U.S. Department of Health and Human Services (HHS) has proposed the first significant updates to the HIPAA Security Rule in over a decade. The goal is to enhance cybersecurity measures in the healthcare industry. As part of this, encryption will no longer be an “addressable” security measure but will be mandatory. 

Standard email services like Gmail, Outlook, or Yahoo Mail do not encrypt email in a way that meets HIPAA requirements. Since email communication in therapy often involves protected health information (PHI), therapists must use secure, HIPAA compliant platforms.

HIPAA compliant email solutions, such as Paubox, ensure that PHI is protected during transmission and storage. These platforms offer:

• Automatic encryption
• Business associate agreements (BAAs)
• Administrative controls
• Audit logs
• Secure storage

Using a HIPAA compliant email service reduces the risk of PHI exposure and helps therapists meet their legal obligations.

Read more: HHS proposes updated HIPAA security rule

Clear guidelines and boundaries

“Email communication is generally less formal than other professional interactions, risking unprofessional conduct and ambiguously formulated messages that do not provide recipients with the information they require to act,” states Stephen Ginn in the article Email in healthcare: pros, cons and efficient use. Therefore, setting communication boundaries helps maintain professionalism and ensures email remains helpful. Therapists should clarify:

• Typical response times
• What types of issues are appropriate for email
• What topics require a session
• How long messages should generally be
• What patients should do in emergencies

Clear expectations empower patients to use email responsibly and prevent boundary crossings or ethical dilemmas.

Sensitive information handling

Email may not be the right channel for every conversation. Therapists should encourage patients to avoid sharing on highly sensitive topics such as:

• Traumatic incidents
• Suicidal ideation or crisis messages
• Highly personal or sensitive emotional material

Therapists can gently redirect patients to address sensitive topics in sessions where privacy, nuance, and emotional support are more appropriate.

Documentation and compliance

HIPAA’s Security Rule requires “a regulated entity must maintain documentation required for written policies and procedures implemented to comply with the Security Rule and actions, activities, or assessments required by the Security Rule to be documented until six years after the later of: 1) the date of the document’s creation or 2) the date the document was last in effect.” 

For therapists who use email, HIPAA’s documentation requirements apply to all policies and records related to electronic communication. This includes:

• Written and updated email policies detailing how email is used, what information may be shared, response times, and emergency procedures.
• Retention of email communications containing PHI in a secure, compliant system for at least six years.
• Storage of risk assessments, training records, and security evaluations demonstrating how the practice protects PHI.
• Documentation confirming the use of HIPAA compliant tools, such as encrypted email services, access controls, and audit logs.

Emergency protocols

Email may not be suitable for emergencies. Delayed responses, missed messages, or a misinterpreted tone can create dangerous situations for the patient/client and the therapist. As noted in the article, The bias that makes innocent emails seem offensive, “Delayed feedback increases the chances of misunderstanding.”

Therapists should establish a clear crisis protocol that directs patients to the appropriate resources, such as:

• Local emergency hotlines
• Crisis centers
• 911 or immediate medical care
• After-hours crisis support services

Go deeper: Can you discuss health issues with patients via email?

Limitations and recommendations

Email communication should supplement, not replace, therapy. While it can offer valuable support, it is not suitable for every patient or every therapeutic need.

Therapists should consider:

• Whether the patient has reliable access to secure digital tools
• Whether email supports or undermines the patient’s mental-health goals
• The nature of the presenting issues
• Whether the patient understands privacy risks
• The complexity of the therapeutic content

In many cases, secure telehealth platforms provide a better alternative for sensitive discussions. Telehealth offers the benefits of virtual accessibility while maintaining the privacy and confidentiality required in therapy.

Go deeper: How does HIPAA apply to telehealth?

Using Paubox in therapy email communication

Paubox provides a secure, HIPAA compliant email platform that allows therapists to communicate with clients safely while maintaining the convenience of regular email. Unlike standard email services, which often lack the encryption and safeguards required for transmitting PHI, Paubox delivers security by default, without adding extra steps for clients.

Benefits of using Paubox

• Seamless, automated encryption: Every message sent through Paubox is encrypted, ensuring that sensitive therapeutic information cannot be intercepted or accessed by unauthorized parties. Importantly, clients do not need to log into a separate portal or remember additional passwords; they receive emails directly in their inbox, just as they would with regular email.
• Built-in HIPAA compliance: Paubox signs a business associate agreement (BAA) and implements the administrative, technical, and physical safeguards required under HIPAA. 
• Improved workflow and client experience: Therapists can integrate Paubox into their existing email systems, allowing them to send and receive secure messages without switching platforms. 
• Supports documentation and retention needs: Paubox maintains records and logs, which helps practices meet HIPAA documentation and retention requirements. 
• Enhances trust and therapeutic alliance: By using a HIPAA compliant solution, therapists demonstrate a clear commitment to protecting client privacy. This can strengthen the therapeutic relationship and provide reassurance that sensitive information is handled with the highest level of care.

FAQS

Can therapists use regular email to communicate with clients?

Therapists can use email, but standard services like Gmail or Yahoo are not automatically HIPAA compliant. To send or receive PHI, providers must use a secure, encrypted, HIPAA compliant email solution and have the proper policies and safeguards in place.

Will using Paubox change how therapists send email?

No. Paubox integrates with existing email platforms (like Outlook or Gmail for Business), so therapists can send secure emails the same way they send any other message.

Do clients need to install any special software to read secure emails?

No. With products such as Paubox, clients receive messages just like a normal email. This convenience reduces barriers to engagement and increases follow-through on therapeutic tasks.