What therapists need to know about HIPAA compliant email

Dr. Stephen Ginn, a consultant psychiatrist with the NHS, notes in his analysis of email in healthcare that email has become "a primary method of correspondence between healthcare professionals." For therapists, it offers a convenient way to schedule appointments, send treatment summaries, and maintain contact with clients. However, as the HIPAA Security Standards manual notes, "the ease and convenience of email come with significant regulatory responsibility." Under the Health Insurance Portability and Accountability Act (HIPAA), therapists must ensure that all patient communications, including email, are transmitted securely and stored appropriately. Research from Security and Privacy of Technologies in Health Information Systems: A Systematic Literature Review explains that data breaches "can lead to serious consequences, including identity theft, fraud, and medical malpractice." Failing to implement HIPAA compliant email practices can result in fines, reputational damage, and violation of client trust.

HIPAA regulations apply to therapists as healthcare providers. According to 45 CFR § 160.102, the standards and requirements apply to "a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter." This means that if you're transmitting client information electronically, including via email, HIPAA compliance is mandatory.

 

Understanding HIPAA and email

HIPAA's Privacy Rule and Security Rule establish requirements for protecting electronic protected health information (ePHI). While email is not prohibited under HIPAA, the regulations require that any ePHI transmitted via email be encrypted and that access to email accounts be restricted to authorized personnel only. According to the HIPAA Security Standards manual, "standard, unencrypted email is not considered a secure method of communication under HIPAA standards." This means therapists cannot send sensitive client information using regular email platforms without additional safeguards. Research from We're on the Same Page: A Usability Study of Secure Email Using Pairs of Novice Users confirms that standard, unencrypted email is not considered a secure method of communication for protecting sensitive information. The Systematic Literature Review further adds that healthcare systems must be designed with privacy and security as foundational elements, requiring secure technologies for data storage and transmission alongside strict access controls.

The Office for Civil Rights (OCR) has stated that the risk of interception and unauthorized access to unencrypted email makes it unsuitable for transmitting ePHI. However, the OCR explains: "Covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email. We do not expect covered entities to educate individuals about encryption technology and information security. Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party."

Ginn highlights the real-world security risks, noting that users may "mistakenly forward an email containing protected patient data to an unintended recipient," which shows how even well-intentioned healthcare professionals can cause breaches.

 

Choosing the right platform

Modern EHR systems designed for mental health professionals include built-in secure messaging capabilities. These systems are configured to meet HIPAA requirements and often integrate with clinical workflows. The email usability study found that users preferred secure email integrated into their existing email systems rather than using separate platforms. 

When choosing a platform, look for features such as encryption, secure password requirements, audit trails that track who accessed what and when, automatic message expiration, and the ability to revoke access to messages after sending. Additionally, according to the HIPAA Security Standards manual, "the vendor should provide a Business Associate Agreement (BAA), which is a legal requirement under HIPAA. The BAA ensures that the email provider acknowledges their responsibility to protect ePHI." Paubox offers encryption that works with existing email providers (Gmail, Outlook, etc.), requires no additional logins or portals for clients, and includes automatic HIPAA compliance features with a Business Associate Agreement.

Learn more: User guide: Paubox email encryption

 

Email policies and documentation

Develop written policies for email use within your practice. These policies should specify which types of information can and cannot be transmitted via email, when email is appropriate versus when alternative communication methods should be used, how ePHI should be handled in email, and consequences for policy violations.

Learn more: Maintaining email policies in healthcare

 

Best practices for email use

Always use professional email addresses rather than personal accounts. Before sending any email containing ePHI, verify the recipient's email address carefully; one typo could send confidential information to the wrong person.

Minimize the amount of ePHI in email communications. Instead of including detailed clinical notes, you might email a summary or ask the client to discuss the matter during the next session. When composing emails, Ginn advises that messages should be "clear and concise" to "reduce the need for subsequent back and forth exchanges"; this improves efficiency and also reduces the risk of sensitive information being exposed across multiple messages. Be cautious with subject lines: avoid including specific diagnosis information or appointment details that could identify the client if the email is intercepted.

When clients email you, establish guidelines about what they should and shouldn't communicate via email. Following Ginn's guidance on clinical email use, recognize that email should be "avoided for urgent, complex or sensitive messages" with patients and reserved instead for administrative and scheduling purposes. Research on secure email systems has shown that when security details are hidden from users, they are less likely to trust the system. The Systematic Literature Review confirms that secure data sharing builds trust between patients and healthcare providers, as patients are more likely to trust providers who take data security and privacy seriously, potentially leading to better outcomes and higher satisfaction.

Learn more: Best practices for patient communication using HIPAA compliant email

 

Compliance is an ongoing process

According to the HIPAA Security Standards manual, "HIPAA compliance with email is not a one-time setup but an ongoing commitment." Regularly review your email practices, stay informed about HIPAA updates and OCR enforcement actions, and ensure that your technology remains current. As new threats emerge and technology evolves, be prepared to adjust your approach. The Systematic Literature Review notes that maintaining secure healthcare communications requires continuous vigilance, regular security audits, and staying current with emerging cybersecurity threats.

By prioritizing HIPAA compliant email practices, therapists protect their clients, reduce legal and financial risk, and maintain the trust that is essential to the therapeutic relationship. 

Read also: Inbound Email Security

 

FAQs

Can therapists use texting or instant messaging apps instead of email for ePHI?

Only if the platform is HIPAA-compliant, encrypted, and a Business Associate Agreement (BAA) is in place.

 

Are there specific email retention requirements under HIPAA?

HIPAA does not set exact timeframes, but email containing ePHI must be stored securely and retained according to your organization’s record retention policy.

 

How often should risk analyses for email systems be conducted?

Regularly, ideally at least annually or whenever major changes to systems or workflows occur.

 

Is it acceptable to forward ePHI via email between colleagues?

Only if the email is encrypted, the recipient is authorized, and forwarding aligns with your internal policies.

 

Can therapists use personal devices to access ePHI via email?

Personal devices are allowed only if they meet your organization’s security policies, including encryption, password protection, and remote wipe capability.

 
