HIPAA Compliant Email For Therapists


Email has really revolutionized how therapists communicate with patients. Instead of waiting on slow responses to letters, or playing endless games of phone tag, you and the client can discuss information on your own time, and keep a steady line of communication.

However, while online services have many benefits, they also come with security risks, especially as few of us are trained to recognize and defend against cybercrime.

In this guide, we’ll explore how to choose the right email service to ensure both you and the client can communicate securely.

Do You Need A HIPAA-Compliant Email Service?

Email is often the easiest way to communicate with a client, as it allows you both to engage in a back-and-forth on your own time. Email also provides a quick way to access and send information.

However, any messages you send as a therapist via email are likely to contain Protected Health Information (PHI), and therefore need to follow HIPAA regulations.

Anyone working in a healthcare setting needs to use a HIPAA-compliant email service. This ensures the client’s information is protected, and you’re protected against breaches of HIPAA.

However, you might not need a separate email server if you have a HIPAA-compliant EHR with messaging capability. Some EHR software comes with a built-in messaging service that allows you to communicate securely with clients.

When Does A Therapist Need A HIPAA-Compliant Email Service?

Essentially, any messages you send as a therapist need to come from a HIPAA-compliant email, even if the messages themselves aren’t confidential. The fact that someone is your client can itself be PHI, so even routine communication needs to be kept safe!

Any records or bills, diagnosis information, or forms that include a social security number or insurance information need to be protected by HIPAA.

There are times when the information you’ll be exchanging with your client isn’t confidential and doesn’t need to conform to HIPAA regulations. However, it’s best for you and the client to keep all communication on a single service.

By avoiding email services that don’t meet HIPAA regulations, you won’t accidentally send protected information from the wrong account.

What Makes An Email HIPAA-Compliant?

The HIPAA rules regarding using email to send PHI aren’t exactly clear-cut, and that can cause confusion among therapists.

The easiest way to maintain HIPAA compliance is to choose a messaging service with secure encryption. Encryption makes a message unreadable to anyone who intercepts it in transit. Only when the message is opened by the intended recipient, who holds the key to decrypt it, does it become readable again.

You and the email provider must have signed a Business Associate Agreement (BAA). The BAA is a written arrangement between a business and a HIPAA Covered Entity allowing the Covered Entity to disclose PHI to the business.

When signing the BAA, the business entity agrees to put the necessary protections in place to keep PHI secure.

Another useful feature is two-step verification. With two-step verification, anyone logging into a messaging account has to provide a second login credential, such as a verification code, in addition to the password before getting access. This means a stolen or guessed password alone is not enough to read your messages.


HIPAA-Compliant Email Servers For Therapists

Want to protect your communications? Here are some of the best HIPAA-compliant email servers for therapists.

Hushmail For Healthcare

Hushmail for Healthcare is a secure email service that has been built to allow healthcare professionals to communicate directly with patients and clients. An email-focused service, Hushmail for Healthcare encrypts all emails and comes with a built-in private message center for quick communication.

When you subscribe with Hushmail for Healthcare, they automatically sign a BAA.

Virtru

Providing a HIPAA-compliant digital network, Virtru is an encrypted email service with a dedicated healthcare sector. Quick to install and easy to get running, Virtru is a user-friendly platform that allows you to communicate with clients while keeping their PHI safe.

HIPAA Vault

Working with Google Cloud to ensure your information is protected, HIPAA Vault manages your services to ensure your online presence maintains HIPAA compliance. If you’re unsure about HIPAA compliance, this is an excellent solution.

The dedicated live support service ensures you can stay on top of your electronic services.

Google Workspace

Formerly known as G Suite, Google Workspace is the premium upgrade to the standard Google services. If you pay for a Google Workspace account, Google will agree to sign a BAA, allowing you to use the service in a HIPAA-compliant manner.

If you choose Google Workspace, you need to ensure end-to-end encryption is enabled. You should also activate two-step verification.

SimplePractice

SimplePractice doesn’t offer an email service, but it does provide a HIPAA-compliant instant messaging system. With bank-level data encryption technology keeping all your information safe, the SimplePractice messaging service allows you to communicate safely and quickly with your clients.

The main disadvantage to the SimplePractice messaging service is that it’s part of a larger EHR package. However, SimplePractice does offer a free trial, so you can try it before investing.

Only You Can Ensure HIPAA-Compliant Communications

Email servers can have security systems in place to improve HIPAA compliance, but any messaging system is only as secure as its user. Choosing an email server is only the first step toward HIPAA compliance.

How you use the service is vitally important to keeping your client’s private information safe:

  • Never send an email from a location with an unsecured internet connection.
  • Don’t use the free internet services that you might find in coffee shops and other public places when sending PHI.

Double-check the address you’re sending an email to before you hit send. Do this every time, because it is easy to make mistakes. A simple check can prevent you from accidentally CCing people into email chains they shouldn’t read.

It can also prevent the dreaded “reply all”.

Before you leave your computer or phone unattended, make sure no messages are displayed and the screen is locked. You can inadvertently breach HIPAA simply by leaving an email on display when you leave a room.

Final Thoughts

A HIPAA-compliant email service protects both you and the patient. By ensuring all information is sent and stored securely, the email service prevents PHI from falling into the wrong hands.

But even the best email service can fall victim to human error, so make sure to follow safe practices when communicating with a client.
