HIPAA-Compliant Email for Therapists: What You Actually Need
Email feels like the most ordinary tool in your practice. You use it to confirm appointments, send intake links, answer a quick question about a billing statement. That ordinariness is exactly the problem — because the moment an email touches anything about a specific client, it becomes a HIPAA matter, and most therapists have never set their email up to handle that.
This is the guide that covers all of it: what actually makes email compliant, which providers will sign the agreement you need, how to configure the one most therapists already use, and what to do when a client emails you from their personal Gmail. Let's do it properly.
First, what counts as protected information in an email
People assume HIPAA only kicks in when an email mentions a diagnosis or describes a session. It's much broader than that.
Protected Health Information (PHI) is any information that connects a specific person to their care. With a mental health provider, the connection itself is the sensitive part. An email that says nothing more than "Hi Sarah, confirming your Tuesday 3pm" reveals that Sarah is your client — and you are a therapist. That is PHI.
So almost every client-facing email you send contains protected information:
- Appointment confirmations and reminders
- Intake form links sent to a named person
- Billing and superbill emails
- "Sorry I missed your call" follow-ups
- Anything with the client's name in the to-field combined with your practice identity
Once you accept that, the question stops being "do I need compliant email?" and becomes "which compliant email do I use?"
What actually makes email HIPAA compliant
There's a lot of marketing noise here, so here is the honest version. Email is compliant when these conditions are all true. Not some of them. All of them.
1. There's a signed Business Associate Agreement (BAA) with the provider. Under the Security Rule, any vendor who handles PHI on your behalf is a "business associate," and you must have a signed BAA with them (see §164.308(b) and §164.502(e)). Your email provider stores and transmits client information, so they qualify. No BAA means no compliant email — full stop, regardless of how good the encryption is.
2. The data is encrypted in transit and at rest. Encryption in transit (TLS) protects the message as it travels between servers. Encryption at rest protects it sitting in the mailbox. HIPAA technically treats encryption as "addressable" rather than mandatory under §164.312(a)(2)(iv), but in practice OCR expects it, and any breach involving unencrypted PHI is far harder to defend.
3. You control access to the account. Unique login, multi-factor authentication, automatic session timeout, and no shared mailboxes. This is the access-control safeguard under §164.312(a).
4. PHI stays inside the covered services. A BAA covers specific products, not your whole account. More on this trap below.
5. You can produce a basic audit trail. Knowing who logged in and when supports the audit-control requirement and matters a great deal if you ever face an investigation.
Notice that encryption is only one item on this list. "But my email uses encryption" is the single most common reason therapists wrongly believe they're compliant. Encryption without a BAA is not compliance.
Why standard Gmail and Outlook are not compliant out of the box
Here's the part that catches most people.
A free @gmail.com address can never be made HIPAA compliant. Google does not — and never has — signed BAAs for free consumer Gmail. There is no setting, no upgrade button, no two-factor toggle that fixes this. If you've been confirming appointments from a free Gmail account, you've been out of compliance the whole time.
A free @outlook.com, @hotmail.com, or @live.com address is exactly the same story. Microsoft does not offer a BAA for consumer Outlook. The free tier is built for personal use, and Microsoft says so plainly.
The confusion comes from the fact that both Google and Microsoft do offer compliant, paid, business versions of these same products. The interface looks almost identical. But the legal relationship behind it is completely different — and HIPAA cares about the legal relationship, not the interface.
The email providers that will sign a BAA
Here are the realistic options for a solo therapist, with what each is good for.
Google Workspace (with the BAA signed)
This is the paid version of Gmail at your own domain — you@yourpractice.com. You get the Gmail interface you already know, plus Calendar, Drive, and Meet. Most paid tiers offer the BAA; Business Standard (around $12 per user per month) is the common sweet spot for storage and admin controls.
The BAA is accepted electronically in the Admin Console under Account Settings, Legal and Compliance. It takes a few minutes and is legally binding once accepted. Best for therapists who want one familiar ecosystem covering email, documents, and video.
Microsoft 365 (with the BAA signed)
The paid business version of Outlook, again at your own domain, bundled with the Microsoft apps. Microsoft offers a BAA to eligible business and enterprise subscriptions, and for many plans the BAA is incorporated automatically rather than requiring a separate click — but you should confirm it applies to your specific subscription. Best for therapists already living in Word, Excel, and Teams.
Hushmail for Healthcare
A purpose-built option aimed squarely at small healthcare and therapy practices. Hushmail includes the BAA as standard, offers built-in encrypted web forms (handy for intake), and is designed so you don't have to configure much. Pricing runs higher per mailbox than Workspace, but the trade is simplicity — there's far less to misconfigure. Best for solo therapists who want healthcare-specific tooling without becoming an IT administrator.
Paubox
Paubox's signature feature is that outbound email is encrypted automatically, with no portal and no "click here to read your secure message" step for the recipient. The client just gets a normal-looking email. The BAA is included. It often layers on top of Google Workspace or Microsoft 365 rather than replacing them. Best for practices that send a high volume of client email and want the encryption to be invisible to clients.
A quick word on the rest
You'll see other names — ProtonMail offers business plans with a BAA, various managed-IT resellers package compliant email, and several EHRs include their own secure messaging. The same test applies to every one of them: will they sign a BAA, and is encryption in place? If yes to both, it's a candidate. If no BAA, walk away no matter how secure it sounds.
How to set up Google Workspace properly (the most common path)
Because most therapists migrate from Gmail, here's the realistic checklist. Signing up is not the same as being compliant — these steps are what actually close the gap.
- Get on a paid Workspace plan at a domain you own. Free and legacy accounts do not qualify.
- Sign the BAA in the Admin Console under Account Settings, then Legal and Compliance. Without this step, nothing else matters.
- Enforce two-step verification on every account that touches client information, including your own.
- Confine PHI to covered services. The BAA covers a specific list Google calls "Included Functionality" — Gmail, Calendar, Drive, Meet, Chat, and others. It does not cover YouTube, Blogger, Google Photos, or third-party add-ons from the Marketplace. Use the admin settings to disable non-covered services for accounts handling PHI so nothing leaks where the BAA can't reach.
- Set up domain authentication — SPF, DKIM, and DMARC records. These prevent spoofing and improve deliverability, and they're part of demonstrating reasonable safeguards.
- Turn on basic Data Loss Prevention rules if your tier supports it, to flag obvious PHI patterns leaving your domain.
- Document the migration in your Security Risk Analysis. Switching email providers is a significant change that should be reflected in your risk documentation, with the signed BAA stored alongside your other vendor agreements.
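The domain authentication step is the one item on this checklist you can verify mechanically. As an added example (not from the original article and not a Google tool), here is a small Python checker that grades SPF, DKIM and DMARC TXT records against the settings that actually stop spoofing, with a weak set beside a hardened set; the records for yourpractice.com are constructed, and the DKIM selector "google" is an assumption.

```python
import re
# Constructed TXT records for the placeholder domain yourpractice.com (not real
# DNS data). The DKIM selector "google" is assumed; check your own in the Admin Console.
WEAK_RECORDS = {
    "yourpractice.com": "v=spf1 include:_spf.google.com +all",
    "_dmarc.yourpractice.com": "v=DMARC1; p=none",
    "google._domainkey.yourpractice.com": "v=DKIM1; k=rsa; p=",
}
HARDENED_RECORDS = {
    "yourpractice.com": "v=spf1 include:_spf.google.com -all",
    "_dmarc.yourpractice.com": "v=DMARC1; p=reject; rua=mailto:dmarc@yourpractice.com; adkim=s; aspf=s",
    "google._domainkey.yourpractice.com": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AconstructedKey",
}

def parse_tags(txt):
    """Split a 'tag=value; tag=value' record into a dict (DKIM and DMARC share this shape)."""
    return {k: v.strip() for k, v in re.findall(r"([a-z]+)\s*=\s*([^;]*)", txt)}

def check_spf(txt):
    # SPF must exist and end with a terminator that tells receivers to reject or flag others
    if not txt or not txt.startswith("v=spf1"):
        return ["SPF: no v=spf1 record published at the domain"]
    last = txt.split()[-1]
    if last in ("+all", "all", "?all"):
        return [f"SPF: '{last}' lets anyone send as your domain without penalty"]
    if last not in ("-all", "~all"):
        return ["SPF: record does not end in an 'all' mechanism"]
    return []

def check_dkim(txt):
    # DKIM record must exist at the selector and carry a non-empty public key
    if not txt or not txt.startswith("v=DKIM1"):
        return ["DKIM: no v=DKIM1 record at the expected selector"]
    if not parse_tags(txt).get("p"):
        return ["DKIM: empty p= means the key is revoked; signatures will not verify"]
    return []

def check_dmarc(txt):
    # DMARC must enforce (quarantine/reject) and ask for aggregate reports
    if not txt or not txt.startswith("v=DMARC1"):
        return ["DMARC: no v=DMARC1 record at _dmarc"]
    tags, findings = parse_tags(txt), []
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={tags.get('p', 'missing')} only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return findings

def audit_domain(domain, records, selector="google"):
    """All findings for one domain; an empty list means SPF, DKIM and DMARC all pass."""
    return (check_spf(records.get(domain))
            + check_dkim(records.get(f"{selector}._domainkey.{domain}"))
            + check_dmarc(records.get(f"_dmarc.{domain}")))
```

Swap the dictionaries for the TXT records you pull from DNS for your own domain; an empty result from `audit_domain` means all three records are in their enforcing form.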
The same general shape applies to Microsoft 365: paid business plan, confirm the BAA covers your subscription, enforce MFA, lock down sharing, document it.
The hard part: clients who email you from their personal account
You can run flawless compliant email and still face this. A client emails your practice address from their own personal Gmail, types out something deeply personal, and hits send. You didn't choose their email provider. So what now?
Two things are true here, and they matter.
First, HIPAA does not punish you for what arrives in your inbox. You aren't responsible for the security of the client's email provider. Receiving an unencrypted message from a client is not, by itself, a violation on your part.
Second, your reply is squarely your responsibility. This is where therapists slip. If you reply by quoting their whole message back and adding clinical detail, you've now originated PHI from your side. Send that reply through your compliant email — and be thoughtful about how much you put in it.
There's also a real provision worth knowing. Under the Privacy Rule, a client can request to receive communications by unencrypted email (this lives in the right to confidential communications at §164.522(b), reinforced by OCR's guidance on individual access at §164.524). If you've told them the risks and they've confirmed in writing that they accept those risks, you may communicate with them that way.
But keep this exception in its lane. It is a documented, per-client accommodation — it does not make your overall email setup compliant, and it doesn't let you run your whole practice off unencrypted mail. Treat it as a tool for the occasional client who insists, not as your infrastructure.
A clean, practical policy looks like this:
- Reply through your compliant email, always.
- Keep replies minimal — confirm logistics, move clinical conversation to a session or your secure portal.
- If a client wants to keep using plain email, capture their written request and your risk acknowledgement, and store it.
- Note your handling of inbound client email in your written policies, so your approach is consistent and documented.
What therapists get wrong most often
In rough order of how often it shows up:
- "My email uses encryption, so I'm compliant." Encryption without a BAA is not compliance. The BAA is the foundation.
- "I only put the name and appointment time, nothing clinical." The name plus the fact you're their therapist is already PHI.
- "I made a separate free Gmail just for clients." A second free account is still a free account. Same rules, same gap.
- "My EHR has secure messaging, so my email doesn't matter." Only true if you genuinely never email clients from your own address. The day you send one confirmation from a non-compliant inbox, the gap is back.
Where this leaves you
Compliant email comes down to a short, unglamorous list: a signed BAA, encryption in transit and at rest, controlled access, PHI kept inside covered services, and a basic audit trail. Pick a provider that will sign the BAA — Google Workspace, Microsoft 365, Hushmail, or Paubox are all defensible choices — configure it, document it, and handle inbound client email with a consistent policy.
Email is one vendor relationship among many. Your EHR, your scheduler, your telehealth platform, your cloud backup, your billing service — each needs its own BAA and its own scrutiny. Getting email right is real progress, but it's one item on a longer list.
Take the next step
Not sure where your practice stands? Yundra's free HIPAA risk assessment takes 25 minutes and gives you a clear compliance score with specific gaps identified. No credit card required.