HIPAA Compliant Email, hipaa email, PHI

HIPAA Compliant Email for Therapists


October 23, 2020 | Reading Time: 3 Minutes

Please support Telehealth.org’s ability to deliver helpful news, opinions, and analyses by turning off your ad blocker. How

Although email is a convenient means of communication, using email to communicate sensitive information poses some risk to those who trust you to protect their privacy and have a legal duty to maintain their confidentiality. Privacy is your client’s or patient’s right to seclude themselves and their information by expressing themselves selectively. Confidentiality in healthcare is the professional’s legal duty to protect the privacy of those who entrust them with care. These issues quickly surface when using email to communicate patient-protected health information (PHI), especially for therapists and behavioral health professionals. While using secured email is a better choice than not in most instances, there are circumstances that warrant using unsecured email if needed. To give providers guidance on how to use email to communicate PHI, both unsecured and secured, HIPAA compliant email for therapists is discussed below.

What about Unsecured Emails?

In June of 2019, the American Psychological Association published a response to a question from a psychologist about their responsibilities involving using unsecured email with a patient. A representative from APA’s legal office responded that, indeed, an unsecured email could be at risk.  Suggested actions are:

  1. Explain the risks.
  2. Manage your protocol to protect patient’s protected health information(PHI).
  3. Consider encryption.
  4. Document Your Decisions. HIPAA requires that professionals evaluate and document their responsibilities and decision-making process (PDF, 3.63MB)

In the article below, these suggestions are detailed in bullet form to help you quickly and easily develop your own approach to using unsecured and HIPAA-compliant emails with clients or patients.

What are the Risks of Using Email to Communicate PHI?

When determining whether or not to use email to communicate protected health information (PHI), it is important to consider and warn patients about the risks of using email for clinical communications.

  • Shared Devices. When patients share their computers with another individual, there is potential for their PHI to be inadvertently exposed to other members of their household. This poses a risk, especially for those patients in an abusive relationship.
  • Email Errors. Before sending an email containing PHI, it is important to double-check the recipient’s email address before sending it. It is recommended that email addresses are confirmed with the patient for correct spelling before sending an email.
  • PHI in Email Subject Lines. PHI should never be in an email subject line. Email subject lines cannot be encrypted, so if an unauthorized individual accesses the email, accesses the email Group Emails. Group emails should never be sent to clients or patients. Email addresses are considered PHI under HIPAA, so when group emails are sent to a patient, their email address is viewable to other recipients.

HIPAA Compliant Email: Develop Email Protocols

With just a few minutes, any professional can develop and document a few simple procedures to compile a HIPAA-compliant email to protect everyone involved.

  • Delete previous portions of email when responding to a client’s or patient’s email.
  • Only use first names.
  • Double-check email addresses before sending your outgoing message.
  • Make it a practice to glance at the To line before clicking the “Send” button.
  • Use a delay feature for an outgoing email that allows you to retract “Sent” mail before it actually leaves your computer.

Consider Encryption

Not all email providers have the proper security features to ensure the confidentiality, availability, and integrity of PHI. When choosing a secured email provider, the following should be considered:

  • Encryption. To prevent unauthorized disclosures of PHI, encryption is a necessary component of HIPAA-compliant email for therapists. Encryption masks data so that unauthorized individuals cannot read it. However, as previously mentioned, email subject lines cannot be encrypted, so they should never contain PHI.
  • Audit Logs. Keeps a record of access to PHI to ensure adherence to HIPAA standards.
  • Access Controls. Limits access to PHI to only those that require access.
  • User Authentication. Email providers that include two-factor authentication are more secure. Two-factor authentication utilizes multiple login credentials to confirm a user’s identity, such as a username and password combined with a security question or one-time PIN.

HIPAA Compliant Email for Therapists: Business Associate Agreements

Software providers, including email providers, are considered business associates. Before it is permitted to share PHI, they must sign a business associate agreement (BAA). Not all email providers will sign a BAA, especially for their free versions, and therefore cannot be used in conjunction with PHI.

See Telehealth.org’s What is HIPAA for Healthcare Workers? to learn more about the HIPAA Privacy Rules for Healthcare professionals.

Essential Telehealth Law & Ethical Issues

Bring your telehealth practice into legal compliance. Get up to date on inter-jurisdictional practice, privacy, HIPAA, referrals, risk management, duty to warn, the duty to report, termination, and much more!

Introduction to Telehealth Theory & Practice

Enjoy a fast-moving overview of telebehavioral and telemental health. Understand the key points related to telehealth clinical, legal, ethical, technology, reimbursement, social media and other pivotal issues.

Ethics of Texting: Do’s and Don’ts

Explore clinical, legal & ethical requirements for text messaging with clients & patients.

Disclaimer: Telehealth.org offers information as educational material designed to inform you of issues, products, or services potentially of interest. We cannot and do not accept liability for your decisions regarding any information offered. Please conduct your due diligence before taking action. Also, the views and opinions expressed are not intended to malign any organization, company, or individual. Product names, logos, brands, and other trademarks or images are the property of their respective trademark holders. There is no affiliation, sponsorship, or partnership suggested by using these brands unless contained in an ad. Some of Telehealth.org’s blog content is generated with the assistance of ChatGPT. We do not and cannot offer legal, ethical, billing technical, medical, or therapeutic advice. Use of this site constitutes your agreement to Telehealth.org Privacy Policy and Terms and Conditions.

Was this article helpful?

Please share your thoughts in the comment box below.

Notify of
Inline Feedbacks
View all comments

Register for Free

Receive Any of Our 57 FREE Newsletters!


Most Popular Blog Topics

You May Also Like…

ChatGPT HIPAA Considerations
ChatGPT HIPAA Considerations

ChatGPT HIPAA compliance is one of the hottest topics at 2023 conferences and with good reason. AI...