What to know about HIPAA compliant email for therapists

Learn how to choose a HIPAA-compliant email service for your therapy practice, what features to look for, and which providers meet legal and ethical standards.

September 5, 2025

By Savanah Harvey, AMFT

6 min read

Choosing the right HIPAA compliant email service is important in helping protect your clients’ privacy. Ahead, learn what to look for, which providers to trust, and how to stay aligned with legal and ethical standards.

Why HIPAA compliance matters for email communication

As therapists, we’re trusted with some of the most personal, private, and vulnerable parts of our clients’ lives. That confidentiality doesn't end when a client walks out the session door; it extends to how we handle their protected health information (PHI), including over email. PHI includes any information that could identify an individual and relate to their health status, medical history, or healthcare. Some examples are medical records, insurance information, and genetic information.

HIPAA (the Health Insurance Portability and Accountability Act) sets federal standards for how healthcare professionals must protect PHI. If you're one of the many clinicians who use email to confirm appointments, send referrals, or respond to clinical questions, it's your responsibility to ensure those communications are secure and HIPAA compliant.

Everyday email services don’t meet HIPAA requirements on their own. Without the proper safeguarding technology, you risk exposing confidential client information and compromising the legal and ethical obligations of your practice.

What makes an email service HIPAA compliant?

A HIPAA-compliant email service goes beyond simply encrypting messages. It must include both technical and administrative safeguards to ensure that PHI is handled, stored, and transmitted securely. At minimum, a HIPAA-compliant email service should provide:

  • End-to-end encryption of messages both in transit and at rest (in storage)
  • Access controls so only authorized individuals can view PHI
  • Audit logs that record who accessed data, when, and how
  • Secure data backup and storage
  • A signed Business Associate Agreement (BAA) acknowledging the email provider’s shared responsibility in protecting PHI

Even with a secure platform, it's your responsibility as a clinician to use the system in ways that align with HIPAA standards. That includes creating clear internal policies, training any staff who use email, and documenting your efforts to stay compliant.

Top HIPAA-compliant email providers for therapists

If you’re looking for a HIPAA-compliant email service, here are some therapist-trusted options that offer the required safeguards and Business Associate Agreements (BAAs):

  • Hushmail for Healthcare: Encrypted email with a user-friendly interface and customizable web forms. BAA included.
  • Google Workspace (with BAA): Gmail can meet HIPAA requirements, but only when used through Google Workspace with proper configuration and a signed BAA.
  • Microsoft 365 (with BAA): Outlook is a compliant option when set up through Microsoft’s business-level plans.
  • Paubox: Offers seamless end-to-end encryption without requiring clients to log into a separate portal.
  • LuxSci: Known for robust security features and widely used in healthcare settings.

If you’re a Headway provider, you also have access to secure, built-in messaging that meets HIPAA requirements, making it easy to stay compliant and communicate with clients directly through the platform.

Can I use Gmail or Outlook for HIPAA-Compliant email?

As mentioned above, yes, but only with the right setup. Standard personal Gmail or Outlook accounts (the kind most people use) are not HIPAA compliant. Simply using a password-protected or free account is not enough under HIPAA guidelines.

To meet HIPAA requirements, you must use Google Workspace or Microsoft 365 for Business, and sign a Business Associate Agreement (BAA) with either Google or Microsoft. Once you have a signed BAA, you'll need to configure your account to enable encryption and manage access controls.

If you’re not sure whether your current email setup is compliant, we recommend consulting a HIPAA expert, or considering safer options altogether, such as Headway’s secure, encrypted messaging feature.

Best practices for using email in a HIPAA compliant way

Having a HIPAA-compliant email provider is the first step, but knowing how to use email matters just as much.

To protect client privacy and stay aligned with compliance standards, here are a few essential practices:

  • Limit PHI in emails whenever possible. A good rule of thumb is “less is more.”
  • Use secure messaging platforms (like Headway’s built-in tool) for clinical conversations.
  • Get informed consent from clients before using email, and clearly explain its risks and limitations.
  • Double-check email addresses before sending to avoid accidental disclosures.
  • Don’t use your inbox for storage; instead, document clinical information in your double-lock secure notes system.
  • Keep your devices secure, with up-to-date software and encryption where possible.

Email can be helpful, but if you're ever in doubt, take a moment and pause. Remember that email is not a replacement for secure clinical communication. A few extra seconds can prevent major compliance missteps and help you keep trust at the center of your care.

Alternatives to email: Secure client portals

While HIPAA-compliant email has its place, many therapists are shifting to secure client portals for a more seamless and confidential experience. These platforms go beyond messaging. They often include encrypted communication, appointment reminders, documentation, and billing, all in one centralized, accessible place. Headway makes this easy with a messaging system that includes secure intake forms, automated reminders, and encrypted communication between you and your clients. It’s a simple, effective way to reduce compliance worries and keep everything organized. Join Headway to use this tool — and many others — all designed for compliance, efficiency, and ease.

This content is for general informational and educational purposes only and does not constitute clinical, legal, financial, or professional advice. All decisions should be made at the discretion of the individual or organization, in consultation with qualified clinical, legal, or other appropriate professionals.

© 2025 Therapymatch, Inc. dba Headway. All rights reserved. No part of this publication may be reproduced without permission.