Hello! I’m Roy of Person Centered Tech. We know that you want to focus on your clients, so we provide articles, tools, and continuing education on how to best serve clients in the digital world.

(Sign up for other free articles addressing topics such as: telemental health, HIPAA, and practical technology tools!)


A red door with a letter slot in it, with the word "Private" written above the slot

Photo by Dayne Topkin on Unsplash

Email is old tech by Internet standards, and tech companies have been trying to get it to catch up with the modern world for a while now. With all that’s been happening in the email world, it’s hard to make ethical and HIPAA-friendly choices without a little bit of knowledge.

In this article, we here at Person Centered Tech will help you understand the basic lay of the email land so you can choose the email service(s) you need for optimum client service and security.

What Happens When You Send an Email?

Emails live out their virtual lives in three places that we need to think about:

1) Sitting on your computer/smartphone or on the client’s computer/smartphone.

2) Sitting in your email provider’s data center or in your client’s email provider’s data center. (A “data center” is a place where companies house lots of server computers with gigantic Internet connections.)

3) Moving across the Internet between all those things.

A diagram with a therapist at her computer on the left. Red arrows indicate the Internet connecting her to a building labeled, "Tmail." Red arrows representing the Internet connect that building to another building labelled, "Cmail." Red arrows representing the Internet connect that building to a client.

Here we see a therapist and a client exchanging emails via their services at “Tmail” — for TherapistMail — and “Cmail” — for ClientMail. Any resemblance to actual email services living or dead is purely intentional.

In the diagram above, we see the therapist, the client, and their email services’ data centers connected by red arrows that represent the Internet.

When an email crosses the Internet to get to its next destination, it passes through many different machines on the way. If that email’s content isn’t obscured by encryption, then it can be read by all of those machines through which it passes.

If the therapist has a HIPAA Business Associate Agreement with Tmail, then she’s fine by HIPAA when she allows Tmail to handle and send the email for her. It’s those pesky Internet connections she still has to worry about.

Fortunately, the Internet connection between the therapist and Tmail is very likely protected by encryption. It’s rare that email services don’t use an encrypted “tunnel,” as it were, for Internet connections when we’re sending emails or downloading emails.

So if the therapist has that all-important BAA with Tmail, then the first leg of the Internet trip is well protected in nearly every case. The same will go for the leg of the Internet trip between Cmail and the client.

It’s that leg in the middle that causes most of the problems:

The "Tmail" building from the previous diagram is on the left, it is connected by red arrows representing the Internet to the "Cmail" building from the previous diagram. The other parts of the previous diagram are not present.

Will Tmail and Cmail help each other out with some encryption? Let’s find out!

What happens in that leg of the Internet trip? In the words of Ethics professors everywhere, “It depends!” Let’s explore the possibilities in the form of the three kinds of email security as described by Person Centered Tech.

Three Different Kinds of Email Security

Least Reliably Secure: Conventional Email

When sending between the two data centers, email is typically sent “as-is.” The email can be read by anyone with access to the one of the many machines that the email passes through on its way across the Internet. That is how classic conventional email works.

Email was invented very early in the Internet’s life, when the people who were working with it didn’t anticipate a need for security (yes, really). So in this middle leg of the Internet trip, conventional email is sent “in the clear” across the network without anything to hide its contents from prying eyes.

Sometimes, however, modern email companies will make arrangements to use encryption when sending emails to each other. When they do this, they turn a conventional email into a “TLS-Secured Email,” described below. Many companies are working on doing this as often as possible. You can read about it in our article on “safer email.”

Even though conventional email sometimes gets spontaneously upgraded to TLS-Secured email like depicted below, you can’t predict this upgrade and you usually can’t rely on it except in certain specific situations. See our article on “safer email” for some examples of that.

Second-Most Reliably Secure: TLS-Secured Email

The previous diagram is repeated, except that the building on the left has a speech balloon saying, "TLS?" The building on the right has a speech balloon saying, "Yep!" In between them, there is a locked padlock on top of the red arrows that represent the Internet.

Tmail and Cmail decide to use a TLS-secured connection!

Like described above, we get TLS-secured email when the email providers involved in an exchange agree to use encryption. You usually don’t know when this has happened, except in a few cases. Rob Reinhardt shows us how to find that info on Gmail in his article here.

TLS-secured email is simple to use, and it helps ensure that emails are encrypted all the way across an Internet transmission. It does not, however, secure emails from any prying eyes that may be present when an email sits in a client’s email provider’s data center or on the client’s computer/smartphone. It only protects transmission across the Internet.

For most clients, there is little to no additional risk posed by that situation. For others, important risks can remain. For more details, see our article on non-Internet risks in using email.

TLS-secured email isn’t feasible 100% of the time because it requires cooperation from the receiving email provider. Without such cooperation, conventional email services will just go ahead and send the email without any encryption!

Most Reliably Secure: Escrow Email

From our previous diagram, the "Tmail" label on the building on the left has been replaced by the label, "Escrowmail." Above that building is an enveloped with the phrase, "Click to Read," written on it. The implication is that the "Click to Read" message is being sent over to the building on the right, which is still labeled, "Cmail." Between the two buildings is the red arrows representing the Internet. Over the arrows is a padlock with a question mark over it, representing that we don't know if that leg of the Internet trip is secured or no. To the right of the Cmail building is the client, connected to the Cmail building by red arrows representing the Internet. Coming from the bottom of the client is blue arrows, also representing the Internet, going from the client all the way back to Escrowmail. At the point where the blue arrows meet the Escrowmail building, there is an envelope with the words, "Secret Msg" written on it.

Our therapist has ditched Tmail and is now using Escrowmail in order to make sure that messages are super safe from prying eyes.

Escrow email is so-called because your email service will hold on to your secure message “in escrow,” and invite the intended recipient to come over to their website and read your secure message there.

Escrow email is the kind where you get an email that says, “Your clinician has sent you a secure message. Click here to go read it.” You then click the provided link and it takes you to a webpage on the escrow email provider’s site. Then you do something to authenticate your identity, such as log in to a client portal account, answer a security question, or something like that. After authenticating, you can read the secure message right there on the same webpage. Many hospitals and medical clinics now use escrow email regularly.

Escrow email can be annoying to use, but it provides the best and most reliable and security. Escrow emails never end up in clients’ inboxes or on their phones or computers because they don’t actually get sent over the Internet. Sometimes, for clients, that’s an annoyance. But when you need to ensure that your message or attachment stays away from interlopers in the client’s life, escrow email is one of your best bets.

Even if a snooping employer, school administrator, roommate, or domestic abuser can get into your client’s email account, they likely can’t access the contents of any escrow-secured emails you’ve sent the client. (That is not true of TLS-secured email, which is only secured while it travels over the Internet to the client’s email service.)

This free, informative article is brought to you by Hushmail,
who is offering our readers 15% off for life!
Wondering why this is here? See our sponsorship policy for details.

Hushmail Image

Roy with coffee mugRoy says: Hushmail is one of several secure email options that serves health care practitioners like us. Hushmail is highly trusted, affordable, includes secure forms for your web page, and has earned a recommendation from us for use by mental health professionals. Learn more about Hushmail for Healthcare and get 15% off for life.
(Disclosure: Roy now does a small amount of consulting for Hushmail to make their product better for mental health professionals.)

Which Kind of Email Should You Use?

Reasons to Use Conventional Email

There are a couple reasons why conventional email can be attractive to both clinicians and clients:

1) For a particular client, there may be no other choice if they want their therapist to send them emails. It is possible to use conventional email without TLS security and remain HIPAA compliant, although the circumstances are somewhat restricted. See our article on unsecured email and texting for more details.

2) Most (or perhaps all) of the email services that are willing to enter into HIPAA Business Associate Agreements are also willing to engage in TLS security with other email services. Google’s GSuite and Microsoft’s MS 365 are notable examples of such conventional email services.

So if you do it properly and with intentionality, there are several ways that you can use conventional email services — and secure email services that are capable of conventional email, like Hushmail and LuxSci —and maintain HIPAA compliance.

Reasons to Use TLS-Secured Email

There are a few reasons why TLS-secured email can be attractive to both clinicians and clients:

1) Many clients don’t have reason to worry about snooping administrators, bosses, housemates, stalkers, and the like. For them, TLS-secured email covers the email-related security risks that really need to be addressed by the therapist for that client.

For these situations, there are secure email services — most notably Paubox — that default to TLS-secured emails and can fall back on escrow email when a TLS-secured connection is not available.

2) The therapist may only be worried about HIPAA compliance and have little concern for issues beyond that. The scope of your HIPAA requirements around sending an email generally stop once the client’s email service receives the email. Whatever happens after that is likely not covered by HIPAA.

However, it may be worth considering what your ethics codes and colleagues would say regarding professional standards on this point.

We see the previous diagram with Tmail, Cmail, and the client in it. They are, again, connected to each other by red arrows representing the Internet. At the point where the red arrows coming from the Tmail building meet the Cmail building, there is a tall blue line acting as a separator. On the left side of the blue line (where the Tmail building sits) is text reading, "Your HIPAA Zone." On the right side (where the Cmail building and the client sit) is text reading, "Usually Not HIPAA Zone (But Ethics...?)"

The HIPAA Security Rule requires you to secure electronic protected health information that you “create, receive, maintain, or transmit.” After you transmit an email to a client, it usually becomes the client’s own responsibility under HIPAA once their email service receives it.

3) Perhaps the therapist and client agree to only use TLS-secured email the same way they would use conventional email: for low-risk communications about schedule changes and the like. The TLS security means that even these small messages can’t be spied on as they pass over the Internet, and the client would ostensibly know that these messages are safe in their own inbox and on their own computer/smartphone.

Reasons to Use Escrow Email

There are a few reasons why escrow email can be attractive to therapists and to clients:

1) It’s a great way to send very secure documents and messages to people. When clients need records disclosed, letters of summary, superbills, etc., escrow email is great. When clients know that something is really sensitive, they rarely find the inconvenience to be all that bad.

2) Escrow emails can expire. This means that a sensitive document or message can be sent to a client and then, after some period of time, be rendered unavailable to them. This ensures that bad guys who really want to pry and get into those escrow email messages have a limited time to accomplish their nefarious goal.

An email sent directly to the client can’t be taken back, which makes expiring messages impossible with conventional or TLS-secured email. Escrow services can do it. Note that the therapist’s escrow email service can (and usually does) still keep the message in the therapist’s “Sent” folder for permanent access. That way the therapist can access it indefinitely, but no one else can.

Person Centered Tech’s Recommendation

You should get a secure email service!

Pretty much all secure email services designed for health care will do escrow email. Some will do the try-TLS-but-fall-back-on-escrow thing, too. See all of our reviews of secure email services here.

Some therapists have a HIPAA-friendly conventional email service (e.g. GSuite or Microsoft 365) and also a HIPAA-friendly secure email service. Why? GSuite and MS 365 include a ton of other great features which are also covered by their HIPAA Business Associate Agreement. (As an aside: if clients are clamoring to send you convenient messages about scheduling and other small matters, secure texting is cheap and easily available these days. Read here for details.)

Some therapists integrate secure email services into their GSuite or MS 365 account. There are only a few such services available at any given time. Inquire with Google or Microsoft, or schedule your one-time free consult with Person Centered Tech to get more information about how to do that.

Still other therapists just use a single secure email service for all their email needs, whether it’s conventional, TLS-secured, or escrow.

There’s no one right choice for everyone. Simply examine your practice’s email needs, compare them to the options available, and make the best choice for you and your clients.

If you need any guidance, we’re here to help. Members can submit Office Hours questions here. If you’re not a member yet, try scheduling a 10-minute free consult with us to see how we can help you: (503) 893-9717 | info@personcenteredtech.com.

Kiddo with hand on tablet screenJoin Our Telemental Health Certificate Program For The Best Standards-Based Training Available

Get certification of completing a standards-based telemental health program taught by one of the top experts in the nation.

Learn More


Person Centered Tech: we will demystify the legal and technical topics that are required of your profession and provide you with education and tools required to help make your business successful for you, and digitally safe for your clients. PCT is here to help you achieve your personal gold standard of client-centered care in privacy and security.


Person Centered Tech’s membership filters the noise of technology through education, customizable tools, expert consulting with direct answers and tried and tested recommendations to provide you with a clear, manageable pathway to provide excellence in care — all while you get your CE hours!


Get Our Articles and Free Resources by Email

green arrow pointing down Sign up to get authoritative articles in your Inbox, our whole collection of mental health private practice forms for tech ethics and HIPAA, consent forms for email and texting, 2 free CE hours, and much more!