Archived: Is Email HIPAA Compliant?

This article has been archived due to outdated information. The current version can be found here:

Originally Published: January 12th, 2013
Archived: April 18th, 2016

Most clinicians have heard by now that email is low-security, and those of us who are required to be HIPAA compliant need to be careful about email or not use it at all.

Basic email has no security: there is no way to verify the sender of an email, and everyone who can see the Internet path that an email travels along (which is a lot of people) can see the entire contents of the message. Email is like a postcard that gets passed through the hands of numerous people, who may or may not be authorized postal workers.

Email is part of a modern culture of highly open, no-security communication, and we as clinicians find ourselves using it for sensitive conversations despite our usual vigilance around confidentiality.

Sensitive communications? No, I only use it for scheduling and things like that.

That’s good. Really. But consider this analogy: If you needed to ask your client about changing an appointment time, would you send a letter to their workplace that is clearly marked as being from “Jane’s Mental Health Therapy Services” and addressed specifically to the client? I’m sure you wouldn’t, if only because it’s a silly idea. It could also easily violate the client’s confidentiality, right?

We therapists are very sensitive to confidentiality when it involves the physical world. Shouldn’t we apply that same vigilance to the digital world?

I think of emails as having two parts: the envelope and the message. The envelope contains the sender’s address, the recipient’s address, and the subject line. Even if your message is innocuous enough, the envelope alone exposes that this is a communication between you and the client, and it’s not far-fetched to infer that one person in this relationship may be receiving mental health services. That inference is confirmed if the message contains information like appointment discussions, billing information, or other practice business.
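As an added illustration (not part of the original article), the following Python script builds a constructed email, separates the “envelope” fields from the message body, and then swaps the body for an opaque placeholder standing in for end-to-end body encryption. Every relay on the path can still read the sender, recipient and subject, which is exactly the exposure the paragraph above describes. The names, addresses, subject and message text are invented, and the placeholder is not real cryptography.

```python
"""Added example, not part of the original article: separate the "envelope"
of an email (sender, recipient, subject) from its message body, and show that
protecting only the body still leaves the envelope readable to every relay on
the path. All addresses, names and message text below are constructed."""
from email import message_from_string
from email.message import EmailMessage

# The header fields the article calls the "envelope". A mail relay or an
# eavesdropper on a plaintext hop can read these even if the body is encrypted.
ENVELOPE_FIELDS = ("From", "To", "Subject")


def build_message(sender, recipient, subject, body):
    """Assemble a plain RFC 5322 message and return it as raw text."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_string()


def envelope_of(raw):
    """Return the envelope fields present in a raw message."""
    msg = message_from_string(raw)
    return {name: msg[name] for name in ENVELOPE_FIELDS if msg[name] is not None}


def body_of(raw):
    """Return the decoded text body of a raw message."""
    msg = message_from_string(raw)
    return msg.get_payload(decode=True).decode("utf-8")


def with_opaque_body(raw):
    """Hypothetical stand-in for end-to-end body encryption (S/MIME or PGP do
    this for real): replace the body with an opaque placeholder and leave
    every header untouched. No real cryptography is performed here."""
    msg = message_from_string(raw)
    msg.set_payload("[encrypted body - placeholder, not real ciphertext]")
    return msg.as_string()


def leaked_terms(raw, terms):
    """Which of the given sensitive terms an observer can still read from the
    envelope alone (case-insensitive match)."""
    visible = " ".join(envelope_of(raw).values()).lower()
    return [t for t in terms if t.lower() in visible]


if __name__ == "__main__":
    # Constructed sample: a therapist emailing a client at their work address.
    raw = build_message(
        "Jane's Mental Health Therapy Services <jane@therapy.example>",
        "alex@employer.example",
        "Changing Tuesday's appointment",
        "Hi Alex, can we move Tuesday to 3pm?",
    )
    sealed = with_opaque_body(raw)
    print("Envelope after body-only protection:", envelope_of(sealed))
    print("Body seen by a relay:", body_of(sealed))
    print("Terms still exposed:",
          leaked_terms(sealed, ["Mental Health", "appointment", "3pm"]))
```

The point of the script is that “Mental Health” (from the sender name) and “appointment” (from the subject) survive body-only protection, while “3pm” does not. Hiding the envelope as well requires moving the whole exchange into a channel that protects metadata, such as a secure messaging portal, rather than bolting encryption onto the body of an ordinary email.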

But email is what people use. Why should we be behind the times?

Actually, we need to be ahead of the times. The developed world of today uses a no-security approach to communications, but is slowly moving away from that.

For example: Gmail is not secure email, but Google has added security to some aspects of how we use its various services. This was in response to privacy violations that occurred when bad actors managed to eavesdrop on interactions with Google, to see what people were searching for, or to read their Gmail messages.

Another example: the latest iPhone software (iOS6 and greater) uses the supposedly-secure iMessage software instead of SMS (the normal system for text messaging) when texting from iPhone-to-iPhone. This was also in response to demands for greater privacy.

If consumers are pushing for security when they want to trade funny cat pictures, shouldn’t we be demanding security for when we communicate with our clients?

So I should never send email to a client?

In a vacuum, yes. There are times when unsecured email is called for, however. Elizabeth Johnson wrote a wonderful article about a circumstance where clinicians may find it appropriate to send an unsecured-yet-sensitive email. Sometimes we find ourselves trapped between our security mandates — like securing emails — and our other, more vital client-service mandates. What do you do? You send the email, of course.

It’s not a cut-and-dried, “yes” or “no” thing, but the better you’re set up to make client communications secure and private, the easier it will be to address each situation.

Alright, so what do I do instead?

The simplest solution is to get an email service that can do secured (sometimes just called “encrypted”) email. Many people use Hushmail, but there are other options, as well. Simply do a Google search for “encrypted email” or “hipaa-compliant email” and you’ll find a lot of options.

Another solution is to abandon email for a different way of exchanging messages. Some online practice management systems include secure messaging with clients. Some electronic health record systems also include “patient portals,” which provide all kinds of patient-clinician communications services.

Whatever you do, the biggest challenge will probably be in justifying the inconvenience of security to clients and to yourself. The more you believe in it and advocate for your clients’ confidentiality, however, the easier it is.

Update (3/18/2013): The HIPAA omnibus final rule, which was released in January of 2013, clarified that it is acceptable for clients to authorize the use of email to communicate protected health information. Clients need to be informed of risks and, despite the risks, decide to authorize the emails. Authorization is more than just informed consent, though. It’s a more formal process which specifies what is being authorized and provides a cutoff date or triggering event that ends the authorization. Your release of information form is likely also an “authorization” form.

When clients authorize the use of email to communicate, it is a form of accepting a risk and foregoing security measures. For that reason, I advise you to document in that client’s record the reasons for accepting the risk and using unsecured email. See our article on client consent to receive email under HIPAA here.


Rob Reinhardt’s excellent article series on cloud-based practice management systems. Many of the systems he reviews likely include “client portals” and/or secure messaging with clients:

Some secure email services I know work well:

How can I learn more about email in practice?

The topics in this article are covered in our online CE courses: Digital Ethics, Security & Privacy in Psychotherapy Practice Management (4 CE hrs, $39) at the Zur Institute; and HIPAA Security and Privacy in Psychotherapy, Counseling and Mental Health Practices (10 CE hrs, $99), also at the Zur Institute.
