Email and texting are convenient—but convenience doesn't mean compliance. Standard email and SMS texting aren't HIPAA-compliant for protected health information, yet many therapists use them daily without realizing the risk.
This guide covers what's allowed, what's not, and how to communicate with clients while staying compliant.
## The Core Problem

### Why Standard Email Isn't Compliant

Regular email (Gmail, Yahoo, personal Outlook):
- Not encrypted end-to-end
- Stored on servers without HIPAA protections
- No Business Associate Agreement (BAA) available
- Vulnerable to interception
### Why Standard Texting Isn't Compliant

SMS text messages:
- Not encrypted
- Stored on carrier servers
- Can be intercepted
- No way to verify recipient
- No BAA with carriers
## What You Can and Can't Send

### Generally Safe (Minimal PHI)

| Content | Example | Risk Level |
|---|---|---|
| Appointment confirmations | "See you Tuesday at 3" | Low |
| General reminders | "Reminder: appointment tomorrow" | Low |
| Office information | "Our address is..." | None |
| Practice announcements | "Holiday schedule enclosed" | None |

### Not Safe (Contains PHI)

| Content | Example | Risk Level |
|---|---|---|
| Clinical content | "How's your anxiety this week?" | High |
| Session summaries | "Today we discussed..." | High |
| Diagnosis information | "Regarding your depression treatment..." | High |
| Medication discussions | "Have you started the medication?" | High |
| Scheduling with context | "Rescheduling your trauma session" | Medium |

### The Gray Area

Even appointment reminders can become PHI if the email address or phone number reveals that mental health treatment is occurring.

Example: An email to johnsmith@work.com saying "Reminder for your 3pm appointment at Anxiety Treatment Center" reveals PHI.
## Compliant Email Options

### Option 1: HIPAA-Compliant Email Services

Dedicated email services with encryption and BAAs:

| Service | BAA | Features |
|---|---|---|
| Hushmail | Yes | Healthcare-focused, easy setup |
| Paubox | Yes | Automatic encryption, no recipient action needed |
| Virtru | Yes | Encryption add-on for Gmail/Outlook |
| ProtonMail (Business) | Yes | End-to-end encryption |

How they work:
- Messages encrypted in transit and at rest
- Recipient may need to access secure portal
- Provider offers BAA
- Audit trails available
### Option 2: Business Email with BAA

Workspace-level email with healthcare configurations:

| Platform | BAA Available | Requirements |
|---|---|---|
| Google Workspace | Yes | Business plan, BAA enabled in admin |
| Microsoft 365 | Yes | Business plan, BAA in agreement |

**Important:** Personal Gmail and Outlook accounts don't qualify; you must use a paid business account with a signed BAA.

### Option 3: EHR Client Portal

Most practice management software includes secure messaging:
- SimplePractice → Client portal messaging
- TherapyNotes → Secure messaging
- Jane App → Client messaging

Advantages:
- Already covered under EHR's BAA
- Messages stored with clinical record
- Clients already have portal access
### Option 4: Don't Email PHI

Policy approach:
- Limit email to scheduling and logistics
- No clinical content via email
- All substantive communication in session or via secure portal
## Compliant Texting Options

### Option 1: HIPAA-Compliant Texting Platforms

| Platform | BAA | Features |
|---|---|---|
| Spruce | Yes | Practice communication platform |
| Klara | Yes | Patient messaging |
| OhMD | Yes | Two-way texting |
| EHR built-in | Varies | SimplePractice, etc. |

How they work:
- Messages sent through encrypted app or portal
- Not standard SMS
- BAA provided
- Messages retained and secured
### Option 2: EHR Messaging Features

Many EHRs include text-like messaging:
- Client receives notification
- Actual message in secure portal
- No PHI in the text notification itself
### Option 3: Limit Texting to Non-PHI

Policy approach:
- Text only: "Please call the office"
- Appointment reminders without clinical context
- No clinical discussions via text
## Client Consent and Preferences

### Informed Consent for Electronic Communication

Before communicating electronically:
- **Explain the risks:** even secure methods carry some risk
- **Get written consent:** document the client's agreement
- **Document preferences:** how does the client want to be contacted?
- **Allow opt-out:** the client can choose more secure methods
### Sample Consent Language

> I understand that electronic communication (email, text) carries some risk of unauthorized access despite security measures. I consent to receive the following via electronic communication:
>
> - ☐ Appointment reminders
> - ☐ General practice information
> - ☐ Billing information
> - ☐ Clinical communication (via secure portal only)
>
> I understand I may withdraw this consent at any time.
>
> Signature: _____________ Date: ___________
### What If a Client Sends PHI Via an Unsecure Channel?

You can't control what clients send. If a client texts you clinical information:
- Don't respond with PHI in the same channel
- Move conversation to secure platform
- Educate client about secure communication options
- Document your attempts to use secure methods
## Practical Implementation

### Recommended Setup

For email:
- Get HIPAA-compliant email or business workspace with BAA
- Use EHR portal for clinical communication
- Limit regular email to logistics only

For texting:
- Use EHR or compliant texting platform for anything beyond "call the office"
- Set clear boundaries with clients about text content
- Document communication preferences
### Communication Policies

Create written policies covering:
- What communication channels you use
- What can be discussed on each channel
- How to handle client requests for non-secure communication
- Response time expectations
### Documentation

Document:
- Client consent for electronic communication
- Client communication preferences
- Attempts to educate about secure options
- Any incidents involving non-secure communication
## Common Scenarios

### Scenario 1: Client Texts About Suicidal Thoughts

**The situation:** Client texts "Having thoughts of hurting myself"

**What to do:**
- Respond immediately—safety trumps HIPAA
- Assess safety via whatever means necessary (call, text back)
- Follow your crisis protocol
- Document the interaction
- Follow up about secure communication later

**HIPAA note:** Emergency situations permit disclosure/communication as necessary to prevent serious harm.

### Scenario 2: Client Wants Session Notes Emailed

**The situation:** Client asks you to email their session notes

**What to do:**
- Explain HIPAA concerns with regular email
- Offer alternatives: secure portal, encrypted email, mail, pickup
- If client insists on regular email after understanding risks, document consent
- Client can assume risk for their own PHI
### Scenario 3: Client Only Has Email, No Smartphone

**The situation:** Client can't use your secure portal app

**What to do:**
- Many portals have web access (no app required)
- Use encrypted email that doesn't require recipient to have special software
- Consider phone calls for clinical content
- Document limitations and consent
### Scenario 4: Quick Question Between Sessions

**The situation:** Client emails a clinical question and wants a response

**What to do:**
- If you have a secure portal, respond there
- If not, send a brief acknowledgment plus "Let's discuss at next session"
- For urgent clinical matters, phone call
- Document your communication approach
## Frequently Asked Questions

**Can I use iMessage? It's encrypted.**

iMessage is encrypted between Apple devices, but there is no BAA available from Apple, messages backed up to iCloud may not be secure, and it falls back to unencrypted SMS with non-Apple devices. Not recommended for PHI.

**What about WhatsApp?**

WhatsApp has encryption, but there is no BAA available, it shares data with Meta, and it is not designed for healthcare. Not recommended for PHI.

**Can I email appointment reminders?**

Generally yes, if no clinical content is included, the message doesn't reveal the treatment type, and the client has consented. Also consider: does your email address itself reveal mental health treatment?

**What if I only use email for billing?**

Billing information is PHI. If sending billing details via email, use compliant email or the client portal, or limit the message to "Your statement is ready in your portal."

**Do I need a separate phone number for texting clients?**

Not required by HIPAA, but recommended for professional boundaries, separating personal and work communication, and easier compliance documentation.

Email and texting are part of modern practice, but they require thoughtful implementation. Get compliant tools, educate clients about secure options, document consent, and keep PHI out of non-secure channels. Convenience isn't worth a HIPAA violation.