After a meaningful session, a client sends you an email filled with deeply personal details about their mental health. You reply right away, thinking only about offering support.
But if your email provider isn’t HIPAA-compliant, that quick response could trigger a privacy breach and a costly fine without you even realizing it.
One wrong click could cost you thousands, jeopardize your license, and permanently damage client trust.
For mental health professionals and other healthcare professionals, email remains one of the most convenient ways to share resources, send reminders, and answer client questions. Yet without HIPAA-compliant email services, any message containing protected health information (PHI) can become a serious liability.
This guide covers HIPAA-compliant email platforms, business associate agreement requirements, security features, and the best HIPAA-compliant email options for your therapy practice, so you can manage client communications with confidence and stay compliant.
What is HIPAA-compliant email?
HIPAA-compliant email means using an email platform that follows the privacy and security standards set out in the Health Insurance Portability and Accountability Act (HIPAA). These standards are designed to protect sensitive patient health information, including electronic protected health information (ePHI).
HIPAA requires that email communications containing PHI be stored securely, encrypted in transit and at rest, and only accessible to authorized users with proper access controls.
The three pillars of HIPAA-compliant email:
- Security measures: Encryption, secure authentication, multi-factor authentication, and regular audits.
- Administrative safeguards: A signed Business Associate Agreement (BAA) with your email provider.
- Technical compliance: Meeting the HIPAA requirements outlined in the HIPAA Security Rule.
Example of PHI:
“Jane Doe attended therapy for depression” – This is PHI because it links an identifiable person to a health condition.
Why HIPAA compliance matters for therapists
Using a compliant email service isn’t just about following HIPAA regulations; it’s about trust.
Key reasons to invest in HIPAA-compliant email:
- Protects client trust: Clients share highly sensitive data that must remain private.
- Avoids HIPAA violations: Fines can range from hundreds to tens of thousands of dollars per incident.
- Meets ethical duties: Safeguarding mental health records and client information is part of professional ethics.
- Ensures smooth communication with other healthcare providers: A compliant secure email service lets you collaborate without risking breaches.
HIPAA-compliant email vs. regular email services
Before we dive into providers, it’s important to understand why “regular” email services fall short.
On the surface, Gmail or Yahoo might seem secure enough, but they miss several key safeguards that HIPAA requires.
The table below breaks down the critical differences between standard email and true HIPAA-compliant email, so you can see exactly what’s at stake:
Feature | Regular Email (Gmail, Yahoo) | HIPAA-Compliant Email |
---|---|---|
Encryption | Not guaranteed | Mandatory: encryption for PHI in transit and at rest |
Business Associate Agreement (BAA) | Not available | Required & signed with provider |
Secure Messaging | No | Yes, often with portals or built-in secure options |
HIPAA Disclaimer | Not applicable | Must be included in emails containing PHI |
Access Controls | Basic login only | Limited access to authorized users; MFA required |
Audit Logs | Not maintained | Logs who accessed client data and when |
Security Measures | Spam filters only | Firewalls, MFA, phishing protection, incident response |
Staff Training | Not required | Staff must be trained to identify PHI and use secure messaging |
System Design | General consumer use | Built for healthcare needs & HIPAA Security Rule compliance |
Top HIPAA-Compliant Email Providers for Therapists
Below are some of the most trusted HIPAA-compliant email providers therapists use today.
1. Hushmail

Hushmail is a Vancouver‑based encrypted webmail service tailored for healthcare and legal professionals. It supports HIPAA compliance with encrypted emails, secure web forms, and a healthcare‑specific plan.
Pros
- Built‑in secure messaging and encrypted web forms for PHI
- Affordable healthcare plan starting at about $11.99/month
- Positive user feedback on Capterra and G2: easy to use, reliable customer support
Cons
- No native Android app; limited features like calendar or cloud storage
- Subject lines remain unencrypted, and OpenPGP encryption is performed server-side rather than on your device, which raises minor privacy concerns
- Password resets can be problematic: clients may lose access to earlier messages
Pricing
- Healthcare plan starts at $11.99/month per user
- Alternative plan: $24.99/month for up to five accounts, forms, e-signatures
2. Paubox

Paubox is an email encryption solution that delivers HIPAA‑compliant messaging directly to inboxes, with no portals or passwords required.
Pros
- Seamless encryption with no extra steps for recipients
- Clear tiered pricing with added inbound security and DLP features on higher tiers
- Users appreciate its transparency and ease of use, particularly integration with Google Workspace, and reliable customer service (G2).
Cons
- Pricier than basic email services
- Portal‑less design may limit control over retracting messages
Pricing
- Standard: from $29/month, includes encryption, secure calendar invites, forms, etc.
- Plus: from $59/month, adds malware/ransomware protection
- Premium: from $69/month, adds DLP and voicemail transcription
3. Google Workspace (with BAA)

Google’s Workspace suite (Gmail, Drive, etc.) can be HIPAA‑compliant if configured correctly and used under a signed Business Associate Agreement (BAA).
Pros
- Familiar, widely used email and productivity environment
- Robust infrastructure, advanced certifications, and strong integration options
- Straightforward way to add HIPAA compliance via BAA and configuration
Cons
- Requires the right plan (not Individual or Business Starter), BAA, and secure configuration; defaults aren't sufficient
- Additional configuration needed: encryption, audit logs, controls, training
- Combined pricing with secure layer (e.g., Paubox) can be costly (~$45–60/month for solo practitioners)
Pricing
Google Workspace Business plans generally start at about $6–12/user/month (varies by tier). For HIPAA, you must add a secure email provider, which increases costs.
4. Microsoft 365 (Outlook with BAA)

Microsoft 365 (formerly Office 365) can support HIPAA compliance when used under a BAA and configured with security controls.
Pros
- Rich suite of productivity tools with enterprise‑grade security
- Capabilities include S/MIME, DLP, encryption, audit logs, retention policies, eDiscovery, and mobile access controls
- Affordable base pricing (~$6/user/month), plus BAA setup
Cons
- Compliance depends entirely on correct configuration and policy enforcement
- Might need admin support and training efforts for secure setup
Pricing
Starts around $6/user/month for small‑business plans; this excludes any additional compliance tools or services.
5. LuxSci

LuxSci offers robust, HIPAA‑compliant email hosting geared toward security-conscious healthcare providers. It supports encrypted messaging, secure connectors for Google Workspace or Microsoft 365, custom forms, APIs, and high-volume delivery.
Pros
- Powerful encryption, flexible deployment, and advanced security features
- Supports high‑volume secure email workflows and detailed reporting
- Strong customer service and trust: long‑term users praise reliability and support (G2)
Cons
- More expensive than simpler options
- Slightly less seamless phone integration
Pricing
Pricing starts at roughly $4/user/month for basic email hosting; higher tiers cost more for additional features.
Side-by-Side Comparison of HIPAA-Compliant Email Providers
Below is a side-by-side comparison of the most popular HIPAA-compliant email providers, so you can see at a glance which might fit your practice best.
Provider | Signs BAA? | Best For | Pricing (approx) | Strengths | Weaknesses |
---|---|---|---|---|---|
Hushmail | Yes | Solo therapists needing forms | $12–25/month | Built-in forms, easy to use | UI limited, password quirks |
Paubox | Yes | Seamless encryption | $29–69/month | No‑portal delivery, secure features | Higher cost |
Google Workspace | Yes | Familiar productivity suite or practices already on Gmail | $45–60/month | Integrated suite, scalable | Needs careful HIPAA setup |
Microsoft 365 | Yes | Teams already using Office tools; larger practices | ~$6/user/month | Full-featured, flexible | Compliance via correct config only |
LuxSci | Yes | High-volume, security-conscious (tech-savvy) practices | From ~$4/user/month | Powerful, customizable, strong support | Higher complexity and cost |
How to choose the right HIPAA-compliant email service
When selecting a HIPAA-compliant email service, use this checklist to evaluate your options:
☐ Ease of use for both clients and staff
☐ Cost of the secure email service and any add-ons (secure web forms, PDF forms)
☐ Integration with your current practice tools (intake forms, scheduling, EHR)
☐ Security standards (encryption, MFA, audit logs)
☐ BAA availability – Will the provider sign a Business Associate Agreement?
☐ Reputation in the healthcare industry for reliability and support
☐ Extra features like secure messaging, encrypted forms, or spam/phishing protection
Not every provider fits every practice, so here’s a quick guide to match your needs:
- "I want zero setup hassle" → Paubox – Seamless encryption, no portals, clients don’t need extra logins.
- "I’m already on Gmail" → Google Workspace + Paubox – Keeps your existing workflow and adds compliance.
- "I need forms + secure email in one" → Hushmail – Built-in secure messaging and encrypted web forms.
- "I’m on Microsoft tools" → Microsoft 365 – Great for practices that already use Outlook and Teams.
- "I want maximum customization" → LuxSci – Ideal for tech-savvy, high-volume workflows.
Step-by-step: Setting up HIPAA-compliant email for therapists
- Pick a HIPAA-compliant email provider
- Sign the Business Associate Agreement
- Configure security measures: enable encryption, multi-factor authentication, and access controls
- Train your staff on HIPAA compliance and handling sensitive patient health information
- Include a HIPAA disclaimer in all emails
- Use secure forms and web forms for collecting sensitive data online
- Make sure every email account used for PHI is part of the compliant system
HIPAA Compliant Email: Do’s and Don’ts for Therapists
Do | Don’t |
---|---|
Use secure messaging for PHI when possible | Send PHI through free Gmail/Yahoo without a BAA |
Enable encryption and MFA on every email account | Skip encryption settings even when available |
Store mental health records and intake forms securely | Put PHI in subject lines |
Review email security twice a year | Forget to verify recipient addresses |
Train all staff handling client information | Ignore phishing and spam training |
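As an added example (not code from the article or from any provider it reviews), here is a small pre-send policy gate that enforces three rules from the Do/Don’t table on an outgoing message: no PHI in the subject line, no PHI to free consumer mail domains without a BAA, and a disclaimer on every PHI-bearing message. The PHI keyword list, the no-BAA domain list, the disclaimer phrase and the sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string, policy

# Constructed policy inputs (assumptions, not taken from any provider above).
NO_BAA_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "aol.com"}
DISCLAIMER = "may contain protected health information"
# Crude PHI indicators modelled on the article's "therapy for depression"
# example. A real DLP rule set uses far richer dictionaries and identifiers.
PHI_TERMS = re.compile(
    r"\b(depression|anxiety|ptsd|diagnos\w*|therapy|session notes?)\b", re.I)

def contains_phi(text):
    return bool(PHI_TERMS.search(text or ""))

def recipient_domains(msg):
    domains = set()
    for field in ("to", "cc", "bcc"):
        if msg[field] is not None:
            domains.update(a.domain.lower() for a in msg[field].addresses)
    return domains

def check_outgoing(raw):
    """Return policy violations for one RFC 5322 message; [] means it may be sent."""
    msg = message_from_string(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    violations = []
    # Don't: put PHI in subject lines. Subjects travel in cleartext even when
    # the body is encrypted, so they are never a safe place for PHI.
    if contains_phi(msg["subject"]):
        violations.append("PHI in subject line")
    if contains_phi(body):
        # Don't: send PHI to free consumer mailboxes that have no BAA behind them.
        for domain in sorted(recipient_domains(msg) & NO_BAA_DOMAINS):
            violations.append(f"PHI addressed to {domain} (no BAA)")
        # Do: include the practice's HIPAA disclaimer in every PHI-bearing email.
        if DISCLAIMER not in body.lower():
            violations.append("missing HIPAA disclaimer")
    return violations

# Constructed sample messages: one that breaks three rules, one that passes.
RISKY = ("From: therapist@practice.example\nTo: Jane Doe <jane.doe@gmail.com>\n"
         "Subject: Jane Doe - therapy for depression follow-up\n\n"
         "Hi Jane, here are the notes from today's session on managing depression.\n")
SAFE = ("From: therapist@practice.example\nTo: jane.doe@securemail.example\n"
        "Subject: Follow-up from today\n\n"
        "Hi Jane, the session notes are waiting in the secure portal.\n"
        "This message may contain protected health information.\n")
```

Run `check_outgoing(RISKY)` to see all three violations reported, and `check_outgoing(SAFE)` to see an empty list; in practice a gate like this sits in the outbound mail flow so a flagged message is held rather than sent.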
FAQs
Q1: What is the best HIPAA-compliant email for therapists?
A. Providers like Paubox, Hushmail, and Google Workspace (with BAA) are considered the best HIPAA-compliant email options.
Q2: Are all encrypted emails HIPAA-compliant?
A. No. You also need a BAA and must follow HIPAA regulations.
Q3: Can I use HIPAA-compliant email without secure web forms?
A. Yes, but adding secure forms can improve compliance when collecting sensitive information.
Q4: What’s the difference between secure email and HIPAA-compliant email?
A. Secure email may encrypt data, but HIPAA-compliant email meets all legal requirements, including signed BAAs and security standards.
Q5: Do I need HIPAA-compliant email if I never send PHI?
A. If there’s any chance PHI could appear in email communications, compliance is the safest choice.
Q6: How do I know if my email provider will sign a Business Associate Agreement (BAA)?
A. Check the provider’s HIPAA compliance documentation or contact their support team. Without a signed BAA, even encrypted services are not HIPAA-compliant.
Q7: Is it okay to use HIPAA-compliant email on my phone?
A. Yes, as long as your device is password-protected, supports encryption, and you’ve enabled remote wipe in case the phone is lost or stolen.
Q8: Can I send attachments through HIPAA-compliant email?
A. Yes, but ensure attachments containing protected health information are encrypted and sent through a secure channel provided by your email platform.
Q9: How often should I review my email security settings?
A. At least twice a year, or whenever your email provider updates their platform, to ensure all security measures are active and compliant.
Q10: Does HIPAA-compliant email protect against phishing attacks?
A. While most providers include spam and phishing filters, therapist training and vigilance are still essential for avoiding fraudulent emails.
Q11: Isn't Google HIPAA compliant?
A. Not by default. While Google Workspace can be made HIPAA-compliant, you must be on an eligible paid plan, sign a Business Associate Agreement (BAA) with Google, and configure security settings like encryption, MFA, and access controls. Without these steps, using Gmail for PHI would still violate HIPAA regulations.