As with all healthcare professionals in the United States, therapists need to be HIPAA compliant. They must follow the complex set of interlocking rules that make up the Health Insurance Portability and Accountability Act (HIPAA).

The purpose of these rules is to secure patients’ Protected Health Information (PHI), as defined in the HIPAA Security Rule, according to the criteria specified in the Privacy Rule. 

Learn more about the Security and Privacy Rules

Most therapists are solo practitioners who devote most of their professional time to helping patients, which can make taking the time to understand the complex requirements of HIPAA compliance a challenge.

This article is part of a series discussing various aspects of HIPAA compliance. Proton Mail is the world’s largest secure email provider, used by millions to protect their messages, and we provide HIPAA compliant email to thousands of organizations. In this article, we look at the aspects of HIPAA email compliance that are particularly relevant to therapists.

Read our past articles about HIPAA

Why therapists need HIPAA compliant email

Everyone is familiar with email, making it a great way for therapists to communicate effectively with patients. It’s also more convenient than phone calls or teleconferencing solutions, as it allows therapists to engage in long-form conversations while giving them greater control over their time.

Email is also much easier for lone therapists to manage than complex web portals, which can be difficult to operate without a tech support team’s assistance. 

However, a problem with most email services is that they are not secure. This is a major issue for therapists because their conversations often cover highly sensitive (and potentially damaging) personal matters. 

HIPAA allows patients to waive their right to secure email communication once all reasonable efforts have been made to alert them about the privacy risks this involves. But this is not an ideal solution, given the highly sensitive nature of the PHI that therapists discuss with their patients.

A much better solution for therapists is to use a HIPAA compliant email service that can ensure sensitive information exchanged by email will remain private.  

Types of sensitive data handled by therapists

Therapists often hear their patients’ innermost thoughts, so as a simple duty of care, it is vital that you secure all forms of their sensitive data. 

According to official Department of Health and Human Services guidelines, “generally, the Privacy Rule applies uniformly to all protected health information, without regard to the type of information.” This means that the following data is classed as PHI:

  • Patient’s name, contact details, profession, social security number, billing, and insurance details
  • Other personally identifiable information, such as photographs, fingerprints, and emergency contacts
  • Medical history and ongoing treatments
  • Family medical histories

Psychotherapy notes, however, receive special protections. These are defined as any notes “documenting or analyzing the contents of a conversation” held during a therapy session.

Therapists must keep psychotherapy notes separate from other forms of PHI thanks to the particularly sensitive nature of the data they contain — and because they are primarily only of use to the therapist who made them.

While also sensitive, information about medication prescriptions, how and when treatment is furnished, symptoms, prognosis, information contained in a patient’s medical record, or anything else tangential to the contents of a conversation are not considered part of psychotherapy notes.

Under most circumstances, a therapist can only disclose their notes to a third party with their patient’s express permission (except in situations involving abuse or where the patient threatens to harm others).

What to look for when picking the best email provider for therapists

Any email service a therapist considers for use for their practice should:

  • Sign a business associate agreement (BAA)
  • Use two-factor authentication to prevent unauthorized access to accounts
  • Use end-to-end encryption to secure emails 
  • Offer a way to send end-to-end encrypted emails to users of insecure third-party providers. Escrow email is a good example of this.
  • Allow secure (encrypted) sending of email attachments, such as PDF forms
  • Be easy to use
  • Be business friendly (for example, it should support custom domain names and scheduling)

Common issues faced by therapists

Therapists face unique issues when it comes to protecting patients’ PHI due to the highly personal nature of the information they must discuss.

Failure to obtain informed consent

Some experts argue that the 2013 HIPAA Omnibus Rule requires patients to opt in to communication by email that involves exchanging PHI. Most experts, however, agree that properly informed consent is sufficient.

This means the therapist must fully alert patients about the privacy dangers of using email and offer alternative secure ways to communicate.

Of course, using an end-to-end encrypted email service that allows secure communication even when a patient uses an insecure email service addresses many of the security problems associated with more traditional email services.

Disclosing too much PHI

Therapists are obliged to disclose the minimum amount of personal health information possible for the purpose at hand. This is particularly important when dealing with other healthcare professionals (HIPAA-covered entities) and business associates.

Not all encryption is equal

The Security Rule does not, strictly speaking, require encryption for emails, but achieving HIPAA compliance without using encryption is very hard. The problem is that encryption is a complex subject that many find difficult to understand, even after considerable research.

Read more about HIPAA compliance for email providers

Encryption in transit

Most email services (and all HIPAA compliant ones) use TLS encryption to secure emails in transit, that is, as they travel between your computer and the email server on which they are stored.

However, there is no way of knowing if a recipient’s email service also uses TLS. If it doesn’t, then emails sent to them will be sent in plaintext, meaning their email service, their internet service provider, and, potentially, malicious actors can see what the email contains. You can address this problem by using a service that offers escrow email. 

Encryption at rest

Most email services (and all HIPAA compliant ones) ensure that data is encrypted when stored on their servers. Again, it is difficult for a therapist to ensure that this is the case for their patient’s email service.

Another point to consider is that if you rely on your email provider to encrypt your emails, it can also decrypt them. That’s why it is vital you sign a business associate agreement (BAA) with your email provider to ensure it is a HIPAA compliant business associate. 

An even better option is to use an email service that offers end-to-end encryption. With end-to-end encryption, emails are encrypted on your device before being sent to your email provider’s servers, so it cannot read them. These messages can then be securely delivered to your patient using an email escrow service.

This provides a robust extra layer of security for sensitive emails, although it does not replace the need to sign a BAA with your provider. 

What is a BAA?

A business associate agreement (BAA) is a contract between a primary healthcare provider (a “covered entity”) and any business associate that it shares PHI with (for example, an email provider).

As a therapist, you are the covered entity, and the email service you use is your business associate. The BAA is basically a written guarantee from the business associate that it will follow all HIPAA rules.

What is escrow email?

Escrow email is a system for delivering secure, end-to-end encrypted emails to a recipient who uses a potentially insecure email service. If you use escrow email, instead of receiving an email containing sensitive PHI in their inbox, your patients receive an email notifying them that an end-to-end encrypted message has been sent to them. To view this secure message, they log in to a web portal using credentials that you have previously established.

With escrow email, the intended recipient is the only person who can read the email, no matter how insecure their email service is. Proton Mail’s Password-protected Emails feature is such an escrow email system.

What is a secure form?

A secure form is an online HTML form served over an SSL/TLS connection, so that sensitive information such as PHI is encrypted in transit. Although popular with some therapists as a way for patients to submit details about themselves, similar results can be achieved using form-fillable PDF documents, which can be sent securely with escrow email.

Some HIPAA compliant email services offer the ability to create secure forms as a feature, but there are also plenty of stand-alone HIPAA compliant options available.

Therapists can use Proton Mail to send HIPAA compliant email

A therapist cannot treat a patient if that patient does not trust them with their thoughts and feelings. You can earn your patients’ trust by demonstrating to them that you take data security and privacy seriously. 

Proton Mail is a HIPAA compliant email service developed by CERN scientists. It uses strong end-to-end encryption with email escrow to ensure your emails and any attachments remain private. We also use zero-access encryption, which means we encrypt your emails before we store them on our servers, meaning only you and your intended recipient can access your messages. This encryption is done automatically in the background, making it easy for anyone to send or receive a securely encrypted email.

A signed BAA is available on request — just email for assistance. 

It is important for your business to protect your patients’ data, not just to be HIPAA compliant, but because it is the right thing to do. Your patients are entrusting you with sensitive, highly personal information, so it is your legal and moral duty to protect it. Proton Mail is the world’s most popular encrypted email service and is fully HIPAA compliant, making it a safe and convenient choice for therapists. 


Can a therapist communicate with a patient’s family or friends?

Yes. The HIPAA Privacy Rule recognizes the importance of involving a patient’s friends and family in their mental health treatment. Therapists may communicate with such individuals if they have the patient’s consent and believe that doing so is in the best interests of the patient.

Needless to say, any such communication must be done using secure, HIPAA compliant channels, for example a HIPAA compliant email service.

What happens when a therapist commits a HIPAA violation?

Therapists are subject to the same rules and penalties as other covered entities. Please see What is a HIPAA violation? for more details. Using a HIPAA compliant email service such as Proton Mail helps to reduce the chances of an unintentional HIPAA violation occurring.

What is escrow email for therapists?

Escrow email is a way to send end-to-end encrypted messages to users of email services that are not end-to-end encrypted. To view a message sent in this way, they need to log in to a secure web portal using a password you have previously shared with them. Proton Mail’s Encrypt for non-Proton Mail users feature is such a system, and it allows the recipient to reply in a way that is also end-to-end encrypted.


Feel free to share your feedback and questions with us via our official social media channels on Twitter and Reddit.
