Why Therapists Need HIPAA Compliant Email
As a therapist, counselor, or mental health professional, you handle some of the most sensitive information possible - your clients' mental health records, treatment plans, diagnoses, and personal disclosures. Under HIPAA, this information is protected health information (PHI) that must be safeguarded.
HIPAA Violation Penalties
- Tier 1: $100 - $50,000 per violation (did not know, and could not reasonably have known)
- Tier 2: $1,000 - $50,000 per violation (reasonable cause, not willful neglect)
- Tier 3: $10,000 - $50,000 per violation (willful neglect, corrected within 30 days)
- Tier 4: $50,000+ per violation (willful neglect, not corrected)
- Annual Maximum: $1.5 million per calendar year for violations of an identical provision
These are the base amounts set by the HITECH Act; HHS adjusts them for inflation every year, so the current figures are higher.
Beyond fines, HIPAA violations can result in loss of licensure, malpractice lawsuits, and irreparable damage to your reputation. Using HIPAA compliant email is one of the simplest ways to protect yourself and your clients.
What Makes Email HIPAA Compliant?
HIPAA doesn't name email encryption as a hard requirement. Under the Security Rule, encryption is an "addressable" implementation specification: you must either implement it or document why an equivalent alternative is reasonable and appropriate for your practice. For email that carries PHI, no equivalent alternative really exists, so in practice your email must have:
Business Associate Agreement (BAA)
A legal contract with your email provider ensuring they protect PHI according to HIPAA standards.
Encryption in Transit
TLS 1.2 or higher while messages move between mail servers. Be aware that ordinary server-to-server TLS is opportunistic: if the recipient's server doesn't offer it, mail silently falls back to plaintext. A compliant provider either enforces TLS or delivers the message through a portal or encrypted attachment instead of falling back.
Encryption at Rest
Stored messages and attachments encrypted on disk (for example AES-256), so a stolen disk or backup does not expose PHI.
Access Controls
Strong authentication (ideally MFA) to prevent unauthorized access to email accounts.
Audit Logging
Ability to track who accessed PHI and when, required for breach detection.
Secure Storage
Data centers with appropriate physical and technical safeguards, covered by the BAA. HIPAA does not require U.S. data residency; Proton Mail, reviewed below, is hosted in Switzerland. What matters is that the provider contractually accepts HIPAA obligations for wherever the data lives.
Email Disclaimers Don't Work
Those "This email may contain confidential information..." disclaimers at the bottom of emails provide zero actual protection. They don't encrypt anything and can actually encourage recipients to reply with PHI through unsecured channels. You need real encryption and a BAA.
HIPAA Compliant Email Comparison
| Provider | Price/mo | Best For | BAA | Works w/ Gmail | Secure Forms |
|---|---|---|---|---|---|
| Paubox | $29+ | Zero setup, seamless | Yes | Yes | No |
| Hushmail | $11.99+ | Forms + email in one | Yes | No | Yes |
| Proton Mail | $6.99+ | Privacy-focused | Yes | No | No |
| MailHippo | $4.95+ | Budget-friendly | Yes | Yes | Not stated |
| NeoCertified | $5.79+ | Phone support | Yes | Not stated | Not stated |
| MD OfficeMail | $2.10+ | Lowest cost | Yes | Not stated | Not stated |
| Google Workspace | $12+ | Gmail power users | Yes | Yes (it is Gmail) | Not stated |
Detailed Provider Reviews
1. Paubox - Best Overall
Editor's Choice
- Starting Price: $29/month
- Free Trial: Yes
- Certification: HITRUST Certified
Paubox is the most widely recommended option for HIPAA compliant email. It integrates with Gmail and Microsoft 365, so you don't need to change your workflow. Outbound emails are encrypted automatically, and recipients whose mail servers accept TLS read them directly in their inbox without portals or passwords.
Pros:
- + No portals or passwords for recipients
- + Works with existing Gmail/Outlook
- + HITRUST CSF certified
- + Trusted by 8,000+ healthcare orgs
Cons:
- - Higher price point
- - No built-in secure forms
2. Hushmail - Best for Forms
Best Value
- Starting Price: $11.99/month
- Free Trial: 60-day money-back
- Founded: 1999 (Vancouver)
Hushmail is specifically designed for healthcare professionals. It includes secure web forms for intake, consent, and surveys, plus e-signatures. Perfect for therapists who need an all-in-one solution without multiple subscriptions.
Pros:
- + Built-in secure forms & e-signatures
- + Healthcare-specific templates
- + Affordable annual plans
- + Chat, email, and call support
Cons:
- - Can't use with existing Gmail
- - New email address required
3. Proton Mail - Best for Privacy
- Starting Price: $6.99/month
- Based In: Switzerland
- Extras: Calendar, VPN, Drive
Proton Mail stores your mail with zero-access encryption, so Proton itself cannot read stored messages, and mail between Proton accounts is end-to-end encrypted. Mail to clients on Gmail or Outlook is end-to-end encrypted only if you send it as a password-protected message (or the client uses PGP); otherwise it travels under ordinary TLS like any other email. Swiss privacy law adds protection, but for HIPAA purposes it is the BAA on the business plans that counts. Great for therapists who prioritize maximum security and privacy.
Pros:
- + Zero-access encryption
- + Swiss privacy protection
- + Includes calendar & drive
- + Open-source code
Cons:
- - Can't integrate with Gmail
- - New email address required
- - No healthcare-specific features
4. MailHippo - Best Budget Option
Budget Pick
- Starting Price: $4.95/month
- Free Trial: 30 days
- Encryption: AES 256-bit
MailHippo offers a solid HIPAA compliant solution at a low price. It works with your existing Gmail or Outlook, uses AES 256-bit encryption, and works on both desktop and mobile.
Pros:
- + Very affordable
- + Works with Gmail/Outlook
- + Mobile-friendly
- + AES 256-bit encryption
Cons:
- - Web form support only
- - Fewer features than competitors
Is Gmail or Outlook HIPAA Compliant?
Regular Gmail & Outlook Are NOT HIPAA Compliant
Free Gmail, personal Outlook/Hotmail, and consumer versions of these services should never be used for client communications containing PHI. They don't offer BAAs, lack required security features, and expose you to significant liability.
Google Workspace
Paid Google Workspace ($12+/user/month) CAN be HIPAA compliant if you:
- 1. Accept Google's BAA in the Admin Console (under Account settings > Legal and compliance) before any PHI touches the account
- 2. Enforce 2-Step Verification for every user, rather than merely making it available
- 3. Configure encryption: Google's hosted S/MIME is only offered on Enterprise and Education editions, so Business plans rely on TLS in transit plus a third-party encryption add-on
- 4. Use only the services listed in Google's "HIPAA Included Functionality" and turn the rest off for users who handle PHI
- 5. Train staff on proper usage
Microsoft 365
Microsoft 365 Business Premium ($22+/user/month) CAN be HIPAA compliant if you:
- 1. Confirm the BAA: it is built into Microsoft's standard Product Terms for qualifying plans, so there is nothing separate to sign, but keep a copy of the terms on file
- 2. Enforce Multi-Factor Authentication for all users (Security Defaults, or Conditional Access if you already use it)
- 3. Configure message encryption (Microsoft Purview Message Encryption, included with Business Premium) so outbound PHI is encrypted
- 4. Set up Purview DLP policies that detect PHI in outbound mail
- 5. Confirm unified audit logging is on and know how to search it
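As an added example (not part of the original article and not Microsoft's own documentation), the following PowerShell turns the Microsoft 365 checklist above into a repeatable script for a small practice. The admin account admin@contoso.example, the partner domain clinic-partner.example and the rule and policy names are placeholders; the sensitive-information type is Microsoft's built-in U.S. SSN classifier, used as a stand-in for whatever PHI markers your practice decides to detect. Run it against a test tenant first.

```powershell
# Added example, not from the original article or Microsoft's docs.
# Placeholders: admin@contoso.example, clinic-partner.example, rule/policy names.
# Modules assumed: ExchangeOnlineManagement (Exchange Online + Security & Compliance)
# and Microsoft.Graph.Identity.SignIns (Security Defaults for MFA).

Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# Step 1 (BAA): nothing to configure. Microsoft's BAA is part of the Product Terms
# for qualifying plans; file a dated copy of the terms with your compliance records.

# Step 2 (MFA): Security Defaults enforces MFA for every user in the tenant.
# It cannot be combined with Conditional Access; use CA policies instead if you have them.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true

# Step 3 (message encryption): apply the built-in "Encrypt" rights-management template
# to outbound mail that carries a sensitive-info match, and to mail the sender tags
# with a subject keyword. Two rules, because conditions inside one rule are ANDed.
New-TransportRule -Name "HIPAA - encrypt detected PHI leaving org" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{Name = "U.S. Social Security Number (SSN)"}) `
    -ApplyRightsProtectionTemplate "Encrypt" `
    -SetAuditSeverity High

New-TransportRule -Name "HIPAA - encrypt on [secure] subject tag" `
    -SentToScope NotInOrganization `
    -SubjectContainsWords "[secure]" `
    -ApplyRightsProtectionTemplate "Encrypt"

# Step 3b (transit): for a partner you exchange referrals with, require TLS with a
# valid certificate instead of relying on opportunistic TLS that can fall back to plaintext.
New-OutboundConnector -Name "Force TLS to clinic-partner.example" `
    -ConnectorType Partner `
    -RecipientDomains "clinic-partner.example" `
    -UseMXRecord $true `
    -TlsSettings CertificateValidation

# Step 4 (DLP): detect PHI heading to external recipients, show the sender a policy tip,
# and send an incident report to the admins. Blocking is left off here so the encryption
# rules above can still deliver the message.
Connect-IPPSSession -UserPrincipalName admin@contoso.example
New-DlpCompliancePolicy -Name "HIPAA PHI outbound" -ExchangeLocation All -Mode Enable
New-DlpComplianceRule -Name "Report external PHI" -Policy "HIPAA PHI outbound" `
    -ContentContainsSensitiveInformation @(@{Name = "U.S. Social Security Number (SSN)"; minCount = "1"}) `
    -AccessScope NotInOrganization `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent All

# Step 5 (audit logging): confirm unified audit log ingestion, then spot-check mailbox
# access. Whether MailItemsAccessed events are recorded depends on your audit tier.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
    -RecordType ExchangeItem -Operations MailboxLogin, MailItemsAccessed -ResultSize 50 |
    Select-Object CreationDate, UserIds, Operations
```

The transport rules and the DLP policy both key off the same classifier on purpose: the rule guarantees encryption, while the DLP rule gives you the policy tip and the incident report you will need when you assess whether a misdirected message was a reportable breach.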
Easier Option: Use a HIPAA Add-On
Instead of configuring Google Workspace or Microsoft 365 yourself, services like Paubox integrate with your existing Gmail or Outlook and take over the encryption and BAA side for you. This is often simpler and more reliable, but it does not replace MFA, device security, or staff training, which remain your responsibility.
Quick Setup Guide
Getting HIPAA compliant email set up is straightforward. Here's what to do:
Choose Your Provider
Select based on your needs: Paubox for seamless integration, Hushmail for forms included, MailHippo for budget.
Sign the Business Associate Agreement (BAA)
All providers include this. Sign it during setup or in your account settings. Keep a copy for your records.
Enable Multi-Factor Authentication (MFA)
Enable MFA on every account that can reach PHI, including the recovery email behind it. Use an authenticator app or hardware key rather than SMS when possible.
Configure Your Email Client
Follow your provider's setup guide to connect your new secure email or integrate with existing accounts.
Update Your Client Communications
Let clients know your new secure email address. Consider adding a note about secure messaging to your informed consent.
Document Your Compliance
Keep records of your BAA, security configurations, and staff training for audit purposes.
Common HIPAA Email Mistakes to Avoid
Using personal Gmail/Outlook for client emails
Switch to a HIPAA compliant provider or add Paubox to your workflow
Thinking email disclaimers provide protection
Disclaimers do nothing - you need actual encryption and a BAA
Not signing a Business Associate Agreement
Always sign the BAA before sending any PHI through the service
Skipping Multi-Factor Authentication
Enable MFA on all accounts. Some providers require it in their terms, and either way a stolen password otherwise gives an attacker everything your encryption protected in transit
Including PHI in email subject lines
S/MIME and PGP encrypt only the body and attachments, and even with TLS the subject sits in plaintext in notifications, previews and logs - keep subject lines generic
Assuming client consent allows non-compliant email
Client consent is narrow: HHS allows you to honor a client's informed request for unencrypted email after warning them of the risks and documenting that choice, but it does not let your practice default to non-compliant systems or skip the rest of the Security Rule
Not training staff on secure email practices
Document and train all staff on HIPAA email policies
Frequently Asked Questions
Is Gmail HIPAA compliant for therapists?
No, regular Gmail is not HIPAA compliant. However, Google Workspace (paid version starting at $12/user/month) can be made HIPAA compliant if you sign a BAA with Google, enable MFA, and configure proper security settings. An easier option is to use Gmail with a HIPAA add-on like Paubox.
What makes an email HIPAA compliant?
HIPAA compliant email requires: encryption of messages containing PHI in transit and at rest (TLS between servers at a minimum, with a portal or message-level encryption when the recipient cannot support it), a signed Business Associate Agreement (BAA) with the email provider, access controls and authentication (MFA), audit logging to track access to PHI, and secure storage covered by the BAA.
What is the best HIPAA compliant email for therapists?
The best option depends on your needs: Paubox ($29/mo) for seamless Gmail/Outlook integration, Hushmail ($11.99/mo) for built-in secure forms and e-signatures, MailHippo ($4.95/mo) for the most affordable option, or Proton Mail ($6.99/mo) for maximum privacy.
Do email disclaimers make email HIPAA compliant?
No, HIPAA disclaimers at the bottom of emails provide zero actual protection. They don't encrypt anything and can actually encourage recipients to reply with PHI through unsecured channels. You need real encryption and a signed BAA for compliance.
Can I use Outlook for HIPAA compliant email?
Microsoft 365 Outlook (Business Premium at $22/user/month or higher) can be HIPAA compliant when properly configured with MFA, message encryption, DLP policies, and the Microsoft BAA, which is automatic with qualifying plans.
What happens if I send PHI through non-compliant email?
HIPAA violations can result in fines from $100 to $50,000 per violation (base amounts, adjusted annually for inflation), with an annual maximum of $1.5 million per identical provision. Beyond fines, you risk loss of licensure, malpractice lawsuits, and damage to your professional reputation.
Does client consent allow me to use regular email?
Only in a narrow sense. HHS guidance allows a provider to send unencrypted email to a client who asks for it after being warned of the risks, and that warning and the client's choice should be documented. The exception covers the client's stated preference for their own communications; it does not waive the Security Rule for your practice, so your systems, accounts and staff still need compliant, encrypted email as the default.
Summary: Choosing HIPAA Compliant Email
Top Picks:
- Paubox ($29/mo) - Best overall, seamless integration
- Hushmail ($11.99/mo) - Best for forms & e-signatures
- MailHippo ($4.95/mo) - Best budget option
Essential Requirements:
- 1. Signed Business Associate Agreement
- 2. Encryption in transit and at rest
- 3. Multi-Factor Authentication enabled
- 4. Audit logging capability
