HIPAA Email 101: What Every Therapist Needs to Know

What HIPAA requires from your email

HIPAA's Security Rule has three categories of safeguards: administrative, physical, and technical. For email, the technical safeguards are what matter most. The two big ones:

  • Encryption: Any email containing protected health information (PHI) must be encrypted in transit and at rest.

  • Access controls: Only authorized people should be able to read PHI. That means strong authentication, audit logs, and the ability to track who accessed what.

PHI is broader than most people think. It includes anything that ties health information to an identifiable person. A name plus an appointment time counts. So does a referral email mentioning a diagnosis.

Why a BAA is necessary but not sufficient

A business associate agreement (BAA) is a contract between you and your email provider that says they'll handle PHI in line with HIPAA. This is non-negotiable. Google and Microsoft will sign one, but only if you're on a paid Workspace or Microsoft 365 plan.

Signing a BAA does not make your email HIPAA compliant on its own. It just means your provider is willing to be held accountable for the parts they control. You're still responsible for how email is configured, how staff uses it, and whether messages are actually being encrypted when they leave your inbox.

Opportunities to improve compliance and client experience

For mental health practices, the HIPAA compliance gaps often fall into a few areas:

  • Encryption that only works some of the time: Standard Gmail and Outlook use opportunistic encryption: if the recipient's email platform supports it, the message is sent encrypted; if it doesn't, the message goes out unencrypted, and you get no warning either way.

  • Workarounds that frustrate clients: Portals, password-protected PDFs, and "click here to view message" links technically work, but they create friction. Clients give up, miss messages, or email you back through unsecured channels.

  • Free Gmail or Outlook accounts: These providers will not sign a BAA for free consumer accounts, and a signed BAA is a HIPAA requirement.
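Because opportunistic encryption gives no warning, one way to find out after the fact whether a message actually travelled over TLS is to audit its Received headers: each relay records the transport it accepted the message with (ESMTPS or a version=TLS... comment means that hop was encrypted, plain ESMTP means it was not). The script below is an added example, not code from this page or from any product; the sample message, host names and IDs are constructed.

```python
import email
import re

# Constructed sample message with two hops: the clinic's own relay accepted it
# over TLS (ESMTPS), but the recipient's server accepted it in the clear (ESMTP).
SAMPLE_MESSAGE = """Received: from mx.example-clinic.test (mx.example-clinic.test [192.0.2.10])
        by mail.recipient.test with ESMTP id abc123
        for <client@recipient.test>; Mon, 1 Jan 2024 10:00:02 +0000
Received: from workstation.example-clinic.test (unknown [198.51.100.5])
        by mx.example-clinic.test with ESMTPS id xyz789
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO);
        Mon, 1 Jan 2024 10:00:01 +0000
From: therapist@example-clinic.test
To: client@recipient.test
Subject: Appointment reminder

See you Tuesday.
"""

# "by <relay> ... with <protocol>" as written in RFC 5321 Received clauses
HOP_RE = re.compile(r"\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>[A-Z0-9]+)", re.S)
# TLS version comment as written by Gmail (TLS1_3) or Postfix (TLSv1.3)
TLS_RE = re.compile(r"version=(?P<version>TLSv?[0-9_.]+)")


def audit_hops(raw_message):
    """Return one dict per Received hop, in delivery order, with its TLS status."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each relay prepends its Received header, so reverse to get delivery order.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue
        proto = m.group("proto")
        tls = TLS_RE.search(flat)
        hops.append({
            "relay": m.group("by"),
            "protocol": proto,
            # ESMTPS/ESMTPSA (RFC 3848) and UTF8SMTPS (RFC 6531) mean TLS was used
            "encrypted": "SMTPS" in proto or tls is not None,
            "tls_version": tls.group("version") if tls else None,
        })
    return hops


def unencrypted_hops(raw_message):
    """Relays that accepted the message without TLS; empty means every hop was encrypted."""
    return [h["relay"] for h in audit_hops(raw_message) if not h["encrypted"]]
```

Feed it the raw source of a sent message (most mail clients expose "show original" or "view source"); any relay listed by unencrypted_hops received the PHI in the clear.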

What to look for in a HIPAA compliant email setup

When evaluating your email setup, these are the questions that matter:

  • Is encryption applied to every outbound message automatically?

  • Can recipients read encrypted messages directly in their inbox without portals or passwords?

  • Do you have a signed BAA with your email provider?

  • Does it work with the email platform you already use, or does it require switching everything?

The bottom line

HIPAA compliant email is not about having the most secure system possible. It's about meeting the standard reliably, every time, without depending on staff to remember the right steps. If your current setup requires anyone to think before hitting send, that's the gap to close.

Paubox checks these boxes

If you want an email setup that meets every requirement above without changing how you work, Paubox is built for it:

  • Every email is encrypted, automatically

  • Easily set up Paubox with your existing Google Workspace or Microsoft 365 account

  • Recipients read encrypted emails right in their inbox (no portals, passwords, or extra logins)

  • BAA included

Get $250 off the first year of Paubox with the code PAUBOXPROMO.