Client profile
Get free credentialing when you sign up for SimplePractice

HIPAA-compliant email for therapists: The essential guide

Headshot of Ben Caldwell, PsyD, LMFT
Ben Caldwell, PsyD, LMFT

Published September 24, 2025 Updated on June 26, 2026

A therapist types a client email into their mobile phone and considers the importance of HIPAA compliant email for therapists
simple illustration of a SOAP template document

Download our free HIPAA Compliance Checklist

Download now

Summary

  • HIPAA-compliant email for therapists is critical for securing protected health information (PHI) transmitted digitally. 

  • Understand why standard email footers fail to meet HIPAA email requirements when transmitting PHI.

  • Implement reasonable safeguards recommended by the Department of Health and Human Services (HHS).

  • Select reputable, encrypted third-party software communication tools if you must utilize traditional electronic mail systems.

HIPAA-compliant email for therapists is a key concern for all therapists and healthcare providers. HIPAA compliant email disclaimers have become so common that we often barely notice them. However, understanding HIPAA email requirements is vital for ensuring your practice is compliant in handling protected health information. Read on to learn more on how you can ensure your emails are HIPAA compliant.

Who needs to use HIPAA-compliant email and communication methods?

You must comply with HIPAA if you are a “covered entity” or a “business associate” of a covered entity.

Generally, if you transmit any health information in electronic form in connection with a transaction for which the Department of Health and Human Services (HHS) has adopted a standard, you are considered a covered entity. This typically includes most healthcare providers, including mental health therapists.

For more information on whether you are a covered entity, visit the HHS website, consult with a legal professional, and/or check with your malpractice insurance.

Disclaimer: This article is for informational purposes only, and should not be considered legal or ethical advice. For specific guidance for your situation, consult with an attorney or your professional liability insurer.

Why therapists use ‘HIPAA-compliant’ email disclaimers

HIPAA-compliant email disclaimers are that paragraph of text tacked on at the end of a healthcare provider’s email signature explaining that the email message is private and may include protected health information (PHI).

Many therapists started using these HIPAA disclaimers at the bottom of emails to clients after noticing that many mental health colleagues had added them. The practice seemed to be a new standard. Plus, it was easy enough to implement.

So it may come as a surprise to learn that using these disclaimers alone does not ensure you’re sending HIPAA-compliant emails to your clients. In fact, there are no documented HIPAA email requirements, and there is little evidence that including email disclaimers will protect you or your practice in the event of an email-related breach. They could actually make any security breach worse.


Why ‘HIPAA-compliant’ email disclaimers may not be enough

Neither HIPAA itself nor any Department of Health and Human Services (HHS) regulations specifically mention a mandate for disclaimers required for HIPAA-compliant email for therapists. 

On their own, disclaimers are not enough to ensure secure HIPAA-compliant email and electronic messaging, according to The HIPAA Journal. Poorly phrased instructions can cause unintended recipients to reply or reply-all, unwittingly recirculating PHI. For instance, if your disclaimer asks anyone who is not the email’s intended recipient to reply to the message, each person who does so may be retransmitting the PHI. 

Or, if they mistakenly reply-all on a group message, they’ve inadvertently created multiple additional copies of the PHI they were aiming to responsibly address. Unintended recipients aren’t forwarding PHI with malicious intent. However, it can still be problematic for the client whose information was compromised through such a security incident. 

If you include response instructions in your disclaimer, direct recipients to call you about the error and then delete the message and any attachments to reduce further exposure.

What’s actually required for secure HIPAA-compliant email?

The Privacy Rule, outlined by HHS, does not expressly prohibit email to send PHI, but recommends that therapists double check email addresses before sending and confirming consent to receive PHI via email with the patient. Encryption is not required and there are no formal HIPAA email requirements, but HHS advises that reasonable safeguards must be used when sharing PHI via email.

While an email footer can be useful to address concerns surrounding HIPAA-compliant email for therapists, it is no replacement for a thoughtful, holistic set of policies and practices designed to protect private health information. And, that’s what HIPAA requires of us as clinicians. 

If you’re cautious about sending PHI over email, secure messaging software, such as the feature included in SimplePractice EHR, may be a better option for sending convenient messages that include clients’ personal health information. 

How to use SimplePractice for HIPAA-compliant therapist email templates

As mentioned, HIPAA doesn’t have specific requirements for what’s considered compliant technology—the Security rule allows you as a covered entity to use any security measures that you deem reasonable and appropriate to uphold security standards. 

That said, they do have some guidance and questions to ask yourself before you start using a software or product to help you determine if it’s reasonable and appropriate. 

A secure encrypted messaging platform is the safest option for sending quick messages that contain PHI to clients or to coworkers in a secure way.

SimplePractice offers a HIPAA-compliant Secure Messaging feature, which makes it easy to securely communicate with your clients and team members all in one place. Try it free for 30 days—no credit card required.

Once secure messaging is enabled for a client, you can easily communicate with them on either a computer or the SimplePractice mobile app. When your client receives a secure message from you, they’ll also receive an email containing a Client Portal login link that will allow them to access the message.

With SimplePractice’s Secure Messaging feature, you can answer client questions, consult on a colleague’s case, and adjust treatment plans—all via fast electronic conversation. And it’s always HIPAA-compliant and secure.

All of your SimplePractice account information is safely stored with bank-level data encryption technologies. SimplePractice has been certified through HITRUST—a third-party assessor that verifies the strictest level of HIPAA compliance.

Here’s more info on how to enable and use Secure Messaging in your SimplePractice account.

Additional security steps and common questions for secure HIPAA-compliant email

If you still feel you need to communicate with clients and staff specifically using HIPAA-compliant email for therapists, there are additional steps you can take to ensure your emails are compliant.

What HIPAA-compliant email services are available?

Services like Hushmail for Healthcare, GSuite, Virtru, and other similar vendors that support encryption allow you to send HIPAA-compliant, secure emails at a variety of price points. These vendors sign Business Associate Agreements (BAAs), which ensure they will employ safeguards to ensure HIPAA compliance.

Is HIPAA-complaint email required for therapists?

If you transmit PHI electronically, your email must be HIPAA-compliant. Whether that means doing everything that HIPAA requires of covered entities—such as performing a regular security audit to examine your risks, training your staff, minimizing where PHI is shared, and ensuring your clients have the knowledge they need to control such sharing—or using an encrypted system to send communications will differ from practice to practice. 

That said, you also might decide that an email disclaimer is appropriate to be included as one of several layers of protection against an email-related breach. 

Conclusion

Ultimately, every practice is different. You’ll need to carefully consider the specifics of yours before implementing a strategy to make sure you’re sending secure HIPAA-compliant emails and HIPAA-compliant electronic messaging. 

If you have specific questions or concerns, consult an attorney.

Sources

How SimplePractice streamlines running your practice

SimplePractice is HIPAA-compliant practice management software with everything you need to run your practice built into the platform—from booking and scheduling to insurance and client billing.

If you’ve been considering switching to an EHR system, SimplePractice empowers you to run a fully paperless practice—so you get more time for the things that matter most to you.

Try SimplePractice free for 30 days. No credit card required.


Headshot of Ben Caldwell, PsyD, LMFT

Ben Caldwell, PsyD, LMFT

Benjamin E. Caldwell, PsyD, LMFT, is a California therapist. He serves as adjunct faculty for the graduate program at California State University Northridge, and is the author of several books, including Saving Psychotherapy and Basics of California Law for LMFTs, LPCCs, and LCSWs. He has served on the AAMFT Ethics Committee and spent more than a decade as the Legislative and Advocacy Chair for AAMFT-California, working on groundbreaking legislation including California's first-in-the-nation ban on reparative therapy for minors. He lives in Los Angeles.

simplepractice logo

Sign up for updates

By entering your email address, you are opting-in to receive emails from SimplePractice on its various products, solutions, and/or offerings. Unsubscribe anytime.

Apple StoreGoogle Play
hipaa logohitrust logopci compliant logo

Proudly made in Santa Monica, CA © 2026 SimplePractice, LLC