Therapy HIPAA Hub
EMAIL GUIDE — 2026

Best HIPAA-Compliant Email for Therapists in 2026

Using Gmail, Yahoo, or standard Outlook for client communication is a HIPAA violation. Any email service that handles Protected Health Information (PHI) must sign a Business Associate Agreement — and standard free email providers will not do this. Appointment confirmations, billing questions, and any email that mentions a client's name in connection with their therapy appointment all qualify as PHI under HIPAA.

The good news: switching to a HIPAA-compliant email service takes less than an hour and costs as little as $6 to $10 per month. Here are the four best options for therapists in 2026, with honest assessments of who each one is best for.

Important: Free Gmail = HIPAA violation

Google will not sign a HIPAA BAA for free Gmail accounts. If you are using a @gmail.com address to communicate with clients about their treatment, you are in violation. Google Workspace Business plans do offer BAAs — but you must set it up correctly.

#1BEST FOR THERAPISTS

Hushmail for Healthcare

Best purpose-built HIPAA email for therapists

From $9.99/mo

PROS

  • Built specifically for healthcare
  • BAA included on all plans
  • Secure message center for clients
  • HIPAA-compliant web forms included
  • No IT setup required

CONS

  • Not as full-featured as Google Workspace
  • Smaller storage than Gmail
  • Hushmail branding in email address (unless custom domain)

BAA STATUS

✓ Included on all plans

#2

Google Workspace (Business Starter+)

Best if you already use Google tools

From $6/mo per user

PROS

  • Familiar Gmail interface
  • BAA available on Business plans
  • Integrated with Google Calendar + Drive
  • Large storage

CONS

  • BAA must be requested separately — not automatic
  • Standard free Gmail does NOT qualify
  • More complex setup than Hushmail
  • Risk of accidentally using personal account

BAA STATUS

✓ Business Starter and above — must request BAA manually

#3

Paubox

Best for automatic encryption without client action

From $29/mo

PROS

  • Encrypts all outgoing email automatically
  • No client portal required — emails arrive in normal inbox
  • BAA included
  • Works with existing email domain

CONS

  • More expensive than alternatives
  • Overkill for low-volume solo practices
  • Requires domain setup

BAA STATUS

✓ Included on all plans

#4

Microsoft 365 Business

Best for practices already on Microsoft ecosystem

From $6/mo per user

PROS

  • BAA available for Business plans
  • Full Office suite included
  • Good for Windows-heavy practices
  • Teams for HIPAA meetings

CONS

  • Standard Outlook.com does NOT qualify
  • Business plan required for BAA
  • Less intuitive than Gmail for many users

BAA STATUS

✓ Business plans only — not personal Outlook accounts

☀️ Summer 2026 Offer

Trusted by 225,000+ Therapists

50% Off Your First 4 Months of SimplePractice

SimplePractice is the #1 HIPAA-compliant practice management platform for therapists. Includes a signed BAA, encrypted messaging, telehealth, and full insurance billing.

✓ 7-day free trial✓ 50% off first 4 months✓ Free credentialing available (up to 2 payers)✓ BAA included
Claim 50% Off SimplePractice →

Limited-time summer offer · No credit card required for trial

Need HIPAA-compliant email only? See Hushmail for Healthcare →

What Emails Contain PHI — and Which Don't

Many therapists believe they can use standard Gmail for "administrative" emails and only need HIPAA-compliant email for clinical communication. This is incorrect. HIPAA defines PHI as any information that identifies an individual AND relates to their health condition, healthcare provision, or healthcare payment. This means:

PHI — requires HIPAA-compliant email

  • Appointment confirmations mentioning your name (therapist) + client name + date
  • Billing statements showing the service type (psychotherapy)
  • Intake questionnaires
  • Referral requests mentioning diagnosis
  • Insurance pre-authorization requests
  • Any email discussing treatment or progress

Not PHI — standard email may be acceptable

  • General marketing emails not tied to a specific client
  • Staff-only administrative emails with no client data
  • Vendor communications not involving client PHI

In practice, the safest approach is to use a HIPAA-compliant email service for all client-facing communication, without trying to evaluate whether each specific email contains PHI. The cost difference is minimal and the compliance risk of miscategorizing an email is significant.

Step-by-Step Setup Guide

Setting up a HIPAA-compliant email service is a one-time process that takes under an hour. Here are the specific steps for the two most common options for therapists.

Hushmail for Healthcare

  1. 1Go to hushmail.com/healthcare and select your plan (starting at $9.99/month)
  2. 2Create your account and choose a custom domain address (e.g., yourname@yourpractice.com)
  3. 3The BAA is automatically included — no separate request required
  4. 4Import your contacts and update your email signature with your new address
  5. 5Notify existing clients of your new HIPAA-compliant email address

Google Workspace Business

  1. 1Sign up for Google Workspace Business Starter at $6/user/month using your domain
  2. 2Log into the Google Admin Console (admin.google.com)
  3. 3Navigate to Account > Legal > Health Information — and accept the HIPAA BAA
  4. 4Critical: the BAA must be accepted BEFORE you use any Google services for PHI
  5. 5Migrate any existing client emails from personal Gmail to the new Workspace account
  6. 6Train any staff on the importance of using only the Workspace account, not personal Gmail

What Happens if You Keep Using Personal Gmail?

OCR enforcement for email-related HIPAA violations follows a predictable pattern. Most cases begin with a client complaint — often a former client who is unhappy about their care and decides to report a compliance issue they noticed. Here is what the enforcement process looks like:

1

Client files complaint

A client (or former client) files a complaint with OCR at hhs.gov/hipaa. They describe receiving appointment confirmations, billing statements, or clinical information via an unencrypted personal email address.

2

OCR opens investigation

OCR notifies you of the complaint and requests documentation: your BAA with your email provider, your HIPAA policies, and your Security Risk Assessment. If you don't have these, the investigation escalates.

3

Corrective action plan

OCR issues a corrective action plan (CAP) requiring specific remediation steps, including switching to a HIPAA-compliant email service. Fines accompany the CAP — typically $1,000 to $50,000 per violation.

4

Resolution agreement

You sign a resolution agreement, pay the fine, and implement the CAP. OCR monitors your compliance for 1–3 years afterward. The resolution agreement becomes part of your public compliance record.

Prevention cost: $9.99–$6/month for a HIPAA-compliant email service. Average enforcement cost: $43,000 + legal fees + 1–3 years of OCR monitoring.

FAQ — HIPAA Email for Therapists

Can I use Gmail for therapy client emails?

Only if you are using Google Workspace Business (paid plan) AND have signed Google's BAA. Standard free Gmail accounts are not HIPAA-compliant. Google will not sign a BAA for personal accounts.

What emails count as containing PHI?

Any email that connects a client's identity to their health information — including appointment confirmations, billing, treatment summaries, or anything that mentions a client by name along with any health-related information.

Do I need HIPAA email if I only send appointment reminders?

Yes — if appointment reminders mention the client's name alongside the fact that they have a therapy appointment, that is PHI. Many therapists send reminders that say 'Your appointment with [therapist] is tomorrow' — that is covered.

Is Hushmail actually used by real therapists?

Yes — Hushmail for Healthcare is one of the most widely used HIPAA-compliant email services among therapists and counselors. It was built specifically for healthcare professionals who need simple, compliant email without an IT team.