Best HIPAA-Compliant Email for Therapists in 2026
Using Gmail, Yahoo, or standard Outlook for client communication is a HIPAA violation. Any email service that handles Protected Health Information (PHI) must sign a Business Associate Agreement — and standard free email providers will not do this. Appointment confirmations, billing questions, and any email that mentions a client's name in connection with their therapy appointment all qualify as PHI under HIPAA.
The good news: switching to a HIPAA-compliant email service takes less than an hour and costs as little as $6 to $10 per month. Here are the four best options for therapists in 2026, with honest assessments of who each one is best for.
Important: Free Gmail = HIPAA violation
Google will not sign a HIPAA BAA for free Gmail accounts. If you are using a @gmail.com address to communicate with clients about their treatment, you are in violation. Google Workspace Business plans do offer BAAs — but you must set it up correctly.
Hushmail for Healthcare
Best purpose-built HIPAA email for therapists
From $9.99/mo
PROS
- ✓Built specifically for healthcare
- ✓BAA included on all plans
- ✓Secure message center for clients
- ✓HIPAA-compliant web forms included
- ✓No IT setup required
CONS
- ✗Not as full-featured as Google Workspace
- ✗Smaller storage than Gmail
- ✗Hushmail branding in email address (unless custom domain)
BAA STATUS
✓ Included on all plans
Google Workspace (Business Starter+)
Best if you already use Google tools
From $6/mo per user
PROS
- ✓Familiar Gmail interface
- ✓BAA available on Business plans
- ✓Integrated with Google Calendar + Drive
- ✓Large storage
CONS
- ✗BAA must be requested separately — not automatic
- ✗Standard free Gmail does NOT qualify
- ✗More complex setup than Hushmail
- ✗Risk of accidentally using personal account
BAA STATUS
✓ Business Starter and above — must request BAA manually
Paubox
Best for automatic encryption without client action
From $29/mo
PROS
- ✓Encrypts all outgoing email automatically
- ✓No client portal required — emails arrive in normal inbox
- ✓BAA included
- ✓Works with existing email domain
CONS
- ✗More expensive than alternatives
- ✗Overkill for low-volume solo practices
- ✗Requires domain setup
BAA STATUS
✓ Included on all plans
Microsoft 365 Business
Best for practices already on Microsoft ecosystem
From $6/mo per user
PROS
- ✓BAA available for Business plans
- ✓Full Office suite included
- ✓Good for Windows-heavy practices
- ✓Teams for HIPAA meetings
CONS
- ✗Standard Outlook.com does NOT qualify
- ✗Business plan required for BAA
- ✗Less intuitive than Gmail for many users
BAA STATUS
✓ Business plans only — not personal Outlook accounts
Trusted by 225,000+ Therapists
50% Off Your First 4 Months of SimplePractice
SimplePractice is the #1 HIPAA-compliant practice management platform for therapists. Includes a signed BAA, encrypted messaging, telehealth, and full insurance billing.
Limited-time summer offer · No credit card required for trial
Need HIPAA-compliant email only? See Hushmail for Healthcare →
What Emails Contain PHI — and Which Don't
Many therapists believe they can use standard Gmail for "administrative" emails and only need HIPAA-compliant email for clinical communication. This is incorrect. HIPAA defines PHI as any information that identifies an individual AND relates to their health condition, healthcare provision, or healthcare payment. This means:
PHI — requires HIPAA-compliant email
- ✗Appointment confirmations mentioning your name (therapist) + client name + date
- ✗Billing statements showing the service type (psychotherapy)
- ✗Intake questionnaires
- ✗Referral requests mentioning diagnosis
- ✗Insurance pre-authorization requests
- ✗Any email discussing treatment or progress
Not PHI — standard email may be acceptable
- ✓General marketing emails not tied to a specific client
- ✓Staff-only administrative emails with no client data
- ✓Vendor communications not involving client PHI
In practice, the safest approach is to use a HIPAA-compliant email service for all client-facing communication, without trying to evaluate whether each specific email contains PHI. The cost difference is minimal and the compliance risk of miscategorizing an email is significant.
Step-by-Step Setup Guide
Setting up a HIPAA-compliant email service is a one-time process that takes under an hour. Here are the specific steps for the two most common options for therapists.
Hushmail for Healthcare
- 1Go to hushmail.com/healthcare and select your plan (starting at $9.99/month)
- 2Create your account and choose a custom domain address (e.g., yourname@yourpractice.com)
- 3The BAA is automatically included — no separate request required
- 4Import your contacts and update your email signature with your new address
- 5Notify existing clients of your new HIPAA-compliant email address
Google Workspace Business
- 1Sign up for Google Workspace Business Starter at $6/user/month using your domain
- 2Log into the Google Admin Console (admin.google.com)
- 3Navigate to Account > Legal > Health Information — and accept the HIPAA BAA
- 4Critical: the BAA must be accepted BEFORE you use any Google services for PHI
- 5Migrate any existing client emails from personal Gmail to the new Workspace account
- 6Train any staff on the importance of using only the Workspace account, not personal Gmail
What Happens if You Keep Using Personal Gmail?
OCR enforcement for email-related HIPAA violations follows a predictable pattern. Most cases begin with a client complaint — often a former client who is unhappy about their care and decides to report a compliance issue they noticed. Here is what the enforcement process looks like:
Client files complaint
A client (or former client) files a complaint with OCR at hhs.gov/hipaa. They describe receiving appointment confirmations, billing statements, or clinical information via an unencrypted personal email address.
OCR opens investigation
OCR notifies you of the complaint and requests documentation: your BAA with your email provider, your HIPAA policies, and your Security Risk Assessment. If you don't have these, the investigation escalates.
Corrective action plan
OCR issues a corrective action plan (CAP) requiring specific remediation steps, including switching to a HIPAA-compliant email service. Fines accompany the CAP — typically $1,000 to $50,000 per violation.
Resolution agreement
You sign a resolution agreement, pay the fine, and implement the CAP. OCR monitors your compliance for 1–3 years afterward. The resolution agreement becomes part of your public compliance record.
Prevention cost: $9.99–$6/month for a HIPAA-compliant email service. Average enforcement cost: $43,000 + legal fees + 1–3 years of OCR monitoring.
FAQ — HIPAA Email for Therapists
Can I use Gmail for therapy client emails?
Only if you are using Google Workspace Business (paid plan) AND have signed Google's BAA. Standard free Gmail accounts are not HIPAA-compliant. Google will not sign a BAA for personal accounts.
What emails count as containing PHI?
Any email that connects a client's identity to their health information — including appointment confirmations, billing, treatment summaries, or anything that mentions a client by name along with any health-related information.
Do I need HIPAA email if I only send appointment reminders?
Yes — if appointment reminders mention the client's name alongside the fact that they have a therapy appointment, that is PHI. Many therapists send reminders that say 'Your appointment with [therapist] is tomorrow' — that is covered.
Is Hushmail actually used by real therapists?
Yes — Hushmail for Healthcare is one of the most widely used HIPAA-compliant email services among therapists and counselors. It was built specifically for healthcare professionals who need simple, compliant email without an IT team.