If you’ve ever been to an early-morning ice rink, you’ve probably seen us: hockey parents juggling gear bags, skates, pads, and sticks, making sure their kids hit the ice safely and prepared. We don’t just toss a stick in the backseat and call it good. We double-check everything, because we know the value of the right gear when it protects what matters most.
When it comes to your therapy practice, email is your gear bag.
It’s how you communicate, schedule, share updates, and sometimes handle sensitive client information. And just like us hockey parents, therapists need the right “protective equipment” to keep client data safe.
That’s where HIPAA-compliant email comes in.
Why Email Compliance Matters
HIPAA, the Health Insurance Portability and Accountability Act, protects your clients’ Protected Health Information (PHI). This means your email system must meet strict privacy and security standards before you use it for client communication.
Many therapists still use personal email accounts such as @gmail.com or @yahoo.com, add two-factor authentication, and include a confidentiality disclaimer in their signature. While these steps show good intent, they do not make your email HIPAA-compliant.
To meet HIPAA requirements, your email provider must be willing to sign a Business Associate Agreement (BAA) — a legal document that binds them to HIPAA standards. Without that agreement, even strong passwords and security tools fall short.
And yes, you should have a professional email tied to your domain, such as hello@yourpractice.com. You simply need to set it up correctly.
Clearing Up Common Misconceptions About HIPAA-Compliant Email
Myth: “Google Workspace isn’t really HIPAA-compliant.”
Reality: It can be, as long as you sign Google’s BAA and configure your account settings properly.
Myth: “A confidentiality disclaimer is enough.”
Reality: Disclaimers build trust but do not create compliance. Only a signed BAA and secure configuration can do that.
Myth: “EU-based companies are safer because of GDPR.”
Reality: GDPR is not HIPAA. You must use a provider that signs a BAA and meets U.S. compliance standards.
Myth: “Only Hushmail or ProtonMail are secure.”
Reality: While they are compliant options, Google Workspace and Microsoft 365 can also meet HIPAA standards when properly set up.
How to Set Up a HIPAA-Compliant Email for Your Therapy Domain
Think of this process like preparing your hockey player’s gear bag: every layer of protection matters.
Step 1: Secure Your Domain
Purchase your domain from a registrar such as GoDaddy, Namecheap, or Google Domains. Owning a domain gives you professionalism but not compliance — that comes from your email configuration.
Step 2: Choose an Email Provider That Offers a BAA
Select an email service that provides HIPAA compliance options:
- Google Workspace (with a signed BAA)
- Microsoft 365 for Business (with a signed BAA)
- ProtonMail for Business
- Hushmail for Healthcare
Confirm that the plan you purchase includes PHI coverage under a signed BAA.
Step 3: Connect Your Domain
To connect your professional domain to your secure email host, update your domain’s MX records in your DNS editor so that mail for your domain is routed to your provider (Google, Microsoft, or another HIPAA-compliant service). Once the records point at your chosen host, messages for your professional address are delivered through that provider’s infrastructure rather than anywhere left over from a previous setup. Each email provider publishes step-by-step documentation for updating DNS records.
Step 4: Configure Security Settings
- Require strong passwords and two-factor authentication.
- Disable automatic forwarding to personal accounts.
- Ensure encryption is enabled for messages in transit.
- Use client-side or end-to-end encryption when available.
Step 5: Document Policies and Train Your Team
Update your HIPAA compliance documentation to reflect your new setup. Train staff to avoid sending PHI via unsecured email and to use encrypted methods or secure client portals when appropriate.
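As an added example (not code from the original post), here is a small Python script that checks the two parts of Steps 3 and 4 that most often go wrong: an MX record left over from a previous host that still receives some of your mail, and a forwarding rule that sends mail to an address outside the practice domain. The dig output and the forwarding export are constructed samples, the export format is my own stand-in, and the provider host table reflects the providers’ setup guides as I know them; confirm it against your provider’s current documentation.

```python
"""Audit Step 3 (MX routing) and Step 4 (no forwarding to personal accounts).

Added example, not code from the original post. The dig output, the
forwarding export and its column names are constructed samples.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class MxRecord:
    priority: int  # lower number = tried first
    host: str      # lowercase, trailing dot removed


# MX host suffixes for the providers named in the post, as documented in
# their setup guides as far as I know them. Assumption: confirm against
# your provider's current documentation before relying on this table.
PROVIDER_MX_SUFFIXES = {
    "google": ("aspmx.l.google.com", "smtp.google.com"),
    "microsoft": ("mail.protection.outlook.com",),
    "proton": ("protonmail.ch",),
}

# One answer line of `dig MX <domain>`: name  TTL  IN  MX  priority  host
MX_LINE = re.compile(r"^\S+\s+\d+\s+IN\s+MX\s+(?P<prio>\d+)\s+(?P<host>\S+)\s*$")


def parse_dig_mx(text: str) -> list[MxRecord]:
    """Extract MX records from dig output, skipping comment/header lines."""
    records = []
    for line in text.splitlines():
        if line.startswith(";"):
            continue
        m = MX_LINE.match(line)
        if m:
            records.append(MxRecord(int(m.group("prio")),
                                    m.group("host").lower().rstrip(".")))
    return records


def _belongs_to(host: str, suffixes: tuple[str, ...]) -> bool:
    return any(host == s or host.endswith("." + s) for s in suffixes)


def audit_mx(records: list[MxRecord], provider: str) -> list[str]:
    """Return findings; an empty list means every MX points at the provider."""
    suffixes = PROVIDER_MX_SUFFIXES[provider]
    if not records:
        return ["no MX records: mail for this domain is not routed to any host"]
    findings = []
    for r in sorted(records, key=lambda r: r.priority):
        if not _belongs_to(r.host, suffixes):
            findings.append(f"MX {r.priority} {r.host} is not a {provider} host; "
                            "probably left over from a previous mail host")
    primary = min(records, key=lambda r: r.priority)
    if not _belongs_to(primary.host, suffixes):
        findings.append(f"highest-preference MX ({primary.host}) is not {provider}; "
                        "new mail is delivered there first")
    return findings


def audit_forwarding(rows: list[dict], practice_domain: str) -> list[str]:
    """Flag enabled forwarding rules whose destination is outside the practice.

    `rows` is a constructed stand-in for a per-user forwarding export with the
    columns user, forward_to and enabled (your admin console's export differs).
    """
    practice_domain = practice_domain.lower()
    findings = []
    for row in rows:
        if not row["enabled"] or not row["forward_to"]:
            continue
        dest = row["forward_to"].strip().lower()
        if dest.rsplit("@", 1)[-1] != practice_domain:
            findings.append(f"{row['user']} forwards mail to {dest}, "
                            f"outside {practice_domain}")
    return findings


# Constructed sample: Google Workspace records plus one stale record from an
# earlier web host that was never removed.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
yourpractice.com.    3600  IN  MX  1 aspmx.l.google.com.
yourpractice.com.    3600  IN  MX  5 alt1.aspmx.l.google.com.
yourpractice.com.    3600  IN  MX  5 alt2.aspmx.l.google.com.
yourpractice.com.    3600  IN  MX  10 alt3.aspmx.l.google.com.
yourpractice.com.    3600  IN  MX  10 alt4.aspmx.l.google.com.
yourpractice.com.    3600  IN  MX  20 mail.old-webhost.example.
"""

# Constructed sample of forwarding settings: one disabled rule, one internal
# forward (different letter case), one forward to a personal account.
SAMPLE_FORWARDING = [
    {"user": "hello@yourpractice.com", "forward_to": "", "enabled": False},
    {"user": "intake@yourpractice.com", "forward_to": "Hello@YourPractice.com", "enabled": True},
    {"user": "billing@yourpractice.com", "forward_to": "someone@gmail.com", "enabled": True},
]

if __name__ == "__main__":
    for finding in audit_mx(parse_dig_mx(SAMPLE_DIG_OUTPUT), "google"):
        print("MX:", finding)
    for finding in audit_forwarding(SAMPLE_FORWARDING, "yourpractice.com"):
        print("Forwarding:", finding)
```

To check a live domain, replace `SAMPLE_DIG_OUTPUT` with the output of `dig MX yourpractice.com`; on the sample above the script reports the stale `mail.old-webhost.example` record and the forward to the personal Gmail address, and nothing else. The forwarding check needs an export from your provider’s admin console, so adapt the column names to whatever your provider produces.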
Making Google Workspace HIPAA-Compliant: Step-by-Step
Google Workspace is a popular and affordable option for secure business email, especially for clinicians and professionals who are just starting their private practice. Its scalability, reliability, and familiar interface make it a common choice for managing professional communications. Because of its accessibility and cost-effectiveness, this guide focuses specifically on setting up and maintaining HIPAA compliance within Google Workspace.
- Sign the BAA with Google. Log in to your Admin Console, review, and accept the HIPAA Business Associate Amendment.
- Identify Covered Services. Only use tools listed as HIPAA-eligible in Google’s Implementation Guide.
- Set Access Controls. Limit PHI access based on user roles or organizational units.
- Enable Two-Factor Authentication and Strong Passwords.
- Turn On Logging and Auditing. HIPAA requires activity tracking and breach detection.
- Train Staff. Technology only works if your team understands how to use it responsibly.
- Maintain and Review Regularly. HIPAA compliance is ongoing — not a one-time setup.
Staying Out of the Penalty Box: Your HIPAA-Compliant Email Checklist
Just like a hockey mom making sure her kids’ gear is ready for game day, staying on top of your email practices is key to keeping your clients’ sensitive information safe. We’ve put together a checklist of the steps and safeguards you should follow when using email in your private practice.
- Sign a Business Associate Agreement (BAA) with your email provider.
- Use only HIPAA-eligible services to ensure compliance.
- Enable multi-factor authentication (MFA) for all accounts.
- Keep devices encrypted and password protected.
- Use email encryption whenever sending or receiving PHI (Protected Health Information).
- Conduct and document a risk analysis of your email practices.
- Provide staff training on secure email use and HIPAA requirements.
- Ensure HIPAA-compliant hosting if your website collects PHI.
- Use email only for limited PHI; rely on your EHR platform’s secure messaging system (such as SimplePractice) whenever possible.
- Direct clients to your client portal for sharing or receiving sensitive information.
- Review your provider’s HIPAA settings and renew your BAA as needed.
- Stay current with provider policy updates, as HIPAA eligibility for features can change over time.
Just like hockey gear requires regular cleaning and adjustment, your compliance setup benefits from routine checks and updates.
Protecting What Matters Most
Setting up a HIPAA-compliant email for your private practice may sound complex, but it’s simply a matter of using the right provider, signing the right agreements, and maintaining good habits.
Think of your email provider as the pro shop: they provide the protective gear, but you’re the one who makes sure your player wears it correctly.
Compliance, like safety, is a team effort.
At Tracy Mak Studio, we help private practices like yours choose and implement secure digital tools that meet HIPAA requirements.
If you’re ready to make sure your practice’s team is properly equipped, contact us for a free 15-minute consultation to see how we can help you build a secure, professional, and compliant online presence.


