With all the criticism of the 2013 HIPAA Omnibus Final Rule, an under looked positive side of the updated law was the explicit expansion of patient/client rights and autonomy.

Of great note to myself and others in professional mental health was the specification that clients have the right to consent to receive normal, unsecured emails from their providers if the provider first informs the patient/client of the risks and the patient/client still wants the email.

We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email.

US Department of Health and Human Services, 2013

As an aside: We assert that “email” is a stand-in for messaging that uses the Internet. From the perspective of transmission security standards, there is little or no real difference between email, SMS (classic texting), and any other kind of messaging that uses the Internet. Also, HHS guidance states that non-secure means besides email are acceptable so long as they don’t compromise the security of the practice organization.

The above clarification from the Omnibus is mighty confusing in light of the fact that no mention was made of this gem from HIPAA’s original Security Rule:

Standard: Transmission security.

Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

US Department of Health and Human Services, 2005

So what the heck does that mean? Well, it means that when you send stuff over the Internet (e.g. emails and texts), you need to employ technical measures for securing it. In the real world of 2016, it means you need to encrypt your emails and texts.

So how the heck do those two pieces of law not contradict each other? The Omnibus Rule is from 2013, so maybe it overrules the 2005 thing?

Not so. There is no legal opinion out there we’ve seen that indicates any retraction or overriding going on here.

These two things coexist, in our opinions, because of two magical ideas: risk management and client autonomy.

Risk Management Solves Problems

The HIPAA Security Rule requires us to take a risk management approach to the security of protected health information. It also sets out a bunch of standards we need to implement as part of our risk management plans (that “Transmissions Security” standard was one of them.)

Autonomy means that clients may make their own decisions regarding their care. HIPAA supports autonomy a lot, and we can see that they support it even when it comes to transmission security.

It’s not a simple matter of clients just making a decision out of the blue, however. Regardless of how we might arrive at sending unencrypted emails or texts to clients, risk management must be involved in the process.

In fact, even before the Omnibus Rule, there was some opinion that client decisions could push a clinician towards sending PHI in unencrypted emails. Here I’ll quote a well-cited article from attorney Elizabeth Johnson that is dated 2012 (before the Omnibus Rule):

For patients who simply insist on receiving email [as a means of releasing records], if that email cannot be encrypted then a health care provider may be left with two unappealing choices. Choice one is to refuse, in which case patients may rightly insist that the provider has not respected their right… Choice two is to fulfill the request, send the unencrypted email, and risk violating the HIPAA Security Rule. We think the better choice is to send the email, but only after the health care provider engages in the required feasibility analysis and documents the outcome as described above to help ensure Security Rule compliance. It’s also a good idea to advise patients of the potential risks and insecure nature of email, and then ask again if they really want the record sent in that manner.

Johnson, 2012

Johnson may have been prophetic, as you’ll notice that the Omnibus Rule’s clarification regarding client autonomy to request unencrypted communications does, indeed, require that their clinician warn them of risks before agreeing to the request.

We assert that warning clients of applicable risks and benefits allows them to make informed risk management decisions. In the security risk management world, there is a concept called “accepting risks,” and being informed is an essential part of it.

When one has evaluated all the ways that a risk can be reduced but has decided that those risk reduction measures are undesirable for some reason, one might decide to simply accept the risk as it is without implementing those measures. Accepting risks means that some potential risk management strategies were rejected — often because of cost or difficulty in implementation — and that over time, one will continue to revisit measures that can reduce the accepted risks. (Stewart, Chapple, Gibson, 2015)

In this case, we’re talking about clients rejecting the use of encryption and accepting the resulting risks.

We believe that the Omnibus Rule is asserting that us clinicians, who are charged with keeping our client’s information secure, are responsible for ensuring that clients make informed decisions when they accept risks. We think there are corollaries to this, as well, which will be discussed below.

Ethics Codes and Local Laws on Non-Secure Communication

Ethics codes also, generally speaking, support client autonomy. That doesn’t always mean they allow confidentiality risks the way HIPAA does, however. Let’s look at relevant quotes:

6.3 Confidentiality and Professional Responsibilities
It is the therapist’s or supervisor’s responsibility to choose technological platforms that adhere to standards of best practices related to confidentiality and quality of services, and that meet applicable laws.

AAMFT Code of Ethics, 2015

Counselors use current encryption standards within their websites and/or technology-based communications that meet applicable legal requirements. Counselors take reasonable precautions to ensure the confidentiality of information transmitted through any electronic means.

ACA Code of Ethics, 2014, H.2.d

Psychologists who provide telepsychology services take reasonable steps to ensure that security measures are in place to protect data and information related to their clients/patients from unintended access or disclosure.

Guidelines For the Practice of Telepsychology, 2013, Guideline 5

Social workers should take reasonable steps to protect the confidentiality of electronic communications, including information provided to clients or third parties. Social workers should use applicable safeguards (such as encryption, firewalls, and passwords) when using electronic communications such as e-mail, online posts, online chat sessions, mobile communication, and text messages.

Code of Ethics of the National Association of Social Workers, 2017, 1.07(m)

NCCs shall use encryption security for all digital technology communications of a therapeutic type. Information regarding security should be communicated to individuals who receive distance services.

NBCC Policy Regarding The Provision of Distance Professional Services, 2012, Standard 5

The ACA and NBCC codes are of particular interest, because they explicitly mention the use of encryption. Only the NBCC code seems to be outright proscribing unencrypted communications, however. All the codes and guidelines do call for the use of technical security when sending information over the Internet — just like the HIPAA Security Rule’s good ol’ Transmission Security standard!

The precise interpretation of the above citations is left to your research. We encourage you to earnestly consider, however, that sending unencrypted emails and texts to clients may not be ethical, even if you do so legally under HIPAA. Consultation on this point is a good idea.

We will say, however, that our professional ethics universally put us in the position of “the person who should know better.” And they’re more serious about it than HIPAA. HIPAA’s requirements for us to warn clients of confidentiality risks in unencrypted emails and texts are surprisingly low. Here is what they say on the point:

We do not expect covered entities to educate individuals about encryption technology and the [sic] information security. Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party.

US Department of Health and Human Services, 2013

That’s pretty clear. But we believe that the ethical standard for responsibility is well summed up in the ACA Code of Ethics here:

Counselors inform clients about the inherent limits of confidentiality when using technology. Counselors urge clients to be aware of authorized and/ or unauthorized access to information disclosed using this medium in the counseling process.

ACA Code of Ethics, 2014, H.2.c emphasis mine

“Urge clients to be aware” has been identified by the committee that authored this as counseling the client to fully know what they’re getting into. That same standard would apply to working with clients who request unencrypted emails and texts. Our informal surveys of hundreds of interdisciplinary colleagues have indicated that we, as allied professionals, see that standard as the reasonable one.

If you’re reading this section and thinking, “Man! Unencrypted texts and emails are probably a no-go for me!” then read this article on making the secure stuff work for you and clients. We think it’ll help.

Local Law

As much as it would be a major bummer to get through the gauntlet of HIPAA rules and ethics codes only to discover yourself stymied by state law, it could certainly happen. Some licensing boards and other state agencies require in law that Internet transmissions to clients always use encryption.

Business Associate Agreements

Since the question arises frequently, I’ll address it here: client requests for nonsecure communications don’t impact the Business Associate Rule. You always need a Business Associate Agreement with your email provider to maintain your HIPAA compliance. More in our article on email and HIPAA compliance, and a deeper explanation is provided in Level I of our Digital Confidentiality training.

Our free, informative articles are brought to you by Hushmail,
who is offering our readers 15% off for life!
Wondering why this is here? See our sponsorship policy for details.

Hushmail Image

Roy with coffee mugRoy says: Hushmail is one of several secure email options that serves health care practitioners like us. Hushmail is highly trusted, affordable, includes secure web forms that accept e-signatures, and has earned a recommendation from us for use by mental health professionals. Learn more about Hushmail for Healthcare and get 15% off for life.

Working With Clients Around Accepting Nonsecure Communications Risks

Accepting risks means accepting possible negative consequences that haven’t been mitigated by other measures, and HIPAA asserts that clients have a right to do this. An important corollary is that therapists may not do this on behalf of clients. Nor should therapists assume that they can rely on their clients to request unencrypted emails and texts as part of their practice management strategy.

Therapists have a legal and an ethical duty to make sure clients understand Internet transmission risks before requesting those nonsecure emails and texts. To assist with this, we offer our Email and Texting Risk Questionnaire to our free newsletter subscribers. We also strongly encourage clinicians who wish to facilitate requests for unencrypted communications to first take our Level I training so they better understand the associated risks and can help clients navigate them.

We also offer our free Email and Texting Risk Questionnaire form to our (also free) newsletter subscribers. Subscribe to our newsletter here to get access to these and other useful forms.

Even when technical measures, e.g. encryption, are not employed, a basic desire to protect clients’ safety calls for other measures to be taken to the maximum extent possible. The main measure that comes to mind is agreeing that unencrypted communications will be limited to the things for which clients typically want quick, nonsecure communications anyways: scheduling and other logistical issues. Once again, our Level I training explores in depth why this is preferable and why anything further is likely to be dangerous for clients (indeed, even those topics could be dangerous for certain clients.)

While clients may decide they want unencrypted emails and texts, they are unlikely to understand the clinical impacts of the decision. Ethically, we must always take the responsibility for that. So don’t forget to contemplate that one risk in nonsecure communication is a breach of the sacred space that is created in private, safe offices. More below.

Do We Need To Provide Secure Options?

We assert that clients aren’t really accepting risks on their own accord if a secure method of communication isn’t available to them and presented well and with an earnest desire for the client to use it productively.

Secure communication methods are not only very affordable (sometimes even free), but many secure texting apps are just as convenient as any other app on the same phone. And secure messaging (aka “encrypted email”) services are affordable and plentiful.

As such, if the clinician hasn’t made secure options reasonably available, it doesn’t seem quite right to assert that a client’s request for unencrypted communication is a fully informed decision.

Cost-benefit analysis must be part of the overall equation. Remember that if the request for nonsecure communications is mostly rooted in the habits of the client (or the clinician!), then the cost-benefit analysis does not make unencrypted communication look good. There needs to be a more compelling reason than that to forego the secure options that help ensure client confidentiality.

Documenting the Client’s Request

Given the overabundance of paperwork and logistical considerations that are weighing down modern practice, our professional culture is often invested in the use of waivers to help us expedite informed consent processes and make therapy smoother. Requests for unencrypted emails and texts from the therapist are not a situation where conceptualizing the process as a waiver is likely to be legally, ethically or clinically successful, however.

If we think of these requests as an option that HIPAA leaves open to clients out of respect for their autonomy to make decisions around their own confidentiality, however, we are more likely to succeed all around.

As such, we have revised our “Consent for Nonsecure Communications” document with a new title, “Request for Nonsecure Communications.” The body of the document also reflects the new theoretical slant.

We offer our sample Request for Nonsecure Communications (e.g. email) forms to our free newsletter subscribers. Subscribe to our newsletter here to get access to these and other useful forms.

We also offer our free Email and Texting Risk Questionnaire form to our (also free) newsletter subscribers. Subscribe to our newsletter here to get access to these and other useful forms.

Even if the law and your ethical requirements allow the client to take on the liability risks of requesting nonsecure communications from you, there remains a really, really important question:

Should they do that?

And the vital follow up is: should you agree to their request?

To help answer that, we have written a counterpoint article to this one. We believe that no one should act on the educational information in this article until, at the very least, they’ve read our counterpoint. Read it here: Even Though They Have a Right Under HIPAA To Unencrypted Emails: A Case For Only Using Secure Email and Texting With Clients.


The Omnibus Rule’s clarification on unencrypted emails and texts remains the same as it was in 2013, and it certainly gives our clients flexibility in choosing how they wish to communicate with their providers.

However, the passage of time has brought out better ways to do secured communications. With that has also come increasing professional standards to use encryption when communicating with clients.

However, those clients who insist on requesting nonsecure methods, or who have some need for them, are still given the right to choose under HIPAA. So long as other applicable authorities agree, the risk management scenario looks favorable, and there is a real and important net benefit to complying with the request, you might decide to do so.

Learn more about using email with clients legally and ethically:

1 CE Credit Hours


2 CE Credit Hours

1 Legal-Ethical

17 CE Credit Hours

11 Legal-Ethical


Scheduled Maintenance

We will be temporarily taking the website offline at 10:00 PM Pacific (1:00 AM Eastern) tonight, July 6, in order to make some improvements. We plan to be back online by midnight Pacific (3:00 AM Eastern). We apologize for any inconvenience this may cause. Dismiss