Woman Putting Letter In MailboxWe talk about email and texting a lot. And one of the concerns we have about the discourse around it is the heavy focus on the privacy of our messages as they pass across the roads of the Internet. Even the federal government is mostly focused on this point.

We do need to also attend to what happens to our messages once they arrive at the client’s own cloud service centers. HIPAA essentially ignores this not because of ignorance, but because once the email arrives there it is no longer in the scope of HIPAA. That law doesn’t require us to think about the messages once they reach the client’s side of things.

As ethical professionals, however, we’re concerned about our client’s needs across the board. And in the spirit of client-centered care, let’s take a look at those “Non-Internet Risks in Email With Clients!”

Secure Messaging vs Encrypted Transmissions

In our article on email and HIPAA compliance, we hinted that there’s a difference between real encryption of emails and “secure messaging,” which is what we most typically use in real health care practices.

Secure Messaging

When you write a message with a secure messaging service, it never actually sends your message across the Internet. Most of the time, secure messaging works by holding on to your message in a safe place. The service then instructs your client to come over to the secure messaging service’s website, give the right password or other credential, and then it will show your message to the client.

Simple enough, and a good solution to the logistical problems involved in exchanging encrypted messages between people who aren’t using the same secure messaging service.

In order to instruct the client on how to retrieve their message, most secure messaging services will send an unencrypted, boilerplate notification email to the client indicating that a secure message is waiting for them. These notification emails don’t contain your full message, but they do generally expose two things that we need to be aware of:

  1. Who the secure message is from. In other words, while the service does not send your original message to the client over the Internet, it does send them an unencrypted notification email stating that you are trying to get a secure message to them.
  2. The subject line of your message. Not every secure messaging service exposes the subject line of your message in notification emails, but most do. If your subject line is not carefully crafted, important information could be exposed through the notification email.

Despite the above concerns, these notification emails are rarely an issue of significance, except for situations like the risk scenarios that we describe below. HHS is generally in favor of health care professionals using these systems.

Actual Encrypted Email

When we’re talking about actual encrypted emails, we’re generally talking about a situation where the email is sent across the Internet roadways using a kind of encrypted tunnel. The email itself is not actually encrypted in the process.

To put it another way: when you send an actual encrypted email to a client, it will cross the Internet in its armored limo of encryption. But when it arrives at the client’s email service, it exits all the protective layering and comes out just as clear and unprotected as any other unencrypted email.

This may not be as bad as it sounds. Once it arrives there, it’s in the protective custody of the client’s email service provider. Unless that provider is bad at its job (and a few of them are, we can presume), the email will likely be safe from the Internet’s anonymous hacker crew. It may be vulnerable to the risks described below, however.

Unencrypted Emails

There is a possibility that you’re sending unencrypted emails to clients because they asked you to.

Maybe you’re doing a great job in working with that request. You might have a BAA with your email service and great security on your end. While HIPAA, and possibly ethics and state law, would allow this, there is the consideration of confidentiality-related dangers once the email hits the client’s email server.

What Email Service Is Your Client Using?

The above two sections show us that whether we’re using encryption or not to send emails, the issue of the client’s email service still arises.

Whatever company operates the client’s email server can potentially read the emails that land there. Most private email services either choose not to read their customers’ emails or may read them but do nothing egregious with the information they find there. Usually the most dastardly use of the emails they receive is to find out what ads they should show the customer while they read their email.

If the email server is owned by an employer, school, or other such party, however, that’s different. There is legal precedent that it’s fine for these institutions to read the emails that their servers manage and do as they please with the information they find there.

So there arises a need to ask your clients: what email service are you using? Is it an employer or school? What would your bosses do if they saw an email from your therapist, or if they saw a boilerplate email indicating that I’m trying to get a secure message to you?

Based on the client’s answer, the two of you can make a risk management plan. It can be as simple as the client choosing to use a separate email address, if it seems there is a need.

How Is Your Client Getting Their Emails and Texts?

People use different methods of getting to their emails and texts. Maybe they go to a website to read them. Maybe they download them to their computer or smartphone (or both.) Texts are usually downloaded to a phone.

People with access to the devices used for emails and texts can read them. Abusers often force their targets to give them access, or may simply be willing to put a lot of energy into worming or hacking their way into the client’s gear. There is also the possibility of innocent exposure, when a family member or other trusted person stumbles across messages on a phone or computer.

A determined bad guy who really wants to spy on a client — again, usually an abuser or stalker — could even try to hack the client’s online account. Most of the time, this “hacking” would be done by figuring out the client’s password by some means or another. If they are physically close to the client, there are many opportunities to get the client’s password. It’s extremely rare that these kinds of privacy invasions are accomplished through the esoteric tech wizardry often depicted by Hollywood.

So the therapist needs to ask clients: what are you using to read and write emails and texts? Who has access to those things? Sometimes “access” just means they can physically get their hands on it — such as with smartphones and computers — even though they don’t know the client’s smartphone pin code or computer password. Would it be unsafe if any of those people read a message that comes from me or saw that I am exchanging messages with you?

Based on the client’s answer, you can develop a risk management plan as necessary.


While this article discussed a number of related issues, they all came down to a few basic questions for clients that are easily answered:

  • What email service(s) are you using?
  • Is your email service operated by an employer? School? Something like that? If so, what would it mean to you for the admins there to see that you and I are exchanging messages?
  • What do you use to access your emails and texts? Is there anyone in your life who you don’t want seeing the messages we exchange?

Once those questions are presented, the next steps simply depend on the answers.


Scheduled Maintenance

We will be temporarily taking the website offline at 10:00 PM Pacific (1:00 AM Eastern) tonight, July 6, in order to make some improvements. We plan to be back online by midnight Pacific (3:00 AM Eastern). We apologize for any inconvenience this may cause. Dismiss