
HIPAA-Compliant Communication Tools for Therapists: A Practical Guide

Not sure which communication tools are HIPAA compliant? A practical guide to secure phone, text, email, and video tools for therapy practices.

Harbor Team · 5 min read

HIPAA compliance is one of those topics that makes most therapists' eyes glaze over — until something goes wrong. The regulations can feel overwhelming, and the consequences of getting it wrong are serious. But the basics of HIPAA-compliant communication are more straightforward than most therapists realize.

This guide covers what you actually need to know about using phones, texting, email, video, and newer AI tools in your therapy practice without running afoul of HIPAA.

What HIPAA Actually Requires for Communication

HIPAA does not ban any specific technology. It does not say you cannot use email, text messages, or AI tools. What it requires is that you take reasonable steps to safeguard protected health information (PHI) in every form of communication you use.

In practice, this means three things. First, you need appropriate safeguards — technical, administrative, and physical — to protect PHI. Second, you need a Business Associate Agreement (BAA) with any third-party service that handles PHI on your behalf. Third, you need to document your compliance efforts.

The BAA is the critical piece. Any vendor that creates, receives, stores, processes, or transmits PHI on your behalf is a business associate and must sign one. The one exception is a pure conduit, such as the telephone carrier or your internet service provider, which merely carries the data and does not have routine access to it. If a vendor that does handle PHI will not sign a BAA, it cannot be used for anything involving PHI. It is that simple.

Phone Calls

Standard phone calls are generally considered compliant for discussing PHI. The phone network itself is not a "business associate" under HIPAA, and the regulations recognize that some risk is inherent in verbal communication.

However, phone systems that record calls, transcribe voicemails, or store call data in the cloud do fall under HIPAA requirements. If your phone system has any of these features, the provider needs to sign a BAA.

Voice over IP (VoIP) systems like Google Voice, RingCentral, and Dialpad vary in their HIPAA compliance. Some offer BAAs on their business plans, while others do not. Check before using any VoIP system for patient calls.

Text Messaging

Standard SMS text messaging is not considered HIPAA compliant for communicating PHI. Text messages are stored on carrier servers, can be intercepted, and persist on devices in unencrypted form.

This does not mean you cannot text patients at all. You can use texting for non-PHI communications like appointment reminders that do not include clinical details ("Reminder: appointment tomorrow at 3 PM" is fine; "Reminder: your therapy session for depression treatment" is not).

For secure messaging that includes PHI, use a HIPAA-compliant messaging platform. Options include Spruce Health, which provides HIPAA-compliant calling, texting, and faxing; Hush Secure Messaging, designed specifically for therapists; and most major EHR platforms that include a built-in patient messaging feature with appropriate safeguards.

Email

Email is a gray area in HIPAA. The regulations do not prohibit email communication with patients, but they do require appropriate safeguards. In practice, this means using an email provider that encrypts your mailbox at rest and in transit and that will sign a BAA.

Google Workspace and Microsoft 365 both offer BAAs on their business plans. A standard free Gmail or Outlook account is not sufficient. Keep in mind what the BAA covers: it governs how the provider handles your mailbox, not what happens once a message leaves for the patient's own email service, where it travels with whatever transport encryption the two servers negotiate and then sits in an inbox you do not control. For messages that must contain PHI, use an encrypted-message option or a patient portal rather than a plain email body.

Many therapists obtain written patient consent to communicate via email, with a disclosure that standard email is not fully secure. This does not exempt you from HIPAA requirements, but it does establish that the patient is aware of and accepts the risk.

Video and Telehealth

Telehealth platforms must be HIPAA compliant and covered by a BAA. The major platforms that meet this standard include Doxy.me (free tier available, very popular with solo practitioners), Zoom for Healthcare (not standard Zoom, but the healthcare-specific version that comes with a BAA), SimplePractice Telehealth, and TherapyNotes Telehealth.

Standard Zoom, FaceTime, Google Meet, and Skype are not HIPAA compliant in their default configurations. The HHS enforcement discretion that allowed their use for telehealth during the COVID-19 public health emergency ended in 2023, so do not assume these are still acceptable.

AI Tools — The New Frontier

AI tools are increasingly entering the therapy practice workflow — from AI-assisted note-taking to AI receptionists. HIPAA applies to all of them if they handle PHI.

For any AI tool that processes patient information, you need the same things you need from any other vendor: a signed BAA, clarity on how data is stored and processed, written confirmation of whether your data is used to train AI models (it should not be, if it contains PHI), how long transcripts, recordings, and generated notes are retained and who can access them, and documentation of your compliance assessment.

Some AI receptionist platforms, including Harbor, are built with HIPAA-conscious architecture from the ground up, meaning they are designed to handle PHI appropriately and can enter into BAAs with your practice. Others are general-purpose tools that were not designed with healthcare in mind. Always ask.

The BAA Checklist

Before using any tool that will touch patient information, confirm the following. Does the vendor offer a BAA? Have you signed the BAA before using the tool? Does the vendor's BAA cover all the services you are using? Vendor BAAs usually list the specific products and features they cover, so a beta feature, add-on, or third-party integration may fall outside the agreement even when the core product is covered. Is the BAA accessible and filed with your compliance documentation?

A signed BAA does not guarantee that a vendor is secure. But the absence of one is a clear HIPAA violation.

Practical Recommendations

For a solo therapy practice that wants to stay compliant without overcomplicating things, here is a straightforward setup.

Use Google Workspace or Microsoft 365 with a BAA for email. Use your EHR's built-in features for scheduling, reminders, and patient messaging wherever possible. Use a HIPAA-compliant telehealth platform for video sessions. Use a HIPAA-compliant messaging tool (or your EHR) for any text communication involving PHI. For any new tool — AI or otherwise — confirm the BAA is in place before entering any patient data.

When in Doubt

HIPAA compliance is not optional, but it also does not require perfection. The regulations expect "reasonable" safeguards, not absolute security. Document your efforts, use vendors who sign BAAs, train yourself on best practices, and consult your professional liability insurer or a healthcare compliance attorney if you have specific questions.

The goal is to protect your patients' information with the same care you bring to their treatment. The tools are available to do this. It is simply a matter of choosing the right ones.
