Email Security for Mental Health Practices
Solo therapists and small mental health practices handle PHI under HIPAA without IT teams. Here is the realistic 2026 email defense.
Mental health practices sit at a difficult intersection of HIPAA compliance, small-business operational reality, and a threat landscape that increasingly targets healthcare providers specifically. Solo therapists, small group practices, and community mental health centers all face the same structural problem: full HIPAA obligations with limited resources to address them.
This post is the realistic email security guide for the typical mental health practice in 2026, focused on what actually works at the scale most practices operate at.
The HIPAA Context
Mental health professionals who transmit health information electronically are covered entities under HIPAA. In 2026, this includes essentially all licensed therapists, psychologists, psychiatrists, and counseling practices, because insurance billing, electronic prescriptions (psychiatry), patient-portal communication, and electronic record-keeping all qualify as electronic transmission.
The compliance scope includes the Privacy Rule (rules on use and disclosure of PHI), the Security Rule (administrative, physical, and technical safeguards for electronic PHI), and the Breach Notification Rule (60-day reporting obligations when PHI is exposed).
For mental health specifically, the Privacy Rule provides heightened protection for psychotherapy notes, which are the personal notes a clinician keeps to document the contents of a conversation during a counseling session. These notes are kept separate from the rest of the medical record and require separate written authorization for most disclosures. Storage and transmission practices for psychotherapy notes should be more conservative than for the rest of the record.
What Email Risks Actually Look Like
Three patterns are most common in mental health practices.
Vendor-impersonation wire fraud. A practice manager receives an email purporting to be from a billing service, an EHR vendor, or a contractor, asking to update wire instructions for an upcoming invoice. The email looks routine. The wire goes to the attacker’s account. Loss is typically four to five figures per incident. The pattern is identical across small healthcare practices regardless of specialty. We covered the broader pattern in wire fraud email scams: an industry-by-industry breakdown.
Patient phishing using breached PHI. Healthcare data breaches in adjacent organizations (hospitals, insurance companies, EHR vendors) feed attacker datasets that are then used to target patients with personalized phishing. The patient receives an email purporting to be from their provider, referencing real appointment details (which the attacker obtained from a breach), and asking the patient to click a link or pay a balance to a fraudulent account. The provider has nothing to do with the attack but is sometimes blamed for it.
Credential phishing against the practice’s email account. The practice’s email is the gateway to client communication, billing, and EHR access. An attacker who phishes a clinician’s credentials gains visibility into PHI by reading the inbox, can send messages from the clinician’s identity, and can sometimes pivot into the EHR or billing system if SSO is in use.
The first two are the higher-probability events for most small practices. The third is the higher-impact event when it happens.
What HIPAA Reasonably Requires
The Security Rule’s implementation specifications are designated “required” or “addressable,” with addressable specifications permitting documented alternative approaches when the primary approach is not reasonable and appropriate for the practice. For a small mental health practice, the realistic interpretation:
Encryption of PHI in transmission. Outbound email containing PHI should be encrypted. Most small practices accomplish this by using a HIPAA-eligible email provider (Google Workspace Business with a BAA, Microsoft 365 with a BAA) with TLS encryption in transit, or by using a secure-portal system for patient communication. Sending PHI to a patient by direct, unencrypted email is generally not considered reasonable.
Access controls. Only authorized personnel should access email accounts that handle PHI: MFA on all email accounts, role-appropriate access (e.g., billing staff do not need access to clinician inboxes), and prompt removal of access on offboarding.
Audit logging. Records of email access should be available. Microsoft 365 and Workspace both provide adequate logging for small practices.
Risk assessment. A documented risk assessment, periodically updated, explains the practice’s specific email-related risks and the controls in place to address them. The Office for Civil Rights examines this document in any post-breach review.
Breach notification. PHI exposure must be reported within 60 days. Most small practices delegate this to their cyber insurance carrier or HIPAA compliance consultant.
What Actually Reduces Risk
A combination of structural and procedural defenses works better than either alone. The realistic stack for a solo or small practice:
HIPAA-compliant email provider with BAA. Workspace Business or Microsoft 365 Business with a signed Business Associate Agreement. The BAA defines the provider’s HIPAA obligations and is required for the provider to handle PHI on the practice’s behalf.
MFA on all email accounts. Hardware-key MFA (YubiKey or similar) on the clinician’s primary account is the highest-impact single control. App-based MFA on all secondary accounts. Password-only access to email handling PHI is no longer reasonable.
Verification protocols for wire transfers and payment changes. Any vendor wire-update request, bank-detail change, or unusual payment instruction is verified by a phone call to a number the practice manager already has, not a number from the email. This single procedure prevents most successful wire fraud.
Structural inbox filtering. A filter that reduces the volume of unsolicited mail reaching the inbox is high-impact for the small practice that does not have a dedicated person triaging email. Less noise means more attention available for the messages that matter, including the suspicious ones. Rythm sits at this layer; we covered the broader concept in what is an email paywall.
Patient communication via portal. Most modern EHRs include a patient portal with secure messaging. Routing routine patient communication through the portal reduces the volume of PHI that flows by email at all.
Awareness training, lightly. Annual HIPAA training is required and most practices already do it. Specific training on the wire-fraud and credential-phishing patterns is more valuable than generic HIPAA video modules.
Cyber insurance. A cyber rider on the practice’s professional liability policy covers most small-incident scenarios. Verify the policy’s wire-fraud sub-limit, the social-engineering coverage, and the breach-response service.
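As an added example (not Rythm’s code and not from this post), here is a small Python triage that combines the guest-list style of inbox filtering and the wire-verification protocol above: known senders go to the inbox, unknown senders are filed for review, and any message asking to change payment details is flagged for a phone call to a number the practice already has. The guest list, the vendor names, and the sample messages are all constructed.

```python
import re
from email.utils import parseaddr

# Hypothetical guest list: senders the practice already corresponds with,
# keyed by address, with the display name the practice knows them by.
GUEST_LIST = {
    "billing@example-billing.test": "Example Billing Services",
    "support@example-ehr.test": "Example EHR Support",
}
KNOWN_NAMES = {name.lower() for name in GUEST_LIST.values()}
# Language that asks to change where money goes. Any hit is verified by
# phone, on a number the practice already has, before anyone acts on it.
PAYMENT_CHANGE = re.compile(
    r"\b(updated? (wire|bank|ach|routing) (instructions|details|information)"
    r"|new (bank|account) (details|number)|remit(tance)? to (a )?new)\b",
    re.IGNORECASE,
)
def triage(headers: dict, body: str) -> dict:
    """inbox: known sender; review: unknown sender, filed for the manager;
    verify: payment-change language, confirm out of band before acting."""
    display, addr = parseaddr(headers.get("From", ""))
    addr, display = addr.lower(), display.strip().lower()
    known = addr in GUEST_LIST
    reasons = []
    # A familiar vendor name on an address the practice has never seen is
    # the vendor-impersonation shape described above; name it explicitly.
    if display in KNOWN_NAMES and not known:
        reasons.append("known vendor name on unknown address")
    if PAYMENT_CHANGE.search(body):
        reasons.append("payment-change language")
        disposition = "verify"
    elif known:
        disposition = "inbox"
    else:
        disposition = "review"
    return {"disposition": disposition, "reasons": reasons}
# Constructed sample messages (not real mail): routine invoice, lookalike
# domain changing wire details, lookalike with no ask, unknown newcomer.
SAMPLES = [
    ({"From": "Example Billing Services <billing@example-billing.test>"},
     "Attached is this month's invoice. Thank you."),
    ({"From": "Example Billing Services <billing@examp1e-billing.test>"},
     "Please note our updated wire instructions for the attached invoice."),
    ({"From": "Example Billing Services <accounts@examp1e-billing.test>"},
     "Following up on our last call."),
    ({"From": "Jordan <jordan@unknown-sender.test>"},
     "Hi, I would like to book an initial consultation."),
]
def run_samples() -> list:
    return [triage(h, b)["disposition"] for h, b in SAMPLES]
```

The "verify" disposition is the point: the message never decides the phone number used to confirm it.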
A Note on Psychotherapy Notes
Psychotherapy notes deserve a separate paragraph because the heightened protection under HIPAA’s Privacy Rule means that email transmission of these notes is rarely reasonable. The realistic approach is to store psychotherapy notes within the EHR system or on practice-controlled local storage, never to email them, and to maintain strict separation between psychotherapy notes and the rest of the medical record.
If transmission is unavoidable (e.g., a court-ordered subpoena), the transmission method should be the most conservative reasonable option (encrypted file delivery via a secure portal, not unencrypted email), and the practice should document the risk assessment and the rationale for the chosen method.
What Rythm Does and Does Not Do
Rythm sits at the inbox layer on top of Gmail or Outlook (including the HIPAA-eligible Workspace and Microsoft 365 plans). Rythm scans incoming mail in memory, detects whether the sender is on the practice’s guest list, and either delivers the message or files it into a separate folder for review. Unknown senders are asked for a small cover charge that, if paid, settles directly to the practice’s Lightning wallet.
Rythm does not store email content. Tokens, when present, are detected and melted in memory and never written to persistent storage. We covered the architecture in non-custodial architecture.
Rythm is not a HIPAA business associate. Rythm does not handle PHI in any way that would require a BAA. The practice’s BAA is with the email provider (Microsoft or Google), and Rythm operates as an inbox-layer filter that does not transmit, store, or process PHI on the practice’s behalf.
What Rythm changes for a mental health practice is the volume of unsolicited mail reaching the practice manager and the clinicians. Vendor-impersonation wire fraud at scale, mass cold outreach from healthcare-targeted lead-gen vendors, and the general noise of being on a small-practice mailing list ecosystem all decrease meaningfully when unknown senders have to pay a small cover charge to reach the inbox.
What Rythm does not do is replace HIPAA-compliant email infrastructure, encryption of PHI in transit, the BAA with the email provider, the verification protocols for wire transfers, or any of the procedural defenses that the Security Rule reasonably requires. Rythm is a structural filter on the volume side, not a substitute for the compliance program.
A Specific Honest Note
Mental health practices have hard email security obligations and limited resources to address them. We are not pretending Rythm solves the full HIPAA compliance problem. Rythm reduces the volume of unsolicited mail reaching the inbox, which is one of several controls that meaningfully reduce risk in a small practice without an IT operation.
The combination of HIPAA-compliant provider, MFA, verification protocols, structural inbox filtering, and cyber insurance covers the realistic threat surface for most small practices. Each layer is worth what it costs.
For other small-practice industry guides, see healthcare practice email security and email security for dental offices. For the broader frame on how Rythm fits, see the security overview. Rythm is $1.65 per month, cancel anytime.