Fact-checked by the digital reach solutions editorial team
Quick Answer
As of July 2025, therapists and mental health coaches protect client communications with secure messaging platforms such as SimplePractice and TheraNest, which are HIPAA-compliant and sign Business Associate Agreements, and Signal, which is strongly encrypted but offers no BAA. Platforms used by HIPAA-covered providers must meet federal HIPAA standards enforced by the HHS Office for Civil Rights, which issued over $135 million in penalties between 2020 and 2024.
Secure messaging for therapists is not optional — it is a federal legal requirement under the Health Insurance Portability and Accountability Act (HIPAA), which mandates that any electronic protected health information (ePHI) be transmitted through encrypted, access-controlled channels. According to the HHS HIPAA Security Rule, covered providers must implement technical safeguards including encryption and audit controls for all digital client communications.
With telehealth now accounting for a significant share of mental health appointments, the stakes for getting digital communication right have never been higher.
What Makes a Messaging Platform HIPAA-Compliant?
A platform qualifies as HIPAA-compliant when it provides end-to-end encryption, signs a Business Associate Agreement (BAA) with the provider, and maintains audit logs of all data access. Without these three elements, no messaging app — regardless of marketing claims — meets federal standards.
Consumer apps such as standard SMS, Gmail, and Facebook Messenger do not qualify. They lack BAA provisions and may store unencrypted message data on third-party servers. The Office for Civil Rights (OCR) at HHS has issued guidance clarifying that providers using non-compliant platforms can face civil monetary penalties starting at $100 per violation, escalating to $50,000 per violation for willful neglect.
The Role of Business Associate Agreements
A BAA is a legally binding contract between a healthcare provider and a technology vendor. It obligates the vendor to handle ePHI according to HIPAA rules. Platforms like SimplePractice, TheraNest, and Spruce Health all offer BAAs as part of their service agreements, making them viable options for licensed therapists and mental health coaches operating under HIPAA jurisdiction.
Key Takeaway: HIPAA-compliant messaging requires end-to-end encryption, a signed BAA, and audit logging. Penalties for non-compliance reach $50,000 per violation under HHS enforcement rules — making platform selection a legal, not just technical, decision.
Which Platforms Do Therapists Actually Use for Secure Messaging?
The most widely adopted secure messaging tools in mental health practice are purpose-built EHR platforms with integrated messaging, not general-purpose chat apps. SimplePractice, TherapyNotes, TheraNest, and Spruce Health dominate the market for licensed therapists in the United States.
For mental health coaches — who may not always be classified as HIPAA-covered entities — platforms like Signal and Proton Mail are popular because they offer strong encryption without requiring a clinical infrastructure. However, coaches who handle any data resembling ePHI should still consult legal counsel about their obligations. If you are exploring encrypted messaging setup for the first time, understanding the baseline technical requirements is a critical first step before choosing any platform.
| Platform | BAA Available | Encryption Standard | Best For | Starting Price (2025) |
|---|---|---|---|---|
| SimplePractice | Yes | AES-256 | Licensed therapists | $29/month |
| TherapyNotes | Yes | AES-256 + TLS | Group practices | $49/month |
| Spruce Health | Yes | End-to-end | Client communication hub | $24/month |
| Signal | No | Signal Protocol (E2E) | Mental health coaches | Free |
| TheraNest | Yes | AES-256 | Solo and group practices | $39/month |
Key Takeaway: Purpose-built platforms like SimplePractice ($29/month) and TherapyNotes include BAAs and AES-256 encryption out of the box. General apps like Signal offer strong encryption but do not provide the BAA required under HIPAA for licensed providers.
How Does Secure Messaging Protect Client Privacy in Practice?
Secure messaging for therapists protects client privacy through three technical layers: encryption in transit, encryption at rest, and role-based access controls. Encryption in transit prevents interception during transmission; encryption at rest protects stored messages on servers; and access controls ensure only authorized staff can read client records.
Beyond encryption, compliant platforms provide automatic session timeouts, multi-factor authentication, and audit logs that record who accessed which message and when. According to the HHS HIPAA Security Rule technical safeguards, covered entities must implement these controls or document a risk-based reason for not doing so.
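To make the access-control, session-timeout and audit-log safeguards concrete, here is an added example (not code from the article or from any platform it names): a minimal message store that checks the caller's role and session age before releasing a message and records every read attempt, allowed or denied, with who, which message and when. The 15-minute idle timeout, the role names and the sample messages are assumptions; encryption in transit and at rest is left to TLS and the storage layer and is not modelled.

```python
# Added example, not from the original article or any named platform.
# Role-based access + idle-session timeout + audit log of every read attempt.
from dataclasses import dataclass, field
import time

SESSION_TIMEOUT = 15 * 60          # assumed policy: 15 minutes of inactivity
ROLE_CAN_READ_CLINICAL = {"therapist", "supervisor"}  # assumed role names


@dataclass
class Session:
    user: str
    role: str
    last_active: float              # epoch seconds of the last permitted action


@dataclass
class MessageStore:
    messages: dict = field(default_factory=dict)    # msg_id -> (client_id, text)
    audit_log: list = field(default_factory=list)   # one entry per read attempt

    def store(self, msg_id, client_id, text):
        self.messages[msg_id] = (client_id, text)

    def read(self, session, msg_id, now=None):
        """Return the message text, or None if access is denied.
        Every attempt is logged, including denials, so the audit log answers
        'who tried to access which message and when', not just successes."""
        now = time.time() if now is None else now
        outcome = "denied"
        if now - session.last_active > SESSION_TIMEOUT:
            reason = "session_expired"          # automatic session timeout
        elif session.role not in ROLE_CAN_READ_CLINICAL:
            reason = "role_not_permitted"       # role-based access control
        elif msg_id not in self.messages:
            reason = "no_such_message"
        else:
            outcome, reason = "allowed", "ok"
            session.last_active = now           # activity extends the session
        self.audit_log.append({"user": session.user, "role": session.role,
                               "msg_id": msg_id, "ts": now,
                               "outcome": outcome, "reason": reason})
        return self.messages[msg_id][1] if outcome == "allowed" else None

    def accesses_by(self, user):
        """Audit query: every attempt a given user made, for periodic review."""
        return [e for e in self.audit_log if e["user"] == user]
```

A periodic review of `audit_log` entries with `outcome == "denied"` is the kind of evidence a risk assessment can point to when documenting that the access-control safeguard is actually enforced.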
“Therapists often underestimate that even a single unencrypted text message containing a client’s name and appointment time constitutes a potential HIPAA violation. The standard is not about intent — it is about the technical capability of the channel used.”
Many practices also configure their messaging platforms to send appointment reminders and intake forms through the same secure channel. This reduces the risk of accidental disclosure that occurs when staff members use personal phones or unsecured email for routine client contact. For practitioners who also manage broader digital security hygiene, learning how to set up two-factor authentication adds an additional protective layer to any login-based platform.
Key Takeaway: Compliant platforms apply at least three distinct technical safeguards — encryption in transit, encryption at rest, and access controls. The HIPAA Security Rule requires all covered entities to document their technical safeguard decisions regardless of platform choice.
Is Secure Messaging for Therapists Different From What Coaches Need?
Yes — the requirements differ significantly based on legal classification. Licensed therapists (LCSWs, LMFTs, psychologists, psychiatrists) are HIPAA-covered entities and must use fully compliant platforms with signed BAAs. Mental health coaches are typically not covered entities unless they work within a healthcare organization that is.
That distinction does not mean coaches can be careless. Many states have their own digital privacy laws — California’s CMIA (Confidentiality of Medical Information Act) and New York’s SHIELD Act, for example — that impose data protection obligations even on non-HIPAA entities. Coaches who handle sensitive client disclosures about mental health, trauma, or medication are strongly advised to adopt HIPAA-level standards voluntarily.
When Coaches Should Treat Messaging as HIPAA-Adjacent
If a coach refers clients to licensed clinicians, shares session notes with psychiatrists, or operates within a wellness platform that partners with insurers, they may inadvertently become a business associate under HIPAA. In those cases, the same BAA and encryption requirements apply. Reviewing secure alternatives to mainstream messaging apps can help coaches identify tools that meet a higher privacy bar without full clinical infrastructure.
Key Takeaway: Licensed therapists face mandatory HIPAA compliance for all client messaging. Mental health coaches may fall under state laws like California’s CMIA or become business associates if they exchange data with HIPAA-covered clinical partners, triggering equivalent obligations.
What Are the Best Practices for Secure Client Messaging in Mental Health?
The most effective practices combine technology with protocol. Choosing a compliant platform is step one; training staff, setting policies, and auditing usage regularly are equally important. The American Psychological Association (APA) and the National Board for Certified Counselors (NBCC) both publish technology guidance recommending written informed consent before using any digital communication channel with clients.
Key operational practices include:
- Obtain written client consent specifying which platforms will be used for communication.
- Never send clinical content — diagnoses, session summaries, medication references — via standard SMS or email.
- Enable automatic message expiration or archiving settings where the platform allows.
- Conduct annual risk assessments as required by the HIPAA Security Rule.
- Train all staff — including administrative and billing personnel — on acceptable use policies.
Practices that automate client communication workflows reduce both compliance risk and administrative burden. Research on automated messaging for client response time shows that structured workflows cut response delays significantly — a benefit applicable to therapy practices managing high appointment volumes. Separately, practices should be aware that phishing attacks targeting healthcare providers have grown more sophisticated; reviewing current phishing tactics is a practical step for any clinic relying on digital communication.
Key Takeaway: Best practice requires written informed consent before any digital client communication, per guidance from the American Psychological Association’s telepsychology guidelines. Annual HIPAA risk assessments and staff training are non-negotiable compliance requirements for all covered entities.
Frequently Asked Questions
Is it legal for a therapist to text a client?
Standard SMS texting is not HIPAA-compliant and should not be used for clinical content. Therapists can text clients only if using a HIPAA-compliant messaging platform that encrypts messages and is covered by a signed Business Associate Agreement with the provider.
What is the best secure messaging app for therapists in 2025?
SimplePractice and TherapyNotes are the most widely used HIPAA-compliant platforms for licensed therapists in 2025. Both offer end-to-end encryption, BAAs, integrated scheduling, and client portals. The best choice depends on practice size and workflow needs.
Can mental health coaches use WhatsApp with clients?
WhatsApp does not offer a BAA and is not HIPAA-compliant, making it unsuitable for licensed therapists handling ePHI. Mental health coaches who are not HIPAA-covered entities may use it, but face risks under state privacy laws and professional ethics codes that recommend higher standards.
What happens if a therapist violates HIPAA by using unsecured messaging?
Penalties range from $100 to $50,000 per violation, with an annual cap of $1.9 million for repeated violations of the same type, according to HHS enforcement guidelines. Violations can also trigger state licensing board investigations and civil lawsuits from affected clients.
Do secure messaging platforms for therapists also handle telehealth video?
Many do. SimplePractice, TheraNest, and TherapyNotes all include integrated HIPAA-compliant video calling alongside their secure messaging features. This consolidates client communication into a single compliant environment, reducing the risk of staff using non-compliant alternatives for convenience.
Does secure messaging for therapists require client consent?
Yes. The APA and NBCC both recommend — and many state licensing boards require — that therapists obtain written informed consent before using any electronic communication channel with clients. Consent should specify the platform, its limitations, and the expected response time.
Sources
- U.S. Department of Health and Human Services — HIPAA Security Rule Overview
- HHS Office for Civil Rights — Business Associate Agreements
- HHS — HIPAA Security Rule Technical Safeguards
- American Psychological Association — Guidelines for the Practice of Telepsychology
- National Board for Certified Counselors — Policy on Distance Counseling
- HHS — Guidance on Business Associates Under HIPAA
- HHS OCR — HIPAA Breach Reporting Tool and Enforcement Data