Email Tips for Clinicians

This article is part of an online course: Digital and Social Media Ethics for Psychotherapists for 8 CE credits

Email Tips for Clinicians

Nearly everyone uses email nowadays. I would guess anyone who is reading this right now has an email account. While many clinicians avoid social networking sites such as Twitter, Facebook, or LinkedIn they may still use email to keep in touch with family or to access email lists and exchange notes with colleagues.

Those who publish their email addresses with their office information are likely to see more clients using email as the point of initial contact, even if it is their intention to dissuade clients from using email as part of treatment. Some others may be comfortable with ongoing use of email as a way to quickly convey appointment changes to clients or even to send files or documents that are related to treatment.

If email has been or will be a part of your clinical practice, there are some important factors to consider.

Initial Contact

A new challenge for clinicians who are visible in social media is that many clients are obtaining clinicians’ email addresses and using them as a point of initial contact. Very often these emails may contain specific and extensive information along with requests for professional advice or information. Clinicians should be very careful in responding to such queries as their response can unintentionally initiate a therapist-client relationship. Giving any advice or offering diagnostic information can be perceived by a prospective client as beginning a treatment relationship. Sometimes the client sending such emails may reside in another state or another country and may not even be appropriate for our practice. I typically respond to such queries with a simple note. I also take care to delete the quoted text of the original email, in the event that someone else has access to it:

I am legally and ethically unable to provide psychological advice,
diagnoses, or assessments via email to people who are not my

If you have concerns you wish to discuss, you may wish to consider
contacting a therapist who lives in your area and scheduling an
appointment to discuss these matters with them.

Bear in mind that situations involving initial emails may be stickier if the individual sends information related to intent to harm self or others. Choosing whether and how to reply in cases like this should involve consultation and may entail locating crisis resources in the client’s location.

Software Security

Recent privacy flaps such as what happened with Google Buzz illustrated for me how important it is to use an encrypted and secure email address if you plan to exchange any email with patients. Digitally signed and encrypted email can be exchanged on sites like ciphersend or hushmail, and some offer secure forms that you can add to your website so that client data is protected. Be sure that this is the email address you put on your cards, website, and any public information. Also, if you are having mail notification sent to another email account to alert you that you have a message on a secure site, select the option that does not show the sender’s name/address in the forwarded mail. This ensures that you are not advertising secure mail and then having client data sent to a non-secure site which would be misleading.

If you have clients who want to use email to send you anything, have them come up with a password that you can use to encrypt each message. This can easily be included on your intake form. Each client should have their own unique password that only you and them know. Clients may also want to create their own secure address on one of these sites if they wish to bypass the password step and exchange secure messages with you.

If you are advertising use of secure email, and you use any web-based referral sites which mask your email address but allow clients to email you from the site, be sure you have linked all these business-related services to your secure email address to avoid security loopholes and being misleading to clients. Do the same if you use sites like PayPal or other credit card payment sites which are sending you information related to the people you treat. And be aware that email sent from data forms on these non-secure sites will compromise privacy. If you use any kind of VOIP messaging service which sends voicemail messages to your email account (sometimes with names/numbers attached to messages), also make sure you’ve selected a secure email address to which they are sent. In essence, clean up all of your various points of contact to be sure that all information related to clients goes to a secure account.

If you are someone who has used another email address with clients and you are transitioning to a service that offers encryption or more secure email, make sure you remove all client names and emails from your former email account so the names are not stored in your contact list. Remind clients to do the same for your old email address.

Lastly, it’s good to be cautious when responding to email from accounts where email was forwarded. Some sites, such as Google, have occasionally exposed the forwarded email address even when you have chosen reply to show  the originating address. If you are writing from an email address you’d prefer to keep personal, it may be safer to log out and log into the appropriate email account to respond to some messages.

Hardware Security

It goes without saying that if you are downloading emails to your computer or accessing them via a mobile phone, then you should at the very least be logging out of sites when you are done reading messages and using a password on your phone or computer at login or wakeup to prevent others from accessing these accounts.

Be aware that cellphones and laptops are frequently lost or stolen. Encrypting messages or other client data is an important way to protect any client data stored on these devices in the event of loss or theft. If you keep a separate laptop at work, don’t leave it on your desk after hours. Instead, store it in a locked file cabinet.

Be cognizant that we do not just have to be concerned about what happens on our end with messages to clients, but we should also be protective of what may happen on the client end. Even with protections in place, emails can be viewed by system admins or others in an office. If your client is in a public place and leaves her computer unattended, it is possible that anyone walking by may read your message.

Spouses or significant others may also have access to a client’s computer or cellphone which may contain email messages. This is another reason to keep disclosure of sensitive material out of emails, even when security measures are taken. A confidentiality notice in email is also a good reminder to clients about being conscientious about the use of electronic communication.

Social Networking Sites

Do not use the same email address you give your clients when you create accounts on social networking sites. You can post your practice email address publicly, but if you want to avoid popping up as a “suggested” friend or contact to your clients on these sites, create a different email address for logging into these sites. I also include in my own policies that clients who see or find me on such sites should never use the direct message systems on any of these sites to contact me, as they are not secure. Messages sent and received on these sites may also become a part of the legal record of treatment and may need to be incorporated into the client’s chart.

Shared Email Lists

If you are a member of any email list, there is the potential for one or more clients to also be on the same email list. These could be either personal or professional lists. Social circles do overlap, and cultural and community interests easily draw people together and make the world a smaller place. What this means on the Internet is that it is also very possible that you may discover you are on a shared email list with one of your clients or with others who know or are closely related to one or more of your clients.

Given these possibilities, you may have to choose carefully at times which email address you want to use and how much you care to disclose about your personal life on such lists. There are pros and cons for different approaches.

If you are using the email list for personal support, community, or socializing, you may prefer not to use your professional email account–but this opens up the possibility that your personal email may be discovered or shared with those you didn’t want to have it. On the other hand, sticking to your professional email address for all types of interactions on the Internet may make you identifiable as a clinician in places you’d prefer not to be identified, and you may not wish to publish personal things on the Internet with your professional name.

Some prefer one email address for all interactions while others feel that having a personal email and a professional email address makes for stronger branding and less blurring of personal and professional roles. Clearly, this is something to be thought through and your choice will depend upon your own comfort, as will the amount of personal sharing you’re comfortable doing on places where your messages may be accessed or archived.


It is appropriate to make clear and explicit policies for whether and how you use email in clinical care. You should put a statement about this in your policy forms. Clients should be informed about how long it typically takes you to respond to email messages, and they should be informed that email is not appropriate to communicate emergency situations to you. If you do not wish to have clients emailing you for any purpose, then do not put your email address on your website or business cards. If you allow email in specific cases, make this clear.

My own policy states that I prefer to only use email for business items such as changing appointments and it also notes that all emails sent and received are printed and placed in the client’s file. It should be noted that many practitioners feel that it is only essential to document emails that reference clinical material, and there are varying views and practices on whether administrative emails (e.g., schedule changes) should be documented.

Non-Confidential Exchanges

Some may prefer to continue to use non-secure email for professional exchanges that are non-confidential in nature, including listserv use, research, or exchanges with other clinicians. If you decide to use secure email, you can always retain less secure account for non-confidential exchanges. Just be careful not post or publicize this email address on business cards or other public listings and make sure your colleagues know not to give it out to clients.


Drude, K, & Lichstein, M. Psychologists Use of E-mail with Clients: Some Ethical Considerations. (2005) The Ohio Psychologist. Retrieved April 28, 2010 from

Kolmes, K. (2010) Google Buzz alarms a psychotherapist. Retrieved April 28, 2010 from

Recupero, P.R. E-mail and the Psychiatrist-Patient Relationship. J Am Acad Psychiatry Law, December 1, 2005; 33(4): 465 – 475. Retrieved, April 28, 2010 from

Taube, D.O. (in press). Confidentiality for California psychotherapists (pp. 68 – 108).

Zur, O. (2010). I Love These E-Mails, or Do I? The Use of E-Mails in Psychotherapy and Counseling. Retrieved month/day/year from

© 2010 Keely Kolmes, Psy.D.

To cite this page: Kolmes, K. (2010) Email tips for clinicians. Retrieved month/day/year from

3 Responses to “Email Tips for Clinicians”

  1. uberVU - social comments

    Social comments and analytics for this post…

    This post was mentioned on Twitter by drkkolmes: Email Tips for Clinicians: My new blog post. Information about security & social networking….

  2. Jen

    Thank you for posting the information. I am trying to find out if I am HIPAA compliant if I were to have first time client’s download my intake packets from my website, and email them back to me completed with their PHI. I do have the business Hushmail and I talked to them about the encryption. They said it would be encrypted only if I use the security question/answer response with that person. My question is, would I still be in compliance if I were to post a disclaimer on my website the risks of sending back the completed forms as it would be unencrypted. They always have the option of printing the forms and bringing them with them to their first appointment or filling them out when they get there. Thank you for any feedback. Jen

    • drkkolmes

      I would suggest you NOT have patients email completed forms back via unencrypted email. You would not be HIPAA compliant if you did that. I’d suggest clients bring them in, use U.S. postal mail, or create their own free hushmail account for the purpose of sending them back encrypted. Having clients waive rights to privacy is certainly one way to manage the risk on your end, but it is asking them to give up privacy on their end. We all make different choices with our practices, but if you are inclined to put patient privacy as your highest priority, then just have them bring them in or ONLY send back via their own encrypted hushmail account. If they don’t have an account with hushmail, the encryption only goes one way (unless they use a hush form, which at this time, does not allow attachments).

Leave a Reply