By Ofer Zur, Ph.D.
For an earlier version of this article in pdf-printable format, see: Zur, O. (2008). I Love These Emails, or Do I? The use of emails in psychotherapy and counseling. New Therapist 57, September/October, p. 23-25.
I checked my emails the other day and saw that a client wanted to change his appointment for the following week. I swiftly responded affirmatively. Next I shot off an email to a client asking her whether or not she could change her appointment the next Monday from 10 am to noon. Within seconds she responded with a one-word response, “Yes.” A couple of months ago I discovered that I needed to be out of town the following week due to a family emergency. In one swoop I sent a single email to a couple of dozen people (using Bcc not CC so their identities and email addresses remain private), telling them that I would be out of town the next week, I would neither be available by phone nor by email during that time, giving them names and phone numbers of my emergency back-ups, and asking them to let me know if they could make the same day and same time appointment for the week after.
Don’t you like these emails? I do! They are simple, quick and effective. Long gone are the days where we play phone tag with clients; when we need to start the phone conversation with “How are you?” only to listen to a long-winded response; hear long back-and-forth scheduling messages; get busy phone lines, get put on hold, deal with overworked, low paid, irritated receptionists or operators. These emails have saved us therapists time and energy so we can focus on what is important. Many of us therapists love the flexibility allowed in receiving and sending emails from our computers, Blackberrys or iPhones during working and non-working hours, from the office, living room, beach, boat, another country, or… from whenever or wherever.
Realizing how helpful emails can be, many therapists have started giving their email addresses to their clients, including them on their business cards and posting them on their professional websites. After all, they can save time and spare us from long, wasteful phone conversations.
Then, I woke up the other day to a short email from a depressed client: “Doc, I cannot take it any longer!!!!!” I noticed it was sent at 2 AM. Now what am I to do? Send an email, call the patient back, call her listed emergency contact (not a good idea, it’s her toxic mother), call the local crisis team or 911, or …?
Another morning, I got an email from a client who was so excited about her ‘break through’ dream the night before, how it relates to our therapy, and apparently I was in it. Scrolling down the email I noticed it was several pages long. Even though I was aware of the clinical significance of the dream, I did not have the leisure or desire to spend half an hour reading her dream that morning. She felt deeply offended and disvalued when, during the next session, she realized that I had not taken the time to read her ‘break through’ dream analysis.
Later on that very night, I checked my email and saw an email from a client which started with: “I know we ran out of time, but there was just one more important thing I wanted to tell you.” He proceeds to write an insightful email, in essence extending the session by about 20 minutes. We neither have an agreement that he would pay for reading time nor would it fit within his rather tight budget.
A young woman had gotten into a fight with her best girlfriend, who is the topic of discussion during many of our sessions. She wrote: “I am so upset, can you believe that she told me ……” She went on to express her distress and rage in a long-winded email. She got furious with, what she called, the “dismissive” response of “I am so sorry about the fight with your friend. Let’s discuss it further when we meet this week.”
Many therapists report that clients often ask them “quick” questions via “brief” emails, such as “My mother is coming over tonight, should I bring up with her what we discussed in our last session about my brother molesting me?” or “I met this girl, she seems perfect and I am panicked. Do you have any quick advice? We have a date later on tonight.”
Email, like any technology, has at least two sides, if not more. Like a hammer it can be constructive and helpful or can be misused and be destructive. In this era, where social networking takes much of many people’s leisure (and often non-leisure time), there is an expectation that anyone with an email address is instantly available and responsive, 24/7, therapists included.
We used to check our phone messages regularly or have phone message services page us. Now we need to be on the lookout for emails from depressed, suicidal or homicidal, or existentially depleted or spiritually lost clients. Emails were supposed to make our lives easier, not harder. Then come the obvious questions: what if the client committed suicide a day after she sent her “end of the rope” email to me; how to deal with the disappointed client whose elaborate description of her dream went unread; or with the furious young woman who felt dismissed because I did not reply with a lengthy supportive email, like her best girlfriend would have done.
The main issue has become what is the proper use of email in psychotherapy? To add to the complexity, there are several legal, ethical, and clinical questions that are related to emailing our clients.
The main question is how do we deal with clients who expect us to respond quickly and/or read lengthy and numerous emails between sessions? The answer lies in the communication between our clients and us. We must be clear about our parameters in regard to general use of emails, time, frequency, etc. While our Office Policies should attend to these issues, personal communication is likely to be much more effective in bringing clarity to the email dilemma. This issue is not likely to be resolved in one conversation. With some clients who rely heavily on online social networking, it is likely to be a continuous dialogue about expectations, disappointments, and boundaries.
If you are ready to engage in dialogue and treatment via email in conjunction with face-to-face therapy, state this to your clients. In this case you may need to inform them how you charge, if you do, for such e-services. Do you charge per email, per minute, or other ways? I suspect that most therapists prefer to use emails primarily for administrative purposes and only at special times for distinct clinical purposes. In this case I would explain it verbally either in the first session or when the right time comes. Using email for clinical or therapeutic exchanges could be seen as performing telemental health services. Your licensing board or state law may require special considerations for such services or may even limit them. Consider consulting with your licensing board and state professional organization on applicable rules and laws.
Our Office Policies and Informed Consent to Treatment (see form #1 at Clinical Forms) that we give to each and every client at the beginning of therapy should have a section on policies regarding emails. This section should discuss issues of privacy, confidentiality, security, availability, response time, content, emergencies, etc. An example of such a paragraph is:
EMAILS, CELL PHONE, TEXTS, COMPUTERS AND FAXES:
Note: Make sure that this section reflects your setting, situation, and practice, as well as the laws in the state you are licensed in and practice in and your licensing board regulations.
It is very important to be aware that computers and unencrypted emails, texts, and e-fax communications (which are part of the clinical records) can be rather easily accessed by unauthorized people and, hence, can compromise the privacy and confidentiality of such communications. Emails, texts, and e-faxes, in particular, are vulnerable to such unauthorized access due to the fact that servers or communication companies may have unlimited and direct access to all emails, texts and e-faxes that go through them. While data on (therapist’s name)’s laptop is encrypted, emails, texts and e-faxes are not. It is always a possibility that e-faxes, texts, and emails can be sent erroneously to the wrong address and computers. (therapist’s name)’s laptop is equipped with a firewall, a virus protection and a password, and he backs up all confidential information from his computer on a regular basis onto an encrypted hard-drive. Also, be aware that phone messages are transcribed and sent to (therapist’s name) via unencrypted emails. Please notify (therapist’s name) if you decide to avoid or limit, in any way, the use of email, texts, cell phone calls, phone messages, or e-faxes. If you communicate confidential or private information via unencrypted emails, texts or e-faxes or via phone messages, (therapist’s name) will assume that you have made an informed decision, will view it as your agreement to take the risk that such communication may be intercepted, and he will honor your desire to communicate on such matters. Please do not use texts, emails, voice mails, or faxes for emergencies.
Other Views on Email and Informed Consent Following the 2013 HIPAA Changes
Some experts interpret the 2013 HIPAA Omnibus Rule to say that a portion of the above informed consent paragraph, where it asks clients to “Please notify (therapist’s name)…” if they wish to avoid or limit emails, texts, cell phone calls, phone messages, and e-faxes, is no longer permitted under HIPAA. They say that clients must proactively request such services themselves (“opting in”), rather than being expected to tell their therapist that they want to avoid or limit such services (“opting out.”) According to these experts, the text of the informed consent would need to offer such services to clients who want them, rather than requiring clients to ask for them to be avoided or limited, in order for the clinician to maintain HIPAA compliance.
- Clients Have the Right to Receive Unencrypted Emails Under HIPAA: “…clients could not be required to accept the emails nor could they be required to ‘opt out’ of receiving them.”
Other experts state that fully disclosing how the therapist uses these communication media and providing the option to avoid or limit their use could be seen as sufficient indication that the client wishes to receive the communications. This holds so long as the client is also informed of the risks of using these media to transmit their sensitive information, as the above example paragraph does in its first sentences.
There are a number of other questions that come up in relation to emails between therapists and clients.
- If I give my email address to my clients, must I check my emails often?
The fact that you give your email address to your clients does not obligate you to check often or even weekly. What is important is that you provide your clients with written information and verbal communication about how frequently you check your email, whether you respond to emails, and what your general policies regarding emails are (see details in the body of the article).
- Does using email make you automatically a Covered Entity by HIPAA, which means you must be HIPAA Compliant?
Different experts may give different answers to this question. In my opinion, exchanging email with clients is likely to mean that you have to be HIPAA compliant, if you are not already, as HIPAA is the standard of care in the United States for security and privacy. (Becoming HIPAA Compliant is not that hard; check our HIPAA Compliance Kit & HIPAA Forms or Online HIPAA Course for CE Credit Hours.)
- What about confidentiality and privacy?
Confidentiality and privacy are applied to emails in the same ways that they are applied to any other verbal or written exchanges between psychotherapists and clients.
- Must emails be encrypted?
The question of email encryption is complex and controversial. Some argue that at the present time, emails between therapists and clients do not need to be encrypted, as long as clients are informed about the vulnerability of emails being read by unauthorized people and they elect to use email. (For more details, see above note about Office Policies and the next question.)
There seems to be so much confusion and misunderstanding around the issues of whether email must be encrypted or not. Let me try to shed some light on this issue.
The 2013 HHS-HIPAA regulations refer to the idea that covered entities are permitted or allowed to send clients unencrypted emails and texts, which may include confidential information, if the client requests and agrees to such unencrypted digital communication after he/she has been advised of the risks (i.e., informed consent.)
Additionally, many experts believe that it is necessary for covered entities to conduct and document an analysis regarding different email or text communication options in regard to cost, risk, applicability, suitability, security, etc.
If the covered entity’s (i.e., therapist’s) analysis proves that encryption turns out to be too expensive and difficult to implement due to the covered entity’s size (i.e., solo private practice) and capabilities, and seems to add little value to the overall security of PHI, then HIPAA allows the covered entity to forgo encryption, after the client has been informed of the risks. It is important to remember that HIPAA regulations are scaled. That means that solo practitioners or small operations are expected to implement and invest much less than larger operations, such as large clinics and hospitals.
HIPAA requires covered entities to document their analysis and decision-making process.
The omnibus, 1/23/2013 version, states:
As clarified in the preamble to the Omnibus Rule, if an individual requests that a copy of his or her PHI be sent via unencrypted email, then a covered entity is permitted to do so, as long as the covered entity has advised the individual of the risks and the individual still prefers the unencrypted email.
We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email. We disagree that the “duty to warn” individuals of risks associated with unencrypted email would be unduly burdensome on covered entities and believe this is a necessary step in protecting the protected health information. We do not expect covered entities to educate individuals about encryption technology and the information security. Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party. If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual. (p. 5634)
- What is an email signature and what may it look like?
An email signature goes at the end of the email. It can be set automatically. Make sure that every email to a client or patient includes an electronic signature that covers issues such as confidentiality and security. Following is a sample of such an email signature:
Notice of Confidentiality: This email, and any attachments, is intended only for use by the addressee(s) and may contain privileged or confidential information. Any distribution, reading, copying or use of this communication and any attachments by anyone other than the addressee, is strictly prohibited and may be unlawful. If you have received this email in error, please immediately notify me by email (by replying to this message) or telephone (707-xxx-xxxx), and permanently destroy or delete the original and any copies or printouts of this email and any attachments.
It is important to be aware that email communication can be relatively easily accessed by unauthorized people and hence can compromise the privacy and confidentiality of such communication. Emails, in particular, are vulnerable to such unauthorized access due to the fact that servers have unlimited and direct access to all emails that go through them. A non-encrypted email, such as this, is even more vulnerable to unauthorized access. Please notify Dr. X if you decide to avoid or limit, in any way, the use of email. Unless I hear from you otherwise, I will continue to communicate with you via email when necessary or appropriate. Please do not use email for emergencies. While I check my phone messages frequently during the day when I am in town, I do not always check my emails daily.
Web Site: xx
Remember that some experts state that, under HIPAA, clients must provide informed consent before their therapist can send them emails, as stated above under “Other Views on Email and Informed Consent Following the 2013 HIPAA Changes.” The above email signature would be suitable for inclusion regardless of your approach to client consent for email, however.
Guidelines To Using Email With Clients
Discussion of the role of email in therapy is common, relatively new, unsettled, and very complex. There are a few things that therapists can do to keep clients informed, increase therapeutic effectiveness, and help protect themselves from board complaints and other liabilities.
- Clarify to yourself your thoughts and feelings regarding email communication with clients. What are your preferences, your limits, etc.?
- If you are considering using emails as an adjunct to therapy, make sure you adhere to HIPAA’s standards of confidentiality, as they are the standard of care for security and privacy. You may also consider consulting with your licensing board or knowledgeable professionals about the legalities of telemental health by email under your board and in your state.
- Discuss the issue of email communications with clients, when relevant, in the first session. Learn from them about their expectations and clarify your expectations and boundaries. Continue the dialogue as clinically and ethically necessary throughout the course of therapy.
- Make sure that your office policies include a section on the use of emails.
- If you are conducting tele-health, follow state laws, relevant codes of ethics, and have a separate informed consent, which is required in some states, such as California.
- Make sure your computer has a password, virus protection, firewall, and backup system. For information on computer security, see: Security for Computers & Mobile Devices.
- Make sure that each email includes an electronic signature that covers issues such as confidentiality and security.