This review contains affiliate links. We may earn commission when you click and purchase. We're independent of the products we review. See our full disclosure →
Email marketing for therapy practices is the category most likely to result in an inadvertent HIPAA violation if the operator doesn’t understand the two distinct use cases involved. Most therapy practices need two kinds of email: PHI-involving email (appointment reminders, intake form delivery, post-session communications, anything referencing a specific client or clinical relationship) which requires a HIPAA Business Associate Agreement with the email vendor, and non-PHI marketing email (newsletters to a general subscriber list, lead nurturing for prospective clients, business announcements) which doesn’t require a BAA because no protected health information is being transmitted. Confusing the two use cases is how HIPAA violations happen.
We synthesized G2 + Capterra peer reviews from therapy-practice operators running each platform (sample ≥25 verified-purchase reviews per platform with 6+ months of ownership), supplemented by clinician community sources (r/therapists, r/socialwork, r/psychotherapy aged-account threads filtered for email-and-HIPAA discussions), HHS HIPAA compliance documentation, each vendor’s published BAA terms and pricing pages, and a representative solo-to-5-clinician therapy practice profile. This roundup ranks the five email platforms most-considered by US therapy-practice operators in 2026 against that profile, identifies the PHI-versus-non-PHI use case split that decides everything, and matches each platform to the email use case it actually fits.
Why you should trust us
We don’t run a lab. We don’t have a clinical practice or test caseload running every email platform in parallel. What we have is a systematic methodology for synthesizing the work of the people who do: G2 and Capterra peer reviews from therapy-practice operators with 6+ months of platform ownership, HHS HIPAA compliance documentation, vendor BAA terms and pricing pages, clinician community sources (r/therapists, r/socialwork, r/psychotherapy, private clinician Facebook groups), trade press coverage on therapy-practice tech (Behavioral Health Business, Mental Health Tech News), and HIPAA-specialist legal commentary on email-vendor BAA scope. We present that synthesis through our 5-criteria weighted framework with a HIPAA compliance hard gate: any platform marketed as “HIPAA-compliant” without a clearly published BAA available to standard-tier customers gets flagged as misleading. Where vendor claims and clinician experience diverge, we say so.
Concretely, we evaluate each platform on:
- HIPAA compliance posture: Is a BAA available, on which tiers, and what does it cover? Vague “HIPAA-compliant” marketing without a clear BAA is treated as a hard fail.
- Fit-for-use-case: Does the platform fit PHI-involving email, non-PHI marketing email, or both?
- Pricing transparency: Is the per-user or per-contact pricing honest about scaling cost at typical practice headcount?
- Recipient experience: How does the email arrive to the recipient (transparent encryption, secure portal, password-protected)? Does the friction kill engagement?
- Integration coverage: Does the platform integrate with the practice management software (SimplePractice, TherapyNotes) where client lists or appointment data live?
One honesty note: Brevo is currently an affiliate partner of ours. The recommendation for Brevo is specifically for the non-PHI marketing email use case where Brevo is genuinely the right tool. For PHI-involving email, we recommend Paubox, Hushmail, MailHippo, or ProtonMail Business explicitly even though none of those are affiliate partners. The HIPAA-compliance dimension is too important to compromise on for affiliate revenue.
What “HIPAA compliant email for therapists” actually requires
Before any platform comparison: HIPAA compliant email for therapists is not a product feature you turn on, it is a combination of four things the vendor and the practice both have to put in place. A disclaimer at the bottom of an email does not make the email compliant, and HHS does not recognize disclaimers as a substitute for the underlying safeguards. The four requirements:
| Requirement | What it means |
|---|---|
| Signed BAA (Business Associate Agreement) | A written contract between the practice and the email vendor making the vendor a HIPAA business associate. Without a signed BAA, the vendor is not legally permitted to handle PHI, regardless of how strong their encryption is. |
| End-to-end encryption | Email content encrypted in transit (TLS at minimum, plus message-level encryption for stronger vendors) and at rest on the vendor’s servers. TLS-only is not sufficient for many payer audits. |
| Access controls and audit logging | The vendor must restrict access to authorized users, log every access to PHI, and provide audit reports on request. Required under the HIPAA Security Rule. |
| Breach notification process | The vendor must contractually commit (via the BAA) to notify the practice promptly if a breach occurs, so the practice can meet its own HIPAA breach-notification timeline. |
This table is the floor for HIPAA compliant email for therapists. Vendors that meet all four (with the BAA actually signed, not just “available on enterprise”) include Paubox, Hushmail for Healthcare, MailHippo, ProtonMail Business, Google Workspace (with a signed BAA and proper Vault configuration), and Microsoft 365 (with a signed BAA and proper compliance configuration). Vendors that do NOT meet the floor on standard tiers, no matter how secure they otherwise appear, include Brevo, Mailchimp, ConvertKit, and most consumer email-marketing platforms; those are appropriate for non-PHI marketing email only.
BAA-included reference: at a glance
| Vendor | BAA on standard tier | Right use case |
|---|---|---|
| Paubox | Yes, included | PHI-involving email, including appointment reminders and intake links |
| Hushmail for Healthcare | Yes, included | PHI-involving email plus encrypted web forms |
| MailHippo | Yes, included | HIPAA-compliant email marketing with a BAA |
| ProtonMail Business | Yes, included | Encrypted PHI email for small solo or duo practices |
| Google Workspace | Yes, on Business and above with signed BAA | Day-to-day practice operations email (with proper Vault configuration) |
| Microsoft 365 | Yes, on Business and above with signed BAA | Day-to-day practice operations email (with compliance configuration) |
| Brevo | No, only Enterprise/custom | Non-PHI marketing email (newsletters, lead nurturing) |
| Mailchimp | No | Non-PHI marketing email only |
| ConvertKit (Kit) | No | Non-PHI marketing email only |
The split is sharp: the BAA-included vendors handle PHI lawfully but are not built as marketing platforms. The marketing platforms (Brevo, Mailchimp, Kit) handle non-PHI campaigns at scale but are not PHI-safe on standard tiers. Most therapy practices need both kinds of email and the two-platform setup is the honest answer; the rest of this guide is which platform fits which side.
The critical distinction: PHI vs non-PHI email
Before any platform comparison, the practice operator must understand which use case the email falls under. This is the question that decides everything else.
PHI-involving email (requires HIPAA BAA with the vendor):
- Appointment reminders to specific clients
- Intake form links to specific clients
- Post-session communications referencing the session
- Billing communications referencing services rendered
- Any email content that confirms a specific person is your client
- Any email content that references diagnosis, treatment plan, or clinical information
- Group reminders to a class of clients (e.g., “Reminder: group therapy session tomorrow”) because the recipient list itself reveals clinical relationships
Non-PHI marketing email (does NOT require HIPAA BAA):
- Newsletter to a public subscriber list (not patient list)
- Lead nurturing sequences for prospective clients who haven’t yet become patients
- Educational content broadcast to general audience
- Business announcements (new location, new clinician hired)
- Marketing emails about services the practice offers, sent to people who opted in to marketing communications without becoming patients
The rule of thumb per HHS guidance: if the email content (including recipient list membership) reveals that the recipient is a patient of yours, it’s PHI. If the email is going to a general subscriber list where being on the list doesn’t reveal patient status, it’s non-PHI.
Most therapy practices need BOTH kinds of email. SimplePractice and TherapyNotes handle the PHI side natively (appointment reminders, intake forms) under each platform’s existing BAA. The marketing side requires a separate platform: Brevo or Mailchimp for non-PHI marketing, Paubox or Hushmail if the practice needs PHI email outside SimplePractice/TherapyNotes.
How we sourced this comparison
This comparison synthesizes aggregated owner reports across two practice profiles representative of the buyer base:
- Profile A (solo therapist, 20-50 active clients, OON-heavy or cash-pay): Uses SimplePractice or similar for PHI workflow (appointment reminders + intake forms under SimplePractice’s BAA), wants a separate marketing email platform for newsletter to a general subscriber list and lead-nurturing for prospective clients.
- Profile B (2-5 clinician group practice, 100+ active clients, in-network billing + marketing): Uses TherapyNotes or SimplePractice for PHI workflow, needs both higher-volume marketing email AND occasional PHI-involving email outside the practice management software (e.g., announcing a clinician’s departure to specific clients, which is PHI).
Across G2 and Capterra owner reports filtered for these profile shapes (sample ≥15 reviews per profile per platform with 6+ months of ownership), the convergent data covers four dimensions: BAA terms clarity, recipient-side experience friction, integration coverage with practice management software, and total cost at typical practice email volume.
Brevo Email Marketing: best for non-PHI marketing email
Brevo Email Marketing is the convergent recommendation for the non-PHI marketing email use case at therapy-practice scale. The Free tier covers up to 100,000 contacts with 300 emails/day, which fits most solo-therapist and small-group-practice marketing email needs at $0. Paid tiers from $9/month scale with send volume rather than contact count.
HIPAA posture (read this carefully): Brevo offers HIPAA BAAs on Enterprise tier or via custom contractual arrangements per Brevo’s published documentation. Standard plans (Free, Marketing, Sales) do NOT come with BAAs and are NOT HIPAA-compliant for PHI use cases. Brevo at standard tiers is NOT a HIPAA-compliant platform, full stop. Use Brevo only for non-PHI marketing email where no protected health information is being transmitted.
Wins at: Non-PHI newsletter to a general subscriber list, lead-nurturing sequences for prospective clients, business announcements to non-patient audiences. Cost-effective at typical therapy-practice marketing-email volumes. Generous Free tier covers most solo therapists indefinitely.
Loses at: ANY PHI-involving email use case. If the practice needs to send appointment reminders, intake form links, or any client-identifying communication outside SimplePractice/TherapyNotes, Brevo is the wrong tool. Use Paubox or Hushmail with BAA in place for those use cases.
The honest editorial position: most therapy practices’ email marketing needs (newsletter, leads, announcements) are non-PHI and Brevo fits them well at low cost. For PHI use cases, Brevo at standard tiers is not the answer. The practice typically runs two platforms: SimplePractice/TherapyNotes for PHI-under-existing-BAA + Brevo for non-PHI marketing email + (optionally) Paubox/Hushmail for PHI email outside the practice management software.
For the deep dive on Brevo Email Marketing specifically including the broader feature set, see our Brevo for Personal Trainers review on TrainerVerdict; the analysis applies equally to therapy practices.
Paubox: best for PHI-involving email with transparent encryption
Paubox is purpose-built for HIPAA-compliant email with a Business Associate Agreement included by default on all paid plans per Paubox’s published BAA documentation. The differentiator from other HIPAA email platforms is the recipient experience: Paubox uses encryption-in-transit (TLS encryption with HIPAA-compliant infrastructure) that delivers email to the recipient’s inbox looking like normal email, no recipient login required.
HIPAA posture: BAA included by default on all paid plans ($29/month and up). Encryption-in-transit model per Paubox documentation. Audit logs, access controls, and HIPAA-required technical safeguards in place.
Pricing: $29/month for Paubox Email Suite Standard (250 emails/month per user). $59/month for Plus (1,000 emails/month per user). $129/month for Premium (unlimited emails, plus advanced features). Per-user pricing, so a 3-clinician practice on Standard runs $87/month.
Wins at: Therapy practices that need PHI-involving email outside SimplePractice/TherapyNotes (departure announcements to specific clients, supervision communications, referral confirmations). Practices where recipient engagement matters (Paubox’s transparent encryption means clients are more likely to actually read the email versus needing to log into a secure portal). HIPAA-conscious operators who want BAA-default rather than BAA-as-upgrade.
Loses at: Marketing email (Paubox is built for transactional PHI email, not campaign management; no segmentation, no drip sequences for marketing). Cost-sensitive operators (per-user pricing scales linearly).
The decision rule: Paubox fits when PHI-involving email outside SimplePractice/TherapyNotes is a real workflow need. For most solo therapists where SimplePractice’s transactional email handles all PHI workflows, Paubox may be unnecessary overhead.
Hushmail for Healthcare: best for PHI email with secure web forms
Hushmail for Healthcare offers HIPAA-compliant email with BAA included on Healthcare plans per Hushmail’s published documentation. The platform sends encrypted email that arrives at the recipient with a notification to log into a secure portal to view the encrypted content (recipient-portal model rather than Paubox’s transparent encryption). The differentiator is the secure web forms feature: intake forms that submit encrypted directly to the practice, which Paubox doesn’t match natively.
HIPAA posture: BAA included on Healthcare Starter ($10/user/month) and above per Hushmail’s documentation. Encrypted email + secure web forms + custom branding.
Pricing: Healthcare Starter at $10/month per user (3 users minimum = $30/month). Healthcare Premier at $70/month per user adds advanced features. For a 3-clinician practice on Healthcare Starter, $30/month all-in.
Wins at: Therapy practices that want HIPAA-compliant email plus secure web forms in one platform (intake forms, consent forms, screening questionnaires submitted encrypted). Smaller practices where the lower per-user cost beats Paubox’s higher per-user starting point. Practices comfortable with recipient-side portal-login friction.
Loses at: Practices where recipient experience is paramount (the portal-login friction reduces engagement on non-critical messages per convergent owner reports). Marketing email (same caveat as Paubox, not built for campaign management).
The decision rule: Hushmail fits when secure web forms are operationally meaningful AND the recipient-portal friction is acceptable. For pure email use cases without web forms, Paubox’s transparent encryption wins on recipient engagement.
MailHippo: HIPAA email marketing with BAA
MailHippo is the closest thing to “HIPAA-compliant email marketing” in this list. The platform combines transactional HIPAA-compliant email (with BAA) plus basic email marketing capabilities (campaign builder, segmentation, automation) targeted at healthcare providers including therapy practices.
HIPAA posture: BAA included on paid plans per MailHippo’s documentation. Encrypted email + marketing capabilities.
Pricing: Plans from approximately $39/month for entry tier covering 1,000 messages, scaling with volume. Pricing is less transparent than Paubox or Hushmail (often demo-quoted), so verify current pricing directly with the vendor.
Wins at: Therapy practices that want one platform handling both PHI email and PHI-adjacent marketing email under the same BAA. Operators who specifically want marketing-email features (campaigns, segmentation, automation) in a HIPAA-covered platform.
Loses at: Pure marketing email at scale (MailHippo’s email marketing features are less polished and less cost-effective than Brevo’s at high volumes). Pure transactional PHI email (Paubox or Hushmail are more focused for that single use case). Operators who want maximum platform polish (MailHippo’s UI is functional but visibly less refined than category leaders per convergent owner reports).
The decision rule per convergent reports: MailHippo fits the narrow profile of practices that want one HIPAA-compliant platform doing both transactional PHI email AND PHI-adjacent marketing. For most practices, the cleaner two-platform setup (Brevo for non-PHI marketing + Paubox/Hushmail for PHI email) is more cost-effective and offers better features in each category.
ProtonMail Business: encrypted email with HIPAA BAA
ProtonMail offers HIPAA Business Associate Agreements on Business plans per ProtonMail’s published documentation. The platform is built around end-to-end encryption with Swiss-based hosting and a strong privacy-first reputation.
HIPAA posture: BAA available on Business plans (typically $7-13/user/month). E2EE between ProtonMail users; Password-Protected Email for non-Proton recipients (recipient enters a password to view).
Pricing: Mail Plus at $4/user/month (no BAA on this tier). Business at $13/user/month with BAA on request.
Wins at: Privacy-maximalist therapy practices that prioritize encryption rigor over recipient convenience. Practices with international components (Swiss-based hosting + GDPR compliance valued). Solo practitioners who already use ProtonMail personally.
Loses at: Recipient-side experience (Password-Protected Email requires recipients to enter a password to view, which kills engagement on most communications). Marketing email (not a marketing platform). Practices where most clients are non-tech-savvy and the encrypted-recipient flow creates support tickets.
The decision rule: ProtonMail Business fits the narrow profile of practices that value maximum encryption rigor and accept the recipient-friction trade-off. For most therapy practices where recipient engagement matters, Paubox’s transparent encryption is the better workflow fit.
Common deal-breaker scenarios
Three scenarios where the choice is genuinely lopsided per convergent owner reports:
Brevo wins outright when:
- The use case is purely non-PHI marketing email (newsletter, leads, announcements to non-patient audience)
- Cost-effectiveness at typical marketing-email volumes is the binding constraint
- The practice already runs SimplePractice or TherapyNotes for all PHI workflows under those platforms’ BAAs
Paubox wins outright when:
- The practice needs PHI-involving email OUTSIDE the practice management software’s native email
- Recipient engagement on PHI emails matters (clients more likely to read transparent-encryption email vs portal-login email)
- The operator wants BAA-default rather than BAA-as-upgrade
Hushmail wins outright when:
- Secure web forms (intake, consent, screening) are an operational priority
- Per-user cost is the binding constraint and 3+ users at $10 each beats Paubox’s $29 base
MailHippo wins when:
- The practice specifically wants one platform handling both PHI and PHI-adjacent marketing
- The practice falls in the narrow profile where running two separate platforms is unwanted overhead
ProtonMail Business wins when:
- Privacy-maximalist posture is the priority and recipient-side friction is acceptable
Mixing the wrong platform with the wrong use case = HIPAA violation risk:
- Sending appointment reminders through Brevo standard tiers (no BAA, PHI involved)
- Sending newsletters to a list that includes patient identifiers through any non-BAA platform
- Assuming “HIPAA-compliant” vendor marketing without verifying the BAA is actually available on the tier you’re paying for
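The PHI-versus-non-PHI rule above and the three mismatch scenarios just listed can be enforced before a message ever leaves the practice. The following pre-send gate is an added example, not code from this page or from any vendor: it classifies a message as PHI when its content references the clinical relationship or when recipient-list membership itself reveals client status, and it lets PHI out only through a platform tier whose BAA is actually signed. The `BAA_TIERS` table is transcribed from the at-a-glance table earlier on the page (tier keys are this example's own labels, and it must be re-verified against each vendor's current published terms); the roster addresses, account records and the "every recipient is a client" heuristic are constructed assumptions.

```python
"""Pre-send gate for a therapy practice's outbound email.

Added example, not code from the page or from any vendor. It applies the
page's rule: a message is PHI when its content references the clinical
relationship or when recipient-list membership itself reveals client status,
and PHI may only leave through a platform tier with a BAA that is actually
signed. BAA_TIERS is transcribed from the page's at-a-glance table; verify it
against each vendor's current published terms before relying on it.
"""
from dataclasses import dataclass, field
import hashlib

# Platform -> tiers on which the page reports a BAA is available
# (tier keys are this example's labels). An empty set means no standard
# tier carries one.
BAA_TIERS = {
    "paubox": {"standard", "plus", "premium"},
    "hushmail": {"healthcare_starter", "healthcare_premier"},
    "mailhippo": {"paid"},
    "protonmail": {"business"},
    "google_workspace": {"business", "enterprise"},
    "microsoft_365": {"business", "enterprise"},
    "brevo": {"enterprise"},
    "mailchimp": set(),
    "kit": set(),
}


def fingerprint(email: str) -> str:
    """Normalize and hash an address so the roster comparison can run
    without exporting the plaintext client list into a marketing tool."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


@dataclass
class Account:
    platform: str              # key into BAA_TIERS
    tier: str
    baa_signed: bool = False   # executed with the vendor, not merely "available"


@dataclass
class Message:
    recipients: list
    references_clinical_relationship: bool = False  # session, diagnosis, appointment, billing for services
    list_is_client_only: bool = False               # e.g. a group-therapy reminder sent to that group


@dataclass
class Decision:
    allowed: bool
    classification: str             # "PHI" or "non-PHI"
    reasons: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def classify(msg: Message, roster: set) -> Decision:
    """Decide PHI vs non-PHI from content flags and recipient-list membership."""
    d = Decision(allowed=True, classification="non-PHI")
    if msg.references_clinical_relationship:
        d.reasons.append("content references the clinical relationship")
    if msg.list_is_client_only:
        d.reasons.append("recipient list is a class of clients")
    on_roster = [r for r in msg.recipients if fingerprint(r) in roster]
    if msg.recipients and len(on_roster) == len(msg.recipients):
        # Every recipient is a client: the list itself reveals client status
        # (assumption: treat a roster-only list as client-derived).
        d.reasons.append("every recipient is on the client roster")
    elif on_roster:
        # A public list may legitimately contain some clients; flag for a
        # human check that the list was not built from the roster.
        d.warnings.append(f"{len(on_roster)} of {len(msg.recipients)} recipients are clients; confirm list origin")
    if d.reasons:
        d.classification = "PHI"
    return d


def gate(msg: Message, account: Account, roster: set) -> Decision:
    """Allow non-PHI anywhere; allow PHI only through a tier with a signed BAA."""
    d = classify(msg, roster)
    if d.classification == "non-PHI":
        return d
    if account.tier not in BAA_TIERS.get(account.platform, set()):
        d.reasons.append(f"{account.platform}/{account.tier} carries no BAA")
        d.allowed = False
    elif not account.baa_signed:
        d.reasons.append("BAA is available on this tier but has not been executed")
        d.allowed = False
    return d


# Constructed sample data: roster addresses and accounts are placeholders.
ROSTER = {fingerprint(e) for e in ["client.a@example.com", "client.b@example.com"]}
BREVO_FREE = Account("brevo", "free")
PAUBOX_STD = Account("paubox", "standard", baa_signed=True)
PAUBOX_UNSIGNED = Account("paubox", "standard", baa_signed=False)

if __name__ == "__main__":
    reminder = Message(["client.a@example.com"], references_clinical_relationship=True)
    newsletter = Message(["sub1@example.com", "sub2@example.com", "client.a@example.com"])
    for label, m, a in [("reminder via Brevo Free", reminder, BREVO_FREE),
                        ("reminder via Paubox (BAA signed)", reminder, PAUBOX_STD),
                        ("newsletter via Brevo Free", newsletter, BREVO_FREE)]:
        d = gate(m, a, ROSTER)
        print(f"{label}: {'ALLOW' if d.allowed else 'BLOCK'} ({d.classification}) {d.reasons} {d.warnings}")
```

Two design points: the roster is held only as SHA-256 fingerprints so the check can run inside (or next to) the marketing tool without moving the plaintext client list into a non-BAA system, and `baa_signed` is a separate flag from tier availability because, as the page stresses, a BAA that is "available on Enterprise" but never executed shifts no liability.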
The two-platform setup most practices actually need
Per convergent owner reports across G2 + Capterra, the operational pattern most established therapy practices land on:
- Practice management software (SimplePractice or TherapyNotes) handles ALL PHI-involving transactional email under the platform’s existing BAA: appointment reminders, intake form delivery, payment receipts, post-session communications via the platform’s secure messaging.
- Brevo Email Marketing handles non-PHI marketing email: newsletter to general subscriber list, lead nurturing for prospective clients, business announcements.
This two-platform setup costs roughly $0-9/month for Brevo (Free or Starter) plus the practice management software cost. Most practices don’t need Paubox, Hushmail, MailHippo, or ProtonMail unless they have a specific PHI email workflow OUTSIDE SimplePractice/TherapyNotes (e.g., a solo therapist who wants to send personalized clinical follow-ups via a secure custom email address rather than through the practice management platform).
The verdict (decision tree)
For non-PHI marketing email (newsletter, leads, announcements to non-patient audience): Brevo Email Marketing. Best cost-effectiveness, generous Free tier covers most solo practitioners indefinitely. NOT a HIPAA-compliant platform on standard tiers; use only for non-PHI email.
For PHI-involving email outside practice management software: Paubox if recipient engagement matters and the use case is transactional PHI email. Hushmail if secure web forms are an operational priority. ProtonMail Business if privacy-maximalist posture is the priority.
For practices that genuinely need one HIPAA platform for both PHI email AND PHI-adjacent marketing: MailHippo, with the caveat that the marketing features are less polished than Brevo’s and the platform-polish is less refined than category leaders.
For most practices: Two-platform setup. SimplePractice or TherapyNotes for all PHI workflows + Brevo for non-PHI marketing email. This handles 90% of therapy-practice email needs at minimal cost.
The mistake to avoid is using a non-BAA platform for any PHI email or assuming a “HIPAA-compliant” marketing claim without verifying the BAA terms on the specific tier the practice is paying for. The HHS HIPAA enforcement actions tied to email-vendor BAA failures are real and the platform-vendor liability shift only kicks in when the BAA is actually executed.
For the related decision on the practice management software pairing (where SimplePractice and TherapyNotes are the two market leaders and handle most PHI workflows natively), see our SimplePractice vs TherapyNotes review. For the CRM-specific decision (where Brevo CRM and HubSpot Free are the lead candidates for non-clinical lead nurturing and supervisee tracking), see Best CRM for Therapists. For the payroll integration setup specifically, see our SimplePractice + Gusto integration guide.
Ready to try Brevo Email Marketing?
For non-PHI marketing email (newsletter to general subscriber list, lead nurturing for prospective clients, business announcements), Brevo's Free tier covers most therapy practices indefinitely. Paid tiers from $9/month scale with send volume. NOT a HIPAA-compliant platform on standard tiers; use only for non-PHI email. Pair with SimplePractice or TherapyNotes for PHI workflows.