Is Your Client Chat Actually Safe, or Just Pretending to Be?
A closer look at why everyday messaging tools fall short of true clinical confidentiality.

In the world of therapy, communication with clients is sacred. We assume that when a client sends a message in confidence, the platform protects it like a vault. But in reality, that vault may have a hidden window. Many professionals turn to widely-used email services like Gmail for convenience—and convenience is fine—but convenience doesn’t always equal security.
Take Gmail in the generative-AI era. Google says business accounts aren’t used to train its models without permission, but personal Gmail is a different story. When AI features like Smart Compose or summaries are triggered, the email content “may be stored and used to improve Google’s AI models”. Which means your client’s private words—their concerns, their history, their pain—could end up processed for purposes far beyond simply delivering an email.
The hidden risk is that most “everyday” communication tools were never designed for therapeutic privacy in the first place. They look harmless, they feel convenient, and they lull you into thinking everything is locked down. But behind the scenes, your client’s messages can move through systems that scan, classify, or repurpose content for things totally unrelated to care. Even if it’s automated, even if it’s “for improving features,” it’s still exposure. And in therapy, exposure of client communication—even accidental, even indirect—is a breach of trust you can’t afford.
WhatsApp
While WhatsApp provides end-to-end encryption, it is not HIPAA compliant. The platform does not offer a Business Associate Agreement (BAA), nor does it provide the administrative, auditing, and data-handling controls required for clinical communication.
iMessage
iMessage is encrypted but lacks HIPAA compliance. Backups may be stored in iCloud, and there are no audit logs or role-based controls to ensure protected communication in a therapeutic context.
Gmail and Standard Email Providers
Traditional email is not end-to-end encrypted. Personal Gmail accounts may also have content processed when AI features are used. Without a BAA and additional safeguards, email does not meet clinical privacy or compliance standards.
Facebook Messenger / Instagram Direct Messages
These platforms are not end-to-end encrypted by default (and in some cases not at all) and are built primarily for personal communication. They do not satisfy HIPAA, data-minimization, or clinical confidentiality requirements.
SMS / Standard Text Messaging
SMS is unencrypted and vulnerable at multiple points in the transmission chain. It offers no protections suitable for sensitive healthcare communication.
Telegram
Telegram’s standard chats are not end-to-end encrypted. While “secret chats” offer encryption, the platform does not provide HIPAA compliance or required administrative safeguards.
Slack / Discord
These platforms are designed for workplace collaboration or community communication, not patient interaction. They lack HIPAA compliance, end-to-end encryption, and necessary privacy controls.
The Real Fix: How to Keep Client Communication Truly Private
The solution is to stop relying on tools that were built for casual chatter and start using systems that actually respect clinical confidentiality. Therapists should look for platforms offering true end-to-end encryption so messages can’t be intercepted or scanned on their way through the internet. They should verify HIPAA compliance, not just as a marketing badge, but through strict data-handling rules that prevent content from being reused, analyzed, or fed into any training pipeline. When a platform is built specifically for therapeutic communication, privacy isn’t an optional feature—it’s the foundation. That’s the only way to make sure client data stays exactly where it belongs: between you and the person who trusted you with it.
Our solution to all your privacy issues
We at Vybz Health designed our communication system specifically for the level of confidentiality required in mental healthcare. All client messages are protected through secure, compliant data handling practices that prevent unauthorized access, scanning, or secondary use. No conversations are processed for AI training, advertising, or feature improvement. Every interaction stays within a controlled environment built for clinicians, with strict privacy safeguards, protected infrastructure, and clear boundaries around how data is stored and managed. This approach ensures that sensitive client communication remains private, secure, and used only for the purpose of care.
Every message is exchanged through our privacy-focused client portal, which requires a one-time passcode sent directly to the client’s mobile device for access. This ensures that only the intended client can view their communication. On the clinician’s side, accounts are protected with strong authentication measures and strict access controls, preventing unauthorized access and maintaining the integrity of client records. Together, these safeguards create a secure environment where sensitive conversations stay protected and accessible only to the people who are meant to see them.
We built Serene to ensure privacy is never compromised, so every therapist can communicate with confidence knowing their clients’ trust is protected.
Stay tuned for more privacy-focused features coming soon to Serene by Vybz Health.