A mid-sized ABA practice · high part-time headcount · communication-heavy, email-light
This is the story of a mid-sized ABA practice that went looking for an easy win and found a line item it had simply stopped questioning: a paid email mailbox for every behavior technician on the roster. We've kept them anonymous, but the math — and the compliance trap underneath it — will be familiar to anyone who has scaled a practice past a couple dozen front-line staff.
First, the obvious question: why do behavior techs have email at all?
Nobody ever decided BTs needed email. It accreted. You spin up the practice on Microsoft 365 or Google Workspace because the owner and BCBAs need it, the wizard asks how many users, and "everyone gets an account" is the path of least resistance. Onboarding paperwork goes to an inbox. The occasional all-staff announcement goes to an inbox. So every new hire gets a mailbox, and it becomes invisible furniture.
But look at what a behavior tech's day actually involves. They're in homes and clinics, on their feet, running sessions. Their real communication is fast and mobile: "running late," "client cancelled," a quick question to the supervising BCBA, a heads-up to a parent. That happens by text and phone — not by composing an email. For most BTs, the company mailbox is a place announcements go to die.
The part that turns a small bill into a real liability: HIPAA
Here's where it stops being just a cost question. The moment a staff email touches a client's name alongside anything about their care — a scheduling note that says "running late to a session," a parent reply, a quick question about a kiddo's program — that mailbox is now handling Protected Health Information (PHI). And under HIPAA, any system that handles PHI on your behalf has to be covered by a Business Associate Agreement (BAA), with the encryption, access controls, audit logging, and retention that implies.
And it's subtler than most practices realize — this isn't only about accidental leaks. For a behavioral-health provider, a client's name on its own is enough. A subject line like "New message from [client name]," sitting in an email preview, a lock screen, or a mail-server log, already discloses that this specific person is a client — and that treatment relationship is itself PHI, no care details required. The compliant pattern is a generic "you have a new secure message — log in to view," never the name in an exposed email.
That single fact quietly rules out the cheapest option entirely:
- Free, personal email — gmail.com, outlook.com, yahoo — is off the table. Consumer accounts do not come with a BAA. The provider will not sign one for them. So the instant a tech uses a personal Gmail for anything client-related, you have a HIPAA violation, full stop. (This is why "just have them use their own email" is not a shortcut — it's a breach waiting for an audit.)
- HIPAA-compliant email means a paid business tier with a BAA in place. Microsoft includes its BAA by default — through the Online Services Data Protection Addendum on its paid commercial plans, no separate signing. Google will cover Google Workspace too, but only after an admin reviews and accepts the BAA in the Admin console, and only for the services on Google's covered list (Gmail is included; third-party add-ons aren't). Either way, the free tier was never the compliant tier.
So what does compliant email actually cost?
Once you accept that every PHI-touching mailbox has to sit on a paid, BAA-covered plan, the per-seat math gets real — multiplied across a big, high-churn front-line roster. Current US list prices:
| Option | Per user / month | BAA available? | OK for PHI? |
| --- | --- | --- | --- |
| Personal Gmail / Outlook.com / Yahoo (free) | $0 | No | No — non-compliant |
| Microsoft 365 Business Basic | $6.00 | Yes — Microsoft BAA, by default | Yes, if configured |
| Google Workspace Business Starter | $7.00 | Yes — admin accepts BAA | Yes, if configured |
| Microsoft 365 Business Standard | $12.50 | Yes | Yes |
| Google Workspace Business Standard | $14.00 | Yes | Yes |
| Microsoft 365 Business Premium | $22.00 | Yes | Yes |
Microsoft figures are annual-commitment list prices; Google figures are list (billed monthly — an annual commitment runs ~16% less). Prices change; verify current pricing before relying on these figures.
Take a practice with 60 front-line techs. At the cheapest compliant tier, that's roughly 60 × $6 × 12 ≈ $4,300 a year just for mailboxes most of those techs barely open. Land on a mid tier and you're closer to $9,000 a year. And that's before the costs that never show up on the invoice.
The hidden costs nobody lines up against the invoice
- Turnover tax — and it's enforced. Direct-care turnover in this field runs high (industry benchmarks put it in the ~44–65% range a year), so a large share of your front-line roster churns annually. Every hire is a mailbox to provision, license, and secure; every departure is access to revoke and data to retain. This isn't hypothetical: in December 2024, federal regulators fined one practice about $1.19 million — in part for failing to cut off a former workforce member's access to electronic health information and failing to review its activity logs. Every missed offboarding is a former employee who may still be able to reach client information.
- Configuration and oversight. "Has a BAA" is not the same as "is compliant." Someone has to actually accept the BAA, restrict which services it covers, enforce encryption and access policy, and be able to produce an audit trail. That's real IT/compliance time, per mailbox, forever.
- The visibility hole. When client communication is scattered across dozens of individual mailboxes, the practice can't actually see it. Ask "what did we tell this family last month?" and the answer is sitting in one tech's inbox — or it left with them.
What that gap actually costs
$1.19 million
The penalty federal regulators imposed on one practice in December 2024 — in part for failing to cut off a former workforce member's access to electronic health information, and failing to review its activity logs. That's the exact offboarding-and-audit hole that scattered staff email creates, priced in dollars.
What they tried first
The usual moves: shop cheaper email tiers, consolidate to shared mailboxes, tighten the offboarding checklist. It trimmed the bill and the risk at the margins. But it never answered the question underneath: why am I buying — and securing, and policing — a PHI-capable inbox for a role whose real communication is message and phone?
How Wilma helped: stop renting the channel you don't use
They were already running on Wilma, and realized the communication their techs actually do was already covered — inside the same platform that holds their clinical and billing records:
- Secure messaging for staff-to-staff and BCBA coordination, tied to the right client record — not scattered across personal inboxes.
- A business phone line with IVR — calls ring through to the phones staff already carry, with recording and transcription, so there's a real company number and a logged call without buying desk phones or a separate VoIP plan per person.
- SMS for the fast, practical back-and-forth (reminders, "on my way," parent notifications) that was happening over text anyway — now captured, not lost on a personal device.
With those carrying the load, the practice made a deliberate call: front-line techs no longer needed a paid, PHI-capable email seat. Announcements and documents moved into Wilma's messaging and existing systems, and the per-seat email spend — and the compliance surface — for that whole group went away.
"We weren't taking something away from our team. We stopped paying to secure a tool they didn't use — because the tools they do use were already in Wilma, and already covered." — Operations lead
Why this is actually safer than giving techs email
This is the part that surprised the owner. Cutting BT email didn't just save money — it shrank the risk:
- PHI stays inside one HIPAA-grade platform — the same one already trusted with the clinical and billing record, covered by the BAA Wilma signs as standard with every customer — instead of being sprayed across dozens of inboxes you don't fully control.
- Offboarding is one switch, not a scavenger hunt. When a tech leaves, access ends inside the platform. There's no lingering mailbox, no "did we remember to revoke that?" A former employee's personal Gmail, by contrast, you never controlled and can never close.
- There's an actual record. Communication on the client record is access-controlled and auditable — you can answer "who said what to this family, and when," which is exactly what you can't do when it's buried in someone's personal sent folder.
Full visibility — and why that's care, not surveillance
Bringing communication into Wilma gives leadership something email never did: a complete, organized view of client communication across the practice. It's worth being precise about what that is and isn't. This is not about reading your staff's private lives or monitoring people — it's that communication about a client belongs on that client's record, the same way a session note does. When a parent asks what was discussed, when a new BCBA picks up a case, when an audit asks for documentation, the practice can answer because the information lives with the client, not in a departed tech's inbox. That's continuity of care and clean compliance — the same reason you keep session notes, applied to conversations.
An important note on doing this responsibly
How you have staff communicate for work is a policy decision with legal and HR dimensions, and it isn't one-size-fits-all. Some states have specific rules about reimbursing employees for the use of personal property (like a personal phone) for company work. This practice made its own choice based on its own legal guidance. Wilma gives you the communication tools; how you deploy them, and how you handle device and reimbursement policy, is yours to decide with your own advisors. Wilma takes no responsibility for those policy choices.
The results
- Paid, PHI-capable email seats for front-line techs eliminated — recurring spend removed, not just discounted (on a 60-tech roster, roughly $4–9K/year depending on tier)
- The compliance surface shrank: fewer mailboxes to BAA, secure, audit, and offboard
- One platform to revoke on departure — no orphaned inboxes after a high-churn year
- Client communication consolidated where it belongs — on the client record, visible and auditable
The names are hidden. The pattern isn't: a lot of practices are paying to secure a PHI-capable channel their front-line staff barely use — while already owning a safer one. This is the same move as bringing billing in-house: when the platform does the work, you stop paying for the gaps.
Frequently asked questions
Isn't free email like Gmail fine for my behavior techs?
Not for anything client-related. Personal/free accounts (gmail.com, outlook.com) don't come with a Business Associate Agreement, and the provider won't sign one. The moment a tech's email includes a client's name with anything about their care, that's PHI — and a free account holding PHI is a HIPAA violation. Compliant email means a paid business plan with a signed BAA.
What exactly makes staff email a HIPAA problem?
Any system that handles PHI on your behalf has to be covered by a BAA, with encryption, access controls, audit logging, and retention. A scheduling note like "running late to a session," a parent reply, or a question about a kiddo's program all count as PHI. So every PHI-capable mailbox has to be on a paid, BAA-covered, properly-configured plan — not the free tier.
It's just a client's name, not medical details — is that really PHI?
Yes — and it's the part most practices miss. For a behavioral-health provider, the name is the disclosure: it reveals that a specific, named person is your client, and that treatment relationship is itself individually identifiable health information. You don't have to say a word about their care for it to count. So an unencrypted notification like "New message from [client name]" — sitting in a subject line, an email preview, a lock screen, or a mail-server log — is already a PHI exposure, not just an accidental one. The compliant pattern is the generic "You have a new secure message — log in to your portal to view," with no name and no content. In Wilma that conversation lives on the secure portal behind login, so the name and the message never sit in an exposed email.
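The two notification patterns described here and in the section above, put side by side in code. This is an added illustration, not Wilma's code and not part of the original write-up: a small Python builder produces the leaky form (client name in the subject, message content in the body) and the generic form (constant subject, no name, no content, portal login required), and a gate refuses to send anything in which a client identifier appears in the outbound text. The client record shape, the portal URL and the function names are assumptions constructed for the example.

```python
"""Outbound notification builder for a secure-messaging portal.

Added example, not Wilma's code. The Client record, the portal URL and
the notification shape below are constructed for illustration only.
"""
import re
from dataclasses import dataclass
from typing import List

# Placeholder portal address (assumption, not a real endpoint).
PORTAL_URL = "https://portal.example.invalid/messages"


@dataclass(frozen=True)
class Client:
    client_id: str    # internal identifier; never meant to leave the portal
    first_name: str
    last_name: str


@dataclass(frozen=True)
class Notification:
    subject: str      # what lands in the email preview / lock screen / mail log
    body: str


def build_leaky_notification(client: Client, message_text: str) -> Notification:
    """The pattern the article warns against: the client's name is in the
    subject and the message content is in the body, so both are exposed in
    previews, lock screens and mail-server logs."""
    return Notification(
        subject=f"New message from {client.first_name} {client.last_name}",
        body=message_text,
    )


def build_generic_notification() -> Notification:
    """Compliant pattern: a constant subject with no name and no content.
    The conversation itself is only reachable behind the portal login, so the
    notification takes no client data at all."""
    return Notification(
        subject="You have a new secure message",
        body=f"Log in to your portal to view it: {PORTAL_URL}",
    )


def identifiers_leaked(notification: Notification, client: Client) -> List[str]:
    """Return every client identifier that appears in the outbound text.

    Matching is case-insensitive and on whole words, so a first name of
    'Ann' does not trigger on the word 'Annual'."""
    text = f"{notification.subject}\n{notification.body}"
    found = []
    for ident in (client.first_name, client.last_name, client.client_id):
        if re.search(rf"\b{re.escape(ident)}\b", text, flags=re.IGNORECASE):
            found.append(ident)
    return found


def send_if_clean(notification: Notification, client: Client) -> Notification:
    """Gate in front of the mail sender: refuse any notification that would
    disclose who the client is. Returns the notification when it is clean."""
    leaks = identifiers_leaked(notification, client)
    if leaks:
        raise ValueError(f"refusing to send: client identifiers in outbound email: {leaks}")
    return notification


if __name__ == "__main__":
    # Constructed sample client and message.
    client = Client(client_id="C-0042", first_name="Ann", last_name="Rivera")
    leaky = build_leaky_notification(client, "Running late to today's session")
    print("leaky notification leaks:", identifiers_leaked(leaky, client))
    generic = build_generic_notification()
    print("generic notification leaks:", identifiers_leaked(generic, client))
    print("sent:", send_if_clean(generic, client).subject)
```

The gate checks the whole outbound text rather than only the subject, because a preview pane or a mail-server log will happily expose the first line of the body too.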
If email needs a BAA, why are phone calls and faxes fine?
Because of HIPAA's "conduit exception." A carrier that only carries a message in transit — a phone company carrying a call, a fax going down a phone line — is treated as a mere conduit: it moves the information without storing it or routinely looking at it, so it doesn't need a BAA. Email is different because providers store your messages on their servers — that's maintaining PHI, not just transporting it — which is why a free mailbox can't hold it without a signed BAA. The line is transient transport vs. storage: the moment a service keeps the PHI (cloud/e-fax, recorded calls and voicemail, email), it needs a BAA. That's also why secure messaging on the client record — not personal email — is the clean fit. (General compliance posture, not legal advice.)
How much does HIPAA-compliant email actually cost?
Compliant tiers start around $6–7/user/month (Microsoft 365 Business Basic, Google Workspace Business Starter) and run $12–22 for higher tiers. For a 60-tech roster that's roughly $4,300–$9,000/year just for mailboxes most techs barely open — before the hidden costs of provisioning, securing, auditing, and offboarding a high-turnover roster.
Isn't bringing messages into Wilma just surveillance of my staff?
No — it's the same principle as a session note. Communication about a client belongs on that client's record so the practice has continuity of care and a clean audit trail. It's not about monitoring people's private lives; it's being able to answer "what did we tell this family?" — which is exactly what you can't do when it's buried in one tech's personal inbox.
What happens to all that access when a tech quits?
With email, every departure is a mailbox to find and revoke, plus a personal Gmail you never controlled and can't close. That gap is enforced: in December 2024, regulators fined one practice ~$1.19M partly for not cutting off a former worker's access and not reviewing activity logs. In Wilma, access ends inside the platform in one step — no orphaned inboxes, no "did we remember to revoke that?" after a high-churn year.
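The offboarding-and-log-review gap that this answer and the "Turnover tax" point above describe can be checked mechanically. The following is an added example, not Wilma's or any identity provider's tooling: a Python reconciliation that lays an HR termination list next to an account export and a sign-in log, and flags departed staff whose accounts are still enabled and any sign-in attempt by a departed user after their termination date. The roster, the account list and the log lines are constructed, and their formats are assumptions.

```python
"""Offboarding reconciliation: departed staff vs. still-enabled accounts and sign-ins.

Added example, not any vendor's tooling. The HR roster, account export and
sign-in log below are constructed, and their formats are assumptions.
"""
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple

# Constructed HR export: username -> termination date (None = still employed).
HR_ROSTER: Dict[str, Optional[date]] = {
    "a.rivera": None,
    "b.chen": date(2024, 11, 15),
    "c.okafor": date(2024, 12, 1),
    "d.patel": None,
}

# Constructed identity-provider export: username -> account still enabled?
ACCOUNTS: Dict[str, bool] = {
    "a.rivera": True,
    "b.chen": True,       # left on 2024-11-15 but was never disabled
    "c.okafor": False,    # disabled correctly
    "d.patel": True,
}

# Constructed sign-in log, one event per line: "<ISO timestamp> <user> <result>".
SIGNIN_LOG = """\
2024-11-14T08:02:11Z b.chen success
2024-11-20T22:41:03Z b.chen success
2024-12-02T09:10:00Z c.okafor failure
2024-12-03T07:55:42Z a.rivera success
"""

SigninEvent = Tuple[datetime, str, str]


def parse_signins(log_text: str) -> List[SigninEvent]:
    """Parse the assumed three-field log format into (timestamp, user, result)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def orphaned_accounts(roster: Dict[str, Optional[date]], accounts: Dict[str, bool]) -> List[str]:
    """Departed staff (termination date set) whose account is still enabled."""
    return sorted(
        user for user, left_on in roster.items()
        if left_on is not None and accounts.get(user, False)
    )


def post_departure_signins(roster: Dict[str, Optional[date]],
                           events: List[SigninEvent]) -> List[Tuple[str, str, str]]:
    """Sign-in attempts (successful or not) by a departed user after their
    termination date. Failed attempts are kept: they show someone still trying."""
    hits = []
    for ts, user, result in events:
        left_on = roster.get(user)
        if left_on is not None and ts.date() > left_on:
            hits.append((user, ts.isoformat(), result))
    return hits


def offboarding_report(roster, accounts, log_text) -> Dict[str, list]:
    """Both checks in one call, suitable for a scheduled review."""
    events = parse_signins(log_text)
    return {
        "still_enabled": orphaned_accounts(roster, accounts),
        "post_departure_signins": post_departure_signins(roster, events),
    }


if __name__ == "__main__":
    for key, value in offboarding_report(HR_ROSTER, ACCOUNTS, SIGNIN_LOG).items():
        print(f"{key}: {value}")
```

The second check is the one that catches what the first misses: c.okafor's account was disabled, so it never shows up as orphaned, yet the log still records an attempt after departure, which is exactly the kind of event a periodic log review exists to surface.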
Do my techs lose anything by not having email?
In practice, no — because email wasn't how they communicated. Their day runs on fast, mobile messaging and phone: schedule changes, parent updates, quick BCBA questions. Wilma covers those with secure messaging, a business line, and SMS, all tied to the client record. Announcements and documents move into the platform and existing systems.
Is Wilma's communication actually HIPAA-ready?
Yes. Communication in Wilma lives inside the same HIPAA-grade platform already trusted with your clients' clinical and billing records — access-controlled, audited, and covered by the BAA Wilma signs as standard with every customer. That's the point: it's PHI-ready by default, not scattered across personal inboxes that aren't.