The Security Editor

Sharing sensitive documents with your accountant, lawyer, or doctor

You have to share tax returns, legal filings, and medical records with people who need them. Those people often aren't technical. A practical guide to sending sensitive documents to professionals — what's safe enough, what isn't, and how to push back when their workflow is insecure.

By Alex Trustwell | 7 min read | Beginner

At some point every year, you send your tax returns to your accountant. Or your will to your lawyer. Or a medical test result to a specialist. These are specifically the documents you would least want to leak, and they have to move between you and a professional who may or may not have thought hard about security.

There is no single “safe way” that works for everybody. There is a ladder of options, and knowing where each recipient sits on that ladder is the skill.

Who needs what

Different professions have different expectations and regulatory obligations. The short version:

  • Medical providers (doctors, dentists, therapists, specialists) are bound by HIPAA in the US. They should have a secure portal or secure email tool. Their email address at a major health system is often not HIPAA-compliant by itself.
  • Lawyers are bound by attorney-client privilege and, in most US jurisdictions, by ABA Formal Opinion 477R, which requires them to use “reasonable efforts” to protect client confidentiality in electronic communications. They should have a secure portal or know what encryption is.
  • Accountants and tax preparers handle information that is both regulated (tax records are protected under US federal law, and IRS Publication 4557 requires safeguards) and attractive to fraudsters. They should have a secure portal for document exchange, especially during tax season.
  • Financial advisors similarly handle regulated information and should have a secure portal.
  • Real estate agents handle information that can enable wire fraud (bank details, closing documents). Real-estate wire fraud is a billion-dollar annual industry specifically because this channel is underprotected.

The common thread: regulated professionals should have a purpose-built document-exchange tool. If yours doesn’t, that is itself a signal worth paying attention to.

The ladder of options

Best: the professional’s secure portal

Most modern professional practices use a client portal — a dedicated tool designed for secure document exchange. Examples:

  • Accountants: Canopy, TaxDome, Intuit Link, Liscio, Content Snare, SmartVault.
  • Lawyers: Clio, MyCase, PracticePanther, Filevine.
  • Medical: patient portals from their EHR vendor (MyChart for Epic, FollowMyHealth, athenahealth, eClinicalWorks).
  • Financial advisors: Advyzon, Orion, their firm’s Schwab/Fidelity portal.

These tools are built for the job. They typically offer:

  • Encrypted document storage.
  • Access logs showing who viewed what.
  • Per-user access (you don’t see other clients’ documents).
  • Often, document-specific share links with expiry.

When the professional has one, use it. It’s what you’re paying for. Sending via email even when the portal exists is a surprisingly common pattern and undoes the whole reason for the portal.

Good: encrypted email or E2EE provider

If the professional doesn’t have a portal but understands encryption, a few options work:

  • ProtonMail or Tutanota — if you both have accounts, emails are end-to-end encrypted automatically. Proton Mail also offers password-protected emails to non-Proton recipients (you set a password, they decrypt in-browser with it — give them the password through a different channel).
  • S/MIME or PGP — if they actually have a key. Rare in most professions outside technology; assume no unless they say yes.
  • A shared E2EE cloud folder (Proton Drive, Tresorit) — create a shared folder, give them access, upload documents there. Can work if you’re willing to create an account on their side.

Acceptable: password-protected PDF over email

If the professional has no secure portal and no encryption, the fallback pattern that actually works:

  1. Create the PDF. If creating it yourself, generate it directly; if scanning, scan at 300 dpi for text.
  2. Password-protect it with AES-256. See password-protected PDFs done right.
  3. Email the PDF.
  4. Text or call the recipient with the password. Do not put the password in the email itself.

This is a workable floor. It is not the best tool; it is the tool that works with any recipient, and it is considerably better than unencrypted email.
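The four steps above, carried out in code, as an added example that is not part of the original article: it generates a random password, encrypts a PDF with AES-256 using the pypdf library (assumed installed together with its AES extra, `pip install "pypdf[crypto]"`), and checks that the result opens only with the right password. The sample PDF is a constructed blank page, not a real return; the password is meant to be read off the terminal and sent by SMS or phone, not pasted into the email.

```python
"""Password-protect a PDF with AES-256 before emailing it (added example).

Assumes the pypdf library with its AES extra: pip install "pypdf[crypto]".
"""
import secrets
import string
import tempfile
from pathlib import Path


def pdf_crypto_available() -> bool:
    """Preflight: pypdf plus a crypto backend (cryptography or pycryptodome)
    must be present, otherwise AES-256 encryption raises at runtime."""
    try:
        import pypdf  # noqa: F401
    except ImportError:
        return False
    for backend in ("cryptography", "Crypto"):  # Crypto = pycryptodome
        try:
            __import__(backend)
            return True
        except ImportError:
            continue
    return False


def make_password(length: int = 20) -> str:
    """Random alphanumeric password for the PDF. Deliver it by SMS or a
    phone call, never in the same email as the attachment."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def protect_pdf(src: Path, dst: Path, password: str) -> None:
    """Copy src to dst with AES-256 encryption; opening dst needs the password."""
    from pypdf import PdfReader, PdfWriter

    writer = PdfWriter()
    for page in PdfReader(src).pages:
        writer.add_page(page)
    # Same password as user and owner password so the recipient gets full
    # access; "AES-256" selects the PDF 2.0 (revision 6) scheme.
    writer.encrypt(user_password=password, owner_password=password,
                   algorithm="AES-256")
    with open(dst, "wb") as fh:
        writer.write(fh)


def opens_with(path: Path, password: str) -> bool:
    """True only if the file is encrypted and this password unlocks it."""
    from pypdf import PdfReader

    reader = PdfReader(path)
    if not reader.is_encrypted:
        return False
    # decrypt() returns PasswordType.NOT_DECRYPTED (0) on a wrong password
    return int(reader.decrypt(password)) > 0


def roundtrip_demo() -> dict:
    """Build a constructed one-page PDF, protect it, and verify the result."""
    from pypdf import PdfWriter

    with tempfile.TemporaryDirectory() as tmp:
        plain = Path(tmp) / "tax-return.pdf"  # constructed sample file name
        locked = Path(tmp) / "tax-return-protected.pdf"
        blank = PdfWriter()
        blank.add_blank_page(width=612, height=792)  # US Letter, in points
        with open(plain, "wb") as fh:
            blank.write(fh)

        pw = make_password()
        protect_pdf(plain, locked, pw)
        return {
            "encrypted": opens_with(locked, pw),
            "wrong_password_rejected": not opens_with(locked, pw + "x"),
            "original_unencrypted": not opens_with(plain, pw),
        }


if __name__ == "__main__":
    if not pdf_crypto_available():
        raise SystemExit('install with: pip install "pypdf[crypto]"')
    print(roundtrip_demo())
```

To use it on a real file, call `protect_pdf(Path("return.pdf"), Path("return-protected.pdf"), make_password())`, attach the protected copy, and read the printed password to the recipient over the phone. The preflight check matters because pypdf refuses AES-256 without a crypto backend rather than silently falling back to a weaker scheme.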

Acceptable (for non-sensitive parts): cloud storage share links

For documents that are sensitive but not maximally so, sending a time-limited, password-protected share link via Google Drive / OneDrive / Dropbox is reasonable:

  • Share to a specific email, not “anyone with the link”.
  • Set an expiry (7–30 days).
  • Set a link password; send via SMS or Signal.

This is what the expiring-links article covers in detail.

Not acceptable: plain email attachment

Sending an unencrypted PDF of your tax return, medical record, signed contract, or bank statement as an email attachment is not a safe default. Email passes through multiple servers in transit, is stored on both sender and recipient servers for years, is indexed by those providers, may be read by corporate filters, and shows up in backups and archives indefinitely.

Plain email is fine for non-sensitive correspondence. It is the wrong channel for documents containing the information a fraudster would buy.

Specific scenarios

Sending tax records to your accountant

  • First choice: their portal. During tax season, this should be set up and ready.
  • Second choice: a password-protected PDF over email with the password by SMS.
  • Don’t: email the PDF unprotected. Don’t email them your driver’s license or Social Security card as a photo attachment — use their portal specifically for identity documents.

Sending documents to your lawyer

  • First choice: their client portal (Clio, MyCase, etc.). Most practices of any size have one now.
  • Second choice: a shared E2EE folder (Proton Drive, Tresorit) that both of you have access to. Works well for ongoing matters.
  • Third choice: password-protected PDF + password via phone.
  • Don’t: send unprotected PDFs, especially signed agreements or anything with bank details.

Sending medical documents to a provider

  • First choice: their patient portal (MyChart etc.). Most providers have one and many let you upload documents.
  • Second choice: their secure messaging, which the practice often has even when the portal’s document upload is limited.
  • Third choice: fax, unironically. Yes, fax is insecure, but for a one-off transmission to an office whose only secure channel is fax, it is what it is. Don’t send by email if the office isn’t HIPAA-configured for email.
  • Don’t: unprotected email attachments.

Sending wire instructions for real estate

  • First choice: a pre-agreed channel set up at the start of the transaction (the title company’s portal, or a known secure email setup).
  • Always: verify by voice call to a phone number you already have on file. Never use a number from an email.

When to push back on the professional

Sometimes the professional is the weak link. If your lawyer emails you an unencrypted PDF of your will and asks you to email it back signed, that’s a signal. Push back politely:

  • “Do you have a secure portal? I’d prefer to use it for the signed copy.”
  • “Could we use a password-protected PDF for the return trip?”

Most professionals appreciate this. The ones who don’t are often the ones who most need it; clients raising the issue is frequently what drives a practice to adopt a portal.

If they cannot accommodate basic security, that’s relevant information about the practice’s general discipline. It’s a fair thing to consider when choosing professionals for sensitive work.

A realistic household workflow

For most readers, the workable pattern is:

  1. For each recurring professional (accountant, lawyer, family doctor), use their portal when they have one. Log in once, bookmark, know the password.
  2. Keep a saved template in your password manager titled “Default secure-send procedure for [Professional]” with the URL, your login, and how you usually send them things.
  3. Default to password-protected PDF + SMS for professionals without a portal.
  4. Escalate to E2EE channels (Proton Drive, Tresorit, Signal) for genuinely sensitive one-off documents.

Doing this once per professional relationship, at the start of the engagement, means the security work is mostly upfront and the year-to-year handling is a small habit. Every year of returns you send through the portal instead of as an email attachment is a year’s worth of exposure that didn’t happen.

Sources

  1. AICPA — Trust Services Criteria (TSP Section 100)
  2. American Bar Association — Formal Opinion 477R on Email and Electronic Communications
  3. HHS — HIPAA and Email
  4. CISA — Secure Communications Products