The U.S. Department of Health and Human Services (HHS), the agency that enforces HIPAA, has issued guidance on appointment reminders: so long as clients have the ability to opt out of reminders, and so long as the nature of the appointment is not specified, appointment reminders may be sent unencrypted. This is a form of "special dispensation": in the regulators' judgment, the utility of reminder messages outweighs the very slight disclosure of information contained in the reminder. Our reminder messages are carefully worded to disclose as little information as possible: they contain only the client's first name and the appointment date and time, and they do not specify the nature of the appointment or the type of practice.
Emails must carry a return address; it is not possible to send an email without one, so a client can always hit "Reply." To discourage that, the text of the email reminder gives clients your web address and phone number and states: "Note: appointments should not be canceled or rescheduled via email." The goal is to keep clients from sending appointment details back to you by email, where you would then have to avoid echoing them in any response.
Clients are not restricted from sending PHI through regular email: the HIPAA rules apply to covered entities and their business associates, which is to say to us, not to them. They are free to send any information they wish through any channel they choose. We, on the other hand, are permitted to send unencrypted email to them only when the message contains no PHI.
One trick that I have mentioned in HIPAA workshops that I have conducted is: be vague. For example, if a client writes to you and says, "I want to schedule a therapy appointment with you for Wednesday at 5:00 p.m.," they are sending you PHI (the fact that they are a therapy client, and the exact time of an appointment). So you cannot reply with their text quoted in your reply email; YOU would then be the one transmitting PHI. However, you CAN delete the quoted text, set the appointment for them, and reply only, "OK, I will see you then. Call me if you have questions." Note that your reply does not mention an appointment, a date or time, or the nature of your relationship, so it is OK to send via regular email. The same rule applies to the subject line: if the client's subject line names the appointment or the service, change it before replying.