Collecting Sensitive Documents Without Another Client Portal

Your clients already juggle logins for their bank, payroll provider, tax software, your portal, and a dozen other services. Each new account is more friction — and the consistent feedback from practitioners is that clients engage more when they don't need another password.

Here's how to collect sensitive documents — tax records, medical files, legal paperwork — securely, without adding yet another login to your clients' lives.

The portal problem

Client portals solve a real problem: secure file transfer. Email attachments aren't encrypted. Google Drive links can be shared with anyone. Dropbox needs its own account.

But portals create a new problem: adoption. A portal only works if your client actually uses it. When login friction is high enough, many clients just email their documents instead — and now you're managing two channels, which is worse than one.

The firms with the highest compliance rates use magic links — unique URLs that let the client upload without a username or password. Click a link, see the checklist, upload, done.

  1. You create a document request — a list of items you need
  2. The system generates a unique, unguessable URL
  3. Your client gets it via email or SMS
  4. They click the link and see exactly what you're asking for
  5. They upload files, fill in fields, and submit
  6. The link expires after a set period

The security model is the same as a password reset link: possession of the URL is the authentication. The URL is long enough to be unguessable, delivered over a secure channel to a known address, and time-limited. Banks use this approach for document collection. Healthcare systems use it for patient intake. Government agencies use it for secure forms.

Email or SMS? Email is the default — clients expect it, you can include a personal message, and it's visible across devices. SMS gets much higher open rates and works well for clients who are bad at email, but the message is shorter. For initial multi-item requests: email. For quick follow-ups on a single missing document or nudging a non-responsive client: SMS. Best combo: send the initial request by email, follow up by text.

Security — in plain language

Your clients' documents need real protection. Here's what to look for in any tool:

Encrypted in transit and at rest. When your client uploads a file, it should be encrypted during the transfer and where it's stored. This is what HIPAA and IRS Publication 4557 require. If a tool doesn't do both, skip it.

Upload-only links. The magic link lets clients put files in. It should never let them — or anyone else — get files out. Viewing and downloading are restricted to authenticated users in your organization.

Links expire. An open-ended upload link is a standing invitation. Set expiration based on your workflow.

How long should the link stay active? Tax documents where the client has everything: 2–3 weeks. New client onboarding where they're gathering documents from multiple sources: 30–60 days. Urgent compliance requests: 7–14 days. If the link expires before they're done, you'll have to resend — so err slightly longer rather than re-issuing links.

Access is logged. Every view and download should be recorded — who accessed what, when. This matters for compliance (HIPAA, IRS Pub 4557, state privacy laws) and it protects you if a client ever questions how their documents were handled.

What about forwarded links? If your client forwards the link to their spouse or assistant, that person gets upload access too. This is by design — same as handing someone a paper form to fill out. The security boundary is the delivery channel (email or SMS to a known address), not the link itself.
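The link properties described above (unguessable URL, upload-only, expiring, logged) can be enforced server-side as follows. This is an added example, not SendMeDocs' or any vendor's code; the class name, the 32-byte token length, hashed storage and the action names are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_BYTES = 32  # assumption: 256 random bits; the page only says "unguessable"


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


class UploadLinkStore:
    """In-memory stand-in for a service's link table (hypothetical)."""

    def __init__(self):
        self._links = {}     # sha256(token) -> (request_id, expires_at)
        self.audit_log = []  # (time, action, request_id, outcome)

    def issue(self, request_id, ttl_seconds, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(TOKEN_BYTES)  # CSPRNG, URL-safe
        # Store only the hash, so a leaked table does not yield working links.
        self._links[_digest(token)] = (request_id, now + ttl_seconds)
        return token  # goes into the URL sent by email or SMS

    def authorize(self, token, action, now=None):
        now = time.time() if now is None else now
        request_id, expires_at = self._links.get(_digest(token), (None, 0))
        if request_id is None:
            outcome = "unknown_token"
        elif now >= expires_at:
            outcome = "expired"
        elif action != "upload":  # link never grants view or download
            outcome = "forbidden_action"
        else:
            outcome = "ok"
        # Log every attempt, including refusals.
        self.audit_log.append((now, action, request_id, outcome))
        return outcome == "ok"


if __name__ == "__main__":
    store = UploadLinkStore()
    link = store.issue("req-2024-001", ttl_seconds=14 * 86400)  # constructed id
    print(store.authorize(link, "upload"), store.authorize(link, "download"))
    print(store.authorize("not-a-real-token", "upload"))
    print(store.audit_log)
```

A forwarded link passes `authorize` for whoever presents it, which matches the forwarded-link behaviour described above; only the action and the expiry limit what the holder can do.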

Do you need a BAA? If you collect any of these from patients: medical records, insurance info, treatment notes, intake forms, prescriptions, or anything a patient would expect their doctor to keep private — yes. A Business Associate Agreement is a legal requirement under HIPAA, not optional.

If you only collect tax documents, corporate filings, employment records, or financial statements, you don't need one. That material still requires encryption and access controls, but it's not protected health information.

Not all tools offer BAAs, and some hide it behind enterprise pricing. If you're a small healthcare practice, check BAA availability and cost before you commit.

How the options compare

| Method | Security | Client effort | Your overhead |
| Email attachments | Low — unencrypted, persists in inboxes | None | High — scattered across threads |
| Shared drive (Google, Dropbox) | Medium — depends on sharing settings | Medium — needs an account | Medium |
| Client portal with login | High | High — account creation, passwords | Medium |
| Magic link upload | High | Low — click and upload | Low |

Setting up your first request

Before you send anything, one decision that affects completion rates more than anything else:

Required vs. optional items: Only mark items required if you literally cannot proceed without them. W-2 for a tax return: required. Charitable donation receipts: optional. When everything is required, clients can't submit until they have it all — slower, but guarantees completeness. When most things are optional, they submit faster but you may need to follow up. Sweet spot: required for what you can't work without, optional for everything else.

For template structure, field types, and how to minimize follow-up questions, see Building Your Document Collection Process.

What to look for in a tool

For what the upload experience actually looks like from your client's side, see What Your Clients See.

Getting started

  1. Pick a tool. SendMeDocs checks every box above — pay-as-you-go at $0.50/request with a self-serve BAA on any plan. Content Snare, SafeSend, Financial Cents, and the portals in TaxDome and Canopy are other options worth evaluating.
  2. Build your first template. Start with whatever request type you send most often.
  3. Send to a small batch. 5–10 clients. See what questions come back and refine your descriptions.
  4. Give your clients a heads-up. "You'll get an email from us with a link to upload your documents. Just click the link — no account needed." One sentence prevents confusion.

For the full seasonal workflow — when to send, due dates, reminder strategy, and handling stragglers — see How to Stop Chasing Clients for Documents.