Alberta's Health Information Act (HIA): what therapists need to know about email
If you’re a therapist or psychologist practising in Alberta, email containing health information is governed by Alberta’s Health Information Act (HIA), not Ontario’s PHIPA. HIA’s obligations attach to “custodians” of health information, and if you’re a regulated health professional providing health services in Alberta, that includes you. This guide covers what HIA requires for email, where Gmail falls short, and what makes Alberta’s requirements different from Ontario’s.
Who is a “custodian” under HIA?
The Health Information Act defines a custodian in section 1(1)(f). The definition is broad: it covers health services providers who are regulated members under the Health Professions Act and who are designated as custodians in the Health Information Regulation. Psychologists regulated by the College of Alberta Psychologists (CAP) are custodians. So are physicians, nurses, social workers, and other regulated health professionals covered by the designation.
This matters because HIA’s obligations attach to the custodian, not to an organization. If you’re a solo psychologist, you’re personally responsible for meeting HIA’s requirements for every system that touches health information, and your email is one of those systems.
If that sounds like a lot of weight for a solo practice, you’re not wrong. But most of these obligations come down to documentation, not technical complexity.
A note on scope: CAP is expanding to regulate counselling therapists in Alberta. When that expansion takes effect, more practitioners will fall under the custodian definition and HIA’s obligations will apply to them as well. We’ve published a full guide to CAP’s practice standards for email and electronic communication and a detailed look at CAP expanding to regulate counselling therapists that covers the expansion timeline, HIA obligations, and what counselling therapists can do now to prepare.
Ontario’s PHIPA uses a similar concept (“health information custodian”) but defines it differently. The parallel is useful for therapists who see clients in both provinces, but the statutory definitions aren’t interchangeable.
What HIA requires for email containing health information
Security safeguards (HIA s.60)
Section 60 of the HIA creates the general duty: custodians must protect health information against theft, loss, unauthorized access, unauthorized copying, tampering, and any other form of unauthorized use or disclosure.
The Health Information Regulation (s.8) specifies how that duty is met: through administrative, technical, and physical safeguards. For email, the technical safeguard that matters most is encryption. The Office of the Information and Privacy Commissioner of Alberta (OIPC) hasn’t published a prescriptive list of encryption standards for email, but the general principle across Canadian health privacy law is that opportunistic TLS alone is unlikely to meet the reasonable-safeguard standard when the content is health information.
What reasonable safeguards look like in practice for email:
- Encryption in transit that doesn’t depend on the recipient’s email provider cooperating. Gmail negotiates TLS opportunistically: if the receiving server doesn’t offer it, the message is delivered in plaintext. That is a start, but it isn’t a guarantee.
- Encryption at rest for stored email containing health information. Google encrypts Gmail storage with keys it controls, which protects against stolen disks but not against the provider itself; standard Gmail doesn’t provide per-message encryption that keeps the content from the email provider.
- Access controls that limit who can read the email to authorized individuals, and strong authentication (two-factor at minimum, ideally a hardware security key) on every account that sends or receives health information.
The standard scales with the sensitivity of the information. Health information from therapy sessions is among the most sensitive categories. The OIPC has consistently held that more sensitive information requires stronger safeguards.
Privacy impact assessments (HIA s.64)
Here’s where Alberta diverges from Ontario. Before you start using any new system that handles health information (including your email), section 64 of the HIA requires you to prepare a privacy impact assessment (PIA) and submit it to the OIPC. Not file it for your own records. Submit it.
If you adopted Google Workspace for your practice and didn’t submit a PIA to the OIPC, there may be a gap worth assessing.
The OIPC Alberta’s PIA requirements are stricter than Ontario’s in two ways:
- Mandatory submission. In Ontario, the IPC recommends PIAs but doesn’t require submission. In Alberta, you must submit the completed PIA to the OIPC. No exceptions.
- Prior review. The OIPC reviews submitted PIAs and may raise concerns before you implement the system. In Ontario, you complete the PIA for your own records.
We have a privacy impact assessment template that covers the core structure, but it was written for Ontario’s PHIPA framework and needs substantial adaptation for Alberta: mandatory submission to the OIPC, analysis of cross-border data flows, and Alberta-specific risk factors the Ontario template doesn’t cover. We plan to publish an Alberta-specific PIA guide.
Consent to disclosure under HIA (s.34)
Consent under HIA works differently than you might expect if you’re coming from Ontario’s framework. Section 34 sets out the requirements for written or electronic consent to disclosure. Sections 35 and 36 address discretionary disclosure without consent and disclosure of registration information, respectively.
The consent framework is different from PHIPA’s in important ways. HIA uses deemed consent more broadly than PHIPA. Deemed consent means the law treats consent as given based on the circumstances, without requiring a signed form. Under HIA, consent to collect health information is deemed when the individual provides the information voluntarily and the collection is reasonably necessary for the provision of a health service. This is broader than PHIPA’s implied consent rules for collection.
For email specifically, the question is whether sending health information by email falls within the scope of the consent the client provided. HIA doesn’t have an explicit email consent provision. The safe approach is the same as in Ontario: obtain clear authorization before sending health information by email, document that authorization, and make sure the client understands the risks.
The practical difference is that HIA’s deemed consent provisions cover more ground for in-person clinical interactions, but email communication with health information still requires explicit attention. The client must know that email is being used, understand what information will be communicated, and have the opportunity to withdraw consent.
Data handling and retention
CAP’s Standards of Practice require psychologists to retain health information records for a minimum of 10 years from the date of the last entry for adult records, or until the individual reaches age 18 plus 10 years for minors. The HIA itself doesn’t specify a minimum retention period for clinical records, though s.41 requires custodians to maintain records of disclosures for 10 years following the date of disclosure.
For therapists using Gmail, this means:
- Don’t delete client emails containing health information before the applicable retention period expires.
- Have a retention policy that accounts for email records. Gmail’s default behaviour is to keep everything, which satisfies the retention minimum but doesn’t address the disposition requirement.
- Disposition after retention. When the retention period ends, the general duty under s.60 to protect health information throughout its lifecycle extends to secure destruction. For email, secure destruction means permanently deleting the email and any backups, not just moving it to the trash.
Most therapists don’t have a formal email retention policy. That is worth fixing: if you’re using Gmail as part of your practice, a written retention and disposition policy that covers email is part of your obligations under HIA and CAP’s standards.
Is Gmail HIA compliant?
No, not by default. Based on our analysis of s.60’s safeguard requirements and the Health Information Regulation’s safeguard categories, Gmail’s default configuration falls short of what HIA expects for health information. The analysis parallels what we found for Ontario’s PHIPA.
The specific gaps:
- Encryption is opportunistic. Gmail’s TLS depends on the recipient’s server. Health information requires reliable encryption, not conditional.
- No HIA specific agreement from Google. Google offers a HIPAA BAA (US law), but nothing equivalent for Alberta’s HIA. Some practitioners sign the HIPAA BAA for the additional contractual protections it provides, but it’s a US legal instrument and doesn’t address HIA’s requirements. Consult a privacy professional for guidance on appropriate custodian agreements.
- No PIA submission. Google Workspace doesn’t come with a completed PIA. You’re responsible for preparing and submitting your own PIA to the OIPC.
And Gmail’s admin logs don’t give you a communication-level audit trail: the Admin console’s email log search records sender, recipient, and delivery status, but not whether a message contained health information or what was disclosed to whom.
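The first gap above (opportunistic TLS) has one concrete check a practitioner can make. A receiving domain can turn Gmail’s opportunistic STARTTLS into a requirement by publishing an MTA-STS policy (RFC 8461): a `_mta-sts` DNS TXT record plus a policy file served over HTTPS, and Gmail honours such policies when delivering outbound mail (Google announced support in 2019). If the recipient’s domain has no policy, or its mode is `testing` or `none`, delivery to that recipient is still opportunistic no matter how Gmail is configured. The example below is added here and is not code from the article or from Google; it parses a constructed TXT record and policy file, matches MX hostnames against the policy using the RFC’s wildcard rule, and reports what a policy-aware sender would do for each MX. The domain names are hypothetical, and the code leaves out the certificate validation a real sender performs in `enforce` mode.

```python
"""Is TLS to a recipient domain enforced or merely opportunistic?

Added example (not from the original article). An MTA-STS policy (RFC 8461)
is how a receiving domain requires STARTTLS instead of merely offering it.
The DNS record and policy text below are constructed samples; the hostnames
are hypothetical.
"""

# Constructed sample of the TXT record at _mta-sts.<domain>.
SAMPLE_TXT = "v=STSv1; id=20240115T120000;"

# Constructed sample policy, as served at
# https://mta-sts.<domain>/.well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.clinic.example
mx: *.backup-mx.example
max_age: 604800
"""


def parse_sts_txt(txt: str) -> dict:
    """Parse the _mta-sts TXT record; return {} if it is not a valid STSv1 record."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return {}
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or "id" not in fields:
        return {}
    return fields


def parse_policy(text: str) -> dict:
    """Parse a policy file into version, mode, max_age and the mx list.

    Raises ValueError on malformed input: a sender that cannot parse the
    policy must treat the domain as having no enforceable policy.
    """
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy["max_age"] = int(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in {"enforce", "testing", "none"}:
        raise ValueError("invalid mode")
    if "max_age" not in policy:
        raise ValueError("missing max_age")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing mode requires at least one mx")
    return policy


def mx_matches(mx_host: str, pattern: str) -> bool:
    """RFC 8461 matching: a leading '*.' matches exactly one leftmost label;
    anything else is a case-insensitive exact match (trailing dots ignored)."""
    mx_host = mx_host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".backup-mx.example"
        if not mx_host.endswith(suffix):
            return False
        leftmost = mx_host[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return mx_host == pattern


def delivery_decision(policy: dict, mx_host: str, starttls_offered: bool) -> str:
    """What a policy-aware sender does for one MX:
    'deliver-tls'   TLS negotiated (and, in enforce mode, MX is in the policy)
    'deliver-plain' no TLS, but the policy does not forbid plaintext
    'refuse'        enforce mode and either no TLS or MX not in the policy
    """
    allowed = any(mx_matches(mx_host, p) for p in policy["mx"])
    if policy["mode"] == "enforce":
        return "deliver-tls" if (starttls_offered and allowed) else "refuse"
    # testing / none: fall back to opportunistic behaviour
    return "deliver-tls" if starttls_offered else "deliver-plain"


if __name__ == "__main__":
    if parse_sts_txt(SAMPLE_TXT):
        policy = parse_policy(SAMPLE_POLICY)
        for host, tls in [("mail.clinic.example", True),
                          ("mail.clinic.example", False),
                          ("mx1.backup-mx.example", True),
                          ("rogue.example", True)]:
            print(f"{host:24} starttls={tls!s:5} -> {delivery_decision(policy, host, tls)}")
```

The practical use is the other direction: run the same checks against the domains your clients actually use (most consumer mail providers publish no policy at all), and treat any recipient without an `enforce` policy as one where Gmail’s transport encryption is not guaranteed.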
You can reduce the gaps by configuring admin security settings, disabling AI features, and maintaining manual documentation.
But the core limitations remain.
How HIA compares to Ontario’s PHIPA
If you see clients in both Ontario and Alberta, or if you’re considering expanding your practice across provincial lines, here’s how the two frameworks compare for email:
For the side by side breakdown including BC PIPA, see our provincial privacy law comparison.
| Requirement | HIA (Alberta) | PHIPA (Ontario) |
|---|---|---|
| Encryption | Reasonable safeguards required under s.60 and Health Information Regulation s.8 | Reasonable steps under s.12(1); IPC guidance treats encryption as an expected technical safeguard |
| Consent model | Deemed consent used more broadly for collection; disclosure consent requirements in s.34 | Express consent is the safe standard for email containing health information |
| Data residency | Not mandated, but OIPC considers it a factor in PIAs | Not mandated, but IPC considers it a risk factor |
| Privacy Impact Assessment | Mandatory PIA with OIPC submission before system implementation | Recommended by IPC but not mandatory; no submission required |
| Breach notification | s.60.1: where there is a risk of harm, notify the Commissioner, the Minister, and affected individuals as soon as practicable | s.12(2): notification to the individual at the first reasonable opportunity |
| Retention | 10 years (CAP Standards of Practice; varies by regulatory college) | 10 years (College of Registered Psychotherapists of Ontario standard; varies by regulatory college) |
The practical takeaway: Alberta’s PIA requirement is the biggest difference. If you’re practising in Ontario, you should have a PIA on file but you don’t need to submit it to anyone. In Alberta, the OIPC expects to receive it before you start using the system.
BC’s PIPA adds a third set of requirements for therapists using Gmail, with different rules around cross border data transfers and notification obligations. Our Gmail compliance guide touches on PIPA briefly, but for full BC coverage, see our PIPA guide for therapists.
For a complete comparison of PHIPA, HIA, and PIPA, and a look at how these frameworks may converge as provincial regulation evolves, see our cross-provincial comparison hub (coming soon).
CAP and the expanding scope of HIA
The College of Alberta Psychologists is preparing to regulate counselling therapists in addition to psychologists. This regulatory expansion will bring more practitioners under the definition of “custodian” in HIA s.1(1)(f).
For counselling therapists in Alberta who aren’t currently regulated by CAP, this means:
- HIA’s full set of obligations will apply to you, including the PIA requirement.
- If you’re already using Gmail for client communication, you’ll need to prepare and submit a PIA to the OIPC.
- Your existing consent processes will need to meet HIA’s requirements for consent to disclosure.
The timeline for this expansion isn’t finalized. For an overview of what CAP’s current practice standards require for email and digital communication, see our guide to CAP practice standards for Alberta therapists.
What to do next
If you’re an Alberta therapist using Google Workspace, start with the admin console security settings guide. The settings are the same regardless of province. Then review the AI features guide to address the consent gap around AI processing.
The one step that’s unique to Alberta: your PIA. If you haven’t completed and submitted one to the OIPC, that’s the gap with the most regulatory exposure. Our PIA template covers the structure, though you’ll need to adapt it for Alberta’s OIPC submission requirements.
For the encryption and audit trail gaps that remain after configuration, there are a few directions to consider. You could switch to a provider with stronger built in encryption (like ProtonMail), add a third party encryption layer to your current Gmail setup, or explore tools like Curio that aim to add automatic encryption and a Canadian audit trail to your existing workflow. The right approach depends on your practice size, technical comfort, and which gaps carry the most risk for your situation.
This guide is part of the Google Workspace for Canadian Therapists project. We run a private Facebook group where Canadian therapists on Google Workspace share compliance tips, templates, and admin console walkthroughs. Join the group.
This content is for informational purposes only and does not constitute legal advice. Privacy regulations vary by province and are subject to change. Verify current requirements with your provincial regulatory body.