
BC PIPA and therapist email: privacy obligations for BC practitioners

Gabriel Borges

If you’re a therapist in private practice in BC, your email containing client information is governed by the Personal Information Protection Act (PIPA). Not Ontario’s PHIPA. Not the federal PIPEDA. Not Alberta’s HIA. PIPA.

And PIPA works differently from those other laws in ways that matter for your email setup.

BC is the only major province without a health specific privacy statute. Ontario has PHIPA. Alberta has HIA. BC has PIPA, which covers all personal information in the private sector, health information included. That means the same law that governs how a retailer handles customer data also governs how you handle therapy session notes sent by email.

This guide covers what PIPA requires for therapist email, where the gaps show up in practice, and why November 2027 is a date worth paying attention to.

Who does PIPA apply to?

PIPA applies to private sector organizations in British Columbia that collect, use, or disclose personal information in the course of commercial activity. If you run a private therapy practice in BC, that includes you.

This is a broader scope than what therapists in Ontario or Alberta face. Ontario’s PHIPA applies specifically to “health information custodians” (hospitals, physicians, regulated health professionals). Alberta’s HIA similarly targets “custodians” of health information. Those laws were written for healthcare.

PIPA wasn’t. It was written for the private sector generally. Health information doesn’t get a separate category or special protection under PIPA. Your client’s therapy notes receive the same legal treatment as a customer’s purchase history at a retail store, at least in terms of the statutory framework. The Office of the Information and Privacy Commissioner for BC (OIPC) has interpreted PIPA’s requirements more strictly when the information is sensitive (and health information from therapy is about as sensitive as it gets), but that interpretation comes through enforcement, not the text of the statute.

So what does PIPA actually require for email?

PIPA requirements for therapist email

Reasonable security arrangements (s.34)

Section 34 of PIPA is the core obligation: “An organization must protect personal information in its custody or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks.”

One sentence. No prescriptive list of technical requirements. No encryption mandate. Just “reasonable security arrangements.”

What counts as reasonable depends on context, and the OIPC has been clear that sensitivity matters. In multiple orders, the Commissioner has held that organizations handling sensitive personal information (health, financial, employment history) must implement stronger safeguards than those handling less sensitive data. Therapy session content, intake assessments, treatment plans: these sit at the high end of the sensitivity scale.

For email, reasonable security arrangements for health information likely include:

  • Encryption in transit that doesn’t depend on the recipient’s server cooperating (Gmail’s TLS is opportunistic and conditional)
  • Access controls that restrict who can read the email to authorized individuals (strong authentication, two factor at minimum)
  • Protection against unauthorized copying or modification (standard Gmail doesn’t offer per message controls here)

The OIPC hasn’t published a prescriptive encryption standard for email. But the pattern across Canadian privacy law is consistent: opportunistic TLS alone is unlikely to meet the reasonable safeguard standard when the content is health information from therapy sessions. We found the same gap when we analyzed whether Gmail is PHIPA compliant in Ontario and when we looked at Alberta’s Health Information Act requirements.

PIPA’s consent framework is spread across four sections, and it’s more flexible than what Ontario therapists deal with under PHIPA.

Section 6 establishes the baseline: an organization must not collect, use, or disclose personal information without consent, except as permitted by the Act.

Section 7 defines what does not constitute consent (coerced consent, bundled consent that goes beyond what’s reasonable).

Section 8 is where it gets interesting. PIPA allows implied consent where the collection, use, or disclosure is “for a purpose that would be considered obvious to a reasonable person” and the individual voluntarily provides the information. For in person therapy, this covers a lot of ground. The client walks in, provides their information, and the purpose is obvious.

Email is murkier. Is it obvious to a reasonable person that their therapist will send health information by email? That the email content will be stored on servers outside Canada? That encryption depends on the recipient’s email provider? Probably not. The safer approach: explicit consent for email communication containing personal information, documented and specific.

Section 9 gives individuals the right to withdraw consent at any time, on reasonable notice. You must inform the client of the likely consequences of withdrawal and you can’t prohibit withdrawal.

In practice, this means your intake process should include a clear explanation of how email will be used, what information will be communicated, and the client’s right to opt out of email communication entirely.

Notification of collection (s.10)

Section 10 requires that before or at the time you collect personal information, you must disclose the purposes for collection to the individual. On request, you must also provide the name or title and contact information for someone who can answer questions about the collection.

For therapists using email, this means your intake forms and privacy notices should explain:

  • That personal information may be communicated by email
  • The purposes for which email communication is used (scheduling, clinical updates, referral coordination)
  • That the individual can ask questions about how their information is handled

This isn’t optional. It’s a statutory requirement that applies before collection begins.

The cross border data question

Here’s where BC practitioners sometimes get confused, and where PIPA differs from what you may have heard about other provincial laws.

PIPA does not mandate Canadian data storage for private sector organizations.

If you’ve read about BC’s strict data residency rules, you’re probably thinking of the Freedom of Information and Protection of Privacy Act (FOIPPA), which applies to public bodies (government, public universities, health authorities). FOIPPA does restrict cross border storage and disclosure. PIPA doesn’t.

Our analysis of Gmail and PHIPA noted this distinction. Ontario’s PHIPA doesn’t mandate Canadian storage either, though the IPC considers it a risk factor. Alberta’s HIA takes a similar approach.

That said, PIPA s.34’s reasonable security requirement doesn’t give you a free pass on cross border data flows. The OIPC has indicated that storing personal information in a jurisdiction with weaker privacy protections or no rule of law introduces risk factors that an organization must address under s.34. Gmail stores email content on servers in the United States. The US has no federal private sector privacy law equivalent to PIPA, and US government access to data held by American companies is governed by different legal standards than Canadian law provides.

None of this makes Gmail illegal under PIPA. But it does mean:

  1. You should document that email content is stored outside Canada
  2. You should assess the risks of that cross border storage
  3. You should inform clients (per s.10’s notification requirement and the consent framework in s.6 through s.9) that their information may be stored outside Canada
  4. You should be able to demonstrate that your overall security arrangements are reasonable given those risks

The practical question isn’t “is this allowed?” It’s “can I defend this as reasonable if the OIPC investigates?” For health information from therapy sessions stored on US servers with opportunistic encryption, that’s a harder argument to make than most therapists realize.

No mandatory breach notification (yet)

One area where PIPA offers less protection than you might expect: breach notification.

PIPA does not currently require private sector organizations to notify affected individuals or the OIPC when a privacy breach occurs. Notification is voluntary. Compare this to Alberta’s HIA, which requires notification as soon as practicable under s.60.1, or Ontario’s PHIPA, which requires notification at the first reasonable opportunity under s.12(2).

The OIPC has recommended voluntary notification when a breach creates a real risk of significant harm. And failing to notify could factor into whether your security arrangements are considered “reasonable” under s.34 after the fact. But there’s no statutory obligation to notify.

This may change. BC’s privacy legislation is periodically reviewed, and mandatory breach notification has been discussed in previous legislative reviews. For now, best practice is to notify even though it’s not required. And if you’re building your compliance documentation anyway (which you should be), adding a breach response plan costs you an afternoon, not a week.

Preparing for CHCPBC psychotherapy regulation

This is the part that makes the next 18 months matter for BC therapists.

The Health Professions and Occupations Act (HPOA) comes into force on April 1, 2026. “Psychotherapist” becomes a protected title under the College of Health and Care Professionals of BC (CHCPBC) on November 29, 2027.

Between now and November 2027, CHCPBC will develop practice standards for psychotherapists. These standards will almost certainly address digital communication, email, and record keeping. CHCPBC already has a practice support document (PS01) for psychologists on email and electronic media that requires informed consent before electronic transmission of patient information, encryption or password protection for electronic communications, and treatment of electronic communications as part of the practice record.

When psychotherapy practice standards arrive, they’ll likely follow a similar pattern. Ontario’s CRPO already has Standard 3.4 on electronic practice that covers these topics. CHCPBC will likely look at what’s working in Ontario and Alberta when drafting their own standards.

What this means for you right now: the therapists who will have the easiest time meeting CHCPBC’s new standards are the ones who already have documented email practices, consent processes, and security arrangements. If you build that foundation now, the transition in 2027 becomes an update to existing documentation rather than a scramble to create it from scratch.

The timeline is tighter than it looks. November 2027 is when regulation starts. Practice standards need to be developed, consulted on, and finalized before that date. CHCPBC will publish drafts for consultation, and practitioners who already have email documentation in place will be better positioned to respond meaningfully to those consultations.

We’ll publish a detailed guide to CHCPBC’s psychotherapy regulation and what it means for digital communication as the standards develop.

How PIPA compares to PHIPA and HIA

If you see clients across provincial lines, or if you’re comparing notes with colleagues in Ontario or Alberta, here’s how the three frameworks stack up for email:

For the full side by side breakdown, see our provincial privacy law comparison.

| Requirement | PIPA (BC) | PHIPA (Ontario) | HIA (Alberta) |
|---|---|---|---|
| Type of law | General private sector | Health specific | Health specific |
| Who it applies to | Private sector organizations | Health information custodians | Custodians of health information |
| Canadian data storage mandate | No | No (risk factor, not mandate) | No (risk factor, not mandate) |
| Encryption requirement | “Reasonable security arrangements” (s.34) | “Reasonable steps” (s.12(1)) | “Safeguard” duty (s.60) |
| Consent framework | Implied consent where purpose is obvious (s.8); explicit recommended for email | Express consent is the safe standard for email with PHI | Deemed consent broader for collection; explicit for email recommended |
| Privacy Impact Assessment | Not required under PIPA | Recommended by IPC, not mandatory | Mandatory, must submit to OIPC before implementation |
| Breach notification | Not mandatory (voluntary) | Mandatory at first reasonable opportunity (s.12(2)) | Mandatory as soon as practicable (s.60.1) |
| Professional regulation (psychotherapy) | CHCPBC, starting Nov 29, 2027 | CRPO (established) | CAP (expanding to counselling therapists) |

The practical takeaway: PIPA gives less prescriptive guidance than PHIPA or HIA, which means you have more flexibility but also less clarity on what “reasonable” means for your specific situation. The absence of a health specific statute means the OIPC interprets general private sector rules for healthcare contexts. That interpretation has been protective of health information, but it happens through enforcement decisions, not the statute itself.

For a complete comparison of all three frameworks, we’re developing a provincial privacy law comparison for therapists and a Canadian email privacy laws by province overview (coming soon).

Frequently asked questions

Does PIPA require Canadian data storage for therapist email?

No. PIPA does not mandate that personal information be stored in Canada. That requirement exists under FOIPPA (BC’s public sector privacy law), not PIPA (the private sector law). However, PIPA s.34 requires reasonable security arrangements, and the OIPC considers cross border storage a risk factor. You should document that email content is stored outside Canada, assess the risks, and inform clients.

Is Gmail compliant with BC PIPA?

Not by default. Gmail’s opportunistic TLS encryption, lack of per message encryption controls, and absence of a communication level audit trail create gaps relative to PIPA s.34’s reasonable security standard. You can reduce the gaps through admin configuration, but the structural limitations remain. See our full Gmail and PHIPA analysis for a detailed breakdown of similar gaps.

When does psychotherapy regulation start in BC?

The Health Professions and Occupations Act comes into force on April 1, 2026. “Psychotherapist” becomes a protected title under CHCPBC on November 29, 2027. Between those dates, CHCPBC will develop practice standards covering email and digital communication requirements for psychotherapists.

How is PIPA different from PHIPA for therapist email?

PIPA is a general private sector law; PHIPA is health specific. PIPA doesn’t have health information categories, mandatory breach notification, or a PIA requirement. The OIPC interprets PIPA more strictly for sensitive information like health data, but that interpretation happens through enforcement, not the statute. See the comparison table above for a section by section breakdown.

What to do next

If you’re a BC therapist using Google Workspace, start with the same admin console configuration that applies regardless of province. Our Google Workspace admin security settings guide covers every setting. Then review the guide to disabling AI features that process email content without client consent.

After configuration, focus on documentation:

  1. Consent. Add email communication to your intake consent process. Explain what information will be sent by email, that email content may be stored outside Canada, and the client’s right to withdraw consent.
  2. Notification. Update your privacy notice to meet s.10’s requirement for disclosure of collection purposes before or at the time of collection.
  3. Risk assessment. Document your assessment of the cross border data storage risk. You don’t need to submit a PIA to the OIPC (that’s Alberta), but having one on file demonstrates reasonable diligence.

The gaps that remain after all of that: reliable encryption that doesn’t depend on the recipient’s server, a communication level audit trail, and automated consent tracking. Those are structural limitations of Gmail, not configuration problems.

Curio’s compliance infrastructure runs on Canadian servers in Montreal and Toronto. Automatic encryption and a Canadian audit trail for every send. Join the waitlist.


This guide is part of the Google Workspace for Canadian Therapists project. We run a private Facebook group where Canadian therapists on Google Workspace share compliance tips, templates, and admin console walkthroughs. Join the group.


This content is for informational purposes only and does not constitute legal advice. Privacy regulations vary by province and are subject to change. Verify current requirements with your provincial regulatory body.
