Can Canadian therapists email clients? PHIPA consent explained
- Yes, Canadian therapists can email clients under PHIPA
- Express consent is required for any email containing PHI
- Your consent form must cover six specific elements
- HIPAA rules do not apply to Ontario therapists
- Consent requirements vary by province
Yes, with conditions. PHIPA does not ban email. But if you’re sending email that contains personal health information (PHI), you need express consent from the client, encryption on the message, and an audit trail of the send. Consent is the piece most therapists miss.
What this guide covers:
- The difference between implied consent and express consent under PHIPA
- When express consent is required for email
- What your consent form must include (six elements)
- Why HIPAA guidance doesn’t apply in Ontario
- How consent rules differ across provinces
This guide is Ontario- and PHIPA-specific. Alberta’s Health Information Act and BC PIPA have their own consent frameworks, and we cover those separately. If you haven’t read our full breakdown of PHIPA email requirements, start there.
Why do Canadian therapists keep finding the wrong answer?
Google this question. Go ahead.
Nine out of ten results are American. Paubox writes about HIPAA email consent. SimplePractice answers from a HIPAA angle. The problem? PHIPA is not HIPAA. The consent rules are different in ways that will actually change what you do tomorrow morning.
Under HIPAA, providers can email for treatment, payment, and operations without prior written consent (45 CFR 164.506). The US framework assumes implied consent for a wide range of clinical communications. Ontario doesn’t work that way. And if you’re relying on a US blog post, you’re following the wrong rules.
PHIPA requires express, knowledgeable consent before you send PHI by email. Not implied. Not assumed. The client needs to understand what they’re agreeing to, know the risks, and have the option to say no.
This guide gives you the Canadian answer.
Implied consent vs express consent under PHIPA
PHIPA recognizes two kinds of consent. Which one applies determines whether you can send that email.
What is implied consent?
Under PHIPA, implied consent applies within the “circle of care” (s.20). When a health information custodian receives PHI from a client for the purpose of providing care, consent to collect, use, or disclose that information within the circle of care is assumed, unless the client has withdrawn it.
The circle of care covers other custodians involved in the client’s treatment: your referring physician, a consulting psychiatrist, a pharmacist filling a prescription. Information flows between these providers under implied consent because the client came to you expecting coordinated care.
But here’s the distinction people miss. The circle of care governs who can access the information. Not how it gets transmitted.
Email introduces channel-specific risks. Messages can be intercepted, forwarded, read on shared devices, stored on servers outside Canada. Those risks exist regardless of who’s in the circle of care, and implied consent doesn’t cover them.
What is express consent?
Express consent under PHIPA (s.18) is a specific, informed agreement to a particular use or disclosure of PHI. For consent to be valid, it must be knowledgeable: the individual must understand the purpose, and it must be reasonable to believe they know they can give or withhold consent.
It can be verbal or written. For email, written is better. Not because PHIPA demands it in writing, but because you need a record you can produce if the Information and Privacy Commissioner of Ontario (IPC) asks about your consent practices.
When do you need express consent for email?
Whenever you send an email that contains PHI. Full stop.
The test: does this email identify the client and relate to their health, care, or treatment? If yes, express consent is required before you hit send.
A scheduling email that says “Confirming our appointment on Thursday at 3” and nothing else? Probably fine under implied consent, because it doesn’t contain PHI on its own. But “Confirming our session to discuss your anxiety management plan on Thursday at 3” does contain PHI. It links the client’s identity to a health condition and treatment.
The grey area is narrow. When in doubt, get express consent. The IPC is more likely to ask “where’s the consent form?” than “did this email technically contain PHI?”
What does your consent form need to include?
PHIPA s.18 sets the standard for knowledgeable consent, and the College of Registered Psychotherapists of Ontario (CRPO) reinforces this through Standard 3.4 on Electronic Practice. Between the two, your consent form needs six elements.
Consent form checklist for email communication:
- What the client is consenting to: email communication containing personal health information
- The specific risks of email: interception during transmission, other people accessing the client’s device or inbox, accidental forwarding, the permanent nature of email records
- What encryption is in place: be honest about your actual setup (TLS, encrypted portal, a product like Curio). If your encryption has gaps, say so
- The client’s right to revoke consent at any time: verbally or in writing
- Alternative communication methods available: phone, secure portal, in person, postal mail
- How email records will be stored and for how long: linked to your records retention policy
For the actual language you can copy into your intake forms, see our consent form templates.
Now, CRPO adds something PHIPA doesn’t spell out. Standard 3.4.2 requires informed consent for electronic communication, and the accompanying guidance specifies that clients must understand the potential risks of the technology and what safety and privacy protections are in place before consenting. Your consent form can’t be a wall of legal text they initial without reading. You need to explain the risks in plain language.
A form that says “I consent to electronic communication” won’t cut it. It has to name the risks. It has to name the alternatives.
HIPAA vs PHIPA: why the US answer does not apply
If you’ve been reading US resources on therapist email, here’s where you got the wrong answer.
| | HIPAA (US) | PHIPA (Ontario) |
|---|---|---|
| Email for treatment | Permitted under implied consent for treatment, payment, and operations (45 CFR 164.506) | Express consent required for email containing PHI (s.18) |
| Consent type for clinical email | No prior written consent required for treatment communications | Knowledgeable consent required; written form recommended |
| Risk disclosure | Recommended but not required for treatment email | Required under CRPO Standard 3.4 |
| Revocation | Patient can request restriction (provider doesn’t have to agree) | Client can withdraw consent at any time and the custodian must stop |
| Channel-specific consent | Not required for email specifically | Recommended because email introduces channel-specific risks |
The US framework starts from a permissive default: providers can communicate for treatment purposes, and email is just another channel. PHIPA starts from a protective default: the client must knowingly agree to each use and disclosure, and email’s risks must be disclosed.
That’s a structural difference. Not a detail.
Do consent requirements change across provinces?
Ontario isn’t the only province with consent rules for email. If you see clients across provincial lines, or you’re thinking about relocating, the rules change.
| Province | Law | Consent approach | Key sections |
|---|---|---|---|
| Ontario | PHIPA | Express consent for PHI in email; knowledgeable consent standard | s.18, s.20 |
| Alberta | HIA | Express consent for most disclosures outside the affiliate relationship | s.34-37 |
| BC | PIPA | Consent required for collection, use, and disclosure of personal information | s.6-9 |
Alberta’s HIA consent requirements differ from PHIPA in several ways. HIA has stricter Privacy Impact Assessment requirements, and the consent provisions in s.34-37 use different language than PHIPA’s “knowledgeable consent” standard. BC PIPA’s consent obligations under sections 6-9 apply to personal information broadly, not just health information, which changes the scope of what needs consent.
One thing worth tracking: BC’s College of Health and Care Professionals of BC (CHCPBC) will begin regulating psychotherapy on November 29, 2027. When that happens, BC therapists will face new professional standards on top of PIPA’s requirements.
If you see clients in multiple provinces, the consent requirements of each province may apply. We’ll cover cross-provincial email privacy laws in detail next month, and a future post on telehealth consent across provincial lines will address the specific case of virtual sessions with out-of-province clients.
FAQ
Can therapists email clients under PHIPA?
Yes. PHIPA does not prohibit email. But any email containing personal health information requires express consent from the client, encryption of the message, and a record of the communication. Consent must be knowledgeable under PHIPA s.18, meaning the client understands the risks and alternatives.
What consent is required for therapist email under PHIPA?
Express consent is the safe standard for any email containing PHI. The consent must be knowledgeable (PHIPA s.18): the client must understand what they’re consenting to, the risks of email, and that they can refuse or withdraw consent. Written consent is recommended for your records.
What is the difference between implied and express consent?
Implied consent applies within the circle of care (PHIPA s.20) for treatment purposes between health information custodians. Express consent (PHIPA s.18) is a specific, informed agreement to a particular use, disclosure, or communication channel. For email containing PHI, express consent is the safer standard because it covers the channel-specific risks.
Do I need a consent form for email?
Yes. PHIPA s.18 requires knowledgeable consent, and CRPO Standard 3.4 requires that clients understand the risks and benefits of electronic communication. A written consent form covering six elements (what the client is consenting to, risks, encryption, revocation rights, alternatives, and record storage) is the best way to demonstrate compliance. See our consent form templates for copy-and-paste language.
Does implied consent cover sending emails to my clients?
Not when those emails contain PHI. Implied consent under PHIPA s.20 covers the use and disclosure of PHI within the circle of care for treatment. It does not address the specific risks introduced by email as a transmission channel. Express consent is the recommended standard for email containing PHI.
Curio handles encryption. You handle consent.
Two of the four PHIPA email requirements, split down the middle. Curio encrypts every outbound email from your Gmail and logs every send in a Canadian audit trail. Your consent form covers the informed agreement piece. Together, that closes two of the biggest gaps Ontario therapists face when trying to email clients about their care.
Curio is designed to encrypt outbound email and maintain a Canadian audit trail. It is not a substitute for professional legal or compliance advice. Consult a qualified privacy professional for your specific situation.
This guide is part of the Google Workspace for Canadian Therapists project. We run a private Facebook group where Canadian therapists on Google Workspace share compliance tips, templates, and admin console walkthroughs. Join the group: Google Workspace for Canadian Therapists.
This content is for informational purposes only and does not constitute legal advice. Privacy regulations vary by province and are subject to change. Verify current requirements with your provincial regulatory body.