CAP practice standards for Alberta therapists: email and digital communication
- CAP sets practice standards that apply to email with clients
- CAP’s standards are general but create binding obligations for members
- HIA adds mandatory encryption (s.60) and PIAs (s.64) on top of CAP
- CAP is expanding to include counselling therapists under these requirements
The College of Alberta Psychologists (CAP) regulates professional conduct for psychologists in Alberta. If you’re a registered psychologist, CAP’s practice standards govern how you communicate with clients, including over email. But CAP’s standards don’t exist in isolation. Alberta’s Health Information Act (HIA) adds a separate layer of legal obligations on top.
This guide covers both: what CAP expects for digital communication, and where HIA fills in the gaps that CAP leaves open.
If you’re already familiar with HIA email requirements for therapists, this post focuses on the professional college side of the equation.
Who does CAP regulate?
CAP regulates psychologists and provisional psychologists in Alberta. Registration with CAP means you’re bound by its Standards of Practice, practice guidelines, and Code of Ethics. CAP is expanding its mandate to include counselling therapists under changes to the Health Professions Act.
Right now, CAP’s jurisdiction covers psychologists and provisional psychologists. If you hold registration with CAP, you’re subject to its Standards of Practice, its practice guidelines (including the Use of Technology guideline), and the Canadian Code of Ethics for Psychologists.
That scope is expanding. Alberta is bringing counselling therapists under CAP’s regulatory umbrella. When that transition completes, the same practice standards that currently apply to psychologists will apply to counselling therapists as well. For the full timeline and what the expansion means for counselling therapists’ email, see our guide on CAP’s counselling therapist regulation.
What does registration mean for your email? It means CAP’s practice standards apply to every channel you use to communicate with clients. Email included. And it means HIA’s obligations apply to you as a custodian of health information, regardless of how your practice is structured.
CAP practice standards for digital communication
CAP’s approach to digital communication sits across two documents: the Standards of Practice and the Use of Technology practice guideline (approved September 1, 2024).
Standards of Practice
CAP’s Standards of Practice set baseline expectations for professional conduct. They cover informed consent, confidentiality, record keeping, and competence. None of these standards are email specific, but all of them apply when you use email to communicate with clients.
CAP’s Standards of Practice require psychologists to protect confidentiality of client information (Standard 12), obtain informed consent for services (Standard 3), and maintain and retain records of professional activities (Standard 7). These obligations extend to every communication channel, including email.
For example, Standard 12 (confidentiality) applies to email just as it does to paper files. If you send an email containing a client’s health information without adequate safeguards, you’re potentially in violation of both CAP’s standards and HIA.
Use of Technology guideline
The Use of Technology guideline is where CAP gets more specific. Updated in September 2024, it covers telepsychology, technology and informed consent, and social media.
On electronic communication with clients, the guideline expects psychologists to:
- Obtain informed consent that addresses the risks and limitations of electronic communication
- Use technology that provides adequate confidentiality protections
- Maintain records of electronic interactions as part of the clinical record
- Consider whether electronic communication is appropriate for the specific clinical situation
Here’s what’s worth noting about CAP’s approach: it’s principles based, not prescriptive. CAP doesn’t tell you which email service to use or specify an encryption standard. It says you need “adequate confidentiality protections” and leaves the technical details to you.
How this compares to CRPO Standard 3.4
If you’ve read about CRPO electronic practice standards, you’ll notice a difference in specificity. CRPO’s Standard 3.4 is 12 pages of detailed requirements covering secure electronic communication, informed consent specific to electronic practice, and documentation obligations. It names categories of technology, specifies what consent must cover, and requires professional liability insurance to explicitly cover electronic services.
CAP’s guidelines are shorter and more general. They set the direction without mapping every step. That gives Alberta psychologists more flexibility, but it also means you’re responsible for filling in the technical details yourself, or looking to HIA for the specifics.
How HIA adds to CAP requirements
CAP sets professional practice standards. HIA sets legal requirements. Both apply simultaneously to Alberta psychologists who handle health information. Where CAP says “use adequate confidentiality protections,” HIA section 60 specifies that custodians must take reasonable steps to protect health information against threats to security, loss, and unauthorized access.
CAP tells you to protect client confidentiality in digital communication. HIA tells you how, or at least sets the legal floor.
Two HIA sections matter most for email.
HIA s.60: security safeguards
Section 60 of the Health Information Act requires custodians to take reasonable steps to maintain administrative, technical, and physical safeguards that protect the confidentiality of health information. It also requires safeguards against threats to security, loss of health information, and unauthorized access, use, disclosure, or modification.
For email, this means:
- Health information sent by email should be encrypted (OIPC Alberta has recommended encryption for diagnostic, treatment, and care information sent electronically)
- Your email system needs protections against unauthorized access (strong passwords, two factor authentication at minimum)
- You need a plan for what happens when something goes wrong (breach response)
HIA s.60 doesn’t name a specific encryption standard. But “reasonable steps” is measured against what’s available and practical, and in 2026, email encryption is both.
HIA s.64: mandatory Privacy Impact Assessment
HIA section 64 requires custodians to submit a Privacy Impact Assessment (PIA) to the Office of the Information and Privacy Commissioner of Alberta (OIPC Alberta) before implementing any information system that collects, uses, or discloses individually identifying health information. This includes email systems. The PIA must be submitted before implementation, not retroactively.
Section 64 is where Alberta’s requirements go further than most provinces. If you’re implementing a new email system (or making changes to an existing one that handles health information), you must submit a PIA to OIPC Alberta before you start using it.
Not after. Before.
The PIA documents what health information your system collects, how it’s used, who has access, and what safeguards are in place. OIPC Alberta reviews it and provides comments. This is a legal requirement under HIA, not a best practice suggestion.
For a deeper walkthrough of the PIA process, see the privacy impact assessment template (coming soon).
Where the two layers overlap
| Requirement | CAP source | HIA source | Which controls? |
|---|---|---|---|
| Informed consent for electronic communication | Use of Technology guideline | HIA s.34 (consent) | Both apply; HIA sets the legal floor |
| Confidentiality safeguards | Standard 12 + Use of Technology | HIA s.60 (security safeguards) | HIA is more specific |
| Record keeping for email | Standard 7 + Use of Technology | HIA s.56 (record retention) | Both apply; CAP’s 10 year minimum for adult records applies alongside HIA |
| Privacy Impact Assessment | Not required by CAP | HIA s.64 (mandatory PIA) | HIA only; CAP has no equivalent |
The short version: CAP sets the professional standard. HIA sets the legal standard. When they overlap, you follow both. When HIA goes further (as with the PIA requirement), HIA controls.
Practical steps for Alberta therapists
These steps address both CAP’s practice standards and HIA’s legal requirements. If you’re a psychologist registered with CAP and you use email to communicate with clients, all four apply.
Step 1: Review your email encryption against HIA s.60
Check whether your email encrypts messages containing health information. Standard Gmail uses opportunistic TLS, which means encryption depends on the recipient’s server supporting it. There’s no guarantee. HIA s.60 requires “reasonable steps” to protect health information, which means you need a system where encryption isn’t left to chance.
Look at your current setup and ask: if a client’s health information is in this email, is it encrypted end to end or at minimum through a secure portal? If the answer is no, or “it depends,” that’s the gap.
Step 2: Complete and submit a PIA to OIPC Alberta
If you’re using Google Workspace (or any email system) to handle health information and haven’t submitted a PIA, this is the most time sensitive step. HIA s.64 requires the PIA before implementation, which means if you’ve been using the system without one, you’re already behind.
OIPC Alberta provides PIA guidance and templates on their PIA resources page. The submission goes to OIPC for review and comment.
Step 3: Document consent for electronic communication
CAP’s Use of Technology guideline expects informed consent that specifically addresses electronic communication. This is separate from your general consent for services. The consent should cover:
- What electronic channels you use (email, video, messaging)
- The risks of each channel (email may not be fully encrypted, messages could be misdirected)
- Alternatives to electronic communication
- The client’s right to withdraw consent
Keep the signed consent in the client’s clinical record. Both CAP’s record keeping standards and HIA require this documentation to be accessible and retained.
Step 4: Set up an audit trail for email containing health information
Create a log that tracks email communications involving health information. At minimum, record the date, recipient, subject or purpose, and whether the email contained individually identifying health information.
CAP’s Standards of Practice require adequate records of professional activities. HIA’s accountability provisions expect custodians to demonstrate compliance. An audit trail satisfies both.
If you’re maintaining this manually (a spreadsheet, a note in the client file), it works but it’s tedious. It’s also the kind of task that gets skipped when you’re between sessions.
How CAP compares to CRPO and CHCPBC
Alberta isn’t the only province with college level practice standards that affect email. Here’s how CAP’s approach sits alongside the other two major regulatory bodies for psychotherapy and psychology.
For the underlying provincial privacy law layer each college standard sits on top of, see our provincial privacy law comparison.
| College | Province | Electronic practice standard | Specificity | Status |
|---|---|---|---|---|
| CRPO | Ontario | Standard 3.4 (Electronic Practice) | High: 12 pages, specific consent requirements, technology categories, insurance requirements | Active |
| CAP | Alberta | Use of Technology guideline | Moderate: principles based, defers technical specifics to HIA | Active (updated Sept 2024) |
| CHCPBC | BC | TBD | TBD: psychotherapy regulation begins Nov 29, 2027 | Pending |
CRPO’s electronic practice standards are the most detailed of the three. CRPO names what “secure electronic communication” means, specifies what informed consent for electronic practice must include, and requires professional liability coverage to explicitly cover electronic services. If you practice in both Ontario and Alberta, CRPO’s standards are the stricter set.
The College of Health and Care Professionals of BC (CHCPBC) will begin regulating psychotherapists on November 29, 2027. What their electronic practice standards will look like is still unknown. BC practitioners using email for health information are currently governed by BC’s Personal Information Protection Act (PIPA) on the legal side, with no college level electronic practice standard yet in place.
For a broader look at how provincial email privacy laws across Canada compare, including the privacy legislation that sits beneath each college’s standards, see the cross provincial guide.
What this guide doesn’t cover
A few things that fall outside the scope of this post:
- Google Workspace admin console settings for Alberta: the technical configuration steps for locking down your Google Workspace are covered in separate guides, not here
- HIA breach notification requirements: HIA has specific breach reporting rules (including mandatory notification to OIPC Alberta). Those deserve their own treatment.
- CAP’s expanded scope timeline: the details of when and how counselling therapists will come under CAP regulation are still developing. We’ll cover that in a dedicated post when the timeline firms up.
- Telehealth and video communication: CAP’s Use of Technology guideline covers telepsychology in addition to email. This post focuses on the email and digital communication requirements only.
This is an Alberta specific guide. If you practise in Ontario, start with CRPO electronic practice standards. If you practise across provinces, the cross provincial email privacy guide covers the overlap.
Key takeaways
- CAP Standards 3, 7, and 12 (consent, records, confidentiality) apply to email communication with clients
- The Use of Technology guideline (Sept 2024) adds expectations for informed consent and confidentiality in electronic communication
- HIA s.60 requires encryption safeguards; HIA s.64 requires a PIA before implementing any system handling health information
- Alberta is the only province that mandates a PIA submission before email system implementation
- CAP’s standards are principles based; HIA provides the legal specifics
Curio’s compliance infrastructure is built for Canadian privacy law, including Alberta’s HIA. Automatic encryption and a Canadian audit trail, every time you hit send. Join the waitlist. Curio is designed to encrypt outbound email and maintain a Canadian audit trail. It is not a substitute for professional legal or compliance advice. Consult a qualified privacy professional for your specific situation.
This content is for informational purposes only and does not constitute legal advice. Privacy regulations vary by province and are subject to change. Verify current requirements with your provincial regulatory body.
Coming soon
PHIPA compliant Gmail encryption, built for Canadian therapists.
