BC counsellor preparing email practices ahead of CHCPBC psychotherapy regulation in November 2027
british-columbia chcpbc bc-pipa psychotherapy

CHCPBC email standards for BC counsellors before 2027

Gabriel Borges 13 min read

Updated

Key takeaways

  • On November 29, 2027, psychotherapy becomes a designated health profession in BC regulated by the College of Health and Care Professionals of BC (CHCPBC), and “psychotherapist” becomes an exclusive title. This is done by B.C. Reg. 131/2025 bringing Part 10 of the Health Professions and Occupations Act (HPOA) into force; psychotherapy itself is not made a restricted activity.
  • CHCPBC has not yet published a psychotherapy specific electronic practice or email standard. Until it does, your email obligations come from BC PIPA and your current professional body.
  • BC’s Personal Information Protection Act (PIPA) s.34 already requires you to protect client information with appropriate safeguards. For sensitive mental health records, that means encrypting email.
  • Breach notification in BC’s private sector is voluntary, not mandatory. The OIPC recommends notifying when there is a real risk of significant harm.
  • Build a PIPA aligned email setup now and the 2027 transition becomes a review instead of a scramble.

If you’re a counsellor in BC, you’ve probably heard that psychotherapy is about to become a regulated title. That part is true. What’s less clear is what it means for the everyday stuff, like the email you send a client to confirm an appointment or follow up after a hard session.

Here’s the honest answer up front: CHCPBC hasn’t written the email rulebook yet. There is no published psychotherapy specific electronic practice standard you can read today. So if you’re waiting for a CHCPBC document that tells you exactly how to handle email, you’ll be waiting past 2027.

That doesn’t leave you without obligations, though. The privacy law already applies. And the safest move is to get your email in order now, on the rules that exist, so the college’s eventual standard is something you meet rather than chase.

This is the companion to our broader CHCPBC psychotherapy regulation guide and the CRPO vs CAP vs CHCPBC email comparison. Where those map the full regulatory picture, this one stays narrow: what to do with your inbox before November 2027.

What changes on November 29, 2027

B.C. Reg. 131/2025 brings Part 10 of the Health Professions and Occupations Act (HPOA) into force on November 29, 2027, the date psychotherapy becomes a designated health profession and “psychotherapist” becomes an exclusive title. After that, the profession comes under the College of Health and Care Professionals of BC (CHCPBC), the body that already regulates psychologists and several other health professions in the province.

Regulation brings a few things with it: a registration requirement, a code of conduct, and a complaints and discipline process. A client who feels their information was handled carelessly will have a college to bring that concern to.

What regulation does not bring, at least not yet, is a published standard telling counsellors how to encrypt or store email. CHCPBC is moving toward harmonized practice standards across the professions it regulates, but the psychotherapy specific electronic practice standard isn’t out. So the question for your inbox isn’t “what does the new standard say.” It’s “what already applies, and what is the new standard likely to expect.”

The rules that already govern your email

Two layers govern how you handle client information in BC, and only one of them is changing in 2027.

The first layer is the privacy law: BC’s Personal Information Protection Act (PIPA). It applies to you as a private practice counsellor right now, regardless of college status. The second layer is your professional body’s standards. Today that’s often BCACC for clinical counsellors. After November 2027, CHCPBC standards layer on top for regulated psychotherapy.

The privacy law is the floor. Your college can raise the bar above it. Both apply at once.

What BC PIPA requires

PIPA s.34 requires organizations to protect personal information by making “reasonable security arrangements” against unauthorized access, collection, use, disclosure, or disposal. The standard scales with sensitivity. Mental health records sit at the high end of that scale.

For email, a reasonable arrangement for records this sensitive means encryption: protecting the message in transit so it can’t be read as it travels, and protecting it at rest so a stored copy isn’t sitting in plain text. PIPA doesn’t hand you a checklist of products. It holds you to an outcome.

One point worth being precise about, because it gets misreported: BC PIPA does not mandate that you store client data in Canada. There’s no data residency rule in the private sector law. What exists is a strong market and professional expectation that sensitive health information stays on Canadian infrastructure, plus the practical reality that Canadian hosting keeps your records out of reach of foreign disclosure demands.

What BCACC expects now

If you’re a Registered Clinical Counsellor with BCACC, the virtual practice and digital technologies standard (Standard 7) already speaks to electronic communication. It requires express and informed consent for virtual services, covering the tools you use and the potential risks, and it expects risk management activities so that the technology and the security of the service are sound.

Notice the language. The standard talks about consent, risk, and security. It expects you to think the security question through and to bring the client into that decision. That’s the same shape the College’s standards take for psychologists. The legacy CPBC Code of Conduct set this out explicitly for telepsychology until it was retired on April 1, 2026; the harmonized CHCPBC Ethics and Practice Standards that now apply carry general duties to safeguard information and protect client privacy, without the older telepsychology specific wording about informing clients of threats to confidentiality.

So even though no document says the literal word in a CHCPBC psychotherapy standard, the direction is consistent across BC’s existing professional standards: secure the channel, and tell the client how.

What CHCPBC is likely to expect

Predicting an unpublished standard is guesswork, and I’m not going to dress it up as fact. But there’s a reasonable basis for what a psychotherapy electronic practice standard will probably look like, because CHCPBC already regulates psychologists under a Code of Conduct, and BC’s other counselling bodies have published virtual practice standards.

Across those existing standards, three expectations show up consistently:

  1. Secure the channel for sensitive communication. Existing CHCPBC and BCACC standards reference security of information related to the technology used. A psychotherapy standard built in the same tradition will expect counsellors to use secure methods for client email, not ordinary unprotected email.
  2. Get informed consent for electronic communication. Both the BCACC virtual practice standard and the College’s existing code already require this. It would be unusual for a new standard to drop it.
  3. Keep documentation. The College’s code addresses record retention and expects consent to be recorded, and seven years is the common benchmark for clinical records in BC. A psychotherapy standard is unlikely to drop a documentation expectation.

If you build your email practice around those three now, you’re building toward where the standard is most likely to land, not away from it.

How to prepare your email before 2027

Here’s the practical part. Six steps, in the order that makes sense to do them.

1. Confirm your regulatory path

Check whether your title and scope fall under the November 29, 2027 regulation, and what body covers you in the meantime. A clinical counsellor registered with BCACC and a counsellor preparing for CHCPBC registration have slightly different starting points, but the email work is the same.

2. Make BC PIPA your baseline today

Don’t wait for CHCPBC. PIPA s.34 already requires appropriate safeguards, and for mental health email that means encryption. Treating PIPA as your floor means you’re compliant now and ahead of the college standard later.

3. Encrypt outbound client email

This is the one that catches people. Standard Gmail uses TLS when the receiving mail server supports it, so a message can travel encrypted. But TLS is opportunistic, it isn’t guaranteed end to end, and the stored copy in your mailbox isn’t encrypted in a way that satisfies a safeguard for sensitive data on its own.

You have a few options. You can route sensitive messages through a secure portal where the client logs in to read them. You can use an email tool that encrypts the message body and logs the send. Or you can switch providers entirely, though that means migrating off the email you already use.

This is the gap Curio is built to close. Curio makes your existing Gmail encrypted for Canadian mental health privacy law: every outbound message is automatically encrypted, and every send is logged in a Canadian audit trail hosted in Montreal and Toronto. You keep Gmail. The encryption and the record happen at runtime, without you remembering to do anything. It’s email infrastructure, not a portal you have to teach clients to use.

To be clear about what that does and doesn’t cover: Curio encrypts outbound email and maintains the audit trail. It isn’t a substitute for legal or compliance advice, and it doesn’t make a blanket “PHIPA compliant” claim, since BC counsellors are governed by PIPA, not PHIPA, and full compliance always depends on your whole practice.

Tell each client, in plain terms, how you’ll communicate by email, what the risks are, and what the secure option is. Record that you had the conversation and the date they agreed. The BCACC virtual practice standard already requires this for virtual services, and the College’s code expects consent to be documented in the practice record.

A short addendum to your intake paperwork handles this. It doesn’t need to be a separate ceremony.

5. Keep a record you could show a regulator

Once a college exists, a complaint becomes possible. The best protection is being able to demonstrate, after the fact, that an email was sent securely and that the client consented. Seven years is the common retention benchmark for clinical records in BC, so whatever you keep, keep it that long.

An audit trail that logs each send is the cleanest version of this. The documentation a regulator would ask for already exists in the record, rather than depending on you to have written a note each time.

6. Review again closer to November 2027

When CHCPBC publishes its psychotherapy electronic practice standard, read it against what you’ve built and close any gaps. If you’ve done steps one through five, that review is short.

Where this gets complicated

A few honest limitations, because the clean version above hides some edges.

Multi province practice. If you see clients in BC and another province, BC PIPA isn’t the only law in play. A client physically in Ontario may pull PHIPA into the picture; a client in Alberta may pull in HIA. Email crossing provincial lines can also engage PIPEDA. The full provincial picture is its own topic, covered in our PHIPA vs HIA vs BC PIPA guide.

The breach question. People often assume a privacy breach in BC triggers a mandatory report. For the private sector, it doesn’t. BC’s mandatory breach notification regime applies to public bodies under FOIPPA, not to private practice counsellors under PIPA. The OIPC recommends notifying affected individuals when a breach poses a real risk of significant harm, and following that recommendation is good practice, but there’s no private sector statutory duty as of 2026. Don’t let anyone sell you on a deadline that isn’t in the law.

The standard could differ from the prediction. Everything in the “what CHCPBC is likely to expect” section is informed inference from existing BC standards, not a published rule. Treat it as a reasonable preparation strategy, not a guarantee. When the actual standard lands, it governs.

When a privacy or compliance question affects a real client situation, especially one involving a possible breach or a complaint that crosses provincial lines, talk to a privacy professional or your professional liability advisor. This article gets you oriented; it doesn’t replace advice on your specific facts.

Frequently asked questions

Does CHCPBC require encryption for counsellor email?

CHCPBC has not published a psychotherapy specific email or electronic practice standard, so there’s no CHCPBC rule that names encryption for counsellors yet. The obligation today comes from BC PIPA s.34, which requires appropriate safeguards for personal information. For sensitive mental health records, that effectively means encrypting email.

When does psychotherapy become regulated in BC?

Psychotherapy becomes a designated health profession in BC on November 29, 2027, when Part 10 of the Health Professions and Occupations Act is brought into force by B.C. Reg. 131/2025, with the College of Health and Care Professionals of BC (CHCPBC) as the regulator and “psychotherapist” as an exclusive title. After that date, registration, a code of conduct, and a complaints process apply.

Is standard Gmail enough for BC counsellor email?

Standard Gmail sends over TLS when the receiving server supports it, but TLS is opportunistic and the stored copy isn’t encrypted in a way that satisfies a safeguard for sensitive data on its own. For mental health email, add encryption for the message body and a secure record, or use a portal.

Do I have to report a privacy breach to the OIPC in BC?

Not as a private practice counsellor. BC PIPA does not require private sector breach notification. The OIPC recommends notifying affected individuals when a breach poses a real risk of significant harm. The mandatory regime applies only to public bodies under FOIPPA, not private practice.

Does BC PIPA require me to store client data in Canada?

No. BC PIPA contains no data residency mandate for the private sector. There’s a strong professional and market expectation that sensitive health information stays on Canadian infrastructure, and Canadian hosting carries real practical benefits, but the law itself doesn’t require it.

Start before the deadline writes the rules for you

You don’t have to wait for CHCPBC to tell you how to handle email. The privacy law already does, and the direction the college will likely take is already visible in the standards BC has today. Get encryption, consent, and documentation in place now, and November 2027 is a review you breeze through.

If you want the encryption and the audit trail handled without leaving Gmail, join the Curio waitlist.

This content is for informational purposes only and does not constitute legal advice. Privacy regulations and college standards vary by province and are subject to change. Verify current requirements with the College of Health and Care Professionals of BC and the Office of the Information and Privacy Commissioner for BC.

Curio is designed to encrypt outbound email and maintain a Canadian audit trail. It is not a substitute for professional legal or compliance advice. Consult a qualified privacy professional for your specific situation.

Coming soon

Gmail encryption, built for Canadian therapists.

Join the waitlist →

Share this article

Related posts

CHCPBC psychotherapy regulation timeline showing key dates from HPOA in force to November 2027

CHCPBC psychotherapy regulation: what BC therapists need to prepare for by 2027

BC psychotherapist title protection timeline with email compliance preparation checklist

Psychotherapist protected title in BC: what it means for your email practice

Shield with check mark representing layered privacy safeguards across provinces

Telehealth across provincial lines: privacy compliance for Canadian therapists

Side by side comparison of Canadian provincial health privacy laws for therapists

PHIPA vs HIA vs BC PIPA: a therapist's guide

Community

Join the community

Connect with Canadian therapists navigating Google Workspace compliance.

Join on Facebook