Client communication templates: PHIPA compliant disclaimers and consent forms

PHIPA requires consent before you communicate personal health information (PHI) electronically. For routine treatment communications within the circle of care, implied consent is generally sufficient. Express documented consent is specifically required for higher risk activities like AI processing of PHI, cross border disclosure, and non treatment uses. College standards across Ontario reinforce this: clients need to understand how their information is handled, what risks exist, and what alternatives are available. Most therapists know this. Few have standardized language for it.

The result is a patchwork. Some therapists copy disclaimers from American HIPAA templates that don’t reference PHIPA. Others use vague statements like “this email is confidential” without addressing consent, risks, or withdrawal rights. Some skip disclaimers entirely because they’re not sure what to include.

This post provides four templates you can adapt for your practice today. All copy paste ready. Each one is formatted as a blockquote so you can copy the text directly. Below each template, you’ll find an explanation of what each clause does and why it’s included.

These are starting points, not legal documents. Adapt them to your practice, your college’s requirements, and your clients’ needs.

Template 1: email confidentiality disclaimer

This goes in your Gmail signature. It appears at the bottom of every outgoing email. A disclaimer doesn’t create a legal shield on its own, but it serves two practical functions: it notifies recipients that the email may contain protected information, and it documents that you took a reasonable step to communicate the limits of email as a channel. Two versions follow: a short one for routine correspondence and a longer one for practices that want more explicit coverage.

If you haven’t configured your Gmail signature yet, the process takes about two minutes. Go to Gmail > Settings > See all settings > General > Signature. If you manage multiple accounts through Google Workspace, you can also set a default signature through the admin console. Our admin console security settings guide walks through the broader configuration.

Short version

CONFIDENTIALITY NOTICE: This email may contain personal health information that is privileged and confidential, intended only for the named recipient(s). If you have received this message in error, please notify the sender immediately, delete the message, and destroy any copies. Unauthorized use, disclosure, or distribution is prohibited. Email communication is not fully secure. If you have concerns about receiving information by email, please contact the sender to arrange an alternative method.

Long version

CONFIDENTIALITY NOTICE: This email and any attachments may contain personal health information (PHI) as defined under the Personal Health Information Protection Act, 2004 (PHIPA). This information is privileged, confidential, and intended only for the named recipient(s).

If you are not the intended recipient, you are hereby notified that any review, use, disclosure, copying, or distribution of the contents of this message is prohibited. Please notify the sender immediately by replying to this email and then permanently delete the original message and any copies.

Email is not a fully secure communication method. Information transmitted via email may be intercepted, altered, or accessed by unauthorized parties. The sender cannot guarantee the confidentiality of information sent by email. If you prefer a more secure communication method, please contact the sender directly.

What each clause covers

The confidentiality statement establishes that the email contains protected information and names the legal framework (PHIPA). This is relevant because PHIPA s.12(1) requires health information custodians to take reasonable steps to ensure PHI is protected against theft, loss, and unauthorized use or disclosure.

The misdirected email instruction tells unintended recipients to delete the message. While this isn’t legally enforceable against a stranger, it demonstrates that you took reasonable steps to protect the information, which matters if a privacy complaint is filed with the Information and Privacy Commissioner of Ontario (IPC).

The security limitation disclosure is the most important clause. It tells recipients that email isn’t fully secure. This manages expectations and supports your position that the client was informed of the risks before choosing to communicate via email.

Template 2: consent for electronic communication

This is a standalone form you give clients before exchanging PHI over email, text, or any electronic channel. PHIPA s.18(5) establishes that consent must be knowledgeable: the client needs to know the purposes of the collection, use, or disclosure, and that they may give or withhold consent.

Hand this form to clients during intake, or send it as a PDF attachment before your first electronic exchange. Store the signed copy in the client’s file.

CONSENT FOR ELECTRONIC COMMUNICATION OF PERSONAL HEALTH INFORMATION

Practitioner/Practice Name: ********____********

Client Name: ********____********

Date: ********____********

Purpose: This form documents your consent to communicate personal health information (PHI) electronically. Electronic communication includes email, text messaging, video conferencing, and any other digital method used to transmit information.

1. What electronic communication means for your care

Electronic communication allows us to exchange information related to your care more conveniently, including appointment scheduling, session follow ups, clinical documents, and administrative correspondence. However, electronic communication carries risks that do not exist with in person or telephone communication.

2. Risks of electronic communication

• Email and text messages may be intercepted, altered, or accessed by unauthorized parties during transmission or storage.
• Messages may be stored on servers outside of Canada, where different privacy laws apply.
• Messages may be read by your email provider, internet service provider, or other third parties with access to your device.
• Emails sent to a wrong address cannot be recalled.
• Your employer may have the right to access emails sent to or from a work email address.
• Messages may remain on your device and could be seen by others who have access to it.

3. Safeguards in place

This practice uses the following measures to protect your information during electronic communication:

• [List measures relevant to your practice, such as: encryption in transit, password protected attachments, secure email add on, avoiding PHI in subject lines, etc.]

4. Alternatives to electronic communication

You may choose to receive all communications by telephone, regular mail, or in person. Choosing not to consent to electronic communication will not affect the quality of your care.

5. Your rights

• You may withdraw this consent at any time by notifying your practitioner in writing. Withdrawal takes effect from the date of notification and does not apply retroactively.
• You may specify limits on what types of information may be communicated electronically (for example, appointment reminders only, no clinical content).
• You have the right to access your personal health information. For details on how to make an access request, see our information access policy.

6. Consent

I, ********__********, have read and understand the above information. I understand the risks and benefits of electronic communication. I consent to the use of electronic communication for the following purposes:

[ ] Appointment scheduling and reminders

[ ] Sharing of clinical documents (assessments, treatment plans, summaries)

[ ] Session follow up communication

[ ] Billing and administrative correspondence

[ ] All of the above

Client Signature: ********__******** Date: **__**

Practitioner Signature: ********__******** Date: **__**

Why each section matters

Section 1 provides context. Consent isn’t valid under PHIPA if the person doesn’t understand what they’re agreeing to.

Section 2 lists specific risks rather than vague warnings. “Email may be intercepted” is more useful than “there are risks.” Specificity supports the “knowledgeable” requirement in PHIPA s.18(5).

The safeguards section is left as a fill in because safeguards vary by practice. If you use encryption on your Gmail, say so here. If you don’t, list what you do have (TLS in transit, password protected attachments, etc.). Honesty here protects you more than overstatement.

The alternatives section isn’t a formality. If alternatives aren’t offered, consent can be challenged as coerced. The IPC has been clear that consent must be voluntary, and voluntary means the person had a genuine option to say no without consequences to their care.

Section 5 addresses withdrawal rights, which PHIPA s.19 guarantees. It also references information access rights, which are covered under PHIPA s.52 and addressed in more detail in our post on client record access requests.

Section 6 uses checkboxes so clients can consent to specific types of communication. A client might be comfortable with appointment reminders over email but prefer that clinical documents be shared in person. Granular consent respects client autonomy and is stronger from a regulatory standpoint.

Template 3: intake form language

These questions slot into your existing intake form. They document the client’s electronic communication preferences from day one, which avoids the common problem of exchanging PHI by email for months before realizing you never obtained consent. Intake is the natural moment for this conversation. The client is already reviewing policies and signing forms. Adding electronic communication preferences takes 30 seconds and saves a retroactive scramble later.

ELECTRONIC COMMUNICATION PREFERENCES

We may communicate with you electronically for certain aspects of your care. Electronic communication (email, text) is convenient but not fully secure. Please indicate your preferences below.

Preferred email address for communication: ********____********

[ ] I understand that email is not a fully secure method of communication and that information sent by email may be intercepted or accessed by third parties.

Please indicate which types of communication you consent to receiving electronically:

[ ] Appointment reminders and scheduling changes

[ ] Invoices and receipts

[ ] General administrative communication (office policies, forms, holiday closures)

[ ] Clinical communication (session notes, treatment plans, assessment results)

[ ] I do not consent to any electronic communication. Please contact me by: [ ] Phone [ ] Mail

Data retention: Records of electronic communications related to your care will be retained in accordance with our retention policy and applicable regulatory requirements.

Withdrawal: You may change these preferences at any time by notifying your practitioner.

Client Signature: ********__******** Date: **__**

Integration notes

Separate clinical from administrative consent. This distinction matters. A client who consents to appointment reminders hasn’t consented to receiving assessment results by email. The checkbox format makes this explicit.

The “I understand that email is not fully secure” checkbox is load bearing. It documents that the client was informed of the risk before consenting. Without it, a client could reasonably claim they didn’t understand the limitations.

Reference your retention policy. PHIPA s.13(1) requires health information custodians to retain and dispose of records securely and in accordance with prescribed requirements. Having a written retention policy is a practical way to demonstrate this compliance. Mentioning it here connects the client’s consent to your broader information management practices. If you’re still developing your retention approach, our post on email retention policies for Ontario therapists covers the regulatory requirements.

Template 4: telehealth consent for Google Meet sessions

If you conduct sessions over Google Meet, you need a separate consent process that addresses the specific risks of video conferencing. This template covers data processing, third party involvement, and recording disclosures.

This is particularly relevant given the IPC’s position on AI processing of health information. Google Meet includes features like noise cancellation, auto captioning, and “Take notes for me,” all of which process audio content. If you haven’t disabled these features, your clients should know they exist. Our guide on disabling AI features in Google Workspace covers how to turn them off.

CONSENT FOR TELEHEALTH SESSIONS VIA VIDEO CONFERENCING

Practitioner/Practice Name: ********____********

Client Name: ********____********

Date: ********____********

1. Technology used

This practice uses Google Meet, provided through Google Workspace, for video based telehealth sessions. Google Meet transmits audio and video data over the internet using encrypted connections.

2. Third party involvement

Google LLC provides the video conferencing infrastructure. Google’s servers may process and temporarily store session data, including audio, video, and chat messages sent during the meeting. Google’s data centres that serve Canadian users may be located outside of Canada, including in the United States.

[If your organization has signed Google’s HIPAA Business Associate Amendment, include this paragraph. If not, remove it.] This practice has signed Google’s HIPAA Business Associate Amendment, which imposes contractual data handling obligations on Google. However, this is a US based agreement and does not provide the same protections as a Canadian data processing agreement.

3. Recording disclosure

[ ] Sessions will NOT be recorded.

[ ] Sessions MAY be recorded for the following purpose: ********____********

If sessions are recorded, recordings will be stored in Google Drive with restricted access permissions. Recordings will be retained for **__** and then permanently deleted. You will be notified before any recording begins, and you may decline recording without affecting your care.

4. AI and automated features

Google Meet may include automated features such as noise cancellation, live captions, and AI powered note taking. These features process audio content in real time.

[ ] All AI and automated processing features have been disabled for this practice’s Google Workspace account.

[ ] The following AI features remain active: ********____********

5. Risks specific to telehealth

• Internet connections may be interrupted, causing delays or disconnections during sessions.
• Other people in your physical location may overhear your session if you are not in a private space.
• Your internet service provider may be able to determine that you connected to a video session, though the content is encrypted.
• Security vulnerabilities in your device, network, or software could potentially expose session content.

6. Your responsibilities

• Join sessions from a private location where you will not be overheard.
• Use a personal device rather than a shared or employer provided device when possible.
• Keep your device’s operating system and browser up to date.
• Do not record sessions without the practitioner’s written consent.

7. Alternatives

In person sessions are available as an alternative to telehealth. Telephone sessions may also be arranged. Choosing not to consent to telehealth will not affect the quality of your care.

8. Consent

I have read and understand the above information. I consent to participating in telehealth sessions using Google Meet under the conditions described.

Client Signature: ********__******** Date: **__**

Practitioner Signature: ********__******** Date: **__**

Key points about this template

Section 2 names Google directly. PHIPA s.18(5) requires that consent be knowledgeable. The client should know which company processes their data, not just that “a third party provider” is involved.

While the IPC’s January 2026 guidance focuses on AI scribes, the same principle (that consent is generally required for AI processing of health information) is relevant to any automated feature that touches session content. That’s why section 4 addresses AI features explicitly. Check the box that matches your configuration. If you’ve followed our guide to disabling AI features, check the first box.

Section 6 places responsibilities on the client. This is often overlooked. The therapist can control their own environment, but the client’s end of the connection is the client’s responsibility. Documenting this sets appropriate expectations.

How to use these templates in practice

Templates are only useful if they’re integrated into your workflow. Here’s how to put each one to work.

Setting up the email disclaimer

Open Gmail > Settings > See all settings > General, scroll to the Signature section, and paste the short or long version of Template 1. If you use multiple sending addresses, create a signature for each one. The signature applies automatically to new messages and replies.

For Google Workspace accounts with multiple users, you can enforce a default signature through the admin console under Apps > Google Workspace > Gmail > Compliance > Append footer. This ensures every outgoing email from your practice includes the disclaimer, even if a staff member changes their individual signature.

Storing signed consent forms

Store signed consent forms in Google Drive within a folder structure that maps to client files. Create a top level folder called something like “Client Consent Forms” with a subfolder for each client. Set sharing permissions to Restricted so only you (and any authorized staff) can access the files.

If you accept consent forms digitally (signed PDFs returned by email, for example), save them directly to the client’s folder. If you collect paper forms, scan them and upload the scans.

The critical point: consent documentation needs to be retrievable. If a college or the IPC asks to see a client’s consent for electronic communication, you should be able to locate it in under a minute. A consistent folder structure in Drive makes this possible. For more on securing your Drive configuration, see the sharing permissions section in our admin console guide.

Documenting verbal consent

Sometimes a signed form isn’t practical. A new client calls, you discuss their care plan, and they verbally agree to email communication. PHIPA does not require written consent in all cases, but it does require that consent be documented.

When you obtain verbal consent, create a brief note in the client’s file that includes:

• The date and time of the conversation
• What was discussed (risks of email, alternatives offered)
• What the client consented to (appointment reminders, clinical communication, etc.)
• Any limitations the client specified

This note should be saved alongside other consent documentation in the client’s folder. Follow up with a written consent form at the next opportunity, but don’t delay communication while waiting for a signature.

Reviewing and updating consent

Consent isn’t a one time event. Review consent documentation when:

• Your practice changes email providers or adds new communication tools
• You begin offering telehealth when you previously didn’t
• A client requests changes to their communication preferences
• Regulatory requirements change (new college guidance, IPC orders, PHIPA amendments)

A reasonable cadence for routine review is annually, at a natural touchpoint like a treatment plan review or annual intake update. When you do update a template, keep a dated copy of the previous version. If a complaint is filed, you may need to show which version of the consent form was in effect at a given point in time.

What these templates do not cover

These templates address common PHIPA requirements for electronic communication consent. They are not complete compliance solutions, and they don’t replace legal advice specific to your practice.

Regulatory variation. Different colleges have different practice standards. The College of Registered Psychotherapists of Ontario (CRPO), OCSWSSW (referenced here for completeness, though outside our primary research scope), and the College of Psychologists of Ontario each publish their own expectations for record keeping, consent, and electronic communication. The templates above are aligned with PHIPA’s general requirements, but you should check your own college’s standards for additional obligations.

Provincial differences. These templates reference PHIPA, which is Ontario legislation. If you practice in British Columbia (PIPA), Alberta (HIA), or another province, different health privacy laws apply. The principles of informed consent and reasonable safeguards are common across jurisdictions, but the statutory references, specific requirements, and enforcement bodies differ. Have someone familiar with your province’s legislation review any template before you put it into use.

A disclaimer doesn’t encrypt your email. A consent form doesn’t create an audit trail. These templates document that you informed clients and obtained their agreement, which is one part of compliance. The technical side (encryption, access controls, audit logging) is separate. Our PHIPA email requirements guide addresses that.

There’s also the client’s end to consider. You can control your own systems, but if a client uses a shared computer, an employer provided email address, or an unsecured network, your safeguards only protect one side of the conversation. The consent form acknowledges this, but it doesn’t eliminate the risk.

Retention and disposal. The templates mention retention briefly, but they don’t constitute a retention policy. PHIPA s.13(1) requires secure retention and disposal of PHI records, and your college likely specifies minimum retention periods for clinical records (typically 10 years from the last interaction, or 10 years after a minor client turns 18). Our post on email retention policies goes deeper into this topic.

These templates give you a defensible starting point. They document that you considered electronic communication risks, informed your clients, and obtained their consent. That puts you ahead of most practices. Not the finish line, but a real start. Templates are one layer in a larger compliance structure, and they work best alongside proper technical safeguards and ongoing attention to regulatory changes.

---

This guide is part of the Google Workspace for Canadian Therapists project. We run a private Facebook group where Canadian therapists on Google Workspace share compliance tips, templates, and admin console walkthroughs. Join the group.

---

This content is for informational purposes only and does not constitute legal advice. Privacy regulations vary by province and are subject to change. Verify current requirements with your provincial regulatory body.