Is your client portal PHIPA compliant? A 12 point checklist
A vendor’s website says their client portal is “fully PHIPA compliant.” A second vendor says “bank level encryption.” A third has a HIPAA badge and a paragraph about being “secure and confidential.” You’re a solo therapist in Ontario trying to decide which one is safe to put your clients’ session notes into, and none of those phrases tells you what you actually need to know.
Here’s the problem. “PHIPA compliant” is not a certification. No regulator issues a PHIPA seal, no audit body stamps a portal as approved, and a vendor writing the words on a marketing page does not make them true. Under PHIPA, the obligation sits with you, the health information custodian, not with the software you buy.
That sounds heavier than it is. It just means you need a way to evaluate a portal yourself instead of trusting the label. This is that evaluation: twelve specific things to check, each scored, so you can tell the difference between a portal built for Canadian health privacy law and one wearing the words.
This piece is about Ontario and PHIPA. If you practise in Alberta or BC, the structure of the questions holds but the statute references change, so start with the province-by-province comparison and then come back to this checklist with your own law in mind.
Key takeaways
- “PHIPA compliant” is not a certification any regulator issues. Under PHIPA s.17(1), the health information custodian, not the portal vendor, is accountable for personal health information in its custody or control.
- A portal does not make you compliant. Your information practices, consent process, and breach response do that work (PHIPA s.10(2), s.12, s.18). The portal is one tool inside those practices.
- Score a portal on twelve points: encryption in transit and at rest, access controls, audit logging, where data is stored, the written agreement, breach notification support, consent handling, retention and export, authentication, vendor sub-processors, transparency, and Canadian privacy fit.
- A portal storing data outside Canada is not automatically a PHIPA violation. PHIPA does not mandate Canadian data residency; it requires reasonable safeguards (s.12(1)) and accountability for cross-border handling.
- Email is not a portal. They solve different problems, and a secure portal does not make your everyday email PHIPA aligned.
What does “PHIPA compliant” actually mean for a client portal?
Start here, because the phrase causes most of the confusion.
“PHIPA compliant” is not a status a product can hold on its own. PHIPA is a law that governs the conduct of a health information custodian, the regulated professional or organization that has custody or control of personal health information. A client portal is a tool the custodian uses. The portal can support compliance or undermine it, but compliance is a property of your practice, not of the software.
In plain terms: the College of Registered Psychotherapists of Ontario (CRPO) registers you, PHIPA binds you, and the buck stops with you. A vendor can build excellent privacy and security into a portal. They cannot become your compliance.
PHIPA makes this explicit. Under PHIPA s.17(1), a custodian is responsible for personal health information in its custody or control, and may permit an agent (which can include a service provider operating a portal on your behalf) to handle that information only under defined conditions. You remain accountable for what your agent does with it. That single section is why a checklist matters more than a badge.
So when a portal says “PHIPA compliant,” read it as marketing shorthand for “we have built features that help you meet your obligations.” Then verify which features, and whether they hold up. The twelve points below are how you do that.
How to score the checklist
Each of the twelve points gets one of three scores:
- 2 points if the portal clearly meets it and you can verify the claim (documentation, a contract clause, a setting you can see).
- 1 point if it partially meets it, or meets it but you can’t independently confirm it.
- 0 points if it doesn’t meet it, or the vendor can’t or won’t answer.
Twenty-four points is the ceiling. There’s no official pass mark, because PHIPA doesn’t set one. But the scoring forces a specific judgment on each dimension instead of a vague overall impression. A portal scoring 20 or more with no zeros on the encryption, audit, and accountability points is a defensible choice. A portal with zeros on those points is one you’d want to think hard about, whatever its total.
A note before you start. Score honestly. A 1 you can’t verify is not a 2. The whole value of this exercise is replacing “the website said so” with “I checked.”
The 12 point PHIPA portal checklist
1. Encryption in transit
The portal must encrypt personal health information while it moves between your client’s device, your device, and the portal’s servers. The current baseline is TLS 1.2 or TLS 1.3 over HTTPS. This protects data on the wire from interception.
What to check: the portal loads over HTTPS with no certificate warnings, and the vendor documents TLS 1.2 or higher. This is table stakes; a portal that fails here fails the whole exercise.
Score it 2 only if the vendor states the TLS version. “We use encryption” without a version is a 1, because you can’t tell whether it’s current or a decade out of date.
2. Encryption at rest
Data sitting in the portal’s database and file storage must be encrypted at rest, typically with AES-256. Encryption in transit protects the journey; encryption at rest protects the stored copy if a server, backup, or disk is compromised.
What to check: the vendor states that stored data and backups are encrypted, and ideally names the standard (AES-256 is the common one). Ask specifically about backups, because an encrypted database with unencrypted nightly backups is a gap that slips past most buyers.
This maps directly to your PHIPA s.12(1) duty to take reasonable steps to protect personal health information against theft and loss. A stolen unencrypted backup is exactly the scenario s.12(1) is about.
3. Access controls and least privilege
Who at the vendor can see your clients’ information, and under what conditions?
A well-built portal restricts access so that vendor staff cannot read client content in the clear during normal operations, and any administrative access is logged and limited to what’s necessary. For a group practice, you also want role-based access on your side, so a receptionist sees scheduling but not clinical notes.
What to check: ask the vendor directly whether their staff can read stored client messages and files, and what controls govern that access. A vendor that has thought about PHIPA will have a clear answer. Vagueness here is a 0.
4. Audit logging
The portal must keep an audit log recording who accessed which record and when. Under PHIPA, a custodian must be able to account for access to personal health information, and an audit trail is the practical mechanism. The log should capture logins, record views, edits, and disclosures, and you should be able to retrieve it.
This is one of the points where a portal can genuinely earn its keep. If a client asks who has looked at their file (a right that flows from PHIPA’s access and accountability provisions), the audit log is your answer. If the IPC ever reviews a complaint, the audit log is part of how you show what happened.
What to check: confirm the portal logs access events, that the log is tamper resistant, and that you can actually pull a report. A log that exists but you can’t access is half a feature.
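As an added illustration of point 4 (not code from this page or from any portal vendor), here is a small hash-chained access log in Python: each entry’s hash folds in the previous entry’s hash, so a later edit to any stored event breaks verification, and a per-record query answers the “who has looked at my file?” question. All names, timestamps and record identifiers are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # anchor for the first entry's chain link


def link_hash(prev_hash: str, event: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same event always
    # produces the same digest; the previous hash is folded in to chain entries.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


@dataclass
class AuditLog:
    """Append-only access log: one {'event': ..., 'hash': ...} dict per entry."""
    entries: List[dict] = field(default_factory=list)

    def append(self, ts: str, actor: str, action: str, record: str) -> str:
        event = {"ts": ts, "actor": actor, "action": action, "record": record}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        link = link_hash(prev, event)
        self.entries.append({"event": event, "hash": link})
        return link

    def verify(self) -> Optional[int]:
        """None if every link checks out, else the index of the first bad entry."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if link_hash(prev, entry["event"]) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None

    def head(self) -> str:
        """Latest hash. Export it regularly to somewhere the log's operator cannot
        rewrite; otherwise a tamperer can rebuild the whole chain consistently."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def accesses_to(self, record: str) -> List[Tuple[str, str, str]]:
        """(timestamp, actor, action) for every event that touched one record."""
        return [(e["event"]["ts"], e["event"]["actor"], e["event"]["action"])
                for e in self.entries if e["event"]["record"] == record]


def sample_log() -> AuditLog:
    # Constructed sample events for a fictional practice (not real data).
    log = AuditLog()
    log.append("2025-03-01T09:00:00Z", "dr.lee", "login", "-")
    log.append("2025-03-01T09:05:12Z", "dr.lee", "view", "client/1042/notes")
    log.append("2025-03-01T09:06:40Z", "reception", "view", "client/1042/schedule")
    log.append("2025-03-01T09:31:05Z", "dr.lee", "edit", "client/1042/notes")
    log.append("2025-03-02T14:12:00Z", "vendor-support", "export", "client/1042/notes")
    return log


if __name__ == "__main__":
    log = sample_log()
    print("chain intact:", log.verify() is None)
    for ts, actor, action in log.accesses_to("client/1042/notes"):
        print(ts, actor, action)
    # Someone quietly rewrites the actor on a stored entry; the chain exposes it.
    log.entries[4]["event"]["actor"] = "dr.lee"
    print("first bad entry:", log.verify())
```

The report for one record is the answer you would hand a client who asks who has viewed their file; the verification step is what “tamper resistant” means in practice, and it only holds if the head hash is also kept somewhere the vendor cannot rewrite.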
5. Where is the data stored?
This is the point most therapists ask about first, and the one most often misunderstood. So let’s be precise.
PHIPA does not require that personal health information be stored in Canada. There is no data residency mandate in PHIPA. A portal that stores data on US or EU servers is not, for that reason alone, a PHIPA violation. What PHIPA requires is reasonable safeguards (s.12(1)) and that you, the custodian, remain accountable for the information wherever it is handled (s.17).
That said, where data lives still matters to your evaluation, for two reasons. First, data stored in another country may be subject to that country’s laws, including lawful access by foreign authorities, and a careful custodian weighs that in the risk assessment. Second, some clients care a great deal where their mental health records sit, and you may field the question.
What to check: ask where data is stored and processed, including backups. Canadian hosting is a point in a portal’s favour and worth a 2 if confirmed. Non-Canadian hosting is not an automatic 0; score it 1 if the vendor is transparent about location and you’ve judged the safeguards reasonable, and reserve 0 for a vendor that won’t tell you.
Don’t let a “Canadian data residency” claim do more work than it should, in either direction. It’s one factor in a safeguards analysis, not the whole of PHIPA compliance. We’ve seen vendors lean on it as if it settles the question. It doesn’t.
6. The written agreement
Here’s a point that has nothing to do with the software and everything to do with PHIPA.
When a service provider handles personal health information on your behalf, PHIPA s.17 treats them as your agent and keeps you responsible for what they do with it. A written agreement that sets out how they will protect that information and what they may and may not do with it is how you discharge part of that accountability. PHIPA makes such an agreement strictly mandatory only for a health information network provider (a provider supplying services to two or more custodians to enable electronic disclosure among them) under O. Reg. 329/04 s.6(3); for an ordinary single-practice service provider it is strongly recommended IPC practice rather than a black-letter requirement. Either way, you want it in place. The agreement is not paperwork for its own sake.
What to check: does the vendor offer a data processing agreement, a business associate style agreement adapted for Canada, or equivalent contractual terms covering safeguards, permitted use, breach notification to you, and what happens to data when you leave? A vendor selling to Canadian health custodians should have this ready. If they only offer a generic terms-of-service with no privacy obligations to you, that’s a meaningful gap.
Score a 2 only if you can actually get the agreement and it addresses your PHIPA obligations, not just the vendor’s liability limits.
7. Breach notification support
A breach will eventually touch one of your tools. The question is whether the portal helps you meet your obligations when it does.
Under PHIPA s.12(2), if personal health information is stolen, lost, or used or disclosed without authority, the custodian must notify the affected individual at the first reasonable opportunity and tell them they may complain to the Information and Privacy Commissioner of Ontario. Certain breaches must also be reported to the IPC under PHIPA s.12(3) and O. Reg. 329/04 s.6.3. A portal supports this by detecting and telling you about a security incident promptly, so your clock starts when it should.
What to check: will the vendor notify you of a security incident affecting your data, and how quickly? Is that commitment in the written agreement (point 6)? A portal that detects a breach but tells you three weeks later has put you in breach of your own duty to act at the first reasonable opportunity.
For the steps you’d take when a breach does happen, the PHIPA breach response guide for therapists walks through the first 24 hours and the IPC reporting decision.
8. Consent handling
PHIPA runs on consent, and a portal touches consent in ways most buyers never think to check.
Under PHIPA s.18, a custodian generally needs consent to collect, use, or disclose personal health information, and for electronic communication with clients, express consent is the careful standard. A portal can help by recording that a client agreed to use it, what they agreed to, and when. It can also hurt, by quietly enabling features (text notifications, third party integrations) that move client information in ways the client never agreed to.
What to check: does the portal let you capture and store the client’s consent to electronic communication, and does it avoid turning on data-sharing features without explicit setup? Read the default settings, not just the marketing. Defaults are where consent quietly leaks.
9. Retention, export, and deletion
What happens to your clients’ data while you use the portal, and on the day you leave it?
PHIPA expects custodians to retain records appropriately and to be able to produce them, and you remain responsible for those records until custody passes to another authorized person. If you can’t export your clients’ information in a usable format, or if leaving the portal means losing access to records you’re legally obligated to keep, the portal has created a compliance problem rather than solving one.
What to check: can you export client records (messages, files, notes) in a standard format on demand? What is the vendor’s data retention and deletion policy, and does it let you meet your own retention obligations? What happens to your data if the vendor shuts down or you cancel? A portal you can’t leave cleanly is a liability.
10. Authentication and account security
A portal is only as secure as the way people log into it.
Strong authentication matters on both sides. You want multi-factor authentication available for your own account and your staff’s, because a stolen password to a portal full of clinical records is a breach waiting to happen. For clients, you want a sign-in process that’s secure without being so awkward that they email you their notes instead, which defeats the purpose.
What to check: is multi-factor authentication available (ideally required) for clinician accounts? How does the portal handle client authentication, password resets, and inactive sessions? Score a 2 for MFA on clinician accounts plus sensible session handling; a portal with no MFA option for the people holding the keys to every record is hard to justify in 2026.
11. Vendor sub-processors and the chain of trust
Your portal vendor almost always relies on other companies: a cloud host, an email-sending service, an analytics tool. Each one is a place your clients’ information might travel.
Because PHIPA s.17 keeps you accountable for personal health information in the hands of your agents, the vendor’s own sub-processors become part of your risk picture. You don’t need to audit Amazon’s data centres. You do need to know the chain exists and that the vendor manages it responsibly.
What to check: does the vendor disclose its sub-processors (the third parties it shares data with to run the service)? Does the written agreement bind those sub-processors to equivalent protections? A vendor that can’t name who else touches your data can’t really tell you it’s protected.
12. Transparency and Canadian privacy fit
The last point is a judgment call, and it’s the one that ties the other eleven together.
Does the vendor speak to Canadian health privacy law at all, or only to US HIPAA? A portal built and marketed for the US market may be perfectly secure and still leave you doing the translation work yourself, because its consent flows, its agreements, and its breach commitments are written for a different statute. A vendor that references PHIPA, names the IPC, and understands the custodian relationship is one that has done some of that work for you.
What to check: read the vendor’s privacy and security documentation with a Canadian eye. Do they acknowledge provincial health privacy law? Will they sign an agreement that reflects your PHIPA obligations rather than only US frameworks? Transparency, a willingness to answer hard questions in writing, and genuine fit with Canadian law earn the last 2 points.
How do I add up the score and decide?
You’ve scored all twelve points, for a total out of a possible 24. Now read the pattern, not just the total.
| Score range | What it suggests | What to do |
|---|---|---|
| 20-24, no zeros on points 1, 2, 4, 6, 7 | Strong fit. The portal meets the core safeguards and the accountability points. | Defensible choice. Keep your scoring notes on file as part of your due diligence record. |
| 14-19 | Workable but with gaps. | Identify the low-scoring points and decide whether they’re dealbreakers or things you can mitigate in your own practices. |
| Below 14, or any zero on points 1, 2, 4, 6, or 7 | Material concern. The portal is missing something PHIPA leans on. | Don’t rely on the marketing label. Either resolve the gap with the vendor in writing or look elsewhere. |
The five points that carry the most weight (encryption in transit, encryption at rest, audit logging, the written agreement, and breach notification support) aren’t arbitrary. They map to the parts of PHIPA a regulator looks at after something goes wrong: were there reasonable safeguards (s.12(1)), could you account for access, and did you have your agent relationship in order (s.17)? A high total with a zero on one of those is a flag, not a pass.
Keep the filled-in checklist. If a client or the IPC ever asks how you chose your tools, a dated evaluation showing you assessed the portal against PHIPA is exactly the kind of diligence that matters. That documentation is worth as much as the score itself.
Is a client portal even the right tool? (Email vs portal)
Worth pausing here, because a lot of therapists reach for a portal to solve a problem a portal doesn’t quite solve.
A client portal is good at structured, contained interaction: sharing documents, booking, intake forms, messages that live inside one secured system. It’s less good at the thing therapists actually do most, which is ordinary back-and-forth email. Clients don’t want to log into a portal to ask whether you can move Thursday’s session. They email you. And that email, sitting in your Gmail, is where the everyday PHIPA exposure actually lives.
A client portal and encrypted email solve different problems. A portal contains interaction inside a secured system; encrypted email protects the everyday messages clients send you outside any portal. A secure portal does not make your regular email PHIPA aligned, and a portal you’ve vetted to 24 out of 24 does nothing for the intake summary you accidentally send to the wrong address from your inbox.
So the honest answer is that for many solo practices the question isn’t only “which portal,” it’s “do I need a portal, or do I need my existing email to be safe, or both?” If most of your client contact is email, vetting a portal while leaving your inbox in plain text is fixing the smaller problem. For where Gmail itself falls short, see “Is Gmail PHIPA compliant?”.
Where Curio fits, and where it doesn’t
To be straight with you: Curio is not a client portal, and this checklist isn’t a setup to sell you one. Curio is email infrastructure. It encrypts every outbound email automatically and logs every send in a Canadian audit trail, working with the Gmail you already use.
That solves the email side of the problem, the wrong-address send and the compromised inbox, not the portal side. If your practice genuinely needs structured document exchange and a client-facing message centre, a portal is the right tool, and you should run it through the twelve points above. If your real exposure is everyday email, that’s the gap Curio is built to close.
We mention it because the two get conflated all the time. “I have a secure portal” and “my client email is encrypted for PHIPA” are different statements, and a practice can be true on one and exposed on the other. If you want to see whether your current email setup leaves you exposed, join the Curio waitlist.
What this checklist doesn’t cover
A few honest limits.
This is informational content, not legal advice. Choosing a tool that handles personal health information is a real compliance decision, and if you’re unsure whether a portal’s safeguards are reasonable for your practice, a short conversation with a privacy professional is worth far more than it costs.
The checklist also doesn’t replace the vendor’s own security documentation or a SOC 2 or equivalent report, if one exists. A serious vendor will have third party security attestations, and reading them (or having someone read them) goes deeper than twelve yes-or-no questions can.
And it’s Ontario specific. The twelve dimensions translate across provinces, but the statute references don’t. An Alberta custodian is working under HIA, a BC counsellor under PIPA, and the consent, safeguard, and breach rules differ. If you practise outside Ontario, or see clients who live in another province, the province-by-province comparison is the place to start before you apply this to your own situation.
Frequently asked questions
Is “PHIPA compliant” a real certification for software?
No. There is no PHIPA certification, seal, or approval body for software. PHIPA governs the conduct of health information custodians, not products. When a portal advertises itself as “PHIPA compliant,” that’s a marketing claim about its features, not a regulatory status. Evaluate the features yourself.
Does a client portal have to store data in Canada to be PHIPA compliant?
No. PHIPA does not mandate Canadian data residency. It requires reasonable safeguards under s.12(1) and that the custodian remain accountable for personal health information wherever it’s handled (s.17). Canadian hosting is one favourable factor in a safeguards assessment, not a requirement, and not the whole picture.
Who is responsible if my portal vendor has a breach, me or the vendor?
Both, in different ways. Under PHIPA s.17(1), you, the custodian, remain accountable for personal health information your agent handles, so you carry the duty to notify affected clients and, where required, the IPC. The vendor carries its own obligations to you under your written agreement, which is why that agreement matters.
Can I use a US client portal as a Canadian therapist?
Often yes, but with care. A US-built portal can meet PHIPA’s safeguard expectations, but its consent flows, agreements, and breach commitments are written for HIPAA, so you’ll need to confirm they fit your PHIPA obligations and get an agreement that reflects Canadian law. Score it on transparency and Canadian fit (point 12).
Do I need both a client portal and encrypted email?
It depends on how your practice communicates. A portal contains structured interaction; encrypted email protects the ordinary messages clients send your inbox. If most client contact is email, securing your email may matter more than a portal. Many practices that handle real volumes of both end up needing each for its own job.
What’s the most important point on the checklist?
There isn’t a single one, but five carry the most weight: encryption in transit, encryption at rest, audit logging, the written agreement, and breach notification support. They map to what PHIPA looks at after an incident: reasonable safeguards (s.12(1)), accounting for access, and your accountability for an agent (s.17). A zero on any of those is a flag.
This content is for informational purposes only and does not constitute legal advice. Privacy regulations vary by province and are subject to change. Verify current requirements with the Information and Privacy Commissioner of Ontario and consult a qualified privacy professional for your specific situation.
Curio is designed to encrypt outbound email and maintain a Canadian audit trail. It is not a client portal, and it is not a substitute for professional legal or compliance advice.
Sources
- Personal Health Information Protection Act, 2004 (Ontario), full text
- PHIPA, SO 2004, c 3, Sch A (CanLII, current consolidation including s.17 custodian and agent provisions)
- Report a health privacy breach, Information and Privacy Commissioner of Ontario
- O. Reg. 329/04, general regulation under PHIPA (s.6.3 mandatory breach reporting circumstances)
- A Privacy Management Handbook for Small Health Care Organizations, IPC of Ontario (2025)