
CRPO electronic practice standards: what they mean for your email

Gabriel Borges

  1. CRPO Standard 3.4 requires secure electronic communication, informed consent for electronic channels, and documentation of all electronic client interactions
  2. These requirements layer on top of PHIPA and apply to every email containing client information
  3. Standard 3.4’s informed consent for electronic communication is separate from general PHIPA consent
  4. Treatment related email correspondence must be included in the clinical record
  5. Your professional liability insurance must explicitly cover electronic services

CRPO Standard 3.4 requires Ontario registered psychotherapists to use secure electronic communication, obtain informed consent specific to electronic practice, and document all electronic client interactions. These requirements layer on top of PHIPA and apply to every email you send that contains client information.

You’re a registered psychotherapist in Ontario. You already know about PHIPA email requirements. But PHIPA isn’t the only rulebook that governs your inbox.

The College of Registered Psychotherapists of Ontario (CRPO) publishes its own practice standards, and Standard 3.4 covers electronic practice. It’s 12 pages of regulatory language that covers telehealth, electronic records, and electronic communication. Most therapists skim it during registration and never look at it again.

That’s a problem, because Standard 3.4 adds requirements that PHIPA doesn’t address directly. This guide translates the standard into specific email actions.

What is CRPO Standard 3.4?

CRPO Standard 3.4 is the electronic practice standard published by the College of Registered Psychotherapists of Ontario. It governs how registrants use communications technology (telephone, text, email, video calling) to provide assessment or treatment. The standard requires that registrants adhere to all professional standards whether practice is electronic, in person, or hybrid.

Standard 3.4 sits within the “Client-Therapist Relationship” section of CRPO’s practice standards. It doesn’t replace PHIPA. It builds on top of it.

Think of it this way: PHIPA tells you what the law requires for protecting health information. Standard 3.4 tells you what your college expects when you deliver therapy through technology. The two overlap, but Standard 3.4 reaches into areas that PHIPA leaves to professional judgment.

For email specifically, Standard 3.4 creates three obligations: secure communication, informed consent for electronic channels, and documentation of electronic interactions. Each one affects how you set up and use your email.

What Standard 3.4 requires for email

Secure electronic communication

CRPO Standard 3.4 requires registrants to “take reasonable steps to ensure that the technology employed is secure, confidential, and appropriate given the needs of the client.” For email, this means encryption that protects message content both in transit and at rest.

The standard uses the phrase “secure, confidential, and appropriate.” It does not define what counts as technically secure. CRPO’s Implementing Electronic Practice resource article provides more direction: registrants should consider whether their communication tools protect information from unauthorized access.

So what does “secure” mean for your email in practice?

Standard email (Gmail, Outlook) uses TLS encryption in transit. That covers the “in transit” piece when both sender and recipient support TLS. But TLS alone doesn’t protect emails at rest on the server, and it doesn’t cover situations where the recipient’s email provider doesn’t support TLS.

The practical interpretation, consistent with both CRPO’s guidance and PHIPA’s safeguard requirements under s.12(1), is that you need encryption that protects client information regardless of the recipient’s email setup. That means either end to end encryption or a secure portal fallback for messages containing personal health information (PHI).

If you’re currently using Gmail without an encryption layer, your setup likely falls short of what Standard 3.4 expects. For a deeper look at the Gmail gap, see is Gmail PHIPA compliant.

CRPO Standard 3.4 requires registrants to “obtain informed consent from clients regarding the use of electronic communication media in the provision of services.” This consent is separate from general PHIPA consent for collecting and using health information. It must address the specific risks of electronic communication, including the limitations of confidentiality over email.

This is where Standard 3.4 goes further than most therapists realize. You may already have PHIPA consent for email in place, covering consent to collect, use, and disclose PHI. Good. But CRPO wants a second layer.

The electronic communication consent must be informed. That word “informed” is doing real work here. Your client needs to understand:

  • What electronic communication channels you’ll use (email, text, video)
  • The specific risks of each channel (email can be intercepted, forwarded, or stored on insecure devices)
  • The limitations of confidentiality when communicating electronically
  • What alternatives exist (in person, phone, secure portal)
  • That they can withdraw consent for electronic communication at any time

A generic “I consent to receiving emails” checkbox won’t satisfy this. The consent needs to demonstrate that the client understood the risks before agreeing. CRPO’s guideline specifically flags this: consent must be “knowledgeable,” meaning the client grasped what they were consenting to.

If you need consent form language that covers both PHIPA and CRPO requirements, the client communication templates include versions you can use directly.

Documentation standards

CRPO Standard 3.4 requires registrants offering modalities involving written communication (including email) to “include copies of correspondence and treatment-related communication in the clinical record.” This creates a documentation obligation that goes beyond PHIPA’s general record keeping requirements.

This requirement catches therapists off guard. If you email a client about scheduling, that’s administrative. But if an email touches on treatment (a check in about symptoms, a homework assignment, a crisis response), Standard 3.4 says it belongs in the clinical record.

The question is how. Most therapists don’t have a system for capturing email content into their clinical records. Some copy and paste into their EHR. Some print emails to PDF. Some don’t capture them at all.

At minimum, you need an audit trail that logs what was sent, when, and to whom. The manual audit log for client records template walks you through setting this up in Google Sheets. It’s not automated, but it covers CRPO’s documentation expectation until you have something better in place.

Where Standard 3.4 goes beyond PHIPA

| Requirement | PHIPA | CRPO Standard 3.4 |
| --- | --- | --- |
| Encryption / security safeguards | Required under s.12(1): “reasonable steps” to protect PHI | Required: technology must be “secure, confidential, and appropriate” |
| Consent for electronic communication | Not specifically required (consent covers collection, use, disclosure of PHI) | Required: informed consent specific to each electronic channel, including risks and alternatives |
| Documentation of electronic communications | General record keeping under s.10 | Specific: treatment related email correspondence must be included in clinical record |
| Competency in electronic practice | Not addressed | Required: registrants must maintain competency in the technologies they use |
| Professional liability coverage | Not addressed | Required: insurance must cover electronic services before treating clients electronically |

PHIPA is the floor. Standard 3.4 adds height.

The most significant addition is the informed consent requirement for electronic communication itself. PHIPA covers consent to collect, use, and disclose personal health information. Standard 3.4 adds consent for the communication channel. You need both.

Here’s why that matters in practice: a therapist who has a signed PHIPA consent form but no electronic communication consent form has a gap. If a client later complains about a privacy issue with email, the PHIPA consent covers the fact that you collected their health information, but it doesn’t demonstrate that they understood and accepted the risks of email as the communication method.

Competency, insurance, and documentation specificity

CRPO expects you to understand the technology you’re using, not just turn it on and hope for the best. And your professional liability insurance needs to explicitly cover electronic services. If you started offering telehealth during COVID and never checked your policy, check it before your next electronic session.

Documentation specificity is another gap worth noting. PHIPA’s record keeping requirements under s.10 are general. Standard 3.4 names email explicitly. If you exchange treatment related emails with a client, those emails (or logs of them) need to be in the clinical record. PHIPA wouldn’t necessarily flag a missing email log during an audit. CRPO might.

Practical steps for compliance

Here are six steps to bring your email setup in line with Standard 3.4. Each one addresses a specific requirement from the standard.

Step 1: Review your current email setup against encryption requirements

Check whether your email encrypts messages containing PHI. If you use Gmail or Outlook without an encryption layer, the answer is likely no. Compare your setup against what both PHIPA and Standard 3.4 require for secure electronic communication.

What to look for: Does your email encrypt messages in transit? Does it protect content if the recipient’s server doesn’t support TLS? Is there a fallback (like a secure portal) for sensitive messages?
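One way to check the "in transit" question on a message you have already received, as an added example that is not part of the original article: each receiving server records the protocol it accepted the message with in a `Received` header, and the keywords `ESMTPS`/`ESMTPSA` (RFC 3848) mean that hop used TLS. The sample message, hostnames, and function names are constructed for illustration; the check reflects only what each server recorded and says nothing about protection at rest.

```python
import re
from email import message_from_string

# "with" keywords that mark a TLS-protected hop (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}
COMMENT_RE = re.compile(r"\([^()]*\)")
BY_RE = re.compile(r"\bby\s+([^\s;]+)", re.IGNORECASE)
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)

# Constructed sample message (not real traffic); newest Received header first.
SAMPLE = """\
Received: from mail.relay.example (mail.relay.example [203.0.113.7])
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
\tby mx.clinic.example (Postfix) with ESMTPS id 4F1A2B3C
\tfor <therapist@clinic.example>; Mon, 03 Mar 2025 10:15:02 -0500
Received: from legacy.sender.example (legacy.sender.example [198.51.100.9])
\tby mail.relay.example with ESMTP id 9Z8Y7X;
\tMon, 03 Mar 2025 10:15:00 -0500
From: client@sender.example
To: therapist@clinic.example
Subject: Constructed test message

Body omitted.
"""

def strip_comments(value: str) -> str:
    """Remove (possibly nested) parenthesised comments, which may contain 'with'."""
    previous = None
    while previous != value:
        previous, value = value, COMMENT_RE.sub(" ", value)
    return " ".join(value.split())

def hop_report(raw_message: str) -> list:
    """Return one dict per Received header, oldest hop first."""
    hops = []
    for header in reversed(message_from_string(raw_message).get_all("Received", [])):
        text = strip_comments(str(header))
        by, proto = BY_RE.search(text), WITH_RE.search(text)
        protocol = proto.group(1).upper() if proto else None
        hops.append({"by": by.group(1) if by else None,
                     "protocol": protocol,
                     "tls": protocol in TLS_PROTOCOLS})
    return hops

def hops_without_tls(raw_message: str) -> list:
    """Servers that accepted the message without recording a TLS protocol keyword."""
    return [hop["by"] for hop in hop_report(raw_message) if not hop["tls"]]
```

Run `hop_report` on the raw source of a real message ("Show original" in Gmail); any server listed by `hops_without_tls` accepted the message without recording TLS, which is the gap a secure portal fallback is meant to close.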

Draft a consent form that covers Standard 3.4’s requirements. The form should explain which electronic channels you use, the risks of each channel, the limits of confidentiality, available alternatives, and the client’s right to withdraw consent.

This form is separate from your general PHIPA consent. You can combine them into one document, but both sets of requirements need to be addressed. The client communication templates include a starting point.

Step 3: Document your electronic practice policies

Write down your policies for using technology in your practice. Standard 3.4 expects that you’ve thought through how you use electronic tools, not just that you use them. Cover which tools you use, why, how you protect client information in each one, and what you do when something goes wrong.

Step 4: Add email disclaimers to client facing messages

Include a confidentiality notice on emails that may contain or reference PHI. The disclaimer should remind the recipient that email may not be fully secure and direct misdirected messages to be deleted. This doesn’t fix an encryption gap, but it demonstrates awareness of the risk and satisfies part of Standard 3.4’s “appropriate” technology requirement.

Step 5: Set up an audit trail for email communication

Create a log that tracks treatment related email correspondence. Standard 3.4 requires that this correspondence be part of the clinical record. The manual audit log for client records template gives you a Google Sheets based approach. Log the date, recipient, subject, and whether the email contained PHI.

Step 6: Review CRPO’s electronic practice guideline

Read the full CRPO Electronic Practice Guideline and the Standard 3.4 page on crpo.ca. This guide covers the email specific requirements, but Standard 3.4 also addresses telehealth, video calling, and electronic records. The full document gives you the complete picture.

How CRPO compares to CAP and CHCPBC

CRPO isn’t the only provincial college that sets expectations for electronic communication. The College of Alberta Psychologists (CAP) and the College of Health and Care Professionals of BC (CHCPBC) have their own standards, each shaped by their province’s privacy law.

For the underlying provincial privacy law layer each college standard sits on top of, see our provincial privacy law comparison.

| College | Province | Privacy law | Electronic practice standard | Status |
| --- | --- | --- | --- | --- |
| CRPO | Ontario | PHIPA | Standard 3.4: detailed electronic practice requirements including secure communication, informed consent, and documentation | Active |
| CAP | Alberta | HIA | Practice standards address electronic communication but without CRPO’s level of specificity for email | Active |
| CHCPBC | BC | PIPA (BC) | Psychotherapy regulation begins November 29, 2027. Digital communication standards expected as part of the regulatory framework | Pending (2027) |

If you practice in Alberta, CAP’s approach differs from CRPO’s. CAP has practice standards that cover electronic communication, but they don’t include the same level of specificity for email that CRPO Standard 3.4 does. Alberta therapists also operate under HIA rather than PHIPA, which changes the consent framework. We’ll cover that in detail in a companion piece on CAP practice standards for Alberta therapists (publishing later this month).

If you’re in BC, CHCPBC’s psychotherapy regulation doesn’t take effect until November 29, 2027. Once it does, expect digital communication standards as part of the new regulatory framework. Preparing early gives you a head start. The upcoming piece on CHCPBC psychotherapy regulation will cover what BC therapists need to prepare for.

For the full picture on how privacy laws differ across provinces, see email privacy laws across Canada.

FAQ

Does Standard 3.4 apply to all email or just email with PHI?

Standard 3.4 applies to all electronic communication used in the provision of psychotherapy services. The encryption and security requirements are most relevant when email contains personal health information, but the consent and documentation requirements apply to your electronic communication practices as a whole.

You need both. PHIPA consent covers the collection, use, and disclosure of personal health information. CRPO Standard 3.4 requires separate informed consent for the use of electronic communication channels. The Standard 3.4 consent must address the specific risks of electronic communication, alternatives available, and the client’s right to withdraw.

What happens if I don’t comply with Standard 3.4?

CRPO can investigate complaints related to practice standard violations. Non compliance with Standard 3.4 could result in remedial measures, conditions on your registration, or disciplinary proceedings. That said, CRPO’s approach tends to be educational first. The risk isn’t just regulatory action. If a privacy breach occurs and your setup doesn’t meet Standard 3.4, the gap becomes evidence that you didn’t take “reasonable steps.”

Can I use regular Gmail and still meet Standard 3.4?

Regular Gmail (without an encryption layer) does not meet the “secure, confidential, and appropriate” technology requirement in Standard 3.4 for emails containing personal health information. Gmail uses TLS encryption in transit, but this does not protect email content at rest or when the recipient’s email provider doesn’t support TLS. An encryption layer or secure portal fallback is needed.

Where can I read Standard 3.4 directly?

The full text is on CRPO’s website at crpo.ca/practice-standards. CRPO also publishes an Implementing Electronic Practice resource article with practical guidance.

What this doesn’t cover

Standard 3.4 addresses more than email. Telehealth platforms, video calling security, cross border practice, and electronic clinical records all fall under its scope. This guide focused on the email requirements because that’s where most registered psychotherapists have the biggest gap between what they’re doing and what the standard expects.

If you’re looking for broader guidance on Ontario privacy law and email, start with the PHIPA email requirements guide. For consent specifically, the PHIPA consent for email guide walks through what PHIPA requires before you layer Standard 3.4 on top.


Curio encrypts every email and logs each send in a Canadian audit trail, addressing Standard 3.4’s security and documentation requirements. Join the waitlist.


This content is for informational purposes only and does not constitute legal advice. Privacy regulations and college practice standards are subject to change. Verify current requirements with CRPO and consult a qualified privacy professional for your specific situation.
