CRPO vs CAP vs CHCPBC: comparing college email requirements across Canada
- Ontario (CRPO), Alberta (CAP), and BC (CHCPBC) each set college level standards for how therapists handle email and digital communication
- CRPO has the most detailed electronic practice standard (Standard 3.4), CAP covers digital communication through a Use of Technology guideline, and CHCPBC is still developing psychotherapy specific standards ahead of November 2027
- All three colleges require encryption, informed consent, and documentation for electronic communication, but the specificity of those requirements varies
- Each college’s standards layer on top of the provincial privacy law (PHIPA, HIA, or PIPA), creating two separate sets of obligations
You’ve read the privacy law guides. You know the Personal Health Information Protection Act (PHIPA) covers Ontario, the Health Information Act (HIA) covers Alberta, and the Personal Information Protection Act (PIPA) covers BC. But the privacy law isn’t the only rulebook governing your inbox.
Each province also has a regulatory college that publishes its own practice standards for therapists. Those standards address electronic communication, and they don’t all say the same thing. CRPO in Ontario dedicates an entire standard to electronic practice. CAP in Alberta covers technology use through a separate guideline. CHCPBC in BC is still building the regulatory framework for psychotherapists who won’t be regulated until November 2027.
This guide compares all three side by side. If you’ve already read the individual deep dives on CRPO electronic practice standards, CAP practice standards for Alberta, or CHCPBC psychotherapy regulation, this is the piece that ties them together.
The comparison table
| Dimension | CRPO (Ontario) | CAP (Alberta) | CHCPBC (BC) |
|---|---|---|---|
| Full name | College of Registered Psychotherapists of Ontario | College of Alberta Psychologists | College of Health and Care Professionals of BC |
| Who they regulate | Registered Psychotherapists (RP) | Psychologists; expanding to counselling therapists | 9 professions currently; psychotherapists joining Nov 29, 2027 |
| Electronic practice standard | Standard 3.4 (Electronic Practice), dedicated 12 page standard | Use of Technology guideline (Sept 2024), general practice standard | Harmonized practice standards in development; no psychotherapy specific standard yet |
| Standard specificity | High. Addresses electronic communication, telehealth, electronic records, and liability insurance in detail | Moderate. Covers telepsychology, informed consent for technology, confidentiality, and social media | Developing. Existing standards for other professions provide general technology guidance |
| Encryption requirement | Technology must be “secure, confidential, and appropriate” for client needs | Safeguards consistent with HIA s.60; reasonable security for electronic communication | Existing standards reference “reasonable security”; psychotherapy specific requirements pending |
| Consent for electronic communication | Required. Separate informed consent for electronic channels, beyond general PHIPA consent. Must cover: channels used, risks, limits of confidentiality, alternatives, right to withdraw | Required. Informed consent covering risks of electronic communication, available alternatives, and right to withdraw at any time | Existing consent requirements cover information collection and disclosure; psychotherapy specific electronic consent requirements pending |
| Documentation requirements | Treatment related email correspondence must be part of the clinical record. Electronic practice policies must be documented | Record keeping standards expect documentation of communications containing health information. Audit trail expected | Documentation requirements for currently regulated professions apply; psychotherapy specific requirements pending |
| Audit trail expectations | Email correspondence that is part of treatment must be logged as part of the clinical record | CAP and HIA both expect accountability documentation for health information handling | Not yet specified for psychotherapists |
| Privacy law layer | PHIPA (Personal Health Information Protection Act, 2004) | HIA (Health Information Act, R.S.A. 2000) | PIPA (Personal Information Protection Act, S.B.C. 2003) |
| Breach notification | Mandatory under PHIPA s.12(2), “at first reasonable opportunity” | Mandatory under HIA s.60.1, “as soon as practicable” | Mandatory under PIPA when breach creates “real risk of significant harm” |
| PIA requirement | Recommended by IPC Ontario; not mandatory to submit | Mandatory under HIA s.64; must be submitted to OIPC Alberta before implementation | Not required under PIPA for private sector |
| Regulation maturity for psychotherapy | Established. CRPO has regulated psychotherapists since 2015 | Established for psychologists. Expanding to counselling therapists | Psychotherapy regulation begins November 29, 2027 under the Health Professions and Occupations Act (HPOA) |
For the underlying provincial privacy laws each college standard sits on top of, see our provincial privacy law comparison.
Where the three colleges agree
The specific language differs across provinces, but the direction is consistent: all three colleges expect therapists to protect electronic communication.
Encryption. None of the three colleges use the word “encryption” explicitly in their practice standards. CRPO says “secure, confidential, and appropriate.” CAP says “safeguards.” CHCPBC’s existing standards reference “reasonable security.” But all three privacy commissioners have interpreted these phrases to include encryption as a technical safeguard when the information is sensitive. Health information qualifies.
Consent before electronic communication. All three colleges expect you to get consent before communicating with clients electronically. The detail of that consent varies (more on that below), but the principle is shared: clients should know you’re using electronic channels, understand the risks, and agree to it.
Documentation. Each college expects that your email practice leaves a trail. CRPO is the most prescriptive here (email as part of the clinical record), but CAP and CHCPBC both expect you to demonstrate accountability through documentation.
Deference to provincial privacy law. None of these colleges replace the privacy law. They add to it. CRPO’s Standard 3.4 builds on PHIPA. CAP’s guidelines build on HIA. CHCPBC will build on PIPA. The privacy law is the floor. The college raises it.
Where they differ
The differences come down to specificity, scope, and timing.
CRPO: the most detailed standard
CRPO is the only college of the three with a standalone electronic practice standard. Standard 3.4 runs 12 pages and covers four areas: secure technology, informed consent for electronic channels, professional liability insurance for electronic services, and information about technology used in the therapeutic relationship.
The informed consent requirement under Standard 3.4 goes further than “get consent.” It’s a multi element process that must cover which electronic channels you use, the risks of each, limits of confidentiality in electronic communication, available alternatives, and the client’s right to withdraw consent. This is separate from general PHIPA consent for the collection, use, and disclosure of health information.
Standard 3.4 also requires that treatment related email correspondence be part of the clinical record. If you email a client about a session time and the email references their treatment, it goes in the file.
For the full breakdown: CRPO electronic practice standards.
CAP: general standards with a technology guideline
CAP doesn’t have an electronic practice standard at the same level of detail as CRPO. Instead, CAP publishes a Use of Technology practice guideline (updated September 2024) that covers telepsychology requirements, informed consent for technology use, confidentiality in electronic communication, and social media.
CAP’s informed consent for electronic communication follows a similar pattern to CRPO: clients must understand the risks, know their alternatives, and have the right to withdraw. But the guideline is less prescriptive about exactly what that consent document must contain.
Where CAP gets more prescriptive than CRPO is on the privacy law side. HIA’s mandatory PIA requirement (s.64) means Alberta psychologists must complete and submit a Privacy Impact Assessment to the Office of the Information and Privacy Commissioner of Alberta (OIPC) before implementing any new system for health information. CRPO has no equivalent mandatory submission requirement.
CAP is also expanding its regulatory scope. Counselling therapists in Alberta will come under CAP regulation, which means more practitioners will need to meet both CAP practice standards and HIA email requirements.
For the full Alberta guide: CAP practice standards for Alberta.
CHCPBC: building the framework
CHCPBC is in a different position than CRPO and CAP. Psychotherapists aren’t regulated in BC yet. The Health Professions and Occupations Act (HPOA) designates November 29, 2027 as the date psychotherapy regulation begins under CHCPBC.
CHCPBC currently regulates nine other professions (including psychologists, occupational therapists, and physical therapists) and is working on harmonized practice standards that will apply across all regulated professions. The goal is one set of standards instead of the seven legacy sets currently in use.
What does this mean for psychotherapists? The practice standards that will apply after November 2027 don’t exist yet in their final form. CHCPBC’s existing standards for other professions address technology use and security obligations in general terms, but there is no published psychotherapy specific electronic practice standard comparable to CRPO’s Standard 3.4.
Until November 2027, BC therapists who aren’t members of another regulated health profession follow PIPA alone. After 2027, CHCPBC will add a college layer on top. Based on the direction of the harmonized standards work, those standards will cover electronic communication, but the specifics haven’t been finalized.
For more on the BC timeline: CHCPBC psychotherapy regulation and psychotherapist protected title in BC.
Which privacy law sits under each college
Your college standard doesn’t replace the privacy law. It layers on top.
| College | Privacy law | Key security section | Relationship |
|---|---|---|---|
| CRPO (Ontario) | PHIPA | s.12(1): “reasonable steps” to protect PHI | Standard 3.4 adds electronic practice requirements beyond PHIPA’s general obligation |
| CAP (Alberta) | HIA | s.60: safeguard duty + Health Information Regulation | CAP’s Use of Technology guideline supplements HIA’s prescriptive requirements, including the mandatory PIA (s.64) |
| CHCPBC (BC) | PIPA | s.34: “reasonable security arrangements” | College standards (once finalized for psychotherapists) will add profession specific requirements on top of PIPA’s general obligation |
The two layer model works the same way in each province. The privacy law creates the legal floor: encrypt, safeguard, get consent, notify on breach. The college standard raises the bar for your specific profession: document your electronic practice policies, get informed consent specific to electronic channels, keep email correspondence in the clinical record.
If you’ve already read the privacy law comparison across Canada, that post covers the first layer. This post covers the second.
What this means for your email setup
Regardless of which college you’re registered with (or will be registered with in 2027), the practical requirements converge on the same set of actions.
Encryption is non negotiable across all three provinces. The legal language varies, the interpretation doesn’t. If your email contains health information, it needs encryption that you control. Gmail’s default TLS encryption is not sufficient because it depends on the recipient’s server configuration.
Consent documentation needs to cover electronic communication specifically. A general privacy notice isn’t enough for any of the three colleges. You need a separate consent process for electronic channels. CRPO is the most detailed about what that consent must include (five elements). CAP and CHCPBC are less prescriptive, but the expectation is the same: clients should know how you’ll communicate electronically, what the risks are, and that they can opt out.
Your email needs an audit trail. CRPO is explicit: treatment related email goes in the clinical record. CAP expects documentation of health information handling. The audit trail isn’t optional in any province.
Alberta practitioners: don’t skip the PIA. This is the biggest practical difference between the three provinces. If you’re a CAP registrant using Gmail for health information, you need a PIA submitted to the OIPC before implementation. Not after. Ontario recommends PIAs but doesn’t mandate submission. BC doesn’t require them under PIPA for private sector.
BC practitioners: start documenting now. You have until November 29, 2027 before CHCPBC starts regulating psychotherapists. Use the time. Build your electronic communication policies, set up your consent documentation, get your encryption in place. When the college standards land, you’ll be updating existing documentation instead of starting from scratch.
Frequently asked questions
Which college regulates psychotherapists in Ontario?
The College of Registered Psychotherapists of Ontario (CRPO) regulates Registered Psychotherapists (RP) in Ontario. CRPO’s Standard 3.4 sets the electronic practice requirements for these registrants, including email.
Does CAP regulate counselling therapists?
CAP is expanding to include counselling therapists under its regulatory scope. Currently, CAP regulates psychologists in Alberta. When counselling therapists are regulated under CAP, they will need to meet the same practice standards and HIA obligations that psychologists follow.
When does CHCPBC start regulating psychotherapists?
November 29, 2027, under the Health Professions and Occupations Act (HPOA). Until that date, BC therapists who aren’t members of another regulated health profession follow PIPA without a college layer on top.
Do I need to follow both my college standards and my provincial privacy law?
Yes. The privacy law (PHIPA, HIA, or PIPA) is the legal floor. Your college standards add profession specific requirements on top. Both apply simultaneously. For example, an Ontario registered psychotherapist must meet PHIPA’s s.12(1) obligation to take reasonable steps to protect PHI and CRPO Standard 3.4’s requirement for secure electronic communication, informed consent for electronic channels, and documentation of email correspondence as part of the clinical record. The college standard never replaces the privacy law. It adds to it.
Curio’s compliance infrastructure handles the encryption layer across all three provinces, covering PHIPA, HIA, and BC PIPA. Your Gmail stays the same. Join the waitlist.
This guide is part of the Google Workspace for Canadian Therapists project. We run a private Facebook group where Canadian therapists on Google Workspace share compliance tips, templates, and admin console walkthroughs. Join the group.
This content is for informational purposes only and does not constitute legal advice. Privacy regulations vary by province and are subject to change. Verify current requirements with your provincial regulatory body.
Coming soon
PHIPA compliant Gmail encryption, built for Canadian therapists.
