Email privacy laws across Canada: what therapists in Ontario, Alberta, and BC need to know
- Three provincial laws govern therapist email in Canada: PHIPA (Ontario), HIA (Alberta), and PIPA (BC)
- All three require encryption for health information, but use different legal language and enforcement mechanisms
- Alberta is the only province that mandates a Privacy Impact Assessment before using email for health information
- Gmail does not meet any of these laws’ requirements in its default configuration
- Your college of registration adds a second layer of obligations on top of the privacy law
Three provinces. Three privacy laws. Three sets of rules for how you handle client email. If you’re a therapist in Canada, the law that applies to your email depends on where you’re registered to practice, not where your client lives, not where your server is, and not where you’re sitting when you hit send.
Canada does not have a single national health privacy law for private-sector therapists. Ontario’s Personal Health Information Protection Act (PHIPA), Alberta’s Health Information Act (HIA), and British Columbia’s Personal Information Protection Act (PIPA) each set their own rules for how health information must be handled electronically. Federal privacy law (PIPEDA) fills the gaps when provincial law doesn’t apply, but for most therapists practicing within a single province, the provincial statute is what governs their email.
This guide covers what each law requires, where they overlap, and where they don’t. If you’ve already read the province-specific guides for PHIPA email requirements for therapists, Alberta’s Health Information Act for therapists, or BC PIPA and therapist email, this is the piece that connects them.
Which law applies to your email?
The answer depends on your provincial college registration.
| Province of registration | Applicable law | Key statute |
|---|---|---|
| Ontario | PHIPA (Personal Health Information Protection Act) | S.O. 2004, c. 3, Sched. A |
| Alberta | HIA (Health Information Act) | R.S.A. 2000, c. H-5 |
| British Columbia | PIPA (Personal Information Protection Act) | S.B.C. 2003, c. 63 |
| Multiple provinces | All applicable provincial laws | Most restrictive standard applies |
| No provincial health law applies | PIPEDA (federal) | S.C. 2000, c. 5 |
If you’re a Registered Psychotherapist with the College of Registered Psychotherapists of Ontario (CRPO), PHIPA applies. If you’re regulated by the College of Alberta Psychologists (CAP), HIA applies. If you practice in BC, PIPA applies until the College of Health and Care Professionals of BC (CHCPBC) begins regulating psychotherapists in November 2027, at which point additional obligations will follow.
What if your client is in a different province than you? The requirements of both provinces may apply. That question gets complicated fast, and we’ll cover it in detail in a future guide on telehealth across provincial lines.
PHIPA (Ontario)
PHIPA is Canada’s most detailed provincial health privacy law. It applies to health information custodians in Ontario, a category that includes Registered Psychotherapists (RP) registered with CRPO. Under PHIPA s.12(1), custodians must take “reasonable steps” to protect personal health information (PHI) against theft, loss, and unauthorized access. The Information and Privacy Commissioner of Ontario (IPC) interprets “reasonable steps” to include encryption as a technical safeguard.
PHIPA’s consent framework for email is express consent. If you’re emailing PHI, you need your client’s documented agreement that they understand the risks and consent to this communication channel. We’ve covered the PHIPA consent requirements for email in detail, including the six elements your consent documentation should address.
Breach notification is mandatory. Under s.12(2), you must notify affected individuals “at the first reasonable opportunity” when PHI is compromised.
For the complete Ontario guide, including Gmail-specific analysis: PHIPA email requirements for therapists and is Gmail PHIPA compliant.
HIA (Alberta)
Alberta’s Health Information Act applies to custodians, a category defined under HIA s.1(1)(f) that includes regulated health professionals providing health services. Psychologists regulated by CAP are custodians. Section 60 creates the safeguard duty: protect health information against theft, loss, unauthorized access, copying, modification, and disposal. The Health Information Regulation adds specific categories of administrative, technical, and physical safeguards.
Alberta’s biggest difference from Ontario? The mandatory Privacy Impact Assessment. Under HIA s.64, custodians must prepare a PIA and submit it to the Office of the Information and Privacy Commissioner of Alberta (OIPC) before using any new system that handles health information. Not after. Before.
If you’re an Alberta psychologist using Gmail for health information and you haven’t submitted a PIA, you’re already non-compliant regardless of your encryption setup.
HIA’s consent model uses deemed consent more broadly for collection within the circle of care, but disclosure consent under s.34 has its own requirements. Breach notification is mandatory under s.60.1, requiring notification “as soon as practicable.”
For the complete Alberta guide: Alberta’s Health Information Act for therapists.
BC PIPA (British Columbia)
BC’s Personal Information Protection Act is a general private-sector privacy law, not a health-specific statute like PHIPA or HIA. It applies to all private-sector organizations in BC that collect, use, or disclose personal information. Therapists in private practice fall under PIPA. Section 34 is the core obligation: “An organization must protect personal information in its custody or under its control by making reasonable security arrangements.”
Because PIPA isn’t health-specific, it doesn’t have health information categories, mandatory PIA requirements, or the same level of prescriptive guidance you find in PHIPA or HIA. The Office of the Information and Privacy Commissioner for BC (OIPC) interprets the “reasonable security” standard more strictly when the information is sensitive (health data qualifies), but that interpretation happens through enforcement decisions, not the statute itself.
PIPA’s consent framework (s.6 through s.9) allows implied consent where the purpose of collection would be “obvious to a reasonable person” under s.8. For in-person therapy, this covers a lot. For email, explicit consent is the safer approach.
Breach notification under PIPA is mandatory. Organizations must notify the OIPC and affected individuals when a breach creates a real risk of significant harm. The OIPC uses this obligation as part of assessing whether your security arrangements were “reasonable” under s.34.
PIPA also does not mandate Canadian data storage. This is a common point of confusion. The Canadian data residency requirement some therapists have heard about comes from BC’s Freedom of Information and Protection of Privacy Act (FOIPPA), which applies to public bodies, not private practices.
If you’re evaluating email options, we’ve also compared Google Workspace, Microsoft 365, and ProtonMail for Canadian therapists.
For the complete BC guide: BC PIPA and therapist email.
Side-by-side comparison
| Requirement | PHIPA (Ontario) | HIA (Alberta) | PIPA (BC) |
|---|---|---|---|
| Encryption | “Reasonable steps” (s.12(1)); IPC interprets as including encryption | “Safeguard” duty (s.60); Health Information Regulation specifies technical safeguards | “Reasonable security arrangements” (s.34); OIPC expects safeguards appropriate to sensitivity |
| Consent for email | Express consent is the safe standard for email containing PHI | Deemed consent broader for collection; disclosure consent required under s.34 | Implied consent allowed under s.8 where purpose is obvious; explicit recommended for health data |
| Data residency | No statutory requirement for Canadian storage | No statutory requirement for Canadian storage | No statutory requirement under PIPA (FOIPPA requires it for public bodies only) |
| Breach notification | Mandatory, “at first reasonable opportunity” (s.12(2)) | Mandatory, “as soon as practicable” (s.60.1) | Mandatory when breach creates “real risk of significant harm”; notify OIPC and affected individuals |
| Privacy Impact Assessment | Recommended by IPC; not mandatory to submit | Mandatory submission to OIPC before implementation (s.64) | Not required under PIPA |
| Scope | Health-specific law; applies to health information custodians | Health-specific law; applies to custodians under s.1(1)(f) | General private-sector law; applies to all organizations |
| Regulatory college | CRPO (College of Registered Psychotherapists of Ontario) | CAP (College of Alberta Psychologists) | CHCPBC (College of Health and Care Professionals of BC; psychotherapy regulation starts Nov 2027) |
For the deeper hub including statute citations, enforcement frameworks, and college overlays, see our PHIPA vs HIA vs BC PIPA hub.
The pattern that emerges: all three provinces require encrypted email for health information, but they arrive there through different legal frameworks. Alberta is the most prescriptive (mandatory PIA). Ontario is the most detailed on health information handling. BC gives the most flexibility but also the least health-specific guidance.
What about PIPEDA?
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s federal private-sector privacy law. For most therapists practicing within a single province, PIPEDA does not directly apply because PHIPA, HIA, and PIPA are each deemed “substantially similar” to PIPEDA within their respective provinces.
PIPEDA becomes relevant in specific situations:
- Cross-border practice. If you treat clients in provinces without substantially similar legislation, PIPEDA may apply.
- Commercial activity across provincial lines. If you operate a practice that crosses provincial boundaries commercially (not just treating the occasional out-of-province client), PIPEDA may govern some of your data handling.
- Federal jurisdiction. Certain federally regulated activities fall under PIPEDA regardless of province.
For the practical question of “what happens when my Ontario client moves to BC?” or “I’m registered in Alberta but seeing a client in Saskatchewan,” the answer gets complicated. We’ll cover cross-provincial and telehealth compliance in a dedicated guide on telehealth across provincial lines.
The short version: when in doubt, apply the most restrictive standard.
What your college adds on top of the law
Privacy law sets the floor. Your professional college adds height.
Each provincial college has its own practice standards for electronic communication, and these can go further than what the privacy statute requires. Where the law says “reasonable steps” or “reasonable security arrangements,” your college may specify exactly what that looks like in clinical practice.
- CRPO (Ontario): Standard 3.4 covers electronic practice for Registered Psychotherapists. It requires secure electronic communication, informed consent specific to electronic channels, and documentation of electronic practice policies. For the full breakdown, see CRPO electronic practice standards.
- CAP (Alberta): The College of Alberta Psychologists has practice standards for psychologists that address electronic communication and record keeping. CAP is also expanding its scope to regulate counselling therapists, which will bring more practitioners under HIA custodian obligations. For the full breakdown, see CAP practice standards for email.
- CHCPBC (BC): Psychotherapy regulation in BC doesn’t begin until November 29, 2027. Until then, BC therapists who aren’t members of another regulated health profession rely on PIPA alone. After 2027, CHCPBC practice standards will add a college layer comparable to what CRPO provides in Ontario.
This means a therapist registered with CRPO has two layers to address: PHIPA (the law) and CRPO Standard 3.4 (the college requirement). An Alberta psychologist has HIA plus CAP practice standards. A BC therapist currently has PIPA alone, but that will change.
Frequently asked questions
Which privacy law applies to my therapist email?
It depends on your province of registration. Ontario therapists registered with CRPO fall under PHIPA. Alberta psychologists registered with CAP fall under HIA. BC therapists fall under PIPA. If you hold registration in multiple provinces, the requirements of each applicable law apply. When provincial health privacy law doesn’t apply (rare for regulated therapists), the federal PIPEDA governs.
Do all three provinces require email encryption for health information?
Yes. All three provincial laws require security measures that, in practice, mean encryption for email containing health information. PHIPA s.12(1) requires “reasonable steps.” HIA s.60 requires “safeguards.” PIPA s.34 requires “reasonable security arrangements.” Each province’s privacy commissioner interprets these obligations to include encryption as a technical safeguard when the information is sensitive, and health information qualifies.
What if my client is in a different province than I am?
The requirements of both your province and your client’s province may apply. There is no single authoritative answer because Canadian privacy law was not designed for cross-provincial telehealth. The safest approach is to apply the most restrictive standard from either province. For example, if you’re registered in BC (where PIAs aren’t required) but treating an Alberta client, you may need to comply with HIA’s PIA requirements. Cross-provincial compliance will be covered in a future guide.
Is Gmail compliant with any of these provincial laws?
Not in its default configuration. Gmail does not provide end-to-end encryption, a Canadian audit trail, or built-in consent management. These gaps exist regardless of which province you practice in. PHIPA, HIA, and PIPA each require security measures that Gmail’s standard setup does not meet for health information. For a detailed analysis of where Gmail falls short, see our guide on whether Gmail is PHIPA compliant. The core issues (opportunistic TLS encryption, US data storage, no communication-level audit trail) apply across all three provinces.
Curio’s compliance infrastructure handles encryption and audit trail for Canadian health privacy law, covering PHIPA, HIA, and BC PIPA. Your Gmail stays the same. Join the waitlist.
This content is for informational purposes only and does not constitute legal advice. Privacy regulations vary by province and are subject to change. Verify current requirements with your provincial regulatory body.