Hushmail vs Gmail for Canadian therapists: an honest comparison
- Hushmail offers dedicated encrypted email with Canadian servers at $16.99 CAD/month
- Default Gmail does not meet PHIPA, HIA, or PIPA encryption standards
- Adding an encryption layer to Gmail avoids email migration entirely
- Hushmail has the edge on Canadian data residency for email content
- Gmail with encryption keeps your Google Workspace workflow intact
- Neither option covers every requirement; the right choice depends on your practice
Most Canadian therapists already use Gmail. It’s where their calendar lives, where their Drive files sync, where their video calls happen. Hushmail’s pitch is to leave all of that behind and switch to a dedicated encrypted email provider.
That’s a real option. But it’s not the only one.
If you search “Hushmail vs Gmail” right now, every result on page one is Hushmail’s own marketing. There’s no independent comparison written from the perspective of a Canadian therapist who actually uses Google Workspace. This is that comparison.
We’re evaluating Hushmail, default Gmail, and Gmail with an encryption layer against what PHIPA, HIA, and PIPA actually require. No vendor is going to come out looking flawless here, including Curio.
Quick comparison table
| Feature | Hushmail | Gmail (default) | Gmail + encryption layer |
|---|---|---|---|
| Encryption method | Built in (OpenPGP + TLS) | TLS only (server to server) | TLS probe + encrypted portal fallback |
| Pricing | $16.99 CAD/month | Included with Google Workspace ($8 CAD/month) | Google Workspace + encryption layer fee |
| Email content on Canadian servers | Yes (Vancouver and Calgary) | No (US/global data centers) | No (email routed through Gmail’s servers) |
| Compliance infrastructure in Canada | Yes | No | Depends on provider (Curio: yes, Montreal/Toronto) |
| PHIPA alignment | Strong (encryption + IMA) | Weak (TLS alone insufficient) | Moderate to strong (encryption + audit trail, no consent engine at V0) |
| Email migration required | Yes | N/A | No |
| Google Calendar/Drive/Meet integration | No | Yes | Yes |
| Learning curve | New interface, new workflow | None | Minimal (runs in background) |
| Encrypted forms | Yes (built in) | No | Varies by provider |
| Audit trail | Yes | No | Depends on provider (Curio: yes, Canadian hosted) |
What Hushmail gets right
Hushmail has been providing encrypted email since 1999 and has served healthcare practitioners for well over a decade. Credit where it’s due.
Their servers are in Vancouver and Calgary, which means email content stays on Canadian soil. For therapists whose risk assessment or college requirements prioritize Canadian data residency for the email itself (not just the compliance infrastructure), this matters.
They provide a signed Information Manager Agreement (IMA) that spells out their obligations for handling your client data. If you’ve ever tried to get a Business Associate Agreement from Google, you know how different this experience is. Hushmail built the IMA for Canadian practitioners specifically.
Their encrypted web forms are genuinely useful. Intake forms, questionnaires, consent documents: all handled through the same encrypted channel as your email. For a solo practitioner who doesn’t want to bolt together four different tools, that’s a real selling point.
And the product works. You send an email. It gets encrypted. The recipient opens it through a secure portal or decrypts it with their own key. It does what it says. Hushmail has been through regulatory scrutiny and has a track record that newer products haven’t built yet.
Pricing
$16.99 CAD/month for a solo practitioner. $20.99 CAD/month for an additional admin account. Group practices with five or more users start at $34.99 CAD/month.
For context, that’s roughly the same as a Google Workspace Business Starter subscription ($8 CAD/month) plus a coffee. You lose the Google ecosystem, but you get purpose built encrypted email with Canadian data residency baked in.
Where Hushmail falls short for some therapists
The core tradeoff: Hushmail requires you to leave Gmail.
That sounds minor on paper. It’s not. Not if your practice depends on Google Workspace. If your practice runs on Google Workspace, migrating to Hushmail means:
- New email address (or setting up forwarding, which introduces its own compliance risks)
- Every client who has your current email gets a “please update my address” notice
- Google Calendar, Google Drive, and Google Meet stop being integrated with your email
- A new interface to learn, new mobile app to configure, new workflow to build habits around
For therapists who only use email and nothing else from Google, migration is straightforward. For therapists whose entire practice management runs through Google Workspace, the switching cost is high. And it’s not just about your own adjustment. Your clients also need to update your email address in their contacts, which means some will inevitably keep emailing the old address.
Compliance content gaps
There’s another gap worth noting. Hushmail’s compliance content focuses on PIPEDA (the federal law), not the provincial health privacy statutes that actually govern most therapists. Their Canadian healthcare page references PIPEDA but doesn’t walk through PHIPA s.12(1) obligations in Ontario, HIA s.60 requirements in Alberta, or PIPA s.34 provisions in BC.
This doesn’t mean Hushmail fails to meet those requirements. Their encryption likely satisfies the “reasonable safeguards” test across all three provinces. But if you’re looking for guidance on how the product maps to your specific provincial law, you’ll need to do that analysis yourself. And if your college asks you to demonstrate compliance with a specific section of PHIPA or HIA, Hushmail’s marketing materials won’t give you that mapping.
No CRPO (College of Registered Psychotherapists of Ontario) Standard 3.4 alignment guidance either. Ontario psychotherapists working through CRPO’s electronic practice standards won’t find a ready-made compliance mapping from Hushmail.
Gmail without encryption: the compliance gap
If you’re using Gmail right now and sending client emails without an encryption layer, there’s a gap.
Gmail’s default TLS encryption only works when the receiving server also supports TLS. If the recipient’s email provider doesn’t, the message transmits in plaintext. Under PHIPA s.12(1), HIA s.60, and PIPA s.34, this falls short of the “reasonable safeguards” and “reasonable security arrangements” these statutes require for personal health information.
Beyond the encryption gap: no Canadian audit trail, no encrypted portal fallback for recipients on servers that don’t support TLS, and no formal documentation that proves you took reasonable steps to protect the email.
The evidence gap
That last point is the one therapists overlook. The PHIPA email requirements aren’t just about encrypting the message. They’re about demonstrating that you had a system in place. Default Gmail gives you no evidence of what protections were applied to a specific email on a specific date. If the IPC comes asking, “what safeguards were in place when you sent this email on March 15?” you have no answer.
We covered this in full in our guide on whether Gmail is Gmail PHIPA compliant. The short version: Gmail is a good email product. It’s not configured for Canadian health privacy law out of the box.
Gmail with encryption: the third option
There’s a middle path that didn’t exist a few years ago. Instead of leaving Gmail, you add an encryption layer on top of it. The idea: keep your existing Google Workspace setup, but make the email component meet Canadian health privacy requirements.
Curio is one product that does this. Here’s what it does at V0, stated without overclaiming.
Curio encrypts every outbound email automatically. The encryption engine probes the recipient’s server for TLS support. If TLS is available, the message sends encrypted over TLS. If not, the recipient gets a link to a secure portal where they read the message on Canadian infrastructure. Every send is logged in a Canadian audit trail hosted on GCP in Montreal and Toronto.
No migration. No new email address. No loss of Google Calendar, Drive, or Meet integration. Your Gmail stays the same. The encryption runs in the background.
From a workflow perspective, there’s nothing new to learn. You compose an email in Gmail exactly like you always have. Curio handles the encryption decisions at send time without any manual steps from you.
Honest limitations
Now the honest limitations.
Email content still touches US servers. Gmail routes messages through Google’s infrastructure, which includes data centers outside Canada. Curio’s compliance infrastructure (the audit trail, the encryption engine, the portal) runs in Canada. But the email content itself passes through Gmail before Curio processes it. If your risk assessment requires email content to stay on Canadian servers end to end, this is a gap that Hushmail doesn’t have.
No consent engine at V0. Curio encrypts and logs. It doesn’t manage consent. If you need a system that tracks which clients have consented to email communication and enforces different handling based on that consent, you’ll need to manage consent documentation separately for now.
No lock box directive support. PHIPA’s lock box provisions (allowing patients to restrict which providers in their circle of care can see specific records) aren’t supported. This is a V1+ feature.
Those are real limitations. For therapists evaluating encryption options, they matter. We include them here because a comparison that hides the downsides of its own product isn’t a comparison. It’s an ad.
How to decide
There’s no universal right answer here. The best choice depends on what your practice looks like today.
If you don’t use Google Workspace, Hushmail is worth evaluating. You’re not giving up an integrated ecosystem. You get Canadian data residency for email content, built in encrypted forms, and an IMA out of the box. The migration cost is low because there’s no ecosystem to leave behind.
If you use Google Workspace and want to keep it, an encryption layer is the compliance path that doesn’t require migration. You keep your calendar, your Drive, your video calls. You add encryption and a Canadian audit trail. The tradeoff is that email content still routes through Google’s servers. For most therapists whose primary concern is meeting the “reasonable safeguards” test under PHIPA, HIA, or PIPA, this tradeoff is acceptable. For therapists whose risk assessment demands full Canadian data residency for email content, it’s not.
If Canadian data residency for email content is a hard requirement (based on your own risk assessment, your college’s guidance, or your Privacy Impact Assessment), Hushmail has the edge at V0. Curio’s compliance infrastructure is Canadian hosted, but the email content itself passes through Gmail. At V0, there’s no way around this for Gmail based solutions.
Other factors
If you need encrypted forms alongside encrypted email, Hushmail bundles this. With Gmail plus an encryption layer, you’d need a separate forms solution. Whether that matters depends on how you handle intake. If you already use a dedicated forms tool (or your practice management software handles intake), the bundled forms aren’t a differentiator.
If price is the deciding factor, Hushmail at $16.99 CAD/month replaces Gmail entirely. Gmail with an encryption layer means paying for Google Workspace plus the encryption layer, which costs more in total. But the “cost” of migration (time, client disruption, lost integrations) isn’t on the invoice. Factor both.
If you practice across provinces, review the email privacy laws by province guide. The encryption requirements are functionally similar across PHIPA, HIA, and PIPA, but the consent and breach notification frameworks differ. Your email solution needs to work within whichever province’s law is most restrictive for your situation.
Document your decision
Whatever you choose, document the decision. Write down what you evaluated, why you chose the option you did, and what residual risks you accepted. This isn’t busywork. If your college or the Information and Privacy Commissioner of Ontario (IPC) ever audits your privacy practices, a documented decision shows you made a considered choice rather than a default one.
A one page memo to yourself is enough. “I evaluated Hushmail and Gmail with encryption. I chose [X] because [Y]. The residual risk I accepted is [Z].” Date it, file it with your practice policies. Done.
Pan-Canadian note
This comparison focuses on what Hushmail vs Gmail means for therapists across Canada, but the provincial details matter. Whichever option you choose, your obligations vary by province of registration.
Ontario therapists: PHIPA s.12(1) requires reasonable safeguards for personal health information. CRPO Standard 3.4 adds electronic practice requirements. See the full PHIPA email requirements breakdown.
Alberta therapists: HIA s.60 requires security safeguards, and HIA s.64 mandates a Privacy Impact Assessment before adopting new systems for health information. Alberta’s requirements include a PIA step that Ontario and BC don’t mandate. See the Alberta HIA email requirements guide.
BC therapists: PIPA s.34 requires reasonable security arrangements. BC’s breach notification obligations are mandatory when a breach creates a real risk of significant harm. Psychotherapy regulation through the College of Health and Care Professionals of BC (CHCPBC) begins November 29, 2027, which will add another layer of obligations. See the BC PIPA email privacy guide.
For a full cross provincial comparison of Google Workspace, Microsoft 365, and ProtonMail for therapists, we built that too.
The bottom line
Hushmail is a solid product with real strengths: Canadian servers, built in encrypted forms, a signed IMA, and close to two decades in healthcare email. If you’re not tied to Google Workspace, it deserves serious consideration.
But if your practice runs on Gmail, Calendar, Drive, and Meet, switching means more than changing your email. It means rebuilding workflows, updating every client, and losing the integrations you rely on daily.
Adding an encryption layer to Gmail is the third option. It’s not perfect either. Email content still routes through US servers, and features like consent management aren’t available yet at V0. But it gets your Gmail encrypted and audited in Canada without asking you to start over.
The honest answer is that both approaches involve tradeoffs. The question is which tradeoffs matter more for your practice, your province, and your risk tolerance.
Pick the option that fits what your practice actually looks like today. Not the one that looks best on a feature comparison chart. Not the one another therapist recommended in a Facebook group. The one that matches your workflow, your province, and your risk assessment.
Key takeaways
- Hushmail offers Canadian data residency for email content, built in encrypted forms, and a signed IMA, but requires leaving Gmail
- Default Gmail does not meet PHIPA, HIA, or PIPA requirements for therapist email
- Adding an encryption layer to Gmail keeps your Google Workspace workflow intact while adding encryption and a Canadian audit trail
- Curio’s V0 limitations include email content routing through US servers, no consent engine, and no lock box directive support
- Document whichever decision you make, including the tradeoffs you accepted
Curio makes your Gmail encrypted for Canadian mental health privacy law. No migration. No new tools. Join the waitlist.
Curio is designed to encrypt outbound email and maintain a Canadian audit trail. It is not a substitute for professional legal or compliance advice. Consult a qualified privacy professional for your specific situation.
This content is for informational purposes only and does not constitute legal advice. Privacy regulations vary by province and are subject to change. Verify current requirements with your provincial regulatory body.
Coming soon
PHIPA compliant Gmail encryption, built for Canadian therapists.
