Is Gmail PHIPA compliant? What Canadian therapists need to know

Gabriel Borges 12 min read

No, Gmail isn’t PHIPA compliant by default. If you’re a therapist in Ontario using Gmail or Google Workspace to communicate with clients, your current setup likely has gaps that PHIPA requires you to address. This guide covers what PHIPA actually requires for email, where Gmail falls short, what you can do about it, and what limitations remain even after you make changes.

What does PHIPA require for email?

PHIPA doesn’t ban email. Section 12(1) of the Personal Health Information Protection Act requires health information custodians to take “reasonable steps” to ensure that personal health information (PHI) in their custody is protected against theft, loss, and unauthorized use or disclosure.

The Information and Privacy Commissioner of Ontario (IPC) has consistently interpreted “reasonable steps” in its guidance on safeguards to include administrative, technical, and physical safeguards. For email, that translates into four requirements:

  1. Encryption. Email containing PHI must be protected in transit and, ideally, at rest. The IPC has consistently interpreted “reasonable steps” to include encryption as a technical safeguard.

  2. Consent. Clients must understand and agree to electronic communication before you send PHI by email. PHIPA distinguishes between implied and express consent, and for email containing PHI, express consent is the safe standard.

  3. Audit trail. You need a record of what PHI was communicated, when, and to whom. This isn’t the same as Gmail’s admin audit log, which tracks login activity and admin actions, not the content of clinical communications.

  4. Access controls. Only authorized individuals should be able to access PHI. For email, this means strong authentication on the account that sends and receives client communications.

These four requirements form the framework for evaluating any email tool. Gmail meets some of them partially. It doesn’t meet all of them by default.

Where Gmail falls short of PHIPA requirements

Encryption

Gmail encrypts email in transit using TLS (Transport Layer Security). When you send an email from Gmail, it’s encrypted between Google’s servers and the recipient’s email provider, provided the recipient’s server also supports TLS. Most major email providers do.

The gap is that TLS is opportunistic, meaning it only works if both sides support it. If the recipient’s server doesn’t support TLS, Gmail sends the message unencrypted. Gmail shows a red lock icon when a recipient’s server doesn’t support TLS, but it doesn’t block the message from sending. There’s no way to enforce TLS for every message.

For PHI, opportunistic encryption isn’t sufficient. Not even close. PHIPA’s “reasonable steps” standard requires that encryption be reliable, not conditional on the recipient’s infrastructure. A therapist can’t guarantee that every client, insurance provider, or referring physician uses an email service that supports TLS.

Gmail’s Confidential Mode adds a layer of access control (expiration dates, passcodes), but it isn’t end to end encryption. Google can still access the content. The message isn’t encrypted at rest in a way that prevents Google from reading it. And while Confidential Mode lets the sender choose an expiration period (from 1 day to 5 years), the access controls it provides are not a substitute for encryption.

Data residency considerations

Where does your client’s intake email actually live? On Google’s global infrastructure. For most Google Workspace editions, email data is distributed across data centres in the United States and the European Union. Even with Google Workspace’s data region settings (available on Business Standard and above, which is Google’s mid tier paid plan), the controls apply to primary data at rest, not to all copies, backups, or processing locations.

PHIPA doesn’t mandate Canadian data residency the way some other provincial laws do. Ontario takes a risk based approach: storing data outside Canada isn’t automatically a violation, but it’s a factor you must address in your risk assessment and Privacy Impact Assessment. The IPC has noted that cross border data transfers introduce additional risks, including exposure to foreign government access requests. Express consent is required for cross border disclosure of PHI.

This isn’t a binary pass or fail. It’s a consideration you must document and justify.

Audit trail

Say the IPC contacts you about a complaint. They want to know what PHI you sent to a specific client and when. Gmail’s admin audit log won’t help. It tracks account activity (logins, settings changes, admin actions), not the content or recipients of your clinical communications. It’s designed for IT administrators managing a Google Workspace domain, not for therapists responding to a privacy investigation.

It doesn’t produce a report you can hand to the IPC during a breach investigation. PHIPA requires that you be able to demonstrate your safeguards, and Gmail doesn’t generate the kind of communication level audit trail that demonstrates compliance.

Maintaining this record manually is possible (see our manual audit log guide), but manual processes depend on consistency over time, and consistency is difficult to sustain alongside clinical work. That inconsistency is exactly what “reasonable steps” is designed to address.

Consent

A client agrees to email communication during your first session. Six months later, the IPC asks for proof of that consent. Gmail won’t produce it. It doesn’t track whether a client has agreed to electronic communication, what the scope of that consent covers, or when consent was obtained.

Consent is the therapist’s responsibility, separate from the email tool. Gmail won’t help you here. The absence of any consent management feature means you must build and maintain a separate consent process. In practice, many therapists handle this on paper or skip it entirely. Our client communication templates include a consent form specifically designed for electronic communication of PHI that you can adapt for your practice.

Can you make Gmail PHIPA compliant?

You can reduce the gaps, but you can’t close all of them through configuration alone. Here’s what you can do:

1. Configure your Google Workspace admin security settings. Review every security relevant setting in your admin console. This includes enforcing two-factor authentication, signing the HIPAA BAA (the closest Google offers to a health data agreement), and configuring data region settings if your edition supports them. We wrote a setting by setting walkthrough that covers this in detail. Budget 30 to 45 minutes. You only need to do this once.

2. Disable AI features. Google Workspace includes several AI features that process the content of your email: Smart Compose, Smart Reply, Gemini summaries, and more. The IPC’s January 2026 guidance on AI scribes in healthcare establishes that consent is generally required for AI processing of health information. While that guidance specifically addresses clinical AI scribes, the same reasoning likely applies to email AI features that process PHI without client consent. If you haven’t obtained that consent, these features create a compliance gap. Our guide on disabling AI features walks through every toggle.

3. Use email disclaimers. Add email disclaimers to inform clients about the limitations of email communication. A disclaimer doesn’t make email compliant, but it’s part of demonstrating reasonable steps. Include the limitations of email encryption, the possibility that messages may be stored outside Canada, and the client’s right to choose an alternative communication method.

4. Maintain a manual audit log. Until an automated solution is available, keep a manual audit log of client communications containing PHI: who you emailed, when, and the general nature of the content. Our guide includes a Google Sheets template you can set up in 30 minutes.

5. Enable Confidential Mode selectively. Gmail’s Confidential Mode adds expiration and passcode protection. The sender can choose an expiration period from 1 day to 5 years, and recipients can’t forward or download the message. But it isn’t true encryption, and Google still has access to the content. Use it as an additional layer, not a replacement for encryption.

6. Complete a Privacy Impact Assessment. The IPC recommends that health information custodians complete a PIA before implementing any new system that processes PHI. Most therapists haven’t done one. Our PIA template for Google Workspace walks through every section in about 60 to 90 minutes.

These steps reduce your risk. They don’t eliminate it. The fundamental gaps (opportunistic TLS, no communication level audit trail, no consent management, data stored outside Canada) remain even after you configure everything correctly.
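The audit trail gap described earlier and step 4 above ask for the same record: who, when, and what kind of message, without copying the PHI itself. The Python below is an added example written for this post (not code from the post, from Google, or from any tool it names) that builds such an entry from a received message’s headers and also notes whether the final hop into the mailbox used TLS, which Gmail records as “with ESMTPS” in the Received header it adds. The sample message, addresses, ids and times are constructed placeholders.

```python
import csv
import hashlib
import io
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample inbound message: addresses, ids and times are placeholders.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [203.0.113.5])
        by mx.google.com with ESMTPS id placeholder-smtp-id
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 02 Mar 2026 09:15:00 -0500
From: Client Name <client@example.net>
To: Therapist <therapist@practice.example>
Date: Mon, 02 Mar 2026 09:14:30 -0500
Message-ID: <placeholder-id@example.net>

Hi, attached is my completed intake form.
"""

FIELDS = ["message_id", "timestamp", "sender", "recipients",
          "category", "last_hop_tls", "message_sha256"]


def last_hop_used_tls(msg) -> bool:
    """Topmost Received header is the hop into the mailbox; a STARTTLS
    delivery is recorded there as 'with ESMTPS' (RFC 3848)."""
    received = msg.get_all("Received") or []
    return bool(received) and "with ESMTPS" in " ".join(received[0].split())


def audit_record(raw: str, category: str) -> dict:
    """Communication-level log entry built from headers only: the PHI is
    never copied into the log, and the hash ties the entry to the mailbox copy."""
    msg = message_from_string(raw)
    return {
        "message_id": msg["Message-ID"],
        "timestamp": parsedate_to_datetime(msg["Date"]).isoformat(),
        "sender": getaddresses(msg.get_all("From", []))[0][1],
        "recipients": ";".join(a for _, a in getaddresses(msg.get_all("To", []))),
        "category": category,  # general nature of the content, entered by the clinician
        "last_hop_tls": last_hop_used_tls(msg),
        "message_sha256": hashlib.sha256(raw.encode()).hexdigest(),
    }


def csv_line(record: dict) -> str:
    """One row for a CSV or spreadsheet audit log, in FIELDS order."""
    buf = io.StringIO()
    csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n").writerow(record)
    return buf.getvalue()
```

The TLS flag only describes the inbound hop to your own mailbox; it says nothing about how a message you send reaches a client’s provider, which is the opportunistic TLS gap discussed above.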

What about Google Workspace’s HIPAA BAA?

Google offers a HIPAA Business Associate Amendment for Google Workspace. This is a contractual commitment under HIPAA, the US health privacy law. Signing it is worth doing because it commits Google to specific data handling obligations, but it doesn’t make Google Workspace PHIPA compliant.

Three things the BAA doesn’t address:

  1. Canadian privacy law. The BAA is a HIPAA instrument. HIPAA is a US federal law. PHIPA is an Ontario provincial law. They have different requirements, different enforcement mechanisms, and different definitions of key terms. Signing a HIPAA BAA doesn’t satisfy PHIPA obligations.

  2. Data residency. The BAA doesn’t require Google to store your data in Canada. Data region settings in Google Workspace are a separate configuration, and even those don’t guarantee all copies and processing stay within Canadian borders.

  3. Audit trail requirements. The BAA doesn’t add a communication level audit trail for email. It commits Google to making certain logs available, but those logs are admin level, not clinical communication level.

HIPAA compliance and PHIPA compliance aren’t interchangeable. They’re different laws with different requirements, and a product that meets one doesn’t automatically meet the other.

What other provinces require

PHIPA applies in Ontario. If you see clients in other provinces or are considering expanding your practice, the requirements change.

Alberta’s Health Information Act (HIA) has similar encryption requirements to PHIPA, but it’s stricter in one important way: Alberta requires custodians to complete a Privacy Impact Assessment and submit it to the Office of the Information and Privacy Commissioner of Alberta (OIPC) before implementing any new system that handles health information. That includes email. Read our full guide to Alberta HIA email requirements for therapists.

British Columbia’s Personal Information Protection Act (PIPA) takes a different approach to cross border data transfers. PIPA does not mandate Canadian data storage for private sector organizations, and cross border transfers are allowed. Unlike BC’s public sector law (FOIPPA), which mandates Canadian storage for public bodies, PIPA doesn’t contain a blanket residency requirement.

That said, PIPA requires you to notify clients if their personal information will be transferred outside Canada for processing and to take reasonable steps to protect it. In practice, these obligations push most therapists using Gmail toward Canadian hosting anyway. Our PIPA guide for therapists covers BC specific requirements in detail.

For a complete walkthrough of what PHIPA requires for email, see our PHIPA email requirements guide. For a full comparison of how PHIPA, HIA, and PIPA apply to therapist email, we’re working on a cross provincial overview (coming soon).

Frequently asked questions

Is Gmail PHIPA compliant?

No, not by default. Gmail provides TLS encryption in transit, but it doesn’t meet all of PHIPA’s requirements for safeguarding personal health information. The gaps include opportunistic (not guaranteed) encryption, no communication level audit trail, no consent management, and data stored primarily in the United States. You can reduce the gaps through configuration (admin security settings, disabling AI features, maintaining a manual audit log), but you can’t eliminate them entirely within Gmail’s native capabilities.

Can I use Gmail as a therapist in Canada?

Yes, but with additional safeguards. You need to configure your Google Workspace admin settings correctly, sign the HIPAA BAA, disable AI features that process email content, maintain a manual audit log, and complete a Privacy Impact Assessment. Even with these steps, gaps remain. The IPC has not issued a blanket prohibition on Gmail for health information custodians, but the burden is on the custodian to demonstrate that their safeguards are reasonable.

What encryption does PHIPA require for email?

PHIPA s.12(1) requires “reasonable steps” to protect PHI, which the IPC has interpreted to include encryption as a technical safeguard. For email, reasonable steps means more than relying on Gmail’s default TLS, because TLS is opportunistic and depends on the recipient’s email provider supporting it. The IPC hasn’t published a specific encryption standard, but the expectation is that encryption should be reliable and not dependent on factors outside the custodian’s control.

Does Google have a PHIPA compliance agreement?

No. Google offers a HIPAA Business Associate Amendment for US health privacy law. There’s no equivalent agreement for PHIPA. The HIPAA BAA is worth signing because it commits Google to specific data handling obligations, but it doesn’t satisfy Ontario’s PHIPA requirements. It’s a US legal instrument designed for US health privacy law.

What to do next

If you haven’t locked down the rest of your admin console, start with the full security settings guide. Then work through the AI features guide. Between those two guides and this post, you’ll have covered the most important configuration steps for a Canadian therapy practice on Google Workspace.

The gaps that remain after configuration: reliable encryption, automated audit trail, consent management. No amount of admin console toggling can close them.

Tools like Curio aim to address the encryption and audit trail gaps by adding automatic encryption and a Canadian audit trail to your existing Gmail workflow. Consent management remains a gap you’ll need to solve through your own intake process. Other approaches include switching to a provider with built in encryption — like Hushmail or ProtonMail (see our Hushmail vs Gmail comparison for a detailed breakdown written for Canadian therapists) — or adding a third party encryption layer to your current setup. The right choice depends on your practice size, technical comfort, and which gaps matter most for your situation.


This guide is part of the Google Workspace for Canadian Therapists project. We run a private Facebook group where Canadian therapists on Google Workspace share compliance tips, templates, and admin console walkthroughs. Join the group.


This content is for informational purposes only and does not constitute legal advice. Privacy regulations vary by province and are subject to change. Verify current requirements with your provincial regulatory body.
