
Is Paubox PHIPA compliant? Why US email encryption falls short in Canada

By Gabriel Borges
  1. Paubox is not PHIPA compliant. Their own blog confirms this.
  2. Paubox stores all data on US servers with no Canadian data center option.
  3. No Canadian audit trail, no PHIPA framework alignment, no provincial compliance infrastructure.
  4. Paubox is built for HIPAA, which does not map directly to Canadian health privacy law.
  5. Canadian therapists using Paubox must document cross-border data transfer risks in a Privacy Impact Assessment.

Paubox is one of the most recognized names in healthcare email encryption. If you’ve researched encrypted email for your practice, you’ve probably seen it recommended in American healthcare forums, HIPAA guides, and G2 reviews.

Here’s the problem: Paubox is built for HIPAA. And HIPAA is not PHIPA. If you’ve already looked into whether Gmail itself is PHIPA compliant, you know that email encryption for Canadian therapists is a different question than email encryption for American ones.

Paubox acknowledges this themselves. Their own blog post on PHIPA compliance discusses the relationship between the two frameworks but does not claim PHIPA compliance. For Canadian therapists searching “is Paubox PHIPA compliant,” the answer is no. This guide explains why, what the specific gaps are, and what to evaluate instead.

What Paubox does well

This is not an attack on Paubox. It’s a US product doing US healthcare compliance well. That deserves acknowledgment.

Paubox holds HITRUST CSF certification, which is the gold standard for US healthcare security frameworks. They offer zero-step email encryption for Gmail and Microsoft 365, meaning recipients don’t need to log into a portal or take any action to read encrypted messages. For US providers subject to HIPAA, this is a strong offering.

Their approach to encryption is genuinely good. Paubox checks whether the recipient’s server supports TLS. If it does, the email sends encrypted. If it doesn’t, the message routes through Paubox’s own encrypted delivery system. The sender does nothing differently. The recipient usually doesn’t either.
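The TLS check and fallback just described, modeled as an added example (this is not Paubox's code): the recipient server's EHLO reply is parsed, the message is routed over direct TLS only when STARTTLS is advertised, and otherwise it goes to a separate encrypted delivery path. The extension parser, the route names, the `probe_route` helper and the "portal" channel are assumptions, and the EHLO replies are constructed.

```python
"""Added example, not Paubox's code: model the opportunistic-TLS routing decision.
The recipient's mail server is asked (EHLO) what it supports; if it advertises
STARTTLS the message goes out over direct TLS, otherwise it is handed to a
separate encrypted delivery path (the 'portal' route is hypothetical)."""
import smtplib

DIRECT_TLS = "direct-tls"              # recipient MX advertised STARTTLS
ENCRYPTED_PORTAL = "encrypted-portal"  # fallback: assumed secure delivery channel

# Constructed EHLO replies in SMTP wire format (not captured from a real server).
EHLO_WITH_STARTTLS = (
    "250-mail.example.org Hello\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-legacy.example.org Hello\r\n"
    "250-SIZE 10240000\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo_extensions(ehlo_reply):
    """Return the uppercased extension keywords from a raw EHLO reply.
    Lines look like '250-KEYWORD [params]' (last line '250 KEYWORD'); the
    first line carries the server greeting, not an extension."""
    extensions = set()
    for line in ehlo_reply.splitlines()[1:]:
        body = line[4:] if line.startswith("250") else line  # drop '250-' / '250 '
        tokens = body.strip().split()
        if tokens:
            extensions.add(tokens[0].upper())
    return extensions


def choose_route(ehlo_reply):
    """Direct TLS only when STARTTLS is advertised; anything missing or malformed
    lands on the fallback path, which is what keeps the message encrypted."""
    if "STARTTLS" in parse_ehlo_extensions(ehlo_reply):
        return DIRECT_TLS
    return ENCRYPTED_PORTAL


def probe_route(mx_host, timeout=10.0):
    """Live variant (needs network): ask the MX host and read the same
    STARTTLS capability through smtplib's parsed EHLO response."""
    with smtplib.SMTP(mx_host, 25, timeout=timeout) as smtp:
        smtp.ehlo()
        return DIRECT_TLS if smtp.has_extn("starttls") else ENCRYPTED_PORTAL
```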

For American healthcare organizations that need HIPAA compliant email without changing their workflow, Paubox delivers. They’ve been operating since 2015, serve thousands of healthcare organizations, and their compliance track record in the US market is solid.

The product isn’t the problem. The jurisdiction is.

Why is Paubox not PHIPA compliant?

Paubox is not PHIPA compliant for three specific reasons: (1) all data is processed and stored on US servers, (2) there is no Canadian audit trail infrastructure, and (3) there is no alignment with PHIPA’s privacy framework or any Canadian provincial health privacy statute.

Let’s walk through each.

No Canadian data storage

Paubox’s infrastructure is entirely US based. Email processing, data storage, encryption keys, audit logs: all on US servers. There is no Canadian data center option. There is no way to keep your data within Canadian borders when using Paubox.

For a US healthcare provider subject only to HIPAA, this doesn’t matter. HIPAA does not require domestic data storage.

But Canadian health privacy law treats cross-border data transfer as a risk factor that must be evaluated. Under PHIPA email requirements, health information custodians must take reasonable steps to protect personal health information (s.12(1)). Storing that information exclusively on foreign servers is not a prohibition, but it triggers documentation obligations and must be justified through a privacy impact assessment.

No Canadian audit trail

When you send an email through Paubox, the encryption event is logged on Paubox’s US infrastructure. That log shows what was encrypted and when. But it’s stored on US servers, subject to US law, and accessible under US legal process (including the CLOUD Act).

A Canadian audit trail means: encryption events logged on Canadian servers, subject to Canadian law, accessible under Canadian legal frameworks, and demonstrably within the jurisdiction of the Information and Privacy Commissioner of Ontario (IPC) or equivalent provincial authority.

Paubox doesn’t provide this. If the IPC requests documentation of your email safeguards, your audit trail lives on servers in another country, under another country’s legal framework.

No PHIPA framework alignment

HIPAA and PHIPA share some conceptual ground (both require safeguards for health information), but the specifics diverge. PHIPA has different consent requirements, different breach notification obligations, different definitions of personal health information, and different enforcement mechanisms. A product that satisfies HIPAA’s administrative, physical, and technical safeguard requirements does not automatically satisfy PHIPA s.12(1)’s “reasonable steps” test. The two statutes ask different questions and define compliance differently.

Paubox’s compliance documentation, BAA templates, and security controls are designed for HIPAA. There is no PHIPA equivalent. No Canadian service agreement. No documentation mapping Paubox’s controls to PHIPA s.12(1) obligations. No alignment with CRPO Standard 3.4 or any other Canadian regulatory body’s practice standards. If your college asks how your email encryption meets their electronic practice requirements, Paubox has no documentation to point to.

What is the data residency gap?

Feature                               | Paubox                      | Canadian alternative
--------------------------------------|-----------------------------|---------------------------------------
Data processing location              | US                          | Canada
Audit trail location                  | US                          | Canada
Applicable law for stored data        | US (CLOUD Act, Patriot Act) | Canadian (PIPEDA, provincial statutes)
IPC jurisdiction over stored data     | No                          | Yes
Privacy Impact Assessment required    | Yes (cross-border)          | Depends on province (Alberta: yes)
PHIPA s.12(1) alignment documentation | None                        | Available

Data residency is not a binary pass/fail under Canadian health privacy law. PHIPA does not explicitly prohibit storing health information outside Canada. Neither does Alberta’s Health Information Act (HIA). BC’s Personal Information Protection Act (PIPA) takes a similar position.

But all three provinces treat cross-border storage as a risk factor that must be addressed.

How each province treats cross-border storage

In Ontario, the IPC has stated that health information custodians must consider the risks of storing personal health information in jurisdictions where Canadian privacy protections may not apply. In BC, the Office of the Information and Privacy Commissioner treats cross-border storage as relevant to the BC PIPA reasonable security standard under s.34. In Alberta, the OIPC considers data location in its review of Privacy Impact Assessments under HIA s.64.

The question isn’t “is it illegal to use Paubox in Canada?” It isn’t. The question is whether relying exclusively on US infrastructure meets the “reasonable” standard your provincial privacy commissioner would apply. And whether you can justify that choice if asked.

US encryption vs Canadian compliance infrastructure

Paubox encrypts email. That’s one piece of what Canadian health privacy law requires. But encryption alone is not compliance.

The difference between “email is encrypted” and “email is encrypted for Canadian health privacy law” comes down to four additional components: (1) a Canadian audit trail that documents every encryption event, (2) data processing on Canadian servers subject to Canadian law, (3) alignment with the specific provincial privacy statute governing your practice, and (4) documentation that maps the product’s controls to your obligations under PHIPA, HIA, or PIPA.

Paubox provides component one (encryption) without components two through four. It’s not that their encryption is weak. It’s that encryption alone doesn’t satisfy the broader “reasonable safeguards” test that Canadian provincial statutes apply.

The four components test

Think of it this way. If the IPC asked you to demonstrate the safeguards protecting your client emails, you’d want to show:

  • Every email was encrypted (Paubox does this)
  • Every encryption event was logged in an audit trail you control (Paubox’s logs are on US servers under US law)
  • The infrastructure handling your health information is subject to Canadian privacy oversight (Paubox’s infrastructure is not)
  • Your email system aligns with your obligations under PHIPA, HIA, or PIPA (Paubox has no Canadian compliance mapping)

One out of four isn’t zero. But it’s not enough to call it compliant.

What should Canadian therapists evaluate?

Before choosing any email encryption product, run through this evaluation. It applies whether you’re looking at Paubox, Curio, Hushmail, or anything else.

Canadian email encryption evaluation checklist:

  1. Does the provider store data on Canadian servers?
  2. Is there a Canadian audit trail (encryption events logged in Canada)?
  3. Does the provider offer a service agreement aligned with PHIPA, HIA, or PIPA?
  4. Can you demonstrate to your college (CRPO, CAP, CHCPBC) that the product meets their electronic practice standards?
  5. If data is stored outside Canada, can you document the cross-border transfer justification in a Privacy Impact Assessment?
  6. Is the audit trail subject to Canadian legal jurisdiction (not the CLOUD Act)?
  7. Does the product price in CAD with Canadian billing?

For Paubox specifically, the answers are: no, no, no, no, yes (you’ll need to do this), no, no.

That doesn’t make Paubox a bad product. It makes it a product built for a different country’s compliance requirements.

Pan-Canadian note

These gaps apply regardless of which Canadian province you practice in. Ontario’s PHIPA, Alberta’s HIA, and BC’s PIPA all treat cross-border data storage as a risk factor. All three require demonstrable safeguards. None of them are satisfied by HIPAA compliance alone.

If you practice in Ontario, your obligations under PHIPA s.12(1) and CRPO Standard 3.4 are not met by a HIPAA compliant product that stores data exclusively in the US. The same logic applies in Alberta (HIA s.60, CAP practice standards) and BC (PIPA s.34, with CHCPBC psychotherapy regulation beginning November 29, 2027).

For a full comparison of how email privacy requirements differ by province, see the email privacy laws across Canada guide.

Honest limitations of this analysis

This is a comparison written by a company that competes with Paubox. We’ve tried to be factual and fair, but you should know the bias exists.

Curio’s own V0 has limitations that matter here. Our compliance infrastructure (audit trail, encryption engine, portal messages) runs on Canadian servers in Montreal and Toronto. But email content still routes through Gmail before we process it, which means it touches US servers. We don’t have a consent engine yet. We don’t support lock box directives.

If your requirement is that email content never leaves Canadian servers at any point in the transmission chain, neither Paubox nor Curio at V0 solves that. Hushmail does, because they’re a standalone email provider with Canadian servers. The tradeoff is leaving Gmail entirely.

No option is perfect. The honest answer is that you’re choosing which tradeoffs are acceptable for your practice, your province, and your risk tolerance.

Key takeaways

  • Paubox is not PHIPA compliant and does not claim to be. Their infrastructure is US only.
  • HIPAA compliance does not equal PHIPA compliance. The frameworks share concepts but differ in specifics.
  • Canadian therapists using Paubox must document the cross-border data transfer as a risk factor in their Privacy Impact Assessment.
  • Encryption alone does not satisfy Canadian health privacy requirements. A Canadian audit trail, Canadian data processing, and provincial framework alignment are also required.
  • Evaluate any email encryption product against your specific provincial obligations (PHIPA, HIA, or PIPA) rather than assuming US healthcare compliance transfers to Canada.

Curio’s compliance infrastructure is Canadian. Audit trail and encrypted portal messages hosted in Montreal and Toronto. Automatic encryption for every send. Join the waitlist.


Curio is designed to encrypt outbound email and maintain a Canadian audit trail. It is not a substitute for professional legal or compliance advice. Consult a qualified privacy professional for your specific situation.

This content is for informational purposes only and does not constitute legal advice. Privacy regulations vary by province and are subject to change. Verify current requirements with your provincial regulatory body.
