College of Registered Psychotherapists of Ontario (CRPO) Standard 5.6 requires registrants to maintain records of who accessed client information, what they accessed, and when. If you’re a therapist using Google Workspace to store clinical records, you need an audit trail that answers those questions for every interaction with client data. This guide uses Ontario’s CRPO requirements as the reference point, but therapists in Alberta (College of Alberta Psychologists (CAP)) and BC (College of Health and Care Professionals of BC (CHCPBC)) face similar record keeping obligations under HIA and PIPA respectively.

Google Workspace does have built in audit logging. The Admin console’s Reporting section tracks sign ins, file activity, and administrative changes. But it doesn’t produce the kind of structured, client centered access record that CRPO expects. Google’s logs are organized by user action, not by client. They don’t capture “viewed a client’s treatment plan” or “edited intake notes for client #247.” They capture “user opened a Google Doc at 2:14 PM.”

That gap is real. But closing it doesn’t require new software. A well structured Google Sheet, combined with a daily logging habit, gets you compliant with Standard 5.6 in about 30 minutes of setup.

What CRPO Standard 5.6 requires

Standard 5.6 (Record Storage, Security, & Retrieval) falls under the CRPO’s Record Keeping standards. It requires registrants to maintain records in a way that supports an audit trail and protects PHI against unauthorized access. In practice, a reasonable interpretation of “audit trail” under Standard 5.6 includes documenting:

Who accessed the record
What was accessed (the specific record or record type)
When the access occurred
What action was taken (viewing, editing, sharing, or deleting)
Any changes made to the record

This aligns with PHIPA s.12, which requires health information custodians to take reasonable steps to ensure that records of personal health information are protected against theft, loss, and unauthorized use or disclosure. An audit log is one of those reasonable steps.

The standard doesn’t prescribe a specific format. It doesn’t require automated logging. It requires that the log exists, that it’s accurate, and that it’s maintained consistently.

The audit log template

Here’s the structure. Each row represents one interaction with a client record.

The audit log template
Column	Description	Example
Date	Date of access (YYYY-MM-DD)	2026-03-15
Time	Time of access (HH:MM)	14:30
Client ID	Client identifier (name or ID number)	JD-2024-017
Record type	Category of record accessed	Treatment plan
Action	What was done	Edited
Accessed by	Name of person who accessed the record	Gabriel Borges
Details/Notes	Brief description of what changed or why	Updated treatment goals per session discussion

The Action column should use a controlled vocabulary. Stick to these values: Viewed, Created, Edited, Shared, Printed, Deleted, Downloaded. This keeps the log filterable and consistent across months of entries.

The Record type column should also use standardized categories: Intake form, Treatment plan, Session notes, Assessment results, Consent form, Correspondence, Billing record, Referral, Discharge summary. Add categories specific to your practice as needed, but keep the list stable.

Setup walkthrough in Google Workspace

This takes about 30 minutes. You’ll create the spreadsheet, add data validation to enforce consistent entries, protect the sheet from accidental edits, and set up the sharing permissions.

Step 1: create the spreadsheet

Open Google Sheets and create a new spreadsheet. Name it something clear: “Client Record Audit Log – [Your Practice Name].”

Create headers in Row 1 matching the seven columns above: Date, Time, Client ID, Record Type, Action, Accessed By, Details/Notes.

Bold the header row. Freeze it (View > Freeze > 1 row) so it stays visible as the log grows. Small step, but you’ll thank yourself six months in.

Step 2: add data validation for the Action column

Data validation prevents free text inconsistencies. Instead of someone typing “Looked at” one day and “Viewed” the next, the column becomes a dropdown.

Select the entire Action column (click the column letter, then exclude the header cell)
Go to Data > Data validation
Click Add rule
Under Criteria, select Dropdown (from a range) or Dropdown and enter the values: Viewed, Created, Edited, Shared, Printed, Deleted, Downloaded
Under If the data is invalid, select Reject input
Click Done

Repeat this for the Record type column with your standard categories.

Step 3: add data validation for the Date column

Select the entire Date column (excluding header)
Data > Data validation > Add rule
Under Criteria, select Is valid date
Set If the data is invalid to Show a warning
Click Done

This catches typos in dates without blocking entries entirely.

Step 4: protect the sheet structure

This step prevents accidental deletion of columns, reordering, or structural changes that would compromise the log’s integrity.

Go to Data > Protect sheets and ranges
Click Add a sheet or range
Select Sheet (not Range), then choose the current sheet
Click Set permissions
Select Only you or add specific collaborators who should be able to edit

For solo practitioners, this step is about protecting you from yourself. One accidental column deletion could lose months of audit data.

A more rigorous approach: create a second “Archive” sheet in the same workbook. At the end of each month, copy that month’s entries to the Archive sheet, then protect the Archive sheet entirely (no edits allowed, even by you). This creates an append only record that’s harder to tamper with retroactively.

The audit log should be accessible to anyone who needs to log entries, but no one else.

Click Share in the top right
Add collaborators (if you have staff or associates) with Editor access
Set General access to Restricted (only people with explicit access can open it)
Do not share via link

If you’re a solo practitioner, you don’t need to share the sheet with anyone. Keep it restricted to your Google account.

Step 6: create a template row

In Row 2, enter a sample entry to serve as a reference:

This shows the expected format at a glance. Delete it once you’ve logged a few real entries.

Step 7: set up a daily reminder

The log only works if you use it. Set a recurring calendar event at the end of your clinical day (or after your last session) with a 15-minute block titled “Update audit log.” Link the spreadsheet in the calendar event description so it’s one click away.

If you prefer, add it to the beginning of your day instead, logging the previous day’s access while it’s still fresh.

How to use the log daily

The hardest part of manual audit logging isn’t the setup. It’s the habit. Here’s what works in practice.

Pick one time each day to update the log. End of day works for most therapists. Some prefer to log each interaction immediately after it happens. Either approach satisfies Standard 5.6, but the end of day batch is more realistic for busy clinical days.

Log every access, not just edits. If you opened a client’s file to read their treatment plan before a session, that’s a “Viewed” entry. CRPO’s requirement covers access, not just modification. This is the part most therapists underestimate. Reading a file counts. Every time.

Be specific in the Details column, but brief. “Updated treatment goals” is better than “Made changes.” “Reviewed intake form ahead of session” is better than “Looked at file.” You don’t need to reproduce the content of the change, just describe what you did and why.

If your practice uses a client ID system (even a basic one like initials plus year), use that in the log instead of full names. It adds a layer of privacy protection if the spreadsheet is ever accessed by someone who shouldn’t see client names. Keep a separate, protected mapping of Client IDs to names.

Don’t backfill from memory. If you missed logging for a day, note it. Add an entry like: “2026-03-18 – No entries logged this date. Entries for this date reconstructed on 2026-03-19 from calendar and file modification timestamps.” Honesty in an audit log matters more than completeness.

How Google Workspace’s built in audit logging supplements your manual log

Google Workspace does have audit capabilities. They’re useful as a secondary record, and they capture things your manual log can’t.

Path: Admin console > Reporting > Audit and investigation

Here you can view:

Drive log events: when files were created, viewed, edited, downloaded, shared, or deleted. Includes timestamps and user identity.
Gmail log events: message send/receive timestamps, recipients, and delivery status.
Login events: when users signed in, from which IP address, and whether 2FA was used.
Admin events: changes to settings, permissions, and user accounts.

These logs are retained for 6 months by default (longer with Google Vault, if you have it). They’re generated automatically and can’t be altered by users.

Where they fall short for CRPO compliance:

They’re organized by event type and user, not by client. There’s no way to pull up “all access events related to Client X.”
They don’t capture the clinical context. Google knows you opened a file. It doesn’t know which client that file belongs to unless the filename contains the client’s name.
They don’t distinguish between clinical and administrative access. Opening a billing template looks the same as opening a treatment plan.
The reporting interface isn’t designed for export in a format you’d hand to a regulator.

Your manual log fills these gaps. Google’s built in logs provide a verifiable timestamp trail that corroborates your manual entries. Together, they form a stronger record than either one alone.

If you haven’t configured the rest of your admin console security settings, the Google Workspace admin console security settings guide covers the BAA, data regions, 2FA, and sharing permissions in detail.

Laptop displaying a dashboard with data analytics representing audit log tracking

Cross referencing with other compliance requirements

Audit logging doesn’t exist in isolation. It connects to several other compliance obligations:

If you’re communicating with clients over Gmail, those emails are clinical records under CRPO standards. Your audit log should capture when you access or reference email correspondence. For retention timelines and policy setup, see the guide on email retention policies for Ontario therapists.

Client access requests. Under PHIPA s.52, clients have the right to request access to their own records. When a client makes an access request, every step you take to fulfill it should be logged: the request date, what records you reviewed, what you provided, and when. That process is covered in our guide on handling client record access requests under PHIPA.

AI data processing. If you haven’t disabled Google Workspace’s AI features, Smart Compose and Gemini may be processing the contents of your clinical documents. That processing isn’t captured in your manual audit log. While the Information and Privacy Commissioner of Ontario (IPC)‘s January 2026 guidance focuses on AI scribes, the same principle (that consent is generally required for AI processing of health information) is relevant to Google Workspace features like Smart Compose and Gemini. The guide on disabling AI features in Google Workspace walks through every toggle.

Your audit log is one component of the full safeguard requirements under PHIPA s.12. It demonstrates that you’re tracking access to PHI, which is exactly the kind of “reasonable step” the IPC looks for during an investigation. For the full picture of PHIPA email requirements, see the PHIPA email requirements guide.

The honest limitations of manual audit logging

This approach works. Thousands of regulated professionals maintain manual logs for compliance purposes. But it has real limitations that you should understand before relying on it.

It depends on human compliance. If you forget to log an access event, it doesn’t exist in the record. There’s no automated backup. Google’s built in audit logs catch file opens and edits, but they can’t tell you whether you remembered to record that access in your spreadsheet. The log is only as complete as your discipline.

On a day with eight clients, you might have 15 to 25 log entries: viewing session notes before each appointment, updating notes after, checking a treatment plan, reviewing an intake form for a new client. That’s 10 to 15 minutes of logging each day. Over a year, that’s roughly 40 to 60 hours spent on audit log maintenance.

It’s not tamper proof. A Google Sheet can be edited retroactively. Even with sheet protection, the owner can unprotect and modify entries. Google Sheets does have a version history (File > Version history) that shows changes over time, and this provides some evidence of tampering, but it’s not the same as an immutable ledger.

You can’t run a report that says “here are all the files accessed on March 15th that don’t have a corresponding audit log entry.” Reconciling your manual log against Google’s Drive audit log is possible but requires manual comparison, which is its own tedious process.

It doesn’t scale. For a solo practitioner or a small group practice, manual logging is manageable. For a practice with five or more clinicians, the volume of entries, the training required, and the risk of inconsistency start to add up.

These limitations are why automated audit logging tools exist. Solutions like Curio aim to add automatic encryption and a Canadian audit trail to your existing Gmail workflow. Other options include dedicated compliance products or EHR systems with built in audit trails. If the manual approach isn’t sustainable for your practice, it’s worth evaluating what automated alternatives are available for your setup.

Getting started today

You can set up the audit log template in 30 minutes. Here’s the sequence:

Create the Google Sheet with the seven column structure
Add data validation for Action, Record Type, and Date columns
Protect the sheet structure and set sharing to Restricted
Create a monthly Archive sheet with full protection
Set a daily calendar reminder to update the log
Log your first day of entries

The template is imperfect. The process is manual. But having a documented, structured audit trail puts you ahead of the vast majority of practices that have no access logging at all. CRPO Standard 5.6 requires that the record exists. This gets you there.

This guide is part of the Google Workspace for Canadian Therapists project. We run a private Facebook group where Canadian therapists on Google Workspace share compliance tips, templates, and admin console walkthroughs. Join the group.

This content is for informational purposes only and does not constitute legal advice. Privacy regulations vary by province and are subject to change. Verify current requirements with your provincial regulatory body.

How to create a manual audit log for client records in Google Workspace

What CRPO Standard 5.6 requires

The audit log template