
Ontario therapist, Alberta client: a compliance walkthrough

Gabriel Borges

Composite disclosure: Every name, date, and detail in this walkthrough is invented. The therapist, the client, and the practice do not exist. The scenario was assembled from common cross-provincial questions that come up in Canadian therapist Facebook groups and from the consent and breach scenarios documented in PHIPA and HIA. No PHI is referenced. This is not legal advice; verify your specific situation with a qualified privacy professional or your provincial regulatory body.

The scenario

A CRPO-registered psychotherapist in Toronto, practising solo on Google Workspace, gets an intake email on a Tuesday afternoon. The sender lives in Calgary. She found the therapist through a Psychology Today profile, wants weekly virtual sessions, and asks whether the therapist can see her.

The therapist’s first instinct is the practical one: do I have capacity, do our schedules line up, is the presenting concern within my scope of practice? Those are the right questions to start with. They are not the only ones.

Three questions get added the moment the therapist says yes:

  • Which privacy law actually applies to this client’s file?
  • What does the consent form need to say that it didn’t say yesterday?
  • Does anything change about how the email gets sent?

Here is how that plays out, decision by decision.

Decision 1: Which law applies?

The short version: PHIPA binds you, Alberta PIPA and CAP standards shape the client side, and PIPEDA can reach the cross-border transfer. HIA does not attach to you the way the question assumes.

PHIPA (Ontario’s Personal Health Information Protection Act) treats the therapist as a health information custodian based on where the therapist practises. The therapist is in Ontario. The therapist holds the file. PHIPA s.3 captures that relationship, and PHIPA s.12 captures the duty to safeguard the information in it. Nothing about the client living in Calgary removes the therapist from PHIPA.

HIA (Alberta’s Health Information Act) does not attach to this file the way many therapists assume. HIA binds Alberta custodians, and a solo Ontario therapist is not one; HIA’s custodian definition is tied to a designated list of Alberta entities and providers. The client being in Alberta does not switch the governing health privacy statute to HIA. What the client’s location does bring in is Alberta PIPA and CAP standards on the client side, plus a college question about whether you may practise into Alberta. The client’s expectations and OIPC Alberta’s general interest also don’t disappear because you are in another province.

PIPEDA enters when personal information crosses a provincial boundary in the course of commercial activity. Therapy fees paid by an Alberta resident to an Ontario practice qualify. PIPEDA’s reach here is mostly about the transfer of information across the border, not about replacing PHIPA.

The defensible operating posture is the one B-41 lays out in detail: stack the laws and meet the strictest standard on each requirement. Consent, encryption, breach response, retention. Apply the higher bar on each one.

For deeper analysis of how PHIPA, HIA, and BC PIPA interact, see telehealth and cross provincial privacy for Canadian therapists.

Decision 2: What does the consent form need to say?

The consent form the therapist uses for Ontario clients was built around PHIPA s.18 (consent for collection, use, and disclosure of PHI) and CRPO Standard 3.4 (electronic practice). It covers electronic communication risks, the limits of email confidentiality, what happens in a crisis, and the client’s right to withdraw consent.

For an Alberta client, two things need attention.

First, HIA’s consent model is not identical to PHIPA’s. HIA expects clear, informed, voluntary consent and treats the disclosure of identifying health information with particular care under sections covering consent to disclosure. The wording that satisfies PHIPA does not automatically satisfy HIA. A consent form that names PHIPA in its disclosures should also acknowledge HIA where the client is in Alberta.

Second, PHIPA’s lock box concept (the client’s right to instruct that specific information not be disclosed even within the circle of care) has no direct HIA equivalent. If the Ontario therapist’s consent form mentions lock box rights, it should clarify that those rights are exercised under PHIPA and that Alberta clients have separate withdrawal and consent management rights under HIA.

The practical move is a cross-provincial consent addendum that gets attached to the existing form when the client is outside Ontario. T-6 (cross-provincial consent addendum) was built for exactly this case. It is available in the May resource library.

Decision 3: What changes about email?

Probably nothing about the encryption layer if the therapist already encrypts every email containing PHI. Probably a lot about what the therapist documents.

PHIPA s.12(1) requires reasonable safeguards. The IPC has been clear in published guidance that for email containing PHI, that means encryption, not just opportunistic TLS. The CRPO’s Standard 3.4 reinforces the duty to use reasonably secure channels for electronic practice.

On the Alberta side, a private practice therapist is not an HIA custodian, so HIA s.60 is not the source of the duty. Alberta PIPA requires reasonable security arrangements, and the CAP practice standards on use of technology set the safeguard expectation for the client side of the file. Encryption is the consensus reading of both, although neither names the technology.

So the encryption requirement does not change. What changes is the audit trail. A cross-provincial file needs a record that holds up to scrutiny from more than one direction. The IPC may ask for evidence under PHIPA, and an Alberta complaint could draw OIPC Alberta or CAP attention to how the client side was handled. The therapist’s audit trail should capture send time, recipient, encryption status, and routing for every message in the file, not just messages flagged as sensitive.

Manually maintaining that record on a per-email basis is where most solo practices fall down. This is the operational gap tools like Curio close: the audit trail is captured automatically for every outbound email, regardless of jurisdiction. The documentation a regulator would ask for already exists in the file.

Decision 4: Does the therapist need an Alberta PIA?

HIA s.64 requires a privacy impact assessment for new administrative practices and information systems involving Alberta health information. The assessment is submitted to the OIPC Alberta before the system is used.

The honest answer for an Ontario therapist taking on one Alberta client: PIA submission is a known requirement for Alberta custodians implementing new systems. The therapist is not a designated Alberta custodian. The system (Google Workspace) is already in use. The OIPC Alberta has not historically pursued Ontario practitioners for HIA PIA non-submission.

The defensible posture, though, is to prepare a PIA addendum that addresses Alberta-specific risks for the file: data flow analysis showing where email content travels, encryption measures, retention practices, and breach notification thresholds under HIA. T-4 (Alberta HIA PIA addendum) extends the standard PHIPA PIA with the Alberta-specific sections.

This is risk management more than strict statutory compliance. A therapist who can produce a PIA addendum if questioned is in a different position than one who cannot.

Decision 5: What about CAP registration?

College registration is a separate analysis from privacy law. Privacy law follows the therapist’s province of practice. College registration follows the province of the client receiving services, in most provincial regulator interpretations.

The CRPO does not regulate practice outside Ontario in the sense of extending its own jurisdiction. It does, however, expect Ontario registrants to practise within their authorized scope and to comply with the regulatory requirements of any other jurisdiction where they provide services.

The CAP (College of Alberta Psychologists) regulates psychologists in Alberta. As of 2026, CAP is expanding to regulate counselling therapists as well. Whether an Ontario CRPO-registered psychotherapist needs CAP registration to see one Alberta client virtually is a question that CAP itself answers, and the answer has shifted as Alberta’s regulatory framework evolves.

The safe move is not to assume. Contact CAP directly before the first session. Document the response. Keep the documentation in the file.

For an overview of how the three provincial colleges differ on email and electronic practice, see CRPO vs CAP vs CHCPBC email requirements.

Decision 6: What if the client moves later?

This is the variation that catches people. A client who started in Calgary moves to Vancouver in October. PHIPA still binds you as the Ontario custodian throughout. What shifts is the client-side picture: Alberta PIPA and CAP expectations framed the file while the client was in Alberta, and BC PIPA plus the BC college framework apply now that the client is in Vancouver. The client’s move changes which province’s college rules you confirm, not which health privacy statute binds you.

Three operational steps when this happens:

  1. Re-confirm consent in writing. Reference the new applicable provincial regime.
  2. Note the date of relocation in the file. The audit trail should mark which messages were sent while the client was in Alberta and which after the move to BC, so the client-side context for each message is clear.
  3. Check whether the highest standard you were already applying still covers the new jurisdiction. In most cases yes. In edge cases (BC has its own breach notification thresholds and consent expectations), a quick review of the consent addendum is worth the half hour.

The cross-provincial consent addendum is built to handle this without rewriting the consent form from scratch each time.
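The audit-trail fields named under Decision 3 and the relocation marking in step 2 above can live in one record format. The sketch below is an added example, not Curio's implementation or anything from the original article: the hash chaining is an assumption introduced here so that later edits to the record are detectable, and the dates, address, and relay name are constructed.

```python
import hashlib
import json
from datetime import date, datetime, timezone

# Constructed residency history: (effective date, client-side province).
# Dates are read in the same timezone as the message timestamps (UTC here).
RESIDENCY = [(date(2026, 5, 5), "AB"), (date(2026, 10, 1), "BC")]
GENESIS = "0" * 64

def province_on(sent, history=RESIDENCY):
    """Return the client-side province in effect when a message was sent."""
    in_effect = [prov for start, prov in sorted(history) if start <= sent.date()]
    if not in_effect:
        raise ValueError("message predates the residency history")
    return in_effect[-1]

def digest(entry):
    """SHA-256 over every field except the stored hash itself."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(log, sent, recipient, encrypted, routing):
    """Record one outbound message, chained to the previous entry."""
    entry = {
        "sent": sent.isoformat(), "recipient": recipient,
        "encrypted": encrypted, "routing": routing,
        "custodian_law": "PHIPA",  # unchanged by the client's location
        "client_province": province_on(sent),
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = digest(entry)
    log.append(entry)
    return entry

def first_broken(log):
    """Index of the first altered or reordered entry, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != digest(entry):
            return i
        prev = entry["hash"]
    return None

def sample_log():
    """Three constructed sends, the last one after the move to BC."""
    log = []
    for day in [(2026, 5, 12), (2026, 9, 29), (2026, 10, 6)]:
        sent = datetime(*day, 15, 0, tzinfo=timezone.utc)
        append_entry(log, sent, "client@example.invalid", True, ["mx.example.invalid"])
    return log
```

Each entry carries the client-side province derived from the relocation date, so the record can be filtered by province without relabelling anything after the fact.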

What this scenario does not solve

A few honest limits.

Insurance billing across provincial lines has its own rules and is not a privacy question. Out-of-country travel by either the therapist or the client introduces residency questions that this walkthrough does not cover. Mandatory reporting obligations vary by province and override consent in specific circumstances — this scenario assumes none of those apply.

If the file involves a minor, a substitute decision maker, or contested custody, the consent analysis gets a lot harder and requires legal advice. Composite scenarios are good for showing the general shape. They are not a substitute for case-specific guidance.

Key takeaways

  • PHIPA applies to the Ontario therapist regardless of where the client lives. HIA does not attach to a solo Ontario therapist; the client’s Alberta location brings in Alberta PIPA, CAP standards, and a college registration question instead.
  • The encryption duty does not change across provinces. The audit trail needs to satisfy more than one regulator.
  • Consent forms built for Ontario clients need an Alberta-specific addendum. Lock box references in particular need clarification.
  • An Alberta PIA addendum is risk management, not a strict statutory obligation for an Ontario practitioner, but a defensible posture if the OIPC Alberta asks.
  • College registration is a separate analysis from privacy law. Ask CAP directly before the first session.

The product mention, kept short

Curio encrypts every outbound email for Canadian mental health privacy law and logs every send in a Canadian audit trail hosted in Montreal and Toronto. For cross-provincial files, the documentation a regulator would ask for already exists in the audit trail. Your Gmail stays the same.

Curio is at V0. The product encrypts outbound email and maintains the audit trail. Lock box directive enforcement and full consent management are not built yet. For those, the consent form and the cross-provincial consent addendum still do the work.

Join the Curio waitlist if encryption and the audit trail solve a real problem in your practice.

Disclaimer: This content is for informational purposes only and does not constitute legal advice. Privacy regulations vary by province and are subject to change. The scenario above is a composite for educational purposes and does not describe any real therapist or client. Verify current requirements with your provincial regulatory body or a qualified privacy professional.
