PHIPA breach notification for therapists: what to do in the first 24 hours
You sent a client’s intake summary to the wrong email address. Or your Gmail account got phished and someone read three months of client correspondence. Or a laptop with cached client emails walked out of a coffee shop.
Now what?
The internet will tell you that you have 24 hours. Some of that advice is borrowed from US HIPAA breach rules, which don’t govern an Ontario therapist. Some of it is well-meaning but imprecise. PHIPA, the law that actually applies to you in Ontario, does not set a fixed 24-hour deadline.
That doesn’t mean you have time to spare. It means the real standard is different, and getting it wrong cuts both ways: you can move too slowly, or you can panic and skip the steps that protect you. This guide walks through what PHIPA actually requires, what to do in the first 24 hours as a matter of practice (not statute), and when you must involve the Information and Privacy Commissioner of Ontario.
This is one piece of a larger picture. For how the breach rules differ between provinces, see the PHIPA vs HIA vs BC PIPA therapist guide. This post is Ontario and PHIPA.
Quick answer
- PHIPA does not impose a fixed 24-hour breach notification deadline. Under PHIPA s.12(2), you must notify affected individuals “at the first reasonable opportunity.”
- Mandatory reporting to the Information and Privacy Commissioner of Ontario (IPC) is required when the breach meets a reporting circumstance in O. Reg. 329/04 s.6.3, and the report is due “at the first reasonable opportunity.”
- The “first 24 hours” is practical first-response guidance: contain the breach, document it, and assess the risk of harm. It is not a statutory clock.
- You must keep a record of every breach. PHIPA requires custodians to track breaches and report annual breach statistics to the IPC each March 1 (O. Reg. 329/04 s.6.4); retaining your records well beyond that is sound practice.
What counts as a PHIPA breach?
A PHIPA breach is the theft, loss, or unauthorized use or disclosure of personal health information held by a health information custodian. Under PHIPA s.12(1), a custodian must take reasonable steps to protect personal health information; s.12(2) sets the duty to notify when those protections fail.
For a solo therapist, “personal health information” is almost everything you handle: a client’s name attached to the fact that they’re your client, session notes, intake forms, appointment times, billing tied to a diagnosis. PHIPA defines it broadly.
The everyday breaches that involve email
A breach isn’t only a dramatic hack. The everyday version is more common, and more likely to involve email.
Here are the kinds of incidents that show up most often:
- You autocomplete the wrong “Sarah” and send a treatment summary to a stranger.
- You reply-all to a group thread and expose one client’s name to others.
- A client’s email account is compromised and your unencrypted messages to them are now readable by an attacker.
- Your own Gmail is phished, and someone has read inbound and outbound client mail.
The IPC of Ontario has been explicit that even a brief compromise counts. An email account accessed without authority for as little as an hour is treated as both unauthorized use and unauthorized disclosure of any personal health information in it. The duty to notify follows from that.
Here’s the part most therapists miss. The breach happened the moment access was lost, not the moment you noticed.
Your clock for “first reasonable opportunity” starts at discovery, but the harm may have been accumulating before then. That is the argument for encryption that travels with the message, which we’ll come back to.
Is there really no 24-hour PHIPA deadline?
Correct. There is no 24-hour statutory deadline in PHIPA. This trips up a lot of careful, conscientious therapists, so it’s worth being exact about where the number comes from and what the law actually says.
PHIPA sets two timing standards, neither of which is 24 hours:
- Notifying the affected individual: “at the first reasonable opportunity” (PHIPA s.12(2)).
- Reporting to the IPC of Ontario: also “at the first reasonable opportunity” (O. Reg. 329/04 s.6.3(3)), when a mandatory reporting circumstance applies.
So where does “24 hours” come from? Three places, mostly.
US HIPAA breach commentary that floats into Canadian search results. Cyber-insurance policies that contractually require you to notify your insurer within a set window. And internal incident response playbooks that pick 24 hours as a sensible operational target.
All three can be reasonable. None of them is the standard set by PHIPA s.12(2).
“First reasonable opportunity” is a flexible test, and that flexibility runs against you, not for you. The IPC has found custodians should notify even while an IPC review is ongoing, rather than waiting for the dust to settle. Treating “first reasonable opportunity” as “whenever I get around to it” is exactly how a manageable incident becomes a finding against your practice.
So the honest framing is this. There’s no 24-hour rule, but the first 24 hours still matter enormously, because that’s when you contain the damage and build the record that protects you. The next section is that 24-hour window, framed as practice, not statute.
The first 24 hours: a practical response timeline
This is operational guidance, not a legal deadline. The goal in day one is to stop the bleeding, capture the facts, and set up the decisions you’ll make next.
| Window | What to do | Why it matters |
|---|---|---|
| First hour | Contain: reset passwords, revoke access, recall the email if possible, lock the account | Limits the scope of unauthorized access before it widens |
| Hours 1-4 | Document: date and time of discovery, what PHI was involved, how many clients, suspected cause | PHIPA requires breach record-keeping; memory fades fast |
| Hours 4-12 | Assess: does this create a real risk of significant harm to affected clients? | Drives both your notification content and your IPC reporting decision |
| Hours 12-24 | Decide: who must be notified, whether O. Reg. 329/04 s.6.3 triggers mandatory IPC reporting | Sets your obligations for the days that follow |
A few notes on each.
Containment comes first
Containment beats everything in hour one. If a wrong-address email can still be recalled, recall it. If an account is compromised, reset the password and end active sessions before you do anything else.
You can document a contained breach calmly. You can’t undo an hour you spent writing notes while the attacker was still inside.
Document discovery time and scope
Documentation is not optional, and it’s your evidence. Write down what you knew and when.
If the IPC ever asks how you responded, contemporaneous notes are the difference between a practice that took the breach seriously and one that scrambled. Note the discovery time specifically, because that’s where “first reasonable opportunity” is measured from.
Assess the risk of harm
The risk-of-harm assessment is where mental health context raises the stakes. A leaked appointment time is one thing. A leaked therapy note naming a diagnosis, an abuse history, or suicidal ideation is far more sensitive, and the sensitivity of the information weighs directly into both your duty to notify and your IPC reporting decision.
Don’t downplay it because the breach was small in volume. One record can carry significant risk.
When must you report a breach to the IPC of Ontario?
Notifying your client and reporting to the IPC are two separate obligations. You almost always owe the client notice. You owe the IPC a report only when the breach meets one of the mandatory circumstances set out in O. Reg. 329/04 s.6.3.
You must report a PHIPA breach to the IPC of Ontario when it falls into one of those circumstances. These include personal health information that was stolen, used or disclosed without authority by someone who knew or ought to have known they lacked authority, or that, after an initial loss or unauthorized use, was or will be further used or disclosed without authority. A pattern of similar breaches and breaches that trigger a disciplinary or regulatory consequence are also reportable, as is any breach the custodian determines is significant given its sensitivity, the volume of information, and the number of individuals affected. When a circumstance applies, report at the first reasonable opportunity.
Six questions that flag a reportable breach
In plain terms, ask yourself a few questions when you assess the breach.
Was the information stolen (a stolen laptop, a phished account drained by an attacker)? That’s reportable. Was it used or disclosed by someone who knew they shouldn’t have access? Reportable. After the first incident, is the information likely to be used or disclosed again without authority, for example because it’s now circulating? Reportable.
Is this the latest in a pattern of similar breaches in your practice? Reportable. Will the breach lead to a regulatory or disciplinary consequence, such as a CRPO matter? Reportable. And stepping back, is the breach significant on its own terms, weighing the sensitivity of the information, how much was involved, and how many clients it touched? If so, it’s reportable too.
When in doubt, report
If you’re unsure whether a circumstance applies, the safer reading is to report. The IPC has published its own guidance on reporting breaches, and there’s no penalty in the regulation for reporting a breach that turned out to be borderline. There is real exposure in failing to report one that wasn’t.
One distinction is worth holding onto, because it causes genuine confusion across provinces: PHIPA’s mandatory reporting to the IPC is a health-sector obligation specific to health information custodians in Ontario.
Don’t import the rules from other provinces’ private-sector regimes here; if you also see clients in another province, the breach analysis there is separate. This post is Ontario only.
What about enforcement? Has the IPC actually penalized anyone?
Yes, and this is where the abstract becomes concrete. The administrative monetary penalty power was added to PHIPA effective January 1, 2024, and on August 27, 2025 the IPC issued PHIPA Decision 298, the first decision to actually impose a penalty under that framework.
It marked a shift from a regime that historically leaned on orders and guidance to one that can attach a financial penalty to a custodian’s conduct.
We’ve covered that ruling in depth in what PHIPA Decision 298 means for your practice. The short version for breach response: the existence of administrative monetary penalties raises the cost of mishandling personal health information, and a documented, prompt breach response is part of how a custodian demonstrates the diligence that matters when the IPC reviews a matter.
We’re deliberately not going to put a dollar figure on your hypothetical breach. Penalty amounts depend on the specific facts the IPC weighs, and projecting a number for your situation would be guesswork dressed up as advice.
The honest takeaway is narrower and more useful: enforcement with financial consequences now exists, and the quality of your response is part of what gets weighed.
What goes in the notification to your client?
When you notify an affected client, the notice has a required floor and a sensible ceiling. The floor is what PHIPA demands. The ceiling is what good practice and a therapeutic relationship call for.
A PHIPA breach notice to an affected individual must, at minimum, state that their personal health information was involved in a breach and inform them of their right to make a complaint to the Information and Privacy Commissioner of Ontario (PHIPA s.12(2)).
Beyond that minimum, a notice that holds up well usually covers what happened in plain language, what specific information was involved, what you’ve done to contain it, what the client can do to protect themselves, and how to reach you with questions.
You know these clients. A breach notice is a clinical communication as much as a legal one, and the tone matters.
What a notice should not do is bury the IPC complaint right or minimize the breach to protect yourself. Both read as defensiveness, and both can make a borderline IPC review worse.
If you’d rather not draft this from scratch in the middle of an incident, we’ve built a breach response template you can keep on file and fill in when you need it. The point of having it ready is that day one of a breach is the worst possible time to be writing a notice letter from a blank page.
How encrypted email changes your breach exposure
Here’s the connection most breach guides skip. The single most common breach vector for a solo therapy practice is email, and the most common email breach is the wrong-recipient send or the compromised account.
Whether either becomes a reportable, harm-causing breach depends heavily on one thing: was the message readable by the wrong person? For the underlying expectations, see the PHIPA email requirements for therapists.
The wrong-address send
Think about the wrong-address send. If the message was sent in plain text, the stranger who received it can read the client’s name, the subject line, and the body. That’s an unauthorized disclosure of personal health information, and depending on the content, a meaningful risk of harm.
If the message was encrypted so that only the intended, verified recipient could open it, the same misdirected email is far less likely to expose anything. The wrong recipient gets a message they can’t read.
The compromised account
The same logic applies to a compromised account. An attacker in a mailbox full of plain-text client correspondence has read everything. An attacker in a mailbox where outbound client mail was encrypted to the recipient has a much thinner haul.
Encryption does not prevent every breach, and it does not remove your duty to assess and respond. What it does is reduce the likelihood that a misdirected or intercepted message exposes readable personal health information, which directly affects your risk-of-harm assessment and, in turn, your notification and IPC reporting obligations.
Where Curio fits
This is the gap Curio is built to close. Curio encrypts every outbound email automatically and logs every send in a Canadian audit trail, working with your existing Gmail. You don’t change how you send mail.
When the wrong-address send happens (and across enough sends, it eventually does), the message wasn’t sitting in plain text. And if the IPC ever asks what safeguards were in place, the audit trail is the documentation, not a memory you reconstruct after the fact.
To be precise about what that does and doesn’t do: encryption and an audit trail are safeguards under PHIPA s.12(1). They don’t make a practice “PHIPA compliant” on their own, and they don’t replace your breach-response obligations. They lower the odds that an everyday email mistake becomes a reportable breach with a real risk of harm.
If you want to see whether your current setup leaves you exposed, join the Curio waitlist.
What this guide doesn’t cover
A few honest limits.
This is informational content, not legal advice. A real breach with real clients deserves a real conversation with a privacy lawyer or a knowledgeable compliance professional, especially when the risk-of-harm assessment is genuinely close. The cost of one consultation is small next to the cost of mishandling a reportable breach.
It also doesn’t cover the cross-provincial case. If you’re an Ontario therapist seeing a client who lives in Alberta or BC, more than one privacy law may bear on the breach, and the analysis gets more involved. Start with the cross-provincial therapist guide and get specific advice for your situation.
And it doesn’t replace your own incident response plan. The best time to decide who you call and what you do is before a breach, not during one. Use the timeline above to draft your own one-page plan and keep it where you’ll find it under stress.
Key takeaways
- PHIPA has no fixed 24-hour breach notification deadline. The statutory standard is notifying affected individuals “at the first reasonable opportunity” (s.12(2)) and reporting mandatory breaches to the IPC, also “at the first reasonable opportunity” (O. Reg. 329/04 s.6.3(3)).
- The first 24 hours still matter as practice: contain the breach, document discovery time and scope, and assess the risk of harm.
- You must report to the IPC of Ontario when the breach meets one of the reporting circumstances in O. Reg. 329/04 s.6.3(1). These include theft, knowing unauthorized use or disclosure, further unauthorized use, a pattern of similar breaches, a regulatory or disciplinary consequence, and any breach the custodian considers significant given its sensitivity, the volume of information, and the number of individuals affected.
- Keep records sufficient to file your annual breach statistics with the IPC by March 1 (O. Reg. 329/04 s.6.4). PHIPA sets no fixed retention period; the “24 months” figure comes from PIPEDA, not PHIPA.
- The PHIPA administrative monetary penalty power took effect January 1, 2024, and PHIPA Decision 298 (issued August 27, 2025) was the first decision to impose one, raising the stakes of a poor response. A prompt, documented response is part of demonstrating diligence.
- Automatic email encryption reduces the chance that an everyday email mistake becomes a reportable, harm-causing breach.
Frequently asked questions
Does PHIPA require breach notification within 24 hours?
No. PHIPA does not set a 24-hour deadline. Under s.12(2), you must notify affected individuals “at the first reasonable opportunity.” The 24-hour figure usually comes from US HIPAA commentary or cyber-insurance contracts, not from PHIPA itself. The first day still matters for containment and documentation.
When do I have to report a breach to the IPC of Ontario?
You must report to the IPC when the breach meets a circumstance in O. Reg. 329/04 s.6.3, such as theft of personal health information, unauthorized use or disclosure by someone who knew they lacked authority, further unauthorized use after an initial loss, a pattern of similar breaches, a breach with a regulatory consequence, or any breach you determine is significant. Report at the first reasonable opportunity.
Do I have to tell my client about every breach?
In nearly all cases, yes. PHIPA s.12(2) requires notifying affected individuals at the first reasonable opportunity when their personal health information is stolen, lost, or used or disclosed without authority. The notice must inform them of their right to complain to the IPC.
IPC reporting is a separate question with its own threshold.
What information goes in a PHIPA breach notice?
At minimum, the notice must state that the client’s personal health information was involved in a breach and inform them of their right to complain to the IPC of Ontario. Good practice adds plain-language detail: what happened, what information was involved, how you contained it, and how the client can reach you.
Does encrypting my email mean I won’t have a breach to report?
Not automatically. Encryption is a safeguard, not a guarantee, and it doesn’t remove your duty to assess and respond. What it does is lower the chance that a misdirected or intercepted email exposes readable personal health information, which affects your risk-of-harm assessment and your reporting obligations.
How long do I have to keep records of a breach?
PHIPA requires custodians to keep records of breaches, and under O. Reg. 329/04 s.6.4 you must give the IPC an annual statistical report of breaches each March 1. PHIPA itself sets no minimum retention period for breach records (the “at least 24 months” figure people cite comes from the federal PIPEDA breach regulations, not PHIPA). As a practical matter, keep your breach log, your risk assessment, your notifications, and any IPC correspondence together, so you can demonstrate how you responded if the IPC reviews the matter.
This content is for informational purposes only and does not constitute legal advice. Privacy regulations vary by province and are subject to change. Verify current requirements with the Information and Privacy Commissioner of Ontario and consult a qualified privacy professional for your specific situation.
Curio is designed to encrypt outbound email and maintain a Canadian audit trail. It is not a substitute for professional legal or compliance advice.