
PHIPA email requirements for therapists: the complete 2026 guide

Gabriel Borges 18 min read

Most therapists in Ontario don’t set out to violate PHIPA. What happens is quieter than that. You open your laptop, type a reply to a client, hit send. The email travels through Google’s servers, probably encrypted, probably stored somewhere in the United States, and lands in your client’s inbox without any record that you could produce in a privacy investigation.

That send just triggered half a dozen PHIPA obligations. And unless you’ve configured your setup specifically for those obligations, there are gaps.

The Personal Health Information Protection Act (PHIPA) governs how health information custodians in Ontario handle personal health information (PHI). If you use email to communicate with clients, PHIPA has specific requirements for encryption, consent, audit trails, and breach notification. This guide covers all of them, with section references, IPC guidance, and the practical steps you can take right now.

Other provinces have their own rules: Alberta’s Health Information Act has stricter PIA requirements, and BC PIPA treats cross border data storage as a risk factor under s.34. This guide is Ontario and PHIPA specific.

Who does PHIPA apply to?

PHIPA defines “health information custodian” under section 3. The definition covers a wide range of health professionals, but here’s what matters for therapists: if you’re a Registered Psychotherapist (RP) registered with the College of Registered Psychotherapists of Ontario (CRPO), you are a health information custodian under PHIPA.

That means the full set of PHIPA obligations applies to you personally. Not to your clinic. Not to your EHR vendor. To you.

This trips up a lot of people. You might assume that using a corporate Google Workspace account, or practising within a group practice, shifts the responsibility to the organization. Under PHIPA, the custodian is the individual health care practitioner, and the obligations follow the custodian.

This includes everything from how you store client files to how you send a two-sentence email confirming a session time (if that email, combined with the recipient’s identity, reveals that someone is receiving therapy). PHIPA’s definition of PHI is broad: any identifying information about an individual that relates to their physical or mental health, health care history, or eligibility for health coverage. A client’s name in an email subject line? That alone isn’t PHI. But that name combined with a therapy appointment time in the body? It is.

Worth knowing: PHIPA is provincial, not federal. It applies in Ontario. Alberta has the Health Information Act (HIA). BC has the Personal Information Protection Act (PIPA). PIPEDA fills in where no provincial equivalent exists. We’re covering Ontario here, but if you see clients across provincial lines, the picture gets more complicated. We’ll publish a full cross provincial comparison later this spring.

What PHIPA requires for therapist email

Encryption requirements (s.12(1))

Section 12(1) of PHIPA requires health information custodians to take “reasonable steps” to ensure PHI is protected against theft, loss, and unauthorized use or disclosure. The Information and Privacy Commissioner of Ontario (IPC) has consistently interpreted “reasonable steps” to include encryption as a technical safeguard.

PHIPA doesn’t name a specific encryption standard. There’s no line in the statute that says “use AES-256” or “TLS 1.3 minimum.” What the IPC has said, across multiple guidance documents and decisions, is that the safeguards must be proportionate to the sensitivity of the information. Mental health records are among the most sensitive categories of PHI. The bar is high.

So what counts as encryption for PHIPA purposes?

The IPC’s guidance on safeguards references three categories: administrative safeguards (policies, training), technical safeguards (encryption, access controls), and physical safeguards (locked offices, screen positioning). For email, the technical safeguard that gets the most attention is encryption, and that’s where Gmail’s default setup runs into trouble.

Gmail uses TLS (Transport Layer Security) to encrypt email in transit between servers. When both the sending and receiving servers support TLS, the message is encrypted between them. The problem: TLS is opportunistic. If the recipient’s email provider doesn’t support TLS, Gmail sends the message unencrypted and doesn’t tell you it happened.

For PHI, that’s a problem. You can’t guarantee that every client, insurance company, or referring physician uses an email service that supports TLS. And “reasonable steps” almost certainly means more than hoping the other side cooperates.
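One check a custodian can run on their own side, added here as an example (it is not code from the article, from Google, or from the IPC): parse the Received: trace headers of a delivered message and flag any hop whose protocol keyword (the RFC 3848 vocabulary: ESMTPS/ESMTPSA mean TLS, ESMTP/SMTP mean none) shows it was relayed in the clear. The sample message, host names and addresses are constructed; the `version=TLS…` annotation follows the style Gmail uses in its own trace headers. It can only show the inbound path of mail you received; nothing in your mailbox records what happened to an outbound message after Google's servers handed it off, which is exactly the blind spot described above.

```python
"""Flag Received: hops that were relayed without STARTTLS / implicit TLS.

Added example, not from the original article or any vendor. Reads the trace
headers a receiving mail server adds (RFC 5321 section 4.4) and classifies
the "with <protocol>" keyword per RFC 3848.
"""
import re
from email import message_from_bytes

# "with <protocol>" clause of a Received: header.
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")
# "from <host>" clause (the relay that handed the message over).
FROM_RE = re.compile(r"^from\s+(\S+)")
# Gmail-style TLS annotation, e.g. "(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256)".
TLS_RE = re.compile(r"version=(TLS\d(?:_\d)?)\s+cipher=(\S+)")

# RFC 3848 keywords that mean TLS was used (plus SMTPS for implicit TLS).
TLS_KEYWORDS = re.compile(r"^(?:UTF8)?E?SMTPSA?$", re.IGNORECASE)
# Keywords that mean the hop was plaintext SMTP.
PLAIN_KEYWORDS = re.compile(r"^(?:UTF8)?E?SMTPA?$", re.IGNORECASE)

# Constructed sample: a client's message reaching a Gmail mailbox via a
# clinic relay. The middle hop (relay -> mx.google.com) used plain ESMTP.
SAMPLE = b"""\
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
        by mx.google.com with SMTPS id x1-20020a05
        for <therapist@example.com>
        (Google Transport Security);
        Tue, 10 Feb 2026 10:00:02 -0800 (PST)
Received: from relay.clinic.example (relay.clinic.example. [203.0.113.5])
        by mx.google.com with ESMTP id y2-20020a05;
        Tue, 10 Feb 2026 10:00:01 -0800 (PST)
Received: from [192.0.2.10] (client.example.net. [198.51.100.7])
        by relay.clinic.example with ESMTPSA id z3
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 10 Feb 2026 10:00:00 -0800 (PST)
From: client@example.net
To: therapist@example.com
Subject: (constructed sample, no content)

body
"""


def classify_hop(received: str) -> dict:
    """Summarise one Received: header: relay host, protocol keyword, TLS status."""
    text = " ".join(received.split())  # unfold continuation lines
    frm = FROM_RE.match(text)
    with_m = WITH_RE.search(text)
    keyword = with_m.group(1) if with_m else ""
    if TLS_KEYWORDS.match(keyword):
        status = "tls"
    elif PLAIN_KEYWORDS.match(keyword):
        status = "plaintext"
    else:
        status = "unknown"  # e.g. HTTP (webmail submission) or LMTP (local delivery)
    tls = TLS_RE.search(text)
    return {
        "from": frm.group(1) if frm else "?",
        "protocol": keyword,
        "status": status,
        "tls_version": tls.group(1) if tls else None,
        "cipher": tls.group(2) if tls else None,
    }


def trace_hops(raw_message: bytes) -> list:
    """Classify every hop, most recent hop first (header order)."""
    msg = message_from_bytes(raw_message)
    return [classify_hop(h) for h in msg.get_all("Received", [])]


def unencrypted_hops(raw_message: bytes) -> list:
    """Only the hops that were relayed without TLS."""
    return [h for h in trace_hops(raw_message) if h["status"] == "plaintext"]


if __name__ == "__main__":
    for hop in trace_hops(SAMPLE):
        print(hop["status"].ljust(9), hop["protocol"].ljust(8), hop["from"], hop["tls_version"] or "")
    print("plaintext hops:", [h["from"] for h in unencrypted_hops(SAMPLE)])
```

Plaintext hops inside one provider's own network are a different risk from a plaintext hop across the public Internet, so read the `from` and `by` hosts before treating a flag as a breach indicator; the value of the check is that it gives you evidence instead of an assumption.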

There’s also the question of encryption at rest. Gmail encrypts stored messages on Google’s servers, but Google holds the keys. That means Google can access the content, and so can law enforcement with a valid legal process. For most business email, this is a non-issue. For mental health records, it’s a consideration that should appear in your risk assessment.

The IPC hasn’t issued a blanket ruling on Gmail specifically, but the logic of their guidance points one direction: encryption that depends on factors outside your control is hard to defend as a “reasonable step.”

We covered this in detail in our analysis of whether Gmail is PHIPA compliant. The short answer: not by default.

Consent requirements (s.18, s.20)

PHIPA distinguishes between implied consent and express consent. For most in-person clinical interactions, implied consent covers the collection and use of PHI within the “circle of care.” But email sits outside that default.

When you send PHI by email, you’re disclosing it through a channel that introduces risks the client may not anticipate: potential storage outside Canada, opportunistic encryption, and the possibility of interception. Section 18 sets out the rules for consent, and section 20 addresses the conditions for implied consent.

The safe standard for email containing PHI is express consent. The client should know that email will be used, understand what information might be sent, understand the risks involved, and have the option to choose a different communication method. We’ve built PHIPA compliant communication templates that include consent forms designed specifically for this.

CRPO’s Standard 3.4 (more on that below) reinforces this by requiring “informed consent” for electronic communication.

The consent must be documented. A verbal “sure, you can email me” during an intake session isn’t enough if the IPC asks for proof six months later. You need a signed (or electronically acknowledged) consent form that covers what information will be communicated by email, the specific risks of email (opportunistic encryption, cross border storage, the possibility of interception), and the client’s right to withdraw consent or choose a different communication method at any time.

How often does consent need to be renewed? PHIPA doesn’t specify a renewal period, but best practice is to revisit it when circumstances change: a new email provider, a change in what information you communicate electronically, or a client request. We’ll go deeper on PHIPA consent requirements for email in a dedicated post.

Audit trail requirements

PHIPA doesn’t use the phrase “audit trail.” But section 12(1)’s “reasonable steps” requirement, combined with the IPC’s guidance on demonstrating compliance, means you need records. The ability to show what you did and when is part of how the IPC evaluates whether your safeguards are reasonable.

If the IPC contacts you about a complaint, you need to show what PHI you communicated, when, and to whom. Gmail’s admin audit log tracks account activity (logins, settings changes), not the content or recipients of individual email messages. It’s an IT tool, not a compliance record. There’s no screen in the Google admin console that produces a report of “all emails containing PHI that this user sent in Q3.”

We built a manual audit log template that you can set up in about 30 minutes using Google Sheets. It works. But manual processes depend on you remembering to log every relevant email, every time, for every client. Consistency over months and years is the hard part. I’ve talked to therapists who kept perfect logs for three months and then slowly stopped, usually around the time their caseload picked up.

Breach notification (s.12(2))

When PHI is stolen, lost, or accessed without authorization, section 12(2) requires the custodian to notify affected individuals “at the first reasonable opportunity.”

What counts as a breach in the email context? A few scenarios:

  • You send an email containing PHI to the wrong recipient.
  • An email with PHI is sent without encryption (because the recipient’s server didn’t support TLS, and you didn’t know).
  • Your email account is compromised and an unauthorized person accesses client communications.
  • A ransomware attack encrypts your email data, making it unavailable. (The IPC has ruled that ransomware encryption of servers constitutes unauthorized “use” under PHIPA, even if the attacker never viewed the data.)

The notification must include a statement that the individual can file a complaint with the IPC. PHIPA doesn’t prescribe a specific format: you can notify by phone, in writing, or in person. But you must notify, and the clock starts running the moment you become aware.

What does this look like in practice? Say you realize on a Tuesday afternoon that you sent a session summary to the wrong email address last week. You need to notify the affected client, document what happened, and consider whether to report the breach to the IPC. Our guide on the client record access request process covers related obligations around client access to their own records, which often comes up alongside breach situations.

Since January 1, 2024, the IPC also has the power to issue administrative monetary penalties for PHIPA violations: up to $50,000 for individuals and $500,000 for organizations (Ontario Regulation 329/04). These penalties target severe violations, not honest mistakes, but they signal that PHIPA enforcement has real financial consequences now. For a full analysis of what those penalties mean for solo therapists, see our guide to PHIPA administrative monetary penalties and Decision 298.

Privacy Impact Assessments

The IPC recommends that health information custodians complete a Privacy Impact Assessment (PIA) before implementing any system that processes PHI. For email, this means before you start using Google Workspace (or any email tool) for client communications.

Most therapists skip this step. In our experience, this is one of the largest gaps in solo practice compliance. It’s not that therapists don’t care. It’s that nobody told them a PIA was expected. If you trained before 2020, your graduate program almost certainly didn’t cover it. The IPC’s PIA guidelines walk through the process, and we’ve published a privacy impact assessment template adapted for therapists using Google Workspace. It takes about 60 to 90 minutes to complete.

What goes in a PIA? At minimum: a description of the information flows (what PHI moves through your email, from where, to where), the risks you’ve identified (cross border storage, opportunistic encryption, AI processing), the safeguards you’ve put in place, and any residual risks you’ve accepted. It’s a structured way of saying: I looked at this, I thought about it, and here’s what I decided.

In Ontario, you complete the PIA and keep it on file. You don’t need to submit it to the IPC (unlike Alberta, where OIPC submission is mandatory before you implement the system). But having a completed PIA demonstrates that you assessed the risks, which strengthens your “reasonable steps” argument if the IPC ever comes asking.

Data residency considerations

Where does your email data live? If you’re on Google Workspace, the answer is: on Google’s global infrastructure, with primary storage typically in the United States and the European Union. Even Google’s data region settings (available on Business Standard and higher) only control primary data at rest, not all copies, backups, or processing locations.

Here’s where Ontario differs from some other jurisdictions. PHIPA takes a risk based approach to data residency. Storing PHI outside Canada isn’t automatically a violation. But the IPC has noted that cross border transfers introduce additional risks, including exposure to foreign government access under laws like the US CLOUD Act.

What “reasonable” means: you need to document the cross border transfer in your PIA, obtain express consent from clients for the cross border disclosure of their PHI, and satisfy yourself that the protections at the other end are adequate.

Contrast this with BC’s PIPA, where the rules around cross border data transfers are more prescriptive. And contrast with Alberta’s HIA, where the OIPC examines cross border data flows as part of the mandatory PIA review.

Data residency isn’t a binary pass or fail under PHIPA. It’s a risk factor you must address.

CRPO’s interpretation: Standard 3.4

PHIPA sets the legal floor. CRPO’s Practice Standard 3.4 on Electronic Practice adds requirements on top of it.

Standard 3.4 has seven sub-standards. Among the most relevant for email: registrants must (1) adhere to all professional standards whether practising in person or electronically, (2) obtain informed consent for the use of electronic communication, (3) take reasonable steps to ensure technology is secure and confidential, and (4) verify their professional liability insurance covers electronic services. The remaining sub-standards cover complying with licensing requirements in the client’s jurisdiction, including written correspondence in the clinical record, and not relying on computer-generated assessments alone.

The second point is where most therapists have gaps. “Informed consent” under Standard 3.4 means the client understands what electronic communication involves, its limitations, and its risks. A generic intake form that mentions “electronic communication” in a list of 40 items probably doesn’t meet this standard. The consent should be specific, documented, and revisitable.

CRPO’s Electronic Practice Guideline expands on the standard and is worth reading alongside it. We plan to publish a detailed breakdown of CRPO’s electronic practice standards and what they mean for your email setup next month.

The third component (“reasonable steps to ensure technology is secure”) mirrors PHIPA s.12(1). But CRPO adds the expectation that security be appropriate “given the needs of the client.” That’s a clinical judgment, not just a technical one. A client with a high risk profile (shared household, controlling partner, safety concerns) may need stronger protections than your default setup provides. You might need to avoid email entirely for some clients, or use a portal based communication method that doesn’t leave messages sitting in an inbox someone else could access.

This is where the Sage’s expertise becomes relevant: PHIPA gives you the legal floor, CRPO raises the bar, and clinical judgment determines where each individual client sits relative to both.

Practical steps for your Gmail setup

These steps won’t make Gmail PHIPA compliant. (We’ve explained why in our Gmail compliance analysis.) But they close some gaps and demonstrate that you’re taking “reasonable steps,” which matters under both PHIPA s.12(1) and CRPO Standard 3.4.

1. Configure your Google Workspace admin security settings. Enforce two-factor authentication, sign the HIPAA BAA, review every security relevant toggle. Our Google Workspace admin security settings guide walks through each one. Budget 30 to 45 minutes. You do it once.

2. Understand encryption and its limits. Gmail’s TLS encrypts email in transit when the recipient’s server supports it. Confidential Mode adds expiration dates and passcode access. Neither constitutes end to end encryption. Neither prevents Google from accessing the content. They’re layers, not solutions. Knowing the limits helps you explain them to clients when obtaining consent, and it’s information you’ll need for your PIA.

3. Disable AI features that process email content. Smart Compose, Smart Reply, Gemini summaries. The IPC’s January 2026 guidance on AI scribes in healthcare establishes that consent is generally required for AI processing of health information. The same reasoning applies to email AI features processing PHI without client consent. Our guide on disabling AI features covers every toggle.

4. Create consent forms for electronic communication. Document express consent from each client before sending PHI by email. Include the risks, the limitations, and the client’s right to withdraw consent. Our PHIPA compliant communication templates include a consent form you can adapt.

5. Set up a manual audit log. Track which clients you emailed, when, and the general nature of the content. Our manual audit log template uses Google Sheets and takes 30 minutes to configure. The hard part isn’t setup. It’s the discipline of logging consistently over time.

6. Complete a Privacy Impact Assessment. Document the risks of your email setup: cross border data storage, opportunistic encryption, AI processing. Our PIA template walks through every section. Allow 60 to 90 minutes.

An honest assessment of where this leaves you: better than doing nothing. Worse than a purpose built solution. The fundamental gaps (opportunistic TLS, no automated audit trail, no consent management, data stored outside Canada) remain even after you configure everything correctly.
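Steps 4 and 5 above (documented consent, a metadata-only audit log) can be joined in one small tool, shown here as an added example that is not code from the article, from Google, or from any product it mentions. It records who was emailed, when, the Message-ID and a coarse category the custodian assigns, never the subject or body, and checks each recipient against a consent registry so an address without documented consent (or a mistyped one, the wrong-recipient breach scenario) is flagged before the entry is filed. The consent registry, the category labels, the quarter report and both sample messages are constructed assumptions of this example.

```python
"""Metadata-only PHI email audit log with a consent check.

Added example, not from the original article or any vendor. Input is the raw
RFC 5322 text of a sent message (what "Show original" in Gmail gives you).
"""
import csv
import io
from dataclasses import asdict, dataclass, fields
from datetime import datetime, timezone
from email import message_from_bytes
from email.utils import getaddresses, parsedate_to_datetime


@dataclass
class LogEntry:
    sent_at: str          # ISO 8601, UTC
    recipient: str
    message_id: str
    category: str         # coarse label chosen by the custodian, never subject/body
    consent_on_file: bool # recipient present in the consent registry


# Constructed: addresses of clients with a signed electronic-communication consent.
CONSENT_REGISTRY = {"alex@example.net"}

# Constructed sample sent messages (bodies omitted on purpose).
SENT_Q3 = b"""\
From: therapist@example.com
To: Alex Client <alex@example.net>
Date: Tue, 14 Jul 2026 09:30:00 -0400
Message-ID: <constructed-0001@example.com>
Subject: Appointment confirmation

(body omitted)
"""

# Second message: a typo in the client address plus an un-consented Cc.
SENT_Q4 = b"""\
From: therapist@example.com
To: alex@exmple.net
Cc: Referring Physician <referrer@clinic.example>
Date: Mon, 5 Oct 2026 16:05:00 -0400
Message-ID: <constructed-0002@example.com>
Subject: Session summary

(body omitted)
"""


def log_sent_message(raw_sent_message: bytes, category: str, consent_registry: set) -> list:
    """One LogEntry per To/Cc recipient, flagging anyone without documented consent."""
    msg = message_from_bytes(raw_sent_message)
    sent_at = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc).isoformat()
    message_id = (msg.get("Message-ID") or "").strip()
    entries = []
    for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
        addr = addr.lower()
        entries.append(LogEntry(sent_at, addr, message_id, category, addr in consent_registry))
    return entries


def missing_consent(entries: list) -> list:
    """Entries that need attention before (or after) sending."""
    return [e for e in entries if not e.consent_on_file]


def quarter_report(entries: list, year: int, quarter: int) -> list:
    """Entries sent in a calendar quarter: the report the admin console cannot produce."""
    months = range(3 * quarter - 2, 3 * quarter + 1)
    return [e for e in entries
            if (d := datetime.fromisoformat(e.sent_at)).year == year and d.month in months]


def to_csv(entries: list) -> str:
    """Serialise the log so it can be kept alongside the PIA."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=[f.name for f in fields(LogEntry)])
    writer.writeheader()
    for e in entries:
        writer.writerow(asdict(e))
    return buf.getvalue()


if __name__ == "__main__":
    log = (log_sent_message(SENT_Q3, "scheduling", CONSENT_REGISTRY)
           + log_sent_message(SENT_Q4, "session-summary", CONSENT_REGISTRY))
    print(to_csv(log))
    print("needs attention:", [e.recipient for e in missing_consent(log)])
    print("Q3 2026 entries:", len(quarter_report(log, 2026, 3)))
```

Keeping the category coarse ("scheduling", "session-summary") is deliberate: the log itself should not become a second copy of the PHI it is supposed to account for.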

Beyond Ontario: how other provinces compare

PHIPA applies in Ontario. If you practise in other provinces or plan to, the requirements change.

For the side by side breakdown across all three provinces, see our provincial privacy law comparison.

| Requirement | PHIPA (Ontario) | HIA (Alberta) | PIPA (BC) |
|---|---|---|---|
| Encryption | Reasonable steps (s.12(1)); IPC interprets as including encryption | Reasonable safeguards (s.60); OIPC expects encryption for sensitive health information | Reasonable security (s.34); OIPC BC expects safeguards appropriate to sensitivity |
| Consent | Express consent is the safe standard for email PHI | Deemed consent broader for collection; disclosure consent required (s.34) | Consent required; notification for cross border transfers |
| Privacy Impact Assessment | Recommended by IPC, not mandatory to submit | Mandatory PIA with OIPC submission before implementation (s.64) | Not mandatory under PIPA; recommended |
| Data residency | Risk based approach, not mandated | Not mandated, but OIPC considers in PIA review | PIPA doesn’t mandate Canadian storage; FOIPPA (public sector) does |
| Breach notification | At first reasonable opportunity (s.12(2)) | As soon as practicable (s.60.1) | No mandatory notification; OIPC recommends voluntary notification |

Alberta’s HIA is stricter on PIAs. BC PIPA takes a different approach to cross border data. PIPEDA applies to interprovincial practice. We’ll publish a full email privacy law comparison across Canadian provinces in April.

PHIPA enforcement: what happens if you don’t comply

For years, PHIPA enforcement was mostly complaint driven. The IPC would investigate, issue an order, and the custodian would comply. Financial penalties weren’t in the picture.

That changed on January 1, 2024.

The IPC can now issue administrative monetary penalties under PHIPA: up to $50,000 per individual, $500,000 per organization. Where a contravention results in economic gain, penalties can exceed those caps in proportion to the benefit. The regulation targets severe violations, not technical glitches or one-off honest mistakes. But the existence of financial penalties changes the calculus.

Even without AMPs, a privacy complaint creates real consequences. IPC investigations consume time and energy. Orders become public record. For CRPO registrants, a privacy failure can trigger professional standards processes on top of the IPC complaint. That’s two regulatory processes running simultaneously, each with its own timelines, documentation requirements, and possible outcomes.

The risk isn’t just financial. It’s reputational. And for solo practitioners, reputational damage is existential in a way it isn’t for a hospital or large clinic.

Compliance isn’t theoretical anymore. We’ll cover the administrative monetary penalty framework in detail in May.

Frequently asked questions

What does PHIPA require for therapist email?

PHIPA requires health information custodians to take “reasonable steps” to protect PHI (s.12(1)), which the IPC interprets to include encryption, consent documentation, audit trails, and breach notification procedures. For email, this means encryption that doesn’t depend on the recipient’s infrastructure, express consent from clients, a record of PHI communications, and a plan for breach response.

Is Gmail PHIPA compliant?

No. Gmail provides TLS encryption in transit, but it’s opportunistic, meaning it only works when the recipient’s server cooperates. Gmail has no communication level audit trail, no consent management, and stores data primarily in the US. You can reduce the gaps through configuration, but you can’t eliminate them within Gmail’s native capabilities. Read our full analysis.

What encryption is required under PHIPA?

PHIPA s.12(1) requires “reasonable steps” to protect PHI. The IPC interprets this to include encryption as a technical safeguard. No specific encryption standard is mandated, but the expectation is that encryption be reliable and not dependent on factors outside the custodian’s control. Opportunistic TLS, which depends on the recipient’s email server, is unlikely to meet this standard for sensitive mental health information.

Does PHIPA require consent to email PHI?

Express consent is the safe standard. PHIPA allows implied consent for certain collection and use within the circle of care, but email introduces risks (cross border storage, opportunistic encryption) that clients should understand before agreeing. CRPO Standard 3.4 reinforces this by requiring informed consent for electronic communication.

What is CRPO Standard 3.4?

Standard 3.4 is CRPO’s practice standard for electronic practice. It requires registrants to obtain informed consent for electronic communication, take reasonable steps to ensure technology is secure and confidential, and verify their professional liability insurance covers electronic services. It builds on PHIPA’s requirements and adds a clinical judgment component: security measures should be appropriate to the client’s needs.


Curio makes your Gmail encrypted for PHIPA. Automatic encryption and a Canadian audit trail, every time you hit send. No migration, no new tools to learn. Join the waitlist.


This guide is part of the Google Workspace for Canadian Therapists project. We run a private Facebook group where Canadian therapists on Google Workspace share compliance tips, templates, and admin console walkthroughs. Join the group.


This content is for informational purposes only and does not constitute legal advice. Privacy regulations vary by province and are subject to change. Verify current requirements with your provincial regulatory body.
