
PHIPA privacy impact assessment template for Google Workspace

Gabriel Borges 16 min read

The Information and Privacy Commissioner of Ontario (IPC) recommends that health information custodians conduct a privacy impact assessment (PIA) before implementing any new system that processes personal health information. This recommendation appears in the IPC’s Planning for Success: Privacy Impact Assessment Guide, and it’s grounded in PHIPA s.12(1), which requires custodians to take “reasonable steps” to protect PHI.

Most therapists haven’t done one.

That’s not because the requirement is obscure. It’s because the IPC’s guidance was written for hospitals, regional health authorities, and large clinics with privacy officers on staff. The templates assume you have a project team, a data governance framework, and an existing privacy management program. If you’re a solo therapist running Google Workspace, those templates aren’t just intimidating, they’re irrelevant to how your practice actually works.

This post focuses on PHIPA and the IPC’s guidance for Ontario. If you practise in another province, the principle is the same: Alberta’s HIA, BC’s PIPA, and other provincial health privacy laws all expect custodians to assess privacy risks before adopting new systems. The specifics differ by province, but the PIA framework below adapts to any jurisdiction.

This post provides a PIA template built for small therapy practices using Google Workspace. Each section includes what to write, what the IPC expects to see, and common mistakes to avoid. Budget 60 to 90 minutes to complete the whole assessment.

What a PIA is and why it matters

A privacy impact assessment is a structured document that records four things:

  1. What PHI you collect and why
  2. How PHI flows through your systems
  3. What safeguards protect that PHI
  4. What risks remain after those safeguards are in place

That’s it. A PIA is not a security audit, not a penetration test, not a certification. It’s a written record of your analysis. The IPC uses PIAs to evaluate whether a custodian has met the “reasonable steps” standard in PHIPA s.12(1). If a complaint is filed or a breach occurs, the first question the IPC asks is: what did you do to assess the privacy risks of your systems? Not “did you fix everything.” Just “did you look?”

A completed PIA is your answer to that question.

Under PHIPA s.12(1), health information custodians must take steps that are “reasonable in the circumstances” to protect PHI against theft, loss, and unauthorized use or disclosure. The “reasonable in the circumstances” standard inherently scales with the sensitivity of the information. PHI from therapy sessions is among the most sensitive health information that exists. The IPC has consistently held that higher sensitivity demands stronger safeguards and more thorough documentation.

A PIA also helps you find gaps you didn’t know existed. Most therapists who complete this template discover at least one area where their setup doesn’t match what they assumed.

Section 1: project and system description

This section describes your Google Workspace setup in plain language. The IPC wants to understand what the system is, who uses it, and what it does with PHI.

What to write:

  • Your Google Workspace edition (Business Starter, Business Standard, Business Plus, or Enterprise)
  • Which Google Workspace apps you use for clinical work (Gmail, Drive, Calendar, Meet, Chat)
  • How many users have access (just you, or do you have an administrative assistant, associate therapists, or a billing coordinator?)
  • What types of PHI the system processes (session notes, intake forms, appointment details, client contact information, billing records)
  • Whether you’ve signed Google’s HIPAA Business Associate Amendment

Keep this section factual. Two to three paragraphs is enough. The IPC doesn’t expect a technical architecture diagram from a solo practice.

Common mistake: Being vague about which apps contain PHI. “I use Google Workspace for my practice” is too broad. Specify: “I use Gmail to communicate with clients about scheduling and occasionally about clinical matters. I use Google Drive to store intake forms and session notes. I use Google Calendar to schedule appointments, with client names visible in event titles.”

Section 2: data flow mapping

This is the section most therapists skip, and it’s the one the IPC cares about most. Data flow mapping answers: where does PHI enter your system, where does it move, and where does it end up?

For a Google Workspace therapy practice, PHI typically flows through these paths:

Gmail: Clients email you to book appointments, ask questions, or share information about their situation. You reply. Those emails contain names, contact information, and sometimes clinical details. Emails are stored on Google’s servers. If you’re on Business Standard or above, you can set a data region (United States or Europe, or leave it at No Preference). Canada is not a data region option, which creates compliance considerations under provincial health privacy laws.

Google Drive: You may store intake forms, consent documents, session notes, treatment plans, or clinical templates. These files live on Google’s servers in the same data region as your email. Files can be shared with other users in your organization, and sharing settings determine who else can access them.

Google Calendar: Appointment entries contain client names, session types, and timing. Calendar data is synced across devices. If you use a booking tool that integrates with Google Calendar, PHI flows from that tool into Calendar.

Google Meet: If you conduct virtual sessions, Meet processes audio and video in real time. Google states that Meet data is encrypted in transit and at rest. Recordings (if enabled) are stored in Google Drive.

What to write: For each app, document what PHI enters it, how it gets there, who can access it, and where it’s stored. A table works well:

App | PHI types | How PHI enters | Who accesses | Storage location
--- | --- | --- | --- | ---
Gmail | Names, contact info, clinical details | Client emails, your replies | You (+ admin if applicable) | Google servers (US/Europe/unspecified)
Drive | Session notes, intake forms, consent docs | You create/upload files | You (+ shared users) | Google servers (same region)
Calendar | Client names, appointment times, session types | You create events, booking tool syncs | You (+ shared calendars) | Google servers
Meet | Audio/video of sessions | Live sessions | You and your client | Transient (recordings in Drive)

Common mistake: Forgetting about Calendar and Meet. Therapists focus on email and file storage because those feel like “data.” But a calendar full of client names and appointment times is PHI. A recorded Meet session is PHI. Map everything.


Section 3: privacy risk assessment

Now you identify the specific risks. For each data flow you mapped in Section 2, ask: what could go wrong, and how likely is it?

The IPC expects you to consider these categories of risk:

Data residency risk. Google Workspace cannot guarantee Canadian data storage. Data regions offer US, Europe, or No Preference. PHI stored outside Canada may be subject to the PATRIOT Act. The CLOUD Act is broader: it applies to US headquartered companies regardless of where the data is physically stored, meaning data on Google’s servers is potentially accessible to US authorities whether it’s in the US or Europe. PHIPA doesn’t explicitly require Canadian storage, but the IPC has flagged cross border storage as a factor when assessing whether safeguards are “reasonable” under s.12(1).

Encryption risk. Google encrypts data in transit (TLS) and at rest (AES-256). But Google holds the encryption keys. Not you. If a US court orders Google to decrypt, Google must comply. Client side encryption is available on Enterprise Plus, Frontline Plus, and Education editions, but it comes with usability trade-offs that make it impractical for most small practices.

Unauthorized access risk. If your Google account is compromised, an attacker has access to your entire client history: emails, files, calendar, recordings. The primary mitigation is 2 step verification. If you haven’t enforced it, this is a high severity risk.

AI processing risk. Smart Compose, Smart Reply, and Gemini features process email and document content by default. While the IPC’s January 2026 guidance on AI scribes focuses on clinical documentation tools, its principle that consent is “generally required” for AI processing of health information applies to any feature that touches PHI. If you haven’t disabled these features, PHI is being processed by AI systems without client consent. Our guide on how to disable AI features in Google Workspace covers every toggle.

Say you email a client their intake form and they reply with detailed clinical history. Did they consent to that information being stored on Google’s US servers? Did they consent to Google’s AI features scanning it? PHIPA s.18 establishes the framework for consent, including s.18(5) which requires that consent be “knowledgeable” for collection, use, and disclosure of PHI. While implied consent covers many clinical uses, electronic communication of PHI (and AI processing of PHI) may require explicit consent. If you don’t have a documented consent process, this is a consent gap.

Audit trail risk. PHIPA s.12(1) and College of Registered Psychotherapists of Ontario (CRPO) Standard 5.6 both point toward the need for records of who accessed PHI and when. Google Workspace has basic admin audit logs, but these don’t produce the structured, immutable audit trail that regulators expect for clinical records. For more on building a manual audit trail, see our upcoming guide on creating an audit log for client records in Google Workspace.

What to write: For each risk, rate it as low, medium, or high based on likelihood and impact. Be honest. If you haven’t configured data regions, that’s a real gap. If you’re still on Business Starter without 2FA enforcement, say so.

Common mistake: Downplaying risks to make the assessment look better. A PIA is not a marketing document. Its value comes from honesty. The IPC will be more concerned by a PIA that claims zero risks than by one that identifies gaps and explains what you’re doing about them.

Section 4: safeguards assessment

This section documents what you’ve already done to protect PHI. If you’ve followed our Google Workspace admin console security settings guide, you have a head start.

Organize your safeguards into three categories, which mirrors how the IPC structures its own guidance:

Administrative safeguards:

  • Privacy policies provided to clients
  • Consent forms for electronic communication
  • Staff training on PHI handling (if you have staff)
  • Incident response procedures
  • This PIA itself (completing it is a safeguard)

Technical safeguards:

  • 2 step verification enforced for all accounts
  • Drive sharing restricted to internal only (or allowlisted domains)
  • Calendar sharing set to free/busy only for external viewers
  • TLS compliance configured for known clinical domains
  • AI features disabled (Smart Compose, Smart Reply, Gemini)
  • HIPAA BAA signed with Google
  • Data region set (if on Business Standard or above)
  • SPF, DKIM, and DMARC configured for your domain

Physical safeguards:

  • Devices used to access Google Workspace are password protected
  • Screen lock enabled on all devices
  • Devices are encrypted (FileVault on Mac, BitLocker on Windows)
  • Practice space prevents visual eavesdropping of screens

List each safeguard you have in place, and be specific. “Strong passwords” is too vague. “2 step verification enforced via admin console with authenticator app required” is specific enough. For each safeguard, note when it was implemented and when you last verified it’s still active.

One thing to watch for: listing safeguards you intend to implement rather than safeguards currently in place. Section 4 is about your current state. Section 5 is where you address the gaps.
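The “SPF, DKIM, and DMARC configured” safeguard above is the one most often listed as done when it is only half done: a record exists, but its policy is set to monitor rather than enforce, so spoofed mail from your domain is still delivered. The script below is an added example for this guide (not Google’s tooling or the IPC’s template) that you can run when you re-verify Section 4. It parses SPF and DMARC TXT records offline and reports the weak settings. The record strings are constructed samples; replace them with the output of `dig +short TXT yourdomain` and `dig +short TXT _dmarc.yourdomain`, and `example.com` is a placeholder. The Google include hostname is the one Google publishes for Workspace SPF setup. DKIM is deliberately not checked here because its selector name is chosen in the admin console and a published key does not prove signing is switched on.

```python
"""Offline check of the SPF and DMARC TXT records published for a practice domain.

Added example for this guide, not part of Google's documentation or the IPC's
template. The record strings below are constructed samples.
"""
import re
from typing import Dict, List, Optional

# Google Workspace's published sending hosts (from Google's SPF setup docs).
GOOGLE_SPF_INCLUDE = "include:_spf.google.com"

# Constructed sample records: a "set up once, never enforced" state beside
# the state the safeguards list calls for. example.com is a placeholder.
WEAK_SPF = "v=spf1 include:_spf.google.com ?all"
WEAK_DMARC = "v=DMARC1; p=none"
HARDENED_SPF = "v=spf1 include:_spf.google.com -all"
HARDENED_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100"


def parse_spf(txt: str) -> Dict[str, object]:
    """Split an SPF record into its mechanisms and the qualifier on 'all'.

    The qualifier is '-', '~', '?' or '+' (an unqualified 'all' means '+'),
    or None when the record has no 'all' term at all.
    """
    parts = txt.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        return {"valid": False, "mechanisms": [], "all": None}
    mechanisms: List[str] = []
    all_qualifier: Optional[str] = None
    for term in parts[1:]:
        match = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if match:
            all_qualifier = match.group(1) or "+"
        else:
            mechanisms.append(term.lower())
    return {"valid": True, "mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=reject; rua=...' into a lowercase-keyed tag dict."""
    tags: Dict[str, str] = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_mail_auth(spf_txt: Optional[str], dmarc_txt: Optional[str]) -> List[str]:
    """Return a list of findings; an empty list means both records are enforcing."""
    findings: List[str] = []

    if spf_txt is None:
        findings.append("SPF: no record published; receivers cannot tell which hosts may send for you")
    else:
        spf = parse_spf(spf_txt)
        if not spf["valid"]:
            findings.append("SPF: record does not begin with v=spf1")
        else:
            if GOOGLE_SPF_INCLUDE not in spf["mechanisms"]:
                findings.append(f"SPF: {GOOGLE_SPF_INCLUDE} missing, so mail sent from Gmail fails SPF")
            if spf["all"] in (None, "+", "?"):
                findings.append(f"SPF: 'all' qualifier is {spf['all'] or 'absent'}; use ~all or -all so spoofed senders fail")

    if dmarc_txt is None:
        findings.append("DMARC: no _dmarc record; SPF/DKIM failures trigger no policy and you get no reports")
    else:
        dmarc = parse_dmarc(dmarc_txt)
        if dmarc.get("v", "").upper() != "DMARC1":
            findings.append("DMARC: record does not start with v=DMARC1")
        policy = dmarc.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={policy or 'missing'}; failures are monitored only, never acted on")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so aggregate reports never reach you")
        if dmarc.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={dmarc['pct']} applies the policy to only part of your mail")

    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        print(f"{label}:", assess_mail_auth(spf, dmarc) or ["no findings"])
```

Record the script’s output (or “no findings”) and the date next to the SPF/DKIM/DMARC line in Section 4; that is the “last verified” evidence the section asks for, and it is cheap to repeat at each review.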

Section 5: risk mitigation plan

For every medium or high risk identified in Section 3, document what you plan to do about it. This is where the PIA becomes actionable.

Structure each mitigation as:

  • Risk: (from Section 3)
  • Planned action: (what you’ll do)
  • Timeline: (when you’ll do it)
  • Residual risk: (what remains after mitigation)

Here’s what a realistic mitigation plan looks like for common Google Workspace gaps:

Data residency: Google does not offer Canadian data regions. Planned action: set data region to United States for jurisdictional certainty, document the decision and rationale, evaluate Canadian hosted alternatives for the most sensitive PHI categories. Residual risk: PHI remains subject to US jurisdiction. This risk cannot be fully mitigated within Google Workspace.

AI processing: Planned action: disable all AI features in admin console per the AI features guide. Timeline: this week. Residual risk: low, once features are disabled. No retroactive deletion of previously processed data is available.

Audit trail: Google Workspace admin logs don’t meet CRPO Standard 5.6 requirements. Planned action: implement a manual audit log process for client record access. Timeline: within 30 days. Residual risk: medium, as manual logging depends on consistent compliance.
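The audit trail risk in Section 3 and the manual log planned here both turn on one property: that an entry, once written, cannot be quietly altered or removed. A plain spreadsheet does not give you that. The following is an added example for this guide (not a Google Workspace feature and not the IPC’s or CRPO’s template) of a hash-chained, append-only access log: each entry stores the SHA-256 of the previous entry, so editing or deleting any earlier entry breaks every hash after it. The field names, the JSON Lines file format, the addresses and the sample events are the author’s own assumptions, constructed for illustration. The one change a chain cannot detect by itself is deletion of the most recent entries, which is why the latest hash should be copied somewhere the log file’s owner cannot silently change, such as a paper logbook or a second device.

```python
"""Tamper-evident, append-only access log for client records.

Added example for this guide, not a Google Workspace feature and not a
regulator's template. Field names, file format and sample events are
assumptions constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

GENESIS_HASH = "0" * 64  # the 'previous hash' of the very first entry


def entry_hash(entry: Dict[str, str]) -> str:
    """SHA-256 of the entry's canonical JSON, excluding its own 'hash' field."""
    fields = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_entry(log: List[Dict[str, str]], user: str, action: str,
                 record: str, purpose: str, when: Optional[str] = None) -> Dict[str, str]:
    """Append one access event, chained to the previous entry's hash."""
    entry = {
        "ts": when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "user": user,        # who accessed the record
        "action": action,    # view / edit / export / share
        "record": record,    # which client record (never clinical content)
        "purpose": purpose,  # why; access to PHI should be purpose-limited
        "prev": log[-1]["hash"] if log else GENESIS_HASH,
    }
    entry["hash"] = entry_hash(entry)  # covers every field above, 'prev' included
    log.append(entry)
    return entry


def verify_chain(log: List[Dict[str, str]]) -> Optional[int]:
    """Return None if every entry is intact and correctly linked,
    otherwise the index of the first entry whose hash or link is wrong."""
    expected_prev = GENESIS_HASH
    for index, entry in enumerate(log):
        if entry.get("prev") != expected_prev or entry_hash(entry) != entry.get("hash"):
            return index
        expected_prev = entry["hash"]
    return None


def write_jsonl(log: List[Dict[str, str]], path: str) -> None:
    """Persist the log as one JSON object per line (assumed format)."""
    with open(path, "w", encoding="utf-8") as fh:
        for entry in log:
            fh.write(json.dumps(entry, sort_keys=True) + "\n")


def read_jsonl(path: str) -> List[Dict[str, str]]:
    """Load a log written by write_jsonl; verify_chain() it after loading."""
    with open(path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


def build_sample_log() -> List[Dict[str, str]]:
    """Constructed events for a two-person practice (not real data)."""
    log: List[Dict[str, str]] = []
    append_entry(log, "therapist@example.com", "view", "client-A/session-notes",
                 "treatment", "2026-02-03T14:05:00+00:00")
    append_entry(log, "assistant@example.com", "view", "client-A/intake-form",
                 "scheduling", "2026-02-03T14:10:00+00:00")
    append_entry(log, "therapist@example.com", "edit", "client-A/session-notes",
                 "treatment", "2026-02-03T15:02:00+00:00")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact:", verify_chain(sample) is None)
    sample[1]["purpose"] = "curiosity"  # simulate an after-the-fact edit
    print("first bad entry after tampering:", verify_chain(sample))
```

Keep the log file outside the Drive folders it describes and restrict it to the custodian’s own account; the chain tells you that something was changed and where, not who changed it, so the file permissions and the off-device copy of the latest hash are part of the safeguard, not optional extras.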

Consent: Planned action: create a consent form that specifically addresses electronic communication of PHI, AI processing status, and cross border data storage. Have all current clients sign within 60 days. Include in onboarding for new clients. Residual risk: low, once consent is documented.

Encryption: Google holds encryption keys. Planned action: evaluate client side encryption options for the most sensitive documents. For email, evaluate a compliance layer that provides encryption beyond TLS. Residual risk: medium, as Google’s key management remains outside your control for most data.

What to write: Be realistic about timelines. The IPC understands that small practices can’t fix everything overnight. A mitigation plan with honest deadlines is more credible than one that promises immediate resolution of every gap.

Where therapists get stuck: writing “accept the risk” for everything. Some risk acceptance is reasonable, but the IPC expects to see that you considered alternatives before accepting a risk. For data residency, “we accept this risk” is weaker than “we evaluated Canadian hosted alternatives, determined that switching would disrupt clinical workflows, set the data region to US for jurisdictional clarity, and will reassess when Google offers Canadian data regions.”


Section 6: sign-off and review schedule

A PIA is a living document. The IPC expects it to be reviewed and updated when your systems change.

Record your name and role (e.g., “Gabriel Borges, Health Information Custodian, [Practice Name]”), the date you finished, and a review schedule. At minimum, review annually. Also review when you change Google Workspace editions, add new users, adopt new apps or integrations, or experience a privacy incident. Set a specific next review date (e.g., “March 2027”).

If you have associate therapists or staff, have them review the PIA and sign off. Their acknowledgment demonstrates that the safeguards aren’t just documented but understood by everyone who handles PHI.

The most common failure with PIAs isn’t a bad assessment. It’s completing the PIA and filing it away. Schedule a calendar reminder for your review date. When you review, check whether your Google Workspace configuration still matches what the PIA describes. Settings drift over time, especially after Google Workspace updates.

Putting it all together

Your completed PIA should be five to ten pages. That’s enough to be thorough without being excessive for a small practice. Save it as a PDF in a folder outside of Google Drive (since the PIA itself documents risks with Google’s data handling, storing it on Google’s servers creates a circular dependency). A local encrypted drive or a Canadian hosted cloud storage service works.

Here’s a summary of the six sections:

  1. Project/system description: what your setup is and what PHI it processes
  2. Data flow mapping: where PHI goes across Gmail, Drive, Calendar, and Meet
  3. Privacy risk assessment: what could go wrong, rated by severity
  4. Safeguards assessment: what protections you already have
  5. Risk mitigation plan: what you’ll do about the gaps, with timelines
  6. Sign-off and review schedule: who approved it and when you’ll revisit

What a PIA does not do

A PIA documents your assessment. It does not fix the gaps it identifies.

Completing this template does not make your Google Workspace setup PHIPA compliant. It does not change the fact that Google stores data in the US. It does not encrypt your emails, disable AI features, or create a consent process. Those are separate actions that you still need to take.

What a PIA does is demonstrate due diligence. It shows that you understood the risks, evaluated your options, and made informed decisions. Under PHIPA s.12(1), “reasonable steps” is a contextual standard. The IPC assesses what’s reasonable based on the size of the practice, the sensitivity of the information, and the resources available. A solo therapist isn’t held to the same standard as a hospital. But “I didn’t know” is not a defense that the IPC accepts.

A PIA also doesn’t substitute for the technical work. If your admin console settings are still at default, the PIA will make that painfully obvious. Our admin console security settings guide and PHIPA email requirements guide cover the hands on configuration.

And a PIA doesn’t provide legal advice. This template reflects the IPC’s published guidance and PHIPA’s requirements as of February 2026. If your practice has specific circumstances (multiple locations, cross provincial clients, research activities), consult a health privacy lawyer.

The honest version

The IPC recommends PIAs. Most therapists haven’t done one. The templates available are written for organizations with dedicated privacy teams, and they’re intimidating enough that small practices skip the process entirely.

That’s a problem, because a PIA is one of the most concrete things you can do to demonstrate PHIPA compliance. It costs nothing. It takes 60 to 90 minutes. And it forces you to look honestly at how your practice handles PHI.

You’ll probably find gaps. That’s the point. A PIA with gaps and a plan to address them is infinitely more valuable than no PIA at all.

Start with Section 1 and work through each section in order. Don’t try to make it perfect. The IPC cares about thoroughness and honesty, not polish.


This guide is part of the Google Workspace for Canadian Therapists project. We run a private Facebook group where Canadian therapists on Google Workspace share compliance tips, templates, and admin console walkthroughs. Join the group.


This content is for informational purposes only and does not constitute legal advice. Privacy regulations vary by province and are subject to change. Verify current requirements with your provincial regulatory body.
