Side by side comparison of Canadian provincial health privacy laws for therapists

PHIPA vs HIA vs BC PIPA: a therapist's guide

Gabriel Borges 17 min read

Canada doesn’t have one health privacy law. It has several. If you’re a therapist in Ontario, PHIPA governs your client email. If you’re in Alberta, it’s HIA. In British Columbia, it’s PIPA (BC). And if you see clients across provincial lines, more than one law may apply at once.

This is a comparison guide. One page, three provinces, every requirement that affects how you handle personal health information by email.

Quick answer

  • Ontario therapists are governed by the Personal Health Information Protection Act (PHIPA), s.12(1), enforced by the Information and Privacy Commissioner of Ontario (IPC).
  • Alberta therapists are governed by the Health Information Act (HIA), s.60, enforced by the Office of the Information and Privacy Commissioner of Alberta (OIPC Alberta).
  • British Columbia therapists are governed by the Personal Information Protection Act (PIPA), s.34, enforced by the Office of the Information and Privacy Commissioner for British Columbia (OIPC BC).
  • All three require reasonable safeguards for personal health information sent by email. In practice, that means encryption.
  • Federal PIPEDA applies only where no substantially similar provincial law exists. Provincial laws take precedence in Ontario, Alberta, and BC.

Why three laws instead of one?

Health privacy is mostly provincial in Canada. The federal Privacy Commissioner has formally recognized PHIPA, HIA, and BC PIPA as substantially similar to PIPEDA, which means the provincial law governs in each of these jurisdictions.

The practical effect for your practice: the law that applies to your client email is determined by where you practice. If your practice spans provinces, the calculation gets harder. We’ll get to that below.

PHIPA (Ontario): what therapists need to know

The Personal Health Information Protection Act, 2004 (PHIPA) is Ontario’s health privacy statute. It applies to “health information custodians,” which includes psychotherapists registered with the College of Registered Psychotherapists of Ontario (CRPO) when they collect, use, or disclose personal health information in the course of their practice.

The section that governs email is s.12(1):

Under PHIPA s.12(1), a health information custodian shall take steps that are reasonable in the circumstances to ensure that personal health information in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure.

What “reasonable steps” means for email is settled. The IPC’s published guidance treats encryption as the default expectation for any email containing PHI. Plain Gmail without an encryption layer doesn’t meet that bar.

PHIPA also requires:

  • Consent for collection, use, and disclosure under s.18. Consent for electronic communication should be documented at intake.
  • An audit trail sufficient to demonstrate who accessed what PHI and when. The IPC has called this out in multiple decisions.
  • Breach notification at the first reasonable opportunity, with notification to affected individuals and the IPC for breaches that meet the s.12(3) threshold.

Enforcement sharpened on January 1, 2024, when Part V.1 (ss. 61.1 to 61.14) brought administrative monetary penalties into force. AMP amounts are set by regulation under O. Reg. 224/17, with maximums commonly cited at $50,000 for individuals and $500,000 for organizations (verify the current AMP Schedule against IPC publications). PHIPA s.72 offence prosecution caps sit higher at $200,000 individual and $1,000,000 corporate after the 2020 amendments. IPC Decision 298 is the first published AMP analysis under the new framework.

For the full breakdown, see PHIPA email requirements for therapists. For a Gmail-specific analysis, see is Gmail PHIPA compliant. For the AMP enforcement context, see PHIPA administrative monetary penalties.

HIA (Alberta): what therapists need to know

The Health Information Act (HIA) is Alberta’s health information statute. It applies to “custodians,” which includes psychologists registered with the College of Alberta Psychologists (CAP) and, as of CAP’s expansion, registered counselling therapists when they collect, use, or disclose health information.

The section that governs email is s.60:

Under HIA s.60, a custodian must take reasonable steps to maintain administrative, technical and physical safeguards that will protect the confidentiality of health information that is in the custodian’s custody or under the custodian’s control.

OIPC Alberta has been explicit that “reasonable safeguards” includes encryption for email containing health information. Their guidance on email security is more prescriptive than Ontario’s.

Alberta has one requirement Ontario and BC don’t:

Under HIA s.64, a custodian must, at the request of the Commissioner, prepare a privacy impact assessment that describes how a proposed administrative practice or information system relating to the collection, use or disclosure of individually identifying health information may affect the privacy of the individual who is the subject of the information.

In practice, OIPC Alberta expects custodians to submit a Privacy Impact Assessment (PIA) before deploying new systems that handle health information. New email setups, including encrypted email products, fall in scope.

For the full HIA breakdown, see Alberta HIA email requirements for therapists. For CAP’s electronic communication standards, see CAP practice standards for Alberta. For the CAP expansion to counselling therapists, see CAP expanding to counselling therapists.

BC PIPA (British Columbia): what therapists need to know

The Personal Information Protection Act (PIPA) is British Columbia’s private sector privacy statute. It applies to organizations, including psychotherapists in private practice, when they collect, use, or disclose personal information in the course of commercial activity. PIPA covers personal information broadly, which includes the health information therapists handle.

The section that governs email is s.34:

Under BC PIPA s.34, an organization must protect personal information in its custody or under its control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks.

OIPC BC’s guidance treats encryption as the standard interpretation of “reasonable security arrangements” for email containing personal information. The Commissioner has also issued specific guidance on cross-border data flows: where personal information moves outside Canada, the organization must assess and document that risk.

A note on data residency. BC PIPA s.34 covers private sector security arrangements. It is not a data residency mandate. The Freedom of Information and Protection of Privacy Act (FOIPPA) imposes a Canadian storage requirement, but FOIPPA applies to public bodies, not private therapy practices. Don’t conflate the two.

Breach notification under BC PIPA is mandatory when a breach creates a real risk of significant harm. The threshold isn’t optional, and OIPC BC has published guidance on what constitutes “significant harm” in a private sector context.

For the full BC PIPA breakdown, see BC PIPA email privacy obligations. For the upcoming college regulation, see CHCPBC psychotherapy regulation. For the protected title context, see psychotherapist protected title in BC.

Side by side comparison

This is the master comparison. Each row is a single dimension; each column is one province.

| Dimension | PHIPA (Ontario) | HIA (Alberta) | BC PIPA (British Columbia) |
|---|---|---|---|
| Full legislation name | Personal Health Information Protection Act, 2004 | Health Information Act (RSA 2000, c H-5) | Personal Information Protection Act, 2003 |
| Key section for email security | s.12(1) | s.60 | s.34 |
| Encryption requirement | “Reasonable steps”: IPC guidance treats encryption as default for email containing PHI | “Reasonable safeguards”: OIPC Alberta guidance treats encryption as default | “Reasonable security arrangements”: OIPC BC guidance treats encryption as default |
| Consent model | Express or implied consent for use/disclosure under s.18; express consent recommended for electronic communication | Knowledgeable consent under HIA Part 4; documented consent expected for electronic communication | Consent required under ss.6-9; opt-in for sensitive personal information |
| Data residency approach | No specific statutory mandate; IPC expects custodians to assess cross-border risk | No statutory mandate; PIA process considers location of storage | No statutory mandate; OIPC BC guidance treats cross-border transfer as a risk that must be assessed and documented |
| Breach notification | At the first reasonable opportunity; IPC notification required for breaches meeting s.12(3) threshold | Without unreasonable delay; OIPC notification required for breaches meeting HIA breach reporting threshold | Mandatory when a breach creates a real risk of significant harm |
| Privacy Impact Assessment | Recommended; not statutorily required | Mandatory under s.64 at Commissioner’s request; OIPC Alberta expects PIAs before new system deployment | Recommended; OIPC BC publishes PIA guidance |
| Enforcement mechanism | Administrative Monetary Penalties under Part V.1 (ss. 61.1-61.14), in force January 1, 2024; IPC Decision 298 is the first published AMP analysis | OIPC orders, prosecution under s.107 for offences | OIPC orders, prosecution for offences |
| Maximum penalty | $50,000 (individual) / $500,000 (organization) under PHIPA AMPs | Up to $50,000 (individual) / $500,000 (organization) under HIA s.107 | Up to $10,000 (individual) / $100,000 (organization) under PIPA s.56 |
| Relevant college | College of Registered Psychotherapists of Ontario (CRPO) | College of Alberta Psychologists (CAP) | College of Health and Care Professionals of BC (CHCPBC) |
| College regulation status | Established since 2015 | Established; expanding to registered counselling therapists | Psychotherapy regulation begins November 29, 2027 |

The pattern is consistent across all three provinces:

Every Canadian province with health privacy legislation requires reasonable safeguards for personal health information sent by email, and every provincial regulator interprets that requirement as encryption.

Where the laws diverge is in enforcement teeth, PIA requirements, and consent specificity. Alberta is the strictest on PIAs. Ontario has the most aggressive enforcement framework after the AMPs came into force. BC has the most explicit cross-border guidance.

What your college requires on top of the law

The provincial privacy law is one layer. Your regulatory college is the second. College standards apply alongside the statute, and in some areas they’re more prescriptive than the law itself.

Ontario: CRPO Standard 3.4 (Electronic Practice). This is the most detailed college standard on electronic practice in Canada. It covers email, video, messaging, and record keeping. CRPO expects encrypted email for PHI, documented consent for electronic communication, and an audit trail. See CRPO electronic practice standards for the full breakdown.

Alberta: CAP Practice Standards. CAP has published guidance on digital communication, electronic records, and informed consent for electronic services. With CAP’s expansion to registered counselling therapists, more practitioners now fall under these standards. See CAP practice standards for Alberta.

British Columbia: CHCPBC standards (effective November 29, 2027). The College of Health and Care Professionals of BC will regulate psychotherapy starting in late 2027. Standards are still being finalized, but the framework will likely mirror CRPO’s level of specificity on electronic practice. See CHCPBC psychotherapy regulation.

For a side by side of the three colleges, see comparing college email requirements across Canada.

When multiple laws apply

If you practice in one province and your client lives in another, you may be subject to both privacy regimes. The general framework: the law of the jurisdiction where the custodian or organization is located governs the custodian’s obligations, but the law of the client’s jurisdiction may also apply when the client’s information is collected, stored, or disclosed in that jurisdiction.

Cross provincial telehealth is the most common scenario. An Ontario therapist seeing a client by video in Alberta is operating in both PHIPA and HIA territory. The conservative approach is to apply the higher standard at every decision point: the strictest consent requirement, the strictest PIA expectation, the strictest breach notification timeline.

A dedicated guide on cross provincial telehealth compliance is in the pipeline. Until it’s published, apply the strictest standard at each decision point (consent, PIA, breach notification) across the jurisdictions involved.

What about PIPEDA?

PIPEDA, the federal Personal Information Protection and Electronic Documents Act, sits underneath the provincial regime. It applies in two situations relevant to therapists:

  1. Where a province has no substantially similar legislation. Ontario, Alberta, and BC all have substantially similar health or private sector laws, so PIPEDA does not directly govern therapy practice in these provinces.
  2. Where personal information crosses provincial or international borders in the course of commercial activity. This is where PIPEDA can apply alongside provincial law.

For therapists practicing within their own province, PIPEDA is rarely the operative law. For therapists with cross-border or cross provincial practice patterns, PIPEDA may apply in addition to the provincial framework. See email privacy laws across Canada for the broader federal-provincial mapping.

Practical steps regardless of province

Whatever your jurisdiction, the same compliance scaffolding applies. These are the steps every Canadian therapy practice should have in place.

  1. Identify which law applies to your practice. Determine your province of practice and the provinces your clients are located in. The PHIPA/HIA/BC PIPA columns above and the comparison table give you the per-province rules.
  2. Encrypt all email containing personal health information. Required, in substance, by all three provincial laws. Plain Gmail or Outlook without an encryption layer doesn’t meet the standard.
  3. Document client consent for electronic communication at intake. Express, written consent is the safest baseline across all three provinces.
  4. Maintain an audit trail of email containing PHI. At minimum: who sent what, to whom, when, and whether it was encrypted. This is a regulatory expectation, not a nice-to-have.
  5. Complete a Privacy Impact Assessment. Required in Alberta at the Commissioner’s request under HIA s.64, and OIPC Alberta expects PIAs before deploying new health information systems. Recommended in Ontario and BC. Every new email or record-keeping system you adopt should be PIA-assessed.
  6. Review your college’s practice standards for electronic communication. CRPO Standard 3.4 in Ontario, CAP standards in Alberta, CHCPBC standards as they come into force in BC.
  7. If you see clients in other provinces, assess cross provincial compliance. Apply the strictest standard at each decision point — strictest consent, strictest PIA expectation, strictest breach notification timeline.
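As an added illustration of the audit trail in step 4 (example code, not from this page or from Curio), the check below reads constructed key=value audit records and flags any record that cannot answer who sent what, to whom, when, and whether it was encrypted, plus any message marked as containing PHI that went out unencrypted. The record layout, field names and addresses are assumptions made for the example.

```python
"""Audit-trail check for therapist email. Added example; the record format,
field names and sample addresses below are assumptions, not a real product's log."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# The minimum the page asks for: what (id), who, to whom, when, and encrypted or not.
REQUIRED_FIELDS = ("id", "sender", "recipient", "timestamp", "contains_phi", "encrypted")

# Constructed sample log: one record per line, key=value tokens, '#' starts a comment.
SAMPLE_LOG = """\
# id sender recipient timestamp contains_phi encrypted
id=m001 sender=therapist@example.ca recipient=client-a@example.net timestamp=2024-03-04T14:02:00-05:00 contains_phi=yes encrypted=yes
id=m002 sender=therapist@example.ca recipient=client-b@example.net timestamp=2024-03-04T15:10:00-05:00 contains_phi=yes encrypted=no
id=m003 sender=therapist@example.ca recipient=billing@example.org timestamp=2024-03-05T09:00:00-05:00 contains_phi=no encrypted=no
id=m004 sender=therapist@example.ca recipient=client-c@example.net timestamp=not-a-time contains_phi=yes encrypted=yes
id=m005 sender=therapist@example.ca timestamp=2024-03-06T11:30:00-05:00 contains_phi=yes encrypted=yes
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    message_id: str
    issue: str


def parse_record(line: str) -> Dict[str, str]:
    """Split 'key=value key=value ...' into a dict; tokens without '=' are ignored."""
    record: Dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            record[key] = value
    return record


def check_audit_trail(log_text: str) -> List[Finding]:
    """Return one Finding per defect; an empty list means the trail is complete and clean."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are not records
        rec = parse_record(line)
        mid = rec.get("id", "<no id>")
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            # A record that cannot say who/whom/when/encrypted fails the audit-trail expectation.
            findings.append(Finding(line_no, mid, "incomplete record, missing: " + ", ".join(missing)))
            continue
        try:
            datetime.fromisoformat(rec["timestamp"])  # 'when' must be a real, parseable time
        except ValueError:
            findings.append(Finding(line_no, mid, "timestamp is not ISO 8601"))
        if rec["contains_phi"] == "yes" and rec["encrypted"] != "yes":
            # The one condition every regulator discussed on this page treats as unreasonable.
            findings.append(Finding(line_no, mid, "PHI sent without encryption"))
    return findings


if __name__ == "__main__":
    for f in check_audit_trail(SAMPLE_LOG):
        print(f"line {f.line_no} {f.message_id}: {f.issue}")
```

Run against the sample, it reports m002 (unencrypted PHI), m004 (bad timestamp) and m005 (no recipient); a clean log returns no findings.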

Frequently asked questions

Which privacy law applies to my therapist email?

It depends on your province of practice. In Ontario, PHIPA. In Alberta, HIA. In British Columbia, BC PIPA. If you practice across provincial lines, more than one law may apply, and PIPEDA may also enter the picture for commercial activity that crosses borders.

Is PHIPA the same as HIA?

No. PHIPA governs Ontario; HIA governs Alberta. Both require reasonable safeguards for personal health information, and both regulators treat encryption as the standard for email. The differences are in enforcement (PHIPA has Administrative Monetary Penalties; HIA uses OIPC orders), in PIA requirements (required under HIA s.64 at the Commissioner’s request, with OIPC Alberta expecting PIAs before new health information systems go live; recommended under PHIPA), and in consent specificity.

Do all provinces require email encryption for therapists?

All three provincial laws require reasonable safeguards or reasonable security arrangements for personal health information sent by email. Each provincial Commissioner has interpreted “reasonable” to include encryption. Plain unencrypted email containing PHI does not meet the standard in any of the three provinces.

How does HIA differ from PHIPA?

HIA applies to Alberta custodians; PHIPA applies to Ontario custodians. HIA s.64 lets the Commissioner require a Privacy Impact Assessment, and OIPC Alberta expects PIAs before new health information systems are deployed; PHIPA does not impose a parallel requirement. PHIPA introduced Administrative Monetary Penalties in 2024 (up to $500,000 for organizations); HIA enforcement is primarily through OIPC orders and offence prosecution under s.107. Consent frameworks are similar but not identical.

Which law applies if my client moves to another province?

Your obligations as a custodian or organization are governed primarily by the law of your province of practice. The law of your client’s new province may also apply to the collection, use, or disclosure of their information in that jurisdiction. The conservative approach is to apply the stricter standard at every decision point until you’ve confirmed the analysis with a privacy professional.

Does PIPEDA replace provincial privacy laws?

No. PIPEDA applies only where no substantially similar provincial law exists. The federal Privacy Commissioner has recognized PHIPA, HIA, and BC PIPA as substantially similar, so the provincial law governs in those jurisdictions. PIPEDA can still apply to commercial activity that crosses provincial or international borders.

What’s the maximum penalty for a privacy breach in each province?

Under PHIPA, Administrative Monetary Penalties reach $50,000 for individuals and $500,000 for organizations (Part V.1, in force January 1, 2024). Under HIA s.107, prosecution can result in fines up to $50,000 for individuals and $500,000 for organizations. Under BC PIPA s.56, fines reach $10,000 for individuals and $100,000 for organizations.

Do I need a Privacy Impact Assessment before using a new email product?

In Alberta, yes — HIA s.64 makes PIAs mandatory at the Commissioner’s request, and OIPC Alberta expects PIAs before new system deployment. In Ontario and British Columbia, PIAs are recommended rather than mandatory, but they are widely treated as best practice and can reduce regulatory risk if a breach occurs.

Key takeaways

  • Three provinces, three laws. PHIPA (Ontario, s.12(1)), HIA (Alberta, s.60), and BC PIPA (British Columbia, s.34) each govern personal health information handled by therapists in their jurisdiction.
  • All three require encryption for email containing PHI. Each provincial Commissioner interprets “reasonable safeguards” or “reasonable security arrangements” to include encryption.
  • Alberta is unique on PIAs. HIA s.64 lets the Commissioner require Privacy Impact Assessments, and OIPC Alberta expects PIAs before new health information systems go live. Ontario and BC recommend them.
  • PHIPA enforcement got sharper in 2024. Administrative Monetary Penalties under Part V.1 (in force January 1, 2024) reach $500,000 for organizations. IPC Decision 298 is the first published AMP analysis.
  • College standards add a second layer. CRPO Standard 3.4 in Ontario, CAP practice standards in Alberta, and CHCPBC standards (effective November 29, 2027) in BC apply alongside the statute.
  • Cross provincial practice triggers multiple regimes. Apply the stricter standard at each decision point.
  • PIPEDA rarely governs in-province therapy practice. Provincial laws take precedence in Ontario, Alberta, and BC.

Curio for therapists across Canada

Curio’s compliance infrastructure handles encryption and a Canadian audit trail for personal health information sent through Gmail. It works the same way whether your practice is governed by PHIPA, HIA, or BC PIPA. Your Gmail stays the same. The compliance layer runs underneath.


This guide is part of the Google Workspace for Canadian Therapists project. We run a private Facebook group where Canadian therapists on Google Workspace share compliance tips, templates, and admin console walkthroughs. Join the group.

This content is for informational purposes only and does not constitute legal advice. Privacy regulations vary by province and are subject to change. Verify current requirements with your provincial regulatory body (IPC Ontario, OIPC Alberta, OIPC BC) and your professional college.


Sources

  • Personal Health Information Protection Act, 2004 — s.12(1), s.18, Part V.1 ss. 61.1-61.14 (ontario.ca)
  • Health Information Act (Alberta) — s.60, s.64, s.107 (alberta.ca)
  • Personal Information Protection Act (BC) — s.34, s.56 (bclaws.gov.bc.ca)
  • Information and Privacy Commissioner of Ontario — PHIPA guidance and Decision 298 (ipc.on.ca)
  • Office of the Information and Privacy Commissioner of Alberta — PIA requirements (oipc.ab.ca)
  • Office of the Information and Privacy Commissioner for British Columbia — cross-border data guidance (oipc.bc.ca)
  • College of Registered Psychotherapists of Ontario — Standard 3.4 Electronic Practice (crpo.ca)
  • College of Alberta Psychologists — Practice Standards (cap.ab.ca)
  • College of Health and Care Professionals of BC — regulation timeline (chcpbc.org)
  • Personal Information Protection and Electronic Documents Act (priv.gc.ca)
