PHIPA vs PIPEDA for telehealth: when federal law applies
You see clients over video. One lives in Toronto, one just moved to Calgary for a contract, one books sessions from a cabin in BC. Your intake forms, your appointment reminders, your session summaries all move through the same Gmail account. So which privacy law are you actually bound by when that email crosses a provincial line: Ontario’s PHIPA, or the federal PIPEDA?
The honest answer is that most therapists never resolve this, and most of the time it doesn’t bite. But “most of the time” is not a compliance program. If you practise across provincial lines, you should be able to say which statute governs a given email and why.
Here’s the short version, then the decision tree that gets you there.
Quick answer. For a therapist in private practice in Ontario, PHIPA (the Personal Health Information Protection Act, S.O. 2004, c. 3, Sched. A) governs how you handle personal health information. PHIPA is designated “substantially similar” to PIPEDA for the health sector, so federal law steps back for your in province handling. PIPEDA (the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5) is the federal statute that applies to commercial activity, and it keeps a foothold over personal information that moves across a provincial or national border in a commercial transfer. Practically, the safeguards you have to build (encryption, accountability, breach readiness) are close enough under either statute that the safer footing is to meet the higher bar and stop trying to litigate which flag flies over each message.
This piece is a cross provincial companion to our PHIPA vs HIA vs BC PIPA comparison, and it builds on the scenario walkthroughs in telehealth across provincial lines. If you want the province by province scenarios (Ontario therapist with an Alberta client, a client who relocates partway through treatment), that companion piece does that job. This one stays on a narrower question: the mechanism that decides when PIPEDA, the federal law, actually applies.
This content is for informational purposes only and does not constitute legal advice. Privacy regulations vary by province and are subject to change. Verify current requirements with your provincial regulatory body and a qualified privacy professional.
Why this question is so confusing
Two laws sound like they should cover the same thing, and the relationship between them is not intuitive.
PIPEDA is federal. It reads like it applies to everyone in Canada. PHIPA is provincial and health specific, and it also reads like it covers everything you do with client records in Ontario. Both can’t be the operative law for the same email at the same time, so which wins?
The confusion gets worse because the rule that sorts them out, the “substantially similar” designation, is a piece of administrative machinery that almost no clinical training mentions. A therapist reading PIPEDA’s plain text would reasonably conclude it governs their practice. A therapist reading PHIPA would conclude the opposite. Neither is wrong on the face of the statute. The reconciliation happens in a federal Order in Council that you would only find if you went looking.
There’s also a genuine grey zone underneath all of this. Whether an individual therapist’s core clinical record keeping counts as “commercial activity” in the PIPEDA sense, and exactly how the federal law reaches a single video session that crosses a border, have not been settled cleanly by a court for private practice psychotherapy. So part of the confusion is real, not just a knowledge gap. The decision tree below tells you what the rules say; the limitations section is honest about where the edges are still soft.
The decision tree: which law governs this email?
Work through these in order. Each answer narrows the field. The questions are about the email and the client, not about how you feel about compliance.
Question 1: Are you a health information custodian in a province with a substantially similar health privacy law?
In Ontario, a therapist in private practice who provides health care is a health information custodian under PHIPA, and PHIPA has been designated substantially similar to PIPEDA for personal health information. The federal government has made this designation for Ontario’s PHIPA (the designation is recorded as SOR/2005-399), and for the health information laws of New Brunswick, Newfoundland and Labrador, and Nova Scotia, according to the Office of the Privacy Commissioner of Canada.
If yes, then for the personal health information you collect, use, and disclose within that province, the provincial health law governs and PIPEDA largely steps back. For an Ontario therapist emailing an Ontario client, the answer is PHIPA. Stop here for that email.
If you practise in Alberta or BC, the exemption works the same way but through a general private sector law rather than a health specific one. Alberta’s PIPA and BC’s PIPA have both been designated substantially similar to PIPEDA. For private practice therapists in those provinces, the provincial PIPA is the operative statute for in province handling. (One important scope note for Alberta: private practice therapists there are governed by Alberta PIPA, not by the Health Information Act. HIA reaches a therapist only as an affiliate inside a custodian organization or through an information manager agreement under HIA s.66. We cover this in the PHIPA vs HIA vs BC PIPA comparison.)
Question 2: Does the email involve commercial activity?
PIPEDA applies to organizations that “collect, use, or disclose personal information in the course of a commercial activity,” per the Office of the Privacy Commissioner of Canada. A private therapy practice charging fees is a commercial enterprise in the ordinary sense, so this question is usually answered yes.
This is the question that keeps PIPEDA in the picture at all. If there were no commercial activity, the federal law would have no hook. Because there is, the federal law’s reach is defined by the next question rather than switched off entirely.
Question 3: Does the personal information cross a provincial or national border in that commercial activity?
This is the question that actually decides whether the federal law comes forward. The OPC is direct about it: “All businesses that operate in Canada and handle personal information that crosses provincial or national borders in the course of commercial activities are subject to PIPEDA, regardless of the province or territory in which they are based (including provinces with substantially similar legislation).”
So the substantially similar designation carves out activity within a province. It does not carve out personal information that moves across a border in a commercial transfer. PIPEDA continues to apply to interprovincial and international transfers even where a province has its own substantially similar law.
For a therapist, the practical trigger is a client in a different province (or country) than where you practise, where client information moves between you across that line. That is the situation telehealth creates constantly.
Where the tree lands
Run those three questions and you get one of two stable answers:
- In province email, in province client. Provincial health or privacy law governs (PHIPA in Ontario, PIPA in Alberta or BC). PIPEDA steps back.
- Cross border email, client in another province or country. Provincial law still governs your conduct as the regulated provider, and PIPEDA keeps a foothold over the cross border transfer of that personal information. Both are in the room.
Notice what the tree does not produce: a clean scenario where PIPEDA replaces PHIPA and you can stop thinking about the provincial law. That case effectively does not exist for an Ontario therapist in private practice. The provincial statute is always your primary obligation; the federal question is about whether a second, overlapping obligation also attaches to a border crossing.
PHIPA and PIPEDA side by side
The two laws share a goal and differ in the details that matter for email. This table is scoped to the points a therapist actually touches when they hit send. Every cell is sourced below.
| Dimension | PHIPA (Ontario) | PIPEDA (federal) |
|---|---|---|
| Statute | Personal Health Information Protection Act, S.O. 2004, c. 3, Sched. A | Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 |
| Who it covers | Health information custodians and their agents | Organizations collecting personal information in the course of commercial activity |
| When it governs a therapist | PHI handled within Ontario by a custodian | Personal information that crosses a provincial or national border in commercial activity |
| Regulator | Information and Privacy Commissioner of Ontario (IPC) | Office of the Privacy Commissioner of Canada (OPC) |
| Breach notice to the individual | At the first reasonable opportunity (PHIPA s.12) | As soon as feasible, where the breach poses a real risk of significant harm |
| Breach report to the regulator | To the IPC in the circumstances set out in regulation | To the OPC where there is a real risk of significant harm (SOR/2018-64) |
| Cross border disclosure | Express consent for disclosure outside Ontario | Permitted under an accountability model with comparable protection |
| Breach record keeping | Records of breaches required | Records of all breaches required, retained 24 months |
A few things stand out. The breach standards are not identical: PHIPA’s notice trigger to the affected individual is “any unauthorized access” handled at the first reasonable opportunity, while PIPEDA’s reporting trigger to the OPC turns on a “real risk of significant harm” assessment. The IPC and the OPC are different regulators with different reporting channels. And both laws expect you to keep a record of breaches whether or not anyone outside needs to be told.
For the full Ontario breach picture, including when a report to the IPC becomes mandatory and what the first-response steps look like, see PHIPA breach notification for therapists.
The practical answer: build to the higher standard
Here is the part that resolves the anxiety. You do not have to win the jurisdiction argument for every email. You have to meet a safeguard bar that satisfies whichever law applies, and that bar is close enough between PHIPA and PIPEDA that one well-built practice clears both.
Stacking the requirements looks like this.
Encrypt email that contains personal health information, in transit and at rest. PHIPA requires a custodian to take reasonable steps to protect PHI against theft, loss, and unauthorized use or disclosure. PIPEDA’s Principle 7 requires security safeguards appropriate to the sensitivity of the information, and health information is treated as inherently sensitive. Encryption is the safeguard both standards point to for email carrying client information. Build to it and the in province question and the cross border question get the same answer.
Handle cross border transfers with accountability, not just hope. When a client is in another province, PIPEDA’s model is that you remain accountable for the personal information even as it moves, and that comparable protection follows it. In practice that means knowing where the information goes, having an arrangement that protects it on the other side, and being able to describe that arrangement. PHIPA points the same direction by requiring express consent for disclosure outside Ontario. Document the cross border handling and you have answered both.
Keep a breach record and know your two reporting paths. Maintain a log of any unauthorized access regardless of severity, because both laws expect the record. Then know that an Ontario breach reports to the IPC in the prescribed circumstances, and a breach caught by PIPEDA reports to the OPC where there is a real risk of significant harm. You are not choosing one path; you are ready for whichever attaches.
Get consent that names the realities of cross provincial care. A consent process that tells the client their information may move across provincial lines, how it is protected when it does, and the limits of electronic communication satisfies the provincial expectation and supports the federal accountability model at the same time. The cross provincial telehealth guide walks through a consent addendum for clients in other provinces.
The throughline is the same one a regulator would use in a review. Nobody asks you to have correctly predicted which statute governs a given message. They ask whether the information was protected, whether you were accountable for it, and whether you were ready to respond if something went wrong. Meet that, and the PHIPA versus PIPEDA question stops being the thing your practice hinges on.
Where Curio fits
If your client email runs through Google Workspace, the safeguard layer is the part you can act on today. Curio encrypts your Gmail for Canadian mental health privacy law: every outbound email is automatically encrypted, and every send is logged in a Canadian audit trail hosted in Montreal and Toronto. Your Gmail stays the same. The compliance infrastructure runs underneath it.
That covers the encryption and accountability bar both PHIPA and PIPEDA point to, without asking you to migrate off the tools you already use. It does not decide the jurisdiction question for you, and it is not a substitute for a privacy professional’s read on your specific cross provincial setup. What it does is make the safeguard the same whether an email stays in Ontario or crosses into Alberta.
Curio is designed to encrypt outbound email and maintain a Canadian audit trail. It is not a substitute for professional legal or compliance advice. Consult a qualified privacy professional for your specific situation.
Where the edges are still soft
This is the honest part, and it matters more here than in most compliance pieces.
No Canadian appellate court has squarely resolved how PIPEDA and provincial health privacy law overlap for private practice psychotherapy. The “commercial activity” question, in particular, has more settled answers for large organizations than for a solo clinician’s clinical record keeping. The decision tree above reflects how the Office of the Privacy Commissioner describes the rules and how the substantially similar designation is meant to work. It is not a court ruling on your exact circumstances.
The set of substantially similar designations can also change. Designations are made and reviewed at the federal level, and provincial laws get amended. What is designated today is not guaranteed forever, which is one more reason to build to a durable safeguard standard rather than to a snapshot of the current designation list.
And this piece is deliberately narrow. It does not cover college registration when you treat clients in another province, the province by province scenarios, or the substantive differences between PHIPA, Alberta PIPA, and BC PIPA beyond the points that matter for email in the table. Those live in the cross provincial telehealth guide and the comparison of all three laws. Read this for the federal versus provincial mechanism; read those for the rest of the cross provincial map.
When the stakes are high (a breach that crossed a border, a regulator inquiry, an unusual client arrangement), get advice specific to your situation. The general rule is a starting point, not a ruling.
FAQ
Does PIPEDA or PHIPA apply to my telehealth email in Ontario?
For PHI you handle within Ontario as a health information custodian, PHIPA governs and PIPEDA largely steps back, because PHIPA is designated substantially similar to PIPEDA. PIPEDA keeps a foothold over personal information that crosses a provincial or national border in the course of commercial activity.
When does federal privacy law apply to a Canadian therapist?
PIPEDA applies to commercial activity, and it continues to apply to interprovincial and international transfers of personal information even in provinces with substantially similar laws, per the Office of the Privacy Commissioner. For a therapist, the practical trigger is a client in another province or country with information moving across that border.
What does “substantially similar” mean under PIPEDA?
The federal Governor in Council can designate a provincial privacy law as substantially similar to PIPEDA. When it does, that provincial law governs in province activity instead of PIPEDA. Ontario’s PHIPA carries this designation for the health sector; Alberta and BC carry it through their general private sector PIPA laws.
Do I have to comply with both PHIPA and PIPEDA?
For cross provincial telehealth, both can be in play: provincial law governs your conduct as the regulated provider, and PIPEDA reaches the cross border transfer. Rather than choosing one, build to the higher safeguard standard (encryption, accountability, breach readiness), which satisfies both at once.
Is encryption required under PHIPA and PIPEDA?
Neither statute names a specific technology, but both require safeguards appropriate to the sensitivity of the information. PHIPA requires reasonable steps to protect PHI; PIPEDA’s Principle 7 requires safeguards matched to sensitivity, and health data is treated as inherently sensitive. Encryption is the safeguard both point to for client email.
Sources
- Office of the Privacy Commissioner of Canada, “PIPEDA requirements in brief”: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_brief/
- Office of the Privacy Commissioner of Canada, “Provincial laws that may apply” (substantially similar designations): https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/02_05_d_15/
- Office of the Privacy Commissioner of Canada, “Questions and Answers regarding the application of PIPEDA, Alberta and British Columbia’s Personal Information Protection Acts”: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/r_o_p/02_05_d_26/
- Personal Health Information Protection Act, S.O. 2004, c. 3, Sched. A: https://www.canlii.org/en/on/laws/stat/so-2004-c-3-sch-a/latest/so-2004-c-3-sch-a.html
- Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5: https://laws-lois.justice.gc.ca/eng/acts/P-8.6/
- Breach of Security Safeguards Regulations, SOR/2018-64: https://laws-lois.justice.gc.ca/eng/regulations/SOR-2018-64/index.html
- Information and Privacy Commissioner of Ontario: https://www.ipc.on.ca