
Privacy breach response template for Canadian therapists

Updated June 12, 2026

What this is

A fillable response plan you fill out once, save where you can find it under pressure, and follow step by step the day something goes wrong. A misdirected email with session notes. A lost laptop. A client portal login that ended up in the wrong inbox. When that happens, the first hour matters, and trying to remember your obligations while your stomach is in knots is not a plan.

This template walks you through five things: contain the breach, assess the risk, notify the people who need to know, report to a regulator where required, and document all of it. The notification and reporting rules differ by province, so each step tells you what changes in Ontario under PHIPA, in Alberta under the HIA, and in BC under PIPA.

One thing to get straight before you start. There is no fixed statutory 24 hour breach deadline in any of these three laws. The 24 hour framing you see online is a sensible first response target, not a legal clock. The actual standards are below, and they matter, so use the real ones.

This is your companion to PHIPA breach notification for therapists: your first 24 hours, which walks an Ontario scenario end to end.

Before you fill it in: what the law actually requires

Print this table or keep it open. It is the part people get wrong.

Ontario (PHIPA)
Notify the affected individual? Yes, at the first reasonable opportunity, where PHI is stolen, lost, or used or disclosed without authority (s.12(2)).
Report to the regulator? Yes, to the IPC where a circumstance in O. Reg. 329/04 s.6.3 applies (for example, further use likely, pattern of breaches, discipline of an agent). Report at the first reasonable opportunity.
The standard: “first reasonable opportunity” for both the individual and the IPC. No fixed hour count.

Alberta (HIA)
Notify the affected individual? Yes. Where there is a risk of harm to the individual, the custodian must notify the individual (s.60.1).
Report to the regulator? Yes. The custodian must notify the Office of the Information and Privacy Commissioner of Alberta and the Minister of Health where the loss or unauthorized access carries a risk of harm. Notify as soon as practicable.
The standard: triggered by “risk of harm.” The individual, the OIPC, and the Minister are notified. Binds custodians; most private practices fall under Alberta PIPA instead (report to the OIPC on a real risk of significant harm, s.34.1).

BC (PIPA)
Notify the affected individual? Recommended, not mandatory. OIPC BC advises notifying affected individuals where there is a real risk of significant harm.
Report to the regulator? Recommended, not mandatory. There is no private sector statutory duty to report a breach to OIPC BC.
The standard: voluntary. A private practice in BC is not legally required to report, but reporting on a real risk of significant harm is the OIPC BC recommended practice.

A note on BC, because it gets confused constantly. BC’s mandatory breach notification regime that came into force in February 2023 is the public sector FOIPPA s.36.3. It applies to public bodies. It does not apply to a private counselling practice, which is governed by PIPA, where breach notification stays voluntary. Do not tell a client BC law requires you to report when it does not.

The template (copy, paste, fill in once)

Privacy breach response plan

Practice or therapist name: [___]
Province of practice: [___]
Applicable law (check): [ ] PHIPA (ON) [ ] HIA (AB) [ ] PIPA (BC) [ ] PIPEDA (cross border, commercial)
Privacy contact (you, or your privacy officer): [name, email, phone]
Date this plan was last reviewed: [___]


Step 1: Contain (immediately)

Date and time you discovered the breach: [___]
What happened, in one or two sentences: [___]
What information was involved (names, session notes, contact details, payment, etc.): [___]
How many individuals are affected: [___]
Action taken to stop it (recall the email, disable the login, retrieve the device, change the password): [___]
Is the breach still ongoing? [ ] Yes [ ] No

Step 2: Assess the risk

How sensitive is the information? (mental health PHI is high sensitivity): [___]
Who received or accessed it, and can they be trusted to delete or return it? [___]
Is there a real risk of significant harm (identity theft, embarrassment, loss of employment, damage to a relationship, safety)? [ ] Yes [ ] No
Could the information be used or disclosed further? [ ] Yes [ ] No
Risk level (your judgment): [ ] Low [ ] Medium [ ] High

Step 3: Notify the affected individual

Required for your province? (ON: yes, at first reasonable opportunity; AB: yes, if risk of harm; BC: recommended on real risk of significant harm): [___]
Date you notified the individual: [___]
How you notified them (phone, encrypted email, letter, in person): [___]
What you told them: what happened, what information, what you have done, what they can do, how to reach you, and their right to complain to the privacy commissioner: [ ] Covered

Step 4: Report to the regulator

Does a reporting threshold apply? (ON: O. Reg. 329/04 s.6.3 circumstances; AB: risk of harm; BC: voluntary, no statutory duty): [___]
Regulator: [ ] IPC Ontario [ ] OIPC Alberta [ ] OIPC BC (voluntary) [ ] Not required
Date reported: [___]
Reference or file number received: [___]

Step 5: Document and prevent

Root cause (what allowed this to happen): [___]
Change you are making so it does not recur (encryption, a checklist, a second confirmation before sending): [___]
Date you recorded this breach in your breach log: [___]
Date for a follow up review: [___]

How to use it

Fill in the header block now, today, while nothing is wrong. That is the part that saves you later: your province, your applicable law, and your privacy contact never change between breaches, so set them once.

When a breach happens, work top to bottom. Containment first, before you tell anyone anything, because stopping the spread is the one step that gets harder every minute you wait. Risk assessment second, because it decides whether and how you notify.

Keep every completed plan. Even a low risk breach you decided not to report belongs in your breach log, with your reasoning written down. If a regulator ever asks, the documentation a reviewer would look for already exists, dated and reasoned, in your own file.

How to adapt it

Solo practitioner in Ontario: you are almost always a health information custodian under PHIPA, so Step 3 notification is mandatory at the first reasonable opportunity, and you check Step 4 against the O. Reg. 329/04 s.6.3 circumstances. When in doubt on the threshold, report: the IPC accepts reports it later closes, and under-reporting is the bigger risk.

Solo practitioner in Alberta: most private practices are not HIA custodians, so Alberta PIPA’s breach duty applies: report to the OIPC Alberta where the breach creates a real risk of significant harm (s.34.1), and the Commissioner can require you to notify affected individuals. Where you do hold health information inside a custodian setting, the HIA path applies instead: the individual, the OIPC, and the Minister of Health are notified on a “risk of harm,” a lower bar than “real risk of significant harm,” so it is triggered by breaches that would not meet the PIPA threshold.

Solo practitioner in BC: notification and reporting are both voluntary under PIPA. That does not mean do nothing. Notifying a client on a real risk of significant harm is the OIPC BC recommended practice, and it is usually the right call for trust reasons even where the law does not compel it. Document the decision either way.

Group practice: name one privacy officer in the header block and route all five steps through that person, so two clinicians don’t notify the same client twice or report inconsistently.


Most breaches in a small practice start the same way: an email containing client information that should have been encrypted was not. Curio encrypts every client email automatically and logs every send in a Canadian audit trail, so the record of what you sent, and that it was protected, already exists if you ever need it. If you use Gmail, join the Curio waitlist.

Curio is designed to encrypt outbound email and maintain a Canadian audit trail. It is not a substitute for professional legal or compliance advice. Consult a qualified privacy professional for your specific situation.

This content is for informational purposes only and does not constitute legal advice. Privacy regulations vary by province and are subject to change. Verify current requirements with your provincial regulatory body and privacy commissioner.
