You practise in Ontario. A new client moves to Calgary and wants to keep working with you. Which privacy law governs the email you send them now? Most therapists assume PHIPA follows the practitioner. It does not always work that way. Here is a one-page reference for figuring out which Canadian privacy law applies to your therapy email, and where PIPEDA enters the picture.
Which law applies?
Use this decision tree. Pick the branch that matches your practice and client base.
- Practice and clients all in Ontario -> PHIPA governs your email. See the PHIPA email requirements for therapists.
- Practice and clients all in Alberta -> HIA governs your email. See the Alberta HIA email requirements for therapists.
- Practice and clients all in BC -> BC PIPA governs your email. See the BC PIPA email privacy guide.
- Cross-provincial practice (clients in more than one province) -> Multiple laws may apply at once. PIPEDA may also apply for commercial activity that crosses provincial lines. The defensible default is the highest standard approach (see callout below). Read the PHIPA vs HIA vs BC PIPA hub for the full picture. A dedicated guide on telehealth across provincial lines is in the pipeline.
If you are unsure which branch you fall into, default to the cross-provincial branch. Over-complying is not a regulatory risk. Under-complying is.
Key differences at a glance
| Requirement | PHIPA (Ontario) | HIA (Alberta) | BC PIPA (British Columbia) |
|---|---|---|---|
| Encryption | Reasonable steps to protect PHI in transit; encryption is the de facto standard (s.12(1)) | Required safeguards under s.60; encryption expected for electronic PHI | Reasonable security arrangements under s.34; encryption expected for sensitive personal information |
| Consent model | Implied consent within the circle of care; express consent for disclosures outside it | Express or implied depending on context; lock box (express request to limit use) under s.58 | Express, implied, or deemed consent depending on purpose (s.7-8) |
| Data residency | No mandate; reasonable safeguards required regardless of location | No mandate; reasonable safeguards required | No mandate for the private sector; reasonable security arrangements required (s.34). Note: the data storage rule for public bodies is FOIPPA, not PIPA |
| Breach notification | Notify affected individuals at the first reasonable opportunity; notify IPC for breaches meeting the prescribed circumstances under s.12(3) and O. Reg. 224/17 | Mandatory to OIPC Alberta and affected individuals when there is a risk of harm (s.60.1) | Mandatory to the OIPC and affected individuals when a real risk of significant harm exists |
| PIA requirement | Recommended for new information systems; not statutory | Required under s.64 at the Commissioner’s request; OIPC Alberta expects PIAs before deploying new health information systems | Recommended; not statutory for the private sector |
| Regulatory college | CRPO (College of Registered Psychotherapists of Ontario) | CAP (College of Alberta Psychologists); counselling therapist regulation expanding | CHCPBC (College of Health and Care Professionals of BC); psychotherapy regulation begins November 29, 2027 |
The highest standard approach
When your practice spans more than one province, comply with the strictest applicable requirement on each dimension. In practice, that means: encrypt every email containing PHI, document consent in writing for cross-jurisdictional clients, maintain an audit trail of every send, and complete a PIA where any of the applicable provincial regimes requires one. This protects you under whichever law a regulator decides to apply.
Next steps
- Read the full hub: PHIPA vs HIA vs BC PIPA for Canadian therapists.
- A dedicated telehealth across provincial lines guide is in the pipeline. Until it publishes, apply the highest standard approach.
- A cross-provincial consent addendum template is in the pipeline. Until it publishes, layer the strictest consent language from each applicable province into your intake form.
If you want this layer handled automatically, Curio handles encryption and a Canadian audit trail across all provinces.
This content is for informational purposes only and does not constitute legal advice. Privacy regulations vary by province and are subject to change. Verify current requirements with your provincial regulatory body.