CRPO electronic practice quick reference

CRPO Standard 3.4 sets the rules for how Ontario registered psychotherapists use electronic communication. This checklist condenses the full Standard 3.4 guide into a working reference you can print, pin to your wall, and check off as you go.

Each item maps to a specific Standard 3.4 obligation. If you’re unsure about any item, the companion guide explains the reasoning behind it.

Standard 3.4 requires informed consent for the communication channel itself. This is separate from your PHIPA consent for collecting and using PHI. You need both.

Your electronic communication consent form must cover:

  • Channels identified. List every electronic channel you use with clients (email, text, video, secure portal). Each one, named individually.
  • Risks disclosed per channel. Explain the specific risks of each channel. For email: interception, forwarding, storage on insecure devices.
  • Confidentiality limits stated. Describe where electronic communication can’t guarantee the same confidentiality as in-person sessions.
  • Alternatives offered. Name what’s available if the client declines electronic communication: phone, in person, secure portal.
  • Withdrawal rights documented. State that the client can withdraw consent for electronic communication at any time without affecting their care.
  • Consent is “knowledgeable.” The client understood what they agreed to, not just signed a form. “Knowledgeable” is CRPO’s word, and it carries weight.

A combined PHIPA + CRPO consent form template is available at /resources/consent-form-template-phipa-crpo.

2. Record keeping

Standard 3.4 goes beyond PHIPA s.10’s general record-keeping obligations. Treatment-related email must be captured in the clinical record.

  • Treatment-related emails logged. Any email that touches on symptoms, treatment plans, homework, crisis responses, or session content belongs in the clinical record. Scheduling and billing emails don’t.
  • Log entries include key details. Record the date, recipient, subject line, and whether the email contained PHI.
  • Correspondence preserved or summarized. Either save the full email (PDF, EHR paste, or archive) or write a clinical note summarizing its content. Pick one method and stick with it.
  • Administrative vs. clinical distinction is clear. You need a consistent rule for deciding which emails are treatment-related. When in doubt, log it.

The manual audit log template provides a Google Sheets approach for tracking this until you have an automated solution.

3. Competency and insurance

Standard 3.4 expects you to understand the technology you’re using and to be covered if something goes wrong.

  • Technology competency documented. You can explain how your email encryption works, what it protects, and what it doesn’t. If you can’t articulate it, that’s a gap.
  • Professional liability insurance reviewed. Your policy explicitly covers electronic services. If you started offering telehealth during COVID and never updated your policy, check now.
  • Technology assessed for appropriateness. You’ve evaluated whether your email setup is “secure, confidential, and appropriate” per Standard 3.4. Unencrypted Gmail, on its own, does not meet this bar for messages containing PHI.

4. Audit readiness

If CRPO investigates a complaint, your documentation is your defense. These items aren’t explicitly listed in Standard 3.4 as checkboxes, but they’re the practical layer that demonstrates compliance.

  • Consent forms are signed and filed. Every client who communicates with you electronically has a signed consent form on file. No exceptions, no retroactive consents.
  • Email audit trail is current. Your log of treatment-related emails is up to date, not three months behind.
  • Electronic practice policies are written down. You have a document (even a short one) that describes how you use technology in your practice, what safeguards are in place, and your protocol for breaches or technical failures.
  • Insurance confirmation is accessible. You can produce proof that your liability insurance covers electronic services if asked.

What this checklist doesn’t cover

Standard 3.4 also governs telehealth platforms, video calling security, cross-border practice, and electronic clinical records. This reference focuses on email because that’s where the biggest compliance gaps tend to sit. For the full scope, read the companion guide.

Other provinces have comparable requirements. Alberta therapists operate under HIA and the College of Alberta Psychologists (CAP). BC’s College of Health and Care Professionals of BC (CHCPBC) begins regulating psychotherapy on November 29, 2027. If you practise outside Ontario, check your provincial legislation before applying this checklist.


Curio encrypts every email and logs each send in a Canadian audit trail, covering the security, encryption, and documentation items in sections 1 through 4 above.


This content is for informational purposes only and does not constitute legal advice. Privacy regulations and college practice standards are subject to change. Verify current requirements with CRPO and consult a qualified privacy professional for your specific situation.
