HIA email checklist for Alberta therapists
A working checklist, not a guide. Keep it open beside your email settings and tick each item honestly. It sorts out which Alberta privacy law asks what of your email (Alberta PIPA for most private practices; the Health Information Act in custodian settings) and gathers the answers a privacy impact assessment will need: mandatory for custodians under section 64, smart documentation for everyone else.
For the reasoning behind each item, read the Alberta HIA Privacy Impact Assessment walkthrough. This is the fast pass; the walkthrough is the why.
Before you rely on this: this checklist is informational only. It does not constitute legal advice. It collects no health information; anything you note stays on your side. Verify current requirements with the OIPC of Alberta and your regulatory college.
Section 1: Which law governs you, and the PIA trigger
Start here. If you’re not a custodian, HIA doesn’t bind you the way this checklist’s section headers might suggest. Most Alberta therapists in private practice aren’t: their statute is Alberta PIPA, with CAP standards on top.
- I’ve checked custodian status under HIA s.1(1)(f): custodians are listed entities plus the professions designated in the Health Information Regulation (physicians, registered nurses, pharmacists, dentists and others). Psychologists registered with the College of Alberta Psychologists and counselling therapists are not designated, so in private practice my statute is Alberta PIPA; HIA reaches me when I work inside a custodian organization as an affiliate.
- My email handles individually identifying health information (client names tied to appointments, clinical content, anything that identifies a person and their care).
- I can name the trigger: I’m adopting a new email system, or changing an existing one, in a way that touches health information. In a custodian setting that triggers HIA s.64; in private practice it’s the right moment to document safeguards under PIPA.
- I understand HIA s.64 requires custodians to submit a PIA to the OIPC before the system goes live for health information. In private practice no submission is owed; a PIA is voluntary documentation that answers the same questions.
Section 2: Email safeguards
Section 60 of the HIA requires custodians to keep reasonable administrative, technical, and physical safeguards; Alberta PIPA’s safeguard duty asks the same of a private practice. For email, that’s a short list. Tick what’s true; the blanks are your gaps.
- Outbound email containing health information is encrypted in a way that doesn’t depend on the recipient’s server cooperating (default Gmail TLS is opportunistic, so this is often the first gap).
- Stored email containing health information is protected at rest.
- Two-step verification is on for the account that sends and receives client email.
- Access to the account is limited to people who need it, and I can say who they are.
- I can produce a record of what health information was sent, to whom, and when (standard Gmail admin logs don’t track this at the message level).
- If I use Google Workspace, I’ve checked which AI features are on and turned off the ones that could process client email content. (The Workspace AI features therapists need to turn off guide walks through these.)
Section 3: PIA readiness for OIPC submission
These are the answers a PIA will ask for. Having them ready turns the walkthrough into an hour’s work.
- I’ve mapped the information flow: what’s sent, who sends and receives it, where the message content is stored, and where data leaves Canada.
- I can state plainly that Gmail message content sits on Google’s global infrastructure, with no Canada-only region for message bodies, and I’ve noted the safeguards applied on top.
- I’ve listed the residual risks (cross-border storage, opportunistic encryption, AI processing) with a specific mitigation for each.
- Where a custodian I work with uses a vendor as an information manager, a written agreement under HIA s.66 is in place, with the contents the Health Information Regulation s.7.2 requires (breach notice duties come separately, from HIA s.60.1).
- I’ve located the current OIPC PIA template and submission method on the OIPC website rather than assuming the process from an old link.
Need the document itself? The Alberta HIA PIA addendum template maps these sections to a Google Workspace deployment in copy-and-paste form.
Section 4: Consent, retention, and disposition
The administrative half of HIA. Less technical, and quietly overlooked.
- I obtain and document each client’s consent to communicate health information by email, including that they understand the risks and can withdraw consent.
- I have a retention period that covers email forming part of the clinical record (CAP’s Standards of Practice set a 10-year minimum from last contact for psychologists, longer for minors).
- I have a secure disposition plan: permanent deletion including backups when the retention period ends, not just emptying the trash.
- My consent and retention practices are written down somewhere I can point to, not just held in my head.
Reading your results
Count your blanks, then read where they fall.
| Your result | What it means | Next step |
|---|---|---|
| No blanks in Sections 1 and 2 | Strong position. | Move to the PIA walkthrough and document what you’ve built. |
| Blanks in Section 2 | Your technical gaps, and the ones a PIA will flag first. Usually opportunistic encryption and a missing audit record. | Close them before you submit. |
| Blanks in Section 3 | You’re not ready to submit yet. | Gather these first, or the PIA stalls. |
| Blanks in Section 4 | Documentation gaps. Lower urgency than encryption. | Address them anyway; they’re what a PIA documents. |
A clean checklist doesn’t mean a finished PIA. It means you can write one with answers instead of guesses.
Practise across provincial lines? Pair this with the cross-provincial compliance quick start, which sorts out which law applies when your clients aren’t all in Alberta.
The two gaps therapists most often can’t close alone are encryption and the audit trail. Curio encrypts outbound client email for Canadian mental health privacy law and logs every send in a Canadian audit trail in Montreal and Toronto, which is what Sections 2 and 3 ask you to document. Join the waitlist if you’d rather those came built in.
This checklist is for informational purposes only and does not constitute legal advice. Privacy regulations vary by province and are subject to change. Verify current requirements with the OIPC of Alberta and your regulatory college before submitting a privacy impact assessment.