Twenty questions Canadian therapists ask about email under Ontario’s Personal Health Information Protection Act (PHIPA), Alberta’s Health Information Act (HIA), and BC’s Personal Information Protection Act (PIPA). Each answer stands on its own. Skim, search, or read straight through.
Crisis resources. If a client is in crisis, do not respond by email. Direct them to Crisis Services Canada at 1-833-456-4566 (text 45645) or 988 Suicide Crisis Helpline (call or text 988). Email is not a crisis channel.
Encryption and infrastructure
Is Gmail PHIPA compliant?
Gmail is not PHIPA compliant out of the box. By default it uses opportunistic TLS: the sending server encrypts the connection only if the receiving server advertises STARTTLS, and otherwise delivers the message in cleartext without warning the sender. A Google Workspace administrator can require TLS for named recipient domains, but that rule is off by default and only covers the domains you list. Under PHIPA s.12(1), health information custodians must take reasonable steps to protect personal health information. Opportunistic encryption is not a reasonable step on its own.
Learn more: Is Gmail PHIPA compliant for Ontario therapists?
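To make the downgrade concrete, here is an added example (not code from the original page or from any product it mentions) that shows how a sender decides whether a recipient will get TLS. It classifies delivery from two inputs: the EHLO reply a recipient mail server gives (STARTTLS is protected only if the server lists it) and the recipient domain’s MTA-STS policy, the RFC 8461 mechanism that lets senders who honor it refuse cleartext delivery. The mail server names, EHLO replies and policy files are constructed for the example.

```python
"""Classify whether email to a recipient server would be cleartext, opportunistic
TLS, or enforced TLS. Added example; hosts, EHLO replies and policies are constructed."""
import smtplib
from typing import Iterable, Optional


def starttls_advertised(ehlo_lines: Iterable[str]) -> bool:
    """True if the EHLO reply lists the STARTTLS extension (RFC 3207).

    Multi-line replies look like "250-STARTTLS"; the final line uses "250 ".
    """
    for line in ehlo_lines:
        if line[:3] != "250":
            continue
        body = line[4:].strip().upper()
        if body.split(" ")[0] == "STARTTLS":
            return True
    return False


def parse_mta_sts_policy(text: str) -> dict:
    """Parse an MTA-STS policy (served at https://mta-sts.<domain>/.well-known/mta-sts.txt).

    The "mx" key may repeat, so every value is kept as a list.
    """
    policy: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        policy.setdefault(key.strip().lower(), []).append(value.strip())
    return policy


def classify_delivery(ehlo_lines: Iterable[str], mta_sts_text: Optional[str]) -> str:
    """'cleartext'     -> server offers no STARTTLS; message would go unencrypted
    'opportunistic' -> STARTTLS offered, but nothing stops a downgrade on a later attempt
    'enforced'      -> STARTTLS offered and the domain publishes MTA-STS in enforce mode
    """
    if not starttls_advertised(ehlo_lines):
        return "cleartext"
    if mta_sts_text:
        policy = parse_mta_sts_policy(mta_sts_text)
        # "testing" mode only asks for reports; only "enforce" blocks cleartext fallback.
        if policy.get("version") == ["STSv1"] and policy.get("mode") == ["enforce"]:
            return "enforced"
    return "opportunistic"


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live check against a real MX host (needs network; not used by the samples below)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")


# Constructed sample inputs: one modern MX, one legacy MX, two policy files.
EHLO_WITH_TLS = ["250-mx.clinic.example", "250-SIZE 35882577", "250-STARTTLS", "250 SMTPUTF8"]
EHLO_NO_TLS = ["250-mail.legacy.example", "250-SIZE 10240000", "250 8BITMIME"]
STS_ENFORCE = "version: STSv1\nmode: enforce\nmx: mx.clinic.example\nmax_age: 604800\n"
STS_TESTING = "version: STSv1\nmode: testing\nmx: mx.clinic.example\nmax_age: 86400\n"

if __name__ == "__main__":
    for label, ehlo, sts in [
        ("legacy server, no STARTTLS", EHLO_NO_TLS, STS_ENFORCE),
        ("STARTTLS, no MTA-STS", EHLO_WITH_TLS, None),
        ("STARTTLS, MTA-STS testing", EHLO_WITH_TLS, STS_TESTING),
        ("STARTTLS, MTA-STS enforce", EHLO_WITH_TLS, STS_ENFORCE),
    ]:
        print(f"{label}: {classify_delivery(ehlo, sts)}")
```

The point for a practice: the result depends on the recipient’s server, not yours. A client on a legacy mailbox lands in the "cleartext" case, and an opportunistic sender will still deliver. Only an enforced-TLS rule on your side, or end-to-end encryption with a portal fallback, removes that outcome.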
What encryption does PHIPA require for email?
PHIPA does not name a specific encryption standard. The Information and Privacy Commissioner of Ontario (IPC) interprets s.12(1) to require encryption that is appropriate to the sensitivity of the information. For PHI, that means enforced TLS 1.2+ or end-to-end encryption with a portal fallback when TLS cannot be guaranteed. Transport encryption protects a message only while it moves between mail servers; it does nothing for what sits in either mailbox or on a lost device, which is why access controls and device encryption still matter.
Learn more: PHIPA email requirements for therapists
Can therapists email clients under PHIPA?
Yes, therapists can email clients under PHIPA, but with conditions. The client must provide knowledgeable consent after being told the risks of email, the practice must use encryption appropriate to the sensitivity, and the therapist must keep an audit trail of what was sent and to whom. PHIPA does not prohibit email; it requires reasonable safeguards.
Learn more: Can therapists email clients under PHIPA?
Do all provinces require email encryption for therapists?
Effectively yes, though the wording varies. PHIPA (Ontario) requires reasonable safeguards under s.12(1). Alberta’s HIA s.60 requires safeguards proportionate to risk. BC’s PIPA requires reasonable security arrangements under s.34. Federally, PIPEDA Principle 7 requires safeguards. None name a specific standard, but encryption is the accepted floor for PHI in transit.
Learn more: PHIPA vs HIA vs BC PIPA: a therapist’s guide
Is Hushmail better than Gmail for Canadian therapists?
Hushmail offers built-in end-to-end encryption, which Gmail does not. For therapists who want a single-provider solution, Hushmail removes the encryption gap. The trade-off: it forces a provider migration, has no Google Workspace integration, and uses its own audit logging rather than your Workspace audit log. Hushmail is headquartered in Vancouver. Whether it is “better” depends on whether you want to switch providers or keep Gmail and add a compliance layer.
Learn more: Hushmail vs Gmail for Canadian therapists
Is Paubox PHIPA compliant?
Paubox is a US-based email encryption service marketed as HIPAA compliant. It can encrypt email at the gateway, which addresses one PHIPA requirement, but it stores audit logs and metadata on US servers. For Canadian therapists, that creates cross-border data flow concerns under PHIPA s.12(1) reasonable safeguards plus IPC cross-border transfer guidance, and similar reasonable-safeguards duties under HIA and BC PIPA.
Learn more: Is Paubox PHIPA compliant in Canada?
Consent, retention, and recordkeeping
What should a therapist email consent form include?
A PHIPA-aligned email consent form should name the practice, describe the purpose of email use, list the risks (interception, misdelivery, unauthorized access on the recipient’s device), state what safeguards are in place, give the client a way to withdraw consent, and be signed and dated. Verbal consent is allowed under PHIPA but harder to defend later, so if you take it verbally, note the date and what was explained in the client record.
Learn more: Consent form template for PHIPA + CRPO
How long must therapists retain email records under PHIPA?
PHIPA itself does not set a specific email retention period. CRPO Standard 5.6 requires Ontario psychotherapists to retain client records for at least 10 years after the last interaction (or 10 years after the client turns 18, whichever is later). Email exchanges that are part of the clinical record fall under the same rule. Operational emails can be retained for shorter periods if documented.
Learn more: Email retention policies for Ontario therapists
Can I use my personal email for client communication under PHIPA?
No. A personal email account (gmail.com, outlook.com, yahoo.com) almost certainly fails PHIPA’s reasonable safeguards test. Personal accounts lack admin controls, audit logging, retention policies, and the ability to revoke access if the device is lost. Use a dedicated practice account on Google Workspace, Microsoft 365, or a comparable business email service.
Do therapists need a separate email account for client communication?
Best practice is yes. A dedicated client email account, separate from billing, marketing, and personal correspondence, makes audit trails cleaner, simplifies retention, and reduces the risk that PHI ends up in a thread it should not be in. Some practices use one account per therapist; group practices often use shared aliases with strict access logging.
Provincial differences
What is the difference between PHIPA and PIPEDA?
PHIPA is Ontario’s health-specific privacy law and applies to health information custodians. PIPEDA is the federal commercial privacy law and applies to private-sector organizations across Canada. Where PHIPA applies, it generally takes precedence for PHI. PIPEDA can still apply to commercial activities of an Ontario therapist (for example, marketing) and to interprovincial transfers.
Learn more: Email privacy laws across Canada (Ontario, Alberta, BC)
Does PHIPA apply to therapists in Alberta?
No. PHIPA is Ontario legislation. Alberta therapists are governed by Alberta’s Health Information Act (HIA) for PHI handling and by the Personal Information Protection Act (PIPA Alberta) for commercial activities. The substantive obligations are similar, but section numbers, definitions, and the regulator (OIPC Alberta) differ.
Learn more: Alberta HIA email requirements for therapists
How does HIA differ from PHIPA?
Alberta’s HIA covers a defined list of “custodians” that includes regulated health professionals, while PHIPA’s “health information custodians” list is differently scoped. HIA s.64 requires a custodian to prepare a privacy impact assessment and submit it to the Commissioner for review before implementing a new practice or information system that handles health information; PHIPA encourages but does not statutorily mandate PIAs. Breach notification timelines and content also differ.
Learn more: PHIPA vs HIA vs BC PIPA: a therapist’s guide
What happens when my client moves to another province?
The privacy law that applies depends on where the therapist practices, not where the client lives. If you are licensed in Ontario and your client moves to Alberta, you are still bound by PHIPA for the records you hold. Cross-border telehealth raises additional questions: provincial college rules, tax residency, and whether you are authorized to practice in the new province.
Learn more: Cross provincial compliance quick start
What is the CHCPBC and when does regulation start?
The College of Health and Care Professionals of British Columbia (CHCPBC) is BC’s amalgamated regulatory college for several health professions. Psychotherapy regulation under CHCPBC is scheduled to begin November 29, 2027. After that date, BC psychotherapists will fall under formal college oversight, which will include privacy, recordkeeping, and consent expectations.
Learn more: CHCPBC psychotherapy regulation in BC (2027)
Regulatory enforcement
What are PHIPA administrative monetary penalties?
PHIPA was amended in 2020 to authorize administrative monetary penalties (AMPs). The IPC can order penalties for contraventions of PHIPA, with caps of $50,000 for individuals and $500,000 for organizations. Decision 298 (2024) was the first IPC decision to actually impose AMPs, signalling that enforcement risk is no longer theoretical for Ontario therapists.
Learn more: PHIPA administrative monetary penalties: Decision 298
What is CRPO Standard 3.4?
CRPO Standard 3.4 is the College of Registered Psychotherapists of Ontario standard governing electronic practice. It requires Ontario psychotherapists to use technology that protects client confidentiality, maintain informed consent specific to electronic communication, and document the technology used. It is the practical bridge between PHIPA’s general safeguards requirement and day-to-day email and telehealth decisions.
Learn more: CRPO electronic practice standards for email
What counts as a privacy breach under PHIPA?
Under PHIPA, a privacy breach is the loss, theft, or unauthorized use, disclosure, or access of PHI. That includes a misdirected email, a lost laptop with client records, or a contractor accessing files without authorization. Custodians must notify affected individuals at the first reasonable opportunity and notify the IPC if the breach meets the prescribed circumstances.
What is a privacy impact assessment?
A privacy impact assessment (PIA) is a structured review of how a new system, process, or vendor handles personal information. It documents what data is collected, where it flows, what risks exist, and what safeguards are in place. Alberta’s HIA s.64 requires custodians to prepare a PIA and submit it to the Commissioner for review before implementing a new practice or information system that handles health information; PHIPA strongly encourages them. PIAs are also a useful internal tool when adopting any new email or telehealth product.
Learn more: PHIPA privacy impact assessment template
Is texting a client subject to PHIPA?
Yes. SMS and messaging app conversations that contain PHI are subject to PHIPA’s safeguards requirement, the same as email. SMS is not encrypted end to end: messages are readable by the carriers that relay them, sit in plain text on both handsets, and leave no audit trail by default. If you text clients, get knowledgeable consent, limit content to non-clinical logistics where possible, and document the practice.
Learn more: Can therapists email clients under PHIPA?
How Curio fits in
Curio handles email encryption and maintains a Canadian audit trail for every send, working with your existing Google Workspace. Encryption is automatic at runtime. The audit trail is hosted on Canadian servers in Montreal and Toronto. Your Gmail stays the same; the compliance infrastructure runs underneath.
This guide is part of the Google Workspace for Canadian Therapists project. We run a private Facebook group where Canadian therapists on Google Workspace share compliance tips, templates, and admin console walkthroughs. Join the group.
Disclaimer. This content is for informational purposes only and does not constitute legal advice. Privacy regulations vary by province and are subject to change. Verify current requirements with your provincial regulatory body or a qualified privacy professional.