Therapist email policy template

This template is for informational purposes. Review with your regulatory body or legal counsel before use.

Every therapist who emails clients needs a written email policy. Not because it’s fun to write policies, but because PHIPA, HIA, and PIPA all require documented safeguards for personal health information (PHI). A policy turns “I think my email is fine” into “here’s exactly how I protect client information, and here’s what happens if something goes wrong.”

This template gives you a complete internal email policy you can copy into a Word doc, fill in your practice details, and file. It’s written for solo practitioners but includes a staff training section for group practices with two to five clinicians.

The policy below is pan-Canadian. Where Ontario, Alberta, and BC requirements differ, you’ll find variant sections marked by province. Pick the section that matches your jurisdiction, or keep all three if you practise across provincial lines.


Email policy: [Practice Name]

Effective date: [Date]

Last reviewed: [Date]

Applies to: [Your Name / All staff at Practice Name]

Province: [Ontario / Alberta / BC]


1. Scope

This policy governs all email communication containing personal health information (PHI) sent or received by [Practice Name]. It applies to:

  • Client communication (scheduling, session follow up, resources, clinical correspondence)
  • Inter-provider communication (referrals, consultation notes, shared care)
  • Administrative email containing PHI (insurance documentation, receipts linked to service dates and diagnostic codes)

This policy does not cover email that contains no PHI (e.g., general inquiries from prospective clients before intake, vendor correspondence, or professional development communication).


2. Encryption requirements

All outbound email containing PHI must be encrypted in transit. “Encrypted in transit” means the message content is protected between the sender’s mail server and the recipient’s mail server using TLS 1.2 or higher, or delivered through a secure portal. Transport encryption protects the message only while it moves between those servers: it does not protect a message once it is stored in a mailbox, forwarded onward, or synced to a lost or shared device, so account and device safeguards still apply.

Minimum standard: TLS 1.2 enforced on all outbound PHI messages. “Enforced” means the sending system requires TLS for the message and fails closed rather than falling back to cleartext. If the recipient’s server does not support TLS 1.2 or higher, the message must be delivered through an encrypted portal or secure alternative.

Implementation at [Practice Name]: [Describe your encryption setup. Example: “All client facing email is sent through Curio, which verifies TLS support on the recipient’s server and falls back to an encrypted portal when TLS is unavailable.”]

What is NOT considered encrypted: Standard Gmail or Outlook without additional encryption tooling. Both use opportunistic TLS: the hop is encrypted when the receiving server happens to support it and silently falls back to cleartext when it does not, with no enforcement and no portal fallback. “Confidentiality notices” in email footers do not constitute encryption.
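One way to operationalise the rule above (check the recipient’s server before sending, and route to the portal when TLS 1.2 or higher cannot be guaranteed) is the following script. It is an added example for this page, not part of the policy template and not Curio’s code. It assumes the caller already knows the recipient domain’s MX hostnames and has fetched the domain’s MTA-STS policy text (the standard library has no MX lookup); the function names, the sample EHLO responses and the sample policy are constructed for illustration. The live probe uses only standard smtplib/ssl calls and is not exercised when the script runs.

```python
"""Recipient TLS check for outbound PHI email (added example, not Curio code).

Two layers:
  * offline decision logic over the recipient domain's MTA-STS policy text
    (RFC 8461) and the EHLO extension list the MX server returns;
  * a live probe, probe_mx(), that opens an SMTP session to one MX host,
    upgrades with STARTTLS under a TLS 1.2+ context and reports the version.
MX hostnames are supplied by the caller (assumption: the standard library
has no MX lookup); probe_mx() is not called when run as a script.
"""
import smtplib
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MIN_TLS = "TLSv1.2"
TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed samples (not captured from any real server).
SAMPLE_EHLO_TLS = (b"mx.example-clinic.ca at your service\nSIZE 35882577\n"
                   b"8BITMIME\nSTARTTLS\nENHANCEDSTATUSCODES\nSMTPUTF8")
SAMPLE_EHLO_NO_TLS = b"legacy.example.net Hello\nSIZE 10240000\n8BITMIME"
SAMPLE_MTA_STS = ("version: STSv1\nmode: enforce\nmx: mx.example-clinic.ca\n"
                  "mx: *.example-clinic.ca\nmax_age: 604800\n")


@dataclass
class Decision:
    channel: str  # "smtp" (send with TLS required) or "portal"
    reason: str


def parse_mta_sts_policy(text: str) -> Dict[str, object]:
    """Parse an MTA-STS policy file ("key: value" lines) into a dict.
    'mx' may repeat, so it is collected as a list; other keys are kept as-is."""
    mx: List[str] = []
    policy: Dict[str, object] = {"mx": mx}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, value = (p.strip() for p in line.split(":", 1))
        if key == "mx":
            mx.append(value.lower())
        else:
            policy[key] = value
    return policy


def ehlo_supports_starttls(ehlo_response: bytes) -> bool:
    """True if the EHLO response advertises STARTTLS. smtplib returns the
    response with the '250-' prefixes stripped; line 0 is the server banner."""
    lines = ehlo_response.decode("ascii", "replace").splitlines()
    return any(l.strip().upper() == "STARTTLS" for l in lines[1:])


def tls_meets_minimum(version: Optional[str]) -> bool:
    """True for TLS 1.2 or 1.3; False for older versions or no TLS at all."""
    return version in TLS_ORDER and TLS_ORDER.index(version) >= TLS_ORDER.index(MIN_TLS)


def decide_channel(ehlo_response: Optional[bytes], negotiated: Optional[str],
                   mta_sts_text: Optional[str] = None) -> Decision:
    """Section 2 rule: SMTP only when TLS 1.2+ was actually negotiated,
    otherwise the encrypted portal. MTA-STS 'enforce' is recorded because it
    is what stops an on-path attacker from stripping STARTTLS on a later send."""
    if ehlo_response is None or not ehlo_supports_starttls(ehlo_response):
        return Decision("portal", "MX does not advertise STARTTLS")
    if not tls_meets_minimum(negotiated):
        return Decision("portal", f"negotiated {negotiated}, below {MIN_TLS}")
    mode = parse_mta_sts_policy(mta_sts_text).get("mode") if mta_sts_text else None
    if mode == "enforce":
        return Decision("smtp", f"{negotiated} negotiated; recipient publishes MTA-STS enforce")
    return Decision("smtp", f"{negotiated} negotiated; no MTA-STS, sender must require TLS and fail closed")


def probe_mx(mx_host: str, timeout: float = 10.0) -> Tuple[bytes, Optional[str]]:
    """Live probe: connect to an MX host, attempt STARTTLS with a context that
    refuses anything below TLS 1.2, and return (EHLO response, TLS version or
    None). Needs network access; not exercised by the samples below."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with smtplib.SMTP(mx_host, 25, timeout=timeout) as smtp:
        _code, ehlo = smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return ehlo, None
        try:
            smtp.starttls(context=ctx)  # raises if the upgrade or handshake fails
        except (smtplib.SMTPException, ssl.SSLError, OSError):
            return ehlo, None
        return ehlo, smtp.sock.version()


if __name__ == "__main__":
    for label, args in [
        ("TLS 1.3 + MTA-STS enforce", (SAMPLE_EHLO_TLS, "TLSv1.3", SAMPLE_MTA_STS)),
        ("TLS 1.3, no MTA-STS", (SAMPLE_EHLO_TLS, "TLSv1.3")),
        ("TLS 1.0 only", (SAMPLE_EHLO_TLS, "TLSv1")),
        ("no STARTTLS", (SAMPLE_EHLO_NO_TLS, None)),
    ]:
        d = decide_channel(*args)
        print(f"{label}: {d.channel} ({d.reason})")
```

The point of the two layers is that a probe only tells you what the recipient’s server did today; without the recipient publishing MTA-STS in enforce mode (or DANE), an attacker between the two servers can strip STARTTLS from a later session, which is why the sending side must itself require TLS and fail closed rather than trust a one-time check.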

Provincial context: encryption obligations

Ontario (PHIPA s.12(1)): Health information custodians must take steps that are reasonable in the circumstances to ensure PHI is protected against theft, loss, and unauthorized use or disclosure, and that records are protected against unauthorized copying, modification, or disposal. Encryption is the IPC’s recommended safeguard for email containing PHI.

Alberta (HIA s.60): Custodians must take reasonable steps to maintain administrative, technical, and physical safeguards that protect the confidentiality of health information and the privacy of individuals who are the subjects of that information. Encryption of email containing health information satisfies the technical safeguard requirement.

BC (PIPA s.34): Organizations must protect personal information in their custody or control by making reasonable security arrangements against risks such as unauthorized access, collection, use, disclosure, or disposal. For email containing health related personal information, encryption is considered a reasonable security arrangement.


3. Retention periods

Email records containing PHI are retained for the period required by applicable provincial legislation, regulatory body guidelines, and any contractual obligations.

Retention schedule at [Practice Name]:

Record type | Minimum retention | Authority
Client communication (adults) | [___] years from last contact | [Provincial regulation + college guidance]
Client communication (minors) | [___] years after the client turns 18 | [Provincial regulation + college guidance]
Consent records | Duration of therapeutic relationship + retention period | [Provincial regulation]
Breach documentation | [___] years from date of breach | [Provincial regulation]

Provincial minimums

Ontario: CRPO requires therapists to retain client records for 10 years from the date of last contact (or 10 years after a minor turns 18). PHIPA does not prescribe a specific retention period but requires custodians to have a written retention policy.

Alberta: CAP requires psychologists to retain records for 10 years from last contact. The HIA and the Health Information Regulation specify additional retention requirements for health records.

BC: CHCPBC practice standards (when effective November 2027) will set retention requirements for registered therapists. Until then, PIPA requires organizations to retain personal information only as long as necessary to fulfill the purposes for which it was collected.

Destruction method: At the end of the retention period, email records are destroyed using [method: e.g., permanent deletion from email servers and backups, certificate of destruction from service provider].


4. Client consent

Before communicating PHI by email with a client, [Practice Name] obtains informed consent using the following process:

  1. Provide the consent form. At intake (or before first email communication), present the client with a written consent form that explains: what email will be used for, what encryption protects and what it does not, the risks of email communication, and alternatives to email.

  2. Allow questions. Give the client time to ask questions. Do not rush consent.

  3. Obtain signature. The client signs the consent form. Store the signed form in the client record.

  4. Document in the clinical record. Note the date consent was obtained and which communication channels the client consented to.

  5. Review annually. At each annual review (or sooner if circumstances change), confirm the client still consents to email communication.

  6. Withdrawal. If a client withdraws consent, stop email communication within [___] business days and switch to an alternative channel. Document the withdrawal.

Provincial context: consent obligations

Ontario (PHIPA s.18): Consent must be knowledgeable (the client understands what they’re consenting to), relate to the information being collected/used/disclosed, and not be obtained through deception or coercion. For email, this means the client must understand the specific risks of electronic communication before consenting.

Alberta (HIA): HIA requires informed consent for the collection, use, and disclosure of health information. The custodian must inform the individual of the purposes, and consent must be in writing when the information will be disclosed outside the circle of care.

BC (PIPA): PIPA requires that consent be meaningful. The individual must understand what personal information is being collected, the purposes, and to whom it may be disclosed. Organizations must make a reasonable effort to ensure the individual understands.

Template available: For a ready to use consent form that meets PHIPA s.18 and CRPO Standard 3.4 requirements, see the therapist email consent form template.


5. Breach response

A breach occurs when PHI is collected, used, disclosed, retained, or disposed of in a manner that contravenes the applicable privacy legislation. For email, common breaches include: sending PHI to the wrong recipient, unauthorized access to an email account, or loss of a device containing unencrypted PHI.

Breach response steps

  1. Contain. Immediately limit the breach. Recall the email if possible (recall only works within some mail systems and only while the message is unread; unless the system confirms the recall, treat the message as delivered). Change passwords if an account was compromised. Secure or remotely wipe lost devices.

  2. Assess. Determine: what PHI was involved, how many clients are affected, whether the information was actually accessed, and the risk of harm.

  3. Notify (mandatory). Report the breach as required by provincial legislation:

Province | Notification obligations | Authority
Ontario | Notify affected individuals at the first reasonable opportunity whenever PHI is stolen, lost, or used or disclosed without authority. Notify the IPC (Information and Privacy Commissioner of Ontario) where the circumstances meet the requirements prescribed by regulation. | PHIPA s.12(2)-(3)
Alberta | Where a loss of, unauthorized access to, or unauthorized disclosure of health information poses a risk of harm to an individual, notify the OIPC (Office of the Information and Privacy Commissioner of Alberta), the Minister of Health, and the affected individuals as soon as practicable. | HIA s.60.1
BC | BC PIPA does not currently mandate private sector breach notification. However, the OIPC BC recommends notifying affected individuals and the OIPC when a breach creates a real risk of significant harm. Treat this as a best practice obligation. | PIPA (no mandatory provision; OIPC guidance)

  4. Document. Record: date and time of breach, date and time of discovery, description of the breach, PHI involved, individuals affected, containment actions taken, root cause analysis, and corrective measures.

  5. Remediate. Address the root cause. Update this policy if the breach reveals a gap. Retrain staff if applicable.

Breach log

Maintain a breach log documenting all incidents, regardless of severity. Store the log in [location: e.g., secure practice management system, encrypted file]. Retain breach documentation for [___] years.


6. Staff training (group practices)

This section applies to practices with two or more clinicians or any support staff who handle PHI.

All staff at [Practice Name] who send, receive, or have access to email containing PHI must complete training on this policy before handling PHI and annually thereafter.

Training covers:

  • This email policy (all sections)
  • How to verify encryption is active before sending PHI
  • How to identify a breach and escalate immediately
  • Client consent procedures and where to find consent forms
  • Retention schedule and destruction procedures
  • Provincial legislation requirements relevant to their role

Training records:

Staff member | Date trained | Training version | Signature
[___] | [___] | [___] | [___]
[___] | [___] | [___] | [___]
[___] | [___] | [___] | [___]

Annual review:

This policy is reviewed annually on [Date] by [Responsible person]. All staff are notified of changes and re-sign acknowledgment.


7. Privacy impact assessment (Alberta)

This section applies to Alberta custodians.

Under HIA s.64, custodians must prepare a privacy impact assessment (PIA) before implementing a new administrative practice or information system that affects the collection, use, or disclosure of health information. If your email system or encryption tooling constitutes a new information system, submit a PIA to the OIPC Alberta before implementation.

If you’ve recently changed your email setup (new encryption service, new email provider, new practice management integration), check whether a PIA is required.


Policy acceptance

I have read and understand this email policy. I agree to follow the procedures described.

Name: [___]

Role: [___]

Signature: [___]

Date: [___]


This content is for informational purposes only and does not constitute legal advice. Privacy regulations vary by province and are subject to change. Verify current requirements with your provincial regulatory body.

Curio automates the encryption and audit trail steps referenced in sections 2 and 5. If you’re looking for encryption that works with your existing Gmail, join the waitlist.
