PIPEDA & PHIPA: A Simple Privacy Checklist for Canadian Therapists (2025 Update)

Because building trust with clients starts with protecting their privacy.
Introduction
When you’re building your therapy practice in Canada, your website, client forms, and telehealth tools aren’t just about convenience — they’re about trust. And that trust depends on how well you protect your clients’ personal health information.
That’s where PIPEDA (the federal Personal Information Protection and Electronic Documents Act) and PHIPA (Personal Health Information Protection Act, for Ontario) come in.
These laws ensure that private practices — including counsellors, psychologists, psychotherapists, and wellness professionals — collect, store, and use client data responsibly. But if you’re not a legal expert (and most therapists aren’t), the compliance side can feel overwhelming.
So, here’s a simple, actionable checklist to help Canadian therapists understand and meet privacy requirements in 2025 — without the legal jargon.
1. Understand What PIPEDA and PHIPA Mean for You
PIPEDA applies across Canada to all private businesses that handle personal information. For therapists, this means any identifiable client information — names, addresses, session notes, billing details, or even email exchanges.
In Ontario, you’ll also need to comply with PHIPA, which covers “personal health information” (PHI) in healthcare contexts.
If you’re in Alberta, British Columbia, or Quebec, those provinces have their own privacy acts that are considered substantially similar to PIPEDA.
In short:
If you collect, store, or share any client data electronically, you’re responsible for protecting it under these laws.
2. Get Informed Consent — and Make It Easy to Understand
Before collecting or using personal information, clients should know:
- What you’re collecting and why.
- How you’ll store it.
- Who can access it.
- How long you’ll keep it.
Your intake forms, website, and telehealth consent documents should clearly mention this.
Pro tip:
Avoid legalese. Write your privacy statement in simple, human language. “We keep your session notes secure and never share them without your consent” works better than a page of complex clauses.
3. Limit What You Collect (Data Minimization)
Ask only for what’s truly necessary for therapy or billing. If a detail isn’t needed to provide care, leave it out.
Examples:
- Don’t ask for a home address if sessions are exclusively online.
- Avoid collecting emergency contacts unless required for safety reasons.
Remember — the less data you store, the less risk you carry.
4. Store Data Securely — Online and Offline
Whether it’s paper notes or a cloud-based platform, ensure your systems are safe.
For physical files:
- Keep them in a locked cabinet or office space.
- Restrict access to authorized staff only.
For digital records:
- Use secure, encrypted storage: an EMR or practice-management platform whose provider will confirm in writing that it meets PIPEDA/PHIPA requirements and stores data in Canada or tells you where. A “HIPAA-compliant” label refers to US law and does not by itself satisfy Canadian requirements.
- Turn on two-factor authentication for every login that touches client data: your EMR, your email, and any cloud storage.
- Never store session notes on personal devices without encryption. Turn on full-disk encryption (FileVault on macOS, BitLocker on Windows, the built-in encryption on phones) so a lost laptop or phone is not a reportable breach of readable data.
If you’re using Wellovis or a similar provider for your website, make sure every page is served over HTTPS (TLS, shown by the padlock in the browser bar), especially any page with a contact or intake form. The padlock only protects information while it travels between the client’s browser and your site; how the submitted form data is stored afterwards is a separate question to ask your provider.
5. Plan How Long You’ll Keep Records
Each province, and each regulatory college, has its own rules for record retention. For example:
- In Ontario, clinical records are typically kept for at least 10 years after the last contact with the client, or 10 years after a client who was a minor turns 18, whichever is later. Confirm the exact period in your own college’s record-keeping standard.
- After that period, records should be securely destroyed: shredding for paper, and for digital files a wipe or secure-deletion tool rather than just emptying the trash. For cloud platforms, ask the provider how deletion works and how long deleted records remain in backups.
Having a clear, written data retention policy protects you from accidental non-compliance.
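As an added example that is not part of the original checklist or any Wellovis tool, the script below works out the earliest destruction date for a record under the Ontario rule described above, with the two deadlines (10 years after last contact, 10 years after a minor’s 18th birthday) as parameters so you can substitute your own college’s numbers. The retention period, age of majority, and the client roster are assumptions constructed for the example.

```python
"""Retention-date helper (added example, not from the original checklist).

Assumption: the rule quoted above, keep records for RETENTION_YEARS after
the last client contact or RETENTION_YEARS after the client reaches
AGE_OF_MAJORITY, whichever is later. Check both numbers against your
college's own standard before relying on this.
"""
from datetime import date

RETENTION_YEARS = 10   # assumption: your college's minimum retention period
AGE_OF_MAJORITY = 18   # assumption: age at which the "minor" clock starts


def add_years(d: date, years: int) -> date:
    """Add calendar years; a 29 Feb date rolls to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:          # only happens for 29 Feb -> non-leap year
        return d.replace(year=d.year + years, day=28)


def earliest_destruction_date(last_contact: date, date_of_birth: date) -> date:
    """Earliest date on which the record may be securely destroyed.

    Both clocks are computed for every client; for an adult the "minor"
    clock is already in the past, so the later of the two is the answer
    in all cases.
    """
    if date_of_birth > last_contact:
        raise ValueError("date of birth is after last contact")
    adult_clock = add_years(last_contact, RETENTION_YEARS)
    minor_clock = add_years(add_years(date_of_birth, AGE_OF_MAJORITY), RETENTION_YEARS)
    return max(adult_clock, minor_clock)


def may_destroy(last_contact: date, date_of_birth: date, today: date) -> bool:
    """True once the retention period has fully elapsed."""
    return today >= earliest_destruction_date(last_contact, date_of_birth)


# Constructed sample roster (client id, last contact, date of birth); not real data.
SAMPLE_ROSTER = [
    ("A-001", date(2020, 3, 15), date(1985, 6, 1)),   # adult at last contact
    ("A-002", date(2020, 3, 15), date(2012, 8, 9)),   # minor at last contact
    ("A-003", date(2020, 2, 29), date(1990, 1, 1)),   # leap-day last contact
]


def due_for_destruction(roster, today: date) -> list:
    """Client ids whose records may be destroyed as of `today`."""
    return [cid for cid, last, dob in roster if may_destroy(last, dob, today)]


if __name__ == "__main__":
    for cid, last, dob in SAMPLE_ROSTER:
        print(cid, "destroy on or after", earliest_destruction_date(last, dob))
    print("due as of 2031-01-01:", due_for_destruction(SAMPLE_ROSTER, date(2031, 1, 1)))
```

Run it once a year against an export from your EMR (ids and dates only, no clinical content) to produce the list of files to shred or wipe, and keep that list as evidence that your retention policy is actually applied.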
6. Give Clients Access and Control Over Their Information
Under both PIPEDA and PHIPA, clients have the right to:
- Access their records.
- Request corrections.
- Know how their data has been used and who it has been disclosed to.
If a client asks to see their file, you should be ready to provide it within a reasonable time.
If you refuse (say, for clinical reasons), you must explain why — in writing.
7. Have a Breach Response Plan
Even with the best systems, breaches can happen — a lost laptop, hacked email, or mis-sent report.
Your plan should include:
- How you’ll contain the breach (revoke the lost device’s access, change passwords, recall the mis-sent message).
- When and how you’ll notify affected clients.
- Reporting to the regulator as required by law. Under PIPEDA, any breach of security safeguards that creates a real risk of significant harm must be reported to the Office of the Privacy Commissioner of Canada and to the affected individuals, and you must keep a record of every breach, reportable or not, for at least 24 months. In Ontario, PHIPA requires health information custodians to notify affected individuals and, in specified circumstances, the Information and Privacy Commissioner of Ontario.
- Steps to prevent similar issues in the future.
A clear plan shows professionalism and accountability — two things clients deeply appreciate.
8. Keep Training and Policies Up to Date
Privacy compliance isn’t a “set it and forget it” thing.
Revisit your privacy policies yearly, especially as technology and regulations evolve.
✅ Hold brief training for any staff or assistants.
✅ Review your consent forms regularly.
✅ Stay updated through your regulatory college or provincial association.
Small updates now can save you big trouble later.
Bonus Tip: Review Your Website Privacy Page
Your website is often the first place clients learn about your privacy approach.
Include a simple, friendly Privacy Policy page that mentions:
- What data is collected via contact forms or analytics.
- How cookies or tracking tools are used.
- How clients can contact you with privacy questions.
If you use Wellovis, their website templates already include sections for privacy and consent — you just need to personalize them.
Final Thoughts
Privacy isn’t just a legal requirement — it’s a promise to your clients.
It says: “You can trust me with your story.”
Following this checklist helps you stay compliant with PIPEDA and PHIPA, but more importantly, it builds confidence, credibility, and care into every client relationship.