PIPEDA Compliance for Therapists in Ontario and BC — A 2026 Practical Guide
What private practice therapists in Ontario and British Columbia need to know about PIPEDA and PHIPA in 2026: core obligations, data storage rules, consent forms, and how to choose a compliant practice management platform.
Author: FYL.CARE Team

If you're running a private practice in Ontario or British Columbia, the Personal Information Protection and Electronic Documents Act (PIPEDA) applies to you — even as a solo practitioner. Yet the vast majority of therapists in private practice have never received any formal training on their data privacy obligations.
This guide breaks down what PIPEDA means for your daily practice in plain, actionable language — and how to choose software that keeps you on the right side of the law.
Starting a private practice involves more than clinical skills. Our complete guide to opening a private practice in Ontario and BC covers everything from college registration to building your first intake process — and data privacy is a foundational piece of that puzzle.
Does PIPEDA Really Apply to Me?
Yes. PIPEDA is Canada's federal privacy law governing the collection, use, and disclosure of personal information in the course of commercial activities. As a private practice therapist, you're operating a commercial activity — even as a one-person practice.
PIPEDA covers:
- Client records (name, contact details, clinical history)
- Intake forms and consent documents
- Session notes and progress notes
- Billing and payment information
- All electronic communications with clients
Ontario note: Ontario has its own provincial health privacy law — the Personal Health Information Protection Act (PHIPA). If you're a Registered Psychotherapist (RP), social worker, or psychologist in Ontario, both PIPEDA and PHIPA apply to your practice. PHIPA is often the stricter of the two.
Your 10 Core PIPEDA Obligations
1. Informed Consent
Obtain client consent before collecting their personal information. Your intake form must clearly explain what data is collected, why, and how it will be used.
Consent isn't just a checkbox — it's the foundation of a compliant intake process. Learn how to design compliant intake forms for private practice that cover both clinical and legal requirements.
2. Limiting Collection
Only collect information that is directly necessary to provide your services. Nothing more.
3. Limiting Use, Disclosure, and Retention
Information collected for one purpose cannot be used for another purpose without new, explicit consent.
4. Accuracy
Client records must be accurate, complete, and current. This is both a legal obligation and an ethical standard.
5. Safeguards
You must protect client information from unauthorized access, disclosure, copying, or use. This includes:
- Encryption of data at rest and in transit
- Two-factor authentication on all access points
- Hosting on Canadian servers (more on this below — it's critical)
- Restricted and revocable access policies
6. Openness
Maintain an accessible privacy policy describing your data management practices and how clients can exercise their rights.
7. Individual Access
Clients have the right to access their personal information held by your practice — and to request corrections.
8. Challenging Compliance
Have a complaints process in place for privacy-related concerns from clients or regulatory bodies.
9. Breach Notification
Since 2018, you are legally required to notify the Office of the Privacy Commissioner of Canada and the affected individuals when a breach poses a real risk of significant harm. This is not optional, and non-compliance carries significant penalties.
10. Accountability
You are personally responsible for compliance — even when using a third-party tool (practice software, payment processor, telehealth platform) to handle client data. Outsourcing the tool doesn't outsource the responsibility.
Why American Software Creates Real Compliance Risk
SimplePractice, TherapyNotes, TheraNest — these platforms are widely used across North America. But they store data on American servers, subject to the US CLOUD Act, which allows the US government to compel access to data held by American companies — including data belonging to Canadian citizens.
The Office of the Privacy Commissioner of Canada has explicitly flagged the use of US-based cloud providers as a PIPEDA and PHIPA compliance risk for Canadian health professionals.
Using American practice management software for your client files may:
- Violate your obligations under PIPEDA and/or PHIPA
- Expose you to regulatory action from the OPC or Ontario IPC
- Erode client trust in the event of a breach or government access request
For a full comparison of PIPEDA-compliant software options available to Canadian therapists — including why Canadian hosting is the non-negotiable differentiator — see our complete guide to free practice management software for Canadian therapists.
The practical solution: choose a platform that keeps your data in Canada. FYL.care is the only 100% free, Canadian-hosted practice management platform purpose-built for solo therapists.
PHIPA in Ontario: What Goes Further Than PIPEDA
If you practice in Ontario, PHIPA adds layers that PIPEDA doesn't cover:
- A broader definition of "health information custodians" that includes Registered Psychotherapists, regulated social workers, and psychologists in private practice
- Obligation to designate a privacy contact for your practice
- Stricter rules on the electronic transmission of health records — including telehealth session documentation
- Mandatory notification to the Ontario Information and Privacy Commissioner (IPC) in the event of a privacy breach
- Clients can file complaints directly with the IPC, which has investigative powers
PIPEDA + PHIPA Compliance Checklist for Private Practice Therapists
Documents to have in place:
- Accessible privacy policy (available to clients before first appointment)
- Informed consent form integrated into the intake process
- Service agreement covering telehealth terms if applicable
- Written data breach response plan
Operational practices:
- Client data stored on Canadian servers (confirmed in writing from provider)
- Active encryption of records at rest and in transit
- Strong passwords + 2FA on all systems with client data
- Data retention and destruction schedule documented
- Process for responding to client access requests within legal timeframes
Practice management software:
- Canadian hosting confirmed and documented
- Security protocols available (SOC 2, ISO 27001, or equivalent)
- Data processing agreement available upon request
Digital Informed Consent: Where Privacy and Clinical Practice Meet
One area where PIPEDA and PHIPA compliance intersects directly with clinical practice is digital informed consent. Collecting e-signatures, sending consent forms electronically, and conducting telehealth sessions all have specific privacy implications.
Our guide to digital informed consent in private practice covers the specific requirements for consent documentation in a Canadian context — including what must appear in your forms to be both clinically sound and legally compliant.
Frequently Asked Questions
Does PIPEDA apply if I only practice from home or via telehealth?
Yes. Where you practice doesn't matter. If you conduct commercial activities involving personal information — including telehealth sessions from your home office — PIPEDA applies. In Ontario, PHIPA also applies regardless of the care setting.
Can I use Google Drive or Dropbox for client files?
Not recommended. These services store data outside Canada and don't guarantee PIPEDA or PHIPA compliance for health data. Use a solution built for health professionals with confirmed Canadian hosting.
What if I use an American telehealth platform for video sessions?
Telehealth platforms that store session recordings or clinical notes on US servers create the same compliance risk as US-based EHRs. Review the data residency terms of any platform before use — and prioritize Canadian-hosted alternatives where available.
What do I do if I have a data breach?
Immediately: (1) assess whether the breach presents a real risk of significant harm, (2) notify the Office of the Privacy Commissioner of Canada, (3) notify all affected individuals directly, and (4) document the incident in detail. In Ontario, also notify the IPC. Acting quickly reduces your legal exposure significantly.
Complete guide: To compare all available practice management software options for Canadian therapists — and see why Canadian data residency is the key compliance factor — read our complete guide to free practice management software for therapists.
Start Compliant from Day One
PIPEDA compliance doesn't have to be complicated — or expensive. FYL.care is built for Canadian therapists in private practice: Canadian hosting, end-to-end data security, and integrated consent forms included at no cost.
Free. No credit card. Forever.