If you run a private practice in Quebec — as a psychologist, psychotherapist, speech-language pathologist, occupational therapist, dietitian, social worker or counsellor — Law 25 applies to you. Not just to large corporations, not just to hospitals: to every private enterprise that collects personal information, including a solo practice.

And the information you handle every day — clinical notes, diagnoses, mental health histories — is among the most sensitive there is. That raises the bar for you compared to the average small business. The good news: the obligations are demanding on paper but entirely manageable for a small practice, provided you approach them methodically.

This guide covers what Law 25 actually requires, a realistic checklist, and how the right electronic health record (EHR) does much of the heavy lifting for you.

Law 25 in a nutshell

Adopted in September 2021, Law 25 (formally An Act to modernize legislative provisions as regards the protection of personal information) overhauled Quebec's private-sector privacy regime. Its obligations came into force in phases between September 2022 and September 2024 — which means everything is in force today.

Two things to internalize from the start:

  • You are an "enterprise" under the law, even as a solo practitioner working part-time. Size doesn't exempt you; it only affects what counts as "reasonable" measures.
  • Health information is sensitive information. The law requires safeguards proportional to sensitivity, so for a clinical file, expectations are high.

The penalty regime is serious — the Commission d'accès à l'information (CAI) can impose substantial administrative monetary penalties, and even higher penal fines exist for serious violations. For a small practice, though, the most concrete risks are more mundane: a client complaint to the CAI, a poorly handled privacy incident, or a gap flagged during an inspection by your professional order.

Obligation 1: appoint a person in charge of personal information protection

Every enterprise must have a designated person in charge of the protection of personal information — Quebec's equivalent of a privacy officer. By default, it is the person with the highest authority in the enterprise. In a solo practice, that's you. You can delegate the role in writing, but most small practices simply keep it.

What you actually have to do:

  • Formally designate the person (a short written note documenting it is enough).
  • Publish the title and contact information of that person on your website — or make them accessible by other appropriate means if you have no site.
  • Make that person the contact point for access requests, complaints and incidents.

This is the easiest obligation to meet, and the first thing anyone will check.

Obligation 2: get consent right

Under Law 25, consent must be manifest, free, informed and given for specific purposes. For sensitive information — and health information is sensitive by definition — consent must be express: no pre-checked boxes, no implied consent buried in a form.

For a clinical practice, this means:

  • A clear, explicit consent for collecting and using health information, obtained at the start of care.
  • Transparency about purposes: the clinical record, billing, appointment reminders, communication with third parties (insurers, referring physicians), and so on.
  • Fresh consent if you later use the information for a purpose that wasn't covered.
  • A published privacy policy in plain language if you collect information through technological means — a website form, online booking, a client portal.
  • Privacy by default: the default settings of your tools must provide the highest level of confidentiality.

Your intake forms are the natural place to collect and document these consents — provided they are up to date.

Obligation 3: keep a confidentiality incident register

A confidentiality incident is any unauthorized access, use, communication or loss of personal information: an email sent to the wrong client, a stolen laptop, a compromised account.

Law 25 requires you to:

  1. Keep a register of all incidents, even minor ones, and produce it if the CAI asks.
  2. Assess the risk of serious injury to the people affected.
  3. Where there is a risk of serious injury, notify the CAI and the affected individuals promptly.
  4. Take reasonable steps to reduce the harm and prevent recurrence.

Build your register template before your first incident: date, nature of the incident, information involved, people affected, risk assessment, measures taken. An empty register is fine; no register at all is a violation.

Obligation 4: conduct a privacy impact assessment (PIA) when required

Law 25 makes a privacy impact assessment (in French, évaluation des facteurs relatifs à la vie privée, or EFVP) mandatory in specific situations, notably:

  • Any project to acquire, develop or overhaul an information system involving personal information — for example, adopting a new EHR, telehealth platform or online booking tool.
  • Before communicating personal information outside Quebec — which includes hosting client data with a cloud provider whose servers are elsewhere.

For a small practice, the PIA must be proportionate: a few pages documenting what data is processed, where it is hosted, who has access, what the risks are and how you mitigate them. Choosing a vendor that hosts data in Canada and documents its security measures makes this exercise dramatically simpler — we go deeper on this in our page on choosing a Law 25-ready EHR.

Obligation 5: respect individual rights

Your clients have the right to:

  • Access the information you hold about them and obtain a copy (subject to the specific rules that govern clinical records under your professional obligations);
  • Have inaccurate or incomplete information corrected;
  • Since September 2024, receive computerized personal information they provided to you in a structured, commonly used technological format (data portability);
  • Be informed when a decision about them is based exclusively on automated processing.

You must respond to an access request within 30 days. A paper file scattered across binders makes that painful; a centralized electronic record makes it trivial.

On top of this, once the purposes of collection are fulfilled, information must be destroyed or anonymized — while still respecting the minimum retention periods your professional order imposes on clinical records. Both regimes coexist; keeping files "forever, just in case" is no longer an option.

A Law 25 checklist for your practice

  • Person in charge of personal information protection designated in writing, title and contact info published
  • Plain-language privacy policy accessible on your website
  • Consent forms updated: express consent for health information, specific purposes stated
  • Inventory of personal information you hold (client files, billing, emails, calendar)
  • Confidentiality incident register created, notification procedure documented
  • PIA completed for your EHR / telehealth platform, including any communication of data outside Quebec
  • Procedure for access and correction requests (30-day deadline)
  • Ability to export client data in a structured format (portability)
  • Retention schedule and secure destruction aligned with your order's requirements
  • Default privacy settings maximized on all tools

How a compliant EHR does the heavy lifting

Law 25 doesn't force you to use an electronic health record. But most of the obligations above are far heavier with paper files or generic tools — word processors, consumer cloud drives, ordinary email — than with software designed for Canadian healthcare privacy requirements.

A well-chosen EHR helps you concretely:

  • Data residency: with hosting in Canada, your analysis of communication outside Quebec (and the corresponding PIA) becomes much simpler;
  • Access control and encryption: the core technical safeguards the law expects, built in rather than bolted on;
  • Digital intake forms: collect and retain proof of express consent;
  • Secure messaging and a client portal: stop exchanging health information over regular email, one of the most common sources of incidents;
  • Centralized records: access requests, portability exports and end-of-retention destruction become manageable tasks instead of archaeology.

That's the thinking behind Colib: a fully bilingual (English/French) EHR built for Canadian therapists, with customizable clinical notes, browser-based telehealth integrated into the record, intake forms, secure messaging and a client portal — hosted in Canada and designed for PIPEDA-aligned practice, including Law 25's requirements for Quebec. Pricing is built for private practice: $3 per appointment, no monthly fees, with a free 30-day trial.

Where to start this week

  1. Designate the person in charge and publish their contact details — the simplest, most visible obligation.
  2. Create the incident register, even if it stays empty.
  3. Inventory your tools and note where each one hosts its data.
  4. Reread your consent form through a client's eyes: would they understand what you do with their information?
  5. If a tool can't tell you where your data lives, plan its replacement — and document the decision in a proportionate PIA.

Law 25 doesn't demand perfection; it demands diligence, documentation and defensible choices. For a private practice, that's a project of weeks, not years.

This article is for general information only and is not legal advice. For your specific situation, consult a lawyer or the resources published by Quebec's Commission d'accès à l'information.