Canadian privacy law is a patchwork. Depending on where you practice, who your clients are, and how your data moves, you may fall under federal law, provincial law, a health-specific statute — or more than one at once. For therapists in private practice, the confusion is understandable: three names come up constantly, and they overlap.

Here's the short version, then the details.

  • PIPEDA is the federal private-sector privacy law. It applies to commercial activities across Canada, except where a province has its own "substantially similar" legislation covering the same ground.
  • PHIPA is Ontario's health-specific privacy law. If you're a regulated health professional in private practice in Ontario, PHIPA is your primary law.
  • Law 25 modernized Quebec's private-sector privacy act. If your practice is in Quebec, it's the strictest of the three and it's fully in force.

Now let's make that useful.

PIPEDA: the federal default

The Personal Information Protection and Electronic Documents Act applies to organizations that collect, use or disclose personal information in the course of commercial activity. A private practice charging clients for therapy is a commercial activity — so PIPEDA is the starting point everywhere in Canada.

But PIPEDA steps back where a province has enacted legislation declared substantially similar:

  • Quebec (private-sector act, now modernized by Law 25)
  • British Columbia and Alberta (each has a Personal Information Protection Act, or PIPA)
  • Ontario, New Brunswick, Newfoundland and Labrador, and Nova Scotia — for health information specifically, through their health privacy statutes (Ontario's PHIPA being the best known)

Even then, PIPEDA still applies to personal information that crosses provincial or national borders in the course of commercial activity. That nuance matters for telepractice, as we'll see.

Core PIPEDA obligations follow ten fair information principles: accountability, identifying purposes, consent, limiting collection, limiting use and retention, accuracy, safeguards, openness, individual access, and challenging compliance. Since 2018, PIPEDA also requires breach reporting to the Privacy Commissioner and affected individuals when a breach creates a real risk of significant harm, plus a breach record.

PHIPA: Ontario's health privacy law

The Personal Health Information Protection Act applies to health information custodians in Ontario — a category that includes regulated health professionals in private practice: psychologists, registered psychotherapists, speech-language pathologists, occupational therapists, dietitians, social workers providing health care, and others.

If that's you, PHIPA governs how you collect, use and disclose personal health information. Key features:

  • Consent-based regime with room for implied consent within the "circle of care", but express consent for most disclosures outside it;
  • Safeguard obligations: you must protect records against theft, loss and unauthorized access, and notify affected individuals when their information is stolen, lost or used/disclosed without authority — with reporting to the Information and Privacy Commissioner of Ontario (IPC) in prescribed cases, and to your regulatory college in some situations;
  • Agents and service providers: your EHR vendor acts as a service provider handling records on your behalf, and you remain accountable for what happens to the data;
  • Access and correction rights for clients, with defined timelines.

Practical takeaway: in Ontario, your college's record-keeping standards and PHIPA work together. Your software choices — where records live, who can access them, how they're encrypted — are part of your PHIPA accountability.

Law 25: Quebec's modernized regime

Quebec's private-sector privacy act, overhauled by Law 25 (in force in phases from 2022 to 2024), now imposes the most demanding requirements in the country:

  • Mandatory person in charge of the protection of personal information (a privacy officer, by default the person with highest authority — you, in a solo practice), with contact details published;
  • Express consent for sensitive information — which includes all health information;
  • A confidentiality incident register, with notification to the Commission d'accès à l'information and affected individuals when there's a risk of serious injury;
  • Privacy impact assessments (PIAs) before acquiring or overhauling an information system that handles personal information, and before communicating personal information outside Quebec — which directly affects your choice of software and where it hosts data;
  • Data portability (since September 2024) and strong access and correction rights;
  • Significant administrative monetary penalties for non-compliance.

If your practice is in Quebec, Law 25 is your primary framework. We cover it in depth in our practical Law 25 guide for clinics.

Comparison table

PIPEDAPHIPALaw 25 (Quebec)
ScopeFederal; commercial activityOntario; personal health informationQuebec; all personal information held by enterprises
Who it coversPrivate organizations Canada-wide (default)Health information custodians (incl. private-practice clinicians)Every enterprise, including solo practices
Consent for health dataExpress consent expected for sensitive informationImplied within circle of care; express beyond itExpress consent (health data is sensitive)
Privacy officerAccountability principle (designated individual)Contact person requiredMandatory, contact details published
Breach obligationsReport to OPC + notify individuals (real risk of significant harm); keep recordsNotify individuals; report to IPC in prescribed casesIncident register; notify CAI + individuals (risk of serious injury)
PIA requiredNot generally mandatedNot generally mandatedYes — new systems and data leaving Quebec
Data portabilityNo general rightAccess rightsYes (since Sept. 2024)

Three concrete scenarios

1. Solo psychotherapist in Ontario

You're a Registered Psychotherapist seeing clients in Ottawa. PHIPA is your primary law as a health information custodian; your college's standards complete the picture. PIPEDA can still be relevant for information flows that cross borders — for instance, if your practice management software stores data outside Canada. Choosing a PIPEDA-aligned platform that hosts data in Canada keeps both frameworks comfortable.

2. Multidisciplinary clinic in Quebec

Your clinic in Laval employs psychologists, an SLP and a dietitian. Law 25 governs everything: you need a designated privacy officer with published contact details, express consent workflows in your intake forms, an incident register, and a PIA before adopting any new records system — including an analysis of whether client data leaves Quebec. Your professional orders' record-keeping rules apply on top.

3. Interprovincial telepractice

You're licensed in BC and see clients by video in BC and Manitoba. BC's PIPA covers your practice locally; PIPEDA applies to interprovincial data flows and to your activities in provinces without substantially similar laws. Add the regulatory layer: most colleges consider you to be practising where the client is located, which may require registration there. Your telehealth platform choice matters doubly — data residency and encryption need to satisfy the strictest framework you touch.

What this means for your software choices

Notice the pattern: whichever law applies to you, the questions converge.

  • Where is the data hosted? Canadian residency simplifies PIPEDA analysis, avoids Law 25's out-of-Quebec assessment headaches, and aligns with PHIPA accountability.
  • Is health information encrypted and access-controlled? Every framework expects safeguards proportional to sensitivity — and clinical data is maximum sensitivity.
  • Can you document consent? Express, purpose-specific consent captured in intake forms satisfies the strictest standard (Law 25) and therefore all the others.
  • Can you respond to access requests and breaches? Centralized, exportable records turn 30-day deadlines into routine tasks.

This is why we built Colib to satisfy the strictest common denominator: an EHR hosted in Canada, PIPEDA-aligned and designed with PHIPA and Law 25 requirements in mind, with encrypted records, digital intake forms, secure messaging and integrated telehealth — fully bilingual, at $3 per appointment with no monthly fees and a 30-day free trial.

The bottom line

  • Ontario clinician? PHIPA first, PIPEDA at the borders.
  • Quebec practice? Law 25, full stop — and it's the strictest.
  • BC or Alberta? Your provincial PIPA, with PIPEDA for cross-border flows.
  • Everywhere else? PIPEDA (plus your province's health privacy statute if it has one).
  • Telepractice across provinces? Assume the strictest applicable framework and the client's location both count.

When in doubt, design your practice for the toughest standard you might face. It costs little more, and it means never having to re-engineer your consent forms, your records or your software because a client moved.

This article is for general information only and is not legal advice. Consult a privacy lawyer or your regulatory college for guidance on your specific situation.