If you run a therapy practice in Canada, every piece of technology you use to communicate with clients, store records, or conduct sessions must comply with federal and provincial privacy legislation. That is not a nice-to-have. It is a legal obligation enforced by regulators with the authority to investigate complaints, order audits, and impose penalties.
The challenge is that most "best tools for therapists" listicles are written from a US perspective. They recommend platforms that store data exclusively on American servers, sign BAAs instead of Canadian-style privacy impact assessments, and never mention PIPEDA, PHIPA, or any provincial health information act. This guide is different. Every recommendation below has been evaluated specifically for Canadian data residency and compliance requirements.
Understanding Canada's Privacy Landscape
Before choosing any tool, you need to understand which legislation applies to your practice. Canada does not have a single, unified health privacy law. Instead, you are likely subject to multiple overlapping statutes.
PIPEDA (Federal)
The Personal Information Protection and Electronic Documents Act applies to every private-sector organization in Canada that collects, uses, or discloses personal information in the course of commercial activity. If you operate a therapy practice and you are not a government employee, PIPEDA applies to you. Its ten fair information principles require meaningful consent, purpose limitation, minimum collection, accuracy, safeguards, and accountability. Critically, PIPEDA does not prohibit cross-border data transfers outright, but it does require that you ensure an "adequate level of protection" wherever data is stored, and you remain accountable for it.
PHIPA (Ontario)
Ontario's Personal Health Information Protection Act governs "health information custodians," which includes psychotherapists, psychologists, and social workers. PHIPA is stricter than PIPEDA in several respects. Section 10(3) requires that personal health information (PHI) stored or accessed outside of Ontario be subject to comparable protections. If you are regulated by the College of Registered Psychotherapists of Ontario (CRPO) or the Ontario College of Social Workers and Social Service Workers (OCSWSSW), PHIPA is your primary governing act.
HIA (Alberta) and PIPA (BC)
Alberta's Health Information Act is uniquely strict: it requires that personal health information be stored and accessible only in Canada unless the individual consents to a cross-border transfer. British Columbia's Personal Information Protection Act similarly applies to private-sector health practitioners, though it does not impose an explicit data residency requirement for the private sector (that requirement exists under BC FIPPA for public bodies). Alberta-based therapists should treat Canadian data residency as a hard requirement, not a preference.
The bottom line: if you cannot confirm that a tool stores your client data on Canadian servers, you should assume it creates a compliance risk, especially in Ontario and Alberta.
Email: Encrypted Communication That Stays in Canada
Email is the most common point of failure for therapy practices. Standard Gmail or Outlook accounts transmit messages in plaintext across servers you do not control, with no guarantee of Canadian data residency. Here are the options that meet Canadian privacy requirements.
Hushmail for Healthcare
Hushmail is a Vancouver-based encrypted email provider that has offered HIPAA-compliant email for years, but more importantly for Canadian practitioners, it stores all data on servers in British Columbia. It provides end-to-end encryption, encrypted web forms for intake, and will sign a Business Associate Agreement (for a Canadian practice, the relevant document is Hushmail's Canadian privacy commitment rather than a HIPAA BAA). Plans start at around $11.99 CAD/month per user. This is the single most recommended email solution for Canadian therapists.
Microsoft 365 with Canadian Data Residency
If you need the full Microsoft ecosystem, Microsoft 365 Business plans for Canadian tenants can be configured to store Exchange Online data in Microsoft's Canadian data centres (Toronto and Quebec City). You must verify during tenant setup that your data location is set to Canada. Microsoft publishes data residency commitments per service. Combine this with Azure Information Protection for message-level encryption and you have a compliant solution, though it requires more configuration than Hushmail.
Google Workspace: A Caution
Google Workspace does not guarantee Canadian data residency on standard plans. The data location feature is available only on Business Standard and higher tiers, and even then, Google's own documentation states that "some data" may be processed outside the selected region. For Ontario and Alberta therapists, this is a meaningful risk. If you use Google Workspace, you need to carefully review Google's data residency commitments and accept that some metadata may transit through US servers.
Regardless of which provider you choose, publish SPF, DKIM, and DMARC records for your sending domain. These DNS records let receiving mail servers verify that a message claiming to come from your practice was actually sent by your authorized provider, which both blocks spoofed mail impersonating your domain and keeps your legitimate client-facing email out of spam folders.
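As an added illustration (not code from the article or from any provider it names), the Python below checks constructed sample SPF, DKIM and DMARC records for the weaknesses that leave a domain open to spoofing. The domain names, the rua= mailbox and the DKIM key value are placeholders; a live check would fetch the real TXT records via DNS.

```python
# Added example (not the article's or any vendor's code): sanity-check the
# SPF, DKIM and DMARC TXT records a practice publishes for its mail domain.
# Record strings are constructed samples; a live check would fetch them via DNS.
SPF_OK = "v=spf1 include:_spf.mailprovider.example -all"
SPF_WEAK = "v=spf1 a mx +all"
DMARC_OK = "v=DMARC1; p=reject; rua=mailto:dmarc@practice.example; adkim=s; aspf=s"
DMARC_WEAK = "v=DMARC1; p=none"
DKIM_OK = "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"  # a real record carries the key

def parse_tags(txt):
    """Parse a 'k=v; k=v' record, the form both DMARC and DKIM use."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def spf_issues(txt):
    """Findings for the domain's SPF record; an empty list means it looks sound."""
    if not txt.startswith("v=spf1"):
        return ["no SPF record: any server can send mail as this domain"]
    terms = txt.split()[1:]
    terminal = terms[-1].lstrip("+") if terms else ""
    if terminal == "all":
        return ["+all authorises every server on the internet"]
    if terminal == "?all":
        return ["?all is neutral: spoofed mail is not rejected"]
    if terminal not in ("-all", "~all"):
        return ["no terminal all mechanism, so unlisted senders are not failed"]
    return []

def dmarc_issues(txt):
    """Findings for the TXT record published at _dmarc.<domain>."""
    tags = parse_tags(txt)
    if tags.get("v") != "DMARC1":
        return ["no DMARC record: receivers will not act on SPF/DKIM failures"]
    issues = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        issues.append("p= tag missing or invalid")
    elif policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        issues.append("no rua= address: you will receive no aggregate reports")
    return issues

def dkim_issues(txt):
    """Findings for the record at <selector>._domainkey.<domain>."""
    tags = parse_tags(txt)
    ok = tags.get("v", "DKIM1") == "DKIM1" and bool(tags.get("p"))
    return [] if ok else ["DKIM record missing, not DKIM1, or revoked (empty p=)"]
```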
Video Conferencing: Telehealth Platforms Compared
Since the pandemic, virtual therapy has become standard practice. Provincial colleges have established clear expectations for the platforms you use, and we have compiled a detailed telehealth setup checklist covering CRPO and BCACC standards to help you meet them.
Jane Telehealth
Jane App, headquartered in North Vancouver, offers a built-in telehealth feature that runs on Canadian infrastructure. Because it is integrated directly into your Jane scheduling and charting workflow, there is no separate login or platform to manage. Video sessions are encrypted in transit and at rest, and all data remains on Canadian servers. For practices already using Jane as their EHR, this is the simplest compliant choice.
Doxy.me
Doxy.me is a popular free telehealth platform, but it is a US company with servers in the United States. While it does provide end-to-end encryption for video calls and signs BAAs for HIPAA compliance, it does not offer Canadian data residency. The call content itself is peer-to-peer (so it does not transit through a central server), but signaling data and account information are stored in the US. For Alberta-based therapists operating under HIA, this is a problem. For Ontario therapists, you would need to assess whether the peer-to-peer nature of the actual video stream sufficiently mitigates the data residency concern.
Zoom for Healthcare
Zoom offers a healthcare-specific plan with BAA signing and waiting rooms. Zoom opened a Canadian data centre in 2020, and Canadian accounts can have meeting data routed through Canadian infrastructure. However, you need to verify that your specific plan and configuration actually uses the Canadian data centre, as it is not automatic on all tiers. Zoom's encryption is AES-256 in transit, with optional end-to-end encryption that you must enable manually. The healthcare plan costs more than the standard business plan but includes compliance features you need.
OnCall Health
OnCall Health is a Toronto-based telehealth platform built specifically for Canadian healthcare providers. All data is stored in Canada, it integrates with several EHR systems, and it was designed from the ground up for Canadian privacy compliance. It is not as well-known as Zoom or Doxy.me, but it is purpose-built for the Canadian regulatory environment.
Cloud Storage: Where Your Client Files Actually Live
Clinical notes, assessment reports, consent forms, and correspondence all need to be stored somewhere. The location of that storage matters enormously, and your approach to digital record-keeping must account for both provincial retention laws and data residency.
AWS Canada (ca-central-1)
Amazon Web Services operates a Canadian region (ca-central-1) located in Montreal. When a platform tells you it uses "AWS" for hosting, that alone means nothing for compliance. You need to confirm that the specific application stores your data in the ca-central-1 region. Many Canadian-built therapy tools, including UnicornCRM, explicitly use AWS ca-central-1 for all client data storage, database hosting, and file storage via S3 buckets configured for the Canadian region.
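One way to verify that for an AWS account you control, as an added example rather than code from the article or from UnicornCRM: the Python below audits the region of every S3 bucket through the boto3 client interface and handles the two irregular responses the location API gives. The FakeS3 stand-in and its bucket names are constructed so the example runs offline, and ca-west-1 (Calgary) is included as the other Canadian region, an assumption beyond what the page states.

```python
# Added example (not the article's or any vendor's code): list every S3
# bucket in an AWS account that is NOT in a Canadian region. audit_bucket_regions
# takes a boto3 S3 client (boto3.client("s3")); FakeS3 stands in for it offline.
CANADIAN_REGIONS = {"ca-central-1", "ca-west-1"}  # Montreal, Calgary

def normalize_location(constraint):
    """Map a get_bucket_location result to a region name.

    The API returns None for buckets in us-east-1 and the legacy value "EU"
    for eu-west-1, so a bare `== "ca-central-1"` comparison would misread both.
    """
    if constraint is None:
        return "us-east-1"
    if constraint == "EU":
        return "eu-west-1"
    return constraint

def audit_bucket_regions(s3, allowed=CANADIAN_REGIONS):
    """Return {bucket_name: region} for each bucket outside the allowed regions."""
    offenders = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        constraint = s3.get_bucket_location(Bucket=name)["LocationConstraint"]
        region = normalize_location(constraint)
        if region not in allowed:
            offenders[name] = region
    return offenders

class FakeS3:
    """Offline stand-in for a boto3 S3 client with constructed bucket data."""
    BUCKETS = {
        "practice-clinical-notes": "ca-central-1",
        "practice-intake-forms": None,  # how a us-east-1 bucket is reported
        "practice-backups": "EU",       # legacy name for eu-west-1
    }

    def list_buckets(self):
        return {"Buckets": [{"Name": n} for n in self.BUCKETS]}

    def get_bucket_location(self, Bucket):
        return {"LocationConstraint": self.BUCKETS[Bucket]}

if __name__ == "__main__":
    # Against a real account: import boto3; s3 = boto3.client("s3")
    for name, region in audit_bucket_regions(FakeS3()).items():
        print(f"{name}: stored in {region}, which is not a Canadian region")
```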
Microsoft Azure Canada
Azure operates two Canadian regions: Canada Central (Toronto) and Canada East (Quebec City). If your practice uses SharePoint, OneDrive, or Azure-hosted applications, verify that your tenant is assigned to a Canadian region. Azure's compliance documentation includes specific Canadian certifications.
Google Cloud Canada
Google Cloud has a Montreal region (northamerica-northeast1) and a Toronto region (northamerica-northeast2). However, Google's consumer products (Google Drive, standard Gmail) do not allow you to pin data to a specific region. Only Google Cloud Platform services used by developers allow region selection. Do not assume that your Google Drive files are stored in Canada simply because Google has Canadian data centres.
Canadian-Only Providers
For practices that want to avoid US-headquartered cloud providers entirely, options include:
- OVHcloud Canada - the Canadian subsidiary of French cloud provider OVH, operating a Montreal data centre fully within Canada
- HostPapa - Canadian-headquartered hosting provider with Canadian data centres
- Sync.com - Toronto-based encrypted cloud storage with zero-knowledge encryption and guaranteed Canadian data residency, making it an excellent Dropbox alternative for therapy practices
Messaging: Secure Client Communication
Text messaging and instant messaging with clients present unique privacy risks. SMS messages are unencrypted and transit through telecom infrastructure you do not control. Here are better alternatives.
Jane App Messaging
Jane's built-in secure messaging feature allows clients to communicate with their therapist through the Jane patient portal. Messages are stored on Canadian servers alongside the rest of the clinical record. This keeps communication within the same system as scheduling and charting, reducing the number of tools that handle PHI.
Signal
Signal uses end-to-end encryption by default and collects minimal metadata. However, Signal's servers are in the United States, and you have no control over data residency. Some Canadian privacy consultants consider Signal acceptable for message content (since it is end-to-end encrypted and Signal cannot access it) but note that metadata (who messaged whom and when) is still processed by a US entity. This is a nuanced assessment that depends on your provincial regulator's interpretation.
OhMD
OhMD offers HIPAA-compliant two-way texting and can integrate with various EHR systems. It is US-based, so the same data residency concerns apply. The advantage is that it provides an auditable communication trail, which is important for clinical documentation.
The safest approach for Canadian therapists is to keep all client messaging within your EHR platform (Jane, OWL, or your CRM) so that messages are stored alongside the clinical record on Canadian servers.
What Provincial Colleges Actually Require
Regulatory colleges set practice standards that go beyond the legislation. Here is what the major Ontario colleges expect:
- CRPO (College of Registered Psychotherapists of Ontario) - Requires that electronic records be stored securely, that practitioners understand where data is stored, and that privacy impact assessments are completed for new technology. The CRPO's practice standard on electronic records explicitly references PHIPA compliance.
- OCSWSSW - Requires social workers to use "reasonable security safeguards" for electronic records. Their guidance documents reference PHIPA and recommend Canadian data storage.
- CPO (College of Psychologists of Ontario) - Sets standards for electronic record-keeping that align with PHIPA requirements, including encryption, access controls, and data breach notification procedures.
In Alberta, the College of Alberta Psychologists explicitly requires that client records be stored in Canada, referencing HIA requirements. In BC, the BC Association of Clinical Counsellors provides guidance that aligns with PIPA but does not mandate Canadian-only data storage for private practitioners.
Building Your Compliant Stack: A Practical Framework
Here is a practical tech stack that keeps all client data on Canadian servers:
- EHR/Practice Management: Jane App (Vancouver, Canadian servers) for scheduling, charting, telehealth, and client messaging
- CRM & Business Operations: UnicornCRM (AWS ca-central-1) for client relationship management, session tracking, and business analytics, with automated data sync via Jane Bridge
- Email: Hushmail for Healthcare (Vancouver, Canadian servers) for all client-facing email communication
- Cloud Storage: Sync.com (Toronto) for any files stored outside your EHR
- Video: Jane Telehealth (built into Jane, Canadian servers) for virtual sessions
- Website & DNS: A Canadian-hosted website with proper email authentication (SPF, DKIM, DMARC) and local SEO to ensure your practice is findable
This stack keeps every piece of client data within Canadian borders, uses encryption in transit and at rest across all layers, and minimizes the number of vendors who handle PHI.
Due Diligence Checklist
Before adopting any new tool for your practice, ask these questions:
- Where are the servers physically located? Get a specific answer (city or region), not just "the cloud."
- Does the vendor have a Canadian privacy policy, or only a US-oriented one referencing HIPAA?
- Is data encrypted at rest and in transit, and with what encryption standard (AES-256 is the current minimum)?
- Can you export or delete all client data if you leave the platform?
- Does the vendor have a data breach notification process that aligns with PIPEDA's mandatory breach reporting requirements?
- Will the vendor sign a data processing agreement that references Canadian legislation, not just HIPAA?
- Does the tool integrate with your existing EHR to avoid duplicate data entry and reduce the number of systems handling PHI?
Privacy compliance is not a one-time setup. It requires ongoing attention as tools update their terms of service, change their infrastructure, or get acquired by foreign companies. Review your tech stack annually and document your compliance rationale for each tool you use.