
Grace App, AI practice management for Canadian mental health professionals
Health Privacy

Canadian Health Privacy. PHIPA. PIPEDA. Law 25. And beyond.

Mental health professionals in Canada are bound by strict health information privacy laws, at both the federal and provincial level. Grace is designed to support these obligations from the ground up, across all provinces.

From consent collection to data retention, every workflow in Grace is informed by the requirements of PHIPA (Ontario), PIPEDA (federal), Law 25 (Quebec), and other provincial frameworks.

Personal health information. Protected by design.

Provincial legislation

What is PHIPA?

The Personal Health Information Protection Act (PHIPA) is Ontario's law governing the collection, use, disclosure, and retention of personal health information (PHI) by health information custodians.

For mental health professionals (psychotherapists, psychologists, social workers, and counsellors), PHIPA defines specific obligations around clinical notes, treatment records, and any other information related to an individual's health.

Key elements of PHIPA:

  • Consent required for collection, use, and disclosure of PHI
  • Right of individuals to access their own health records
  • Obligation to safeguard PHI with appropriate security measures
  • Mandatory notification in the event of theft, loss, or unauthorized access
  • Retention policies and secure destruction of records
  • Requirement to store PHI in Canada, unless specific cross-border transfer conditions are met

Recent amendments:

Bill 11 (The More Convenient Care Act, 2025) introduced Digital Health Identifiers (DHIs) and expanded electronic health record obligations. Additionally, mental health information is treated as particularly sensitive PHI under PHIPA, requiring heightened protections and explicit consent for disclosure.

Federal legislation

What is PIPEDA?

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal private-sector data protection law. It applies to organizations that collect, use, or disclose personal information in the course of commercial activities.

In provinces without substantially similar legislation, PIPEDA applies directly. Even in Ontario, where PHIPA governs health information, PIPEDA can apply to personal information that is not health-related.

Key PIPEDA principles:

  • Accountability: designating an individual accountable for compliance
  • Consent: obtaining informed consent for collection
  • Limiting collection: collect only what is necessary
  • Safeguards: protecting information with appropriate measures
  • Openness: making policies and practices readily available
  • Identifying purposes: identifying the reasons for collection at or before the time of collection
  • Limiting use, disclosure, and retention: using and retaining only for identified purposes
  • Accuracy: keeping personal information current and accurate
  • Individual access: allowing individuals to access their personal information
  • Challenging compliance: allowing individuals to challenge an organization's compliance

March 2025 amendment:

PIPEDA was amended to establish an interoperable data mobility framework, adding a data portability right to existing access rights. Organizations must provide specified personal information in a structured, commonly used format upon request.

How Grace addresses each requirement

Designed to support Canadian health privacy legislation

Here's how Grace's features map to the key requirements of Canadian health data privacy legislation, from PHIPA and PIPEDA to Quebec's Law 25 and beyond.

01. Consent and authorization

Requirement

PHIPA requires informed consent before the collection, use, or disclosure of personal health information, with limited exceptions.

How Grace supports this

Grace includes built-in consent workflows in the client portal, telehealth system, and clinical documentation. Consent records are timestamped and immutable.

02. Access limitation

Requirement

Only authorized individuals should access PHI, and only to the extent necessary to carry out their duties.

How Grace supports this

Grace uses role-based access control (RBAC) with least-privilege principles. Clinicians see only their own clients unless broader access is explicitly granted by an administrator.

03. Security safeguards

Requirement

Custodians must take reasonable steps to protect PHI against theft, loss, unauthorized access, copying, modification, or disposal.

How Grace supports this

Grace provides full encryption at rest and in transit, immutable audit logs, optional multi-factor authentication (MFA), and hosting in certified Canadian data centers.

04. Audit trail and accountability

Requirement

Custodians must be able to demonstrate compliance and track who accessed PHI, when, and for what purpose.

How Grace supports this

Grace generates immutable audit logs for every operation on PHI: viewing, modification, and export. Administrators can review the complete access history.
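An added illustration, not Grace's own code, of the two mechanisms described in items 02 and 04: a default-deny access check in which a clinician reaches only assigned or admin-granted clients, and an append-only, hash-chained audit trail that records every view, modify and export attempt (denials included) so an administrator can review a client's full access history and detect tampering. Role names, field names and the sample users are assumptions.

```python
# Added illustration (not Grace's own code): least-privilege record access plus a
# hash-chained, append-only audit trail. Roles and sample data are assumptions.
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
ACTIONS = {"view", "modify", "export"}       # PHI operations the page lists

@dataclass(frozen=True)
class User:
    user_id: str
    role: str                                # "clinician" or "admin" (assumed)
    own_clients: frozenset = frozenset()     # clients assigned to this clinician
    admin_grants: frozenset = frozenset()    # extra clients granted by an admin

def can_access(user: User, client_id: str, action: str) -> bool:
    # Default deny: a clinician reaches only own or explicitly granted clients.
    if action not in ACTIONS:
        raise ValueError(f"unknown PHI action: {action}")
    if user.role == "admin":                 # assumption: admins may review all
        return True
    return client_id in user.own_clients or client_id in user.admin_grants

@dataclass
class AuditLog:
    # Each entry commits to its predecessor's hash; edits or deletions break verify().
    entries: list = field(default_factory=list)
    def append(self, actor, action, client_id, purpose, allowed) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"prev": prev, "ts": datetime.now(timezone.utc).isoformat(),
                 "actor": actor, "action": action, "client": client_id,
                 "purpose": purpose, "allowed": allowed}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry
    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True

def access_record(user, client_id, action, purpose, log) -> bool:
    # Decide, then log who/what/when/why; denied attempts are recorded too.
    allowed = can_access(user, client_id, action)
    log.append(user.user_id, action, client_id, purpose, allowed)
    return allowed
```

A production log would persist each entry to write-once storage and anchor the chain head externally; the in-memory chain here only shows the integrity property.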

05. Breach notification

Requirement

PHIPA requires notification to the IPC (Information and Privacy Commissioner of Ontario) in the event of theft, loss, or unauthorized access to PHI. PIPEDA requires notification "as soon as feasible" to affected individuals and the OPC (Office of the Privacy Commissioner of Canada) when a breach poses a real risk of significant harm, with mandatory 24-month breach record retention. Quebec's Law 25 requires notification to the CAI (Commission d'accès à l'information) within 72 hours.

How Grace supports this

Grace has documented incident response protocols. In the event of a breach, we commit to notifying affected practices promptly so they can fulfill their own notification obligations. Breach records are maintained for a minimum of 24 months in accordance with PIPEDA.

06. Retention and destruction

Requirement

PHI must only be retained as long as necessary for the purposes it was collected, then securely destroyed.

How Grace supports this

Grace is designed to support configurable retention policies and secure record deletion. Practices can define retention periods that match their professional college's requirements (typically 7 to 10 years after last service for mental health records).

Quebec legislation

Quebec's Law 25

Law 25 (An Act to modernize legislative provisions as regards the protection of personal information) is Quebec's comprehensive privacy reform, fully in force since September 2023. Inspired by GDPR standards, it imposes strict requirements on organizations that process personal information in Quebec.

Mental health information is defined as information concerning a person's mental or physical health state and is treated as sensitive health and social services information under the law.

Key Law 25 requirements:

  • Mandatory designation of a privacy officer
  • Mandatory privacy impact assessments for high-risk activities
  • Explicit consent required for sensitive personal information
  • Breach notification to the CAI within 72 hours when there is a risk of serious injury
  • Mandatory transfer risk assessments for any data leaving Quebec
  • Data portability rights and right to erasure
  • Penalties up to CAD $25 million or 4% of global revenue

How Grace supports Law 25:

Grace is designed to support Law 25 requirements through configurable consent workflows, audit trails, Canadian data residency (avoiding cross-border transfer assessments), and structured data export capabilities for portability requests.

Provincial landscape

Other provincial frameworks

Grace is designed to serve mental health professionals across all Canadian provinces. Here are other key provincial frameworks the platform is designed to support.

Alberta's HIA

Alberta's Health Information Act (HIA) governs the collection, use, and disclosure of health information by health information custodians in the province, with requirements around consent, security safeguards, and breach notification.

BC's PIPA

British Columbia's Personal Information Protection Act (PIPA) is considered substantially similar to PIPEDA and governs private-sector personal information protection in the province.

Other provinces

New Brunswick, Newfoundland and Labrador, and Nova Scotia have health information privacy laws substantially similar to PHIPA. Other provinces are subject to federal PIPEDA and their respective provincial legislation.

Upcoming federal reform

A new federal private-sector privacy statute is expected, with enhanced penalties of up to CAD $25 million or 5% of gross global revenue. Grace monitors these developments and is designed to adapt as the regulatory landscape evolves.

AI and privacy

AI under clinician control

Grace's AI features are designed with PHIPA and PIPEDA privacy principles at the core. All AI outputs are marked as drafts or AI-generated and require clinician approval before becoming part of the clinical record.

No autonomous decisions

AI never makes clinical decisions, sends bills, or records without consent (GAL-4).

Labeled outputs

Every AI output is clearly labeled as draft or AI-generated for transparency.

Explicit consent

Features like audio transcription require explicit consent before activation.

Built for Canadian requirements.

See how Grace helps mental health professionals manage their practice while meeting health data privacy laws.


Join the Founding 100

3 months fully free. No commitment. No credit card. Then $99/mo, rate guaranteed.

Limited to the first 100 founding partners.