A guide to secure, compliant email for healthcare practitioners in Canada

Published on July 21, 2022

01_Featured image_Email guide Canada

As a healthcare professional, keeping your clients’ personal information private is essential to the integrity of your practice.

However, online privacy laws in Canada are complex.

Some of the privacy laws address all business types. Others just apply to the healthcare profession. But their intent is the same. To help people maintain ownership and control over their information.

If you have clients and communicate with them using email, you need to make sure you follow whatever law applies.

Fortunately, when it comes to email, it’s pretty easy to comply as long as you follow a few key recommendations regarding security, storage, and signed agreements.

02_3 icons_Email guide CanadaWe’ll take a closer look at each of these in this article.

But first, let’s consider the laws. 

What are the Canadian privacy laws? 

PIPEDA’s the main Canadian privacy law. It governs how most privately owned businesses (including healthcare practices) collect, store, and exchange personal information. However, depending on where you practice, a similar law, like PIPA in British Columbia, might apply. 

And in some cases a provincial privacy law relating to health records might apply instead of or in addition to PIPEDA.   

03_Canada map_Email guide Canada

The laws on the map aren't exhaustive. To verify the ones that apply to you, contact the provincial or territorial oversight office based on the location of your practice.

Multiple laws to consider might seem intimidating when figuring out how to communicate with your clients online. But if you keep a few basic guidelines in mind, you can feel confident that your practice is in compliance with whatever law applies. 

When it comes to choosing an email service, you want to look for these three things:

04_Security icon_Email Guide CanadaSecurity to protect your email messages 


As a healthcare provider, you handle a lot of sensitive information. It’s important to keep this information from falling into the wrong hands. 

One of the best security measures for keeping your clients’ information safe is encryption.

What’s encryption? 

Encryption makes information unreadable to anyone other than the intended recipients. 

Computers do this by scrambling the information into a secret code. Only the recipient can decode it with a key you give them. This means that if anyone else gets a hold of the information while it’s encrypted, it won’t make sense to them.

05_Encryption_Email guide Canada

How you add encryption to your emails depends on the service you’re using. Some services automatically encrypt all emails. Other services allow you to turn the encryption on and off with a switch.

You can read more about encryption in the blog post Encryption is a lot like a cryptogram.

06_storage icon_Email Guide CanadaData storage in Canada

In some instances, you may be required to store your data in Canada. For example, if you work in the public sector, such as in a hospital clinic.

When data is stored in Canada, it’s protected under Canada’s privacy laws. When it’s stored in other countries, data is subject to that country’s laws, even if your clients are Canadian citizens.

Even if data storage in Canada isn’t a legal requirement for your practice, it’s still an important protective measure to take. Otherwise, you could be surprised by a foreign government accessing your clients’ information with little or no warning.

For example, if you store your clients’ data in the US, laws such as the Patriot Act would apply. This law allows US authorities to easily access private records, sometimes without informing the individual until after the fact. Canadian laws can’t protect your clients’ data in this situation. 😮

Because of this, some popular email services aren’t good solutions for Canadian practitioners. They can compromise your clients’ data even though they might be considered secure (e.g., Paubox). 

By choosing an email service provider that stores its data in Canada, you avoid the headaches of multiple laws. Not to mention having to explain to your clients that their information is subject to the laws of a foreign government.

07_signed agreement icon_Email Guide CanadaA signed agreement like an Information Manager Agreement (IMA)


When you hire a business that will handle your clients’ information, you need to make sure that the business will protect it. 

An IMA is a signed document stating that the business (called an “information manager”) acknowledges its responsibility to keep your clients’ information safe.

Not all provinces require an IMA. However, it’s a good idea for practitioners to require the document when they hire service vendors, regardless of where they practice. That way there are no misunderstandings about how data can be handled.

The IMA explains how the business is allowed to handle information and agrees to put safeguards in place to protect it. It also outlines what will be done in the case of a data breach. 

In short, an IMA ensures that everyone is on the same page regarding the protection of your clients’ information. With a signed agreement, you can confidently tell your clients that their information is secure.

If you’d like to take a look at what an actual IMA looks like, this is one we sign with our customers at Hushmail:

Hushmail IMA

If your practice is in Alberta, you’ll need an IMA written specifically to meet Alberta’s requirements. 

Hushmail Alberta IMA

 

08_IMA conversation_Email Guide Canada

Hushmail covers everything you need for secure, compliant email in Canada

Follow the three guidelines listed above, and you’ll comply with PIPEDA and the provincial privacy laws when you use email.

Now you need to find a secure email provider that meets these requirements.

Like Hushmail for Healthcare. 

If you’ve already been to our website, you might think we’re based in the US, but we’re not. 

True, we have a lot of customers in the US, but our company is located in Vancouver, Canada, where we store all of our customer data. 

So let’s check that box right away. ✅

We also provide encryption for your emails and a signed IMA. 

And…

We’re not just an email provider; we also provide web forms designed specifically for healthcare practitioners. 

All of your practice forms… your intake, consent, and release of information forms… can be made with our drag-and-drop form builder. Then sent out from your secure email account. 

Your clients can fill them out on their own device, sign them electronically, and send them back all in one place. 

All your forms and emails are secure and compliant under an IMA we sign for all our Canadian customers. 09_Carlo Grandi quote_A guide to secure, compliant email for healthcare practitioners in Canada-1

To ensure that our plans fit your unique requirements as Canadian practitioners, the best way to get started is to reach out and talk to a Hushmail specialist. 

They’ll make sure your plan is the right size for your practice, set up Canadian dollar billing, and answer any questions you have about using Hushmail in Canada.

So go ahead and check the boxes:

✅ Security 
✅ Data storage in Canada
✅ Signed IMA

And rest assured that your practice is compliant with Canadian privacy laws when it comes to your email and forms.

Talk to a Hushmail specialist

Subscribe to our newsletter

...and we’ll send 6 tips to make sure your emails are truly HIPAA compliant straight to your inbox.