Beginning January 1, 2024, this version of the Standard is out-of-date. For the current version, visit the 2024 Standards document. This page will be updated to the current version in the coming months.


Confidentiality is considered a cornerstone of the profession of psychotherapy and is embedded in its core values. Individuals come to therapists with sensitive, personal information, and confidentiality is required to build trust in the therapeutic relationship.

Confidentiality is also an important legal concept that applies to all regulated health professionals, including Registered Psychotherapists. The Personal Health Information Protection Act, 2004 (PHIPA) establishes the rules relating to confidentiality and privacy of personal health information in Ontario. PHIPA requires that personal health information be kept confidential and secure.

It is a fundamental responsibility of members to maintain client confidentiality at all times. In compliance with PHIPA, members must ensure that the professional relationship with the client and the client’s personal information are kept confidential, within legal limitations. Members must explain to clients the principle of client confidentiality and the legal limits to confidentiality (see “Limits to confidentiality” below). Members are also responsible for maintaining client information in a secure manner, so that unauthorized individuals do not gain access to records (see Section 5, Record-keeping and Documentation).

Personal health information

Personal health information is identifying information about a client.* It can be in verbal, written or electronic format, and does not necessarily include the client’s name. If a client can be recognized, the information is considered personal health information; it includes information in the client health record. Information that does not allow the client to be identified is not personal health information, and is not subject to PHIPA.

* Personal Health Information Protection Act, SO 2004, c 3, Sch A, section 4

Consent to the collection, use, and disclosure of personal health information

A member does not collect or use information about a client without the informed consent of the client or the client’s authorized representative, nor does the member disclose information about a client to anyone without the written informed consent of the client or the client’s authorized representative, except where disclosure is permitted or required by law.

Circle of care and “lock box”

The terms “circle of care” and “lock box” are based on PHIPA and are defined by the Office of the Information and Privacy Commissioner, Ontario. The circle of care includes other health professionals who provide care to a client, other providers in a multidisciplinary setting, and other providers to whom the member has referred a client. PHIPA allows health providers to assume in certain circumstances that a client has provided implied consent to disclose his/her personal health information to another individual within the circle of care or to a specific health care provider. Despite this generality, however, a client may indicate that s/he does not want certain information (or any information) shared, even within that circle. In this circumstance, the practitioner must not share the information. This is called placing information in a “lock box.”* Despite PHIPA provisions, the College will require members to obtain explicit informed consent from clients for the disclosure of any client information (see below).

*See Personal Health Information Protection Act, SO 2004, c 3, Sch A, sections 20(3), 40(1).

Release of client information by RPs

Due to the nature of the psychotherapeutic relationship, the sensitivity of information shared between client and therapist, and because of the particular weight placed on the duty of confidentiality by the psychotherapy profession, this College requires a higher standard of confidentiality than is set out in PHIPA regarding the circle of care. Specifically, the College requires members to obtain written consent before disclosing information to any other party, including other health professionals. This also applies to sharing information with individuals such as the client’s spouse, or contacting any third party, such as third-party payors, insurance companies, or Employee Assistance Program for billing purposes.

This standard is not intended to prevent members from sharing client information within a care team such as those found in hospital or agency settings, nor in an emergency situation. Members providing care as part of a team should enter into written agreements with clients explaining what information will be shared with other providers in the team context.

In all cases, professional discretion is employed, and only relevant and necessary personal health information may be disclosed.

In obtaining informed consent from a client to disclose his/her information to any third party, the member must explain what information will be disclosed, to whom, the reasons for the disclosure, and the time-frame within which disclosure is to be made. The member should report back to the client following the disclosure.

Limits to confidentiality

Normally, a member may only disclose personal health information with the consent of the client or his/her authorized representative. However, in law, there are a limited number of circumstances where disclosure of personal health information is required without consent. Notable limits to confidentiality include:

  1. where the member believes on reasonable grounds that disclosure is necessary to eliminate or reduce significant, imminent risk of serious bodily harm (includes physical or psychological harm) to the client or anyone else, e.g. suicide, homicide. Note: If the member believes a significant, imminent risk of serious bodily harm exists (this includes physical or psychological harm), there may be a professional and legal duty to warn the intended victim to contact relevant authorities, such as the police, or to inform a physician who is involved in the care of the client.*
  2. where disclosure is required under the Child and Family Services Act, 1990, for example, where the member has reasonable grounds to suspect that a child is in need of protection due to physical harm, neglect or sexual abuse by a person having charge of the child;
  3. where necessary for particular legal proceedings (e.g. when the member is subpoenaed);
  4. to facilitate an investigation or inspection if authorized by warrant or by any provincial or federal law (e.g. a criminal investigation against the member, his/her staff, or a client);
  5. for the purpose of contacting a relative, friend or potential substitute decision-maker of the individual, if the individual is injured, incapacitated or ill and unable to give consent personally; and
  6. to a college for the purpose of administration or enforcement of the Regulated Health Professions Act, 1991 (e.g. providing information about your client to the College if a complaint has been made against you, assessment of the member’s practice as part of the Quality Assurance Program; mandatory reporting where the member’s client is a regulated health professional and the member has reasonable grounds to believe that the client has sexually abused a patient/client).

When compelled to disclose client information for a legal proceeding, members should exercise prudence, and are advised to consult their legal advisor to determine the best way to respond.

*The law in Canada concerning the “duty to warn” is complex and evolving. Members are advised to consult their legal advisor if faced with a situation where this exception to the duty of confidentiality may apply.

The Standard: Confidentiality

A member does not collect or use information about a client without the informed consent of the client or the client’s authorized representative, nor does s/he disclose information about a client to anyone other than the client or the client’s authorized representative without the written informed consent of the client or the client’s authorized representative, except where the collection, use or disclosure is permitted or required by law.

Demonstrating the Standard

A member demonstrates compliance with the standard by, for example:

  • explaining to the client the duty of confidentiality and the limits to confidentiality;
  • ensuring that the client has given informed consent for the collection, use or sharing of information with others;
  • documenting informed consent in the client record regarding collection, use or disclosure of information, indicating the manner in which consent was given (verbally, by gesture, in writing);
  • collecting, using or disclosing only information that is reasonably required in the circumstances;
  • sharing information without informed consent only in the limited circumstances set out in PHIPA or for other authorized legal purposes;
  • establishing processes to protect personal health information (hard copy and electronic files) from access by unauthorized persons while it is being maintained, transferred, or disposed of.

See also:

Standard 3.2 Consent
Section 4 Clinical Supervision
Section 5 Record-keeping and Documentation
Standard 1.6 Conflict-of-interest
Standard 1.7 Dual or Multiple Relationships
Professional Misconduct Regulation, provision 5

Note: College publications containing practice standards, guidelines or directives should be considered by all members in the care of their clients and in the practice of the profession. College publications are developed in consultation with the profession and describe current professional expectations. It is important to note that these College publications may be used by the College or other bodies in determining whether appropriate standards of practice and professional responsibilities have been maintained.