Quebec Law 25: What Every Therapist in Private Practice Needs to Know in 2026

Quebec's Law 25 imposes strict obligations on personal data protection — including for solo practitioners. Practical compliance guide for psychologists and mental health professionals.

FYL.CARE Team

Author

Quebec Law 25 & Therapist Privacy Compliance: What Private Practice Clinicians Need to Know in 2026

If you run a private practice in Quebec — as a psychologist, social worker, occupational therapist, or couples and family therapist — Quebec's Law 25 applies to you. Not just to hospitals. Not just to large corporations.

To you.

As of 2026, all provisions of Law 25 are fully in force. The learning curve is over. The compliance window has closed. And the penalties for violations can be substantial.

Here's what you need to know.


What Is Quebec's Law 25?

Law 25 (formally: An Act to modernize legislative provisions as regards the protection of personal information) was adopted in 2021 and came into effect in three waves:

  • September 2022: Initial obligations (designate a privacy officer, report confidentiality incidents)
  • September 2023: Individual rights (right to erasure, data portability, explicit consent requirements)
  • September 2024: Privacy impact assessments (PIAs) and cross-border data sharing rules

In 2026, all of these obligations apply to your practice simultaneously.


Why Should a Solo Therapist Care?

You collect deeply sensitive personal information: names, diagnoses, session notes, medical history, contact details — sometimes even third-party information (partners, parents, children). Under Law 25, this data is classified as sensitive personal information and receives the highest level of protection.

Even as a sole practitioner with no employees, you are considered an "enterprise" under the law if you collect, use, or communicate personal information in the course of a commercial activity.

Mental health practice qualifies. No question.


The 5 Core Compliance Requirements for Your Private Practice

1. Designate a Privacy Officer

If you practice solo, that person is you. The designation must be official — and the name or title of the privacy officer must be published on your website.

In practice: Add a brief mention to your privacy policy: "The Privacy Officer for [Practice Name] is [Your Name], reachable at [email]."


2. Obtain Explicit Consent

A verbal agreement at the start of the first session is no longer sufficient. Consent must be:

  • Clear: your client understands exactly what is collected and why
  • Free: no pressure to accept as a condition of service
  • Informed: they know who may access their data (insurers, supervisors, etc.)
  • Documented: you can prove it was given — in writing or digitally

In practice: Build a digital intake consent form that explicitly covers: data collection, storage duration, and any potential third-party disclosures.


3. Address Cross-Border Data Transfers

If you use US-based software — SimplePractice, TherapyNotes, Therapy Brands tools — your client data is stored on servers in the United States. Under Law 25, communicating personal information outside of Quebec requires:

  1. A Privacy Impact Assessment (PIA) before transferring data
  2. A data processing agreement with your vendor ensuring equivalent protection
  3. In some cases, explicit client consent if protection is deemed inadequate

In practice: Ask your current software vendor these questions:

  • Where is my data stored?
  • Do you have a Law 25-compliant data processing agreement available?
  • Have you completed a PIA for Quebec-based clients?

If you can't get clear answers, that's a red flag.


4. Manage Confidentiality Incidents

If client data is compromised — a hack, an email sent to the wrong person, a lost device — you must:

  • Assess the risk of serious injury to the individual
  • Notify the Commission d'accès à l'information (CAI) within 72 hours if the risk is high
  • Inform the affected individuals

In practice: Maintain a log of all incidents, even minor ones. The law requires it.


5. Honour the Right to Erasure and Data Portability

Your clients can now request:

  • Deletion of their personal data (with legal exceptions for mandatory record retention)
  • A copy of their data in a common technological format (portability)

In practice: Define a clear retention policy. Professional orders typically mandate minimum retention periods for clinical records — but beyond that, you need a deletion process.


The Risk With US-Based Practice Management Software

Most popular practice management tools — SimplePractice, TherapyNotes, Jane App — host data in the United States. For Quebec therapists, this creates a growing legal risk under Law 25.

The liability is yours, not the software vendor's. In case of an audit or incident, you are the one responsible for ensuring your client data is handled in compliance with Quebec law.

Ask yourself: Does my current software vendor have a Law 25 data processing agreement? Are they willing to sign one? Many US-based vendors either don't offer this, or charge extra for compliance add-ons.


How FYL.care Approaches This

FYL.care was built with the Canadian regulatory context in mind — not retrofitted from a US tool.

  • Data hosted in Canada
  • Digital consent forms built directly into the client intake workflow
  • Structured client records with clear management and deletion capabilities
  • Free — no compliance module surcharges on your monthly bill

Law 25 compliance isn't a burden to sidestep. It's a baseline of respect for your clients. Choosing tools aligned with your regulatory environment is one of the simplest steps you can take.


Your Law 25 Compliance Checklist

✅ You've officially designated a Privacy Officer (yourself, if solo)
✅ Your privacy policy is published on your website
✅ Your intake consent forms are explicit, complete, and digitally documented
✅ You know where your data is stored — and if it's outside Quebec, you've assessed the risk
✅ You have a process for identifying and reporting confidentiality incidents
✅ You can fulfill a client's request to delete or export their data

If any box is unchecked, it's worth addressing now — before a client complaint or an audit makes the decision for you.


Manage your private practice with tools built for the Canadian context.
👉 Create your free account at FYL.care

Published on March 16, 2026