
As a business owner, you can't avoid the legalities of online therapy services.
There is a chronological sequence that you will go through with every client, from a public enquiry to an archived case. There are privacy issues throughout this sequence.
Here is an overview of the phases of online service provision and some terms you should become familiar with.
Phase 1: Marketing
Marketing involves interacting with the public to inform people about your services.
Sales Funnel: Your marketing efforts will look like an inverted triangle or funnel, with many people from the public entering at the top and only a limited number making the decision to become your clients.
Landing Page: This page is where the public lands when they click on a link in a search engine. It is different from the home page of your website. A landing page promotes a product or service. The purpose is to collect leads. A blog post can serve as a landing page. Sometimes landing pages have no menu because you don’t want the public to wander away from the page. Many landing pages have a strong call to action, which people click in order to get something they want.
Generic Traffic: This means you are not using paid advertising to bring the public to your online content. They are finding the content by searching for it.
Cost Per Click: You might pay for traffic if you are not getting enough generic traffic. Online advertisers put your advertisement in front of an audience. In many cases, you get billed for the number of clicks on the ad. This cost per click is determined by many competitive factors.
Inbound Marketing: People have questions, and they are actively looking online for answers. Inbound marketing means that the public is finding you because they want a solution to a problem. By providing the public with information, you can help them decide if your services are a good fit for them. This is contrasted with traditional marketing, which interrupts people and tells them about services they may have no interest in.
Lead: At the very beginning, someone from the general public might find your website, click on a few pages and fill in a form. By doing so, the person has become a lead. Your next step is to interact with that person.
Phase 2: Qualifying
Qualifying is a term that refers to narrowing down leads into potential clients. These people have not purchased services from you yet, but you have collected enough information to know that they meet the requirements for your telepractice.
Sometimes the lead is a family member or agency contact so it can take several interactions before the enquiry narrows down to an actual prospect for your telepractice services.
Support staff might be involved in processing enquiries. This might take place in person rather than via online interactions. There might be some screening that takes place, to ensure that the prospect is a good fit for the telepractice services that you are offering.
Qualified Prospect: This is a person who meets your requirements for telepractice.
Phase 3: Billing
Billing involves getting a commitment and getting paid. You need confidential processes for formal quotes, contract negotiations, funding applications, signatures, storing credit card information, billing accurately, issuing receipts and storing financial records.
Client: A qualified prospect converts to a client when a commitment is made. You offer services or a product and the client accepts your terms.
Conversion: The step of making a commitment to become a client is referred to as a conversion in your sales funnel.
Third Party Funding: The people getting the service are the first party. You are the second party. When the funding is coming from an agency rather than the people getting the service, it is called 'third party funding.'
Phase 4: Onboarding
Onboarding refers to the early phase of working with a new client. Your words and actions will either build rapport or sabotage it. Your new clients will be getting to know you. They will also be experiencing your tech processes and communication tools for the first time.
Buyer’s Remorse: Be mindful that buyer’s remorse often hits. This means that your new client regrets making a commitment. With new telepractice clients, the technology can be overwhelming for the client. Skillfully improving your onboarding process will help you keep clients and build your practice. If you show a lack of professionalism regarding privacy protection, your clients will feel nervous or offended. Make sure you know how to interact as a telepractice professional.
Phase 5: Maintaining
Maintaining clients beyond the first contract will help your business succeed.
Creating Data: While working with an active client, you will create clinical notes, progress reports, email messages and possibly some webcam recordings. All of this is data about your client. Most likely this data will be created in various forms, in various locations.
Accessing Data: You might retire or leave to work elsewhere. Another clinician might have access to all the information you collected about your clients. Eventually a clinician will close the case, but the data will still exist. Your employer or business will still be responsible for maintaining the privacy of that data.
Phase 6: Preserving
Preserving your physical records and online data and keeping all your information confidential remains your responsibility.
Teaching: The data might be viewed by your colleagues, supervisors and administrators. You might want to present interesting cases at a conference or use your recordings to teach students.
Marketing: You might want to use your success stories as testimonials. You might create a press release about your services.

Online therapists need answers about privacy protection.
When I graduated as an SLP, I started working part-time for the Vancouver Health Department and I immediately started seeing private clients. It is fairly common for a speech language pathologist to be employed in more than one setting. Many SLPs have a private practice in addition to a public sector job.
My first boss at the health department was an experienced SLP who taught me about caseload management. Essentially, all the administrative skills that I was learning in my public sector job were directly applicable to my private practice. Obviously, things have changed.
If you want to excel at running a telepractice business, there is a lot to learn! Online therapists need answers.
In BC, the rules for staying legal in your public job are not the same as the rules for staying legal in your business. This document will help you discover the contrasts between the privacy protection laws for public employment versus private employment.
I didn’t know there was a difference until 2018. From 2014 until 2018, I was running a telepractice business without much interaction with professional colleagues.
In 2018, I joined a telepractice interest group organized through Speech and Hearing BC. I was surprised that employees in government jobs were required to follow strict policies, such as storing people’s personal information only on servers in Canada. Was I breaking the law by using a telepractice platform hosted on a global server?
In researching this question, I learned that telepractice providers in other regions of Canada faced different legal requirements than I did as a business owner in BC. If you are searching for answers online, you might come across advice intended for Ontario’s health care providers. Be judicious. It might not apply to your situation.

Some of the provincial privacy protection laws in Canada cause confusion for therapists.
Q: Does BC’s Freedom of Information and Protection of Privacy Act (FOIPPA) apply to me?
Freedom of Information and Protection of Privacy Act (FOIPPA): BC's provincial law that applies to public bodies is FOIPPA. Public bodies are defined as any organization that carries out the functions of government, like a public-school board, a public hospital or health authority.
FOIPPA states that personal information collected by a public body must be stored on a server in Canada. Nova Scotia, Quebec and Alberta have similar provincial laws, also stating that public data must stay in Canada.
SLPs employed in public jobs are being told that most online telepractice platforms are not secure enough and therefore not permitted. Likewise, they face prohibitions against using email with clients or saving any data to a cloud-based application.
Personal Information Protection Act (PIPA): Private sector organizations in BC are required to comply with PIPA BC. Note that private practices in audiology and speech language pathology, healthcare companies and private treatment centers are all private sector organizations. Private hospitals, unlike public hospitals, are not government operated. Even BC’s doctors’ offices are private businesses and are therefore not required to comply with FOIPPA but are required to comply with PIPA.
A key difference is that there is no requirement to store data on servers located in Canada. There are no prohibitions against using online telepractice platforms, email and cloud-based data storage.
PIPA BC outlines how all of BC’s private sector organizations must handle the personal information of their employees and the public (i.e. customers) and creates common-sense rules about collecting, using and disclosing that personal information. Many other provinces have laws for the private sector that cover the same principles as Canada’s federal law known as PIPEDA.
Q: I’m a private practice SLP working as a service provider for WorkSafe BC. Why does WorkSafe BC expect me to comply with FOIPPA?
WorkSafe BC is a provincial agency which gets involved when workers are injured on the job. WorkSafe BC has case coordinators and managers who arrange rehab contracts with service providers. As part of the referral process, these WorkSafe BC employees send case files to service providers.
Rehab professionals go through an application process to become WorkSafe BC service providers. Because the provincial government owns and controls the case files about clients, the government is responsible for what happens to that data. WorkSafe BC imposes a legal requirement upon private sector contractors, ensuring that these private entities offer the same level of privacy protection as the public sector.
This is not optional. FOIPPA states that a public body has a continuing obligation to ensure that, when dealing with a business that it has retained under contract to perform services, the business signs a contract promising to comply with FOIPPA’s privacy requirements. The only circumstance in which a privacy protection schedule may not be required is if a contract clearly states that the government will not own or control any personal information involved.
Q: I do contracts for the Community Brain Injury Program for Children and Youth, which is run by the BC Center for Ability, a public body. Is that why I must agree to a long list of privacy requirements every year?
Yes, government ministries and other public sector organizations are instructed to attach a privacy protection schedule to any contracts that involve personal information. The privacy protection schedule ensures that the high privacy standards set by the FOIPPA are maintained for personal information held by service providers. Specifically, BC’s Privacy Protection Schedule lays out the security, storage, use, retention, disclosure requirements and limitations required by law, as well as a clause for termination for non-compliance.
Alternatively, a public body may be able to use a modified version of the privacy protection schedule in situations where the original wording of the privacy protection schedule template does not capture the circumstances or context of the contract. The public body seeking approval for a modified privacy protection schedule must first obtain consent from the Privacy, Compliance and Training Branch and provide the following information:
- the modified version of the privacy protection schedule, and
- a detailed explanation of why an alternative is required.
It is important to note that BC’s Privacy, Compliance and Training Branch will only consider changes that are equivalent to or better than the requirements of the standard privacy protection schedule.
Q: I am a Registered Autism Service Provider (i.e. RASP) for BC’s Autism Funding Program. I do a lot of video conferencing with clients. It is featured in their online search function, so it must be permitted, right?
Yes, it is legal for private practice speech language pathologists on the RASP list to do video conferencing with clients funded by the Autism Funding Program. Furthermore, these professionals can store data about clients on global servers and use email to interact with clients.
In this situation, PIPA applies and there is no government mandate to ensure that service providers comply with FOIPPA. This is because the Autism Funding Program does not give personal information about clients to service providers. You will recall that the government does not own or control contact information (e.g. name, phone, address, email). It is parents who hire the service providers and sign the contract to authorize payment to the service providers. The provincial government simply provides a billing authorization number for the contract with the service provider.
Similarly, a private doctor’s office obtains the medical information directly from the patient. Doctors can bill the Medical Services Plan using a billing code. Private doctors are not contractors or service providers for the provincial government.
Q: Does that mean that the determining factor is the source of the data, not the source of the funding?
Yes, exactly. As a speech language pathologist in private practice, you might have multiple referral sources and various third-party payers. When the data is coming from a public body, FOIPPA will apply if you have been asked to sign a contract to that effect. When the data is coming from a private body or directly from clients, PIPA will apply.

Obtain client consent for case studies while therapy clients are still on your active caseload.
Q: Can I use clinical videos for educational purposes?
You can share information with authorized people within your workplace. You should obtain written client consent for showing your images and videos to anyone outside of your public organization or private company.
Always ask for consent to use recordings for educational purposes. Do this at the beginning, when they become your clients. If they move away and you lose their contact information, you won’t be able to request consent later.
If you will be showing images and videos at a public event like a conference, or on your website, do not reveal identifying information about the person.
When you are making a recording, remember not to say the name of the person. Keep your video clips short. Use clinical descriptions to name the files, rather than using the name of the person.
Q: Can I ask clients for testimonials?
Testimonials are a big part of social media. Sometimes clients are eager to give you a rating and recommend your service. If you use a service such as Yelp, the client is responsible for creating the testimonial and making it public, thereby shielding you from breaching any privacy laws.
Don't ask clients to post testimonials because the comment will be linked to their social profile. There is no privacy.
Instead, you can ask for feedback by email. Shorten testimonials and make spelling corrections. Post the testimonials on your website using initials rather than full names. This method provides you with social proof while protecting each client’s identity.
You can use social media to congratulate clients on making progress in therapy. To do this, post objective data that shows before and after scores. Use the client’s initials and avoid adding any identifying details.
Q: Can I use case studies in my marketing? Can I submit pictures of clients with a press release?
Case studies and news stories help to build your credibility. Show clients the drafts and get written consent before you make the information public.

Canadian therapists should be aware of the risks of data storage.
Q: Where can data be stored?
Often the same data is stored in more than one place. It is common to have an automatic back-up system which makes a copy of the information stored on local computers. Storing data in the cloud introduces a privacy risk. Many companies in Canada outsource data processing to the US. Lots of cloud-based programs are stored on US servers.
In general, data can be stored on:
- local computers, in the RAM and on the drive
- external drives, USB flash drives, memory cards
- servers
- the browser you are using to access internet sites, the sites you visit and the software you are accessing online.
Server: A server is a computer program that provides a service to other computer programs. In a data centre, the physical computer which runs the server program is also frequently referred to as a server. If you work for a school district, health authority or hospital, your organization will have servers in specific locations and you will be able to store information on one of those servers rather than on your local computer.
LAN: A local area network is a computer network within a small geographical area such as a home, school, computer laboratory, office building or group of buildings. If your place of employment has a LAN, you will have inter-connected workstations and personal computers which are each capable of accessing and sharing data and devices such as printers, scanners and a central server.
Q: Why does data storage entail privacy risks?
The Internet can best be understood as a community of computers that are allowed to connect to each other, and any computer on the Internet can connect to any other computer at any time it wishes. Through infrastructure that spans the globe, there is one single, unified Internet that all computers connect to, allowing anyone connected to share and access all the information that they choose to. Thus, this open availability of data creates a huge privacy risk.
Q: What do terrorism and FBI surveillance have to do with our privacy laws in Canada?
The US passed the Patriot Act shortly after the terrorist attacks on Sept 11, 2001. It allows the US government to eavesdrop on face-to-face, telephone and electronic communication without cause. This includes banking information and employee records, essentially any personal information. The critical point is that any information stored on servers in the US is available for surveillance by the FBI without the person’s knowledge or consent.
Here in Canada, that level of surveillance makes our government uncomfortable.
Q: How would the FBI gain access to data on my clients?
Many companies in Canada outsource data processing to the US. Lots of cloud-based programs are stored on US servers.
Cloud-Based: This is a term that refers to applications, services or resources made available to users on demand via the Internet from a cloud computing provider's server.
Global Server Load Balancing (GSLB): This is the practice of distributing Internet traffic amongst many connected servers dispersed around the world. The benefits of GSLB include increased reliability and reductions in latency. For example, email programs like Gmail, Hotmail, and Yahoo run from global servers.
Q: How do I know where my data is stored?
If you are an employee of a public body in BC, your employer should be in compliance with FOIPPA. A public body is required to store data on a server in Canada, subject to three main exceptions.
Client Consent: The client has given consent for the public body to store and access the personal information on a server outside of Canada.
The client’s consent must:
- Specify the purpose of storing or accessing the personal information
- Be in writing
- Specify the personal information for which the client is providing consent
- Specify the date on which the consent is effective
- Specify the date on which the client’s consent expires (if applicable)
- Specify who may store or access the personal information from outside of Canada
- Specify which jurisdiction the personal information may be stored in or accessed from (if practicable)
Authorized by a Written Agreement: Personal information may lawfully be stored in another jurisdiction in circumstances where, for instance, a written agreement authorizes the disclosure of the personal information in another jurisdiction.
For Purposes of Payment: The personal information may be stored or accessed on a server outside of Canada for the purposes of a payment to be made to or by the government of British Columbia or a public body.
If you are working in the private sector, FOIPPA does not apply unless you are obtaining data from the provincial government. Instead, your company is expected to comply with PIPA, which does not prohibit the storage of data on global servers and cloud-based applications. Because of Global Server Load Balancing, it is unlikely that you will be able to determine where your data is stored.
Q: Should I use Canadian cloud storage?
If you work for a public employer, find out where your employer wants you to store data.
If you work alone in private practice and your contracts require you to keep data in Canada, you could just store your data on your local computer and on a local backup drive.
If you work with a treatment team and you want to keep your data in Canada, yes, Canadian cloud storage would be a good idea. There are many options.