Canadian telehealth grew explosively after 2020, and the patient consent forms most providers use have not kept up with provincial privacy law. Each province has its own health information statute (Ontario's PHIPA, Alberta's HIA, BC's PIPA, Quebec's Law 25), and a single national consent form rarely satisfies all of them. The federal PIPEDA also applies where information crosses provincial or international borders. The issue is not that Canadian patients lack rights — they have substantial rights. The issue is that telehealth contracts often try to layer broad consent over them, asking patients to authorise data uses (research, marketing, analytics, AI training, US storage) that go far beyond what the patient actually wants. Valid consent in Canada must be specific, informed, and capable of withdrawal. A blanket consent form that bundles everything together is unlikely to meet that standard.
What is a Patient Consent?
A telehealth patient consent agreement in Canada is the contract authorising a regulated health professional to provide care via video, phone, or asynchronous messaging, and authorising the collection, use, and disclosure of personal health information to deliver that care. It is governed by federal PIPEDA (Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5), the relevant provincial health information privacy statute (PHIPA in Ontario, HIA in Alberta, PIPA in BC, Law 25 in Quebec, etc.), and the standards of the relevant provincial regulatory College (CPSO, CPSA, CPSBC, Collège des médecins du Québec, etc.). Consent must be specific to the purpose and the recipient, informed, and capable of withdrawal.
Red flags to watch for
Canadian privacy law requires consent to be specific to each purpose. PHIPA s 18 (Ontario) requires the patient know the purposes of collection, use, and disclosure. Bundling unrelated purposes (treatment + research + commercial AI training) under a single checkbox is not informed consent and may be successfully challenged before the Information and Privacy Commissioner.
Quebec's Law 25 (in force since September 2023) requires explicit notice if personal information will be transferred outside Quebec, including assessment of the destination's privacy regime. BC's PIPA has historically restricted public-body data outside Canada. A telehealth contract that stores PHI on US servers without specific consent creates regulatory exposure.
Withdrawal of consent is a fundamental requirement under PIPEDA Principle 4.3.8 and provincial equivalents. A contract that says consent is 'irrevocable' or that does not provide a clear withdrawal procedure does not meet the legal standard. The patient must be able to withdraw consent for any non-essential purpose at any time.
Each provincial College requires that the regulated health professional be identifiable to the patient, including registration number. A telehealth platform that only identifies 'a licensed Canadian physician' without naming the individual at the time of consultation does not meet the College standard for informed consent and continuity of care.
Patient rights to make a complaint to the relevant College, to the Information and Privacy Commissioner, or to bring a civil claim cannot be waived by contract. Provisions that purport to waive these rights are void as contrary to public policy. The contract may include arbitration for fee disputes, but not for professional regulation or privacy complaints.
Recording a clinical encounter is a separate purpose requiring separate consent under privacy law. PHIPA s 18 (Ontario) requires the patient be informed of the recording, its purpose, retention period, and access. A general consent form that does not separately address recording — including who can access the recording and for how long — is non-compliant.
Where AI tools (ambient scribes, diagnostic AI, prescription AI) process patient information, this is a distinct purpose that must be disclosed. The Office of the Privacy Commissioner of Canada and provincial Commissioners have signalled increased scrutiny of AI in health care. Failing to disclose AI involvement undermines informed consent and may breach the College's standard of practice.
Your legal rights
Canadian telehealth patients are protected by: the federal Personal Information Protection and Electronic Documents Act (PIPEDA, S.C. 2000, c. 5) for cross-border and inter-provincial transfers; provincial health information privacy statutes — Ontario's Personal Health Information Protection Act, 2004 (PHIPA), Alberta's Health Information Act, BC's Personal Information Protection Act, Quebec's Act respecting the protection of personal information in the private sector (as amended by Law 25, 2021), and equivalent statutes in other provinces; the standards of practice and codes of ethics of the provincial Colleges (e.g., CPSO Policy on Virtual Care); the Canada Health Act for publicly insured services; and the common law of consent (and the Civil Code in Quebec) for treatment. Complaints about privacy can be made to the Office of the Privacy Commissioner of Canada or the provincial Information and Privacy Commissioner. Complaints about professional conduct go to the relevant College.
Questions to ask before you sign
- 1Who is the regulated health professional providing care, and what is their College and registration number?
- 2Where will my personal health information be stored — in Canada, the United States, or another jurisdiction — and what protections apply there?
- 3What specific purposes am I consenting to, and can I consent to treatment without consenting to research, marketing, or AI training?
- 4How do I withdraw consent for any specific purpose, and what happens to my information if I do?
- 5Will the consultation be recorded, and if so, who can access the recording, for how long, and for what purpose?
- 6Are AI tools (scribe, diagnostic, prescription) used during my consultation, and if so, how are they disclosed and what is their role?
- 7If I want to make a privacy complaint, who do I contact — the provider, the College, or the Information and Privacy Commissioner?
Disclaimer: This guide is for educational purposes only and does not constitute legal advice. Contract law varies by jurisdiction and individual circumstances. Always consult a qualified legal professional before making decisions based on this information.