How to Set Up SMS Reminders That Comply with PIPEDA and PHIPA in Canada
February 22, 2026 · Maya Torres

From the team at Formisoft, the HIPAA-ready platform for patient intake, scheduling, and payments.
Setting up SMS reminders for PIPEDA and PHIPA compliance means more than just avoiding the word "appointment" in your texts. I've worked with hundreds of Canadian practices over the past three years, and the ones who get this right share a specific setup pattern.
The confusion makes sense. Ontario practices follow PHIPA. The rest of Canada follows PIPEDA. Both regulate how you can text patients, but the specific requirements differ in ways that matter for your reminder workflow.
What PIPEDA and PHIPA Actually Require for SMS
PIPEDA (Personal Information Protection and Electronic Documents Act) applies federally and in provinces without their own health privacy laws. PHIPA (Personal Health Information Protection Act) governs Ontario specifically.
Both laws require explicit consent before you send appointment reminders via SMS. That's not the same as implied consent. You need documented proof that the patient agreed to receive texts at a specific phone number.
Ontario practices face extra requirements under PHIPA. Any third-party vendor (like your SMS provider) must sign a data processing agreement. You're also required to limit the personal health information included in the message itself. A compliant PHIPA text reminder might say "Appointment reminder for tomorrow at 2pm" but shouldn't include diagnosis details or treatment specifics.
Federal practices under PIPEDA have similar limits. The Office of the Privacy Commissioner clarifies that SMS reminders should contain the minimum information necessary. Patient name, appointment time, and clinic location are acceptable. Medical details are not.
Getting Consent the Right Way
I see the same mistake repeatedly. Practices add a checkbox to their intake form that says "I agree to receive appointment reminders." That's not specific enough.
Your consent mechanism needs to cover three things: the purpose (appointment reminders), the method (SMS), and the phone number. A compliant version looks like this:
"I consent to receive appointment reminders via SMS text message at the phone number I provided: [phone number display]. I understand I can withdraw this consent at any time by contacting the clinic."
Include this in your new patient intake form or during registration. Document it. Store it with the patient's record.
For Ontario practices under PHIPA, add a line about third-party processors: "I understand that SMS reminders may be sent using a third-party service provider, and my information will be handled according to PHIPA requirements."
Most practices I work with handle this during intake, which means patients consent before their first appointment. That prevents the scramble of trying to get consent retroactively.
Configuring Your SMS Content
The content of your reminder matters as much as the consent. Canadian practices need to balance usefulness with privacy protection.
Safe SMS content under both PIPEDA and PHIPA:
- Clinic name
- Appointment date and time
- Clinic phone number
- Brief cancellation instructions
Risky content that could violate either law:
- Diagnosis or condition references
- Treatment details
- Medication names
- Test results
- Provider specialty (in some cases)
I've seen practices in Vancouver get creative with their reminder wording. Instead of "Dr. Smith, dermatology appointment," they text "Appointment at Smith Clinic tomorrow at 3pm. Call 604-555-0100 to confirm or cancel." That keeps it compliant while staying useful.
Ontario practices need extra caution. PHIPA's definition of "personal health information" is broad. Even the fact that someone has an appointment at a specific type of clinic could be identifying in small communities.
Technical Setup That Meets Canadian Standards
Your patient notification system needs specific technical safeguards to meet PIPEDA and PHIPA requirements.
Use a platform that stores patient data on Canadian servers or has explicit Canadian data residency. PHIPA requires that personal health information stay in Ontario unless you have consent to transfer it outside the province. PIPEDA has similar cross-border transfer restrictions.
Make sure your SMS vendor signs a data processing agreement. Both laws make you responsible for how third parties handle patient information. That contract needs to specify data location, security measures, and breach notification procedures.
Implement opt-out functionality in every message. Both laws require patients to have an easy way to stop receiving texts. Most practices add "Reply STOP to opt out" at the end of each message. When someone opts out, document it immediately and update their communication preferences.
Formisoft handles Canadian data residency requirements and includes opt-out tracking built into the notification system. Practices in Toronto and Edmonton use it because it documents the full consent and delivery chain without manual logging.
Handling Opt-Outs and Consent Withdrawal
PIPEDA and PHIPA both give patients the right to withdraw consent at any time. Your system needs to process that withdrawal immediately and keep a record of when it happened.
When a patient opts out:
- Stop sending SMS reminders within 24 hours (both laws require prompt compliance)
- Document the opt-out date and time
- Switch to an alternative communication method if the patient provided one
- Keep the original consent record (showing they once agreed) and the withdrawal record
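The consent rules from the intake section (purpose, method, phone number) and the opt-out steps above can be enforced in code before any text is sent. This is an added sketch, not part of the original article or any vendor's product; the class, function names, deny-list terms, and patient phone number are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed deny-list for the content check; a clinic would maintain its own terms.
RISKY_TERMS = ("diagnosis", "medication", "test result", "treatment", "dermatology")

@dataclass
class ConsentLedger:
    """Append-only log: the grant and the withdrawal are both kept as proof."""
    events: list = field(default_factory=list)

    def record(self, phone, method, purpose, action, when=None):
        when = when or datetime.now(timezone.utc)
        self.events.append({"phone": phone, "method": method, "purpose": purpose,
                            "action": action, "at": when.isoformat()})

    def has_consent(self, phone, method, purpose):
        # The most recent event for this phone/method/purpose decides.
        state = False
        for e in self.events:
            if (e["phone"], e["method"], e["purpose"]) == (phone, method, purpose):
                state = e["action"] == "granted"
        return state

    def handle_inbound(self, phone, body):
        """Treat a STOP reply as withdrawal of SMS reminder consent."""
        if body.strip().upper() == "STOP":
            self.record(phone, "sms", "appointment_reminder", "withdrawn")
            return True
        return False

def build_reminder(clinic, when_text, clinic_phone):
    """Compose a minimal reminder and refuse text that names health details."""
    msg = (f"Appointment at {clinic} {when_text}. Call {clinic_phone} to confirm "
           f"or cancel. Reply STOP to opt out.")
    hits = [t for t in RISKY_TERMS if t in msg.lower()]
    if hits:
        raise ValueError(f"reminder contains health details: {hits}")
    return msg

def send_reminder(ledger, phone, clinic, when_text, clinic_phone):
    """Return the text to send, or None when no active SMS consent exists."""
    if not ledger.has_consent(phone, "sms", "appointment_reminder"):
        return None
    return build_reminder(clinic, when_text, clinic_phone)
```

Because the ledger is keyed by method as well as phone number, a STOP reply withdraws SMS consent only and leaves any separately recorded consent for phone calls untouched.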
Can you call patients who opt out of SMS? Yes, but you need consent for phone calls too. The safest approach: ask during intake what their preferred contact method is, get consent for all methods they choose, and honor withdrawals promptly.
Special Considerations for Multi-Location Practices
Clinic groups across Canada often have locations in both Ontario and other provinces, which means navigating both PHIPA and PIPEDA simultaneously.
The practical approach: build your SMS reminder system to meet the stricter standard (usually PHIPA). That ensures compliance across all locations without maintaining separate processes.
That means Ontario-level data processing agreements, conservative message content, and explicit consent language that works under both laws. A multi-provider practice workflow helps coordinate this across locations without duplicating effort.
What Top Performers Actually Do
The practices with the cleanest SMS reminder compliance share these patterns:
They collect SMS consent during digital intake before the first appointment. They use pre-visit intake automation that includes consent collection as step one.
They audit message content quarterly. Someone on the team reviews what's actually being sent and checks it against PIPEDA or PHIPA requirements. They catch drift before it becomes a problem.
Front desk staff know exactly how to handle opt-out requests. When a patient calls to stop texts, the team documents it and processes the change immediately.
Consent records get stored as long as patient records do. Compliance isn't just about current practice. If a patient complaint or audit happens years later, you need proof you had consent when you sent those reminders.
The common thread: these practices treat SMS consent as part of their intake workflow, not an afterthought. They build it into forms, document it systematically, and review it regularly. That's what keeps them compliant under Canadian privacy law without making it complicated.