Canada Veterinary Clinic Compliance Guide
A practical reference for provincial recordkeeping, CASL consent, PIPEDA privacy, controlled substances, telemedicine, and public health reporting obligations across Canadian veterinary clinics.
Disclaimer: This guide is informational and generalized. It is not legal advice. Requirements can change, and regulators can interpret rules differently depending on facts. Always confirm obligations with your provincial veterinary regulator and qualified Canadian counsel.
Medical Records
Provincial regulation
Veterinary medical recordkeeping in Canada is regulated at the provincial level. Each province has its own veterinary statutory authority (often called a college or association) that sets standards for how records must be created, maintained, and retained. There is no single federal recordkeeping statute for veterinary medicine. Instead, each provincial regulator publishes its own practice standards, bylaws, or regulations governing medical records.
What records must contain
Although specific requirements vary by province, most regulators require that veterinary medical records include: patient identification (species, breed, age, sex, colour, markings, and microchip or tattoo number), client identification and contact details, date and nature of each visit, examination findings and clinical observations, diagnostic tests ordered and results, diagnosis or differential diagnoses, treatments administered (including drug name, dose, route, and frequency), surgical procedures and anaesthetic records, informed consent documentation, and discharge instructions.
Retention periods
Minimum retention periods typically range from five to seven years, though exact requirements vary by province. Some provinces specify that records must be kept for a defined number of years after the last patient visit, while others measure from the date of record creation. Clinics should default to the longer interpretation when provincial guidance is ambiguous.
Inspections and peer review
Most provincial regulators have the authority to inspect veterinary facilities and review medical records, either through scheduled practice inspections or in response to complaints. Several provinces also use peer review or quality assurance programs where records may be randomly selected for evaluation by other licensed veterinarians.
Province-by-province overview
| Province | Primary Regulator | Record Retention Minimum | Client Access Rule | Inspection / Peer Review | Notable Notes |
|---|---|---|---|---|---|
| Ontario | College of Veterinarians of Ontario (CVO) | 5 years from last entry | Clients may request copies of records; reasonable fees may apply | Mandatory facility inspections; peer-review quality assurance program | Electronic records must meet CVO digital standards; informed consent documentation required for procedures |
| British Columbia | College of Veterinarians of British Columbia (CVBC) | 5 years from last entry | Clients entitled to copies on request | Facility inspections; complaint-triggered reviews | Practice standards include detailed requirements for anaesthetic and surgical logs |
| Alberta | Alberta Veterinary Medical Association (ABVMA) | 5 years from last entry | Client access provided within a reasonable timeframe; fee permitted | Practice inspections; random record audits | ABVMA requires records be legible, complete, and contemporaneous; separate controlled substance logs required |
| Quebec | Ordre des médecins vétérinaires du Québec (OMVQ) | 5 years from last entry | Clients may access records under Quebec professional code provisions | Professional inspection program; mandatory peer-review cycles | Quebec professional code imposes additional obligations on record content and language requirements (French) |
| Nova Scotia | Nova Scotia Veterinary Medical Association (NSVMA) | 5 years from last entry | Client access on request; reasonable reproduction cost | Facility inspections conducted periodically | Practice standards aligned broadly with national guidelines; small-practice exemptions may apply for some documentation requirements |
| Manitoba | Manitoba Veterinary Medical Association (MVMA) | 5 years from last entry | Clients entitled to copies of records | Routine facility inspections | MVMA bylaws require records be maintained in a secure, retrievable format |
| Saskatchewan | Saskatchewan Veterinary Medical Association (SVMA) | 5 years from last entry | Client access on request | Practice inspections; complaint-driven record reviews | SVMA telemedicine standards include specific recordkeeping provisions for virtual consultations |
| New Brunswick | New Brunswick Veterinary Medical Association (NBVMA) | 7 years from last entry | Client access on request | Periodic facility inspections | Longer retention period than most provinces; recordkeeping standards emphasize completeness |
| Newfoundland and Labrador | Newfoundland and Labrador Veterinary Medical Association (NLVMA) | 5 years from last entry | Client access on request | Complaint-triggered reviews | Telemedicine-specific record requirements due to geography-driven remote care needs |
| Prince Edward Island | PEI Veterinary Medical Association (PEIVMA) | 5 years from last entry | Client access on request | Periodic facility inspections | Smallest provincial regulatory body; standards broadly follow national recommendations |
Practical tip: Adopt a seven-year retention policy across all provinces to simplify multi-province compliance and provide a safe margin above most minimums.
CASL & Messaging Consent
What CASL covers
Canada's Anti-Spam Legislation (CASL) is a federal law that applies to commercial electronic messages (CEMs) sent to or from Canada. CEMs include email, text messages (SMS), and certain other electronic communications that have a commercial purpose, such as appointment reminders that include promotional content, wellness plan offers, product recommendations, and newsletters with marketing elements.
CASL requires that senders have consent before sending CEMs, include identification information in every message, and provide a functioning unsubscribe mechanism. Penalties for non-compliance can reach up to $10 million per violation for organizations.
Consent types
CASL recognizes two forms of consent: express and implied. Express consent is obtained when a person actively opts in to receiving messages, for example by checking a box on an intake form, verbally agreeing during a call, or signing a consent document. Express consent does not expire unless the person unsubscribes.
Implied consent arises from an existing business relationship. For veterinary clinics, a client who has purchased a service or product within the past two years has implied consent. An inquiry (but not a purchase) provides implied consent for six months. Once implied consent expires, you must obtain express consent to continue sending CEMs.
Consent evidence
Clinics bear the burden of proving consent exists. Best practice is to maintain a consent log that records: the date and method of consent, the specific language presented to the person at the time of consent, whether consent was express or implied, and the source (intake form, phone call recording timestamp, online form submission). If consent is collected verbally (for example, by an AI receptionist during a phone call), the call recording and timestamp should be preserved as evidence.
Vendor responsibilities
If your clinic uses a third-party platform to send messages on your behalf, both the clinic and the vendor can be held liable under CASL. Clinics should ensure that any messaging vendor: sends messages only to recipients for whom valid consent exists, includes proper sender identification, provides a working unsubscribe mechanism in every message, and processes unsubscribe requests within ten business days as required by CASL.
Practical tip: Capture express consent at every client touchpoint. Configure your AI receptionist or intake workflow to record a timestamped consent statement that can be retrieved for audit purposes.
Privacy & Data Protection
Federal framework: PIPEDA
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law governing the collection, use, and disclosure of personal information in the course of commercial activity. PIPEDA applies to veterinary clinics across Canada except in provinces that have enacted substantially similar provincial privacy legislation.
Under PIPEDA, personal information includes any information about an identifiable individual. For veterinary clinics, this covers client names, contact details, payment information, and potentially information that links a person to their animal (such as patient records tied to a client account).
Provincial privacy laws
Three provinces have enacted private-sector privacy legislation recognized as substantially similar to PIPEDA:
- British Columbia: Personal Information Protection Act (PIPA) governs private-sector data handling within BC. PIPA imposes requirements for consent, access, and breach notification that closely parallel PIPEDA.
- Alberta: Personal Information Protection Act (PIPA Alberta) applies to organizations operating in Alberta. It includes specific provisions for data subject access requests, with a response deadline of 45 calendar days.
- Quebec: An Act Respecting the Protection of Personal Information in the Private Sector (known as Quebec's Law 25 after recent amendments) significantly strengthened privacy obligations for organizations operating in Quebec. Quebec's law requires a privacy officer, privacy impact assessments for certain projects, and breach notification. Data subject access requests must be fulfilled within 30 calendar days.
For interprovincial or cross-border data flows, PIPEDA continues to apply regardless of provincial legislation.
Accountability and governance
Both PIPEDA and provincial privacy laws follow an accountability model. This means the clinic is responsible for all personal information under its control, including information processed by third-party vendors. Key obligations include: designating a privacy officer or point of contact, developing internal privacy policies and procedures, limiting collection to what is necessary for identified purposes, obtaining meaningful consent for collection and use, and safeguarding information with appropriate security measures.
Data subject access requests (DSARs)
Individuals have the right to request access to their personal information and to request corrections. Response timelines vary:
| Jurisdiction | Response Deadline | Extension Available |
|---|---|---|
| PIPEDA (federal) | 30 calendar days | Yes, with notice to the individual |
| British Columbia (PIPA) | 30 business days | Yes, with notice to the individual |
| Alberta (PIPA) | 45 calendar days | Yes, with notice to the individual |
| Quebec (Law 25) | 30 calendar days | Additional 10 days with written notice |
Breach handling
Under PIPEDA and provincial equivalents, organizations must report breaches of personal information that create a real risk of significant harm. The federal requirement is to notify the Privacy Commissioner of Canada, affected individuals, and any other organizations that may be able to mitigate harm. Quebec's Law 25 also requires notification to the Commission d'acces a l'information du Quebec. Breach records must be maintained for at least two years under PIPEDA.
Practical tip: Ensure your technology vendors have signed data processing agreements that specify where data is stored, who has access, and how breach notification flows back to your clinic. If your vendor processes data in the United States, confirm that adequate cross-border transfer protections are in place.
Controlled Substances
Federal regulation
The prescribing, dispensing, and storage of controlled substances in veterinary practice is governed federally under the Controlled Drugs and Substances Act (CDSA) and associated regulations, including the Narcotic Control Regulations and the Benzodiazepines and Other Targeted Substances Regulations. Health Canada oversees compliance, and provincial veterinary regulators may impose additional requirements.
Recordkeeping requirements
Veterinarians who administer, prescribe, or dispense narcotics and controlled drugs must maintain detailed records including: the name and quantity of the substance, the date of each transaction, the name and address of the person or animal for whom it was provided, and a running inventory or log. These records must be retained for a minimum of two years from the date of the transaction. Many provincial regulators recommend or require longer retention periods that align with their general medical record retention standards.
Inventory and reconciliation
Clinics must maintain accurate inventories of all controlled substances. Regular reconciliation (comparing physical stock against recorded transactions) is expected. Any discrepancies must be investigated and documented. Health Canada inspectors may request inventory records during inspections.
Loss and theft reporting
Any loss or theft of a narcotic or controlled substance must be reported to Health Canada and to local police. Reports should include the substance name, quantity lost, circumstances of the loss or theft, and any actions taken. There is no statutory grace period for reporting; clinics should report losses as soon as they are discovered.
Practical tip: Maintain a dedicated controlled substance log that is separate from general medical records. Conduct physical inventory counts at least quarterly, and document each count with date and counter signatures.
Telemedicine & VCPR
Provincial VCPR frameworks
The veterinarian-client-patient relationship (VCPR) is the foundational requirement for providing veterinary medical advice, prescribing medications, and making treatment decisions. In Canada, VCPR requirements are set by each provincial regulator, and the rules around whether and how a VCPR can be established or maintained through telemedicine vary significantly.
Most provinces require that an initial VCPR be established through an in-person examination. Once established, some provinces permit the VCPR to be maintained through telemedicine for follow-up consultations, prescription refills, and ongoing care management. A few provinces have adopted more flexible frameworks that allow a VCPR to be established remotely under certain conditions.
Provincial examples
- Saskatchewan: The SVMA has published telemedicine guidelines that permit veterinarians to use telecommunications technology to provide veterinary services, including in some cases establishing a VCPR remotely when an in-person examination is not feasible due to geographic or logistical barriers. Detailed recordkeeping of telemedicine consultations is required.
- British Columbia: The CVBC permits telemedicine as part of ongoing care within an established VCPR. The initial VCPR generally requires a physical examination. The CVBC has published practice standards for telemedicine that include requirements for informed consent, record documentation, and technology standards.
- Newfoundland and Labrador: The NLVMA has recognized that geographic challenges in the province may necessitate remote consultations. Telemedicine provisions allow for remote follow-up care and, in certain circumstances, initial consultations when in-person examination is not practically available. Records of telemedicine encounters must meet the same standards as in-person visits.
Key considerations for clinics
Regardless of province, clinics offering telemedicine services should: verify that their provincial regulator permits telemedicine and under what conditions, ensure informed consent is obtained and documented for telemedicine consultations, maintain medical records for telemedicine encounters at the same standard as in-person visits, use secure and reliable communication technology, and clearly inform clients of the limitations of remote assessment.
Practical tip: Check your provincial regulator's current telemedicine policy at least annually. These frameworks are evolving rapidly, and several provinces have revised their standards in recent years.
Public Health Reporting
CFIA reportable diseases
The Canadian Food Inspection Agency (CFIA) maintains a list of federally reportable animal diseases under the Health of Animals Act and the Reportable Diseases Regulations. Any veterinarian who suspects or diagnoses a reportable disease must immediately notify a CFIA district veterinarian. Reportable diseases include, among others, anthrax, rabies, bovine spongiform encephalopathy (BSE), avian influenza (highly pathogenic), and foot-and-mouth disease.
In addition to CFIA reportable diseases, some provinces maintain their own lists of provincially notifiable diseases. Veterinarians must be aware of both federal and provincial reporting obligations.
Rabies and bite reporting
Rabies reporting is mandatory across all provinces. Veterinarians who suspect rabies in an animal must notify the CFIA immediately. Provinces and municipalities may also require bite reporting to local public health authorities. The specifics vary: some jurisdictions require veterinarians to report animal bites directly, while others place the reporting obligation on the animal owner, public health officer, or attending physician for the bite victim. Clinics should be familiar with both the federal rabies reporting obligation and their local bite reporting requirements.
Adverse drug event reporting
Veterinarians are encouraged to report suspected adverse reactions to veterinary drugs and biologics to Health Canada through the Veterinary Drugs Directorate adverse reaction reporting program. While reporting is voluntary for most adverse events, it is strongly recommended, and some adverse events involving human safety (for example, from antimicrobial resistance) may carry heightened reporting expectations.
Practical tip: Keep a quick-reference list of CFIA reportable diseases and your local public health authority contact information posted in examination areas. Speed matters for reportable disease notification.
Enforcement & Audits
Who checks what
| Area | Primary Authority | What They Check |
|---|---|---|
| Medical records and practice standards | Provincial veterinary regulator (college or association) | Record completeness, retention, consent documentation, facility standards, professional conduct |
| CASL compliance | Canadian Radio-television and Telecommunications Commission (CRTC) | Consent evidence, message content, unsubscribe mechanisms, sender identification |
| Privacy (PIPEDA) | Office of the Privacy Commissioner of Canada (OPC) | Consent practices, data handling, breach notification, access request compliance |
| Privacy (BC) | Office of the Information and Privacy Commissioner for BC | PIPA compliance, access requests, breach handling |
| Privacy (Alberta) | Office of the Information and Privacy Commissioner of Alberta | PIPA Alberta compliance, access requests within 45-day deadline |
| Privacy (Quebec) | Commission d'acces a l'information du Quebec | Law 25 compliance, privacy impact assessments, breach notification, access requests within 30-day deadline |
| Controlled substances | Health Canada (Office of Controlled Substances) | Narcotic logs, inventory reconciliation, loss/theft reports, storage security |
| Reportable diseases | Canadian Food Inspection Agency (CFIA) | Timely notification of reportable diseases, specimen handling, quarantine compliance |
Must-produce artifacts
When a regulator or enforcement authority requests information, clinics should be prepared to produce the following without delay:
- Complete medical records for specified patients or date ranges
- CASL consent logs with timestamps and method of consent capture
- Privacy policies, data processing agreements, and breach response records
- Controlled substance logs, inventory counts, and reconciliation records
- Telemedicine consultation records (if applicable)
- Disease reporting correspondence and notification receipts
- Staff training records related to privacy, controlled substances, or practice standards
Vendor expectations
Regulators increasingly expect clinics to demonstrate that their technology vendors support compliance rather than undermine it. When evaluating or auditing vendor relationships, clinics should confirm that vendors can: export complete records in a portable format, produce audit trails showing who accessed or modified records, demonstrate data residency (where data is stored and processed), provide evidence of security measures and breach notification procedures, support consent capture and logging in a manner that satisfies CASL requirements, and cooperate with regulatory requests for information.
Practical tip: Build a compliance binder (physical or digital) that contains your privacy policy, CASL consent procedures, controlled substance protocols, vendor agreements, and staff training logs. Having these artifacts organized and accessible reduces response time when a regulator comes calling.