30-second summary
- As soon as your site collects information (booking, contact form), it falls under Law 25.
- An osteopathy practice is particularly concerned: the reason for the visit is health information, among the most sensitive.
- Osteopathy has no professional order — so no order's code of ethics — but Law 25 applies to everyone, plus your association's guidelines.
- Points to cover: purpose, consent, privacy policy, security, retention, cookies — and the insurance receipt.
- These are mostly adjustments, not a rebuild. This article gives principles — not legal advice.
Law 25 (the modernization of Quebec's private-sector privacy rules) worries many practitioners — often because the topic feels vague. For an osteopath, the stake is real but manageable: it isn't about reinventing everything, but about covering a few specific points on your site. Here they are, in plain language.
Why an osteopath is particularly concerned
Any site that collects personal information is covered — even a simple contact form. But an osteopathy practice goes further: the moment a person tells you why they want an appointment — chronic back pain, a pregnancy, an infant who won't sleep, a sports injury — you are handling health-related information, among the most sensitive there is. There's nothing alarming about this: it simply means the care given to your forms and your data should match that sensitivity.
No professional order — but Law 25 applies anyway
This is the point that surprises many osteopaths in Quebec: the profession is not governed by a professional order. There is no order's code of ethics to follow, and no order's confidentiality rules layered on top of your site. That can feel like a grey zone — but it doesn't make you exempt.
Law 25 applies to every private-sector business that handles personal information, profession or not. So your privacy framework rests on Law 25 itself, plus any guidelines published by the osteopathy association you belong to. The absence of an order doesn't lower the bar — it simply means you can't lean on an order's playbook, and the general law becomes your main reference. Where your exact obligations are concerned, the CAI is the authority to consult.
1 — Your forms: collect only what's necessary
The first principle is minimization: a booking form should ask only for the information genuinely necessary for its purpose. The less you collect, the less you have to protect. A name, contact details and a short reason for the visit are usually enough to book a first appointment — the full clinical history belongs in your in-clinic intake, not in a public web form. Avoid "just in case" fields that gather data you don't need at this stage.
2 — Purpose and consent (say why)
The person must understand why you ask for their information and consent to it. On a site, this means clear wording near the form and a link to your privacy policy. If the form asks for a reason for the visit, say plainly that it's used only to prepare the appointment. Consent must be informed — not extracted through pre-checked boxes or ambiguous wording.
Are your form and site ready for Law 25? Get a free audit of your online presence, delivered as a PDF report within 24 h.
See our services for osteopaths →
3 — The insurance receipt: data that travels
This one is specific to osteopathy and worth its own section. Most of your patients ask for a receipt to claim reimbursement from their private or group insurance. That receipt — name, date, amount, the nature of the care — is personal information that the patient then shares with their insurer. The data leaves your practice, but the way you collected, stored and protected it beforehand stays your responsibility.
Your website's role here is upstream. A lean, secure booking form and a clear privacy policy set the tone: the patient understands from the first click that you handle their information seriously. The receipt itself is usually generated by your practice management software (Jane App, Cliniko, or similar) and handed to the patient — but the principle of minimization and protection that governs your form should govern that whole chain. The exact handling of receipts and insurer communication should be validated with a professional.
4 — The privacy policy and the responsible person
A clear, accessible privacy policy is central: it explains what information you collect, why, how it's used and protected, and how a person can exercise their rights (access to their data and rectification of it). Law 25 also provides for designating a person responsible for protecting personal information — in a solo or small practice, that may well be you. Our role is to make this information accessible on the site; the exact legal content of the policy should be established with a professional.
5 — Security and retention
Collecting information means protecting it: secure form transmission (HTTPS), reputable hosting, limited access, and a retention period that doesn't drag on beyond what's needed. Keeping a booking enquiry indefinitely "out of habit" raises risk with no benefit. Technical measures are set up on the site and hosting; the exact durations and procedures fall under your own obligations — and the CAI is the right reference for the specifics.
6 — Cookies and tracking
Analytics and advertising tools (cookies, pixels) raise questions of transparency and consent. A site that uses them must inform visitors and, depending on the case, obtain their consent and offer control — often via a cookie-management banner and a mention in the policy. The configuration depends on the tools in place; we put the mechanisms in place, and the precise obligations are validated with a professional.
Compliance plan (website side)
| Step | Action |
|---|---|
| Step 1 | Review the booking form: keep only necessary fields. |
| Step 2 | Add clear purpose wording + consent near the form. |
| Step 3 | Publish an accessible privacy policy and name a responsible person. |
| Step 4 | Secure transmission (HTTPS) and frame a retention period. |
| Step 5 | Keep receipt handling lean and protected (software side). |
| Step 6 | Set up cookie management (banner + mention). |
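As an added illustration, not code from the original article or the agency, here is a small Python booking handler that enforces steps 1, 2 and 4 of the plan on the server side: a field allowlist (minimization), consent that must be an explicit affirmative action, a bounded reason-for-visit, and a retention purge. The field names, the 90-day period and the sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Minimization: the only fields a first-appointment form may carry (assumed names).
ALLOWED_FIELDS = {"name", "email", "phone", "reason", "consent"}
REQUIRED_FIELDS = {"name", "email", "consent"}
MAX_REASON_CHARS = 200   # a short reason, not a clinical history
RETENTION_DAYS = 90      # assumed figure; the real period is a policy decision

@dataclass
class Enquiry:
    name: str
    email: str
    phone: str
    reason: str
    received_at: datetime

class ValidationError(ValueError):
    pass

def accept_booking(form: dict, now: datetime) -> Enquiry:
    """Reject extra fields, missing required fields, defaulted consent
    and an over-long reason; return the enquiry to store otherwise."""
    unexpected = set(form) - ALLOWED_FIELDS
    if unexpected:
        raise ValidationError(f"unexpected fields: {sorted(unexpected)}")
    present = {k for k, v in form.items() if v not in (None, "")}
    missing = REQUIRED_FIELDS - present
    if missing:
        raise ValidationError(f"missing fields: {sorted(missing)}")
    # Only an explicit affirmative action counts; a pre-checked box sends True too,
    # so the front end must render the box unchecked by default.
    if form["consent"] is not True:
        raise ValidationError("explicit consent required")
    reason = str(form.get("reason", "")).strip()
    if len(reason) > MAX_REASON_CHARS:
        raise ValidationError("reason for visit too long for a web form")
    return Enquiry(form["name"].strip(), form["email"].strip(),
                   str(form.get("phone", "")).strip(), reason, now)

def purge_expired(enquiries: list, now: datetime) -> list:
    """Retention: drop enquiries older than RETENTION_DAYS instead of keeping them by habit."""
    cutoff = now - timedelta(days=RETENTION_DAYS)
    return [e for e in enquiries if e.received_at >= cutoff]

# Constructed sample data for a stand-alone run.
SAMPLE_NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)
SAMPLE_FORM = {"name": "A. Patient", "email": "a@example.com",
               "reason": "lower back pain", "consent": True}
SAMPLE_ENQUIRIES = [
    Enquiry("old", "o@example.com", "", "neck", SAMPLE_NOW - timedelta(days=120)),
    Enquiry("new", "n@example.com", "", "hip", SAMPLE_NOW - timedelta(days=5)),
]
```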
Frequently asked questions — Law 25 and an osteopath's website
As soon as your site collects personal information — even just a booking or contact form — it falls under Law 25. An osteopathy practice is particularly concerned, because the reason for the visit (back pain, pregnancy, an infant's sleep, a sports injury) is health-related information, among the most sensitive there is. This doesn't mean your site is non-compliant: it means there are specific points to cover (consent, purpose, security, privacy policy). This article describes those points in general terms; for your exact obligations, validate with a legal professional or Quebec's Commission d'accès à l'information.
Yes. Osteopathy in Quebec is not governed by a professional order, so there is no order's code of ethics to follow. But Law 25 applies to every private-sector business that handles personal information, regardless of profession. The absence of an order doesn't exempt you — it simply means your privacy framework rests on Law 25 itself, plus any guidelines from the osteopathy association you belong to. For your exact obligations, validate with a professional or the Commission d'accès à l'information.
Often, yes, at least to clarify a few things. A compliant form collects only what's necessary for its purpose, clearly explains why the information is requested, obtains the person's consent and transmits the data securely. For an osteopathy booking form, where the reason for the visit can touch on health, these principles matter even more. The good news: these are mostly design and wording adjustments, not a rebuild. The precise obligations should still be validated with a professional.
The receipt you issue so a patient can claim reimbursement contains personal and health-adjacent information that the patient then shares with their insurer. Even though the receipt is generated by your practice management software and handed to the patient, you remain responsible for how you collect, store and protect that data on your side. Your website's role is upstream: a lean, secure booking form and a clear privacy policy. The exact handling of receipts and insurer communication should be validated with a professional.
A clear privacy policy is a central element of a Law 25-compliant online presence. It explains what information you collect, why, how it's used and protected, and how a person can exercise their rights (access, rectification). Law 25 also provides for designating a person responsible for protecting personal information. Our role as an agency is to make this information accessible on the site; the exact legal content of the policy should be established with a qualified professional.
Final responsibility belongs to you, the practitioner, as the custodian of your patients' information. A serious web agency builds a site that facilitates compliance (lean forms, secure transmission, accessible policy, cookie management), but it doesn't replace legal advice. The right approach is teamwork: the agency for technical implementation, and a legal professional or the Commission d'accès à l'information to validate your exact obligations.
Go further
Compliance goes hand in hand with a site that converts and inspires trust:
- Turning visitors into appointments
- Google reviews (ethical method)
- Google Business Profile for osteopaths
- All guides for osteopathy clinics
A site that inspires trust, starting with the form. Get a free audit of your online presence and your booking form — delivered as a personalized PDF report within 24 h.
Get My Free Audit →