Posted on
Feb 28, 2026
PHIPA Compliance for AI Documentation in Ontario: A Legal Guide for Physicians
Ontario physicians adopting AI-powered clinical documentation face a regulatory landscape that demands precision. The Personal Health Information Protection Act (PHIPA) governs every step of how personal health information is collected, used, disclosed, and stored — and AI scribes introduce new vectors of risk at each stage. Platforms like Scribing.io are architected specifically for Canadian privacy law, but understanding your obligations as a Health Information Custodian is non-delegable. This guide provides the legal and practical framework you need.
Following the Information and Privacy Commissioner of Ontario's (IPC) landmark January 28, 2026 guidance on AI scribes in healthcare, the expectations for Ontario physicians have sharpened considerably. Whether you run a solo family medicine practice or a multi-physician specialty clinic, PHIPA compliance for AI documentation in Ontario now requires documented governance, meaningful patient consent, privacy impact assessments, and technical safeguards that go well beyond what many vendors offer. Scribing.io's compliance-first architecture was designed to meet these requirements — but you still need to understand what the law demands of you personally as the custodian.
TL;DR — What Ontario Physicians Need to Know
Ontario physicians using AI documentation tools must comply with PHIPA, which holds the physician, not the vendor, ultimately accountable for all PHI handling. The IPC's January 28, 2026 guidance now expects privacy impact assessments before AI scribe deployment, meaningful patient consent (beyond implied consent within the circle of care), human oversight of every AI-generated note, and PHIPA-compliant vendor agreements with Canadian data residency assurances. Administrative monetary penalties reach up to $50,000 per contravention for individuals and $500,000 per contravention for organizations. This guide covers each obligation in detail, with practical workflows and compliance checklists Ontario physicians can implement immediately.
Table of Contents
What PHIPA Requires and Why It Matters for AI-Assisted Documentation
Consent Requirements for AI Scribes Under PHIPA
Privacy Impact Assessments and AI Governance
Data Residency, Encryption, and Technical Safeguards
PHIPA-Compliant Vendor Agreements
Breach Notification Obligations for AI Documentation
Enforcement Trends and Administrative Monetary Penalties
Get Started Today
What PHIPA Requires and Why It Matters for AI-Assisted Documentation
PHIPA's Core Framework: Who It Covers and What It Protects
PHIPA applies to every Health Information Custodian (HIC) in Ontario — a category that includes physicians, hospitals, pharmacies, and other regulated health professionals. Under PHIPA s. 3(1), physicians are HICs by default, meaning they bear primary legal accountability for all personal health information in their custody or control.
Personal health information (PHI) is defined broadly under s. 4(1) as identifying information about an individual, in oral or recorded form, that relates to their physical or mental health, the provision of health care, a plan of service, payments or eligibility for health care, donation of body parts or bodily substances, or the individual's health number. For AI scribes the "recorded form" language is what matters: an audio recording of a clinical encounter is PHI from the moment the microphone activates, and so are the transcript and the draft note derived from it.
When a physician engages an AI scribe vendor, that vendor functions as the physician's agent under PHIPA s. 17. Agents may collect, use, and disclose PHI only at the custodian's direction and for the custodian's purposes. However — and this is the point many physicians miss — the HIC retains full accountability for the agent's actions. If your AI scribe vendor mishandles patient data, the IPC will investigate you as the custodian, not just the vendor.
Why AI Documentation Tools Trigger Heightened PHIPA Scrutiny
Traditional dictation tools and human scribes already create PHIPA obligations, but AI documentation introduces three distinct risk layers that compound compliance exposure:
Audio capture of clinical encounters. The AI scribe records the full patient-physician conversation — including sensitive disclosures, mental health discussions, and information patients may consider highly private. This recording constitutes PHI under s. 4(1) even before the AI processes it.
Algorithmic processing and note generation. The AI model ingests the audio, applies natural language processing, and generates structured clinical notes containing diagnoses, treatment plans, and patient-reported symptoms. Each transformation creates a new PHI artifact subject to PHIPA's collection, use, and retention rules.
Data transmission to third-party infrastructure. Unless the AI runs entirely on local hardware (which almost no clinical AI scribe does), patient data traverses networks and is processed on servers. This raises questions about data residency, encryption in transit, subcontractor access, and cross-border data flows.
Each layer creates discrete PHIPA obligations — and a failure at any point exposes the physician-HIC to complaints, investigations, and penalties.
The January 2026 IPC Guidance on AI Scribes — What Changed
On January 28, 2026, the Information and Privacy Commissioner of Ontario published guidance specifically addressing AI scribes in healthcare settings. This guidance does not create new law, but it represents the IPC's interpretation of existing PHIPA obligations as applied to AI documentation — and IPC interpretations carry significant weight in enforcement proceedings.
The guidance established five core expectations:
AI governance structures — Practices must designate responsibility for AI oversight, even if the "governance structure" is a solo physician documenting their own decision-making process.
Privacy impact assessments (PIAs) — A PIA must be completed before any AI scribe is deployed, not after.
Vendor due diligence — HICs must conduct meaningful evaluation of the vendor's privacy and security practices, data residency, subcontractor controls, and breach response capabilities.
Meaningful patient consent — Patients must be informed that AI is processing their encounter, and the information provided must be sufficient for the patient to make a genuine choice.
Mandatory human oversight — AI-generated clinical notes must be reviewed and approved by the physician before being finalized in the medical record. Fully automated note entry without physician review is not acceptable.
The IPC also referenced its six principles for responsible AI use, developed jointly with the Ontario Human Rights Commission, reinforcing that AI tools must be transparent, accountable, and subject to ongoing evaluation — not deployed and forgotten.
Consent Requirements for AI Scribes Under PHIPA — Express, Implied, and the Circle of Care
Express vs. Implied Consent for AI-Assisted Documentation
This is the question Ontario physicians ask most frequently: Do I need express consent from every patient before using an AI scribe?
The statutory framework provides one answer; the IPC's practical guidance provides another, more conservative one. Under PHIPA s. 20(2), a HIC may assume implied consent for the collection, use, and disclosure of PHI within the "circle of care" — meaning among health care providers involved in the patient's treatment — provided the HIC has posted or made available a public notice about its information practices, and the patient has not expressly withheld consent.
Technically, documentation of a clinical encounter falls within the provision of health care. A physician could argue that using an AI tool to generate clinical notes is simply a method of documentation, analogous to dictation software, and that implied consent within the circle of care applies.
However, the IPC's January 2026 guidance takes a more protective stance. It establishes that meaningful patient notification is required when AI processes clinical encounters. The reasoning is sound: patients have a reasonable expectation that their conversations with physicians are heard only by the people in the room. An AI system recording and processing that conversation introduces a fundamentally different dynamic that patients should know about.
The safest compliance position for Ontario physicians: treat AI scribe use as requiring informed notification at minimum, and provide a genuine opportunity for patients to decline.
What "Meaningful Consent" Looks Like in Practice
For family medicine practices in Ontario, meaningful consent for AI documentation should include these elements:
Verbal disclosure at the start of the visit: "I use an AI tool that listens to our conversation and creates a draft of my clinical notes. The recording is processed securely on Canadian servers and is not stored after the note is generated. You can ask me to turn it off at any time." Adjust the script to match what your PIA and vendor agreement actually confirm: do not tell patients the audio is deleted, or that it stays in Canada, unless you have verified both.
Clear explanation of what the AI does: Patients should understand that the tool records audio, generates a written summary, and that the physician reviews and approves the note before it goes into their chart.
Right to decline without penalty: The patient must be able to say "no" without any reduction in care quality. If a patient declines, the physician must have a manual documentation fallback.
Documentation of consent in the chart: A brief notation such as "Patient informed of AI documentation tool; patient consented" or "Patient declined AI documentation; manual notes taken" satisfies the accountability requirement.
Clinic waiting rooms should also display a notice explaining AI documentation practices — consistent with the s. 16 requirement to make information practices publicly available.
The Lock-Box Right and AI Documentation
Under PHIPA s. 19, patients can expressly withhold or withdraw consent for the disclosure of specific PHI — commonly called the "lock-box" provision. This right applies even within the circle of care. A patient might consent to AI documentation generally but instruct the physician not to include specific information (such as a mental health disclosure or substance use history) in the AI-processed note.
Your AI scribe workflow must accommodate this. If a patient invokes their lock-box right mid-encounter, the physician needs to be able to pause or stop the AI recording for that portion of the conversation. Psychiatry practices should be particularly attuned to this, given the sensitivity of mental health disclosures.
Substitute Decision-Makers and AI Consent
Under PHIPA s. 25, when a patient is incapable of consenting, their substitute decision-maker (SDM) exercises consent rights on their behalf. The SDM must be informed of AI scribe use in the same manner the patient would be, and the SDM has the same right to decline AI documentation. Pediatric encounters require parental or guardian notification. Physicians working with pediatric patients should integrate AI disclosure into their existing SDM consent workflows.
Privacy Impact Assessments and AI Governance — The IPC's New Expectations
Do You Need a Privacy Impact Assessment Before Using an AI Scribe?
Yes. The IPC's January 2026 guidance is unambiguous: a privacy impact assessment must be completed before deploying any AI scribe in a clinical setting. This is not optional guidance; it represents the IPC's interpretation of the HIC's existing duties under PHIPA to maintain information practices that comply with the Act (s. 10) and to take steps that are reasonable in the circumstances to protect PHI (s. 12(1)).
A PIA is a structured process for identifying privacy risks associated with a new system, evaluating those risks against the organization's obligations, and documenting the safeguards that mitigate them. For AI scribes, the PIA must cover the entire data lifecycle: audio capture, transmission, processing, note generation, EMR integration, data retention, and deletion.
AI Governance for Solo Practitioners and Small Practices
If you are a solo physician reading this and feeling overwhelmed by the phrase "AI governance structure," the IPC has explicitly acknowledged that governance scales to practice size. Referencing the IPC's May 2025 Privacy Management Handbook for Small Health Care Organizations, a solo practitioner can designate themselves as the AI governance authority. What the IPC requires is documented decision-making, not organizational complexity.
This means:
You document your decision to adopt an AI scribe, including why you selected the specific vendor.
You complete (or have completed on your behalf) a PIA before deployment.
You record your review of the vendor's privacy and security practices.
You establish and document policies for consent, opt-out handling, note review, and data retention.
You revisit these decisions periodically — at minimum annually or when the vendor makes significant changes.
A binder or digital folder containing these documented decisions satisfies the governance requirement for a small practice.
What Your PIA Should Cover for an AI Scribe
The following checklist covers the elements your PIA should address when evaluating an AI documentation tool:
PIA Element | What to Document |
|---|---|
Data flow mapping | Audio capture → transmission → processing server → note generation → EMR integration → storage/deletion |
PHI types collected | Audio recordings, transcribed text, generated clinical notes, patient identifiers |
Data residency | Where is data processed? Where is it stored? Are any subcontractors located outside Canada? |
Vendor data handling | Does the vendor retain audio or transcripts after note generation? For how long? For what purpose? |
Encryption standards | AES-256 at rest, TLS 1.2+ in transit — per IPC Fact Sheet #16 |
Access controls | Who at the vendor can access patient data? Under what circumstances? |
Subcontractor controls | Does the vendor use sub-processors? Are they bound by equivalent PHIPA-compliant obligations? |
Breach notification procedures | How quickly will the vendor notify you of a breach? What information will they provide? |
Patient opt-out mechanisms | How does the system handle a patient declining AI documentation mid-encounter? |
Retention and deletion | When is audio deleted? When are intermediate transcripts purged? Can you verify deletion? |
How Scribing.io Simplifies the PIA Process
Completing a PIA from scratch is time-intensive — especially for physicians whose expertise is clinical, not regulatory. Scribing.io provides Ontario customers with PIA-ready documentation packages that include pre-populated data flow diagrams, vendor security attestations, encryption specifications, data residency confirmation, and breach notification protocols. These materials are designed to be dropped directly into a PIA template, significantly reducing the compliance burden for solo practitioners and small practices alike.
Data Residency, Encryption, and Technical Safeguards for AI Documentation in Ontario
Does PHIPA Require Canadian Data Residency?
This is one of the most misunderstood aspects of Ontario health privacy law. PHIPA itself does not contain an explicit statutory prohibition on storing or processing PHI outside Canada. However, the practical compliance landscape creates such strong de facto Canadian data residency expectations that treating it as a requirement is the only defensible position.
Here is why:
PHIPA s. 12(1) requires the HIC to take steps that are reasonable in the circumstances to protect PHI against theft, loss, and unauthorized use or disclosure, and s. 17 leaves the HIC accountable for PHI handled by its agents. Storing data in jurisdictions where foreign authorities can compel access (such as the United States, where the Patriot Act and CLOUD Act create government access risks) makes that reasonableness much harder to demonstrate.
Ontario Health's Virtual Visit Standard requires Canadian data hosting for virtual care platforms — and many Ontario Health Teams extend this requirement to AI documentation tools used within their networks.
The IPC's January 2026 guidance specifically flagged cross-border data flows as a high-risk factor in AI scribe PIAs and recommended Canadian data residency as a baseline safeguard.
ConnectingOntario requirements for systems that integrate with provincial health information exchanges mandate Canadian hosting.
The safest position: all PHI processing, storage, and backup should occur on infrastructure physically located in Canada. If your AI scribe vendor cannot confirm this, that is a disqualifying risk factor.
Encryption Standards the IPC Expects
The IPC's Fact Sheet #16 sets out its encryption expectations, and the operational baseline practitioners apply is AES-256 for data at rest and TLS 1.2 or higher for data in transit. These are not suggestions; they represent the IPC's standard for what constitutes "reasonable" technical safeguards under PHIPA s. 12(1). Cipher strength alone is not the whole test, though: ask who holds the decryption keys (the vendor, a cloud provider, or you), whether vendor staff can decrypt stored PHI, and whether TLS 1.2+ is enforced with older protocol versions disabled rather than merely "supported".
A nuance worth noting: the IPC has acknowledged that the loss of a device holding properly encrypted PHI may reduce or remove the need to notify, but encryption does not automatically eliminate notification obligations. The determination turns on whether the encryption was correctly implemented and whether the decryption key was also exposed. The same reasoning applies to an incident on your vendor's infrastructure.
Audit Logging, Access Controls, and the "Demonstrable Accountability" Standard
Following PHIPA Decision 298 (August 2025), the IPC has made clear that it expects practices to produce evidence of compliance — not merely assert it. This "demonstrable accountability" standard has significant implications for AI scribe deployments.
Your AI documentation system must include:
Unique user credentials — No shared logins. Every physician and staff member accessing the AI scribe must have individual authentication.
Multi-factor authentication (MFA) — Required for all access to systems containing PHI.
Role-based access controls (RBAC) — Administrative staff should not have the same access privileges as treating physicians.
Tamper-evident audit logs — Every access to PHI, every note generated, and every modification must be logged with user identity, timestamp, and action taken.
Regular log review — The IPC expects periodic review of audit logs to detect unauthorized access. For small practices, quarterly review is a defensible frequency.
PHIPA-Compliant Vendor Agreements — What Your AI Scribe Contract Must Include
The Agent Agreement Under PHIPA s. 17
Because your AI scribe vendor is your agent under PHIPA, you remain accountable for everything the vendor does with PHI (s. 17(1)), and the vendor must notify you at the first reasonable opportunity of any theft, loss, or unauthorized use or disclosure of PHI it handles for you (s. 17(3)). PHIPA does not prescribe the form of the arrangement, but the IPC expects a written agreement. A standard SaaS terms-of-service document is not that agreement: you need a specific PHIPA agent agreement that defines the vendor's obligations with respect to PHI.
The agreement must address:
The specific PHI the agent will handle and the purposes for which it may be used.
The agent's obligation to comply with PHIPA and any conditions or restrictions imposed by the HIC.
The agent's obligation to notify the HIC of any breach or suspected breach of PHI.
Requirements for return or secure destruction of PHI upon termination of the agreement.
The HIC's right to audit the agent's privacy and security practices.
Restrictions on the agent's use of PHI for its own purposes (including AI model training — see below).
The AI Model Training Question
This is a critical and frequently overlooked issue. Many AI vendors use customer data to train and improve their machine learning models. Under PHIPA, using patient PHI to train an AI model constitutes a use of PHI — and it must be authorized by the custodian and fall within the purposes for which the PHI was collected.
If your vendor's terms of service include a clause allowing them to use "anonymized" or "de-identified" data for model improvement, examine it carefully. The IPC has taken the position that de-identification must be robust and verifiable — simply stripping names and health numbers may not be sufficient if the remaining data could be re-identified through contextual analysis.
Your vendor agreement should include an explicit prohibition on using PHI for model training unless you have made a deliberate, documented decision to permit it and have assessed the privacy implications in your PIA. Scribing.io's standard agreement includes this prohibition by default.
Subcontractor and Sub-Processor Controls
Your vendor likely uses sub-processors — cloud hosting providers, speech-to-text engines, or other third-party services. Under PHIPA, your vendor's sub-processors are also agents, and the same accountability chain applies. Your agreement should require:
Disclosure of all sub-processors who handle PHI.
Equivalent contractual protections flowing down to sub-processors.
Notification before any new sub-processor is engaged.
Canadian data residency commitments that bind sub-processors.
Breach Notification Obligations for AI Documentation
What Constitutes a Breach Under PHIPA
PHIPA does not define "breach" as a term; the operative language in s. 12(2) is PHI that is stolen or lost, or that is used or disclosed without authority. In practice this covers any unauthorized collection, use, disclosure, retention, or disposal of PHI. For AI scribe systems, breach scenarios include unauthorized access to audio recordings, unintended disclosure of clinical notes, data exfiltration from the vendor's infrastructure, or processing of PHI on non-Canadian servers contrary to your agreement.
Notification Requirements and Timelines
PHIPA s. 12(2) requires HICs to notify the affected individual "at the first reasonable opportunity" of any theft, loss, or unauthorized use or disclosure of their PHI; unlike PIPEDA, there is no "real risk of significant harm" threshold before a patient must be told. Under s. 12(3) and its regulation, the IPC must also be notified in prescribed circumstances (for example, where the PHI was stolen, where the unauthorized use or disclosure is part of a pattern, or where it is otherwise significant), and HICs must report annual breach statistics to the IPC. The College of Physicians and Surgeons of Ontario (CPSO) also expects timely notification in cases involving patient safety.
Your vendor agreement should specify breach notification timelines — ideally within 24 to 72 hours of the vendor becoming aware of the incident. Generic vendor commitments to notify "as soon as practicable" are insufficient. Define a specific timeframe.
Breach Response Planning for AI Scribe Incidents
Every practice using an AI scribe should have a documented breach response plan that covers:
Immediate containment: suspending the AI scribe integration and revoking its credentials or API keys, while preserving (not rotating or purging) audit logs on both the practice and vendor side.
Assessment: determining what PHI was affected, how many patients were impacted, and the nature of the unauthorized access.
Notification: IPC notification, patient notification, and CPSO notification if applicable.
Remediation: addressing the root cause and implementing additional safeguards.
Documentation: recording the entire response for accountability purposes.
Enforcement Trends and Administrative Monetary Penalties
The Current Enforcement Landscape
Ontario's enforcement of PHIPA has intensified significantly. The administrative monetary penalty (AMP) provisions (PHIPA s. 61.1, in force since January 1, 2024) authorize penalties of up to $50,000 per contravention for individuals and $500,000 per contravention for organizations. These AMPs are now being actively imposed, not merely held in reserve.
The IPC has signaled that AI-related complaints will be treated as a priority area, given the volume of PHI processed and the systemic risks posed by improperly deployed AI tools. A single AI scribe processing encounters for a busy family physician could involve thousands of patients' PHI — meaning a single compliance failure could affect a large population and attract correspondingly serious enforcement attention.
How Investigations Typically Arise
Most IPC investigations are triggered by patient complaints, mandatory breach notifications, or the IPC's own review activities. Common triggers in the AI documentation context include:
A patient learning about AI documentation after the fact and filing a complaint about lack of consent.
A breach notification revealing inadequate vendor safeguards.
An IPC review of a practice's information practices that reveals no PIA was completed before AI scribe deployment.
Protecting Your Practice
The pattern in IPC decisions is consistent: practices that can demonstrate documented compliance — PIAs, consent policies, vendor agreements, audit logs, governance records — receive significantly more favorable treatment than those that cannot. The issue is rarely whether the physician intended to comply, but whether they can prove that they did. This is the "demonstrable accountability" standard in practice.
Building this documentation portfolio is not optional overhead — it is the core of PHIPA compliance for AI documentation. Working with a vendor that provides compliance-ready documentation, like Scribing.io, materially reduces both the effort required and the risk of enforcement gaps.
For physicians also practicing across provincial or international borders, understanding how AI scribe regulations differ by jurisdiction — such as California's AI scribe laws — provides additional context for building robust compliance programs.
Get Started Today
PHIPA compliance for AI documentation in Ontario is not a barrier to adoption — it is a framework that protects both your patients and your practice. The physicians who adopt AI scribes successfully are the ones who choose vendors built for Canadian health privacy law from the ground up. Scribing.io provides Canadian-hosted infrastructure, PHIPA-compliant agent agreements, PIA-ready documentation, consent workflow support, and the technical safeguards the IPC expects — so you can focus on patient care instead of regulatory risk.