If you use an AI scribe in a Canadian private practice, privacy law applies to how you record and store patient information. For most practitioners, that law is PIPEDA. Staying PIPEDA-compliant with your AI scribe means three main things: obtain consent before recording, collect only what the note requires, and keep the information secure.
For some practitioners, a provincial health-privacy law applies instead of PIPEDA, but the day-to-day duties and principles are the same.
You don’t need to become a privacy expert to get it right, either. It mostly comes down to knowing which law applies to you, being transparent in your practice, having a clear consent conversation, and choosing a tool that handles patient data the way these laws and your regulatory college expect.
Does PIPEDA apply to my private practice?
For most Canadian practitioners, yes. PIPEDA is Canada’s federal privacy law for the private sector, and it covers any organization that collects, uses, or discloses personal information in the course of commercial activity. A private clinic that charges for care is doing exactly that, so PIPEDA generally applies. If you’re curious to see all the details, you can read the law itself on the Office of the Privacy Commissioner’s PIPEDA page.
The nuance here is that some provinces have their own privacy laws the federal government has judged to offer protection equivalent to PIPEDA’s. In those cases, it issues a formal order under PIPEDA itself, and the provincial law takes the lead for patient information you handle inside that province, while PIPEDA steps back.
Here’s the province-specific guidance:
- British Columbia and Alberta each have a Personal Information Protection Act (PIPA), overseen by their Information and Privacy Commissioner.
- Quebec has its own private-sector privacy law, significantly strengthened by Law 25 (Bill 64), and overseen by the Commission d’accès à l’information (CAI).
- Ontario (PHIPA), New Brunswick, Newfoundland and Labrador, and Nova Scotia have their own health-specific privacy laws covering personal health information that the federal government has deemed “substantially similar” to PIPEDA.
So the honest answer to “which privacy law applies to me” depends on your province, but PIPEDA still covers personal information that crosses provincial or national borders. The federal Privacy Commissioner’s summary of privacy laws in Canada is a good, plain-language starting point if you’re not sure which one applies to you.
Either way, the day-to-day obligations for using an AI scribe are broadly the same, no matter which law is your primary one, which is the reassuring part. Your college or association may also have its own guidance on recording and using AI, so be sure to check with them too.
What does PIPEDA require when I use an AI scribe?
PIPEDA runs on ten fair information principles. These are the ones that carry the most weight when an AI tool is being used in a patient visit, and what each looks like for you day to day in the clinic.
Meaningful consent
The patient has to understand that an AI scribe will listen to the visit, help draft the note, and clearly agree before it’s used and turned on. Because health information is sensitive, PIPEDA expects express consent, a clear yes rather than an assumption that silence means okay. It doesn’t dictate whether that yes is spoken or written, so both count, and you do need to be able to show some sort of proof you got it.
Say it out loud, explain what the tool is, how you use it, and the fact that the patient can choose not to have AI used during their visit. This is what makes the consent meaningful and gives the patient room to ask questions. Our walkthrough on getting consent for an AI scribe covers some example scripts on how you could phrase this.
Then capture it in writing too, through a short section on your intake form or a separate consent, so you have a record that doesn’t rely on memory. Our consent form templates give you four to copy and adapt if you don’t already have an AI scribe consent form.
PIPEDA doesn’t strictly require the written part, but many regulatory colleges and associations do expect consent to be obtained and documented in writing by the practitioner or lead health care professional, so this approach should keep you covered.
Limiting collection, use, and retention
Collect the information for one clear purpose, use it only for that, and keep it only as long as you need it.
In the clinic, that means using the recording for the note and nothing else, and editing out any clinically irrelevant points that a patient wants off the record. Before you settle on an AI scribe, take a minute to confirm the vendor won’t use your patients’ audio to train its AI models without consent.
Retention is partly your call, though. If your tool allows it, set recordings to auto-delete on a schedule that fits your practice and your regulatory requirements, or clear them yourself, so old audio isn’t sitting around longer than you need.
Accuracy
A patient’s record has to be accurate and complete, and that duty stays with you as the practitioner even when you’re using an AI scribe. AI can mishear words, miss important context, or introduce small inaccuracies, so you’ll want to read each draft before it goes in the chart and adjust anything that isn’t quite right. Treat the draft as a helpful first pass you review, not a finished note to send straight through.
Safeguards
Health information calls for strong security, and a lot of that starts with choosing the right vendor. Before you sign up, ask where recordings and transcripts are stored, who can access them, and whether data is encrypted both in transit and at rest. Those questions tell you quickly whether a tool is handling patient data with the care it deserves.
Your own habits matter just as much. Make sure you have a strong password and are using two-factor authentication where it’s offered. Plus the everyday care of not leaving a chart, a note, or a transcript open where anyone could see it, like a laptop left unlocked in a shared space. It’s the same sort of thing you already do when keeping patient records private; you’re just extending that process to the scribe.
Accountability
You stay responsible for the patient information even when an outside tool does the processing. In clinic, that means carefully choosing a vendor as part of meeting that duty, making sure everyone who uses the scribe understands how to handle the recordings and notes it produces, saying plainly in your privacy policy that you use an AI scribe, and being ready if a patient has questions about how the tool works and how you keep their data safe.
The Bill C-27 confusion (and what’s true in 2026)
If you’ve been researching AI scribes, you’ve probably come across warnings about steep new penalties under Bill C-27 or the Consumer Privacy Protection Act (CPPA). Those references are worth flagging as neither is law as of 2026, and knowing that helps you filter out vendor materials that are getting ahead of where Canadian privacy law actually sits.
Bill C-27 bundled three things: a PIPEDA replacement called the CPPA, a new privacy tribunal, and Canada’s first AI law (AIDA). The bill never became law though, it was still working its way through Parliament when the government ended (prorogued) that session in January 2025, and any bill that hasn’t passed by the time a session ends gets wiped from the agenda and has to start over. Parliament’s own record shows Bill C-27 never made it past the committee stage. And it hasn’t come back in that form, so PIPEDA is still the federal privacy law, and there’s no federal AI-specific statute in force as of right now.
With that said, Canada’s Privacy Commissioner expects privacy law reform to return as a legislative priority, but no replacement has become law.
The main recent change to PIPEDA itself is a 2026 data portability amendment that allows individuals to request their personal information be transferred between organizations under a data mobility framework (think financial records moving between banks) not clinical records. So, the rules you should follow today are PIPEDA’s existing principles and your provincial law. There’s no need to worry about a new standard that hasn’t arrived yet, but know it’s something to keep an eye out for.
Is a HIPAA-compliant AI scribe enough for Canada?
Many AI scribe tools are built in the United States and advertise HIPAA compliance. That’s a good signal, HIPAA sets real standards around protecting health data, limiting access, and accountability. But it doesn’t automatically cover Canadian privacy rules too.
One of the bigger differences between the two regulations is consent. Under HIPAA, you can use patient information for the everyday work of care. Things like treatment, coordinating with other providers, and billing without a separate sign-off each time. PIPEDA takes a stricter approach and generally requires meaningful consent before collecting or using personal information, which is why getting a clear yes before turning on an AI scribe matters.
The other gap worth knowing about is data residency. A HIPAA-compliant tool can lawfully store data on US servers, but some provincial health privacy laws and college policies prefer or expect health information to stay in Canada. PIPEDA doesn’t prohibit offshore storage, but it does require comparable protection wherever data goes and transparency with patients about it. Before signing up, ask any vendor where recordings are stored for Canadian users and whether anything is processed outside Canada.
FAQ
Is an AI scribe PIPEDA compliant?
Yes, if you choose a tool built for Canadian privacy rules and your regulatory college or body, and back it up with good habits in your clinic.
A tool handles the technical side keeping data in Canada, encrypting it in transit and at rest, and making it easy to capture consent. The rest takes judgment, and that part is still with you. You get the patient’s consent before using it, you decide what belongs in the note so you collect only what care needs, and you control who can see the record and for how long. A good tool makes your part easier, but how you handle the data is still important.
Do I need patient consent to use an AI scribe in Canada?
Yes. PIPEDA requires meaningful consent before you collect personal information. So the patient needs to know an AI scribe will listen and help write the note, and agree, before you start recording. In practice, that’s one plain sentence at the top of the visit and a quick note of their answer in the chart. It doesn’t need to be a long legal script, just clear enough that the patient understands what’s happening and has a real chance to opt out or ask questions.
Does my patient data have to stay in Canada?
Not always. PIPEDA doesn’t strictly require Canadian storage, as long as the information gets comparable protection wherever it goes and patients are told about it. That said, some provincial health privacy laws and colleges expect or prefer that data stay in Canada, and plenty of clinics make it a policy regardless. Before you sign up for an AI scribe tool, ask any vendor where recordings and transcripts are stored for Canadian users, and whether anything is processed outside Canada.
Can I still use an AI scribe if a patient says no?
If a patient declines, that’s completely fair. Let them know they can say no now or change their mind later at any point too. Declining the recording doesn’t mean you lose the help with your notes, though. Many practitioners switch to a dictation-only mode in exactly this situation. With dictation, you record only your own voice after the session and summarize what’s clinically relevant in a few minutes, so there’s no ambient recording and no session audio of the patient at all.
This article provides educational information about using AI scribes in Canada. It isn’t legal or regulatory advice. Privacy rules change, and what applies can vary by province and by profession. For guidance specific to your practice, consult your regulatory college or body and, where needed, legal counsel.
See what Jane's AI Scribe can do