PHIPA Compliance for AI Tools in Ontario Healthcare Clinics
PHIPA governs how Ontario clinics handle patient data with AI tools. Here's a plain-English guide to consent, data residency, and compliance requirements.
If you run a healthcare clinic in Ontario and you're using or considering any AI tool that touches patient information, the Personal Health Information Protection Act (PHIPA) applies. PHIPA governs how health information custodians collect, use, disclose, and protect personal health information (PHI), and those rules don't change because the tool handling the data happens to be AI. This guide explains what PHIPA requires when Ontario clinics use AI tools, from voice receptionists and scheduling assistants to scribes and diagnostic software, in plain English.
What PHIPA Covers and Who It Applies To
PHIPA applies to "health information custodians" in Ontario, which includes physicians, dentists, pharmacists, chiropractors, physiotherapists, optometrists, and other regulated health professionals. It also applies to organisations that operate healthcare facilities.
The law governs personal health information, defined broadly to include information about a patient's physical or mental health, their health care history, plans for future care, eligibility for health coverage, and identifying information collected during the provision of healthcare services. A patient's name, phone number, and appointment time collected during a clinic call qualify as PHI under PHIPA when they're connected to healthcare services.
When you use an AI tool in your clinic, you're either processing PHI through that tool or you're not. If you are, PHIPA's full requirements apply. If the AI tool handles only non-identifiable information with no connection to patient care (like a generic marketing newsletter tool), PHIPA may not apply to that specific use.
How PHIPA Applies to AI Tools Specifically
PHIPA doesn't mention artificial intelligence by name. The law is technology-neutral, which means it applies to AI the same way it applies to any other system that processes PHI. Several provisions are particularly relevant.
Consent Requirements
Under PHIPA, clinics can collect, use, and disclose PHI for the purpose of providing healthcare without explicit consent in most cases (this is called the "circle of care" exception). However, using PHI for purposes outside direct care, like training an AI model, sharing data with a third-party vendor for product improvement, or analytics, requires express and knowledgeable consent from the patient.
This is critical when evaluating AI vendors. If the vendor uses your patients' data to improve their AI models, that's a use outside the circle of care. You need patient consent for it. The safest approach: choose vendors that contractually commit to zero data retention and no model training on patient data.
Agent Obligations
When an AI vendor processes PHI on your behalf, they are acting as your "agent" under PHIPA. As the health information custodian, you remain responsible for your agent's handling of PHI. This means you need to verify the vendor's privacy and security practices, ensure they only use PHI for the purposes you've authorised, and have a written agreement in place that specifies how data will be handled, stored, and eventually deleted.
Data Residency
PHIPA does not explicitly prohibit storing PHI outside of Canada, but it requires custodians to ensure that PHI transferred outside Ontario receives equivalent protection. The Information and Privacy Commissioner of Ontario (IPC) has noted that jurisdictions outside Canada may have laws allowing broader use of de-identified health information without consent.
Practically, this means you should verify where your AI vendor stores data. Canadian data residency (ideally in an Ontario or Canadian data centre) is the simplest way to ensure compliance. If data is stored in the US or elsewhere, you need to assess whether the foreign jurisdiction's privacy laws provide equivalent protection, and whether the vendor's contractual commitments fill any gaps.
The RCDSO's AI guidance FAQ specifically flags this issue, warning that foreign jurisdictions may permit uses of health data that Ontario patients haven't consented to. For details on how the RCDSO's guidance maps onto dental AI tools, see our RCDSO AI guidance breakdown. For US-based clinics or Canadian clinics serving cross-border patients, see also our HIPAA + AI receptionist guide.
What Ontario Clinics Must Do Before Deploying AI
Conduct a Privacy Impact Assessment (PIA)
The IPC recommends that healthcare organisations conduct a PIA before implementing any new technology that processes PHI. A PIA identifies what data the AI will access, how it will be used and stored, what risks exist, and how those risks will be mitigated. For AI tools, the PIA should specifically address whether data is used for model training, how long data is retained, whether data crosses borders, and what happens to data if you terminate the vendor relationship.
Verify Vendor Security Practices
PHIPA requires custodians to take reasonable steps to protect PHI against theft, loss, and unauthorised access. When using AI tools, you should verify encryption standards (data in transit and at rest), access controls (who at the vendor can access patient data), audit logging (records of who accessed what and when), incident response procedures (what happens if there's a breach), and contractual commitments around data handling.
Establish a Written Agreement
Your contract with the AI vendor should specify the permitted uses of PHI, data storage location, retention and deletion policies, security standards, breach notification procedures, and what happens to data when the contract ends.
Train Your Staff
Staff who use AI tools need to understand what PHI the tool accesses, what they should and shouldn't enter into the system, and how to escalate privacy concerns. The IPC's January 2026 guidance on AI scribes emphasises that staff training is a foundational requirement for AI compliance in healthcare.
Common PHIPA Questions About AI Tools
AI Voice Receptionists
An AI phone system that answers patient calls and books appointments handles PHI (patient names, phone numbers, appointment details). PHIPA applies. The system should store data in Canada, not retain recordings longer than necessary, not use call data for model training, and inform patients that they're interacting with AI.
At JustReva, REVA is designed with these requirements as defaults: Canadian data residency (Canada Central region), zero data retention on voice processing, no use of patient data for model training, and AI disclosure at the start of every call. See our security page for specifics.
AI Scribes
AI scribes that transcribe clinical encounters handle highly sensitive PHI. The IPC's January 2026 guidance establishes six principles for healthcare AI: valid and reliable, safe, privacy-protective, human rights affirming, transparent, and accountable. Clinics using AI scribes should conduct a thorough PIA, verify the scribe vendor's compliance posture, and ensure patients are informed.
AI Diagnostic Tools
Tools that analyse patient images or data for diagnostic purposes handle PHI and also raise clinical liability questions. Both PHIPA compliance and professional regulatory requirements (from the RCDSO, CPSO, or other colleges) apply simultaneously.
What Happens If You Get It Wrong
PHIPA breaches can result in complaints to the IPC, mandatory breach reporting (for significant breaches), orders from the IPC requiring corrective action, and fines. The IPC can order organisations to stop collecting or using information in certain ways, which could effectively shut down an AI deployment.
Beyond regulatory consequences, a PHI breach damages patient trust. In healthcare, trust is your most valuable asset and the hardest to rebuild.
Get Compliance Right from Day One
JustReva is built for PHIPA compliance: Canadian data residency, zero data retention on voice processing, and no use of patient data for model training. Start with a free 30-day pilot to see how REVA handles your clinic's calls within Ontario's privacy framework.