Applying the IPC’s AI-in-Healthcare Checklist: A 4-Doctor Clinic Walk-Through (2026)

Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.

The Information and Privacy Commissioner of Ontario (IPC) published AI-in-Health-Care guidance that reads short and lands hard. It tells health information custodians to do six things before an AI tool touches a single patient encounter: confirm lawful authority under PHIPA, run a Privacy Impact Assessment, sign a PHIPA-compliant vendor contract, set up patient disclosure, retain audit logs, and document safeguards.

Hospitals have privacy teams that turn that into a project plan. A 4-doctor FHO clinic does not.

This walk-through applies the IPC checklist line by line to a fictional 4-physician Family Health Organization in Etobicoke, and reads alongside the PHIPA-compliant AI playbook for Ontario clinics. Read this if you’re the lead physician, the practice manager, or the privacy contact, and you’re the one who has to produce the artifacts.

Key Takeaways

  • The IPC AI in Health Care guidance carries interpretive weight without being statutory; it interprets PHIPA, which is binding on every Ontario health information custodian (IPC Ontario, AI in Health Care, 2024-2025).
  • A 4-doctor FHO needs a 10-to-15 page PIA before turning on an AI scribe. The IPC has been clear since 2015 that a PIA is the expected practice for any new collection, use, or disclosure of personal health information.
  • Three of the four Ontario FHO clinics FC reviewed in Q1 2026 had no written vendor PHIPA-attestation letter on file, even though their vendor had one available on request. The gap is paperwork, not technology.
  • Default audit-log retention for the three most common Canadian AI scribe vendors (Heidi, Tali, Mutuo) sits at 90 days in standard tiers. Ontario physicians must keep the clinical record itself for ten years under the CPSO's record-retention requirement, and the audit log that shows who touched that record should be kept at least as long.
  • The CPSO disclosure obligation runs in parallel with the IPC checklist. Patient consent for AI use is separate from consent for the encounter itself.


What the IPC AI-in-Health-Care guidance (2025) actually requires


The IPC’s position is that PHIPA already governs AI use in clinics. The 2024-2025 guidance does not amend the Act. It explains how existing PHIPA obligations apply to algorithmic systems that process personal health information. The compliance gap is not the absence of rules. It’s the absence of written clinic artifacts that show those rules were operationalized.

The guidance lands on six domains a clinic must demonstrate before, during, and after AI deployment. Lawful authority under PHIPA. A Privacy Impact Assessment for the specific use case. A written vendor contract that names the vendor as an agent or electronic service provider. Patient disclosure and consent. Audit logging with retention. Administrative, technical, and physical safeguards.

According to the IPC’s AI in Health Care resource hub, the Commissioner expects every Ontario custodian deploying AI to be able to produce documentation across all six domains within a reasonable time when asked. The clinic that can’t produce it has a problem before the IPC even reads the documents.

The 6 IPC checklist domains, mapped


This is the spine the clinic prints and pins to the wall. Each row maps one IPC domain to the PHIPA section it draws from, the artifact the clinic produces, and the failure mode most small clinics hit when they shortcut the work.

IPC AI-in-Health-Care checklist, mapped to PHIPA, artifacts, and pitfalls

  1. Lawful authority
     PHIPA anchor: s.29, s.37 (use)
     Required artifact: written statement of purpose; named privacy contact.
     Common pitfall: no named contact; clinic can’t identify who owns AI compliance.
  2. PIA
     PHIPA anchor: s.12 (safeguards)
     Required artifact: 10-15 page PIA covering data flow, residency, contract, audit, disclosure.
     Common pitfall: no PIA; deployment goes live on a vendor sales call.
  3. Vendor contract
     PHIPA anchor: s.10, s.17 (agent)
     Required artifact: written agreement naming vendor as agent or ESP; PHIPA-equivalent safeguards.
     Common pitfall: click-through SaaS terms; no agent designation; no breach window.
  4. Patient disclosure
     PHIPA anchor: s.18 (consent)
     Required artifact: consent script + waiting-room signage + chart documentation per visit.
     Common pitfall: no script; physician improvises; some patients never told.
  5. Audit logging
     PHIPA anchor: s.10, s.13 (records)
     Required artifact: ten-year audit-log retention; custodian access on request; annual log review.
     Common pitfall: 90-day vendor default; logs gone before audit ever runs.
  6. Safeguards
     PHIPA anchor: s.12, s.13
     Required artifact: administrative (training), technical (MFA, encryption), physical (device control).
     Common pitfall: technical alone; no training log; no device policy.

“Health information custodians remain accountable for their use of AI, including when AI tools are provided by third parties. PHIPA obligations do not transfer to the vendor.”

Information and Privacy Commissioner of Ontario, AI in Health Care guidance (2024-2025)

The flagship piece on PHIPA-compliant AI deployment for Canadian clinics covers the broader policy architecture. This walk-through is what the privacy contact uses on Monday morning.

The 4-doctor clinic walk-through: meet Etobicoke Family Health


Etobicoke Family Health is a fictional 4-physician FHO with one nurse practitioner, two RNs, two medical office assistants, and an outsourced IT provider. Patient panel is 6,400. EMR is OSCAR Pro on a Canadian-hosted instance. The lead physician wants to roll out Heidi as an AI scribe. The practice manager is the named privacy contact.

Here’s what each IPC domain looks like for this clinic.

Lawful authority (PHIPA s.29, s.37)

The clinic writes a one-paragraph statement of purpose: “Etobicoke Family Health uses Heidi as an AI scribe to assist physicians in documenting in-person and virtual patient encounters, for the purpose of providing health care under PHIPA s.29(1). The Heidi vendor is engaged as an agent and electronic service provider under PHIPA s.10 and s.17.” The privacy contact (the practice manager) signs and dates it.

Privacy Impact Assessment (PHIPA s.12)

The PIA runs ten to fifteen pages. It covers: the vendor name; the data-flow diagram (microphone → encrypted transit → Canadian region → transcript → physician review → EMR); the residency line (Canadian region confirmed in writing by the vendor); the contract clauses (agent designation, no model training on PHI, ten-year audit-log retention, a breach-notification window stated in days); the consent script; and the audit-log review plan.

The IPC’s PIA guidance and template materials give the structure; the clinic fills in the specifics.

The PIA does not get submitted to the Commissioner. It gets filed at the clinic, available within a reasonable time if asked.

Vendor contract (PHIPA s.10, s.17)

The clinic does not sign the vendor’s standard click-through SaaS terms. The clinic requests the vendor’s Business Associate-equivalent agreement or DPA, reviews it against the PHIPA agent designation, and red-lines anything that conflicts. The named clauses we look for are listed in the next section.

Patient disclosure (PHIPA s.18, CPSO Advice)

The clinic produces a six-sentence consent script the physician reads at the start of any encounter where the scribe is on. Waiting-room signage repeats it. The chart notes the patient’s decision per visit. If the patient declines, the scribe stays off. The disclosure script is harmonized with our CPSO AI disclosure guide so the physician’s and the custodian’s obligations are met with one artifact.

Audit logging (PHIPA s.10, s.13)

The vendor contract requires ten-year audit-log retention with custodian access on request. The privacy contact pulls and spot-checks logs quarterly, runs a full review annually, and files the written audit report.

Safeguards (PHIPA s.12, s.13)

Administrative: annual training, signed acknowledgements. Technical: MFA on every clinic account, encryption in transit and at rest, device management on physician laptops. Physical: locked workstations, screen privacy filters, controlled-access rooms.

The PIA template for AI scribes


The PIA is the single artifact the IPC reaches for first. Most small-clinic PIAs fail at one of three points: vague data flow, no residency confirmation, and missing audit-log specifics. The template below is what a 4-doctor FHO can complete in two afternoons. Want help structuring yours? Book a free IT assessment and we’ll share the FC PIA template.

  1. Section 1: Custodian and contact. Clinic legal name, address, lead physician, named privacy contact, date.
  2. Section 2: Purpose. One paragraph naming the AI tool, the use case, the PHIPA section relied on.
  3. Section 3: Data flow diagram. One page showing every step from microphone to EMR, with arrows labelled by data type and destination region.
  4. Section 4: Vendor profile. Name, jurisdiction of incorporation, hosting region, sub-processors named, certifications (SOC 2 Type 2, ISO 27001, ISO 27018 expected).
  5. Section 5: Contract analysis. Confirms agent designation, no training on PHI, audit-log retention, breach notification window, termination return-or-destroy clause.
  6. Section 6: Consent and disclosure. Attaches the script. Notes signage and chart-documentation protocol.
  7. Section 7: Safeguards. Lists administrative, technical, and physical controls in force.
  8. Section 8: Residual risk and acceptance. Names any residual risk the clinic accepts and the privacy contact’s sign-off.

Vendor due diligence: the 12-question intake


The vendor intake runs before the contract is signed. Three of the four Ontario FHO clinics FC reviewed in Q1 2026 had not run this intake on their AI scribe vendor; in every case the vendor had answers available on request. The gap was paperwork. The twelve questions sit in the PIA appendix and get refreshed annually.

  1. Where does the data live? Region, sub-region, and the legal entity that owns the infrastructure.
  2. What is the agent or ESP designation? Written confirmation the vendor accepts PHIPA agent or electronic service provider status.
  3. Will PHI ever leave Canada? Inference, fallback regions, model training, support, sub-processors. Each is a separate question.
  4. Will PHI be used to train models? The default answer must be no for any data identifiable as PHI.
  5. What is the breach notification window? PHIPA does not set a number of days: s.12(2) requires the custodian to notify affected individuals at the first reasonable opportunity, and an agent’s duty to report a loss, theft or unauthorized use or disclosure to the custodian is framed the same way. The contract therefore has to fix a concrete window in days so the clinic can meet its own duty, and the shorter the vendor’s window the better. The clinic’s PHIPA breach notification SOP assumes whatever window the contract sets, so the two documents must agree.
  6. What is the audit-log retention? Ten years matches PHIPA records retention; ninety days does not.
  7. Who at the vendor can access PHI? Role-based access list with named functions, not named individuals.
  8. What certifications does the vendor hold? SOC 2 Type 2, ISO 27001, ISO 27018, HITRUST where applicable.
  9. What is the termination and data-return protocol? Return or destroy within a defined window with written attestation.
  10. What sub-processors are used? Named, with the same PHIPA flowdown obligations.
  11. What happens on a CLOUD Act request? Vendor commitment to notify the custodian and challenge where lawful.
  12. What does the vendor charge for a Canadian-residency tier? Many vendors quote US-region as default; Canadian-residency is a separate SKU at a higher price.

According to Microsoft’s Canadian data residency commitments, Canada Central and Canada East are the regions Ontario clinics rely on for Microsoft-hosted AI. Vendors built on Microsoft Azure inherit these regions if the vendor has elected them. Vendors built on AWS or GCP have their own Canadian regions that the clinic must confirm in writing. The vendor sales deck is not the confirmation.

Annual audit and IPC submission readiness

The annual audit produces a one-page written report the privacy contact files. The IPC does not require submission for a routine deployment, but the audit has to be ready to produce within a reasonable time when asked. Sequence below.

  1. Refresh the PIA. Pull the existing PIA. Update the vendor list, the data-flow diagram, the residency line, the audit-log retention line, and the consent script. Signed by the privacy contact.
  2. Confirm vendor PHIPA attestation. Request a written letter from each AI scribe vendor confirming Canadian data residency, the agent-or-electronic-service-provider designation, audit-log retention, and breach notification window.
  3. Pull and review audit logs. Export the audit log for the prior twelve months. Spot-check ten visits at random. Confirm every access has a matching encounter.
  4. Review consent and disclosure records. Sample twenty patient charts. Confirm the AI consent script was offered and the decision recorded. Update the script if patient questions trended in a particular direction.
  5. Run staff training. All clinic personnel complete the annual AI/PHIPA refresher. Sign-off filed with personnel records. New hires within thirty days of start.
  6. Produce the written audit report. One-page audit summary names the date, the privacy contact, the findings, the remediation actions, and the next review date. Filed with clinic records and available to the IPC on request.
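Step 3 above is a reconciliation: every scribe access in the vendor’s export should line up with an encounter in the EMR, and the export should actually reach back twelve months. The script below is an added example of that check, not code from this page, from Fusion Computing, or from any scribe vendor. The CSV layouts, account names, patient IDs and timestamps are constructed for illustration; the 30-minute grace period around each encounter and the twelve-month review window are assumptions to adjust for your clinic.

```python
"""Reconcile an AI-scribe vendor's audit-log export against the clinic's EMR
encounter list, and check that the export actually spans the review period.

Added example: CSV layouts, accounts and patient IDs are constructed for
illustration and are not any vendor's or EMR's real export format.
"""
import csv
import io
import random
from datetime import datetime, timedelta, timezone

# Constructed vendor audit-log export (assumed layout): one row per time the
# scribe touched a patient's data, with the account that did it.
AUDIT_LOG_CSV = """timestamp,user,patient_id,action
2025-06-03T09:05:12Z,dr.chen,P10001,transcribe
2025-06-03T09:41:30Z,dr.chen,P10002,transcribe
2025-06-03T13:20:05Z,moa.patel,P10003,view_transcript
2025-06-04T08:55:00Z,dr.okafor,P10004,transcribe
2025-06-04T22:10:44Z,dr.okafor,P10004,view_transcript
2025-08-12T10:15:00Z,svc.vendor-support,P10001,export
"""

# Constructed EMR encounter report (assumed layout): who saw which patient, and when.
ENCOUNTERS_CSV = """patient_id,physician,start,end
P10001,dr.chen,2025-06-03T09:00:00Z,2025-06-03T09:30:00Z
P10002,dr.chen,2025-06-03T09:30:00Z,2025-06-03T10:00:00Z
P10003,dr.okafor,2025-06-03T13:00:00Z,2025-06-03T13:30:00Z
P10004,dr.okafor,2025-06-04T08:45:00Z,2025-06-04T09:15:00Z
"""

# Accounts the clinic issued; anything else touching PHI needs an explanation.
CLINIC_ROSTER = {"dr.chen", "dr.okafor", "moa.patel"}

# End of the twelve-month review window for this constructed run.
REVIEW_END = datetime(2025, 9, 1, tzinfo=timezone.utc)


def _ts(value):
    """Parse an ISO-8601 timestamp; the constructed export uses the trailing-Z UTC form."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_audit_log(text):
    return [{"ts": _ts(r["timestamp"]), "user": r["user"],
             "patient_id": r["patient_id"], "action": r["action"]}
            for r in csv.DictReader(io.StringIO(text))]


def parse_encounters(text):
    return [{"patient_id": r["patient_id"], "physician": r["physician"],
             "start": _ts(r["start"]), "end": _ts(r["end"])}
            for r in csv.DictReader(io.StringIO(text))]


def find_unmatched(accesses, encounters, grace=timedelta(minutes=30)):
    """Accesses with no same-patient encounter whose window contains them.
    The window is widened by `grace` (assumption: notes get finalized shortly
    after the visit) so routine follow-up edits pass while an access hours
    later, or on a day with no visit, is flagged."""
    by_patient = {}
    for enc in encounters:
        by_patient.setdefault(enc["patient_id"], []).append(enc)
    return [a for a in accesses
            if not any(e["start"] - grace <= a["ts"] <= e["end"] + grace
                       for e in by_patient.get(a["patient_id"], []))]


def find_unknown_accounts(accesses, roster=CLINIC_ROSTER):
    """Accesses made by an account the clinic never issued (e.g. vendor staff)."""
    return [a for a in accesses if a["user"] not in roster]


def coverage_gap_days(accesses, review_end=REVIEW_END, required_days=365):
    """Days at the start of the review window that the export does not cover.
    A 90-day vendor retention default shows up as a large gap here."""
    oldest = min(a["ts"] for a in accesses)
    window_start = review_end - timedelta(days=required_days)
    return max(0, (oldest - window_start).days)


def spot_check_sample(accesses, n=10, seed=2026):
    """Reproducible random sample for the manual spot-check; record the seed
    in the audit report so the same visits can be pulled again."""
    return random.Random(seed).sample(accesses, min(n, len(accesses)))


def run_review(audit_csv=AUDIT_LOG_CSV, encounters_csv=ENCOUNTERS_CSV):
    """Produce the findings the one-page audit report is written from."""
    accesses = parse_audit_log(audit_csv)
    encounters = parse_encounters(encounters_csv)
    return {"total_accesses": len(accesses),
            "unmatched": find_unmatched(accesses, encounters),
            "unknown_accounts": find_unknown_accounts(accesses),
            "coverage_gap_days": coverage_gap_days(accesses),
            "spot_check": spot_check_sample(accesses)}


if __name__ == "__main__":
    f = run_review()
    print(f"{f['total_accesses']} accesses reviewed")
    for a in f["unmatched"]:
        print(f"NO MATCHING ENCOUNTER: {a['ts'].isoformat()} {a['user']} {a['patient_id']} {a['action']}")
    for a in f["unknown_accounts"]:
        print(f"ACCOUNT NOT ON ROSTER: {a['user']} ({a['patient_id']}, {a['action']})")
    if f["coverage_gap_days"]:
        print(f"RETENTION GAP: export starts {f['coverage_gap_days']} days into the review window")
```

Run as-is and it reports the two accesses with no matching encounter (one after hours, one by a vendor support account months after the visit), the one account not on the clinic roster, and a coverage gap: against a 365-day requirement the constructed export starts 275 days late, which is what a 90-day vendor default looks like when the annual review finally runs. Point it at the real export and EMR report with the same columns, or adapt the two parse functions to the vendor’s actual layout.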

“Once we ran the IPC checklist against our actual artifacts, the gaps were embarrassingly obvious. We had the PIA, but no vendor PHIPA-attestation letter and a ninety-day audit-log clause we’d never read. The fix was a vendor email and a two-week PIA refresh. The cost of finding it was an afternoon. We file the audit annually now and the IPC submission folder is ready in a drawer.”

Dr. Erin MacIntyre, lead physician and privacy contact, MacIntyre Family Health, Etobicoke FHO (4 physicians), Q1 2026 IPC readiness audit. Used with permission.

Across our managed endpoint and compliance work with Ontario primary-care clinics, FC’s internal benchmark from Q1 2026 holds: 3 of 4 FHO clinics that applied the IPC checklist line by line closed every artifact gap inside a single afternoon plus one vendor email, without renegotiating the underlying contract. The fourth clinic needed a contract amendment because the vendor had no Canadian-residency tier on offer at the original signing.


FIELD NOTE FROM MIKE

Across the four 4-physician Ontario FHO clinics FC supported through IPC readiness audits in Q1 2026, the same gap showed up in three of them: no written vendor PHIPA-attestation letter on file. The vendors had the letter ready in every case. The clinic just hadn’t asked.

The deeper pattern is that small clinics treat the AI scribe rollout as a software purchase. It isn’t. It’s a new collection, use, and disclosure of personal health information, and PHIPA treats every one of those as a custodial decision.

The fix in each case took one email to the vendor and one update to the PIA. The cost of finding the gap was an audit. The cost of not finding it would have been an IPC inquiry with no documentation.

Do and Don’t for clinic AI compliance

Four moves to make, four to avoid. The list is short on purpose.

  • Do: Name a privacy contact and give them the authority to halt deployments.
    Don’t: Let the IT vendor make compliance calls without sign-off from the privacy contact.
  • Do: Run the 12-question vendor intake before the contract is signed.
    Don’t: Sign the vendor’s click-through SaaS terms and call it a contract.
  • Do: Document residency, retention, and the agent designation in writing.
    Don’t: Rely on a vendor sales rep’s verbal assurance that data stays in Canada.
  • Do: Run the annual audit and produce the written report.
    Don’t: Assume the PIA written at deployment is still current twelve months later.

For broader PHIPA-adjacent compliance, our PIPEDA compliance guide for Canadian small business sets the federal baseline that interacts with PHIPA where the clinic crosses jurisdictions, and our cybersecurity services deploy the technical safeguards (MFA, endpoint, encryption) that PHIPA s.12 expects.

How the IPC checklist intersects with CPSO and AI scribe vendor selection

The IPC owns PHIPA. The CPSO owns the physician’s clinical conduct, including disclosure to patients and supervision of the clinical record an AI scribe produces. A clinic complies with both, not one.

Our AI scribe vendor comparison for Ontario family doctors turns the IPC checklist into a vendor scorecard. Heidi, Tali, and Mutuo each score differently on residency, agent designation, and audit-log retention. The clinic that maps its vendor against the IPC domains before signing avoids the contract amendment scramble most clinics run six months later.

For broader clinic AI strategy, the full healthcare AI clinical-practice guide places this checklist inside the rollout sequence (policy → PIA → pilot → consent → audit → renew).

HOW THIS GUIDANCE WAS ASSEMBLED

This article draws on FC’s anonymized client data across multiple 2025-26 Ontario clinic engagements, including FHO group practices and walk-in clinic chains, plus a named-client moment with the Mississauga family-health practice whose PHIPA-grade AI scribe pilot we ran end-to-end.

It also draws on an original survey of clinic owners and office managers conducted during 2026 Q1 readiness assessments, plus an FC internal benchmark covering PHIPA breach SOP rollout, EMR integration, and AI scribe deployment across Ontario clinic clients.

Layered over all of it is first-person field observation from CEO Mike Pearlstein’s practice since 2012 supporting regulated Canadian healthcare SMBs through PHIPA-sensitive technology change.

Frequently Asked Questions

Is the IPC AI-in-Health-Care guidance a mandatory law for Ontario clinics?

The IPC AI in Health Care guidance (2024-2025) carries interpretive weight without being statutory. It interprets PHIPA, which is binding on every Ontario health information custodian. The guidance is what the IPC will measure a clinic against during a breach investigation or a privacy complaint.

A clinic that ignores the guidance and later faces a PHIPA inquiry will have to defend its choices to the same Commissioner who wrote the checklist. In practice, the guidance is treated as the operating floor.

Does a 4-doctor FHO clinic actually need a Privacy Impact Assessment for an AI scribe?

Yes. The IPC has been consistent since 2015 that a PIA is the expected practice for any new collection, use, or disclosure of personal health information, and an AI scribe is all three at once. The PIA does not have to be a hundred pages.

For a 4-doctor clinic, a ten-to-fifteen page PIA that names the vendor, the data flow, the residency, the contract clauses, the audit log, and the patient disclosure script is what the IPC expects to see if asked.

What is the lawful authority a clinic relies on when an AI scribe processes patient encounters?

Under PHIPA, the clinic is the health information custodian and the AI scribe vendor is an agent or electronic service provider acting on the custodian’s behalf. The lawful authority flows from the clinic’s collection, use, and disclosure of personal health information for the purpose of providing health care. The vendor cannot use the data for its own purposes (model training, marketing, analytics) without consent. The contract has to lock that down in writing.

Where does the AI scribe vendor have to store the data?

PHIPA does not mandate Canadian data residency on its face, but the IPC has been clear that custodians must consider the reasonable steps required to protect PHI, including jurisdictional risk under the US CLOUD Act and equivalent foreign-access regimes. Best practice for an Ontario clinic in 2026 is Canadian residency for all PHI, written confirmation from the vendor in the contract, and a documented PIA finding that explains the residency choice.

What does CPSO require physicians to disclose to patients about AI scribes?

CPSO’s Advice to the Profession on AI in Clinical Care (2024-2025) places the disclosure obligation on the physician. Patients should be informed that an AI tool is being used, what it does, that they can decline, and that the physician remains accountable for the clinical record.

A clinic-level consent script and signage in the waiting room are the standard implementations. In the IPC checklist this disclosure is its own domain (patient disclosure and consent, the fourth row of the table above), separate from the safeguards domain, so it needs its own artifact. See our CPSO AI patient disclosure guide for the full script template.

Does the vendor have to sign a written agreement, and what must be in it?

Yes. A PHIPA-compliant vendor agreement names the vendor as the custodian’s agent or electronic service provider, restricts use of PHI to the purposes the custodian directs, requires breach notification within a defined window, mandates safeguards equivalent to PHIPA, requires return or destruction of PHI on termination, and prohibits use of PHI for model training without explicit consent. Generic SaaS terms of service do not meet that bar.

How often should the clinic audit the AI scribe?

The IPC checklist contemplates an annual audit at minimum, with an interim quarterly review of access logs and any incidents. The audit covers: data residency confirmation, vendor PHIPA attestation, audit-log retention, completed PIAs for any new use case, training completion for clinic staff, and any consent or disclosure complaints. The annual audit produces a written report filed with clinic records.

What audit-log retention period does the IPC expect?

PHIPA s.10 (information practices) and s.13 (secure retention, transfer and disposal of records) do not name a number of years, but the IPC’s electronic-records guidance contemplates audit logs being kept for the same period as the clinical record they describe. In Ontario that period comes from the CPSO’s record-retention requirement for physicians: ten years from the last entry, or, for a minor, ten years after the patient turns 18. For AI scribe audit logs specifically, the vendor contract should require ten-year minimum retention with custodian access on request. Vendors offering only ninety days of audit-log retention do not meet that expectation.

Who at the clinic owns IPC compliance for AI?

PHIPA s.15 requires a health information custodian that is not a natural person to designate a contact person responsible for facilitating compliance; a custodian who is a natural person may designate one and otherwise carries those duties personally. The role is usually called the privacy officer or privacy contact. In a 4-doctor FHO clinic it is typically held by the lead physician or the practice manager. The IPC checklist treats the named contact as the accountable owner for every domain (PIA, contracts, audit, disclosure, safeguards). A clinic without a named privacy contact fails the checklist at the first row.

What happens if a patient refuses to have the AI scribe in the room?

The patient’s refusal must be honoured and recorded. The clinic operates with the AI scribe off for that visit and documents the consent decision in the chart. The CPSO and IPC both treat patient consent for AI use as separate from consent for the clinical encounter itself. A clinic that quietly leaves the scribe running after a patient declines is in breach of both CPSO standards and PHIPA’s consent provisions.

Do the IPC and CPSO requirements differ, and which one controls?

They overlap heavily but the test is different. The IPC enforces PHIPA, which is about how PHI is collected, used, and disclosed. The CPSO enforces medical standards, which include disclosure to patients and physician accountability. A clinic has to comply with both. In a complaint that triggers both bodies, the physician owns the CPSO side and the custodian owns the PHIPA side, even though they are often the same person in a small clinic.

Does the IPC require the clinic to submit the PIA to the Commissioner?

Not for a routine deployment. The IPC expects the PIA to be available on request and to be filed with clinic records. Submission to the Commissioner becomes mandatory only in narrow situations (significant new collection at scale, certain prescribed integrations, or where the IPC has opened a file). Most 4-doctor FHO clinics will never submit a PIA, but every clinic must be able to produce one within a reasonable time when asked.

Bottom line

The IPC AI-in-Health-Care checklist looks heavy from a hospital’s vantage point and reasonable from a clinic’s. Six domains. Six artifacts. One privacy contact who owns the file. A 4-doctor FHO can produce the PIA, the vendor letter, the consent script, the audit log review, and the annual audit report in two afternoons of focused work and an hour a quarter after that.

The clinics that get blindsided in an IPC inquiry are not the clinics with bad technology. They’re the clinics with no documentation. Build the checklist before the deployment goes live, refresh it annually, and the inquiry becomes a paper exercise instead of a remediation project. The full deployment hierarchy underneath the checklist lives in the full healthcare AI clinical-practice guide.

Fusion Computing has provided managed IT, cybersecurity, and AI consulting to Canadian businesses since 2012. Led by a CISSP-certified team, Fusion supports organizations with 10 to 150 employees from Toronto, Hamilton, and Metro Vancouver.

93% of issues resolved on the first call. Named one of Canada’s 50 Best Managed IT Companies two years running.

100 King Street West, Suite 5700
Toronto, ON M5X 1C7
(416) 566-2845
1 888 541 1611