AI Scribe Compliance: What Ontario’s New Rules Mean

Did your AI scribe vendor send you a compliance update this quarter? If the answer is no, that should concern you.

Over the past several months, Canadian regulators and professional bodies have released specific guidance on how AI scribes should be used in clinical settings. On January 28, 2026, British Columbia’s Office of the Information and Privacy Commissioner (OIPC) published a relevant framework addressing AI scribes under the Personal Information Protection Act (PIPA). Ontario’s Information and Privacy Commissioner (IPC) has also addressed expectations around AI and health privacy under the Personal Health Information Protection Act (PHIPA). The message across both jurisdictions is consistent: AI scribes can reduce administrative burden significantly, but only if the privacy framework around them is built correctly from the start.

For family physicians already using an AI scribe, or considering one, this is the moment to pressure-test your setup. Not because AI documentation tools are inherently risky, but because the regulatory expectations are becoming more explicit. Vague compliance claims no longer hold up.

What the New Guidelines Actually Require

Let’s start with what regulators have published. Ontario’s IPC has addressed obligations under the Personal Health Information Protection Act (PHIPA) as they relate to AI tools processing patient health information. Under PHIPA, any tool that processes personal health information in the course of clinical documentation must operate within the framework established for health information custodians, which in most family practices means the physician. Physicians should ensure they have appropriate agreements with vendors, clearly defined purposes for data use, and the ability to demonstrate what happened to patient data and when.

Physicians should also be aware that existing professional obligations apply to AI-assisted documentation. Physicians remain accountable for the accuracy and completeness of any documentation generated by an AI tool. That includes reviewing and approving every note before it enters the medical record. Patients should be informed when AI is being used to record or transcribe clinical encounters, and practices should have a clear process for obtaining and documenting consent.

BC’s OIPC published guidance on January 28, 2026, addressing how private-sector healthcare organizations using AI scribes should comply with PIPA. While the legislative details differ across jurisdictions, the principles converge: informed consent, physician oversight, and appropriate safeguards for personal information.

None of this is optional. And none of it is satisfied by a checkbox on a vendor’s marketing page that says “PHIPA compliant.” That phrase, on its own, means very little.

Where Practices Are Most Exposed

The compliance gaps we see most often aren’t dramatic. They’re quiet. A scribe tool that routes audio through a US-based server for processing. A consent workflow that was set up once and never revisited. A vendor agreement that doesn’t specify data retention or deletion obligations.

Here’s a practical example. A family physician in the Golden Horseshoe started using an AI scribe last year and saw real time savings. The documentation quality was good. But when we looked at the vendor’s data processing agreement, there was no mention of PHIPA obligations, no Canadian-hosted infrastructure guarantee, and no audit trail accessible to the physician. The tool worked well clinically. It just wasn’t built to meet the regulatory requirements that now apply.

That gap matters more than it used to. With regulators now publishing explicit guidance on AI scribes, the expectation is that custodians can demonstrate compliance, not just assert it. If a privacy breach occurs and the physician cannot produce evidence of a proper vendor agreement, consent records, and audit logs, the liability falls squarely on them.

The Consent Question

Patient consent for AI-assisted documentation is one of the areas where regulatory expectations are most direct. Patients need to know that a recording is happening, that AI is processing it, and what happens to that data afterward. This isn’t a one-time disclosure buried in an intake form. It needs to be part of the clinical encounter in a way that gives patients a meaningful opportunity to ask questions or decline.

Some practices have handled this well by integrating a brief verbal consent step at the start of each visit. Others are still relying on signage in the waiting room, which likely falls short of what regulators and professional colleges expect.

What This Means for the Work Around the Note

We want to be clear about something. AI scribes solve a real problem. Clinical documentation is one of the biggest contributors to the administrative burden that Ontario family physicians face every week. Tools that reduce that burden and return time to patient care are valuable.

But the scribe handles the note. It doesn’t handle the fax that triggered the referral, the billing code that follows the visit, the requisition that needs to be routed, or the inbox triage that starts the next morning. That operational layer, the work around the note, is what OpsMed was built for.

We are not an AI scribe. We don’t compete with scribes. We handle the administrative workflows that surround clinical documentation, and we do it within a framework designed to meet PHIPA requirements from the ground up. Canadian-hosted infrastructure. No patient data used for model training. Audit logging on every action. Physician review-first on every workflow that touches fee code assignment, diagnostic code selection, or submission approval.

When regulators reference the need for custodians to maintain oversight of automated processes, that’s a design principle we already follow. It’s not something we retrofitted.

How to Audit Your Current Setup

If you’re using an AI scribe today, or evaluating one, here’s a practical checklist drawn from current provincial privacy expectations:

• Vendor agreement: Does it clearly establish the vendor’s privacy obligations? Does it define permitted uses, retention periods, and breach notification obligations?
• Data residency: Is all processing and storage happening on Canadian-hosted infrastructure? Can the vendor confirm this in writing?
• Consent workflow: Are patients informed at each visit that AI is being used? Is there a documented process for patients who decline?
• Audit logging: Can you access a record of what data was processed, when, and by which system component?
• Physician review: Is there a clear human-in-the-loop step before any AI-generated content enters the medical record?

If you can’t answer yes to all five, you have a compliance gap. That doesn’t mean you need to stop using the tool tomorrow. It means you need to close the gap before it becomes a liability issue.

The Financial Dimension

There’s a financial dimension here too. As compensation models for family physicians continue to evolve, recovered administrative time has real value. Every hour your scribe saves you matters, but only if the tool generating those savings doesn’t expose you to regulatory risk that could cost far more. The OntarioMD study found AI scribes save doctors 3-4 hours per week — see our post on how AI scribes are saving Ontario doctors.

Compliance isn’t a drag on efficiency. It’s what makes efficiency sustainable. For the complete PHIPA compliance framework including breach notification and audit requirements, see our PHIPA Compliance Guide.

A Conversation Worth Having

Jason, who brings the frontline clinical perspective to our team, often says that most physicians aren’t resistant to technology. They’re resistant to adopting something that creates a new problem while solving an old one. The emerging provincial guidelines exist precisely to prevent that outcome. To see how each VOR-qualified AI scribe handles these compliance requirements, see our AI Scribes Buyer’s Guide.

If you want to walk through how your current documentation and operational workflows measure up against the latest regulatory expectations, we’re happy to do that. No pitch, just a workflow walkthrough that gives you a clear picture of where you stand.

Book a workflow walkthrough and we’ll map it out together.

Explore our clinic automation services or book a free check-up.