On January 28, the Information and Privacy Commissioner of Ontario (OIPC) published guidance aimed at the responsible development, procurement, and use of AI scribes in the healthcare sector. This move underscores the increasing integration of AI transcription tools within healthcare settings, while emphasizing the importance of maintaining privacy, security, and human rights standards as mandated by the Personal Health Information Protection Act, 2004 (PHIPA).
This guidance arrives in tandem with similar recommendations recently issued by the Office of the Information and Privacy Commissioner for British Columbia (BC-IPC), signaling a growing regulatory focus on the accountability of AI technologies in healthcare. However, key differences in privacy legislation between Ontario and British Columbia lead to distinct approaches from the two offices. Ontario’s PHIPA encompasses all “health information custodians,” while BC’s regulations differentiate between public and private healthcare organizations, thereby shaping the applicability of each set of guidelines.
Ontario’s guidance extends to all health information custodians, while BC’s applies solely to private healthcare providers. Furthermore, the OIPC’s document addresses the entire lifecycle of AI scribes, outlining obligations for developers, procurers, and users, whereas the BC-IPC guidance is primarily geared toward assisting private providers in compliance with the Personal Information Protection Act (PIPA).
AI scribes utilize generative artificial intelligence, speech recognition, and natural language processing to transcribe healthcare visits and create clinical notes, summaries, and related documentation. Their adoption is growing rapidly in Ontario, with the aim of alleviating administrative burdens on healthcare practitioners. However, while early results show potential efficiency improvements, the deployment of AI scribe tools raises new concerns regarding data privacy, security, and clinical accuracy, which custodians must navigate.
The OIPC’s guidance specifically addresses privacy-related issues emerging from the use of AI scribes for transcription and documentation. It aligns with six core principles for responsible AI use established by the OIPC in conjunction with the Ontario Human Rights Commission: validity and reliability, safety, privacy protection, affirmation of human rights, transparency, and accountability.
Health information custodians bear ultimate responsibility for the personal health information they manage, and their obligations under PHIPA remain in effect when utilizing AI systems such as scribes. To ensure compliance, the OIPC recommends establishing a robust governance and accountability framework tailored for AI scribe use. This framework should integrate into existing governance structures and include elements such as an AI governance committee, adherence to data minimization principles, and the execution of privacy impact assessments prior to the deployment of AI scribes.
Moreover, custodians are encouraged to maintain thorough written policies and procedures that reflect legal changes, provide training for human oversight of AI outputs, and establish clear channels for responding to patient inquiries regarding AI systems. The guidance emphasizes the necessity for accuracy and human oversight, particularly given the heightened risks associated with common AI inaccuracies that could adversely affect patient care.
Custodians may either develop or procure AI scribe systems, each approach carrying its own set of risks. In-house development requires ensuring the system is safe, trained on lawful data, and includes safeguards against bias and cybersecurity threats. Meanwhile, when procuring AI scribes from third-party vendors, custodians must conduct diligent assessments to confirm that vendors meet necessary obligations regarding data use, training practices, and incident reporting.
To fulfill their obligations under PHIPA, custodians should negotiate robust contractual protections with vendors, covering access to personal health information, data retention and destruction practices, subcontractor controls, and breach notification commitments. As the technology surrounding AI scribes evolves, custodians should anticipate increased regulatory scrutiny regarding governance, transparency, and human oversight in their operations.
Moving forward, healthcare organizations will need to stay abreast of legal and regulatory developments, ensuring that their internal frameworks are continually updated. The challenge will be to foster innovation and efficiency while upholding compliance with PHIPA and safeguarding human rights. The implications of these guidelines are profound, impacting the intersection of healthcare and technology as AI tools become more integrated into clinical practices.
The authors express gratitude to Sulayman Syed, articling student, for his contributions to this legal update.