As artificial intelligence (AI) tools for notetaking and transcription services continue to gain traction in healthcare, regulatory bodies across Canada are proactively addressing their implications. Provincial data protection authorities (DPAs) are establishing guidelines to govern the use of transcription tools, ensuring patient privacy and data protection in medical settings.
The advantages of AI transcription in healthcare are substantial. A trial program conducted by OntarioMD involving 150 physicians suggests that AI notetaking tools, often referred to as “scribes,” could save clinicians more than 10 hours each week. Despite these efficiencies, improper deployment of such tools could lead to significant risks to patients’ sensitive information.
At the IAPP Canada Symposium 2026, representatives from DPAs in British Columbia, Ontario, and Newfoundland and Labrador detailed their guidelines, highlighting how variations in laws affect the protection of sensitive health data across different provinces.
Where Regulators Landed on Guidance
The Office of the Information and Privacy Commissioner of Ontario was the first to publish its AI scribe guidance, which is relevant for both AI developers and healthcare providers looking to implement AI scribes. IPC Senior Health Policy Advisor Nicole Minutti emphasized that Ontario’s guidance centers on the core function of AI scribes, which is primarily their role in transcribing clinicians’ patient notes.
Minutti also noted that the guidance aims to accommodate potential advancements in AI technology that could expand its applications in clinical settings. AI tools might evolve to handle tasks such as making patient e-referrals, suggesting lab tests, and providing wider “clinical and decision support.”
“While we remain aware of these future possibilities, we had to concentrate our guidance on the primary functionalities,” Minutti remarked. “Whenever feasible, we addressed emerging concerns within our framework concerning these broader capabilities.”
In British Columbia, the Office of the Information and Privacy Commissioner introduced its own AI scribe guidance in January. IPC Policy Analyst Sarah McIntosh explained that British Columbia’s guidance focuses on assisting organizations in ensuring their AI scribes comply with the provincial Personal Information Protection Act.
“While there are many critical factors to consider with these tools, including human rights and equity, our goal was to strictly provide clarity on privacy and access oversight,” McIntosh stated. “We intend to promote the use of these tools while ensuring compliance with the law, thus fostering trust among individuals whose information is being collected.”
The Office of the Information and Privacy Commissioner of Newfoundland and Labrador released its guidance following Ontario and British Columbia, utilizing their frameworks to inform its recommendations. IPC NL Access and Privacy Analyst J. Ruth Marks acknowledged that while the IPC NL lacks formal “order-making” authority, it is responsible for enforcing the provincial health information privacy law, the Personal Health Information Act (PHIA).
The IPC NL’s guidance particularly emphasizes the relationship between data custodians and information managers utilizing AI scribe services.
“According to PHIA, specific agreements are required when engaging the services of an information manager. We also explored unique relationships that custodians might have with their AI vendors,” Marks explained. “Encouraging custodians to consider their relationship with vendors ties back to patient consent. If a custodian designates their AI vendor as an agent or an information manager, expressed consent may not be necessary, but informed consent, even if implicit, is still required.”
Statutory Lines
Provinces such as Newfoundland and Labrador and Ontario have laws specific to healthcare information, whereas British Columbia treats sensitive health data under its private sector privacy law, without specific healthcare legislation.
Ontario’s Minutti remarked that enforcement powers among provincial DPAs vary in their ability to issue corrective orders and recommendations. Despite differences in authority, a “fragmented network of instruments” has emerged, regulating AI integration into the healthcare sector. These regulations range from federal privacy laws to provincial statutes and tribunal decisions.
“The healthcare sector’s engagement with AI is often perceived as lacking regulation, but it is, in fact, highly governed,” Minutti stated. “We must better discuss the various regulatory overlaps in this context.”
McIntosh noted that without a dedicated healthcare information law in British Columbia, most primary care clinics fall under the PIPA, while public entities like hospitals operate under the Freedom of Information and Protection of Privacy Act. This lack of cohesive legislation complicates how AI scribes can be integrated into healthcare settings.
“The fragmented system in our province, which applies different privacy and access frameworks depending on the clinical environment, is less than ideal for the healthcare sector,” McIntosh said.
She emphasized that if lawmakers in the province pursue a health information bill unifying these frameworks, it would offer an opportunity to create a modern regulatory framework for AI integration in healthcare.
“Our office has advocated for a standalone health information law for over a decade because consistent accountability, clearance, and permissions, as well as interoperability of health information, is crucial,” McIntosh concluded. “Lawmakers have the chance to lead by creating updated legislation that not only unifies all stakeholders under one law but also adapts to the current needs of health information management, including AI.”
