PHIPA Compliance for Canadian Dental Practices — A 2026 Checklist
PHIPA isn't a checkbox — it's a posture. Here's the practical 2026 checklist Canadian dental practices can apply to charts, imaging, and AI scribes.
What PHIPA actually says (in plain English)
The Personal Health Information Protection Act, 2004 (PHIPA) governs how personal health information (PHI) is collected, used, and disclosed in Ontario. Dentists are explicitly named as Health Information Custodians (HICs) under section 3(1). That means the legal accountability for every patient record, radiograph, perio chart, and chairside conversation that gets transcribed sits with the dentist — not the vendor, not the cloud provider, not the AI model.
PHIPA is principle-based rather than prescriptive. It does not list "use a specific encryption algorithm" or "host in Toronto." Instead it requires you to take reasonable steps to: limit collection to what's necessary, secure the information against theft and unauthorized access, log accesses, obtain consent (express or implied depending on context), and retain or destroy records appropriately. The Information and Privacy Commissioner of Ontario (IPC) enforces it, and its guidance documents are where most of the practical detail lives.
Outside Ontario, similar laws apply — PIPA in British Columbia and Alberta, the Personal Health Information Act in Manitoba and New Brunswick, and PIPEDA federally for inter-provincial work. PHIPA is the strictest of the bunch for dental practices, so meeting PHIPA generally satisfies the others.
The 2026 dental-practice checklist
Use this as a self-audit you can complete in an afternoon. If a vendor or platform handles any of these on your behalf, get the answer in writing — not on a sales call.
- Data residency: every system that touches PHI (practice management, imaging, AI scribe, backups) processes and stores data in Canada. If a vendor uses sub-processors, they are named and Canadian-resident.
- Encryption: at rest (minimum AES-256) and in transit (TLS 1.2 or higher) — for charts, radiographs, and any AI-generated text.
- Access controls: role-based, with unique logins per staff member and mandatory MFA on anything reachable from the open internet.
- Audit logs: every access to a patient record is logged with user, timestamp, and action. Logs are retained for at least the same period as the underlying chart.
- Consent: documented, plain-language consent at intake for digital radiography, AI-assisted documentation, and any data sharing. Consent is revocable; revocation is logged and acted on within a reasonable timeframe.
- Retention: charts are retained for 10 years post-last-visit (RCDSO guidance for Ontario dentists), and destroyed securely after. AI metadata is retained alongside the chart for traceability.
- Vendor agreements: every PHI-touching vendor signs a PHIPA-aligned agreement that defines purpose, sub-processors, breach notification timelines, and a zero-training clause.
- Breach response: a written plan exists, the practice principal can execute it, and the IPC contact path is documented.
Where AI scribes complicate the picture
An AI scribe records the chairside conversation, transcribes it, and writes a structured note. Three PHIPA-relevant questions appear the moment you turn one on: where does the audio go, who can read it, and is it used to train a model.
Audio routing matters because the recording itself is PHI the second it captures a patient's voice and clinical context. If the vendor streams audio to a US-based transcription service, you've effectively disclosed PHI to a US sub-processor — which is permissible under PHIPA only with appropriate safeguards and (usually) explicit consent. Practices that want to stay on the safe side of the IPC's published guidance keep audio entirely in Canada.
Model training is the silent risk. Many AI vendors reserve the right to use customer data to improve their models. For a dental practice that is a problem: clinical conversations could end up in a training set that powers a product sold to your competitors, or worse, leak verbatim back to another user via prompt injection. A zero-training contractual clause is the only durable fix.
What "PHIPA-aligned" should mean from a vendor
"PHIPA-aligned" is marketing language unless it's backed by specific commitments. The minimum bar in 2026:
- Canadian data residency (provable — region name, sub-processor list).
- Encryption in transit and at rest with current standards.
- Zero-training policy in the contract, not just on the website.
- Per-practice audit logs you can export.
- Named breach notification timelines (24–72 hours is the modern standard).
- Right to delete on contract termination, with timeline and method specified.
- A privacy/security contact who responds to PHIPA questions within one business day.
Putting it together — a practical 30-day rollout
If your practice is starting from scratch, you don't have to boil the ocean. A pragmatic 30-day plan: Week 1 — inventory every system that touches PHI and map where data physically lives. Week 2 — pull vendor contracts, flag missing PHIPA clauses, and start the renegotiation. Week 3 — turn on MFA everywhere, audit user accounts, and prune anyone who shouldn't have access. Week 4 — document the breach response plan and run a tabletop exercise.
After that, PHIPA compliance becomes a quarterly review rather than a project. Nurvivo Dental ships with the contractual and infrastructure pieces in place (Canadian residency on AWS Toronto, AES-256, audit logs, zero-training) so the practice's residual work is mostly process: consent, training, and the breach plan.
Frequently asked questions
Does PHIPA require dental practices to host patient data in Canada?+
PHIPA does not explicitly prohibit storing PHI outside Canada, but the IPC of Ontario has consistently advised that custodians who allow PHI to leave the country must demonstrate the safeguards are equivalent and that they have notified patients. In practice, the cleanest path for a Canadian dental practice is to choose vendors that host data in Canada — it removes the analysis entirely.
Is implied consent enough for AI-assisted dental scribing?+
Implied consent under PHIPA covers PHI use within the circle of care for the purpose of providing health care. AI scribing for the purpose of documenting a visit usually fits, but any secondary use — training models, analytics for the vendor, sharing with marketing — requires express consent. Best practice is to add one explicit line to your intake consent covering AI-assisted documentation.
What are the penalties for a PHIPA breach?+
Individual offenders can face fines up to CAD 200,000 and up to a year imprisonment; corporations face fines up to CAD 1,000,000. The bigger cost in practice is the IPC investigation, the mandatory patient notification, and the reputational impact on the practice.
How does PHIPA differ from HIPAA?+
HIPAA is US federal law focused on covered entities and business associates with detailed prescriptive rules. PHIPA is Ontario provincial law that is more principles-based and places stronger emphasis on consent and the role of the custodian. A vendor that is HIPAA-compliant is not automatically PHIPA-compliant — different consent rules, different residency considerations, and different breach notification timelines.
Does Nurvivo Dental satisfy PHIPA for a Canadian dental practice?+
Nurvivo Dental is PHIPA-aligned out of the box: Canadian data residency in AWS Toronto, AES-256 at rest, TLS 1.2+ in transit, full per-practice audit logs, a contractual zero-training policy, and named breach notification timelines. The remaining PHIPA work for any practice is process-side — consent flow, role assignments, and the breach response plan — which we provide templates for.
See Nurvivo Dental in your practice
Founding-member pricing — CAD 29/month, locked for life. Limited to the first 100 Canadian practices.
Join the waitlist →