Compliance Overview¶
Canadian Healthcare Privacy Regulatory Landscape
Regulatory Framework¶
VitaraVox operates in the Canadian healthcare sector, which is governed by overlapping federal and provincial privacy legislation.
Federal¶
| Legislation | Scope | Key Requirements |
|---|---|---|
| PIPEDA | Private-sector organizations engaged in commercial activity (where no substantially similar provincial law applies) | Consent, purpose limitation, safeguards, breach reporting |
Provincial (Healthcare-Specific)¶
| Province | Legislation | Key Differences |
|---|---|---|
| Ontario | PHIPA | Health Information Custodian model |
| British Columbia | PIPA + E-Health Act | Consent emphasis |
| Alberta | HIA | Custodian model similar to Ontario |
| Quebec | Law 25 (Bill 64) | Stricter consent; privacy impact assessment required before transferring personal information outside Quebec |
Industry Standards¶
| Standard | Purpose | Status |
|---|---|---|
| SOC 2 Type II | Trust services | Recommended for enterprise |
| ISO 27001 | Information security | Optional |
| HIPAA | US healthcare | Not applicable in Canada; HIPAA controls at a sub-processor are supporting evidence, not a compliance basis |
VitaraVox Data Processing Activities¶
What We Process¶
| Activity | Data Types | Legal Basis |
|---|---|---|
| Patient lookup | Name, DOB, phone | Implied consent (scheduling) |
| Appointment booking | Patient ID, provider, time | Implied consent (healthcare) |
| Registration | Demographics, PHN (personal health number) | Explicit consent |
| Waitlist | Name, phone | Explicit consent |
| Call analytics | Metadata only (no PHI) | Implied consent for a reasonable business purpose ("legitimate interest" is a GDPR concept with no PIPEDA equivalent) |
What We Store¶
| Location | Data | Retention |
|---|---|---|
| Vitara DB | Clinic config | Permanent |
| Vitara DB | Call metadata | 1 year |
| Vitara DB | Waitlist | Until registered |
| Vitara DB | Audit logs | 7 years |
| Vapi | Call recordings (voice audio contains PHI) | 30 days (configurable); stored in the US |
| OSCAR | All PHI | Clinic responsibility |
What We Don't Store¶
- Patient names (in logs)
- Medical records
- Clinical notes
- Lab results
- Prescriptions
Role Classification¶
VitaraVox as Processor¶
Under PHIPA, VitaraVox acts as an agent of the health information custodian (the clinic); under PIPEDA the clinic remains the accountable organization and VitaraVox is its service provider. In controller/processor terms:
| Role | Entity | Responsibilities |
|---|---|---|
| Controller/Custodian | Medical Clinic | Consent, purpose, patient rights |
| Processor/Agent | VitaraVox | Security, confidentiality, limited use |
| Sub-processor | Vapi.ai | Call handling, same obligations |
Implications¶
- Clinic remains accountable for patient data
- VitaraVox must process only as instructed
- Written service (agent) agreement required between clinic and VitaraVox, the PHIPA/PIPEDA analogue of a HIPAA Business Associate Agreement, covering permitted uses, safeguards and breach reporting to the clinic
- Sub-processor disclosures required (Vapi, cloud providers)
Consent Framework¶
Implied Consent (Scheduling)¶
When a patient calls to book an appointment, consent is implied for:
- Verifying identity
- Accessing appointment schedule
- Creating/modifying appointments
- Providing appointment confirmations
Basis: implied consent for collection and use for the purpose of providing health care (PHIPA's circle-of-care model; PIPEDA permits implied consent where the purpose is obvious to the individual). The implied consent covers scheduling only, not secondary uses of identifiable data.
Explicit Consent (Registration)¶
New patient registration requires explicit verbal consent for:
- Collecting personal health information
- Creating record in OSCAR EMR
- Storing contact information
Voice Agent Script:
"I'll collect some information to register you as a new patient. This will be stored in the clinic's medical records system. Do you consent to proceed?"
Withdrawal of Consent¶
Patients may withdraw consent by:
- Requesting transfer to staff
- Stating "I don't want to provide that"
- Hanging up
System Response: record only that the interaction ended without completion (call metadata, no collected PHI), discard any partially collected registration fields, and write nothing to OSCAR.
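The two behaviours above (metadata-only call logs, and withdrawal discarding partial data) are easy to state and easy to get wrong in code. The following is an added example, not VitaraVox's own code: an allowlist decides which call-event fields may be persisted, a regex scrub is a backstop for free-text fields, and a registration session holds collected fields in memory only, refusing to hand them on without recorded consent. The field names, scrub patterns and sample event are assumptions for this example.

```python
"""PHI-minimised call logging and consent-withdrawal handling.

Added example, not VitaraVox code. Field names, patterns and the sample
event are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass, field

# Only these keys may reach the 1-year call-metadata table (assumed schema).
ALLOWED_METADATA_FIELDS = frozenset({
    "call_id", "clinic_id", "started_at", "duration_s",
    "intent", "outcome", "transferred_to_staff",
})

# Backstop for free-text values such as an outcome note. Order matters:
# the phone pattern requires separators, so a bare 10-digit health number
# falls through to the PHN pattern. Patterns are assumptions; tune them to
# the formats the agent actually emits.
_SCRUBBERS = (
    (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DOB]"),
    (re.compile(r"\b\d{9,10}\b"), "[PHN]"),
)


def scrub(text: str) -> str:
    """Replace phone numbers, ISO dates and health-number-length digit runs."""
    for pattern, token in _SCRUBBERS:
        text = pattern.sub(token, text)
    return text


def build_call_metadata(raw_event: dict) -> dict:
    """Reduce a raw call event to the persistable metadata record.

    Keys outside the allowlist (patient_name, dob, phn, transcript, ...) are
    dropped rather than masked, so an upstream schema change cannot leak PHI.
    """
    record = {}
    for key, value in raw_event.items():
        if key not in ALLOWED_METADATA_FIELDS:
            continue
        record[key] = scrub(value) if isinstance(value, str) else value
    return record


@dataclass
class RegistrationSession:
    """In-memory holder for fields collected during new-patient registration.

    Nothing is written to the database or to OSCAR until complete() is
    called with consent recorded; abandon() discards the fields.
    """
    call_id: str
    clinic_id: str
    consented: bool = False
    collected: dict = field(default_factory=dict)

    def collect(self, name: str, value: str) -> None:
        self.collected[name] = value

    def abandon(self, reason: str) -> dict:
        """Patient withdrew (declined a field, asked for staff, hung up)."""
        discarded = len(self.collected)
        self.collected.clear()
        # The returned record carries no PHI and is safe for the audit log.
        return {
            "call_id": self.call_id,
            "clinic_id": self.clinic_id,
            "outcome": "registration_abandoned",
            "reason": reason,
            "fields_discarded": discarded,
        }

    def complete(self) -> dict:
        """Return the fields to hand to the EMR; refuses without consent."""
        if not self.consented:
            raise PermissionError("explicit consent not recorded; refusing to persist")
        return dict(self.collected)


# Constructed sample event (not real data) mixing metadata with PHI fields.
SAMPLE_RAW_EVENT = {
    "call_id": "call-0001",
    "clinic_id": "clinic-07",
    "duration_s": 84,
    "intent": "book_appointment",
    "outcome": "booked; callback 416-555-0199, PHN 1234567890, DOB 1980-02-14",
    "patient_name": "Jane Roe",
    "dob": "1980-02-14",
    "phn": "1234567890",
}

if __name__ == "__main__":
    print(build_call_metadata(SAMPLE_RAW_EVENT))
    session = RegistrationSession("call-0002", "clinic-07")
    session.collect("name", "Jane Roe")
    session.collect("phn", "9876543210")
    print(session.abandon("patient_declined_field"))
```

The allowlist, not the scrubber, is the real control: the scrubber only catches identifiers that leaked into a field that is legitimately logged, and it will miss names and anything in an unexpected format. Review the allowlist whenever the call-event schema changes.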
Cross-Border Considerations¶
Data Residency¶
| Component | Location | Cross-Border? |
|---|---|---|
| Vitara DB | Canada (OCI Toronto) | No |
| OSCAR EMR | Clinic-controlled | Clinic decision |
| Vapi AI | United States | Yes |
| Cloudflare | Global edge | Yes (the reverse proxy terminates TLS at the edge, so request bodies are visible there in transit; nothing is stored at rest) |
Vapi Cross-Border¶
Vapi.ai processes voice data in the United States. This requires:
- Disclosure in privacy policy
- Comparable protection (contractual and technical safeguards at Vapi; Vapi's HIPAA compliance is supporting evidence, not a substitute for PIPEDA/PHIPA obligations)
- Contractual safeguards (written agreement with Vapi, e.g. its BAA, extended to cover the PIPEDA/PHIPA obligations flowed down from the clinic, including breach reporting)
Recommendation: disclose US processing of voice data in the clinic privacy notice and in the sub-processor list
Breach Notification¶
PIPEDA Requirements¶
| Threshold | Action | Timeline |
|---|---|---|
| Real risk of significant harm | Report to Privacy Commissioner | As soon as feasible |
| Real risk of significant harm | Notify affected individuals | As soon as feasible |
| Real risk of significant harm | Notify other organizations or government bodies that may reduce the harm | As soon as feasible |
| Any breach | Document internally | Immediately; records must be kept for at least 24 months (Breach of Security Safeguards Regulations) |
PHIPA Requirements (Ontario)¶
| Threshold | Action | Timeline |
|---|---|---|
| Theft, loss, unauthorized use or disclosure | Notify affected individuals | At first reasonable opportunity |
| Prescribed circumstances (e.g. theft, significant or repeated breaches) | Report to IPC | At first reasonable opportunity |
| All breaches | Annual statistical report to IPC (submitted by the custodian) | Annually |
Breach Response Procedure¶
1. Detection
   - Monitoring alert
   - User report
   - Audit finding
2. Containment (immediate)
   - Isolate affected systems
   - Revoke compromised credentials
   - Preserve evidence (logs, snapshots) before remediation changes it
3. Assessment (within 24 hours)
   - Determine scope
   - Identify affected data and whether PHI is involved
   - Assess real risk of significant harm (this drives the notification decision)
4. Notification (if required)
   - Privacy Commissioner / IPC
   - Affected individuals
   - Affected clinics (as custodians, they remain accountable for the patient-facing notification)
5. Remediation
   - Fix root cause
   - Update controls
   - Document lessons learned
Documentation Requirements¶
Required Documents¶
| Document | Purpose | Status |
|---|---|---|
| Privacy Policy | Public disclosure | ⚠️ Needs update |
| Business Associate Agreement | Clinic-Vitara relationship | ⚠️ Template needed |
| Sub-processor List | Transparency | ✅ Documented |
| Data Retention Policy | Compliance | ⚠️ Needs formalization |
| Breach Response Plan | Incident handling | ✅ Documented |
| Security Policies | Control framework | ⚠️ Needs formalization |
Audit Trail Requirements¶
| Event | Logged? | Retention |
|---|---|---|
| API calls | Yes (metadata) | 1 year |
| Authentication | Yes | 7 years |
| Admin actions | Yes | 7 years |
| Patient data access | Via OSCAR | Clinic responsibility |
| Configuration changes | Yes | 7 years |