Canadian Healthcare Compliance
VitaraVox Enterprise Readiness Analysis
Date: February 17, 2026 | Updated: 2026-03-09 (v4.3.0 SMS Consent)
Agent: Canadian Healthcare Regulatory Compliance Analyst
Canadian Healthcare AI Voice Agent Compliance Report (2025-2026)
This report covers the regulatory, legal, and standards landscape for deploying AI voice agents in Canadian healthcare. All findings are based on publicly available sources as of February 2026.
1. PHIPA (Ontario) -- Personal Health Information Protection Act
PHIPA governs the collection, use, and disclosure of personal health information (PHI) by "health information custodians" (physicians, hospitals, pharmacies, labs) and their "agents" (including SaaS vendors).
Key requirements for AI voice systems:
- Agent accountability: Any vendor processing PHI on behalf of a custodian is an "agent" under PHIPA. Custodians must have written agreements, training programs, and oversight mechanisms in place before granting agent access to PHI.
- Consent and purpose limitation: Collection, use, and disclosure must align with the individual's consent and specified purposes. Secondary uses (e.g., model training) generally require additional consent or robust de-identification.
- Data minimization: Only the minimum amount of PHI reasonably necessary for the stated purpose may be collected, used, or disclosed.
- Voice recording considerations: The IPC of Ontario has specifically flagged that voice biometrics are "virtually impossible to de-identify," and recordings may capture bystander conversations in open environments.
- No explicit data residency mandate: PHIPA does not explicitly require data to remain in Canada, but practical interpretation and contractual requirements effectively mandate Canadian storage for PHI to ensure jurisdictional protection.
Recent developments (January 2026):
- The Information and Privacy Commissioner of Ontario released guidance on AI scribes in healthcare, warning that AI scribes introduce "substantial privacy and data security risks."
- OntarioMD, the Ministry of Health, and the Canadian Medical Protective Association jointly developed a Vendor of Record (VOR) procurement program for AI scribes. As of early 2026, 18 vendors have been approved (second intake in progress). The VOR runs from April 2025 through April 2028.
Sources:
- PHIPA Compliance for AI Tools -- Ontario Healthcare Guide
- AI Scribes and Privacy Risks -- McCarthy Tetrault
- The Rise of AI Scribes -- Aird Berlis
- OntarioMD VOR Program for AI Scribes
- IPC Ontario AI Scribe Guidance (Feb 2026)
2. PIPA (British Columbia) -- Personal Information Protection Act
BC's PIPA governs private-sector organizations' handling of personal information, including healthcare providers operating outside the public system.
Key requirements:
- Consent before recording: Best practices require obtaining patient consent before recording clinical encounters, explaining the purpose, and outlining privacy and accuracy risks.
- Employee training: Organizations must train employees on how AI tools work and what data they process.
- De-identification skepticism: The BC Privacy Commissioner recommends healthcare providers "carefully review claims that an AI scribe de-identifies data." Without a standard definition of "de-identified," such data may still constitute personal information under PIPA if it can be combined with other information to identify an individual.
- Vendor data processing location: Organizations are "unlikely to meet PIPA section 34 requirements" if they use a vendor that processes or stores patients' sensitive personal information in a jurisdiction that "does not respect the rule of law, or has inadequate protections."
Recent developments (January 2026):
- The OIPC of British Columbia published "PIPA and AI scribes: best practices for healthcare organizations in BC" -- formal guidance for AI tools in clinical settings.
Sources:
- PIPA and AI Scribes: Best Practices -- OIPC BC
- AI Scribes and Privacy Risks -- McCarthy Tetrault
- Understanding PIPA -- Centraleyes
3. HIA (Alberta) -- Health Information Act
Alberta's HIA governs health information custodians and has the most prescriptive requirements for AI tools in healthcare.
Key requirements:
- Mandatory Privacy Impact Assessment (PIA): Before using any AI scribe or voice tool, custodians must submit a PIA to the Office of the Information and Privacy Commissioner (OIPC) of Alberta. This is not optional.
- No training on patient data: HIA "would likely not permit a vendor to use health information provided to it from a custodian, or that is otherwise accessible, to train the AI." This is a critical restriction for voice AI vendors.
- Recording retention: Custodians must detail how long full voice recordings will be retained and how the information will be securely deleted or destroyed at the end of its retention period.
Recent developments (September 2025):
- The OIPC Alberta published AI Scribe PIA Guidance -- a detailed document to help custodians develop privacy impact assessments specifically for AI scribe tools.
- The Alberta College of Family Physicians also published AI Scribe Guidelines.
Sources:
- AI Scribe PIA Guidance -- OIPC Alberta (Sept 2025)
- OIPC Alberta Guidance Announcement
- Alberta Health Information Act Overview
- AI Scribe Guidelines -- ACFP
4. PIPEDA -- Federal Privacy Law
PIPEDA is Canada's federal private-sector privacy law. It applies to healthcare AI where provincial legislation does not provide "substantially similar" coverage.
Key requirements:
- Consent: Meaningful consent is required for collection, use, and disclosure of personal information. For AI systems, this includes transparency about how data is processed by algorithms.
- Accountability: Organizations must designate a privacy officer and implement policies and practices to give effect to privacy principles.
- Violations: PIPEDA violations carry fines up to C$100,000, extending to AI systems that misuse or improperly collect data.
- Biometrics guidance (2025): The OPC released updated guidance on biometrics, AI-related data use, and consent, emphasizing necessity, proportionality, and transparency.
Current status:
- PIPEDA still operates as written in 2000, with no AI-specific amendments.
- The OPC published "A Regulatory Framework for AI: Recommendations for PIPEDA Reform" recommending stronger accountability, explicit rules for automated decision-making, and rights for individuals to challenge AI-driven decisions.
- A new federal private-sector privacy statute is expected to be introduced in late 2025 or early 2026, with privacy-based AI regulation rather than standalone AI legislation.
- As of December 2025, the Privacy Commissioner launched a consultation on modernizing PIPEDA guidance, open until March 2026.
Provincial applicability map:
| Province | Primary Law | PIPEDA Applies? |
|---|---|---|
| Ontario | PHIPA (health) | No (substantially similar) |
| BC | PIPA | No (substantially similar) |
| Alberta | HIA (health) / PIPA (private) | No (substantially similar) |
| Quebec | Law 25 / Law 5 (health) | No (substantially similar) |
| Manitoba, Saskatchewan, PEI | Provincial + Federal | Yes (dual compliance) |
| NB, NL, NS | Provincial health laws | Partially |
Sources:
- Canada's 2026 Privacy Priorities -- Osler
- AI Regulation in Canada 2025 -- Xenoss
- Guide to Healthcare AI 2025 -- Gowling WLG
- OPC Regulatory Framework for AI
5. Canada Health Infoway -- Interoperability Standards
Canada Health Infoway and CIHI are building the national interoperability framework for Canadian healthcare.
Current standards and specifications:
- CA Core+: Translates the Pan-Canadian Health Data Content Framework requirements to FHIR. This is the Canadian adaptation of international FHIR standards.
- PS-CA (Pan-Canadian Patient Summary): Defines the terminology for cross-provincial, cross-language, cross-specialty health data exchange.
- CA:FeX (Pan-Canadian FHIR Exchange): Specification for FHIR-based data exchange.
- CA:eReC (Pan-Canadian eReferral/eConsult): Specification for referral workflows.
2026 initiatives:
- The 2026 Pan-Canadian Projectathon (February 24-26, 2026) is a three-day national testing event to validate and accelerate adoption of PS-CA, CA:eReC, and CA:FeX specifications.
- The Pan-Canadian Interoperability Roadmap data standards are due to be completed by 2027.
- The 2025 Vendor Innovation Program selected vendors supporting interoperability goals.
Sources:
- Canada Health Infoway Interoperability
- Digital Health Standards -- Canada Health Infoway
- 2026 Pan-Canadian Projectathon Announcement
- Connected Care for Canadians Act -- PMC
6. FHIR R4 Requirements in Canadian Healthcare
Current state:
- FHIR R4 is the de facto standard for new healthcare integrations in Canada, though no federal or provincial law explicitly mandates it with compliance deadlines or fines.
- The Canadian FHIR Registry hosts the national baseline of recommended FHIR profiles, extensions, value sets, and URIs.
- BC Core FHIR Profiles (aligned to Canadian FHIR Baseline) are defined for FHIR R4 base resources.
- The Canadian FHIR Baseline is still a continuous build at version 0.1.0 -- not yet normative.
- Oracle Health (Cerner) fully deprecated DSTU2 by December 2025, making FHIR R4 the required standard for Cerner integrations.
- AWS HealthLake launched in Canada with FHIR R4 support.
Practical implications for voice AI:
- Voice agents interacting with EMRs should use FHIR R4 APIs where available.
- OSCAR EMR uses SOAP/CXF APIs (not FHIR-native), so a translation layer is needed.
- OntarioMD EMR certification requires connectivity to provincial EHR products (OLIS, HRM) which are moving toward FHIR.
Sources:
- Canadian FHIR Registry -- Simplifier
- BC FHIR Profiles -- Province of BC
- FHIR R4 -- HL7
- AWS HealthLake in Canada
7. SOC 2 Type II -- Healthcare SaaS in Canada
Key findings:
- SOC 2 audits are voluntary in Canada -- there is no legal mandate equivalent to HIPAA. However, SOC 2 Type II has become the de facto trust signal for enterprise healthcare SaaS sales.
- For healthcare SaaS, the relevant Trust Services Criteria are:
- Security (required in all SOC 2 reports)
- Availability (critical for clinical systems)
- Confidentiality (required for PHI handling)
- Privacy (recommended for patient-facing systems)
- Processing Integrity (recommended for AI decision-making systems)
- SOC 2 Type II covers a minimum 6-month observation period of controls operating effectively.
- Canadian healthcare procurement (including the OntarioMD VOR program) increasingly lists SOC 2 Type II as a requirement or strong preference.
Practical recommendation: For a voice AI agent handling PHI, pursue SOC 2 Type II covering all five Trust Services Criteria. This positions you for both enterprise sales and regulatory comfort.
Sources:
- SOC 2 Certification in Canada -- Prowise Systems
- SOC 2 Compliance -- BDO Canada
- SOC 2 Compliance -- Mallette
8. Penetration Testing Requirements
Key findings:
- No single Canadian law mandates a specific penetration testing cadence for healthcare software. However, multiple frameworks create effective requirements:
- SOC 2 Type II: Expects regular vulnerability assessments and penetration testing as part of security controls.
- OntarioMD EMR Certification: Privacy and security requirements include security testing.
- PIPEDA / provincial laws: Require "appropriate safeguards" -- penetration testing is the standard way to demonstrate this.
- Bill C-26 (Critical Cyber Systems Protection Act): New federal legislation that may impose explicit security testing requirements on critical infrastructure, including healthcare.
- Industry best practice for healthcare: Quarterly or biannual penetration testing cycles.
- Penetration Testing as a Service (PTaaS): Emerging model offering continuous, subscription-based testing -- increasingly adopted in Canadian healthcare.
Sources:
- Penetration Testing for Healthcare Cyber Security -- BlueOrange
- What Type of Penetration Testing for Compliance 2026 -- TrustCloud
- Healthcare Penetration Testing -- Indusface
9. Call Recording Consent Laws by Province
This is critical for voice AI agents that record patient interactions.
Federal baseline -- Criminal Code s. 184(2)(a):
- Canada is a one-party consent country at the criminal law level. If one person in the conversation consents, the recording is legal.
- However, this only addresses criminal liability. Privacy laws impose additional requirements on businesses.
Business/commercial recording requirements:
| Jurisdiction | Law | Requirement |
|---|---|---|
| Federal (PIPEDA) | PIPEDA | Businesses must secure consent and state the purpose. Passive consent (automated message) is acceptable. |
| Ontario | PHIPA | One-party consent for criminal purposes, but PHIPA requires informing patients about recording and its purpose. |
| BC | PIPA | Restricts recording in workplaces and businesses. Must inform and obtain consent. |
| Alberta | PIPA / HIA | Restricts business recording. HIA requires PIA for voice recording systems. |
| Quebec | Civil Code / Law 25 | Strictest province. Often requires explicit consent. Quebec Civil Code provides strong privacy protections beyond criminal law. |
Practical requirement for voice AI: Always implement a clear consent disclosure at the start of every call (e.g., "This call may be recorded for quality and documentation purposes. Do you consent to continue?"). This satisfies the highest bar across all provinces.
Recent development (December 2025): The Privacy Commissioner of Canada launched a consultation on modernizing PIPEDA guidance including consent requirements for recording, open until March 2026.
Sources:
- Canada Recording Laws 2026 Guide
- Call Recording Consent in Canada -- Small Business Chatbot
- Ontario Laws for Recording Phone Calls -- Network Telecom
9A. SMS Consent for Appointment Confirmations (v4.3.0)
Implementation Reference
Source: server/src/services/sms.service.ts | server/src/routes/sms.routes.ts
VitaraVox v4.3.0 introduced SMS booking confirmations via Telnyx. The consent model is designed to align with Canadian privacy requirements across all provinces.
VitaraVox SMS Consent Model
| Aspect | Implementation | Regulatory Alignment |
|---|---|---|
| Consent type | Opt-out (patient explicitly declines during voice call) | PIPEDA: meaningful consent with stated purpose |
| Collection point | Voice agent asks during booking/modification call | PIPA (BC): consent before collection |
| Purpose stated | "Would you like an SMS confirmation?" | PIPEDA Principle 4.3: knowledge and consent |
| Storage | smsConsent field per call log (true/false/null) | HIA (AB): retention documented |
| Withdrawal | Patient can decline on any subsequent call | PIPEDA: consent can be withdrawn |
| Data minimized | SMS contains only: action, date/time, clinic name | PIPEDA Principle 4.4: limiting collection |
| No marketing | SMS used only for appointment confirmation/modification/cancellation | CASL: transactional messages exempt from CASL consent |
Guard Chain (5 Checks Before Sending)
The SMS service implements a 5-guard chain that must all pass before any message is sent:
┌─────────────────────────────────────────────┐
│ Guard 1: SMS enabled for clinic? │
│ Guard 2: Patient has phone number? │
│ Guard 3: Patient consented (smsConsent)? │
│ Guard 4: Template exists for action+lang? │
│ Guard 5: Telnyx credentials configured? │
└─────────────────────────────────────────────┘
ALL PASS → Send SMS
ANY FAIL → Silent skip (no error to patient)
CASL (Canada's Anti-Spam Legislation) Analysis
SMS appointment confirmations fall under CASL's transactional message exemption (s. 6(6)):
- Messages that confirm, complete, or provide information about an existing transaction
- Appointment confirmations are directly related to the booking transaction initiated by the patient
- No commercial or promotional content included
- Result: CASL consent requirements do NOT apply to these messages
However, VitaraVox still collects explicit consent as a best practice, exceeding the legal minimum.
Provincial Considerations
| Province | SMS Requirement | VitaraVox Compliance |
|---|---|---|
| PIPEDA (Federal) | Meaningful consent for purpose | Opt-out with stated purpose during call |
| PHIPA (Ontario) | Inform patient of use | Voice agent explains SMS purpose before asking |
| PIPA (BC) | Consent before collection | Consent collected before sending |
| HIA (Alberta) | PIA for communication channels | SMS should be included in clinic PIA |
| Quebec (Law 25) | Explicit consent + French option | French templates available (book-zh pattern extensible to book-fr) |
Recommendation
The current opt-out model meets or exceeds requirements in all provinces except potentially Quebec, where explicit opt-in may be preferred. For Quebec deployments, consider switching to opt-in (patient must say "yes" rather than not saying "no").
10. AI Transparency -- Bill C-27 / AIDA Status
Bill C-27 and AIDA are dead.
- On January 5, 2025, the prorogation of the Canadian Parliament terminated all pending bills, including Bill C-27 and the Artificial Intelligence and Data Act (AIDA).
- A snap federal election in April 2025 pushed privacy reform further down the road.
- In June 2025, Minister Evan Solomon confirmed "C-27 will not return in its old form" and AIDA is "off the table as drafted." Only parts may survive in a new framework.
- The government signaled a "light, tight, right" approach -- light enough to avoid stifling innovation, tight enough to close real risks, right-sized for Canada's economy.
- Canada currently has no federal AI legislation. AI regulation is expected to be pursued through privacy law reform rather than standalone AI-specific legislation.
- The current legal framework remains PIPEDA (enacted 2000) with no AI-specific provisions.
What this means for voice AI vendors: There is currently no federal AI transparency law. However, provincial privacy commissioners are filling the gap through guidance documents, and the OPC's recommendations for PIPEDA reform include explicit rules for automated decision-making and rights to challenge AI-driven decisions. Plan for these requirements to eventually become law.
Sources:
- The Demise of AIDA -- McInnes Cooper
- Canadian AI Bill Stalls -- BABL AI
- What's Next After AIDA -- Schwartz Reisman Institute
- AI Watch: Canada -- White & Case
- Federal Privacy Reform -- Gowling WLG
11. Data Residency -- Must Health Data Stay in Canada?
Summary: It depends on the province and sector.
| Jurisdiction | Requirement | Scope |
|---|---|---|
| Federal (PIPEDA) | No explicit data residency requirement | Private sector |
| Ontario (PHIPA) | No explicit mandate, but practical/contractual requirements effectively push toward Canadian storage | Health custodians |
| BC (FIPPA s. 30.1) | Must be stored AND accessed only in Canada | Public bodies (health authorities, hospitals, universities) |
| Nova Scotia (PIIDPA s. 5(1)) | Must be stored AND accessed only in Canada | Public bodies |
| Alberta | Strong data protection requirements; PIA must address cross-border transfers | Health custodians |
| Quebec (Law 25) | Requires privacy impact assessment before transferring personal information outside Quebec; must ensure "equivalent protection" | All organizations |
Policy trajectory: There are active calls from health policy researchers for federal and provincial laws to incorporate explicit data residency or data localization requirements, requiring that "patient and community data must remain in Canada, stored on servers subject to Canadian law, with no exports permitted without explicit, informed consent."
Practical recommendation: Store all PHI in Canadian data centers. This satisfies the strictest provincial requirements and aligns with where policy is heading. Major cloud providers (AWS, Azure, GCP) all have Canadian regions.
Sources:
- Does Canadian Data Need to be Stored in Canada -- SysCreations
- Canadian Data Residency Requirements -- IAPP
- Data Sovereignty in Canada by Province -- CHG 2025
- Canada Risks Losing Health Data Sovereignty -- Policy Options
- Ensuring Sovereignty of Canadian Health Data -- PMC
12. EMR Certification Requirements (OntarioMD)
OntarioMD EMR Certification Program:
- EMR vendors must demonstrate their offering meets Ontario EMR Specifications and complies with privacy, security, service level, and hosting requirements.
- Certification is mandatory for EMRs to subscribe to provincial EHR products and services (OLIS, HRM, and future services).
- EMR Specifications define minimum requirements in three categories:
- Data (structured data, coding standards, interoperability)
- Identity (patient identification, provider authentication)
- Privacy and Security, Hosting (encryption, access controls, audit logging, Canadian hosting)
AI Scribe VOR Program (separate from EMR certification):
- The VOR arrangement runs from April 27, 2025 through April 27, 2028 (3 years + optional 1-year extension).
- Vendors must meet provincial requirements for clinical functions, privacy, and secure data storage.
- Managed by Supply Ontario in partnership with OntarioMD.
- Clinicians receive complimentary change management support from OntarioMD.
Implications for voice AI: A voice agent is not an EMR and likely does not need OntarioMD EMR certification directly. However, if it writes to an EMR, the receiving EMR must be certified. The AI Scribe VOR program is the more relevant certification pathway for voice AI tools.
Sources:
- OntarioMD EMR Certification Overview
- Ontario EMR Specifications Overview
- OntarioMD VOR Program for AI Scribes
- Supply Ontario AI Scribe Tender
13. Accessibility -- AODA, ACA, and AI-Specific Standards
Three overlapping frameworks apply:
AODA (Ontario)
- Requires both public- and private-sector organizations to follow accessibility standards in five areas: information/communications, customer service, transportation, employment, and public spaces.
- Next formal reporting date for organizations with 20+ employees: December 31, 2026.
- Applies to hospitals, clinics, and healthcare facilities with more than one worker.
Accessible Canada Act (ACA) / Accessible Canada Regulations
- In December 2025, the federal government made significant updates to the Accessible Canada Regulations, expanding digital accessibility requirements for federally regulated organizations.
- The compliance standard is CAN/ASC -- EN 301 549:2024 -- the Canadian adoption of the European ICT accessibility standard, covering two-way voice communication requirements.
- Implementation timeline: New digital technology must conform within 24-36 months after registration (2027-2028).
CAN-ASC-6.2:2025 -- Accessible and Equitable AI Systems (NEW)
- Published December 2025 -- the world's first national standard specifically focused on accessible AI.
- Developed by a technical committee primarily composed of people with disabilities.
- Sets a process-and-outcomes framework to ensure AI systems are accessible and equitable across the entire AI lifecycle.
- Currently voluntary but expected to become a market baseline, especially for federally regulated entities and public-sector procurement.
- Available free in both official languages and accessible formats (including ASL and LSQ).
Practical implications for voice AI:
- Voice systems must be usable by people with hearing impairments (text alternatives), speech impairments (alternative input methods), and cognitive disabilities (simple language options).
- CAN-ASC-6.2 provides the framework for ensuring AI systems do not discriminate against users with disabilities.
Sources:
- CAN-ASC-6.2:2025 -- Accessibility Standards Canada
- Canada Releases World's First Accessible AI Standard
- Canadian Accessibility Regulations & 2025 ACA Amendments -- Level Access
- CAN/ASC EN 301 549:2024 -- Voice Communication Requirements
- From AODA to ACA -- Allyant
14. French Language Requirements
Two overlapping regimes:
Quebec -- Bill 96 (Charter of the French Language)
- Final provisions took effect June 1, 2025. Full enforcement is now live.
- Software interfaces used by employees in Quebec must be available in French.
- Customer-facing communications, contracts, warranties, and after-sale interactions must be provided in French.
- Businesses with 25+ employees must register with the Office Quebecois De La Langue Francaise (OQLF) and comply with Francization requirements.
- French must be "markedly predominant" on websites, product labels, and commercial materials targeting Quebec.
- The OQLF has expanded authority to investigate complaints, conduct inspections, and issue fines.
Federal -- Official Languages Act
- Federal institutions must provide services in both English and French.
- The Accessible Canada Act's CAN-ASC-6.2 standard is published in both official languages.
- Healthcare organizations receiving federal funding may have bilingual service obligations.
Practical implications for voice AI:
- If deploying in Quebec, the voice agent must offer a French-language option -- not just as a nicety but as a legal requirement under Bill 96.
- All patient-facing communications, consent disclosures, and documentation must be available in French.
- The AI agent must handle French speech recognition and text-to-speech at production quality.
Sources:
- Quebec's Language Laws Changed -- DLA Piper
- Everything About Quebec's Law 14 (Bill 96) -- CFIB
- Quebec's Bill 96 Key Changes 2025 -- TransPerfect
- How to Comply with Quebec Language Law -- Pairaphrase
15. Incident Response and Breach Notification Requirements
Multi-jurisdictional requirements create a complex notification landscape:
Federal -- PIPEDA
- Report any "breach of security safeguards" with a "real risk of significant harm" to the OPC.
- Notify affected individuals "as soon as feasible" after determining the breach occurred.
- Maintain records of all breaches (whether or not they meet the threshold) for 24 months.
- Two-tier assessment required: (1) sensitivity of information, (2) probability of misuse.
Ontario -- PHIPA
- Notify individuals and the IPC "at the first reasonable opportunity" if PHI is stolen, lost, or used/disclosed without authority.
- No risk threshold -- unlike PIPEDA, Ontario does not require assessing whether there is a "real risk of significant harm." All breaches involving unauthorized use/disclosure must be reported.
- Notification can be by telephone, in writing, or by notation in the patient's file.
- September 2025: The Divisional Court affirmed that the "first reasonable opportunity" duty applies even in cyberattack/ransomware scenarios.
Quebec -- Law 25 / Law 5
- Report breaches posing a "risk of serious injury" to the Commission d'acces a l'information (CAI) and affected individuals.
- For healthcare organizations, Law 5 additionally requires reporting to the Minister of Health and Social Services.
- Maintain a record of all security incidents.
- Penalties: Up to $25 million or 4% of global revenue, whichever is higher.
Alberta -- HIA
- Mandatory PIA submission before deploying AI tools (not just breach response, but proactive).
- Breach notification to the OIPC as required under HIA regulations.
BC -- PIPA
- Report breaches that create a "real risk of significant harm."
- Notify affected individuals and the OIPC.
Summary table:
| Jurisdiction | Threshold | Notify | Timeline | Record Keeping |
|---|---|---|---|---|
| PIPEDA | Real risk of significant harm | OPC + individuals | As soon as feasible | 24 months, all breaches |
| PHIPA (ON) | No threshold (all breaches) | IPC + individuals | First reasonable opportunity | Required |
| Law 25 (QC) | Risk of serious injury | CAI + individuals + Minister (health) | As soon as possible | All incidents |
| HIA (AB) | As per regulations | OIPC + individuals | As required | Required |
| PIPA (BC) | Real risk of significant harm | OIPC + individuals | Without unreasonable delay | Required |
Sources:
- Security Requirements and Breach Notification Canada -- Baker McKenzie
- Ontario's Breach Notification Provision -- Varonis
- PHIPA Breach Protocol -- IPC Ontario
- Navigating Privacy Breaches 2025 -- McCarthy Tetrault
- Quebec Law 25 -- OneTrust
- Quebec's Health Information Privacy Law -- Blakes
Enterprise-Readiness Summary
Based on this research, a Canadian healthcare AI voice agent must address the following to be enterprise-ready:
| Priority | Requirement | Status |
|---|---|---|
| P0 | Canadian data residency (all PHI in Canadian data centers) | Required by BC/NS public sector, effectively required elsewhere |
| P0 | Patient consent mechanism at call start | Required by all provinces — IMPLEMENTED (voice recording disclosure) |
| P0 | SMS consent for appointment confirmations | Required under PIPEDA/PIPA — IMPLEMENTED v4.3.0 (opt-out + 5-guard chain) |
| P0 | Privacy Impact Assessment support (especially Alberta) | Mandatory in Alberta, best practice everywhere |
| P0 | Breach notification procedures for all provinces | Multi-jurisdictional requirements |
| P0 | No use of patient data for model training | Likely prohibited under HIA; strong guidance against it elsewhere |
| P1 | SOC 2 Type II (all 5 Trust Services Criteria) | De facto requirement for enterprise sales |
| P1 | French language support | Legally required in Quebec (Bill 96) — ZH track live, FR planned |
| P1 | OntarioMD VOR program application (if targeting Ontario) | Preferred procurement pathway |
| P1 | FHIR R4 integration capability | Industry standard, approaching mandated |
| P1 | Annual penetration testing with audit documentation | SOC 2 requirement, regulatory best practice |
| P2 | CAN-ASC-6.2 AI accessibility compliance | Voluntary now, likely required for public procurement |
| P2 | CAN/ASC EN 301 549 ICT accessibility | Mandatory for federally regulated in 2027-2028 |
| P2 | AI transparency documentation | No current law, but expected in upcoming privacy reform |
| P2 | Bilingual (EN/FR) operation | Federal institutions; all Quebec operations |