Last updated: March 2026

Compliance & Data Protection

Health Assist AI is built on security-by-design and privacy-by-design principles. This page describes how our platform aligns with applicable privacy and data protection frameworks. It is provided for informational purposes only and does not constitute legal advice or certify compliance for any particular organization or use case.

Questions or requests for compliance documentation (DPA, BAA, PIA templates): info@health-assist.org

BC PIPA — British Columbia (Primary Framework for BC Private Clinics)

This is the primary privacy framework for private community clinics and physician offices in British Columbia.

BC’s Personal Information Protection Act (PIPA) governs the collection, use, and disclosure of personal information by private-sector organizations in BC, including private medical clinics and physician offices.

Health Assist AI’s role under BC PIPA: We act as a service provider — we process patient personal health information on behalf of the healthcare organization (the Controller). The healthcare organization retains accountability for its patients’ personal information under PIPA, including the requirement to obtain express patient consent before using an AI-assisted intake tool.

What Health Assist AI provides to support BC PIPA compliance:

  • Express consent collection at the point of patient intake (clinic-branded consent checkbox naming the clinic, the AI tool, cross-border processing, and retention period)
  • Configurable PHI retention window — default 12 hours, auto-deleted at expiry
  • On-demand PHI deletion via the platform dashboard
  • Audit logs of all PHI access and deletion events (retained 7 years)
  • Breach notification to the healthcare organization within 48 hours
  • Pre-filled Privacy Impact Assessment (PIA) template available on request
  • Pilot Agreement including a service provider clause (PIPA s. 6 compatible)

Healthcare organization responsibilities under BC PIPA: Clinics must obtain express patient consent, document that consent in the patient’s record, appoint a Privacy Contact, and ensure their own patient-facing privacy policy discloses that personal health information may be transferred to and processed in the United States. See Cross-Border Processing below.

Relevant guidance: Doctors of BC advises physicians in private practice to obtain informed patient consent for AI-assisted tools and to inform patients they can withdraw consent at any time without affecting care. CMPA guidance similarly recommends that patients be told the purpose of AI recording/transcription, the privacy and accuracy risks, and that the physician will review and edit the result.

PIPEDA — Canada (Federal)

The federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies to federally regulated organizations and governs cross-border transfers of personal information. Under PIPEDA, Canadian organizations are not prohibited from transferring personal information to another jurisdiction for processing, but they remain accountable and must use contractual or other means to ensure a comparable level of protection.

The federal Office of the Privacy Commissioner (OPC) also requires that organizations be transparent that information may be processed in another jurisdiction and may be accessible there by courts, law enforcement, or national security authorities.

Health Assist AI addresses these requirements through our Microsoft Data Processing Agreement (DPA) — see Cross-Border Processing below.

Cross-Border Processing — Azure Infrastructure & AI Services

Application infrastructure is hosted in Canada. AI and speech processing use Microsoft Azure services in the United States.
Service | Purpose | Region
Azure App Service & Networking | Application hosting, VNet, private endpoints | Canada Central
Azure SQL Database | Encrypted data storage | Canada Central
Azure OpenAI (GPT-4o) | AI processing, draft note generation | East US 2 (USA)
Azure Cognitive Services | Speech-to-text, text-to-speech | East US 2 (USA)

Contractual safeguards: The following agreements are in place with Microsoft Corporation:

  • A Data Processing Agreement (DPA) requiring Microsoft to implement safeguards for personal information comparable to those required under BC PIPA and PIPEDA, and restricting use of data to delivering contracted services only.
  • A HIPAA Business Associate Agreement (BAA) governing the handling of Protected Health Information in HIPAA-eligible Azure services.

Healthcare organizations in BC may rely on these agreements as the contractual protection mechanism satisfying their accountability obligations under BC PIPA s. 6 and the OPC cross-border transfer framework. Copies of the DPA and BAA are available upon written request.

Disclosure to patients: Health Assist AI’s patient intake consent form discloses that information will be processed on Microsoft Azure including servers in the USA. Healthcare organizations must also reflect this disclosure in their own clinic privacy policy.

HIPAA / HITECH — United States

For US-based healthcare organizations, Health Assist AI operates as a HIPAA Business Associate. We execute Business Associate Agreements (BAAs) with US Customers upon request.

HIPAA safeguards implemented on the platform include:

  • Encryption of PHI in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls and mandatory multi-factor authentication
  • PHI excluded from application logs, analytics, and error reporting
  • Audit logs of all PHI access and deletion events
  • PHI not used for public AI model training
  • Breach notification procedures aligned with the HIPAA Breach Notification Rule

Platform infrastructure runs on HIPAA-eligible Microsoft Azure services.

PHIPA — Ontario

For Ontario-based healthcare organizations, Health Assist AI aligns with the Personal Health Information Protection Act (PHIPA). We act as a service provider under PHIPA, processing personal health information only on the instructions of the health information custodian (the healthcare organization). Data minimization, reasonable safeguards, and patient access rights are maintained consistent with PHIPA requirements.

GDPR — European Union

For EU-based organizations, Health Assist AI functions as a Data Processor, with the Customer acting as Data Controller. We execute Data Processing Agreements (DPAs) with EU Customers upon request. We do not proactively market to or process personal data from EU residents outside of Customer-initiated workflows.

Security Safeguards

Encryption

TLS 1.2+ in transit, AES-256 at rest. Database connections require rejectUnauthorized=true, so the database server's certificate is verified rather than accepted blindly.

Access Control

Role-based permissions. Mandatory MFA for all admin and physician accounts.

Network Security

Azure VNet with private endpoints. No public database exposure.

Audit Logging

All PHI access, edit, and deletion events logged. Logs retained 7 years.

PHI Isolation

PHI excluded from application logs, analytics, and error reporting pipelines.

Retention & Deletion

PHI auto-deleted at configurable retention window (default: 12 hours). On-demand deletion available.

Breach Response

Health Assist AI maintains documented breach detection, investigation, and notification procedures aligned with BC PIPA, PIPEDA, and HIPAA requirements. In the event of an actual or suspected breach involving Customer PHI, we will:

  • Notify the affected Customer within 48 hours of becoming aware of the incident
  • Provide a written summary of the nature and scope of the incident
  • Cooperate with the Customer’s own regulatory notification obligations
  • Take immediate steps to contain and remediate the incident

Available Agreements & Documentation

Document | Available To | How to Request
Microsoft Data Processing Agreement (DPA) | All Customers | Email info@health-assist.org
Microsoft HIPAA Business Associate Agreement (BAA) | All Customers | Email info@health-assist.org
Health Assist AI Service Provider Agreement (PIPA s. 6) | BC / Canadian Customers | Included in Pilot Agreement
HIPAA Business Associate Agreement | US Customers | Email info@health-assist.org
Pre-filled Privacy Impact Assessment (PIA) Template | BC Customers | Email info@health-assist.org
GDPR Data Processing Agreement | EU Customers | Email info@health-assist.org

Disclaimer: This page is provided for informational and transparency purposes only. It does not constitute legal advice and does not certify compliance with any specific regulatory framework for any particular organization or use case. Healthcare organizations should consult their own legal counsel regarding their specific privacy obligations.