On January 28, 2026, Ontario's Information and Privacy Commissioner released new guidance specifically addressing AI scribes in healthcare: AI Scribes: Key Considerations for the Health Sector. If your clinic is using, piloting, or considering an AI scribe, this guidance applies to you.
The timing matters. AI scribes are spreading fast across Ontario clinics, driven by physician burnout and the promise of reduced documentation time. But the regulatory framework hasn't kept pace, and the IPC's guidance makes clear that convenience is not a justification for deploying AI tools that touch patient data without proper governance.
Here's what the guidance says, what the CPSO and CMPA expect alongside it, and what your clinic needs to do right now.
What are AI scribes, and why does the IPC care?
AI scribes use speech recognition, generative AI, and natural language processing to record clinical encounters and generate notes, summaries, and documentation. Some tools now go beyond transcription to suggest diagnoses, flag billing codes, and generate referral letters.
The IPC cares because these tools record entire conversations between clinicians and patients, processing sensitive personal health information in ways that are more complex and potentially more privacy-invasive than traditional notetaking. Even when the AI scribe is operated by a third-party vendor, the health information custodian remains fully accountable for PHIPA compliance.
The six principles driving the guidance
The IPC's guidance aligns with six principles it developed jointly with the Ontario Human Rights Commission for the responsible use of AI. Every AI scribe deployment should satisfy all six:
- Valid and reliable: The tool must actually do what it claims to do, accurately and consistently.
- Safe: It must not introduce clinical risks through transcription errors, hallucinations, or session mixing.
- Privacy protective: It must comply with PHIPA requirements for collection, use, disclosure, and safeguarding of personal health information.
- Human rights affirming: It must not perpetuate bias or discrimination based on language, accent, or demographics.
- Transparent: Patients must know an AI scribe is being used and understand how their data is handled.
- Accountable: Clear governance structures must be in place, with human oversight at every stage.
What the IPC expects from your clinic
The guidance lays out specific obligations for healthcare organizations. These are not suggestions. They represent the IPC's interpretation of what PHIPA already requires when AI systems are introduced.
1. Conduct a Privacy Impact Assessment before deployment
Before introducing an AI scribe, you need to complete a Privacy Impact Assessment and update it whenever purposes, systems, or risks change. This includes threat risk assessments and AI-specific assessments. If your clinic adopted an AI scribe without completing a PIA, you're already offside.
2. Obtain meaningful patient consent
Patients must be informed that an AI scribe is being used and must consent before the recording begins. The IPC is clear: patients who withhold or withdraw consent must receive the same level of care as consenting patients. You cannot make AI scribe use a condition of receiving care.
3. Maintain human oversight of all AI-generated content
Every AI-generated note, summary, or clinical document must be reviewed by a clinician before it is relied upon or entered into the electronic medical record. The risks of AI hallucinations, transcription errors, and multilingual mistakes are heightened in healthcare. A mistake in a clinical note can directly affect patient safety.
4. Implement comprehensive written policies
Your clinic needs documented policies, practices, and procedures for AI scribe use. These must be regularly reviewed to reflect legal changes, IPC guidance, and technology updates. This includes end-user agreements and mandatory training for all staff who interact with AI outputs.
5. Build transparency materials for patients
You need patient-facing materials explaining how the AI scribe works, what data it collects, how that data is used, and who has access to it. You also need a process for responding to patient inquiries about the AI system.
6. Manage vendor relationships with rigour
If you're procuring an AI scribe from a vendor, you remain accountable for PHIPA compliance. The IPC expects you to assess the vendor's security practices, prohibit secondary use of patient data for model training, limit data retention outside the EMR, and maintain strong contractual safeguards including audit rights, breach notification requirements, and data residency guarantees.
The real-world stakes: In December 2024, an Ontario hospital reported a privacy breach after a former physician's AI scribe tool automatically joined and recorded a virtual hepatology rounds meeting without authorization, exposing sensitive patient health information. This is exactly the kind of incident the IPC's governance requirements are designed to prevent.
What CPSO and CMPA add to the picture
The IPC isn't the only regulator paying attention. The College of Physicians and Surgeons of Ontario has issued advice on AI in clinical practice emphasizing physician accountability, consent, transparency, and the obligation to explain AI use to patients. The Canadian Medical Protective Association recommends obtaining patient consent before any clinical recording, documenting the purpose of the transcription, and conducting a privacy impact assessment before adoption.
Taken together, the message from all three bodies is consistent: AI scribes are not plug-and-play tools. They require governance infrastructure before deployment.
A practical starting point for your clinic
If your clinic is currently using or evaluating an AI scribe, here are the first five things to address:
- Audit your current state. Which AI tools are in use? Who authorized them? Is there a written policy? Has a PIA been completed?
- Review your consent process. Are patients being informed before recording begins? Is consent documented? What happens when a patient declines?
- Check your vendor agreement. Does the contract address data residency, secondary use, breach notification, and audit rights? Is patient data being processed or stored outside Canada?
- Establish human review protocols. Who reviews AI-generated notes before they enter the EMR? How are errors flagged and corrected?
- Document everything. Policies, training records, consent forms, vendor assessments, PIAs. If it's not documented, it didn't happen.
The IPC has made clear that it takes a proportionate approach to compliance, but it has also reminded healthcare organizations that administrative monetary penalties of up to $500,000 for corporations are available for serious or repeated violations.
Governance first, then adoption
The IPC's guidance reinforces what responsible AI adoption has always required: governance before deployment, not after. The organizations that build their governance frameworks now will be the ones that can adopt AI tools confidently, with the compliance infrastructure already in place to protect patients, providers, and the organization itself.
This is exactly the work Ciniji Group does. We help Ontario healthcare organizations build the governance frameworks, policies, and compliance infrastructure needed before AI touches patient data.
Not sure where your clinic stands?
Book a free 20-minute AI Readiness Check. We'll assess your current AI exposure and identify your top governance priorities. No cost, no obligation.
Sources
- IPC Ontario, "AI Scribes: Key Considerations for the Health Sector" (January 28, 2026) — ipc.on.ca
- IPC Ontario & Ontario Human Rights Commission, "Principles for the Responsible Use of Artificial Intelligence" — ipc.on.ca
- Norton Rose Fulbright, "Ontario IPC releases new guidance on AI scribes" (February 2026) — nortonrosefulbright.com
- BLG, "What health organizations need to know about the new AI scribe guidelines" (February 2026) — blg.com
- CMPA, "AI Scribes: Answers to frequently asked questions" (Revised December 2025) — cmpa-acpm.ca
- CPSO, "Using Artificial Intelligence in Clinical Practice: Advice to the Profession" — cpso.on.ca
- Blakes, "New Guidance From Ontario's IPC on Privacy Management for Small Healthcare Organizations" — blakes.com
- McCarthy Tetrault, "AI Scribes and Privacy Risks" (2026) — mccarthy.ca