Your clinic adopted an AI scribe. Or your EMR rolled out a new AI-powered feature. Maybe ambient listening, smart note suggestions, or automated referral drafts. It showed up in a software update. Someone on your team turned it on. And now patient data is flowing through an AI system that nobody assessed, nobody approved, and nobody governs.
This is happening in Ontario clinics right now. And the IPC's January 2026 guidance makes clear that every one of these tools triggers PHIPA obligations, whether you bought the tool deliberately or it was embedded in your existing software.
This article is the practical companion to our breakdown of the IPC's AI scribe guidance. Where that article explains what the IPC requires and why, this one gives you the checklist to verify you're actually doing it.
📋 Download the Full Checklist (PDF)
Print it. Pin it in your break room. Hand it to your practice manager. 30 items, four categories, one page.
Why a checklist matters more than a policy document
Most clinics that get into trouble with PHIPA compliance don't lack awareness. They lack follow-through. The privacy officer attended a webinar. Leadership had a conversation. But the front desk staff, the clinicians, and the practice manager never received anything concrete enough to act on.
A checklist works because it's specific. It forces the question: did we do this, yes or no? There's no room for "we're working on it." Either you completed a Privacy Impact Assessment for your AI scribe, or you didn't. Either patients are being told before the recording starts, or they aren't.
The checklist below is built directly from the IPC's January 2026 AI scribe guidance, cross-referenced with CPSO's advice on AI in clinical practice and CMPA's AI scribe recommendations. It covers every obligation those three bodies have identified.
The checklist: four categories, 30 items
Work through each section. Check what's in place. Flag what's missing. The gaps are your governance priorities.
GOVERNANCE & ACCOUNTABILITY
This section is where most clinics fall down first. There's no named person responsible for AI decisions, and no written policy governing which tools are approved. If the IPC asks "who oversees AI use in your organization?" and the answer is "nobody specifically," you have a governance gap.
BUYING YOUR AI SCRIBE
The fact that a vendor is on Ontario's Vendor of Record (VOR) list through the AI scribe program does not mean your clinic's governance obligations are met. The VOR qualifies the vendor's product. It does not assess your practice's consent workflows, your data flows, your staff training, or your incident response procedures. Those remain your responsibility as the health information custodian.
Watch for this: Many AI features are now embedded inside your EMR or scheduling system, often enabled by default in a software update. These are not exempt from PHIPA. If an AI feature touches patient data, it needs the same governance as a standalone AI scribe: PIA, consent, vendor review, and oversight.
DAILY USE & PATIENT CARE
Patient consent is the most visible and most frequently missed item. The IPC requires express consent before each use, not a blanket consent form signed at intake six months ago. The patient must know the AI scribe is active before it starts recording, and must be able to decline without any impact on their care.
Human oversight is equally non-negotiable. Every AI-generated note must be reviewed by a clinician before it enters the EMR. AI scribes hallucinate. They mix sessions. They misinterpret accented speech. A clinical note with fabricated content that goes unreviewed is a patient safety risk and a PHIPA violation.
MONITORING & TRANSPARENCY
Governance doesn't end at deployment. The IPC expects ongoing monitoring of AI performance, documented results, and a clear threshold for shutting the tool down if outputs become unreliable or harmful. If your staff notice the AI scribe is consistently misattributing statements or generating inaccurate notes, there must be a mechanism for reporting it and a clear decision pathway for what happens next.
How to score yourself
Count the items you can honestly check off. Not the ones you plan to address, but the ones that are already in place with documentation to prove it.
- 25+ checked: You're ahead of most clinics in Ontario. Keep going. Review quarterly.
- 15–24 checked: Significant gaps. Prioritize consent workflows and human oversight protocols first. These are the items most likely to trigger an IPC inquiry.
- Under 15: You have material compliance risk. The gaps are structural, not cosmetic. You need governance infrastructure before continuing to use AI tools with patient data.
What to do with your gaps
The checklist tells you where you stand. Here's how to prioritize what to fix first:
- Consent and human oversight. These are the items the IPC, CPSO, and CMPA all emphasize most strongly. If patients aren't being told about the AI scribe before it records, fix that today.
- Privacy Impact Assessment. If you haven't completed a PIA for your AI scribe, you're operating without the foundational assessment PHIPA requires. This is not optional.
- Vendor contract review. Check whether your agreement prohibits secondary use of patient data, requires Canadian data residency, and includes breach notification terms. If it doesn't, you have contractual exposure.
- Written policies and training. Staff need to know what's approved, what's not, and what to do when something goes wrong. If these don't exist in writing, create them.
- Monitoring and reporting. Set up a quarterly review cadence. Document AI performance. Create a channel for staff to report errors.
This checklist is a starting point, not the finish line
Checking every box on this list means you've addressed what the IPC, CPSO, and CMPA currently require. But governance is not a one-time exercise. AI tools evolve. Vendors push updates. Regulations change. The clinics that stay compliant are the ones that build governance into their operations, not as a project that ends, but as an ongoing function.
This is the work Ciniji Group does. We help Ontario healthcare organizations move from checklist to framework, building the governance infrastructure, vendor oversight, and staff training that makes AI adoption sustainable and audit-ready.
Not sure where your clinic stands?
Book a free 20-minute AI Readiness Check. We'll walk through your current AI exposure and identify where the gaps are. No cost, no obligation.
Sources
- IPC Ontario, "AI Scribes: Checklist of Key Considerations for the Health Sector" (January 2026). ipc.on.ca
- IPC Ontario, "AI Scribes: Key Considerations for the Health Sector" (January 28, 2026). ipc.on.ca
- CPSO, "Using Artificial Intelligence in Clinical Practice: Advice to the Profession". cpso.on.ca
- CMPA, "AI Scribes: Answers to frequently asked questions" (Revised December 2025). cmpa-acpm.ca
- PHIPA, Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A. ontario.ca