AI scribes — tools that listen to a session or take a dictation and draft the clinical note for you — are the most tempting productivity gain to hit therapy practice in years. Clinicians routinely spend a substantial part of their week on documentation; a tool that turns a fifty-minute session into a structured draft note in seconds is hard to ignore.
But a session recording is arguably the most sensitive artifact your practice produces: the client's voice, their disclosures, your clinical reasoning. Feeding that into an AI pipeline raises exactly the questions PIPEDA — and PHIPA in Ontario, and Law 25 in Quebec — were written to govern.
So, are AI scribes PIPEDA-compliant? The honest answer: an AI scribe is never compliant by itself — your deployment of it is, or isn't. Here's how to tell the difference.
Why "compliant" is a property of your setup, not the product
PIPEDA doesn't certify software. It makes you accountable for the personal information handled in your practice — including by your vendors. The same scribe can be a defensible choice in one practice and a serious liability in another, depending on:
- what data leaves your control, and to where;
- what the client consented to;
- how long recordings and transcripts persist, and where;
- what the vendor and its subprocessors do with the data afterwards.
That reframing matters because AI scribe marketing leans hard on words like "secure" and "compliant". Your job is to translate those words into verifiable facts.
The four real risks
1. Data leaving Canada — and entering someone else's model pipeline
Most AI scribes are built on large language models operated by third parties, and much of that infrastructure runs in the United States. When a session recording or transcript is processed abroad, it becomes subject to foreign law, and you inherit the obligation to account for that: informing clients under PIPEDA's transparency expectations, and — for Quebec practitioners — conducting the assessment Law 25 requires before personal information is communicated outside the province.
The sharper version of the risk: some AI providers reserve the right to use customer data to improve or train models. A clinical session used as training data is a disclosure your client almost certainly never contemplated. This must be contractually excluded, not just absent from the marketing page.
2. Consent that doesn't cover what's actually happening
Your existing consent form probably covers "keeping a clinical record". It probably does not cover "recording the session audio, transmitting it to a third-party AI provider for automated transcription and note generation".
Those are different things, and for information this sensitive, consent should be express, specific and documented:
- Tell the client an AI tool assists with documentation, in plain language;
- Say whether audio is recorded, and what happens to it;
- Offer a real alternative — clients must be able to decline AI processing and still receive care;
- Record the consent (or refusal) in the file.
3. Retention you don't control
Every stage of the pipeline can persist data: the audio recording, the transcript, the draft note, vendor logs, subprocessor caches. Your professional obligations define how long the clinical record is retained — but a transcript sitting indefinitely on a vendor's servers follows the vendor's policy, not your order's. You need to know what is deleted, when, and whether deletion is verifiable.
4. Accuracy and professional responsibility
A privacy article can't skip this: the note is yours. AI drafts contain errors — mishearings, invented details, misattributed statements — and signing an unreviewed AI note is a documentation failure no privacy safeguard fixes. Several Canadian regulatory colleges and professional associations have begun publishing guidance on the use of AI in practice; check what your own college has said, because expectations are forming quickly and they consistently emphasize practitioner responsibility, consent and vendor due diligence.
Ten questions to ask any AI scribe vendor
Get the answers in writing:
- Where is data processed and stored? Which country, which subprocessors?
- Is any of my clients' data used to train or improve models? (The only acceptable answer is a contractual no.)
- Is audio recorded at all, or processed as a stream? If recorded, when is it deleted?
- How long are transcripts and drafts retained, and can I trigger deletion?
- Is data encrypted in transit and at rest?
- Who at the vendor can access identifiable session content, and under what controls?
- Will you sign terms recognizing you process health information on my behalf, with breach notification commitments?
- What happens to my data if I cancel?
- Can clients be excluded from AI processing on a per-session basis?
- Can you support my regulatory context — including Quebec's Law 25 assessment if my practice is there?
A vendor comfortable with this list is a vendor you can defend choosing. A vendor who deflects to "we're fully compliant" has answered a different question.
The integration advantage: why where your scribe lives matters
There's a structural point that gets missed in tool-by-tool comparisons: every additional system that touches session content multiplies your risk surface.
A standalone scribe means a second vendor with access to your most sensitive data, a second privacy assessment, a second consent clause, a second breach-notification chain — and then the awkward step where the generated note travels (by copy-paste, export or sync) into your actual clinical record, often via a clipboard or email that was never part of anyone's compliance analysis.
A scribe integrated into your EHR collapses that: one vendor relationship, one data residency answer, one consent workflow captured in your intake forms, and a note that is generated inside the record it belongs to — no transit through unmanaged channels. If the EHR is hosted in Canada, the data residency question is answered for the scribe at the same time.
That's how we approached it at Colib: the AI-generated clinical notes feature drafts your note after the session directly within the client's chart, in an EHR hosted in Canada and built for PIPEDA-aligned practice. It works in both English and French, and pairs naturally with the browser-based telehealth already built into the platform — the session, the note and the record stay in one governed place. You review, edit and sign; the clinical judgment remains where it belongs.
A deployment checklist before you turn a scribe on
- Vendor's written answers to the ten questions above, on file
- Consent form updated: AI-assisted documentation named explicitly, opt-out offered
- Quebec practices: Law 25 privacy impact assessment completed (new system + any out-of-province data flow)
- Retention verified: audio and transcripts deleted on a known schedule
- Internal rule: every AI draft is reviewed and edited before signing
- Your college's AI guidance (if published) reviewed and reflected in the above
- The decision documented — one page saying what you chose and why
The bottom line
AI scribes can absolutely be used in a PIPEDA-respecting Canadian practice — thousands of hours of documentation time argue for figuring it out. But compliance lives in the details: where the data goes, what the client agreed to, what persists, and how many systems touch the session. Prefer scribes that keep data in Canada, contractually exclude model training on your clients, and live inside the record rather than beside it. Then review every note before you sign it — because no vendor, however compliant, holds your license.
This article is general information, not legal advice. Consult your regulatory college's guidance on AI and a privacy professional for your specific situation.