Healthcare | March 28, 2026 | 7 min read

How Canadian Doctors Can Use AI Without Violating PHIPA

Canadian physicians are in a delicate position with AI. The tools are genuinely useful, but PHIPA creates liability that most physicians do not fully understand. Here is what the law actually requires.

By Canuckt AI Team


What Counts as PHI Under PHIPA

The Personal Health Information Protection Act defines personal health information broadly — deliberately so. It covers information about an individual's physical or mental health, health history, health card number, health care provider, payments for health care, and the fact that an individual is or was a patient of a particular practitioner.

That last item catches people off guard. You don't need a diagnosis or a test result for information to be PHI. A document that says "patient of Dr. Ahmed at the Westdale Family Health Team" contains PHI. A referral letter with a patient's name and OHIP number is PHI. A scheduling note that links a name to an appointment type is PHI.

What PHIPA Actually Requires of You

PHIPA applies to health information custodians — physicians, hospitals, pharmacists, labs, and others — and governs how they collect, use, and disclose personal health information. Three things matter most for AI use.

First, you can use PHI for the purpose for which it was collected without additional consent. Running it through an external AI tool is a disclosure to a third party — and that requires either explicit consent or a careful analysis of whether it qualifies as a permitted use. Most AI use cases don't survive that analysis cleanly.

Second, when you disclose PHI to any third party — including a technology vendor — PHIPA requires a data sharing agreement with specific protections. The vendor must use the information only for the permitted purpose, protect it with appropriate safeguards, and notify you of any breach. OpenAI's standard terms of service do not meet this standard. Neither does any other consumer AI product currently on the market.

Third, while PHIPA doesn't prohibit cross-border transfers outright, it requires that PHI be protected by "comparable" legislation wherever it goes. The United States does not have federal health privacy legislation comparable to PHIPA. Sending PHIPA-governed PHI to US servers is not straightforwardly permissible.

The Risk Physicians Tend to Underestimate

The primary risk isn't a patient complaint — though that's possible. The risk is a breach at OpenAI's end. If OpenAI experienced a data incident that exposed Canadian patient records, every physician who had sent PHI to ChatGPT would be explaining to the IPC why they disclosed patient information to a US company without a compliant data sharing agreement, without patient consent, and without a privacy impact assessment.

The IPC has the authority to require organizations to stop using non-compliant technology, retrieve information, and overhaul their processes entirely.

The Approach That Actually Works

The solution that satisfies PHIPA's requirements without requiring physicians to give up AI tools is anonymization before any data leaves the practice environment. Remove the identifying information from the document before it goes anywhere near an external AI tool. Replace the patient's name with a placeholder, strip the health card number, remove the date of birth and address. Send the de-identified document to AI, get the output, then restore the identifying context in your own environment.

The AI never sees PHI. No disclosure occurs under PHIPA. The regulation is satisfied at the root level rather than papered over with contracts.
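The round trip described above, as an added Python example that is not code from this article, from Canuckt AI or from Shielk: identifiers the practice already knows from its own chart and values matched by pattern are swapped for placeholders, a residual check refuses to send anything that still matches, and the placeholder map stays inside the practice so the model's output can be restored locally. The sample referral note, the names and the health number are constructed; the Ontario health number pattern (modelled as ten digits plus an optional two-letter version code), the street suffixes and the `KNOWN_IDENTIFIERS` input are assumptions for the demo and are not a complete PHI detector.

```python
"""De-identify a clinical note before it leaves the practice, then restore it.

Added example, not Canuckt AI's or Shielk's code. Names, numbers and the
regex patterns are constructed for the demo and are NOT a complete PHI detector.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed referral note: every person, clinic and number here is fictitious.
SAMPLE_NOTE = (
    "Referral for Jane Doe, OHIP 1234-567-890 AB, DOB 1985-03-14, "
    "address 12 Maple St. Patient of Dr. Ahmed at the Westdale Family "
    "Health Team. Requesting cardiology consult for exertional chest pain; "
    "BP 142/90."
)

# Identifiers the practice already knows from its own chart (assumed input).
KNOWN_IDENTIFIERS = [
    ("PATIENT", "Jane Doe"),
    ("PROVIDER", "Dr. Ahmed"),
    ("CLINIC", "Westdale Family Health Team"),
]

# Pattern rules for direct identifiers. Assumption for the demo: an Ontario
# health number is modelled as 10 digits with an optional two-letter version code.
PATTERNS = [
    ("OHIP", re.compile(r"\b\d{4}-?\d{3}-?\d{3}(?:\s?[A-Z]{2})?\b")),
    ("DATE", re.compile(r"\b\d{4}-\d{2}-\d{2}\b")),
    ("ADDRESS", re.compile(r"\b\d{1,5}\s+[A-Z][a-z]+\s+(?:St|Ave|Rd|Blvd)\b")),
]


@dataclass
class Redaction:
    text: str                                            # de-identified text; safe to send out
    vault: dict[str, str] = field(default_factory=dict)  # placeholder -> original; never leaves the practice


def deidentify(note: str, known_identifiers=KNOWN_IDENTIFIERS, patterns=PATTERNS) -> Redaction:
    vault: dict[str, str] = {}
    counters: dict[str, int] = {}

    def placeholder(kind: str, original: str) -> str:
        # The same value seen twice gets the same placeholder so the model can link mentions.
        for ph, orig in vault.items():
            if orig == original:
                return ph
        counters[kind] = counters.get(kind, 0) + 1
        ph = f"[{kind}_{counters[kind]}]"
        vault[ph] = original
        return ph

    text = note
    # 1) Chart-known identifiers first, longest first so "Dr. Ahmed" is never split.
    for kind, value in sorted(known_identifiers, key=lambda kv: -len(kv[1])):
        if value in text:
            text = text.replace(value, placeholder(kind, value))
    # 2) Pattern-based identifiers (health number, dates, street address).
    for kind, pattern in patterns:
        text = pattern.sub(lambda m, k=kind: placeholder(k, m.group(0)), text)
    return Redaction(text, vault)


def residual_phi(text: str, known_identifiers=KNOWN_IDENTIFIERS, patterns=PATTERNS) -> list[tuple[str, str]]:
    """Pre-send gate: anything still matching is a leak; do not send if this is non-empty."""
    hits = [(k, v) for k, v in known_identifiers if v in text]
    hits += [(k, m.group(0)) for k, p in patterns for m in p.finditer(text)]
    return hits


def reidentify(model_output: str, vault: dict[str, str]) -> str:
    """Restore placeholders in the model's reply; runs only inside the practice environment."""
    for ph, original in vault.items():
        model_output = model_output.replace(ph, original)
    return model_output


if __name__ == "__main__":
    red = deidentify(SAMPLE_NOTE)
    assert not residual_phi(red.text), "refusing to send: identifiers remain"
    print("outbound:", red.text)
    # Constructed stand-in for what the external model would return.
    model_output = "Summary: [PATIENT_1] referred by [PROVIDER_1] for chest pain."
    print("restored:", reidentify(model_output, red.vault))
```

Two points matter in practice. The vault is itself PHI (it links placeholders to a real patient), so it must be stored and access-controlled like the chart, never sent with the document. And the residual check is a sanity gate, not proof of anonymity: free-text clinical details can still be identifying on their own, so a human review step before sending remains part of the process.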

Evaluating AI Tools Marketed to Healthcare

Several AI tools are being marketed specifically to healthcare providers with claims of PHIPA compliance. Evaluate these carefully — PHIPA compliance for a vendor means they've agreed to appropriate contractual terms, not that the IPC has certified them.

Before committing to any healthcare AI vendor, get clear written answers to: Where are your servers located? Do you have a data sharing agreement template that meets PHIPA requirements? Have you had a third-party privacy audit? What is your breach notification timeline? What happens to patient data if we terminate the relationship?

The Path Forward

Canadian physicians who want to use AI responsibly have a clear path. Use AI freely for tasks that don't involve patient information — clinical guideline research, practice policy drafting, patient education materials about conditions rather than specific patients. For tasks that do involve patient information, anonymize first, then use AI.

The administrative burden in Canadian medicine is real and AI is a real part of addressing it. The legal framework that requires using it carefully is also real. Neither of those things cancels the other out.

Tags: PHIPA, AI tools doctors, Canadian healthcare privacy, Ontario privacy law, PHI, PIPEDA healthcare
