Artificial intelligence is rapidly spreading across healthcare, and one of the fastest-growing applications is the AI medical scribe. It’s easy to see why they’re attracting so much attention. These tools promise to reduce administrative burden, speed up documentation, and give clinicians more time to focus on patients.
But before implementing an AI scribe, Alberta healthcare providers need to understand how the service fits into their privacy compliance.
Recognizing the unique risks posed by AI, Alberta’s Office of the Information and Privacy Commissioner (OIPC) released new guidance outlining factors custodians must address when preparing a Privacy Impact Assessment (PIA) or amendment for AI scribes. The guidance doesn’t discourage the use of AI—it establishes the expectations for how organizations evaluate, implement, and oversee it.
Watch our webinar recording or read on below to learn more.
AI Scribes Aren’t Just Another Software Purchase
Unlike traditional dictation software, AI scribes process patient conversations through multiple stages. They listen, transcribe, interpret, summarize, and often generate structured clinical documentation.
That creates significant efficiencies, including:
- Reduced charting time
- More consistent clinical documentation
- Improved note completeness
- Less administrative work for clinicians
However, it also introduces entirely new privacy questions:
- Where is patient information processed?
- Is it stored temporarily?
- Does the AI learn from patient conversations?
- Who has access to the information?
- Can the vendor explain exactly how the technology works?
These questions form the foundation of the OIPC’s AI Scribe guidance released in September of 2025.
The Message Is Clear: Custodians Remain Responsible
One of the most important points in the guidance is that adopting AI does not transfer responsibility to the software vendor.
Healthcare custodians remain accountable for ensuring patient information is collected, used, disclosed, stored, and destroyed in accordance with Alberta’s Health Information Act (HIA).
That means before implementing an AI scribe, organizations must be confident they understand exactly how the technology handles health information.
Simply accepting a vendor’s marketing claims is no longer enough. A PIA for AI tools needs to provide detail about how patient data is processed and what it is used for.
Privacy Impact Assessments Need Complete Details
Traditional PIAs often focus on how information flows through an organization.
Assessments of AI require the same diligent analysis.
The OIPC expects organizations to understand topics such as:
- Complete data flows
- System architecture
- Temporary and permanent storage locations
- Data retention and destruction practices
- Access controls
- Security testing
- AI model training methods
- Third-party subprocessors
- Cross-border data transfers
- Human oversight processes
- Logging and monitoring capabilities
In some cases, organizations may need considerably more technical documentation from vendors than they have requested in the past.
AI Vendor Transparency Matters
One recurring theme throughout the guidance is transparency.
If a vendor cannot (or will not) clearly explain how their system works, that’s a warning sign.
Healthcare organizations should expect vendors to provide documentation that explains:
- Where patient information travels
- Where it is stored
- How long it is retained
- How it is protected
- Whether information is ever used to train AI models
- How data is permanently deleted
- How breaches are detected and reported
Vague statements such as “We’re HIPAA compliant” or “Our system is proprietary” are not sufficient to demonstrate compliance with Alberta’s Health Information Act.
AI Introduces Privacy Risks Traditional Software Doesn’t
Many AI-specific risks simply didn’t exist with traditional healthcare software.
For example:
- Recording beyond the intended patient encounter
- Capturing conversations involving other patients
- Over-collecting health information unrelated to treatment
- AI hallucinations appearing in clinical documentation
- Adaptive AI models retaining patient information
- Use of patient information beyond intended purpose
- APIs creating additional exposure points
Each of these risks must be identified, and appropriate safeguards documented and implemented, before an AI scribe is put into use.
Contracts Matter More Than Ever
One area where organizations often encounter problems is vendor contracts.
Many agreements reference legislation such as HIPAA or PIPEDA because vendors serve customers across multiple jurisdictions.
Unfortunately, those laws don’t necessarily satisfy Alberta’s Health Information Act.
The OIPC expects agreements that clearly establish:
- The custodian retains control of health information.
- Vendors cannot use patient data to improve or train AI models unless legally authorized.
- Information is returned or securely destroyed when the relationship ends.
- Responsibilities for breach reporting are clearly defined.
- Collection, use, and disclosure align with Alberta legislation.
These contractual protections are just as important as technical safeguards.
Watch for These AI Vendor Red Flags
Before selecting an AI scribe, healthcare organizations should pause if a vendor:
- Cannot provide a Privacy Impact Assessment.
- Refuses to sign an Information Manager Agreement (IMA).
- Won’t explain their system architecture.
- Cannot describe retention or deletion processes.
- Relies on generic statements about privacy compliance.
- Refuses to explain how AI models are trained.
- Avoids questions about subcontractors or hosting locations.
Transparency should never be optional when patient information is involved.
The Best Time to Ask Questions Is Before You Buy
Perhaps the simplest lesson from the OIPC guidance is this: Do your due diligence before implementation—not after.
- Request vendor documentation early.
- Review the PIA.
- Review the Information Manager Agreement.
- Fully understand how patient information is handled before entering into a contract.
Doing this work upfront can prevent expensive delays, compliance issues, and privacy risks later.
AI Can Absolutely Be Used Responsibly
The OIPC’s guidance shouldn’t be viewed as a barrier to innovation. Quite the opposite.
AI medical scribes can deliver significant value to healthcare providers when implemented thoughtfully and supported by appropriate privacy safeguards.
The goal isn’t to prevent AI adoption.
It’s to ensure patient information remains protected while healthcare organizations take advantage of technologies that improve efficiency and reduce administrative burden.
As AI continues to evolve, organizations that build strong privacy governance today will be best positioned to adopt new technologies with confidence tomorrow.