Healthcare Privacy Notice
This privacy policy governs the collection, use, and disclosure of Personal Health Information (PHI) under Ontario's Personal Health Information Protection Act (PHIPA). As healthcare professionals, you have specific rights and protections regarding your PHI and that of your clients.
1. Who We Are
Paige Scribe ("we," "us," "our") operates as a Health Information Network Provider under PHIPA, providing therapy documentation services to licensed healthcare professionals in Ontario, Canada. We serve as a Business Associate under applicable privacy legislation.
2. Information We Collect
2.1 Personal Health Information (PHI)
Under PHIPA, we collect and process the following PHI:
- Audio Recordings: Therapy session audio for transcription (deleted immediately after processing)
- Session Transcripts: Text transcription of therapy sessions
- Clinical Notes: AI-generated and therapist-edited session documentation
- Client Identifiers: Encrypted client names and session metadata
- Professional Information: Therapist license numbers and specialties (encrypted)
2.2 Account Information
We also collect non-PHI account data:
- Professional email addresses and authentication credentials
- Subscription and billing information
- Platform usage analytics (anonymized)
- Technical logs for security and performance monitoring
3. How We Use Information
3.1 Primary Purposes (PHIPA Section 36)
We use PHI only for the following healthcare purposes:
- Transcription Services: Converting audio to text for clinical documentation
- Note Generation: AI-assisted creation of therapy session notes
- Session Management: Organizing and storing session data for therapist access
- Quality Assurance: Ensuring accuracy and completeness of documentation
3.2 Secondary Purposes (With Consent)
With your explicit consent, we may use aggregated, anonymized data for:
- Service improvement and feature development
- Healthcare research (fully anonymized, no PHI)
- Quality metrics and performance analytics
4. Information Sharing and Disclosure
4.1 Permitted Disclosures
We may disclose PHI only in the following circumstances:
- To You: Full access to your own session data and documentation
- Business Associates: OpenAI (US) for transcription under equivalent protection
- Legal Requirements: Court orders or regulatory investigations
- Health and Safety: Imminent risk to individual or public health
4.2 Third-Party Processors
PHI is processed by the following third parties under Business Associate Agreements:
- OpenAI (United States): Audio transcription services
- Amazon Web Services (Canada): Secure cloud storage and processing
- Stripe (Global): Payment processing (billing data only, no PHI)
All third parties operate under equivalent privacy protection standards and are contractually bound to PHIPA compliance requirements.
5. Data Security and Protection
5.1 Technical Safeguards (PHIPA Section 29)
We implement comprehensive security measures:
- Encryption: AES-256 encryption for all PHI at rest and in transit
- Access Controls: Multi-factor authentication and role-based access
- Audit Logging: Complete access logs per PHIPA Section 10.1 requirements
- Network Security: Firewalls, intrusion detection, and monitoring
5.2 Administrative Safeguards
Our administrative protections include:
- Designated Privacy Officer responsible for PHIPA compliance
- Regular staff training on healthcare privacy requirements
- Incident response procedures for potential breaches
- Regular security assessments and vulnerability testing
6. Data Retention and Deletion
6.1 Retention Periods
We retain data according to CRPO professional standards:
- Session Transcripts: 10 years from last session date (CRPO Standard 5.1)
- Clinical Notes: 10 years from creation date
- Audio Recordings: Deleted immediately after transcription processing
- Account Data: 7 years after account closure for legal compliance
6.2 Secure Deletion
When retention periods expire, we ensure:
- Cryptographic erasure of encryption keys
- Multi-pass overwriting of storage media
- Certificate of destruction for physical media
- Verification of complete data removal
7. Your Privacy Rights Under PHIPA
7.1 Access Rights (PHIPA Section 52)
You have the right to:
- Access Your PHI: View and obtain copies of all your session data
- Correct Inaccuracies: Request corrections to any incorrect information
- Access History: See who has accessed your PHI and when
- Complaint Process: File complaints with the Ontario IPC
7.2 How to Exercise Your Rights
To access or correct your PHI:
- Log into your account dashboard for immediate access to most data
- Email privacy@paige-ai.com for formal access requests
- We will respond within 30 days as required by PHIPA
- Complex requests may incur reasonable administrative fees
8. Consent Management
8.1 Types of Consent
We obtain different types of consent for various activities:
- Express Consent: Required for AI processing and cross-border transfers
- Implied Consent: Basic transcription within Canada
- Ongoing Consent: Continued use implies consent for core services
8.2 Withdrawing Consent
You may withdraw consent at any time by:
- Updating preferences in your account settings
- Contacting our Privacy Officer
Note: Withdrawal may limit service functionality. Previously processed data remains subject to retention requirements.
9. Cross-Border Data Transfers
9.1 United States Processing
With your express consent, PHI may be processed in the United States for:
- OpenAI transcription services
- Advanced AI analysis features
US processing is subject to:
- Business Associate Agreements ensuring equivalent protection
- Contractual data protection requirements
- Immediate deletion after processing
- No permanent storage outside Canada
10. Breach Notification
10.1 Our Obligations
In case of a privacy breach, we will:
- Notify the Ontario IPC within 24 hours of discovery
- Notify affected individuals "at the first reasonable opportunity"
- Provide details about the breach and steps taken
- Offer support and remediation services as appropriate
10.2 Your Reporting Rights
If you suspect a privacy breach, contact us immediately at:
- Emergency: privacy@paige-ai.com
- Phone: 1-800-PAIGE-AI (available 24/7)
You may also report directly to the Ontario IPC.
11. Children's Privacy
Our service is designed for licensed healthcare professionals only. We do not knowingly collect PHI from individuals under 18 without appropriate parental consent and professional authorization.
12. Changes to This Policy
We may update this privacy policy to reflect:
- Changes in privacy legislation
- New service features or functionality
- Enhanced security measures
Material changes will be communicated with 30 days' advance notice via email and account notifications.
13. Contact Information
13.1 Privacy Officer
- Email: privacy@paige-ai.com
- Phone: 1-800-PAIGE-AI
- Mail: Paige Privacy Officer, [Address TBD]
13.2 Regulatory Contacts
- Ontario IPC: 1-800-387-0073 or www.ipc.on.ca
- CRPO: info@crpo.ca
Your Privacy Rights Summary
- ✓ Access your PHI and session data anytime
- ✓ Correct any inaccurate information
- ✓ Know who accessed your data and when
- ✓ Withdraw consent for optional services
- ✓ File complaints with Ontario IPC
- ✓ Receive breach notifications immediately
PHIPA Compliance Guarantee
We are committed to maintaining full compliance with PHIPA and supporting your professional obligations. Our privacy practices are regularly audited and updated to meet the highest healthcare privacy standards.