
PIPEDA Compliance for Dental Practices in Canada: What You Need to Know

April 11, 2026 · 11 min read

Most Canadian dental practices know PIPEDA exists. Fewer know what it requires. Even fewer have documented policies that would hold up under a Privacy Commissioner investigation. This post explains PIPEDA in plain language, identifies the most common compliance gaps, and shows where US-based dental software creates exposure.

This is not legal advice. For specific compliance questions, consult a privacy lawyer familiar with PIPEDA and your provincial health privacy laws.

What PIPEDA is and which dental practices it applies to

PIPEDA is Canada's federal privacy law for commercial activity. It applies to all Canadian dental practices that handle personal health information.

PIPEDA stands for the Personal Information Protection and Electronic Documents Act. It was enacted in 2000 and sets the baseline for how Canadian organizations collect, use, and disclose personal information in the course of commercial activities.

For dental practices, PIPEDA covers:

  • Patient names, addresses, phone numbers, email addresses, and date of birth
  • Health history, treatment records, and clinical notes
  • Billing information, insurance details, and payment records
  • Appointment schedules and call logs
  • Any other information that identifies a patient or relates to their health

PIPEDA applies to all federally regulated organizations and to private-sector organizations in provinces without substantially similar provincial privacy laws. In practice, this means dental practices in most provinces operate under PIPEDA. Exceptions include:

  • Ontario: PHIPA (Personal Health Information Protection Act) applies instead of PIPEDA for health information custodians, which includes dental practices.
  • Quebec: Quebec's Act Respecting the Protection of Personal Information in the Private Sector applies, along with Law 25 (2022) which added stricter requirements.
  • British Columbia and Alberta: Provincial privacy laws apply for some organizations, but PIPEDA remains the federal standard.

Even if your province has its own health privacy law, the principles are similar. This guide focuses on PIPEDA because it represents the baseline. Provincial laws often add requirements, not subtract them.

The 10 PIPEDA principles every dental practice must follow

PIPEDA has 10 principles: accountability, purpose, consent, collection limits, use limits, accuracy, safeguards, openness, access, and recourse.

PIPEDA compliance is built on 10 principles. Dental practices must document policies for each one and be able to demonstrate compliance if questioned by the Privacy Commissioner.

Principle and what it means for dental practices:

  1. Accountability: Your practice is responsible for all patient data, even when handled by third-party vendors (PMS, answering service, billing company). You must have contracts in place with vendors that specify their PIPEDA obligations.
  2. Identifying purposes: Tell patients why you are collecting their information before or at the time of collection. Example: 'We collect your phone number to confirm appointments and reach you for recalls.'
  3. Consent: Get patient consent before collecting, using, or disclosing personal information. Implied consent works for routine use (booking appointments). Express consent is required for non-routine use (sharing with specialists).
  4. Limiting collection: Collect only the information you actually need. Do not ask for details you will never use.
  5. Limiting use, disclosure, and retention: Use patient information only for the purposes you identified. Do not sell patient lists. Do not keep records longer than necessary.
  6. Accuracy: Keep patient information up to date. Correct errors when patients report them.
  7. Safeguards: Protect patient information with security appropriate to its sensitivity. Use encryption, access controls, and secure storage.
  8. Openness: Make your privacy policies available to patients. Explain how you handle their information.
  9. Individual access: Patients can request access to their records. You must provide them within a reasonable timeframe, typically 30 days.
  10. Challenging compliance: Patients can file complaints if they believe you violated PIPEDA. You must have a process for handling complaints.

Most dental practices fail on Principle 1 (Accountability). They assume that because they hired a reputable PMS vendor or answering service, compliance is the vendor's problem. Under PIPEDA, it is not. The dental practice remains accountable for how patient information is handled by every vendor they work with.

Where US-based dental software fails PIPEDA requirements

Most US dental software stores patient data on US servers. PIPEDA restricts cross-border transfer without equivalent protections.

The most common PIPEDA compliance gap in Canadian dental practices is data residency. Many practices use US-based practice management systems, billing software, or answering services without realizing that patient data is stored on US servers.

PIPEDA allows cross-border data transfer only if:

  1. The receiving jurisdiction has privacy protections substantially similar to PIPEDA, or
  2. The organization has contractual safeguards in place that replicate PIPEDA protections.

The United States does not have federal privacy legislation equivalent to PIPEDA. US privacy law is sector-specific (HIPAA for health, GLBA for finance, etc.) and does not provide the same level of protection for personal information. Additionally, US laws like the CLOUD Act and the Patriot Act allow US government agencies to access data stored by US companies, even when that data belongs to Canadian patients.

For Canadian dental practices, this means:

  • Patient data stored on US servers is subject to US government access, which PIPEDA does not permit without patient knowledge.
  • US vendors are not required to comply with PIPEDA principles unless contractually obligated to do so by the Canadian practice.
  • In the event of a data breach, US breach notification laws do not align with Canadian requirements under PIPEDA or provincial laws like PHIPA or Law 25.

The Privacy Commissioner of Canada has issued guidance stating that Canadian organizations should avoid transferring personal information to jurisdictions without equivalent protections unless they can demonstrate contractual safeguards and inform individuals of the risks. For dental practices, the simplest solution is to use vendors that store patient data on Canadian servers.

What data residency means and why it matters

Data residency is where patient data is stored. Canadian servers keep data under Canadian jurisdiction and block US government access.

Data residency refers to the physical location where data is stored. For Canadian dental practices, data residency determines which country's laws apply to patient information.

If patient data is stored on Canadian servers:

  • Canadian privacy laws (PIPEDA, PHIPA, Law 25) apply.
  • Canadian courts have jurisdiction over data access requests and breach investigations.
  • Foreign governments cannot compel access without following Canadian legal processes.

If patient data is stored on US servers:

  • US laws like the CLOUD Act and Patriot Act apply, allowing US government access without notifying the Canadian practice or the patient.
  • US courts have jurisdiction, which complicates enforcement of Canadian privacy rights.
  • The Canadian practice may be unable to fulfill its PIPEDA obligations (such as informing patients of foreign access) because the vendor is not required to notify them.

For PIPEDA compliance, Canadian dental practices should confirm that any vendor handling patient information stores data on Canadian servers or has documented contractual safeguards and patient consent for cross-border transfer.

Common PIPEDA compliance gaps in dental practices

Most gaps: vendor accountability, consent documentation, breach response, and patient access requests. Document policies for all four.

These are the four most common PIPEDA compliance gaps found in Canadian dental practices during Privacy Commissioner investigations:

1. Vendor accountability

The practice has no written agreements with vendors (PMS, answering service, billing company) specifying PIPEDA obligations. Under Principle 1 (Accountability), the practice remains responsible for how vendors handle patient data. Without a contract that obligates the vendor to comply with PIPEDA, the practice cannot demonstrate accountability.

How to fix: Review all vendor contracts. Ensure each contract includes:

  • Confirmation that the vendor will comply with PIPEDA principles
  • Specification of where patient data is stored (data residency)
  • Procedures for breach notification
  • Confirmation that the vendor will not use patient data for purposes other than those authorized by the practice

2. Consent documentation

The practice collects patient information but does not document when and how consent was obtained. PIPEDA requires meaningful consent, which means patients understand what information is being collected and why. Many practices assume implied consent covers everything, but express consent is required for non-routine uses.

How to fix: Create a consent form or privacy notice that:

  • Identifies the purposes for which you collect patient information (treatment, billing, appointment reminders, recalls)
  • Explains any non-routine uses (sharing with specialists, research, marketing)
  • Provides patients an opportunity to opt out of non-essential uses
  • Is provided to patients before or at the time of first collection

3. Breach response planning

The practice has no documented plan for responding to a privacy breach. PIPEDA does not require breach notification unless there is a real risk of significant harm, but provincial laws like PHIPA (Ontario) and Law 25 (Quebec) impose mandatory breach notification timelines. Without a plan, practices cannot respond within required timeframes.

How to fix: Document a breach response plan that includes:

  • Who is responsible for investigating the breach (typically the practice owner or office manager)
  • How to assess whether the breach meets the threshold for notification
  • Notification timelines (PHIPA requires notification to the Privacy Commissioner within 24 hours in some cases)
  • How affected patients will be notified
  • Steps to prevent future breaches

4. Patient access requests

The practice has no process for handling patient requests to access their records. PIPEDA gives patients the right to request access to their information and requires the practice to respond within 30 days. Many practices respond informally but do not document the request or their response, which creates problems if the patient files a complaint.

How to fix: Create a formal process for access requests:

  • Designate one person to handle access requests
  • Document every request in writing (even if the request was verbal)
  • Confirm the requester's identity before providing records
  • Respond within 30 days with the records or an explanation for any delay
  • Keep a log of all access requests and responses

How AI answering services must comply with PIPEDA

AI answering services must use Canadian servers, document security safeguards, and sign vendor accountability agreements with practices.

AI answering services handle patient names, phone numbers, appointment details, and sometimes health information (emergency triage, CDCP intake). Under PIPEDA, the dental practice is accountable for how the AI service handles this data.

For PIPEDA compliance, an AI answering service must:

  1. Store patient data on Canadian servers. This ensures data remains under Canadian jurisdiction and is not subject to US laws like the CLOUD Act. Practices should confirm data residency in writing before signing.
  2. Implement appropriate security safeguards. PIPEDA Principle 7 requires safeguards appropriate to the sensitivity of the information. For health information, this typically means encryption in transit and at rest, access controls, and audit logs.
  3. Sign a vendor agreement that specifies PIPEDA obligations. The agreement should state that the AI service will comply with PIPEDA principles, will not use patient data for purposes other than those authorized by the practice, and will notify the practice of any breach within a specified timeframe.
  4. Limit data retention. PIPEDA Principle 5 requires that personal information be retained only as long as necessary. AI answering services should not retain call recordings or transcripts indefinitely. Best practice is to retain data only for the period required for appointment confirmation and follow-up, then delete it.
  5. Provide transparency about how data is used. The AI service should provide the practice with documentation explaining what data is collected, how it is used, where it is stored, and how long it is retained. The practice must be able to explain this to patients if asked.
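
Points 2 and 4 above (audit logs and limited retention) are where an answering service's handling of call data becomes concrete. The following is an added illustration written for this post, not code from Aida or Attainment. It assumes a hypothetical record layout (call id, practice id, a timestamp for when the appointment workflow closed, a transcript and a pointer to the stored recording) and a hypothetical rule: a record is kept while its appointment workflow is open, then for a configurable follow-up grace period, and deleted afterwards. Each deletion is written to an audit list so the practice can later show what was removed and why, and a dry-run mode lets the policy be reviewed before anything is actually purged.

```python
"""Retention sweep for answering-service call records (added example).

Assumptions (not from the post): the CallRecord layout, the 30-day follow-up
grace period, and the "deleted"/"would_delete" audit actions are all
hypothetical choices made for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Follow-up grace period after the appointment workflow closes (assumed value).
DEFAULT_GRACE = timedelta(days=30)


@dataclass
class CallRecord:
    call_id: str
    practice_id: str
    received_at: datetime                   # tz-aware UTC
    workflow_closed_at: Optional[datetime]  # None while confirmation/follow-up is pending
    transcript: Optional[str] = None
    recording_ref: Optional[str] = None     # pointer to stored audio (hypothetical)


@dataclass
class AuditEntry:
    call_id: str
    practice_id: str
    action: str
    reason: str
    at: datetime


def is_expired(rec: CallRecord, now: datetime, grace: timedelta = DEFAULT_GRACE) -> bool:
    """Expired once the workflow is closed and the grace period has elapsed.

    Open workflows never expire: deleting them would defeat the purpose
    (appointment confirmation) for which the data was collected.
    """
    if rec.workflow_closed_at is None:
        return False
    return now >= rec.workflow_closed_at + grace


def sweep(records: List[CallRecord], now: datetime,
          grace: timedelta = DEFAULT_GRACE,
          dry_run: bool = False) -> Tuple[List[CallRecord], List[AuditEntry]]:
    """Return (kept_records, audit_entries).

    In dry-run mode nothing is removed, but the audit list still shows what
    would be deleted, so the retention rule can be reviewed first.
    """
    kept: List[CallRecord] = []
    audit: List[AuditEntry] = []
    for rec in records:
        if not is_expired(rec, now, grace):
            kept.append(rec)
            continue
        action = "would_delete" if dry_run else "deleted"
        reason = (f"workflow closed {rec.workflow_closed_at.isoformat()}, "
                  f"{grace.days}-day grace period elapsed")
        audit.append(AuditEntry(rec.call_id, rec.practice_id, action, reason, now))
        if dry_run:
            kept.append(rec)
        # Otherwise the record (transcript and recording pointer) is simply not kept.
    return kept, audit


def sample_records() -> List[CallRecord]:
    """Constructed sample data for the demonstration (not real patient data)."""
    utc = timezone.utc
    return [
        CallRecord("c-001", "p-42", datetime(2026, 1, 5, tzinfo=utc),
                   datetime(2026, 1, 6, tzinfo=utc), "constructed transcript", "rec/001"),
        CallRecord("c-002", "p-42", datetime(2026, 3, 9, tzinfo=utc),
                   datetime(2026, 3, 10, tzinfo=utc), "constructed transcript", "rec/002"),
        CallRecord("c-003", "p-42", datetime(2026, 3, 20, tzinfo=utc),
                   None, "constructed transcript", "rec/003"),
    ]


def run_demo(dry_run: bool = False):
    """Run the sweep at a fixed 'now' and return (kept ids, audit (id, action) pairs)."""
    now = datetime(2026, 4, 1, tzinfo=timezone.utc)
    kept, audit = sweep(sample_records(), now, dry_run=dry_run)
    return [r.call_id for r in kept], [(a.call_id, a.action) for a in audit]


if __name__ == "__main__":
    print(run_demo(dry_run=True))  # review first
    print(run_demo())              # then purge
```

Run at 2026-04-01, the sweep deletes c-001 (closed in January, grace long elapsed), keeps c-002 (closed 10 March, grace runs to 9 April) and keeps c-003 (workflow still open). The audit entries, not the deleted records, are what a practice would hand over to show it met the retention limit under Principle 5.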

Aida meets these requirements. Patient call data is processed and stored on Canadian servers, encrypted in transit and at rest, and retained only for the period necessary to complete the appointment workflow. Attainment signs a vendor agreement with every dental practice specifying PIPEDA compliance obligations and data residency.

Ontario PHIPA and Quebec Law 25: what is different

Ontario PHIPA and Quebec Law 25 are stricter than PIPEDA: mandatory breach notifications, higher fines. Consult provincial law.

Dental practices in Ontario and Quebec operate under provincial privacy laws that are stricter than PIPEDA in key areas.

Ontario PHIPA

The Personal Health Information Protection Act (PHIPA) applies to health information custodians in Ontario, which includes dental practices. PHIPA differs from PIPEDA in several important ways:

  • Mandatory breach notification: PHIPA requires notification to the Privacy Commissioner within specific timelines if there is a risk of harm. Some breaches must be reported within 24 hours.
  • Fines: PHIPA imposes fines up to CA$100,000 for individuals and CA$500,000 for organizations per violation.
  • Consent requirements: PHIPA has stricter consent rules than PIPEDA for certain types of information sharing.

Ontario dental practices should consult the Information and Privacy Commissioner of Ontario for PHIPA-specific guidance.

Quebec Law 25

Quebec's Act Respecting the Protection of Personal Information in the Private Sector was modernized in 2022 with Law 25, which added requirements similar to Europe's GDPR:

  • Privacy impact assessments: Required for any project involving new technologies or new uses of personal information that present a risk to privacy.
  • Mandatory breach notification: Breaches presenting a risk of serious harm must be reported to the Commission d'accès à l'information within 72 hours.
  • Data minimization: Only collect information that is necessary and proportionate to the identified purpose.
  • Cross-border transfers: Law 25 restricts cross-border data transfers more strictly than PIPEDA. Transfers to countries without equivalent protections require patient consent.

Quebec dental practices must comply with both Law 25 and the broader Quebec privacy law. Consult a privacy lawyer familiar with Quebec law before implementing new systems or vendors.

Key takeaways

  • PIPEDA applies to all Canadian dental practices that handle personal health information. Provincial laws like PHIPA and Law 25 add stricter requirements.
  • The 10 PIPEDA principles include accountability, consent, data minimization, safeguards, and patient access. Document policies for each.
  • Dental practices are accountable for all vendors, including PMS, answering services, and billing companies. Vendor contracts must specify PIPEDA obligations.
  • US-based dental software creates PIPEDA compliance exposure because patient data on US servers is subject to US laws, not Canadian privacy protections.
  • Data residency matters. Canadian servers keep patient data under Canadian jurisdiction and avoid cross-border transfer issues.
  • AI answering services must store data on Canadian servers, implement security safeguards, and sign vendor agreements specifying PIPEDA compliance.
  • Ontario PHIPA and Quebec Law 25 impose mandatory breach notifications and higher fines than PIPEDA. Consult provincial law for specific requirements.

Frequently asked questions

What is PIPEDA and does it apply to dental practices?

PIPEDA is Canada's federal privacy law. It applies to all Canadian dental practices that collect, use, or disclose personal health information in the course of commercial activity, which includes patient names, addresses, health history, treatment records, and billing information.

What are the 10 PIPEDA principles dental practices must follow?

The 10 principles are accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance. Dental practices must document policies for each and demonstrate compliance if investigated.

Do US-based dental software companies comply with PIPEDA?

Many do not. PIPEDA requires Canadian personal information to remain under Canadian jurisdiction or be subject to equivalent protections. US servers create cross-border data transfer, which typically does not meet PIPEDA requirements unless specific contractual safeguards are in place.

What is data residency and why does it matter for PIPEDA compliance?

Data residency is where patient data is physically stored. PIPEDA requires that personal information either remains in Canada or is transferred only to jurisdictions with equivalent privacy protections. US servers are subject to the CLOUD Act and Patriot Act, which allow US government access to data stored by US companies.

What are the PIPEDA penalties for non-compliance?

The Privacy Commissioner can investigate complaints and issue public reports identifying non-compliant organizations. PIPEDA does not impose direct fines, but violations can result in reputational damage, mandatory audits, and civil lawsuits. Provincial laws like PHIPA impose fines up to CA$500,000 per violation.

Does a dental AI answering service need to be PIPEDA compliant?

Yes. Any service that handles patient names, phone numbers, appointment details, or health information must comply with PIPEDA. The dental practice remains accountable for ensuring all vendors meet PIPEDA requirements, so verify data residency and security safeguards before signing.

How does PHIPA differ from PIPEDA for Ontario dental practices?

PHIPA applies instead of PIPEDA for health information custodians in Ontario. PHIPA has stricter requirements than PIPEDA, including mandatory breach notifications within specific timelines and higher fines (up to CA$500,000 for organizations). The core principles are similar.

PIPEDA-compliant AI answering for Canadian dental practices.

Aida stores all patient data on Canadian servers. No cross-border transfer. Vendor agreements specify PIPEDA compliance. Call the demo line or book a walkthrough.

David Cyrus

Founder & Managing Director, Attainment

David helps owner-operated businesses grow revenue and lower costs through strategy, AI automation, and development. He works with PE portfolio companies, healthcare practices, and home services businesses across the US and Canada.

