A dental AI receptionist purpose-built for PHIPA-aware implementation.
Every US-based dental AI competitor carries a HIPAA badge. HIPAA does not apply in Canada. Canadian dental practices are governed by PHIPA (Ontario), PIPA (BC), and HIA (Alberta). Aida is built for PHIPA-aware implementation: privacy-aware data-flow planning, scoped encryption review, interaction logging, retention planning, and a data processing agreement path for each practice.
What is PHIPA and why does it matter for dental practices?
PHIPA is Ontario's Personal Health Information Protection Act. It requires dental practices to protect patient data at every point of contact, including when a patient calls to book an appointment. Any third-party service that handles patient calls must comply.
PHIPA applies to every Ontario dentist and any staff member or third-party service that handles personal health information on their behalf. When a patient calls your practice to book an appointment or ask about coverage, that interaction creates personal health information: the caller's name, contact details, reason for calling, and any health details they share.
An after-hours answering service that records or transcribes those calls, books appointments, or prepares appointment requests is handling personal health information under PHIPA. That service needs appropriate security controls, a documented data flow, and a data processing agreement with your practice before it can be used responsibly.
Most dental answering services do not document this clearly for Canadian practices. US-based AI receptionists are usually built around HIPAA, not PHIPA. A HIPAA Business Associate Agreement should not be treated as a substitute for Canadian privacy review. This is not a minor technicality: it is a meaningful compliance gap that exposes your practice to regulatory risk.
PHIPA vs HIPAA: what Canadian dentists need to know.
HIPAA is a US law. It does not apply to Canadian dental practices. Vendors that advertise HIPAA compliance are not automatically PHIPA-aware. The two laws share similar goals but differ in jurisdiction, data residency requirements, and breach notification timelines.
| Topic | HIPAA (US) | PHIPA (Ontario) |
|---|---|---|
| Jurisdiction | United States only | Ontario (PIPA in BC, HIA in Alberta) |
| Applies to dental practices | Only US-based practices | All Ontario dentists and staff |
| Data residency requirement | No explicit residency requirement | Data should remain in Canada (transfers require equivalent protections) |
| Vendor agreement required | Business Associate Agreement (BAA) | Data processing agreement specifying Canadian residency |
| Breach notification | 60 days to notify HHS | Without delay, as soon as reasonably possible |
| Patient access rights | Right to access, amend, restrict | Right to access and correct personal health information |
A US dental AI receptionist that stores patient call data on American servers should not be treated as PHIPA-ready just because it carries a HIPAA badge. Privacy-aware data handling is a core requirement, not an optional add-on.
How Aida supports PHIPA-aware implementation.
Aida was built for the Canadian market from day one. Privacy-aware data-flow planning, scoped encryption review, per-practice access control, interaction logging, and data processing agreement planning are part of implementation.
Privacy-aware data handling
Aida is planned around minimum necessary data, restricted access, encryption, and implementation review. The exact data flow is validated with the practice before launch.
Encrypted data handling
Data handling is scoped before launch, including encryption in transit, encryption at rest where applicable, access control, and retention terms.
Interaction logging
Calls can generate a timestamped transcript, structured data record, and outcome log so staff can review what happened before updating the chart.
What happens to patient data when Aida answers the phone.
Aida collects only the data needed to complete each call, encrypts it, and makes it available to your practice through your dashboard. Data is not sold or used to train public AI models. Your patient data belongs to your practice.
Call received
Aida answers the call. The connection is established over an encrypted line. No call audio is stored unencrypted at any point.
Data collected
Aida collects only what the call requires: caller name, phone number, appointment details, and for CDCP calls, Sun Life member ID and date of birth. Aida does not ask for payment information, health card numbers, or government IDs.
Encrypted and isolated by practice
Call data is encrypted immediately using AES-256 and kept in your practice's isolated account. The full data flow is validated during implementation.
Appointment booked or call flagged
If schedule access is available, Aida can complete the booking and send an SMS confirmation. If not, it prepares the appointment request for your team with a full transcript.
Transcript available in your dashboard
Your team reviews the complete call log when they arrive. Every interaction has a full transcript, structured data record, and outcome for the practice audit trail.
PIPEDA-aware implementation for dental practices.
PIPEDA is Canada's federal privacy law for private sector organizations. Dental practices in provinces without substantially similar legislation should review vendor workflows against PIPEDA's fair information principles.
Accountability
Attainment is accountable for patient data under our data processing agreement. A designated privacy officer handles compliance.
Identifying purposes
Aida identifies why it is collecting data at the time of collection. Patients are informed that the call is being handled by an AI receptionist.
Consent
Aida collects data only for purposes the caller has consented to: booking an appointment or getting practice information.
Limiting collection
Aida collects only the minimum data required to complete the call. No payment details, government IDs, or unnecessary personal information.
Limiting use, disclosure, and retention
Data is used only to serve your practice. It is never sold or shared with third parties. Retention schedules are configurable per practice.
Safeguards
TLS 1.3 in transit, AES-256 at rest, per-practice isolation, access logging, and SOC 2-aligned security controls.
Data flow: why it matters for your practice.
Data flow matters because patient information can move through telephony, transcription, storage, dashboards, and practice systems. Canadian dental practices should understand where that data is processed, who can access it, how long it is retained, and what agreements govern it.
PHIPA requires dental practices to use reasonable safeguards and appropriate vendor controls when personal health information is handled outside the clinic. Cross-border processing can be possible in some circumstances, but it needs careful review instead of generic HIPAA assurances.
For dental practices, this means that using a US-based dental AI receptionist, including competitors that advertise HIPAA compliance, should be evaluated against Canadian privacy obligations before launch. The risk is not theoretical: privacy commissioners have investigated cross-border handling of personal health information.
Aida's onboarding includes a data-flow review, minimum necessary data collection, role-based access, encryption, retention planning, and a data processing agreement. The goal is simple: make the workflow useful without creating a privacy mess for the practice.
PHIPA-aware implementation questions answered.
Privacy-aware data handling, PHIPA, PIPEDA, provincial health privacy laws, data processing agreements, and breach notification. If it affects your practice's compliance posture, it is covered here.
What is PHIPA and does it apply to dental practices?
PHIPA is the Personal Health Information Protection Act, Ontario's health privacy law. It applies to all health information custodians in Ontario, including dentists. PHIPA governs how patient data is collected, used, stored, and disclosed. Any software that handles patient calls, books appointments, or prepares appointment requests on behalf of a dental practice needs appropriate privacy controls. Dental practices in BC fall under PIPA; in Alberta under HIA. Aida is designed around privacy-aware workflows for Canadian dental practices.
What is the difference between PHIPA and HIPAA?
HIPAA is the US Health Insurance Portability and Accountability Act. It applies to American healthcare providers and does not apply in Canada. PHIPA is Ontario's equivalent. The core requirements are similar: protect personal health information, limit access, maintain audit trails, and get appropriate agreements with service providers. The key difference is jurisdiction: HIPAA compliance alone is not enough for PHIPA-aware planning. Data flow, safeguards, and vendor agreements need review.
Where is patient data stored when Aida handles a call?
Aida is planned around minimum necessary data for each call, including details such as caller name, appointment request, and contact information. The data flow is validated during implementation, and the workflow is documented with privacy controls before launch.
What data does Aida collect during a dental call?
Aida collects only the information needed to complete the call: caller name, phone number, appointment request details, and for CDCP calls, Sun Life member ID and date of birth. Aida does not collect payment information, government ID numbers, or health card numbers. All collected data is encrypted immediately and stored in the practice's isolated account.
Do you provide a data processing agreement for PHIPA-aware implementation?
Yes. A data processing agreement is included for all practices as part of onboarding. The agreement covers PHIPA obligations, privacy-aware data handling, retention schedules, security controls, and breach notification procedures. This is the vendor agreement your practice needs to support PHIPA-aware planning for third-party data processors.
Is Aida appropriate for dental practices outside Ontario?
Aida is designed for Canadian dental privacy workflows, including PIPA in BC, HIA in Alberta, and federal PIPEDA where it applies. The implementation should still be reviewed against the practice's province, data flow, and vendor agreement.
How does Aida handle a potential data breach?
Aida's infrastructure follows SOC 2-aligned security controls including intrusion detection, access logging, and incident response procedures. In the event of a breach affecting patient data, we notify the affected practice immediately and within the timelines required under PHIPA, PIPEDA, and applicable provincial legislation. The data processing agreement specifies these obligations.
Can US-based dental AI receptionists comply with PHIPA?
It depends on the vendor's data flow, safeguards, contracts, and the practice's privacy obligations. HIPAA alone should not be treated as enough for a Canadian dental practice. Ask where data is processed, who can access it, what agreements are available, and how breach notification works.
Your practice handles patient calls every day. Make sure every call is PHIPA-aware.
Canadian dental practices are fielding more calls than ever as patients navigate CDCP coverage and eligibility. Aida answers after hours, handles the intake, and gives your team a documented, encrypted call record to review.
Data processing agreement included. Implementation reviewed before launch.