Built for Canada. Not retrofitted from the US.

A dental AI receptionist purpose-built for PHIPA-aware implementation.

Every US-based dental AI competitor carries a HIPAA badge. HIPAA does not apply in Canada. Canadian dental practices are governed by PHIPA (Ontario), PIPA (BC), and HIA (Alberta). Aida is built for PHIPA-aware implementation: privacy-aware data-flow planning, scoped encryption review, interaction logging, retention planning, and a data processing agreement path for each practice. And Aida stores patient data on Canadian regions of Microsoft Azure and AWS, so it stays in Canada, not on US servers.

PHIPA-aware
Canadian data residency
Encryption scope reviewed

What is PHIPA and why does it matter for dental practices?

PHIPA is Ontario's Personal Health Information Protection Act. It requires dental practices to protect patient data at every point of contact, including when a patient calls to book an appointment. Any third-party service that handles patient calls needs appropriate safeguards, agreements, and review.

PHIPA applies to every Ontario dentist and any staff member or third-party service that handles personal health information on their behalf. When a patient calls your practice to book an appointment or ask about coverage, that interaction creates personal health information: the caller's name, contact details, reason for calling, and any health details they share.

An after-hours answering service that records those calls, transcribes them, or books or prepares appointment requests is handling personal health information under PHIPA. That service needs appropriate security controls, a documented data flow, and a data processing agreement with your practice before it can be used responsibly.

Most dental answering services do not document this clearly for Canadian practices. US-based AI receptionists are usually built around HIPAA, not PHIPA. A HIPAA Business Associate Agreement should not be treated as a substitute for Canadian privacy review. This is not a minor technicality: it is a meaningful compliance gap that exposes your practice to regulatory risk.

PHIPA vs HIPAA: what Canadian dentists need to know.

HIPAA is a US law. It does not apply to Canadian dental practices. Vendors that advertise HIPAA compliance are not automatically PHIPA-aware. The two laws share similar goals but differ in jurisdiction, processing-location review, and breach notification timelines.

| Topic | HIPAA (US) | PHIPA (Ontario) |
| --- | --- | --- |
| Jurisdiction | United States only | Ontario (PIPA in BC, HIA in Alberta) |
| Applies to dental practices | Only US-based practices | All Ontario dentists and staff |
| Data-flow review requirement | No explicit residency requirement | Processing location and cross-border transfer risk should be reviewed |
| Vendor agreement required | Business Associate Agreement (BAA) | Vendor agreement covering safeguards, access, retention, and notification |
| Breach notification | 60 days to notify HHS | Without delay, as soon as reasonably possible |
| Patient access rights | Right to access, amend, restrict | Right to access and correct personal health information |

A US dental AI receptionist that stores patient call data on American servers should not be treated as PHIPA-ready just because it carries a HIPAA badge. Privacy-aware data handling is a core requirement, not an optional add-on. Aida stores patient call data on Canadian regions of Azure and AWS, so it stays in Canada.

How Aida supports PHIPA-aware implementation.

Aida was built for the Canadian market from day one. Privacy-aware data-flow planning, scoped encryption review, per-practice access control, interaction logging, and data processing agreement planning are part of implementation.

Privacy-aware data handling

Aida is planned around minimum necessary data, access review, retention planning, and implementation review. The exact data flow is validated with the practice before launch.

Encryption scope review

Data handling is scoped before launch, including encryption scope where applicable, access control, retention, and vendor terms.

Interaction logging

Calls can generate a timestamped transcript, structured data record, and outcome log so staff can review what happened before updating the chart.

Full compliance checklist

PHIPA-aware architecture
PIPA (BC)-aware planning
HIA (Alberta)-aware planning
PIPEDA-aware
Patient data stored in Canada (Azure and AWS Canadian regions)
Documented data-flow review
Encryption scope reviewed
Access controls reviewed
Practice-level data isolation planned
Interaction logging planned
Incident response responsibilities reviewed
Vendor agreement path reviewed
Breach notification procedures
Configurable data retention
No patient data sold

What happens to patient data when Aida answers the phone.

Aida collects only the data needed to complete each call and documents it in the reviewed workflow. Data is not sold or used to train public AI models. Your patient data belongs to your practice.

1. Call received

Aida answers the call. The connection method and call handling are reviewed during implementation before the workflow goes live.

2. Data collected

Aida collects only what the call requires: caller name, phone number, appointment details, and for CDCP calls, Sun Life member ID and date of birth. Aida does not ask for payment information, health card numbers, or government IDs.

3. Handled under practice controls

The data handling and encryption scope are reviewed during implementation. The goal is to keep each practice's call data separated, controlled, and documented.

4. Appointment booked or call flagged

If schedule access is available, Aida can complete the booking and send an SMS confirmation. If not, it prepares the appointment request for your team with call notes or a transcript where configured.

5. Call record available for review

Your team reviews the configured call record when they arrive. Interactions can include a transcript, structured data record, and outcome for staff review.

PIPEDA-aware implementation for dental practices.

PIPEDA is Canada's federal privacy law for private sector organizations. Dental practices in provinces without substantially similar legislation should review vendor workflows against PIPEDA's fair information principles.

Accountability

Accountability responsibilities are defined in the practice agreement and implementation review.

Identifying purposes

Aida identifies why it is collecting data at the time of collection. Patients are informed that the call is being handled by an AI receptionist.

Consent

Aida collects data only for purposes the caller has consented to: booking an appointment or getting practice information.

Limiting collection

Aida collects only the minimum data required to complete the call. No payment details, government IDs, or unnecessary personal information.

Limiting use, disclosure, and retention

Data is used only to serve your practice and is not sold. Vendor access and retention schedules are governed by the practice agreement and implementation scope.

Safeguards

Encryption scope, practice-level isolation, access logging, retention, and incident response responsibilities are reviewed before launch.

Data flow: why it matters for your practice.

Data flow matters because patient information can move through telephony, transcription, storage, dashboards, and practice systems. Canadian dental practices should understand where that data is processed, who can access it, how long it is retained, and what agreements govern it.

PHIPA requires dental practices to use reasonable safeguards and appropriate vendor controls when personal health information is handled outside the clinic. Cross-border processing can be possible in some circumstances, but it needs careful review instead of generic HIPAA assurances.

For dental practices, this means that using a US-based dental AI receptionist, including competitors that advertise HIPAA compliance, should be evaluated against Canadian privacy obligations before launch. The risk is not theoretical: privacy commissioners have investigated cross-border handling of personal health information.

Aida's onboarding includes a data-flow review, minimum necessary data collection, access review, encryption scope where applicable, retention planning, and vendor agreement planning. The goal is simple: make the workflow useful without creating a privacy mess for the practice.

PHIPA-aware implementation questions answered.

Privacy-aware data handling, PHIPA, PIPEDA, provincial health privacy laws, data processing agreements, and breach notification. If it affects your practice's compliance posture, it is covered here.

What is PHIPA and does it apply to dental practices?

PHIPA is the Personal Health Information Protection Act, Ontario's health privacy law. It applies to all health information custodians in Ontario, including dentists. PHIPA governs how patient data is collected, used, stored, and disclosed. Any software that handles patient calls or books or prepares appointment requests on behalf of a dental practice needs appropriate privacy controls. Dental practices in BC fall under PIPA; in Alberta under HIA. Aida is designed around privacy-aware workflows for Canadian dental practices.

What is the difference between PHIPA and HIPAA?

HIPAA is the US Health Insurance Portability and Accountability Act. It applies to American healthcare providers and does not apply in Canada. PHIPA is Ontario's equivalent. The core requirements are similar: protect personal health information, limit access, document activity, and get appropriate agreements with service providers. The key difference is jurisdiction: HIPAA compliance alone is not enough for PHIPA-aware planning. Data flow, safeguards, and vendor agreements need review.

Where is patient data stored when Aida handles a call?

In Canada. Aida stores patient call data on Canadian cloud infrastructure, the Canadian regions of Microsoft Azure and Amazon Web Services, so stored patient data stays in Canada rather than on US servers. Aida is also planned around the minimum necessary data for each call, with the data flow validated and documented with privacy controls before launch.

What data does Aida collect during a dental call?

Aida collects only the information needed to complete the call: caller name, phone number, appointment request details, and for CDCP calls, Sun Life member ID and date of birth. Aida does not collect payment information, government ID numbers, or health card numbers. The data flow is documented and reviewed with the practice before launch.

Do you provide a data processing agreement for PHIPA-aware implementation?

Agreement terms are reviewed as part of onboarding. The review covers PHIPA obligations, privacy-aware data handling, retention schedules, safeguards, and breach-notification responsibilities so the practice understands the vendor terms before launch.

Is Aida appropriate for dental practices outside Ontario?

Aida is designed for Canadian dental privacy workflows, including PIPA in BC, HIA in Alberta, and federal PIPEDA where it applies. The implementation should still be reviewed against the practice's province, data flow, and vendor agreement.

How does Aida handle a potential data breach?

Breach handling is defined during implementation and in the practice agreement. The review covers access logging, incident response, notification responsibilities, and applicable PHIPA, PIPEDA, and provincial obligations.

Can US-based dental AI receptionists comply with PHIPA?

It depends on the vendor's data flow, safeguards, contracts, and the practice's privacy obligations. HIPAA alone should not be treated as enough for a Canadian dental practice. Ask where data is processed, who can access it, what agreements are available, and how breach notification works.

Your practice handles patient calls every day. Make sure every call is PHIPA-aware.

Canadian dental practices are fielding more calls than ever as patients navigate CDCP coverage and eligibility. Aida answers after hours, handles the intake, and gives your team a documented call record to review.

Vendor agreement path reviewed. Implementation reviewed before launch.