A dental AI receptionist purpose-built for PHIPA compliance.
Every US-based dental AI competitor carries a HIPAA badge. HIPAA does not apply in Canada. Canadian dental practices are governed by PHIPA (Ontario), PIPA (BC), and HIA (Alberta). Aida was built from the ground up for Canadian health privacy law: Canadian servers, full encryption, complete audit trail, and a data processing agreement included for every practice.
What is PHIPA and why does it matter for dental practices?
PHIPA is Ontario's Personal Health Information Protection Act. It requires dental practices to protect patient data at every point of contact, including when a patient calls to book an appointment. Any third-party service that handles patient calls must comply.
PHIPA applies to every Ontario dentist and any staff member or third-party service that handles personal health information on their behalf. When a patient calls your practice to book an appointment or ask about coverage, that interaction creates personal health information: the caller's name, contact details, reason for calling, and any health details they share.
An after-hours answering service that records those calls, transcribes them, or books appointments is handling personal health information under PHIPA. That service must have appropriate security controls, store data in Canada, and sign a data processing agreement with your practice before it can legally operate.
Most dental answering services in Canada do not meet this bar. US-based AI receptionists are built for HIPAA, not PHIPA. They store data on American servers. A HIPAA Business Associate Agreement does not satisfy PHIPA. This is not a minor technicality: it is a meaningful compliance gap that exposes your practice to regulatory risk.
PHIPA vs HIPAA: what Canadian dentists need to know.
HIPAA is a US law. It does not apply to Canadian dental practices. Vendors that advertise HIPAA compliance are not automatically PHIPA compliant. The two laws share similar goals but differ in jurisdiction, data residency requirements, and breach notification timelines.
| Topic | HIPAA (US) | PHIPA (Ontario) |
|---|---|---|
| Jurisdiction | United States only | Ontario (PIPA in BC, HIA in Alberta) |
| Applies to dental practices | Only US-based practices | All Ontario dentists and staff |
| Data residency requirement | No explicit residency requirement | Data should remain in Canada (transfers require equivalent protections) |
| Vendor agreement required | Business Associate Agreement (BAA) | Data processing agreement specifying Canadian residency |
| Breach notification | 60 days to notify HHS | Without delay, as soon as reasonably possible |
| Patient access rights | Right to access, amend, restrict | Right to access and correct personal health information |
A US dental AI receptionist that stores patient call data on American servers does not satisfy PHIPA even if it carries a HIPAA badge. Canadian data residency is a core PHIPA requirement, not an optional add-on.
How Aida meets PHIPA requirements.
Aida was built for the Canadian market from day one. Canadian servers, end-to-end encryption, per-practice data isolation, complete audit trails, and a data processing agreement are included for every practice, not available as upgrades.
Canadian data residency
All patient data collected during calls, including transcripts, appointment records, and member IDs, is stored exclusively on Canadian servers. No data leaves Canada.
End-to-end encryption
All call data is encrypted in transit using TLS 1.3 and at rest using AES-256. Each practice account is isolated: your data is never accessible to other practices or third parties.
Complete audit trail
Every call generates a timestamped transcript, structured data record, and outcome log. Your practice maintains a complete audit trail of every patient interaction handled by Aida.
What happens to patient data when Aida answers the phone.
Aida collects only the data needed to complete each call, stores it encrypted on Canadian servers, and makes it available to your practice through your dashboard. No data is sold, shared, or used to train AI models. Your patient data belongs to your practice.
Call received
Aida answers the call. The connection is established over an encrypted line. No call audio is stored unencrypted at any point.
Data collected
Aida collects only what the call requires: caller name, phone number, appointment details, and for CDCP calls, Sun Life member ID and date of birth. Aida does not ask for payment information, health card numbers, or government IDs.
Encrypted and stored on Canadian servers
All data is encrypted immediately using AES-256 and stored on Canadian servers in your practice's isolated account. No data is routed through US infrastructure.
Appointment booked or call flagged
If Aida completes the booking, the appointment is written directly to your PMS and an SMS confirmation is sent to the patient. If the call cannot be completed, it is flagged for your team with a full transcript.
Transcript available in your dashboard
Your team reviews the complete call log when they arrive. Every interaction has a full transcript, structured data record, and outcome. This is your PHIPA-compliant audit trail.
PIPEDA compliance for dental practices.
PIPEDA is Canada's federal privacy law for private sector organizations. Dental practices in provinces without substantially similar legislation (Saskatchewan, Manitoba, Atlantic Canada) are governed by PIPEDA. Aida complies with all 10 of PIPEDA's fair information principles.
Accountability
Attainment is accountable for patient data under our data processing agreement. A designated privacy officer handles compliance.
Identifying purposes
Aida identifies why it is collecting data at the time of collection. Patients are informed that the call is being handled by an AI receptionist.
Consent
Aida collects data only for purposes the caller has consented to: booking an appointment or getting practice information.
Limiting collection
Aida collects only the minimum data required to complete the call. No payment details, government IDs, or unnecessary personal information.
Limiting use, disclosure, and retention
Data is used only to serve your practice. It is never sold or shared with third parties. Retention schedules are configurable per practice.
Safeguards
TLS 1.3 in transit, AES-256 at rest, per-practice isolation, access logging, and SOC 2-aligned security controls.
Canadian data residency: why it matters for your practice.
Data residency means patient data is stored within Canada and subject to Canadian law. When data is stored in the US, it falls under US jurisdiction, including the CLOUD Act, which allows US authorities to compel access to data held by US companies even when stored abroad.
PHIPA requires that personal health information not be transferred outside Canada unless the recipient jurisdiction provides equivalent privacy protections or specific contractual safeguards are in place. The Information and Privacy Commissioner of Ontario has interpreted this conservatively: if a US vendor processes patient data on US infrastructure, Canadian data residency requirements are not met regardless of contractual terms.
For dental practices, this means that using a US-based dental AI receptionist, including well-funded competitors that advertise HIPAA compliance, likely does not satisfy PHIPA. The risk is not theoretical: the IPC has investigated and addressed cases involving cross-border transfers of personal health information from Ontario organizations.
Aida runs entirely on Canadian infrastructure. There is no US-hosted component in the data path. Patient call data is collected, processed, and stored in Canada from the moment the call connects. This is the standard your practice needs, and it is built into Aida by default.
PHIPA compliance questions answered.
Canadian data residency, PHIPA, PIPEDA, provincial health privacy laws, data processing agreements, and breach notification. If it affects your practice's compliance posture, it is covered here.
What is PHIPA and does it apply to dental practices?
PHIPA is the Personal Health Information Protection Act, Ontario's health privacy law. It applies to all health information custodians in Ontario, including dentists. PHIPA governs how patient data is collected, used, stored, and disclosed. Any software that handles patient calls or books appointments on behalf of a dental practice must comply with PHIPA. Dental practices in BC fall under PIPA; in Alberta under HIA. Aida's Canadian-only architecture satisfies all three.
What is the difference between PHIPA and HIPAA?
HIPAA is the US Health Insurance Portability and Accountability Act. It applies to American healthcare providers and does not apply in Canada. PHIPA is Ontario's equivalent. The core requirements are similar: protect personal health information, limit access, maintain audit trails, and get appropriate agreements with service providers. The key difference is jurisdiction: a HIPAA-compliant vendor operating on US servers does not satisfy PHIPA. Canadian data residency is required.
Where is patient data stored when Aida handles a call?
All patient data collected by Aida, including call transcripts, appointment details, member IDs, and contact information, is stored on Canadian servers. No data is routed through or stored in the United States or other jurisdictions. This satisfies the PHIPA requirement that personal health information remain in Canada or in a jurisdiction with equivalent protections.
What data does Aida collect during a dental call?
Aida collects only the information needed to complete the call: caller name, phone number, appointment request details, and for CDCP calls, Sun Life member ID and date of birth. Aida does not collect payment information, government ID numbers, or health card numbers. All collected data is encrypted immediately and stored in the practice's isolated account.
Do you provide a data processing agreement for PHIPA compliance?
Yes. A data processing agreement is included for all practices as part of onboarding. The agreement covers PHIPA obligations, Canadian data residency, retention schedules, security controls, and breach notification procedures. This is the vendor agreement your practice needs to satisfy PHIPA requirements for third-party data processors.
Is Aida compliant for dental practices outside Ontario?
Yes. Aida's Canadian-only architecture satisfies PIPA (BC), HIA (Alberta), and the health privacy frameworks in other provinces. Federal PIPEDA also applies to dental practices in provinces without substantially similar legislation. Aida complies with PIPEDA's 10 fair information principles including accountability, consent, and safeguards.
How does Aida handle a potential data breach?
Aida's infrastructure follows SOC 2-aligned security controls including intrusion detection, access logging, and incident response procedures. In the event of a breach affecting patient data, we notify the affected practice immediately and within the timelines required under PHIPA, PIPEDA, and applicable provincial legislation. The data processing agreement specifies these obligations.
Can US-based dental AI receptionists comply with PHIPA?
Not if patient data is stored in the United States. PHIPA allows data to be sent outside Canada only to jurisdictions with substantially equivalent protections, and only with appropriate safeguards. A vendor that processes and stores patient data on US servers, even with a HIPAA BAA, does not satisfy PHIPA's Canadian data residency expectation. This is the most common compliance gap for Canadian practices using US-built dental AI tools.
Your practice handles patient calls every day. Make sure every call is PHIPA compliant.
Canadian dental practices are fielding more calls than ever as patients navigate CDCP coverage and eligibility. Aida answers after hours, handles the full intake, and stores everything on Canadian servers.
Data processing agreement included. No additional compliance setup required.