Contract Guidance

Understanding contracts isn’t always straightforward.

Ontario’s new Vendor of Record (VOR) Program, can streamline your selection process, and help you make informed decisions regarding use of an AI scribe. Whether you’re working with a VOR-approved vendor or exploring broader AI solutions, we highlight essential clauses, potential risks, and practical questions to ask. Explore our tips and tools to help you meet your practice needs and take advantage of the evolving digital health technology.

Under the province’s Vendor of Record Program, contract terms have already been negotiated, alleviating this responsibility.

If you are not using an AI scribe through the VOR, it’s important to look at the vendor’s contract as a whole, there are specific clauses potential AI scribe users should keep in mind:

  • PHIPA Compliance: Whatever tool you are considering, ensure the vendor contractually confirms their compliance with PHIPA specifically. Their compliance with PIPEDA (Canadian federal privacy law), HIPAA (US health privacy law) or GDPR (European Union data regulations) is not enough.
  • Data Ownership and Control: The contract should indicate that you, as the Health Information Custodian (HIC), have custody and control over the patient data. It’s essential that you, as the HIC, retain ownership of the data and that the vendor is only there to support you and only able to access and process the data in order to serve your practice.  The vendor should have no ability to de-identify or continue to use or disclose data for any other purpose.
  • Vendor Activity: The vendor should have no ability to de-identify or continue to use or disclose data for any purpose other than supporting you. Some AI scribe vendors try to include terms that you will get patient consent to allow them to use or disclose patient data for purposes like training their AI model, quality improvement, product development or even their own marketing.  OntarioMD does not recommend accepting those terms. It might mean you decide to choose a different AI scribe.
  • Data Location: Where does the vendor host data? If data is being held outside Ontario, notice of this should be included in the agreement so you can reflect this in your own privacy policy and notice to patients.
  • Data Retention and Disposal: The contract must have clear data retention terms in order to prevent unnecessary data exposure and ensure patient information is retained for no longer than is necessary. No recordings of patient encounters should be retained by the vendor (they should be immediately deleted after generation of SOAP notes). Similarly, any transcription and draft SOAP note should be destroyed after a short period of time (less than 30 days). Pay attention to how long you must rely on the storage of the transitory audio recordings, transcripts or summary notes if you do not intend to complete your SOAP notes after every encounter. You could lose access to those files after a certain number of hours or days.
  • Privacy Incident: The contract must require the vendor to notify you in case of any privacy or security incident. The contract should specify who is responsible in the event of a data breach and how the vendor will support you.
  • Indemnification: Indemnification is a legal term that shifts the financial risk of harm, loss or damages from one party to another. Ideally, the vendor would indemnify you for its actions if it does something wrong. At a minimum, do not accept contract terms for you to indemnify the vendor.
  • Liability Limitations: Vendors will often limit their liability in case of technology errors or security breaches. Be sure to review these limitations to ensure they are reasonable and don’t leave you solely responsible for issues beyond your control. Having fair liability terms prevents your practice from shouldering disproportionate risk.
  • Intellectual Property Rights: This clause outlines who owns any intellectual property (IP), such as your notes, templates, or other data. It’s important that this ownership doesn’t infringe on your rights to your data and that any IP created through your data use is clearly attributed. This helps protect both your practice and patient confidentiality.
  • Term and Termination: Especially if you are new to using an AI scribe, you may want flexibility in testing the product for a while without a long-term commitment.  

Limiting the vendor’s ability to share data with third parties without consent is also critical for maintaining your compliance with privacy obligations. As the individual or organization signing the agreement, it remains your responsibility to ensure you understand all the terms in the vendor contract. For questions or concerns about the terms of a vendor contract, you can also contact the OMA or consider seeking legal counsel to assist you in reviewing it. 

Under the province’s new Vendor of Record Program for AI scribes, worrying about privacy law compliance is no longer something you have to worry about. The province, in collaboration with experts and stakeholders including OntarioMD, have already worked to vet and review vendor’s privacy and security compliance. If you are interested in joining the VOR, you can share your AI Scribe Expression of Interest by completing this OMD form.

Carefully review any consent form offered by a vendor to check if it is easy for your patients to understand. If the AI scribe makes a recording, you will need the consent form to obtain consent for you to record the interaction. Be careful not to use a form that asks your patients to give the vendor consent to use or disclose their data for the vendor’s own quality improvement, product development, marketing or training of the AI model. 

OntarioMD also provides a Model Patient Consent for using AI Scribe.

Under the Province’s Vendor of Record (VOR) Program, favourable terms have already been negotiated for healthcare providers, meaning no need for independent negotiation or having to contact a lawyer to help you. 

Those seeking an AI scribe outside the VOR can typically negotiate terms in a contract with an AI scribe vendor, but would want to consider asking for regular compliance reports to monitor ongoing compliance. Additionally, if they are not already included, consider requesting terms that restrict data use solely to providing the service, preventing any use of patient data for secondary purposes without explicit patient consent. In both cases, these considerations have already been reviewed and vetted under the VOR.

Many associations, including the OMA, provide guidance for AI in health care. As a subsidiary of the OMA, OntarioMD is committed to helping you with effectively implementing digital health tools into your practice, including AI scribes.

If you are having issues with your current AI scribe, you should start by contacting your vendor, as they will be most likely to help resolve the problem. Use your vendor’s designated email or telephone number. If you’re looking to enhance or integrate your AI scribe into your clinic’s workflow, you can contact OntarioMD at support@ontariomd.com. We can also assist with any general questions you may have on AI scribes.

If you are dealing with a vendor issue that requires escalation, such as termination or other contract-related issues, please contact Supply Ontario at aiscribe@supplyontario.ca.

`