Risks

Manage Risks

Learn more about addressing risks involved in implementing AI in your practice. This includes responding to your functional, legal, privacy and security needs. Dive into insights and practical guidance tailored to healthcare professionals, plus tools to navigate compliance and stay informed on new developments.

AI scribes can make mistakes, including hallucinating (producing fabricated or incorrect information), misinterpreting or mishearing conversations, or having internal biases which affect their output. As part of the Vendor of Record Program, AI scribe tools underwent a clinical and privacy evaluation process.

As a physician, you must review the notes transcribed or generated by a scribe to ensure accuracy and completeness. An AI scribe is a tool to support your obligations as a physician, not a replacement for your professional judgement. Vendors typically include disclaimers in agreements limiting their liability for clinical decisions. Ultimately, it is a physician’s obligation to review and make any corrections to a patient record and SOAP note. You must review and edit SOAP notes to ensure accuracy and completeness before finalizing.

It is best practice to document during a clinical encounter and save the clinical note in the moment. Using an AI scribe will help you accomplish this and increase the likelihood you finish your documentation every day.
 
If you don’t review and save your AI scribe-generated notes in the moment, you need to understand how long the AI scribe vendor stores your transitory files for that clinical encounter. You would be responsible if the AI scribe auto-deleted your historic files you did not have time to finish (such as the audio recording, transcript or draft summary note). Also, be aware that when your contract with the AI scribe vendor ends, you will likely lose access to the temporary audio recordings, transcripts or notes made by the AI scribe that you have not yet moved into your EMR. 

Anything you add to the EMR using AI scribes becomes part of your normal health record and is subject to a patient’s right of access under the Personal Health Information Protection Act (PHIPA). The same exceptions to a patient’s right of access would also apply to AI scribe-generated notes. AI scribes may make draft notes and recordings that you wouldn’t have made manually, such as audio recordings, transcripts and draft summary notes. These are usually transitory and should be securely destroyed after the final SOAP Note or record is made and entered into your EMR. However, if a patient asks for a copy of those transitory notes and you still have them, they are likely subject to the same right of access under PHIPA. You can check the contract with the AI scribe vendor to see how long these transitory notes are stored to understand their retention policy. 

AI scribe vendors require limited access to patient physician conversations to process and generate draft summary notes. Some AI scribes may create recordings and transcriptions of patient encounters. AI scribe vendors under the province’s Vendor of Record (VOR) Program have been reviewed and vetted for compliance with the Personal Health Information Protection Act (PHIPA) and other data privacy obligations, and all vendors are required to have robust security measures to prevent any unauthorized access. It is important that patient data is encrypted, when in transit and at rest, to ensure that it remains secure from unauthorized access. It also remains your responsibility to ensure there are limits on secondary use and sharing of patient data. 

As with any technology that interfaces with patient data, AI scribes can pose cybersecurity risks and create new kinds of vulnerabilities to consider.

In the past few years, due to the sensitive nature of patient data, the healthcare sector – hospitals, pharmacies, and other healthcare providers – has become an increasing target for these kinds of attacks. To mitigate these risks, vendors’ security practices have been vetted under the Vendor of Record Program, including their encryption methods, auditing, and vulnerability assessments.

You can also take OntarioMD’s free Privacy & Security training which comprehensively covers the do’s and don’ts of protecting personal health information from breaches and security incidents, increasing your AI literacy and awareness in order to defend against cybersecurity risks. The modules are comprehensive, tailored to the health sector, and best of all, it’s free!

AI scribes do not access data contained in an EMR. Instead, AI scribes generate notes externally. Physicians are responsible for reviewing and finalizing SOAP notes and uploading them to their EMR.

All Health Information Custodians (HICs) in Ontario must comply with the Personal Health Information Protection Act (PHIPA). Your use of AI must comply with the College of Physicians and Surgeons of Ontario’s standards for medical record-keeping, clinical judgment, and medical professionalism.

Other regulatory risks in healthcare for use of AI scribes revolve around privacy compliance, data security, and adherence to standards like those cited in PHIPA. Ultimately, you are the HIC and are responsible for PHIPA compliance.

To mitigate these risks, you should take the following steps:

  • Ensure that an AI scribe vendor demonstrates PHIPA compliance, including transparent consent processes and privacy-focused design features. Confirm the vendor implements strong security measures to protect patient data from unauthorized access or breaches. The Vendor of Record Program has attempted to simplify privacy and security requirements and risks by pre-qualifying vendors and evaluating their commitments related to privacy and security. If you are not selecting a vendor from this Program, you must confirm your chosen vendor complies with health privacy laws in Ontario and implements strong security measures to protect patient data from unauthorized access or breaches.
  • Regularly audit data access to monitor and control who can view or use PHI.  If you are not using an AI scribe under the VOR Program, consider working with legal counsel to include clear responsibilities and security obligations in vendor contracts, along with indemnity and auditing clauses. 
  • Perform ongoing risk assessments, regardless of the ones performed by your AI scribe vendor.
  • Keep your patients informed about data usage and collection to foster and maintain trust. 

Beginning in April 2025, the province has launched a Vendor of Record (VOR) Program designed to help you select and use an AI scribe. One of the main benefits of the VOR is having compliance with privacy laws already reviewed and vetted by experts at Supply Ontario and OntarioMD. 

If you are still interested in learning more about a vendor’s compliance, or you are not planning on using an AI scribe through the VOR, you should ask a vendor for more information on their compliance with applicable laws. Ask for evidence that the vendor complies with PHIPA and any relevant Canadian health data regulations, and review any policies contained on their website or elsewhere. 

The following guidelines can be helpful to clinicians looking to evaluate the compliance of AI scribe vendors’ services: 

  • Data Protection Measures: Ensure the service provider has robust measures to protect data confidentiality and integrity, including encryption protocols for data at rest and in transit, access controls, limited retention periods, and data anonymization. 
  • Consent Mechanisms: Verify that appropriate consent is obtained for the collection, processing, and storage of data, and that these consent mechanisms comply with relevant privacy laws and regulations. 
  • Data Minimization: Confirm that the service provider collects and retains only the amount of data necessary for the intended purpose, and that procedures are in place for securely disposing of data when no longer needed. 
  • Transparency and Accountability: Confirm that the service provider is transparent about their data handling practices, including clear privacy policies and terms of service, and that mechanisms are in place for accountability and redress in the event of data breaches or privacy violations.
  • Compliance Monitoring: The ultimate responsibility for PHIPA compliance remains with you as the Health Information Custodian (HIC). Part of this monitoring can be achieved by obtaining an annual report from your vendor (e.g., SOC2) to verify their compliance and review any new contractual terms, or changes to their privacy policy. 

These guidelines account for the current regulatory landscape. As privacy regulations and AI-enabled practices continue to evolve, more robust compliance guidelines may be introduced by regulators, such as the Information and Privacy Commissioner of Ontario and the College of Physicians and Surgeons of Ontario, and new laws may come into effect.
