Thinking About Using AI Scribe in Your Healthcare Practice?

What is AI?

AI (artificial intelligence) is an advanced form of information processing to help automate or enhance tasks. In healthcare, AI doesn’t replace providers—it supports them. Clinicians still need to guide its use, review outputs, and make informed decisions.

AI tools typically involve hardware, software, and your data. Even common tools like Microsoft Copilot or ChatGPT rely on this structure. In healthcare, you are often purchasing software and applying it to your patient data—so privacy and transparency are critical.

What Is AI Scribe?

“AI Scribe” is a broad term for tools that help generate clinical notes. Common workflows include:

  • Dictation: The provider speaks, and AI formats the note.
  • Live Listening: The AI listens during a patient visit and drafts the note based on the conversation.

Some advanced tools go further—analyzing lab trends, suggesting diagnoses, or reminding providers about follow-ups. For example, an AI integrated into your EMR may prompt you to include trending lab values in the note.

The AI can “listen” to the patient encounter and summarize it, preparing a draft clinic note for the provider to review.

What Are the Benefits?

AI scribe tools can reduce documentation time by up to 40%, allowing for:

  • Less administrative burden
  • More time with patients
  • Reduced provider burnout

Supporting data:

  • Ontario’s Ministry of Health reports significant time savings.
  • Canada Health Infoway highlights administrative efficiency gains.
  • Alberta’s OIPC HIA Engagement Survey (2024) found public support—with a strong emphasis on transparency.

Do You Need Patient Consent?

Some technology providers argue that patient consent isn’t required—just like we don’t ask patients to approve our use of an EMR system. However, informing patients is essential, especially if the AI listens to or analyzes conversations.

For example, if the provider speaks observations aloud (e.g., “You appear pale and sweaty”) for the AI to capture, patients should understand that this is part of the documentation process.

Inform Patients When We Use AI Tools

As part of your AI implementation plan, consider how you will inform individuals. You might use:

  • A poster in the clinic
  • A verbal explanation at the visit start
  • A statement in your privacy notice

The key is to make a thoughtful, documented decision—and apply it consistently.
Your risk assessment and associated policies will form the foundation of your Privacy Impact Assessment (PIA).

Implementation: It’s Not Plug and Play

AI tools require careful planning. Follow these steps to support successful implementation:

  1. Understand Your Workflow – Know what works and what needs improvement.
  2. Benchmark – Collect data to measure impact.
  3. Choose a Vendor – Use Canada Health Infoway’s pre-qualified vendor list (https://aiscribe.infoway-inforoute.ca).
  4. Do a Risk Assessment & PIA – Ensure compliance with privacy legislation.
  5. Start Small – Pilot the tool first before full rollout.
  6. Analyze Results – Check what’s working.
  7. Roll Out Broadly – Expand based on success.
  8. Monitor Continuously – Evaluate, adjust, and improve as needed.

Who Benefits Most From AI Scribe?

According to the eHealth Centre of Excellence, family physicians and primary care providers benefit most—especially those not already using dictation tools. AI scribe tools are ideal for routine, episodic care with clear documentation needs.

Funding Opportunity

Canada Health Infoway is offering fully funded one-year licenses for eligible primary care providers across Canada, including:

  • Family physicians
  • Nurse practitioners
  • Nurses in remote communities
  • Pediatricians providing community-based care

Visit https://aiscribe.infoway-inforoute.ca to register for updates and eligibility notifications.

Final Thoughts

AI scribe tools aren’t one-size-fits-all. But with thoughtful planning, clear communication, and proper implementation, the benefits can be significant: more efficient workflows, improved care, and reduced clinician burnout. This improves patient access to healthcare, too!

Need help getting started with your AI privacy and implementation plan?

Practice Management Success members have access to additional tools, including:

  • AI Privacy Checklists
  • Sample Risk Assessments
  • On-demand Q and A with Jean replays:
    • AI in Healthcare – AB Engagement Survey (Mar 11, 2025)
    • AI Implementation Toolkit (Nov 12, 2024)
    • Is AI the Right Choice for Your Clinic? Key Questions Before Using AI Transcription Tools (Jul 9, 2024)

When we know better, we can do better…

Jean Eaton is constructively obsessive about privacy, confidentiality, and security especially when it comes to the handling of personal health information. If you would like to discuss how I can help your practice, just send me an email. I am here to help you.

Jean L. Eaton
Your Practical Privacy Coach
INFORMATION MANAGERS

Why You Need Policies and Procedures

Why You Need Health Information Policies and Procedures

Maybe you’ve heard you need written policies and procedures for your health information, but you’re left asking yourself why it’s so important?

The truth is, without written policies and procedures, you open a healthcare practice up to a whole host of problems, including major legal issues.

In fact, every business needs good practices that apply to its:

  • Information that you collect from patients/clients
  • Website
  • Email
  • Business practices including electronic (or paper) patient records, and computer network
  • Financial information
  • Billing, collection, and payment processing

Within the healthcare industry, additional legislative requirements call for specific written health information policies and procedures.

The Health Information Act (HIA) and the Personal Information Privacy Act (PIPA)

As we mentioned, when a custodian collects health information, you must follow the Health Information Act (HIA) in Alberta.

Like most other private businesses in Alberta, private healthcare practices must also comply with the Personal Information Privacy Act (PIPA).

The colleges of regulated health professionals, like the Alberta Dental Association and College (ADAC) and the College of Physicians and Surgeons of Alberta (CPSA), require dentists and physicians to meet the standards of practice, which include compliance with HIA and PIPA legislation.

In addition, the college has other standards of practice that you must meet, including policies and procedures for the collection, use, disclosure, and access of health information.

So, let’s explore further why written policies and procedures are so essential, as well as what can happen without them, and why healthcare practices may not think they need them in the first place.

Benefits of Policies and Procedures

One of the most critical benefits of having policies and procedures in place is that they’re good for business.

Here’s how:

  • They contribute to consistent, efficient workflow.
  • You can figure it out once, write the procedure, tweak it to make it better, and then repeat the same procedure again and again.
  • They help you make better business decisions, like buying supplies, choosing services, and selecting vendors.
  • They help support your accreditation efforts.
  • On-boarding employees the right way with no missed steps is much easier with policies and procedures in place.

If you’re looking for even more proof of the benefits of having written procedures, they can also help you avoid:

  • Internal disputes within your team and external disputes with your patients and clients
  • Re-work and re-training employees
  • Poor customer service
  • Poor reputation
  • Fines and penalties

Fines And Penalties For Not Having Written Policies And Procedures

You might be wondering why you would face fines and penalties for not having written policies and procedures in the first place.

The HIA requires the custodian – which includes the physician, pharmacist, dentist or dental hygienist – to take reasonable safeguards to protect the privacy and confidentiality of patients’ health information.

Having written policies and procedures is a common, expected, and reasonable safeguard.

Let’s say you have a privacy breach or an error in your practice (like sending a fax to the wrong number or falling victim to a phishing or ransomware attack).

You can learn more about what makes a privacy breach a privacy breach here.

If you can’t demonstrate that you had the appropriate reasonable safeguards, like written policies and procedures in place, you are guilty of an offence under the law.

It’s illegal not to have policies and procedures when you collect health information.

If you are guilty of this offence, you are liable for a fine of a minimum of $2,000 and not more than $500,000 (HIA section 107(7)).

3 Policies and Procedures Myths

One reason some healthcare practices fail to have written policies and procedures is because they believe they don’t need them.

Often, this is because they’ve fallen prey to the common myths about policies and procedures.

Here are 3 of the common myths that stop healthcare providers and their clinic managers from creating written policies and procedures:

  1. It’s Too Hard

While it does take some skill to write clear, easy to read, and easy to understand policies and procedures, it doesn’t have to be hard. In fact, you can even purchase templates to make this easier.

  2. It Takes Too Much Time

Writing policies and procedures does take some time.

But investing the time to create policies and procedures pays off: it helps you avoid inconsistent or broken procedures, using or disclosing health information in error, fines and penalties, public relations nightmares, and the time required to run a privacy or security investigation.

  3. It’s A Waste Of Time

Here are a few good reasons that prove writing policies and procedures is not a waste of time:

  • Practical privacy policies and procedures will create a more efficient practice and help you make better business decisions.
  • The policies and procedures become the foundation of your privacy impact assessment.
  • Policies and procedures are pre-requisites for other initiatives, like access to Netcare or other community integration initiatives, and privacy impact assessment (PIA). Click here to learn more about PIAs.
  • You must have them as part of your legislative compliance.
  • It’s the law. Not having policies and procedures regarding the collection, use, disclosure, and access of health information is illegal.

As you can see, written policies and procedures help ensure consistent office procedures and good communication between team members in your healthcare practice.

In addition to those good reasons, you must have good written policies and procedures about how you collect, use, disclose, and provide access to health information to avoid legal problems, fees, penalties, and other problems.

 

Leaving a Group Practice? Know Your Responsibilities for Patient Records

You’ve been part of a group practice for some time.

Now, you’re preparing to open your own clinic, relocate to another area, or step away from practice altogether. Whatever your next move, it’s important to understand your responsibilities when it comes to patient health records.

Here’s what you need to know to leave well—and stay compliant.

Understanding Your Rights and Responsibilities

When you leave a group practice, you still have important obligations tied to patient records. These include:

  • Record access, security, and retention – You’re responsible for the health records you’ve collected while in practice.
  • Right of continuing access – You have the right to access the records of patients you’ve cared for, even after leaving, to respond to inquiries for access, disclosure, complaints, or investigations.
  • Continuity of care – You’re responsible for ensuring appropriate access to patient records to support ongoing care.
  • Duty to inform – Patients should be made aware of your departure and how their records will be managed.
  • Respect existing agreements – This includes any contracts or group practice policies in place, such as Information Management Agreements (IMAs) or Information Sharing Agreements (ISAs).

Resources to Guide You

Before finalizing your departure, review the following documents and standards:

  • Your contract – especially termination clauses
  • Information Management Agreements (IMAs) – with both the group practice and EMR providers
  • Information Sharing Agreements (ISAs)
  • Privacy and security policies – especially those related to closing or relocating a practice
  • Professional college standards – around recordkeeping and patient notification
  • Provincial health privacy legislation – such as Alberta’s Health Information Act or Ontario’s PHIPA

These documents can help clarify who retains custody of the records, what access rights you have, and how to ensure continuity of care for your patients.

What Are Your Plans?

Your responsibilities will vary depending on your next step:

If You’re Relocating (and Patients May Follow)

You may want to request a copy of relevant patient records for continuity of care. To do this:

  • Review your IMA – Is there a cost to receive a copy of your patient records?
  • Talk to your EMR vendor – Is data export or transfer supported? What is the cost?
  • Ensure data quality assurance – Will the records be intact and complete?
  • Prepare a new Privacy Impact Assessment (PIA) for your new location, including data migration

If You’re Leaving Practice or Relocating Far Away

You may choose to leave records with the current group practice. In that case:

  • Make sure you have a written agreement outlining who is responsible for access, storage, and disclosures.
  • Update your IMA to authorize the group to manage patient inquiries on your behalf.
  • Keep in touch with the group practice so that they can reach you in case you’re needed to support access to patient records or respond to complaints. You also want to know if the group practice changes significantly.
  • Don’t abandon your records. Even if you’re no longer practicing, you’re still responsible for their safekeeping.

The group practice must also agree to manage your patient records on your behalf. Don’t make assumptions—get it in writing!

It Takes Time

You didn’t start your practice overnight. It will take time to successfully plan and implement the transition of patient records when you leave the group practice.

Leaving a group practice is a significant professional step—and handling patient records properly is part of doing it right.

With the right planning, communication, and documentation, you can support your patients, protect yourself, and move forward with peace of mind.

Want Extra Support To Navigate Your Transition?

These resources include practical templates, checklists, and expert guidance to help you leave your current practice confidently and in compliance.

✅ Download the Practice Management Success Tips – Closing or Moving Your Healthcare Practice

✅ Get your copy of The Top 3 Agreements Your Healthcare Practice MUST Have (and Why)

Does AI Take Your Data? AI and Data Privacy

Generative AI, including platforms like ChatGPT, DALL-E, Google Gemini, and Apple Intelligence, has revolutionized our relationship with technology. Maybe these tools have completely changed how you work and engage with the internet. There seem to be endless ways to use these platforms, many of which are called large language models (LLMs). These chatbots can assist with brainstorming, writing, and even coding—but they can also pose significant risks when used carelessly. One of the biggest concerns? Employees inadvertently exposing sensitive company information.

The National Cybersecurity Alliance 2024 Oh Behave report found that 65% of us are concerned about AI-related cybercrime, and most people (55%) haven’t received any training about using AI securely. For AI Fools Week, let’s change that! #AIFools

First and foremost, when you’re using an AI tool, think about what you’re sharing and how it could be used.

Think intelligently about AI

AI models process and store data differently than traditional software. Public AI platforms often retain input data for training purposes, meaning that anything you share could be used to refine future responses—or worse, inadvertently exposed to other users.

Here are the major risks of entering sensitive data into public AI platforms:

  • Exposure of private company data – Proprietary company data, such as project details, strategies, software code, and unpublished research, could be retained and influence future AI outputs.
  • Confidential customer information – Personal data or client records should never be entered, as this could lead to privacy violations and legal repercussions.

Many AI platforms allow you to toggle off the use of what you enter for training data, but you shouldn’t trust that as an ultimate failsafe. Think of AI platforms as social media: if you wouldn’t post it, don’t enter it into AI.

Check Before You Use AI At Work

Before integrating AI tools into your workflow, take these critical steps:

  1. Review company AI policies – Many organizations now have policies governing AI use. Check whether your company allows employees to use AI and under what conditions.
  2. See if your company has a private AI platform – Many businesses, especially large corporations, now have internal AI tools that offer greater security and prevent data from being shared with third-party services.
  3. Understand data retention and privacy policies – If you use public AI platforms, review their terms of service to understand how your data is stored and used. Specifically look at their data retention and data use policies.

How To Protect Your Data While Using AI

If you’re going to use AI, use it safely!

  • Stick to secure, company-approved AI tools at work – If your organization provides an internal AI solution, use it instead of public alternatives. If your workplace isn’t there yet, check with your supervisor about what you should do.
  • Think before you click – Treat AI interactions like public forums. Don’t enter information into a chatbot if you wouldn’t share it in a press release or post it on social media.
  • Use vague or generic inputs – Instead of inputting confidential information, use general, nonspecific questions as your prompt.
  • Protect your AI account with strong passwords and MFA – Protect your AI accounts like all your other ones: use a unique, complex, and long password (at least 16 characters). Enable multi-factor authentication (MFA), which will add another solid layer of protection.

Increase your AI IQ

Generative AI is powerful! But you are wise. Use AI intelligently, especially when sensitive data is involved. By being mindful of what you share, following company policies, and prioritizing security, you can benefit from AI without putting your company at risk.

 
Medical Secretary Fined for Unauthorized Access And Disclosure to Health Information

Privacy Breach Nugget

Ever wonder how privacy breaches happen—and what you can do to stop them? Privacy Breach Nuggets takes real cases and turns them into practical lessons for privacy officers, clinics, and healthcare practices. Let’s unpack today’s case and explore what went wrong, what worked, and how you can apply these insights to protect patient information.

What Happened

In 2020, a medical secretary working at the University of Alberta Hospital in Edmonton, Alberta, accessed the health information of 17 individuals without any legitimate job-related reason.

The individuals whose information was accessed had personal relationships with the secretary. She went a step further by disclosing sensitive health information about two of them—including infectious disease details—to others who had no reason to know this information.

One of the individuals experienced harassment through text messages as a direct result of this disclosure.

Managing the Breach

The management of the privacy breach can be examined using the 4 Step Response Plan.

Step 1 – Spot and Stop

When a privacy incident is suspected, the first priority is to stop the unauthorized access. It would be appropriate to immediately suspend the employee’s access to health information systems like ConnectCare and Netcare.

If you suspect a privacy breach, don’t wait—report it to your Privacy Officer and Custodian right away.

Step 2 – Investigate

Alberta Health Services (AHS) completed an internal investigation including auditing the employee’s system activity.

The investigation assessed the “real risk of significant harm” (RROSH). This case is a stark reminder of how improper access and disclosure of health information can lead to serious harm.

Step 3 – Notify

In Alberta, custodians like physicians and healthcare organizations are legally required to notify:

• The Office of the Information and Privacy Commissioner (OIPC). (See Guide to Reporting Privacy Breaches)
• The Alberta Minister of Health.
• The affected patients whose personal health information was improperly accessed or disclosed.

Additional notifications may include law enforcement, insurers, or other stakeholders depending on the situation.

Step 4 – Prevent the Breach from Happening Again

Proactive measures are key to preventing breaches like this. Here’s how:

• Conduct regular privacy training to keep privacy awareness top of mind.
• Maintain a privacy incident log to spot trends and address recurring issues.
• Implement and enforce privacy-monitoring practices to detect and deter snooping.

Diane McLeod, Alberta’s Privacy Commissioner, highlighted an “alarming rise” in snooping incidents in health information systems. The OIPC’s 2023-2024 Annual Report revealed 14 potential breaches of the Health Information Act investigated by the Commissioner’s office, with hundreds more reported.

Commissioner’s Investigation

The OIPC has implemented a process to focus on high-priority breaches. Following its investigation, the Commissioner recommended charges under the Health Information Act (HIA).

Court’s Decision

In February 2025, the court sentenced the medical secretary, Kayla Satre, to a $2,000 fine for unauthorized access to health information, violating the HIA.

However, the Crown Attorney withdrew charges related to the unauthorized disclosure of health information.

Take-Aways

Snooping, the unauthorized access to health information, remains a persistent issue in healthcare. Here’s what you can do:

• Educate and remind your team regularly about the importance of patient privacy.
• Monitor system access proactively to detect and stop unauthorized activity.
• Share real-world examples like this one to drive home the importance of privacy compliance.

Protecting patient information isn’t just about compliance—it’s about trust. Share this example with your team and make privacy a daily priority!

Reference and Resources

Office of the Information and Privacy Commissioner of Alberta. Former Alberta Health Services employee fined for unauthorized disclosure of health information, February 6, 2025. https://oipc.ab.ca/former-alberta-health-services-employee-fined-for-unauthorized-disclosure-of-health-information/
