AI and Health Information

This article describes how OutSmart’s AI features handle patient health information, the privacy frameworks that apply across Canada and the United States, the safeguards OutSmart has in place, and a suggested paragraph you can add to your patient consent forms to inform patients that AI may be used in their care.

Why this matters

The privacy laws that apply to clinicians (HIPAA in the United States, PIPEDA federally in Canada, and the various provincial health-information laws) share a common principle: patients have the right to know how their information is being used and to give meaningful consent to that use. When a clinician starts using a new tool, especially one that processes information differently than the existing chart system, patients should be told what’s changing.

OutSmart’s AI features are exactly that kind of new tool. They process specific pieces of a patient’s record to draft letters, read lab reports, and produce clinical summaries. The processing happens on secure third-party computer systems, and depending on the specific AI service, those systems may be located in Canada, in the United States, or both. None of this violates the privacy frameworks in itself. But your patients need to be informed that it’s happening, the same way they’re informed about other handling of their health information.

This article walks through what those frameworks expect, what OutSmart does to meet those expectations, and the concrete step you can take in your own clinic: updating your consent form so patients are aware that AI is part of their care.

The privacy frameworks that apply

The frameworks below are the ones most commonly referenced by clinics using OutSmart. This is not a complete list, and provincial or state laws may add their own requirements on top.

HIPAA (United States)

The Health Insurance Portability and Accountability Act (HIPAA) is the federal law in the United States that governs how covered entities (healthcare providers, health plans, and clearinghouses) handle Protected Health Information (PHI). HIPAA’s Privacy Rule covers what can be disclosed and to whom. Its Security Rule sets out the technical, administrative, and physical safeguards required. When a covered entity uses a third-party technology provider that processes PHI on their behalf, HIPAA requires a Business Associate Agreement (BAA) between them, defining how the provider may use the information and what safeguards they must apply.

Many US states layer additional protections on top of HIPAA. Check your state law for anything HIPAA does not specifically address.

PIPEDA (Canada, federal)

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal law in Canada that governs the collection, use, and disclosure of personal information by private-sector organisations. PIPEDA applies in provinces without their own substantially similar private-sector privacy law, and in some inter-provincial and international contexts even in provinces that do have one.

PIPEDA’s principles include accountability, identifying purposes, consent, limiting use, safeguards, openness, individual access, and challenging compliance. For health information specifically, most Canadian provinces have their own dedicated health-privacy law that takes precedence within the province.

Provincial health-information laws (Canada)

Each province has its own health-information privacy law. The specifics vary, but they generally cover the same ground: consent, safeguards, transparency, individual access, and accountability for cross-border data handling. The most-cited examples:

Province	Law
Ontario	Personal Health Information Protection Act (PHIPA)
Quebec	Act respecting the protection of personal information in the private sector, modernised by Law 25 (formerly Bill 64)
Alberta	Health Information Act (HIA) + Personal Information Protection Act (PIPA)
British Columbia	Personal Information Protection Act (PIPA) + E-Health (Personal Health Information Access and Protection of Privacy) Act
Manitoba	Personal Health Information Act (PHIA)
Saskatchewan	Health Information Protection Act (HIPA)
Nova Scotia	Personal Health Information Act (PHIA)
New Brunswick	Personal Health Information Privacy and Access Act (PHIPAA)
Newfoundland and Labrador	Personal Health Information Act (PHIA)

Quebec’s framework in particular has stricter requirements around informing patients when their information may be transferred outside the province, and the suggested consent paragraph in this article was written with that in mind.

What the frameworks expect for AI

The laws above care about a few things that translate directly to how an AI feature should be handled:

Consent and transparency. Patients should be told that AI is being used in their care, what kind of information it processes, and where that processing may happen. Generic consent to the use of an electronic medical record isn’t sufficient on its own. Patients need to know about the AI specifically.
Reasonable safeguards. The information has to be protected against loss, theft, and unauthorised access through encryption, access controls, and contractual obligations on any third party that handles it.
Purpose limitation. The information should be used for the specific purpose the patient consented to. It shouldn’t be repurposed, for example used to train someone else’s general-purpose AI system, without explicit further consent.
Cross-border handling. When information crosses a border (notably from Canada into the United States), patients should be told, because the law that governs the information once it lands may differ from the law where it originated.
Accountability. The clinic (the “custodian” of the information in most provincial frameworks) remains responsible for the handling of the information, even when a third party does the actual processing on their behalf.

What OutSmart does to protect health information used by AI

The safeguards below are the ones OutSmart has in place for the AI features described elsewhere in this guide.

Written agreements with our AI providers. OutSmart has signed privacy and confidentiality agreements with the technology providers that operate our AI features. Where the provider supports a Business Associate Agreement for health information, that agreement is in place.
The AI providers cannot use your data to train their own AI systems. This is a contractual obligation in those agreements. The information you send to draft a letter or read a lab report is used to produce the result for you, and is not retained for the provider’s own model training.
Only task-specific information is processed. When you use Lab AI on a lab report, the lab document is what gets processed, not the patient’s full chart. When you use Patient Correspondence, the relevant parts of the chart and your letter-type choice plus any instructions you typed are processed, not every record in your account. Your full medical record stays in OutSmart.
We work to minimize patient-identifying information in AI processing. The principle is “minimum necessary for the task”. What gets sent to the AI is what the AI actually needs to produce a useful result, and no more. For tasks that don’t require a patient’s identity to produce a useful result, identifying details are kept out of what’s sent. For tasks where some patient context is unavoidable (a letter that names the patient, a lab document addressed to a specific patient), the AI is asked only to perform the specific task, not to retain or reason about the patient’s identity beyond that.
Encryption while information is in transit. Information sent to the AI service is encrypted in transit using current industry-standard protocols. Information stored within OutSmart is encrypted at rest.
Strict access controls. Only authorised systems and authorised personnel can access the information involved in AI processing. Access is logged and auditable.
Your full medical record stays in OutSmart, in its country of origin. The AI processing is short-lived and task-specific. The patient record itself is kept in the OutSmart account it has always been in, on the same infrastructure as the rest of your patient data.

For the broader privacy framework OutSmart operates under (including how we handle personal information more generally, how we contract with providers, and how we respond to access requests), see our Privacy Policy and Terms of Use.

Where AI processing happens

OutSmart’s AI features are operated on secure computer systems that may be located in Canada or the United States, depending on the specific feature and how the underlying service routes the request. Some processing happens on Canadian infrastructure. Some happens on United States infrastructure. Information processed in the United States is subject to United States law during that processing.

This is important for two reasons:

It doesn’t violate data-residency rules in itself. Most Canadian privacy frameworks allow personal health information to be processed outside the country, provided patients are informed and reasonable safeguards are in place. The safeguards listed above (written agreements, encryption, access control, no model training, your full record stays put) are designed to satisfy those expectations.
Patients should be told. Because cross-border processing is part of how the AI features work, telling your patients about it in your consent form is the right thing to do under almost every framework that applies.

The realistic picture: the world’s most capable AI infrastructure is geographically distributed, and even Canadian-headquartered AI providers route some processing through US data centres. Insisting on Canada-only processing means losing access to the best tools your clinic could use for your patients. The honest answer is to use the best tools, take real precautions, and tell your patients exactly what’s happening.

The most concrete step you can take in your clinic is to add a short paragraph about AI to your patient consent forms. Below is suggested wording you can use as a starting point.

Some tools within our service use artificial intelligence to help your healthcare provider work more efficiently, for example by helping to draft a letter or summarize information already in your record. Your provider always reviews this work before it is used or relied upon.

To make these tools work, the information needed for a specific task may be processed on secure computer systems located in Canada or the United States. Information processed in the United States may be subject to U.S. laws. We take measures to protect your information throughout this processing, including:

written privacy and confidentiality agreements with the technology providers who help operate these features, including a Business Associate Agreement (BAA) where it applies to health information;

encryption of information while it is transmitted and handled;

strict access controls limiting who and what can access the information.

The providers of these AI tools are not permitted to use your information to train their own AI systems. Your full medical record continues to be stored in its country of origin. If you have questions about how your provider uses these tools, please speak with your healthcare provider.

You can copy this paragraph directly into your existing consent forms, intake forms, or new-patient paperwork. Adjust the wording to match the rest of your form’s tone if you want to. The substance is what matters.

Common worries about AI and health information

When patients (and clinicians thinking through how to explain AI in their clinic) have worries about how AI handles health information, the same questions tend to come up. The honest answers to those worries are usually more reassuring than the worry itself, and it helps to know them in advance, both for your own peace of mind and for conversations with patients.

”Is the AI learning from my health information? Is my data being used to train AI models?”

No. The AI providers OutSmart uses are contractually prohibited from using your information to train their own AI models. The data sent for a specific clinical task (drafting a letter, reading a lab report, summarizing a chart entry) is used to produce the result for that task, and is not retained as training material for the provider’s general-purpose AI systems. This is a contractual commitment in our written agreements with those providers, not an informal assumption. A patient’s health information stays out of the model-training pipeline, full stop.

”Could the AI mix up my information with another patient’s?”

No. Each AI request is processed as a self-contained task tied to one specific patient record. The AI does not see other patients’ information when working on yours, and the output it produces is returned to your record only. There is no shared scratchpad where one patient’s data could leak into another’s.

”Could the AI accidentally expose my health information to people outside the clinic?”

No. The processing happens on systems with strict access controls, and the information is encrypted while it’s being transmitted and handled. The information is not posted to a public service, shared with another organisation, indexed by a search engine, or made visible to anyone outside the secured pipeline that performs the task. Only the systems specifically authorised to do the work can read the information involved.

”Does the AI know who I am? Is it building a profile of me?”

No. The AI does not maintain a persistent profile of any patient across visits. Each task starts fresh from the specific record information the clinician sends for that one task. There is no AI-side memory accumulating a picture of you over time, and the AI provider does not retain a patient-level dossier between requests.

”Could the AI make decisions about my care without my doctor?”

No. Every AI output is reviewed by your healthcare provider before it is used. Lab AI extracts test values from a lab report, but the practitioner reviews each extracted row and decides what to import. Patient Correspondence drafts the letter, but the practitioner edits, signs, and finalizes it. The AI is a starting point for mechanical work like transcribing values and drafting standard phrasing, and it saves time. Clinical judgement remains with your provider, where it belongs.

”What happens if there’s a security incident at the AI provider?”

The AI providers OutSmart uses are required by contract to maintain strong security around their systems and to notify us if a security event affects information we have sent them. Because the information sent for each task is limited to what’s needed for that task (not your full medical record), the scope of what any single incident could expose is also limited. Your full medical record continues to live in OutSmart’s own systems, in its country of origin, separate from the AI provider’s infrastructure.

”Can I refuse to have AI used in my care?”

Yes. The AI features are time-savers for clinicians. They are not required to provide care. A patient can ask their healthcare provider to draft their letters, read their lab reports, and prepare their notes without the AI assist. The work simply takes a bit longer. This is an entirely normal request and should not affect the quality of care a patient receives.

”Is my name and personal information sent to the AI provider?”

Only what the specific task requires. OutSmart follows the principle of sending the minimum information necessary for each task and nothing more. In practice this looks different depending on the task:

An AI-drafted Patient Correspondence letter is, by its nature, a letter about a patient, so the patient’s name and the relevant chart context are part of the task. The AI needs to know who the letter is about in order to write it. Information unrelated to the letter is not included.
A lab document being read by Lab AI is a document addressed to a specific patient. The lab report is sent to the AI as it appears, so the test values can be extracted. Like any lab report, it carries the patient’s identifying details on it. The AI is asked only to extract the test data. It is not asked to “remember” who the patient is or to do anything else with that identity.
Tasks that don’t need patient identity at all keep identifying details out of the information sent.

What stays constant across every AI task in OutSmart: the AI provider is contractually prohibited from using the information for any other purpose, the AI does not maintain a persistent record of any patient across requests, and your full medical record is not sent. Only the task-specific information is.

”Is my health information stored on the AI provider’s systems after the task is done?”

The agreements with our AI providers limit how the task-specific information can be retained and prohibit its use for any other purpose. Your full medical record stays in OutSmart, in its country of origin. Only the specific information needed for a specific AI task is sent to the AI provider, and only for the time it takes to do that task. The AI provider does not hold a copy of your medical record.

”Could my employer, insurance company, or anyone else get my health information from the AI?”

No. The AI providers do not share processed information with third parties. Your information is not packaged, sold, or made available to employers, insurance companies, marketing services, or any other outside organisation. The clinic remains the custodian of your record and remains in control of who has access to it, and that hasn’t changed with the use of AI tools.

”What if the AI gets something wrong?”

The AI’s job is to give your healthcare provider a starting point, not the final word. When Lab AI reads a lab report, the practitioner reviews each extracted value before it lands in the chart. When AI Letters drafts a referral, the practitioner reads, edits, and signs the letter before it is sent. The AI’s output is always treated as a draft to be checked, not as a finished record. If the AI got something wrong, the practitioner catches and corrects it before it affects care.

What to tell patients who ask

A patient who reads the paragraph above and wants to know more will usually have one of a few questions. Short answers you can give in the moment:

“Is my information being used to train AI?” No. The AI providers we use are contractually prohibited from using your information for their own model training.
“Where does the processing happen?” On secure systems in Canada or the United States, depending on the specific tool. The full medical record stays in OutSmart, in its country of origin.
“Can I opt out of AI tools?” Yes. You can ask your healthcare provider to draft letters and summarise records without the AI assist. The work simply takes a bit longer.
“Does this comply with HIPAA / PHIPA / [other law]?” The system is designed with the principles of those laws in mind, including written agreements with technology providers, encryption, and access controls. Your clinic’s privacy officer can answer specific compliance questions.

What this article does not cover

A few things deliberately outside the scope of this article:

Specific certifications, audit reports, and contract terms. If you need formal documentation (such as a BAA between your clinic and OutSmart, audit reports, or copies of vendor agreements) for your own compliance file, contact us at contact.outsmartemr.com and we can provide what’s appropriate for your jurisdiction.
Step-by-step guidance for any one province or state’s law. That requires a privacy officer or legal advisor who knows your specific situation.
The technical architecture of the AI features. This article describes the safeguards from a clinic-and-patient perspective. The underlying systems are documented for OutSmart’s internal use.

AI in OutSmart Overview. The family of AI features this article applies to.
Lab AI Overview. What information Lab AI processes.
AI Letters Overview. What information AI Letters processes.
Privacy Policy. OutSmart’s broader privacy framework.
Terms of Use. The terms under which OutSmart is provided.