As AI scribes become part of clinical care, patients often ask thoughtful questions about where their data lives, who can see it, and how safe it really is. Addressing these concerns openly builds confidence and shows that patient privacy is a top priority.
How to Explain AI Scribes to Patients
When introducing AI scribes in your clinic, a clear and transparent explanation goes a long way toward building trust. Patients want to know what’s happening, why it’s used, and how their privacy is protected.
Here’s a framework clinicians can use:
- What it is: “This is an AI medical scribe. It helps capture our conversation and turn it into a medical note, so I can focus on you instead of typing.”
- My role: “I always review, edit, and sign the note. Nothing becomes part of your chart without my approval.”
- Privacy & security: “Your data is encrypted and stored in Canada, using the same secure cloud providers trusted by hospitals. No insurer, employer, or third party can access it without your consent.”
- Proven system: “These systems are already used in clinics and hospitals across Canada and the U.S. They’ve been tested and meet strict healthcare privacy standards.”
- Why it matters: “It reduces paperwork and frees up more time for me to focus on your care. It can also help generate a comprehensive patient educations handout for you to take home. ”
- Your choice: “If you have any questions or concerns, please let me know — I want you to feel comfortable with the tools we use.”
“Where exactly is my data stored? Is it on a local server in the clinic, or in the cloud?”
Response:
“That’s a very important question. By Canadian law, health information must be stored securely within Canada. The only province that specifically requires in-province storage is Quebec — which is why our cloud provider uses Canadian data centers, including in Quebec. Cloud storage in these facilities is actually more secure than a single office computer, because it includes hospital-grade safeguards like encryption, redundancy, continuous monitoring, and automatic backups.”
“What kind of certifications or compliance standards does this system meet?”
Response:
“Empathia is built on cloud infrastructure that is independently audited and certified to the highest international standards. These include:
- SOC 2 Type II (security, availability, confidentiality)
- HIPAA (U.S. health privacy law)
- PIPEDA & PHIPA (Canada federal & Ontario provincial privacy acts)
- PHIA (Personal Health Information Act)
- HIA (Alberta Health Information Act)
- FIPPA (British Columbia’s Freedom of Information and Protection of Privacy Act)
- GDPR (European Union privacy regulation)
By hosting data on AWS, Google Cloud, and Microsoft Azure in Canada — the same platforms trusted by hospitals and governments — Empathia ensures your information is protected with enterprise-grade compliance, redundancy, and 99.9999% uptime guarantees.”
“If the data is online, doesn’t that mean it could be hacked from anywhere in the world?”
Response:
“You’re right to point out that any connected system could be a target. What matters is the protection around it. Your data is encrypted both in transit and at rest, protected by multiple firewalls, and monitored 24/7. Empathia AI also applies security patches as soon as they are available. These layers make unauthorized access extremely difficult — it’s the same approach used by hospitals and health authorities in Canada.”
“Could insurers, employers, or other third parties ever get access to my data?”
Response:
“No. Only your care team can access your records. Insurers, employers, or any other third parties cannot see your data unless you provide explicit written consent. This is guaranteed by Canadian privacy laws such as PIPEDA, PHIPA, PHIA and HIA, and Empathia AI system is designed to enforce those protections.”
“If you only use my first name in the system, is that really safe? Don’t you still need unique identifiers?”
Response:
“Yes, in Empathia, using just a first name and age is often enough, as long as your physician can clearly tell which patient they’re documenting for. Unlike a full EMR, which always requires multiple unique identifiers, Empathia is designed to be flexible. Demographic details such as health card number or date of birth are optional, and can be added if your clinic prefers extra identifiers. The important part is that your information is linked correctly to you — and all data, whether minimal or detailed, is encrypted and stored securely in Canada.”
“I’ve seen news about big breaches, like LifeLabs or London Drugs. Could the same thing happen here?”
Response:
“Those incidents are reminders of how important strong safeguards are. Our system was designed with those lessons in mind. Data is stored only in Canada, access is strictly limited to your care team, and multiple layers of encryption and monitoring are in place. While no system is 100% risk-free, these protections significantly reduce the chances of a similar breach.”
“What if there’s a software bug or an update is missed — wouldn’t that create a security risk?”
Response:
“That’s an excellent point. Just like hospital EMRs, our system has a strict update process. Security patches are applied promptly, and monitoring runs 24/7 to detect and fix issues before they become vulnerabilities. This ongoing process helps ensure the system stays safe and reliable.”
Key Takeaways for Patients
- Canadian-only storage: Always stored securely in Canada; Quebec requires Quebec-based servers.
- Multi-layer security: Encryption, firewalls, monitoring, and prompt updates.
- Restricted access: Only your care team can access records — never insurers or employers without your consent.
- Secure identifiers: Records use encrypted health identifiers, not just names.
- Proven system: Already trusted by thousands of clinicians in Canada and beyond.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article