Compliance Centre · Template

Privacy Impact Assessment template

A working structure for assessing DirectScribe in your practice, aligned to the Ontario Information and Privacy Commissioner's AI-scribe guidance (January 2026). Copy it, fill in each prompt, and adapt it to your province.

1. Tool overview and purpose

Prompt: Describe the tool, why you are using it, and its scope.

DirectScribe reference you can cite: DirectScribe is a Mac-native dictation tool. The physician dictates; the audio is transcribed by a chosen cloud vendor and shaped into the physician's own note templates by a chosen intelligence vendor; the physician reviews and pastes the note into the EMR. Only the physician's voice is recorded — it is not an ambient scribe, and the patient is not recorded. There is no DirectScribe server.

2. Data inventory and flows

Prompt: List each data element, where it originates, where it is sent, and how long it is kept.

Complete for your configuration.
Data elementOriginSent toRetained
Physician voice recordingYour MacChosen STT vendor (TLS)Your window; session-end delete
Transcript textSTT vendor resultChosen intelligence vendor (or local LM Studio)Your window
Generated noteIntelligence vendorStays on your Mac → you paste into the EMRYour window
API keysYoumacOS Keychain (local)Until you remove them
Audit log (PHI-free)The appLocal only; never sweptRetained

3. Legal authority, consent and transparency

Prompt: State your authority to collect and use the information, and how patients are informed. Reference PHIPA (or your provincial equivalent) and PIPEDA. Describe your consent/notice approach and record where it is documented.

Use the patient-consent wording as a starting point and adapt it to your college's requirements.

4. Vendors and agreements

Prompt: Record each vendor, its role, data region, and the status of any signed agreement (BAA / data-processing agreement). Do not send patient-derived data to a vendor before the agreement your assessment requires is in place.

Confirm current terms directly with each vendor — see the vendor guides.
VendorRoleAgreement status to confirm
DeepgramTranscriptionBAA on request
ElevenLabsTranscriptionBAA on enterprise plans only
OpenAIIntelligenceBAA by email to individuals
AnthropicIntelligenceSmall-customer BAA status being verified — treat as conditional
LM StudioIntelligence (local)No external vendor; no agreement needed
AWS Transcribe MedicalTranscription (coming soon)AWS BAA via Artifact; ca-central-1

5. Retention and disposal

Prompt: State your retention window and disposal method, and reconcile them with your record-keeping obligations (your EMR — not DirectScribe — is your medical-record system).

Reference: DirectScribe retains for 7, 30, or 90 days plus an on-demand session-end delete. Disposal means deleted from the file system on your schedule; FileVault protects residual storage; backups you configure may retain copies. The audit log evidences the deletion action.

6. Technical and administrative safeguards

Prompt: Document your safeguards. Reference the clinic-responsibility checklist and confirm each item.

  • FileVault full-disk encryption enabled on the Mac.
  • API keys in the macOS Keychain; app runs sandboxed.
  • Encrypted (TLS) transport to vendors; local models kept to loopback.
  • PHI-free, tamper-evident audit log of transmissions and deletions.
  • Screen lock, strong login, and physical device security.

7. Risk register

Prompt: Identify risks, rate likelihood and impact, record mitigations and residual risk.

Example risks to adapt.
RiskMitigationResidual (you assess)
Audio processed by a cloud STT vendorChoose a vendor with acceptable terms; sign an agreement where required
Deleted data residue on APFSFileVault; Time Machine exclusion; deliberate backup policy
Local model port unauthenticated (LM Studio)Enable the bearer token; loopback-only; response-shape check
Lost or stolen MacFileVault; screen lock; short retention window

8. Roles and accountability

Prompt: Name the health-information custodian (typically you), anyone with device access, and who is accountable for the safeguards and this assessment.

9. Review, approval and sign-off

Prompt: Record who reviewed and approved this PIA, the date, and the next review date. Re-review when a vendor, your retention settings, or the regulator's guidance changes.