Compliance Centre · Template
Privacy Impact Assessment template
A working structure for assessing DirectScribe in your practice, aligned to the Ontario Information and Privacy Commissioner's AI-scribe guidance (January 2026). Copy it, fill in each prompt, and adapt it to your province.
Not legal advice
This template is general information, not legal advice, and is not a completed assessment. Read the primary source — the Ontario IPC AI-scribe guidance — and your own province's regulator and college guidance, and involve a privacy advisor. You remain the health-information custodian.
Sections
1. Tool overview and purpose
Prompt: Describe the tool, why you are using it, and its scope.
DirectScribe reference you can cite: DirectScribe is a Mac-native dictation tool. The physician dictates; the audio is transcribed by a chosen cloud vendor and shaped into the physician's own note templates by a chosen intelligence vendor; the physician reviews and pastes the note into the EMR. Only the physician's voice is recorded — it is not an ambient scribe, and the patient is not recorded. There is no DirectScribe server.
2. Data inventory and flows
Prompt: List each data element, where it originates, where it is sent, and how long it is kept.
| Data element | Origin | Sent to | Retained |
|---|---|---|---|
| Physician voice recording | Your Mac | Chosen STT vendor (TLS) | Your window; session-end delete |
| Transcript text | STT vendor result | Chosen intelligence vendor (or local LM Studio) | Your window |
| Generated note | Intelligence vendor | Stays on your Mac → you paste into the EMR | Your window |
| API keys | You | macOS Keychain (local) | Until you remove them |
| Audit log (PHI-free) | The app | Local only; never swept | Retained |
3. Legal authority, consent and transparency
Prompt: State your authority to collect and use the information, and how patients are informed. Reference PHIPA (or your provincial equivalent) and PIPEDA. Describe your consent/notice approach and record where it is documented.
Use the patient-consent wording as a starting point and adapt it to your college's requirements.
4. Vendors and agreements
Prompt: Record each vendor, its role, data region, and the status of any signed agreement (BAA / data-processing agreement). Do not send patient-derived data to a vendor before the agreement your assessment requires is in place.
| Vendor | Role | Agreement status to confirm |
|---|---|---|
| Deepgram | Transcription | BAA on request |
| ElevenLabs | Transcription | BAA on enterprise plans only |
| OpenAI | Intelligence | BAA by email to individuals |
| Anthropic | Intelligence | Small-customer BAA status being verified — treat as conditional |
| LM Studio | Intelligence (local) | No external vendor; no agreement needed |
| AWS Transcribe Medical | Transcription (coming soon) | AWS BAA via Artifact; ca-central-1 |
5. Retention and disposal
Prompt: State your retention window and disposal method, and reconcile them with your record-keeping obligations (your EMR — not DirectScribe — is your medical-record system).
Reference: DirectScribe retains for 7, 30, or 90 days plus an on-demand session-end delete. Disposal means deleted from the file system on your schedule; FileVault protects residual storage; backups you configure may retain copies. The audit log evidences the deletion action.
6. Technical and administrative safeguards
Prompt: Document your safeguards. Reference the clinic-responsibility checklist and confirm each item.
- FileVault full-disk encryption enabled on the Mac.
- API keys in the macOS Keychain; app runs sandboxed.
- Encrypted (TLS) transport to vendors; local models kept to loopback.
- PHI-free, tamper-evident audit log of transmissions and deletions.
- Screen lock, strong login, and physical device security.
7. Risk register
Prompt: Identify risks, rate likelihood and impact, record mitigations and residual risk.
| Risk | Mitigation | Residual (you assess) |
|---|---|---|
| Audio processed by a cloud STT vendor | Choose a vendor with acceptable terms; sign an agreement where required | — |
| Deleted data residue on APFS | FileVault; Time Machine exclusion; deliberate backup policy | — |
| Local model port unauthenticated (LM Studio) | Enable the bearer token; loopback-only; response-shape check | — |
| Lost or stolen Mac | FileVault; screen lock; short retention window | — |
8. Roles and accountability
Prompt: Name the health-information custodian (typically you), anyone with device access, and who is accountable for the safeguards and this assessment.
9. Review, approval and sign-off
Prompt: Record who reviewed and approved this PIA, the date, and the next review date. Re-review when a vendor, your retention settings, or the regulator's guidance changes.