If you're a regulated health professional in Ontario, PHIPA governs every tool that touches patient data — including your phone system. Here's what you need to know, and how Vocatively keeps you compliant.
Personal Health Information Protection Act, 2004
Health Insurance Portability and Accountability Act, 1996
The bottom line: HIPAA compliance alone is not sufficient for Ontario practices. PHIPA's data residency requirement means your tools must store patient data in Canada — and most US-based AI receptionist providers do not.
PHIPA applies to every "health information custodian" in Ontario. This includes:
Plus hospitals, labs, pharmacies, community health centres, and any person or organization described in PHIPA Section 3(1).
All data is stored in DigitalOcean Toronto (TOR1), ca-central region. No patient data crosses the border. This meets PHIPA Section 10(3) without requiring patient consent for cross-border transfer.
Raw call transcripts and audio recordings are never stored. Vapi transcript storage and recording are disabled in code. Only structured metadata is retained.
Caller phone numbers are HMAC-SHA256 hashed before storage. The raw number is never persisted — even our team cannot reverse the hash to identify callers.
Email notifications contain only contact information and a generic call type. All detailed call content is accessible only through your authenticated, encrypted dashboard.
Detailed call records are anonymized after 90 days. Anonymized analytics are retained for account-level trends. Aggregate statistics (no PII) are retained indefinitely for industry research. PHIPA's data minimization principle is enforced by design, not policy.
A full data flow document describing how patient data moves through Vocatively is available upon request. Transparency is a core part of PHIPA compliance.
PHIPA (Personal Health Information Protection Act, 2004) is Ontario's health privacy law. It applies to every health information custodian in Ontario — including dentists, chiropractors, physiotherapists, optometrists, naturopaths, RMTs, physicians, and other regulated health professionals. If your practice collects, uses, or discloses personal health information, PHIPA governs how you must handle that data.
HIPAA is the US federal health privacy law; PHIPA is Ontario-specific and in many ways stricter. The key difference: PHIPA requires that personal health information about Ontario residents be stored in Canada unless the individual consents to cross-border transfer (Section 10(3)). HIPAA has no equivalent data residency requirement. Both require encryption, access controls, and breach notification — but PHIPA's data residency rule means US-hosted tools may not be compliant for Ontario practices without explicit patient consent.
Yes. All Vocatively data is stored in Canadian data centres (Toronto, ca-central). Our primary database is hosted in DigitalOcean Toronto (TOR1). No patient data is transferred to or stored in the United States. This meets PHIPA Section 10(3) data residency requirements without needing patient consent for cross-border transfer.
Vocatively minimizes data collection by design. We do not store raw call transcripts or audio recordings. Caller phone numbers are cryptographically hashed (HMAC-SHA256) — even our team cannot reverse them. We store only structured call metadata: duration, category, sentiment, and an AI-generated summary. Email notifications contain only contact information and a generic call type — never protected health information.
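The keyed-hash approach described above and in the feature list, as an added illustration that is not Vocatively's own code: the number is canonicalized first so that the same caller always maps to the same token, and the HMAC key (a constructed demo value here) is what stops anyone without it from recovering a number by hashing every candidate in the small phone-number space.

```python
import hashlib
import hmac
import re
import secrets


def normalize_phone(raw: str, default_country: str = "1") -> str:
    """Canonicalize a North American number to E.164 (+1NNNNNNNNNN).

    "(416) 555-0199", "416-555-0199" and "+1 416 555 0199" must all yield
    the same token, otherwise repeat callers cannot be linked.
    """
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = default_country + digits
    if len(digits) != 11 or not digits.startswith(default_country):
        raise ValueError(f"unsupported phone number: {raw!r}")
    return "+" + digits


def pseudonymize_phone(raw: str, key: bytes) -> str:
    """HMAC-SHA256 of the canonical number, returned as a hex token.

    There are only ~10^10 ten-digit numbers, so an unkeyed SHA-256 could be
    inverted by hashing every candidate. The secret key is the only thing
    preventing that, so it must live outside the database holding the
    tokens (e.g. in a secrets manager), never beside them.
    """
    canonical = normalize_phone(raw).encode("ascii")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def tokens_match(token_a: str, token_b: str) -> bool:
    """Constant-time comparison, so lookups don't leak via timing."""
    return hmac.compare_digest(token_a, token_b)


if __name__ == "__main__":
    # Constructed demo key; a real deployment loads it from a secrets store.
    demo_key = secrets.token_bytes(32)
    for sample in ["(416) 555-0199", "416-555-0199", "+1 416 555 0199"]:
        print(sample, "->", pseudonymize_phone(sample, demo_key))
```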
Yes. PIPEDA (Personal Information Protection and Electronic Documents Act) is Canada's federal privacy law for private-sector organizations. PHIPA specifically governs personal health information in Ontario and takes precedence for health information custodians. Vocatively complies with both — PHIPA for Ontario health data and PIPEDA for general personal information across Canada.
Join Ontario practices already using Vocatively for PHIPA-compliant call handling.