Qurvia’s Compliance with Canadian Privacy Laws

At Qurvia, protecting patient privacy isn’t limited to the U.S.—we are equally committed to following Canadian privacy laws and standards. Our practices align with the Personal Information Protection and Electronic Documents Act (PIPEDA), as well as applicable provincial regulations, so clinicians and patients in Canada can use Qurvia with confidence.

Data Residency

Canadian privacy laws do not require personal information to stay within Canada, but they do require strong protection when data is stored elsewhere. Qurvia meets this requirement by using security and encryption methods that comply with both HIPAA and SOC 2 standards.

Consent

Canadian law requires that patients provide informed consent before their data is used. Qurvia recommends that Canadian clinicians obtain consent from patients before using our AI scribe service. We can provide a best practice consent form to support this process.

Breach Notification

  • Canadian laws such as PIPEDA (and provincial rules like Quebec’s) require notification if a data breach occurs.

  • Qurvia already follows these requirements for U.S. customers and will extend the same standard to Canadian customers.

Accountability

Privacy regulations in Canada require each organization to appoint a responsible individual for compliance. At Qurvia, our Chief Technology Officer (CTO) and Chief Financial Officer (CFO) jointly serve as Compliance Officers. Their role is to ensure we follow privacy obligations, and their contact information is available to Canadian customers.

Safeguards

PIPEDA and provincial laws require that personal information be protected with physical, technological, and administrative safeguards:

  • Physical security: Restricted access to offices and secure facilities.

  • Technological security: Encryption, strong passwords, and access controls.

  • Administrative safeguards: “Need-to-know” access policies that limit exposure of sensitive data.

Qurvia is SOC 2 compliant, meaning our systems, policies, and procedures have undergone rigorous third-party review. A detailed overview of our safeguards and protocols can be shared with Canadian customers upon request.

Retention

Canadian law requires that personal information only be kept as long as necessary for its intended purpose. Qurvia supports flexible retention settings:

  • By default, AI-generated notes are retained for 30 days.

  • Customers may increase or decrease this period as needed for clinical, business, or legal purposes.

Access and Correction

Canadian patients have the right to access their health records and request corrections. Qurvia makes this possible by allowing:

  • Sharing after-visit summaries directly with patients.

  • Edits and corrections through the patient’s clinician, ensuring accuracy and compliance with Canadian standards.

Proper Use of Information

Canadian laws restrict the collection, use, and disclosure of patient health information to only authorized purposes. They also prohibit altering, concealing, or destroying records improperly.

Qurvia strictly follows these requirements. We never use protected health information for unauthorized purposes, and we handle data with the highest levels of integrity.

🔒 Our Commitment
Qurvia complies fully with Canadian privacy laws and safeguards personal health information with the same care and transparency we bring to our HIPAA-compliant services.