How Long Can an AI Receptionist Retain PHI in Canada? PIPEDA & PHIPA Rules (2026)

Under PIPEDA, AI receptionists in Canada should retain PHI only as long as needed for the original purpose; PHIPA in Ontario requires destruction or de-identification once the retention period ends. Mihron AI defaults to a 90-day PHI retention window with full audit logs, giving you compliance confidence while protecting patient privacy.

The Short Answer: How Long Is Too Long?

There is no single "magic number" for PHI retention in Canada. Both PIPEDA (the federal privacy law) and PHIPA (Ontario's health information law) say the same thing: retain PHI only as long as reasonably necessary to fulfill the purpose you collected it for. Once that purpose is met, you must destroy or de-identify the data.

For most healthcare practices using an AI receptionist, this means 30 to 90 days. You need time to confirm appointments, send reminders, process billing, and handle disputes. After that window closes, keeping patient phone numbers, visit dates, or health notes becomes a compliance liability, not an asset.

Take-home: Retention is purpose-driven, not calendar-driven. Once the reason you collected the data is satisfied, delete it.

What PIPEDA Actually Says About Retention

PIPEDA is Canada's federal private-sector privacy law. It applies to most healthcare providers outside of provincial health systems (e.g., dental practices, physiotherapy clinics, private medical offices, and legal firms). PIPEDA's Principle 4.3.5 states that personal information must not be kept longer than necessary for the purposes identified.

PIPEDA doesn't specify "destroy within 30 days" or "90 days maximum." Instead, it requires organizations to be able to justify their retention period. If a regulator asks, "Why are you still holding Mrs. Chen's phone number from a 2024 appointment?" you need a documented, reasonable answer. "We forgot to delete it" is not acceptable.

Common justifiable reasons to extend retention include: active billing disputes, pending insurance claims, regulatory audits, or legal holds. Once the reason expires, the data must be destroyed. PIPEDA also requires you to have a retention schedule—a written policy that says when each type of data gets deleted—and to follow it.

PIPEDA requires a documented retention reason and a written schedule; vague or indefinite retention is a violation.

What PHIPA Requires for Ontario Health Information Custodians

PHIPA (Health Information Protection Act) is Ontario's law for health information custodians—hospitals, clinics, dental practices, and any organization that collects and stores health information. If your practice is in Ontario and uses an AI receptionist to collect patient health data (appointment history, insurance info, medical notes), PHIPA applies.

PHIPA's retention principle is similar to PIPEDA: health information must be retained only as long as reasonably necessary. However, PHIPA adds specific requirements for health information custodians: you must have a documented information retention and disposal policy, staff training, and you must be able to prove you followed the policy. The Information & Privacy Commissioner (IPC) of Ontario enforces PHIPA, and violations can result in investigation, corrective action orders, and fines.

PHIPA also requires you to implement reasonable safeguards to prevent unauthorized access to health information while it's in retention, and to dispose of it securely (not just delete it from a database—it must be shredded, burned, or irreversibly de-identified).

PHIPA demands a written retention policy, staff accountability, secure disposal, and ability to prove compliance to the IPC.

Quick Reference: PHI Retention Windows by Purpose

Purpose of data collection            | Typical retention period | Legal basis for extension
--------------------------------------|--------------------------|----------------------------------------------
Appointment confirmation (same day)   | 0–7 days                 | Delete after confirmation; no extension needed
Appointment recall reminders          | 30 days                  | Delete after visit scheduled or declined
Billing reconciliation                | 30–90 days               | Extend if dispute pending; document reason
Insurance claim processing            | 60–90 days               | Extend per insurer's settlement timeline
Follow-up treatment or care           | 30–90 days               | Extend only if active treatment ongoing
Regulatory audit or legal hold        | Until purpose ends       | Document request and expiration date

How Mihron AI Handles 90-Day Retention

Mihron AI's AI voice receptionist, Maya, collects patient information (name, phone, appointment date, reason for visit) during inbound calls. We retain that data in a secure, Canadian-hosted environment for 90 days. This window covers all typical use cases: appointment confirmations, recall reminders, billing disputes, and minor follow-ups.

After 90 days, all patient data is automatically purged from our systems unless you request a specific extension with a documented business reason. You retain full control: you can request manual deletion at any time via our admin dashboard, or extend retention if you have an outstanding legal or billing reason.

Every access, retention, and deletion event is logged. You can download audit reports to prove compliance to regulators or your privacy officer. We also provide a signed Data Processing Agreement (DPA) at no extra cost, which details exactly how we handle PHI and what obligations both parties have.

Pricing: Mihron AI's compliance features are included in all plans. Starter ($299 CAD/mo), Growth ($499 CAD/mo), and Enterprise plans all include 90-day retention, audit logs, and DPA.

Mihron AI's 90-day default is a compliance-first design; you control extensions and deletions, and every action is audited.

When You Can Extend Retention Legally

A 90-day window is standard, but it's not a hard rule. If you have a documented legal, business, or regulatory reason, you can extend retention. Examples include active billing disputes, pending insurance claims, regulatory audits, and legal holds.

The key is documentation. PIPEDA and PHIPA require you to be able to justify any retention beyond "reasonably necessary." A memo saying "extended due to outstanding claim #12345" is sufficient; vague notes like "might need it" are not.

Extensions are allowed if documented; undocumented indefinite retention is never defensible.

Risks of Getting Retention Wrong

Keeping PHI longer than necessary creates compliance and reputational risk: complaints to the privacy regulator, investigation, corrective action orders and fines, and potential lawsuits from patients whose information was kept beyond necessity.

Keeping PHI longer than necessary increases legal, financial, and reputational risk; deletion is cheaper than defense.

FAQ

What is the legal maximum PHI retention period under PIPEDA?

PIPEDA does not specify a fixed retention period. Instead, it requires that PHI be retained only as long as reasonably necessary to fulfill the original purpose of collection. Once that purpose is met, PHI must be destroyed or de-identified unless there is a legal obligation to retain it.

Does PHIPA have different retention rules than PIPEDA in Ontario?

Yes. PHIPA, Ontario's Health Information Protection Act, applies to health information custodians (hospitals, clinics, dental practices). It requires that health information be retained, used, and disclosed only as long as necessary for the purpose it was collected. Once the purpose is achieved, PHIPA mandates destruction or de-identification. The Information & Privacy Commissioner enforces PHIPA.

Why does Mihron AI use a 90-day PHI retention window?

Mihron AI's 90-day retention window is a conservative default that covers typical healthcare workflows: appointment confirmations, follow-up recalls, dispute resolution, and billing reconciliation. After 90 days, PHI is automatically purged unless you request an extension for a specific legal reason. This approach balances compliance with operational needs and minimizes data breach risk.

Can I extend PHI retention beyond 90 days legally?

Yes, if there is a documented legal or business reason. Common examples include: outstanding billing disputes (up to collection period), active litigation, regulatory audits, or contractual obligations. Under PIPEDA and PHIPA, you must document the reason and destroy PHI once the reason no longer applies.

What happens if we don't delete PHI within a reasonable timeframe?

Violations of PIPEDA retention rules can result in complaints to the Privacy Commissioner of Canada, investigation, mandatory corrective action, and reputational damage. PHIPA violations in Ontario can trigger investigations by the Information & Privacy Commissioner. Both laws also expose you to potential lawsuits from patients whose information was retained beyond necessity.

Does Mihron AI provide audit logs to prove PHI was deleted?

Yes. Mihron AI maintains full audit logs of all PHI access, retention, and deletion events. These logs are accessible via your admin dashboard and support compliance audits by regulators or your organization's privacy officer. We also provide a signed Data Processing Agreement (DPA) at no extra cost, which details our obligations as a data processor.

Are there sector-specific retention rules I need to know about?

Yes. Dental practices follow provincial retention rules (PHIPA in Ontario, similar laws in other provinces). Legal firms handling client data may have longer retention obligations under provincial law. Insurance and billing disputes can extend retention obligations. You should verify your specific sector's rules with a privacy lawyer or your regulator to ensure Mihron AI's defaults align with your obligations.

Do I need a Data Processing Agreement (DPA) with Mihron AI?

Yes. When you collect PHI through Mihron AI's voice receptionist, we act as a data processor on your behalf. Mihron AI provides a signed DPA at no additional cost, which details how PHI is handled, retained, secured, and deleted. This DPA is a PIPEDA and PHIPA requirement for any organization handling personal or health information.

Ready to Add Compliant AI to Your Practice?

Book a Demo and See 90-Day Retention in Action

Mihron AI's Maya receptionist is built for Canadian healthcare from the ground up. PIPEDA and PHIPA compliance, 24-hour setup, bilingual support, and full audit logs—no hidden vendor black boxes.


Questions about compliance? Contact Mihron AI at [email protected] or call +1-437-367-8009. We're happy to review your retention requirements and show you how our 90-day default fits your workflow.