Law 25 and AI: what your clinic must know about patient data
Why it matters
The moment a tool handles a patient's name, phone number, or reason for calling, it is processing personal information. And in a clinic, that information is rarely trivial: "I'd like an appointment for back pain" is already health-related.
In Quebec, all of this is governed by Law 25, the reform of personal-information protection that came into force in stages between 2022 and 2024. It applies to every private enterprise — including your clinic, whatever its size or discipline.
So when the time comes to choose an AI receptionist, compliance is not a legal footnote. It is a selection criterion, right alongside voice quality and price. The good news: validating a vendor's compliance is not complicated if you know what to ask. This article gives you the checklist.
Law 25 in a nutshell
Without turning this into a law course, three ideas cover what concerns you:
- You are accountable. By default, the person with the highest authority in the business — often the clinic owner — is responsible for the protection of personal information. That responsibility can be delegated in writing, but it never disappears.
- There are concrete obligations. A published privacy policy, a confidentiality-incident register, reporting serious incidents to the Commission d'accès à l'information (CAI), and answering patients' access and correction requests.
- The penalties are real. The law provides for administrative and penal sanctions that can be heavy. Without being dramatic: this is no longer a symbolic text. It is a framework the CAI enforces.
What changes when an AI answers your phone
Take a concrete scenario. Mrs. Tremblay calls your dental clinic on a Tuesday evening, after closing. The AI agent answers, takes her name and number, understands she wants a cleaning, offers Thursday at 2 p.m., confirms the appointment, and sends a reminder text.
In three minutes, the tool has processed: an identity, contact details, a reason for the visit, an audio recording, and a transcript of the conversation.
The obvious questions follow:
- Where does that recording go?
- Who can read the transcript, and how long is it kept?
- Which subprocessors are in the chain (speech recognition, voice synthesis, telephony)?
- Does the vendor reuse these conversations to train its models?
Law 25 does not forbid you from using AI. It requires you to be able to answer these questions before plugging the tool into your phone line.
The principles that directly concern you
- Controller vs processor. The clinic remains responsible for its patients' data. The AI vendor acts as a processor and must commit by contract — the data-processing agreement — to protect that data, not use it for other purposes, and notify you of any incident.
- Minimization. Collect only what is needed to deliver the service: booking an appointment requires a name, a number, and a reason. Not a full medical history.
- Transparency and consent. Your patients must be able to know how their information is used. Your privacy policy should reflect the tools you actually use.
- Security and data location. The law requires reasonable security measures: encryption, strict access control. And before communicating personal information outside Quebec, it asks you to assess whether the information will receive adequate protection. Concretely: know where your vendor's database lives, and which subprocessors handle what, where.
- Individual rights. Access, correction, and deletion of their information on request. Your vendor must be able to execute those requests, not just talk about them.
- Confidentiality incidents. Keep a register, and report any incident presenting a risk of serious harm to the CAI. Your processing agreement should require the vendor to notify you quickly.
The 7 questions to ask any AI vendor
Before signing with any service — ours included — ask these questions in writing:
- Where is your database located? Look for a precise answer, not "in the cloud."
- Who are your subprocessors and where do they process data? Voice processing (transcription, synthesis) often runs through third-party services. A serious vendor names them.
- Do you sign a data-processing agreement compliant with Law 25?
- Is the data encrypted, in transit and at rest?
- How long do you keep recordings and transcripts, and is the purge automatic?
- Can you delete a patient's information on request, within a reasonable time?
- Do you use our conversations to train your AI models?
If a vendor hesitates, stays vague, or answers "we'll check" to more than one of these questions, that is a red flag. These answers should be written down somewhere, publicly.
Reassuring answers vs red flags
| Question | Reassuring answer | Red flag |
|---|---|---|
| Database location | Precise place named (e.g. "in Canada, Montreal region") | "In the cloud," no specifics |
| Subprocessors | Named, kept up to date in the privacy policy | "That's confidential" |
| Processing agreement | Ready-to-sign document, provided on request | "Our terms of service cover it" |
| Retention | Precise duration, automatic purge | "Indefinitely," or no answer |
| Deletion on request | Clear procedure with a timeline | "Email support," no commitment |
| Model training | No, or explicit consent required | Silence or an evasive answer |
Common objections
"We're a small clinic, Law 25 doesn't apply to us." False. The law applies to every private enterprise that collects personal information, with no size threshold. The measures expected are proportional to your activities, but the core obligations — a designated privacy officer, a policy, an incident register — apply to a solo practice as much as to a network.
"The vendor is responsible, not us." No. The vendor is a processor; you remain accountable to your patients and to the CAI. That is exactly why the processing agreement exists: it puts in writing what the vendor does on your behalf.
"Our current voicemail is fine, we're not changing anything." Your voicemail also records personal information, often with no defined retention period and no access control. The real question is not "AI or no AI" — it is: do you know where the data goes? A serious AI vendor documents all of this in black and white, often better than an answering machine or a generic call centre. For the broader comparison between options, see AI receptionist vs secretary.
"Compliance will get expensive." Asking the seven questions above costs one email. What gets expensive is a badly handled confidentiality incident, or a tool chosen blindly that has to be unplugged six months later.
How Allô Clinique handles it
Allô Clinique was built in Quebec, for Quebec clinics. Here is how we answer our own checklist, plainly:
- Database hosted in Montreal (AWS ca-central-1).
- Data encryption, in transit and at rest.
- Voice-processing subprocessors documented. Speech recognition and voice synthesis rely on specialized services; they are named in our privacy policy. We would rather say so clearly than pretend nothing ever leaves the country.
- Transcripts purged after 12 months. Not an intention — an enforced rule.
- Data-processing agreement available for your compliance file.
- Minimization. The agent collects what it takes to book the appointment — name, number, reason, availability — nothing more.
We genuinely invite you to run us through the seven-question test, like any other vendor.
Mini-FAQ
Does Law 25 apply to my clinic even with three employees?
Yes. It applies to every private enterprise, regardless of size. The measures expected are proportional to your activities, but the core obligations remain: a designated privacy officer, a privacy policy, an incident register.
Can an AI receptionist be used in compliance with Law 25?
Yes — provided you choose a transparent vendor: a precise database location, documented subprocessors, a signed processing agreement, clear retention periods. It is a verification exercise, not a roadblock.
Do I have to tell my patients that an AI answers the phone?
Transparency is the safe path. Update your privacy policy to reflect the tool, and favour an agent that introduces itself as a virtual assistant rather than passing itself off as human.
What happens to call transcripts at Allô Clinique?
They let you see the detail of every call in your dashboard, then they are purged after 12 months. The full detail is in our privacy policy.
Who is responsible if an incident happens at the vendor?
The clinic remains accountable to its patients; the vendor must notify you and cooperate. That is why a processing agreement that spells out incident notification matters so much.
Check for yourself
The best way to judge a tool is to try it and read its documentation — not its slogans. Call our demo agent at 438 815 6477 (it answers in English and French), book a mock appointment, then compare our privacy policy with any other vendor's.
And if your clinic wants to answer calls 24/7 without hiring while keeping control of its data, our design partner program offers 3 months free to 3 pilot clinics: become a pilot clinic.