Updated: May 2025
Freed’s Compliance with Canadian Privacy Laws with regard to Patient Health Information
Based on a legal review by attorneys in Canada, the following items should be noted with regard to Freed Inc.’s compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) as well as provincial laws and regulations in Canada.
Data residency
Privacy laws applicable to Freed in Canada do not prohibit personal information from being retained and stored outside of Canada, though the information is required to be sufficiently protected. Data security and encryption methods that comply with US SOC 2 and HIPAA standards are deemed to provide sufficient protection.
Consent
Privacy laws contain requirements regarding individual consent. Canadian customers of Freed are advised to obtain consent from their patients to use an AI scribe service. We can share a recommended best practice consent form if you’d like.
Breach notification
Canada’s PIPEDA and certain provincial privacy laws, such as Quebec’s, contain breach notification requirements.
Freed is required to provide US customers with breach notifications, and will do the same for Canadian customers.
Accountability
Privacy laws in Canada require designating an individual who is responsible for privacy compliance. Their name or title and contact information must be made publicly available. These laws also require developing and putting into practice policies and procedures to protect personal information and receive and respond to complaints.
Freed’s Chief Financial Officer and Chief Technology Officer together fulfill the role of Compliance Officer for the company. Their contact information is shared with Canadian customers.
Safeguards
Privacy laws, including PIPEDA, require Freed to use reasonable safeguards to protect personal information.
The safeguards should address physical security, technological security and administrative controls depending on the sensitivity of the information. Physical security includes restricting access to offices. Technological security includes using passwords and encryption. Administrative measures include limiting access on a "need to know" basis.
Freed is SOC 2 compliant, which means that it has undergone a rigorous assessment of its systems, policies and procedures and maintains a high level of information security. A detailed document covering our security protocols, encryption methods, technology infrastructure, and related items can be shared separately.
Retention
Privacy laws, including PIPEDA, require keeping personal information only for as long as necessary to meet the original purposes, unless longer retention is required for legal or business purposes.
Customers have the option to opt in to a record (AI-generated notes) retention period of 30 days. This retention period can be increased or decreased to any reasonable time period based on customer requirements.
Access and Correction
Under the privacy laws, individuals have a right to access their health records with some exceptions. Individuals may also request correction of their records.
Freed-generated patient Instructions (after-visit summaries) can be shared directly with patients. Patients would be able to contact their clinician to request edits, and the clinician can make the requested adjustments. This workflow meets the standards of Canadian authorities.
Unauthorized collection, use and disclosure
Certain privacy laws in Canada restrict service providers from collecting, using and disclosing personal health information for unauthorized purposes. Service providers are also restricted from knowingly altering, concealing, destroying or falsifying records.
Freed takes privacy seriously and takes measures to handle information in accordance with its obligations and privacy laws.
Freed complies with each of these requirements.