Privacy Horizon

Media Feature

Conducting an Artificial Intelligence Privacy Impact Assessment (PIA)

By Patrick Lo (CEO, Privacy Horizon) and Shirley Fenton (President, NIHI)
April 1, 2026

Originally published in Canadian Healthcare Technology — April 2026


Privacy Horizon's CEO, Patrick Lo, co-authored an article with Shirley Fenton — president of the National Institutes of Health Informatics (NIHI) and co-founder of Waterloo MedTech — in the April 2026 issue of Canadian Healthcare Technology. The piece examines how Canadian healthcare organizations can adopt artificial intelligence responsibly, with the Privacy Impact Assessment (PIA) as the central tool for protecting patient privacy.

The overview below is Privacy Horizon's own. To read the authors' article in full, download the official reprint or visit Canadian Healthcare Technology.

What the article covers

As AI moves from pilots into everyday clinical work, it raises privacy questions a well-run PIA is designed to answer. The authors set out what a PIA is, how an AI-focused assessment extends a traditional one, how buying AI differs from building it, and the growing body of Canadian and international guidance that now applies.

Why a PIA still matters as AI enters healthcare

Health information is among the most sensitive data an organization holds, and AI can magnify the risk: these systems operate at scale, can be difficult to interpret, and change over time as models are retrained or updated. A PIA gives leaders a structured way to document what data a system uses, the authority for using it, the risks it creates, and the safeguards in place — evidence of due diligence before a tool reaches patient care.

How an AI PIA differs from a standard one

An AI PIA rests on the same foundations as any PIA — mapping data flows, confirming legal authority, identifying risks, and planning mitigations — but widens the lens to risks specific to machine learning, including:

  • Training and secondary use — whether personal health information was used to train or tune a model, and under what authority.
  • Inference and re-identification — outputs that can reveal more about a person than the original inputs.
  • Transparency and explainability — clinicians and patients understanding what a system can and cannot do.
  • Bias and equity — monitoring performance across different patient populations.
  • Governance and ongoing change — managing model updates, drift, and accountability over time.

Buying AI vs. building it

A PIA is needed either way, but the focus shifts. For purchased or embedded AI, the emphasis falls on vendor due diligence and contractual controls — data residency, limits on secondary use, breach-notification terms, and audit rights. For systems built in-house, the organization carries more accountability, and the assessment extends across the development lifecycle, from data quality through testing, monitoring, and version control.

The Canadian guidance landscape

Canada has no dedicated federal AI statute yet, but PIA expectations already sit within existing privacy frameworks at several levels:

  • Federal — the Privacy Act and Treasury Board requirements, the Directive on Automated Decision-Making, OPC guidance on responsible AI, and the Pan-Canadian AI for Health (AI4H) principles.
  • Ontario — FIPPA and PHIPA obligations, with AI-specific guidance from the Information and Privacy Commissioner.
  • Alberta — guidance from the Office of the Information and Privacy Commissioner, including materials on AI scribes under the Health Information Act.
  • Quebec — the privacy impact assessment regime introduced under Law 25.
  • Professional and international — guidance from medical colleges, plus the OECD AI Principles and the EU AI Act.

How Privacy Horizon can help

Conducting AI Privacy Impact Assessments is core to our practice. If your organization is evaluating or deploying AI that touches personal or health information, we can run the assessment, map your data flows, and help you put the right safeguards and governance in place.

“Conducting an Artificial Intelligence Privacy Impact Assessment (PIA)” was written by Patrick Lo (CEO, Privacy Horizon) and Shirley Fenton (president, National Institutes of Health Informatics; co-founder, Waterloo MedTech), and published in the April 2026 issue of Canadian Healthcare Technology (canhealth.com). Read the authors' full article via the reprint below.
