PIPEDA, the Personal Information Protection and Electronic Documents Act, is Canada’s federal privacy law governing how private-sector organizations collect, use, and disclose personal information in the course of commercial activity. Every Canadian dental clinic that collects patient information is subject to PIPEDA, which means every clinic that stores names, phone numbers, health histories, or appointment records.
Non-compliance with PIPEDA carries real consequences: investigations by the Office of the Privacy Commissioner of Canada (OPC), public findings that name your practice, and fines of up to $100,000 CAD for intentional violations. More practically, a privacy breach that exposes patient data will damage patient trust faster than almost any other incident.
This guide explains what the 10 PIPEDA principles mean for your dental practice, what they require from your recall and communication software, and how to audit your current setup.
The 10 PIPEDA Principles and What They Mean for Dental Practices
PIPEDA is built on 10 fair information principles that define how your practice must handle patient data, from the moment it is collected through to its secure deletion. Here is what each principle requires specifically from your recall and communication system.
Accountability
Designate a privacy officer and ensure all third-party recall software vendors have a signed Data Processing Agreement (DPA) in place.
Identifying Purposes
State on your intake form that patient contact information is collected to send appointment reminders, recall notices, and practice communications.
Consent
Obtain implied consent for transactional recall messages and express opt-in consent for any marketing or promotional SMS and email campaigns.
Limiting Collection
Collect only what recall software needs: name, phone, email, and appointment history. Health card numbers and clinical notes stay in your PMS, not your recall platform.
Limiting Use, Disclosure, and Retention
Use patient contact data only for recall purposes. Never share or sell it to third parties. Delete it when the patient relationship ends.
Accuracy
Keep phone numbers and email addresses current in your recall system, and remove patients who have opted out from all automated communication lists immediately.
Safeguards
Your recall software must encrypt data at rest and in transit, apply access controls, and have a documented breach detection and response process.
Openness
Maintain a plain-language privacy policy that covers what you collect, why, how it is stored, and who can access it, and make it available to patients on request.
Individual Access
Respond to patient data access requests within 30 days, and establish an internal process for handling them before you receive your first request.
Challenging Compliance
Provide a clear path for patients to challenge your privacy practices, whether through your designated privacy officer or a complaint filed with the OPC.
Among these principles, Accountability and Consent are the most commonly violated by dental recall systems. Accountability failures typically involve using a vendor with no DPA. Consent failures typically involve continuing to send automated messages to patients who have replied STOP.
Important
Non-compliance with PIPEDA can result in fines up to $100,000 CAD per violation. The Office of the Privacy Commissioner (OPC) has the authority to audit dental practices and publish findings publicly, meaning your clinic’s name can appear in a federal enforcement report visible to prospective patients.
DentRecall is built PIPEDA-compliant from the ground up
Express SMS consent capture, STOP opt-out handling, and Canadian data storage: every principle covered, no configuration needed.
PIPEDA and Recall Software: The Key Requirements
When evaluating recall software for PIPEDA compliance, confirm the following:
- Data residency: Patient data should be stored in Canada or a country with equivalent privacy protections. US-based storage is generally acceptable under PIPEDA as long as proper contractual safeguards are in place, but Canadian storage eliminates ambiguity.
- Consent tracking: The platform must track opt-out requests at the patient level and suppress automated messages immediately upon receiving a STOP or unsubscribe request.
- Data minimization: The platform should store only the minimum necessary patient data: name, contact info, and appointment history. Clinical health information should not be required by the recall platform.
- Breach notification: The vendor must have a breach response process and must notify you promptly of any security incident that affects your patient data.
- Data deletion: You must be able to delete a patient’s data upon request without needing to contact the vendor.
| Requirement | What It Means | DentRecall Does This? |
|---|---|---|
| Collect SMS consent | Explicit opt-in before first SMS | ✓ Yes |
| Honor STOP requests | Remove from sends immediately | ✓ Yes |
| Store data in Canada/US (not China) | AI provider must be PIPEDA-safe | ✓ Yes (US/EU infrastructure) |
| Limit data collection | Only name, phone, appt date needed | ✓ Yes |
| Provide data access | Patients can request their records | ✓ Yes |
Key Insight
DentRecall uses an encrypted cloud database (encrypted at rest), TLS for all data in transit, and row-level security to ensure patient data from one clinic is never accessible to another. AI features run on US/EU cloud infrastructure, PIPEDA-safe by design.
PIPEDA vs. HIPAA: Do You Need Both?
Canadian dental practices are subject to PIPEDA. HIPAA is a US regulation that applies to US healthcare providers and their business associates. If you treat any patients who are covered by US health insurance plans, or if your software vendor is a US-based “business associate” under HIPAA definitions, HIPAA-aligned practices become relevant.
| | PIPEDA (Canada) | HIPAA (USA) |
|---|---|---|
| Applies to | All private-sector orgs | Healthcare covered entities |
| Consent required | Yes | Limited (treatment purposes exempt) |
| Breach notification | Required | Required within 60 days |
| Patient data access | Must provide on request | Must provide within 30 days |
| Enforcement | OPC + Federal Court | HHS Office for Civil Rights |
| Max fine | $100,000/violation | $1.9M/violation category |
| Do Canadian clinics need it? | Yes | Only if treating US patients |
Most Canadian dental clinics need PIPEDA compliance only. Practices with significant cross-border patient populations or US insurance billing relationships should consult a privacy lawyer about their specific obligations.
DentRecall is built to PIPEDA standards for Canadian practices and is HIPAA-aligned for US practices, allowing it to serve clinics on both sides of the border without requiring separate platform configurations.
Switching from a non-compliant recall system?
DentRecall replaces spreadsheets and manual follow-ups with an automated, PIPEDA-ready system. Concierge migration included for Founding 30 clinics.
How to Audit Your Current Recall Setup for PIPEDA
This is a practical audit you can complete in under two hours: work through each item with your office manager and your recall software vendor. Flag any item you cannot confirm as a compliance gap requiring immediate attention.
- List every platform that stores or processes patient contact information: your PMS, recall software, email platform, and billing system.
- Confirm each vendor has a Data Processing Agreement or Privacy Policy that commits them to PIPEDA-compatible practices.
- Review your patient intake form to confirm it clearly identifies the purpose for collecting contact information rather than burying it in fine print.
- Test your STOP opt-out process: send a test SMS from your recall system, reply STOP, and verify the patient is suppressed immediately with no further automated messages.
- Confirm you have a written privacy policy in plain language that covers your digital communication practices and is accessible to patients on request.
- Verify your recall software does not require clinical health information (health card numbers, diagnoses, treatment notes) and stores only name, contact info, and appointment history.
- Check whether your recall software vendor sells or shares anonymized patient data with third parties; ask the vendor directly and get the answer in writing.
- Confirm your designated privacy officer is documented internally and that staff know to whom a data access request or breach should be escalated.
- Verify that any AI features in your recall platform use infrastructure based in Canada, the US, or the EU rather than China-based providers such as Alibaba or Baidu.
- Review data retention: confirm you can delete a patient's data on request without needing to contact the vendor to do it for you.
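As an added example (not DentRecall's code or any vendor's implementation), the Python below models the behaviours the requirements list and the audit's STOP test describe: implied consent covers transactional recall messages only, express opt-in is required before any marketing message, an inbound STOP suppresses every automated send to that patient immediately, the record is limited to name, contact info and appointment history, and deletion is done clinic-side. The class names, opt-out keyword list and sample patient data are all constructed for illustration.

```python
# Added example, not DentRecall's code: a minimal consent ledger and send gate.
# All names, keywords and sample data below are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum

# Data minimization: the only fields a recall record may carry.
ALLOWED_FIELDS = {"name", "phone", "email", "appointment_history"}
# Exact-keyword replies treated as an opt-out (constructed list).
STOP_KEYWORDS = {"STOP", "UNSUBSCRIBE", "CANCEL", "END", "QUIT"}


class Consent(Enum):
    NONE = "none"        # opted out or never consented: nothing automated
    IMPLIED = "implied"  # existing patient relationship: transactional only
    EXPRESS = "express"  # explicit opt-in on file: marketing also allowed


class MessageKind(Enum):
    TRANSACTIONAL = "transactional"  # appointment reminder, recall notice
    MARKETING = "marketing"          # promotion or campaign


@dataclass
class PatientRecord:
    patient_id: str
    name: str
    phone: str
    email: str
    appointment_history: list = field(default_factory=list)
    consent: Consent = Consent.IMPLIED
    opted_out: bool = False
    audit: list = field(default_factory=list)  # evidence trail for a complaint

    def log(self, event: str) -> None:
        self.audit.append((datetime.now(timezone.utc).isoformat(), event))


class ConsentLedger:
    def __init__(self) -> None:
        self._records = {}

    def enrol(self, patient_id: str, **fields) -> PatientRecord:
        # Reject clinical or otherwise unnecessary fields at the boundary.
        extra = set(fields) - ALLOWED_FIELDS
        if extra:
            raise ValueError(f"non-minimal fields rejected: {sorted(extra)}")
        rec = PatientRecord(patient_id=patient_id, **fields)
        rec.log("enrolled with implied consent (existing patient)")
        self._records[patient_id] = rec
        return rec

    def record_express_consent(self, patient_id: str, evidence: str) -> None:
        rec = self._records[patient_id]
        rec.consent = Consent.EXPRESS
        rec.log(f"express consent captured: {evidence}")

    def handle_inbound(self, phone: str, body: str) -> bool:
        # Patient-level suppression, applied the moment the reply arrives.
        word = body.strip().upper()
        if word not in STOP_KEYWORDS:
            return False
        for rec in self._records.values():
            if rec.phone == phone:
                rec.opted_out = True
                rec.consent = Consent.NONE
                rec.log(f"opted out via '{word}'")
        return True

    def may_send(self, patient_id: str, kind: MessageKind) -> bool:
        # Single gate every automated send must pass through.
        rec = self._records.get(patient_id)
        if rec is None or rec.opted_out:
            return False
        if kind is MessageKind.MARKETING:
            return rec.consent is Consent.EXPRESS
        return rec.consent in (Consent.IMPLIED, Consent.EXPRESS)

    def delete(self, patient_id: str) -> bool:
        # Clinic-side deletion; no vendor ticket required.
        return self._records.pop(patient_id, None) is not None


def run_opt_out_test() -> dict:
    """Simulate the audit step: send a test SMS, reply STOP, verify suppression."""
    ledger = ConsentLedger()
    ledger.enrol("test-1", name="Test Patient", phone="+15550100",
                 email="test@example.invalid",
                 appointment_history=["2024-03-01 hygiene"])
    before = ledger.may_send("test-1", MessageKind.TRANSACTIONAL)
    ledger.handle_inbound("+15550100", "STOP")
    after = ledger.may_send("test-1", MessageKind.TRANSACTIONAL)
    return {"allowed_before_stop": before, "allowed_after_stop": after,
            "suppressed_immediately": before and not after}


if __name__ == "__main__":
    print(run_opt_out_test())
```

The point of routing every send through one `may_send` gate is that a STOP reply only has to flip one flag to take effect everywhere; a platform that keeps separate lists for reminders, recalls and campaigns is exactly where a patient keeps receiving messages after opting out. The per-record audit trail is what you would hand to the OPC to show when consent was captured and when the opt-out was honoured.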
Key Insight
If you find gaps during this audit, prioritize consent and opt-out gaps first; these are the most likely source of an OPC complaint from a patient. Vendor DPA gaps and data residency issues are important but less likely to result in immediate enforcement action.
Frequently Asked Questions
Does PIPEDA apply to dental practices in Ontario, Alberta, and BC?
Yes. PIPEDA is federal legislation that applies to all private-sector organizations in Canada engaged in commercial activity, including dental practices in all provinces. Alberta, BC, and Quebec also have provincial privacy legislation. In Alberta and BC, the provincial law (PIPA) applies instead of PIPEDA for provincially regulated private-sector activity. In practice, PIPA and PIPEDA are substantially similar in their requirements for dental practices.
What is the penalty for a PIPEDA violation by a dental practice?
Fines under PIPEDA are up to $100,000 CAD for intentional violations. The OPC can also issue public findings that name your practice, which can damage patient trust. In practice, most PIPEDA enforcement begins with an investigation and a remediation order before financial penalties are imposed.
Do I need CASL compliance as well as PIPEDA?
Yes. CASL governs the sending of commercial electronic messages (SMS, email), while PIPEDA governs the collection and use of personal data. Both apply to dental recall communications. See our CASL compliance guide for dental SMS reminders for a full explanation of CASL requirements.
Is patient data stored outside Canada a PIPEDA violation?
Not automatically. PIPEDA allows patient data to be stored in foreign countries if appropriate contractual protections are in place. However, you must inform patients that their data may be stored outside Canada, and you remain accountable for its protection regardless of where it is stored.
Make PIPEDA compliance a non-issue for your clinic
Every patient touchpoint in DentRecall (SMS, email, online booking) is built to PIPEDA and CASL standards. Founding 30 spots available now.
Summary
PIPEDA compliance for a dental practice is not complicated, but it requires deliberate attention to your intake process, your vendor contracts, and your software’s consent management capabilities. The most common gap we see is recall software that does not properly track opt-outs, so practices continue to send automated messages to patients who have replied STOP; this is a clear violation of both PIPEDA and the CASL requirements for dental SMS reminders. For a comparison of how the leading platforms handle this, see our review of CareCru vs RecallMax vs DentRecall on compliance. Our guide on how automated dental recall software handles consent also explains what to look for in a compliant platform and the 5-touchpoint reminder protocol that runs within those consent rules.
DentRecall was built PIPEDA-first, with patient-level consent tracking, immediate STOP suppression, and data minimization built into the platform architecture, not added as an afterthought.