This page describes how Gladstone handles personal health information, the safeguards that protect it, and how the platform aligns with PHIPA and with CPSO and CMPA guidance on AI-enabled clinical tools. It is written in plain language for practising physicians. The governing documents are linked at the end of the page.
The legal relationship between you and Gladstone determines how every piece of information is handled.
Under the Personal Health Information Protection Act, 2004 (PHIPA), you, your clinic, or your hospital is the Health Information Custodian. GladstoneMD acts as your agent. We process personal health information solely on your behalf, under your instructions, and never for purposes of our own. We do not determine what is collected, how it is used, or who sees it.
Several commitments follow from that relationship. We do not sell PHI, use it for advertising or marketing, profile patients, or attempt to re-identify de-identified information. We do not use your patients' information, including de-identified information derived from it, to train or fine-tune AI models.
Gladstone is also not an electronic medical record and does not hold the official chart. It is built as a personal tool for the physician, closer to your stethoscope or your notebook than to a hospital-provided IT system, and it sits beside you rather than inside your infrastructure: it has no connection to your EMR and no access to it. This positioning is what lets Gladstone assist across many parts of your workflow, and more over time, while you retain oversight and control over how it is used. Your designated system of record remains the official chart, and approved documentation is entered there by you, under your control.
This division of responsibility is set by PHIPA's custodian and agent framework, and it is the same framing the CPSO and CMPA use when describing physician accountability for AI tools.
The complete path of an encounter, from input to your record.
You speak, dictate, type, or photograph documents. Audio, text, and visual information enter the system only when you submit it, and recording an encounter requires patient consent.
All information travels over TLS-encrypted connections to Gladstone's backend services.
PHI is stored within Microsoft Azure's Canada Central region, encrypted at rest.
Transcription, OCR, and drafting services prepare your documentation. Canadian data services are used throughout, with the limited exception described in the residency section below.
Every output returns to you as a draft. Nothing is final until you have reviewed and approved it.
You transfer approved documentation into your EMR. Gladstone has no connection to the EMR and no ability to read from or write to it.
Where information is processed, and the one exception to Canadian processing.
Personal health information processed through Gladstone is stored in Canada, and Canadian data services are used for processing. There is one exception: certain advanced AI models have not yet been made available on Canadian servers, and functionality that depends on those models is processed outside Canada. Where that occurs, the data is encrypted, access is restricted, contractual controls limit what any provider may do with it, and we move processing to Canadian infrastructure as it becomes available.
Information processed outside Canada may be subject to the laws of the jurisdiction in which it is processed, including lawful access by courts or authorities there. This is true of any cloud-based clinical tool that relies on processing outside Canada. As custodian, you remain responsible for any patient notice this requires in your practice, and our documentation gives you what you need to provide it.
Gladstone is designed around data minimization. The schedule below summarizes what is kept, and for how long.
| What | How long | Why |
|---|---|---|
| Encounter transcripts | Temporary. Deleted once documentation and related processing are complete | Transcripts exist to produce your draft. Gladstone does not maintain an archive of patient conversations. |
| AI interaction context | Up to 14 days, then deleted or de-identified | Short-term workflow continuity and troubleshooting. |
| Clinical & workflow data | Duration of your customer relationship | Keeps your active work available. Deletable at your direction. |
| Audit logs | Minimum 6 years | Security investigation and accountability. Logs are designed to minimize PHI content. |
| After you leave | 30-day export window, then secure deletion from active systems | Residual backup copies age out through normal encrypted backup rotation. |
This design reflects College guidance that recordings and verbatim transcripts are draft aids rather than chart content. The durable record is the note you approve and file in your EMR.
Both organizations have published guidance on AI scribes and AI in clinical practice. Gladstone was designed against that guidance, summarized below.
"Physicians are ultimately accountable for their use of AI tools, including when using AI to support clinical decision-making or medical documentation."
CPSO, Advice to the Profession: Using Artificial Intelligence in Clinical Practice| The expectation | Source | How Gladstone supports it |
|---|---|---|
| Consent before recording | CPSO; CMPA | Recording occurs when you choose it, with the patient's agreement. Both regulators expect the consent discussion to be documented in the chart; practical guidance is provided below. |
| Review every note | CPSO; CMPA | Every output is a draft requiring your review, validation, and approval before clinical use or entry into a record. This requirement is structural, not a setting. |
| PHIPA-compliant handling | CPSO; PHIPA | Agent relationship under PHIPA, Canadian storage, encryption, role-based access, audit logging, and a maintained Privacy Impact Assessment available for review. |
| No secondary use of PHI | CMPA; PHIPA | PHI is used only to deliver the service. It is not used for model training, advertising, profiling, or sale. |
| Vendor transparency on limits | CMPA | Known limitations of AI documentation are described on this page and in our Privacy Impact Assessment. |
| Breach notification | PHIPA; CMPA | If an incident affects your data, we notify you at the first reasonable opportunity with what is known, what has been done, and recommended actions, so you can meet your own reporting obligations. |
The CMPA encourages physicians to ask vendors about validation, privacy safeguards, retention timelines, and liability before adopting any AI scribe. Our Privacy Impact Assessment exists so that your privacy officer or counsel can put those questions to us directly, and the PIA is available to any interested user on request at privacy@gladstonemd.com. The source guidance is available from the CPSO and the CMPA.
AI-assisted documentation has well-characterized failure modes. These are the ones we design and monitor against.
Generated drafts can include statements that were not made, or omit details that were. This risk is inherent to the technology. Clinician review is the primary control, and Gladstone is built so that review and approval is the only path to a finished note.
As draft quality improves, the temptation to skim grows. The CPSO holds physicians responsible for ensuring each note is a complete and accurate record of the encounter. Gladstone presents drafts clearly as drafts and keeps the review step explicit.
Adversarial input and cross-session contamination are recognized risks in AI systems. Gladstone applies session isolation, restricted workflow scopes, and monitoring to contain them, and treats this as an ongoing engineering discipline.
Customer PHI, including de-identified information derived from it, is never used to train or fine-tune AI models. Our subprocessor agreements carry the same restriction. Service improvement draws on product telemetry that contains no patient data.
A summary of the administrative, technical, and physical safeguards in place. Full detail is provided in the Privacy Impact Assessment and Terms of Service.
TLS encryption in transit and encryption at rest. Role-based access controls and least-privilege principles. Audit logging and monitoring. Segregated operational environments. Multi-factor authentication on all remote and administrative access to systems supporting the service, with RDP blocked by default.
A designated Privacy Officer and Security Lead. Workforce confidentiality obligations and role-appropriate privacy training. Vendor due diligence before any subprocessor is engaged, with periodic review. Documented incident response procedures.
Microsoft Azure facility controls, environmental safeguards, and monitoring. Automated encrypted backups with restoration testing. Periodic review of configurations, vulnerabilities, and safeguards as the platform and threat landscape evolve.
No system eliminates all risk. We maintain layered safeguards proportionate to the sensitivity of personal health information and review them on an ongoing basis.
Transparency with patients is a College expectation. The conversation is brief and most patients are receptive to it.
Before recording any encounter, ask the patient. For example: "I use a secure AI assistant that listens and drafts my notes so I can focus on you. I review everything before it goes in your chart. Are you comfortable with that?" Verbal consent is acceptable; documenting the consent discussion in the record is preferred.
Patients who have questions about how their clinic uses Gladstone, or who wish to access or correct their records, should contact their clinic directly. Under PHIPA, the clinical relationship and the record reside with the custodian, and we support your clinic with any such requests that involve us. OntarioMD publishes a patient consent toolkit for AI scribes that many practices use.
No to both. Gladstone is not an electronic medical record and is not the system of record for any patient chart. It also has no integration with, connection to, or access to your EMR.
Gladstone is built as a personal tool for the physician. In that respect it is closer to your stethoscope or your notebook than to a hospital-provided IT system: it belongs to your practice of medicine, you decide how it fits your workflow, and you retain oversight and control over how it is used. That positioning is also what allows Gladstone to assist across many parts of your day, from documentation to requisitions to correspondence, with more to come over time. It prepares the work; you transfer approved material into the official record yourself. The official record stays in your designated EMR, under your custodianship, subject to your documentation and retention obligations.
Audio from dictation or recorded encounters, typed and pasted text, and visual information such as photographs of documents, requisitions, and other clinical paperwork you choose to submit. In each case, information enters the system only when you provide it, and it is processed solely to produce the documentation you have requested.
PHI is stored in Canada, in Azure's Canada Central region, and Canadian data services are used for processing. The exception is functionality that depends on advanced AI models not yet available on Canadian servers; that processing occurs outside Canada under encryption, access restrictions, and contractual controls. The residency section above describes this in full.
No. Neither PHI nor de-identified information derived from PHI is used to train or fine-tune AI models. This commitment appears in our Terms of Service and is carried through to our subprocessor agreements.
We notify you at the first reasonable opportunity with a description of the incident, the types of information involved, the timing, the containment and remediation steps underway, and a contact for follow-up. We then cooperate with you on your own obligations. Under PHIPA, notification decisions involving patients and the IPC rest with the custodian, and you will have the information needed to make them.
Yes, with the prior approval and ongoing supervision of a licensed clinician, and where program and institutional policies permit. The supervising physician remains responsible for reviewing and approving all documentation before it enters the record.
You have a thirty-day window to export your data, after which it is securely deleted from active systems. Residual copies in encrypted backups age out through normal rotation. Because the official record was always in your EMR, ending your use of Gladstone does not affect any chart.
Yes. We maintain a PIA documenting our information flows, subprocessors, safeguards, and risk assessment, and we update it as the platform evolves. It is available to customers and to organizations evaluating Gladstone. Requests can be directed to privacy@gladstonemd.com.
This page is a plain-language summary. The documents below govern.
How we collect, use, disclose, retain, and protect information across the website and the application.
The agreement governing use of Gladstone, including clinical responsibility, data handling, and security commitments.
Our PHIPA-oriented assessment of information flows, subprocessors, safeguards, and residual risk. Available on request.
Privacy inquiries may be directed to our Privacy Officer at privacy@gladstonemd.com. If you are not satisfied with our response, you may contact the Information and Privacy Commissioner of Ontario.
If you are evaluating Gladstone for your practice, clinic, or institution, our team, including our Privacy Officer, is available to walk your stakeholders through the architecture, the Privacy Impact Assessment, and the contracts.
Contact our privacy team Return to gladstonemd.com