Privacy Policy

1. Definitions

Personal Information

Identifiable data as per PIPEDA.

Personal Health Information ("PHI")

Health-related data governed by PHIPA.

Express Consent

Required when PHI is collected, stored, or used beyond routine care or the circle of care.

2. Accountability

Kactis.Ai (Service Provider)

  • Provides encryption, MFA, audit logging, breach detection, secure APIs

  • Conducts privacy and security assessments; notifies EMR vendors/clinicians of any breach

Integrated EMR Vendors

  • Ensure secure APIs, encryption, MFA, audit trails, and conduct impact assessments

Clinicians / Health Information Custodians

  • Obtain necessary consent, supervise Kactis.Ai usage, handle data requests and breaches per PHIPA/PIPEDA

3. Consent

3.1 Clinician Consent

Clinicians must obtain express, informed consent from patients (or substitute decision-makers) for collection, storage, or use of PHI beyond immediate care.

3.2 Patient Consent to Server Storage

Before uploading any PHI (including video), clinicians must obtain the patient's (or substitute's) signature on a separate consent form specifying:

  • That their PHI, including video data, will be stored on Kactis.Ai servers (Canada or international)

  • The purpose: clinical support, AI-powered transcription, analysis, retention

  • Their voluntary right to withdraw consent at any time

  • That withdrawal triggers deletion or return of their data, subject to legal obligations

This is aligned with PHIPA/PIPEDA express consent requirements.

3.3 Express Consent for Video-Only Recording

Because video contains PHI, clinicians must also obtain express, informed consent in writing or recorded in the health record prior to recording any clinical encounter on video. The consent must clearly specify:

  • That video-only recordings (no audio) will be captured

  • Recording purpose (clinical documentation, AI support, etc.)

  • Storage duration and location

  • Who may access the recordings

4. Collection & Use

Kactis.Ai processes only PHI explicitly authorized by clinicians and consented to by patients.

Clinicians decide what data (including video) is shared; Kactis.Ai does not collect extraneous data.

Uses are limited to consented purposes.

5. Safeguards

  • Encryption in transit and at rest

  • Secure authentication (MFA), access control, and audit trails

  • Regular privacy and security impact assessments

  • Access limited to authorized personnel

  • Clinicians and EMRs must deploy complementary safeguards

6. Retention & Destruction

Retained only as specified by the clinician and legally required (typically a minimum of 10 years post-encounter or 10 years after a minor turns 18).

Video recordings are clinical records and follow the same retention rules; non-record-of-care copies must be securely deleted once the clinical purpose is met.

Clinicians must implement retention and destruction protocols in their EMR systems.

7. Anonymized Data for Epidemiology & AI Training

Kactis.Ai may use anonymized/de-identified data—including video stripped of identifying features—for:

  • Epidemiological research

  • AI model training and improvement

All anonymization adheres to PHIPA standards:

  • Removal of identifiers; re-identification strictly prohibited

  • PIAs conducted for each use

  • External access only via binding agreements

  • Practices disclosed in public notices under PHIPA Decision 175

8. Access, Correction & Complaints

Individuals may access or correct their PHI (PHIPA/PIPEDA).

Kactis.Ai supports clinicians through logs or data exports.

Complaints may be submitted to Kactis.Ai or the federal/provincial privacy commissioners.

9. Breach Response & Notification

Kactis.Ai logs and notifies EMR vendors/clinicians of breaches.

Clinicians assess risk and notify individuals or regulators as required.

Post-incident reviews are conducted jointly.

10. Roles & Responsibilities Summary

Party          Responsibilities

Kactis.Ai      Provide technical safeguards, secure development, breach alerts, data deletion.

EMR Vendors    Implement secure design, audits, PIAs.

Clinicians     Obtain/retain all required consents (including video-only), supervise usage, manage retention, respond to requests/breaches.

Patients       Provide informed consent via signed documentation.

11. Policy Updates

Material updates will be communicated to clinicians and posted with updated timestamps.

12. Contact & Complaints

Privacy Officer – Kactis.Ai

Email: paul@kactis.ai

Complaints may also be filed with the Office of the Privacy Commissioner of Canada or provincial authorities.
