Compliance

AivaMD handles health information as defined under the Alberta Health Information Act (HIA), RSA 2000, c H-5.

Health information you enter - including encounter notes, patient names, health card numbers, and diagnosis codes - is used solely to generate billing codes and claims on your behalf.

AivaMD does not sell, share, or disclose health information to third parties except as required to deliver the service (see Third-Party Processors below) or as required by law.

Production servers are hosted in Canada (Railway infrastructure, ca-central-1 region) to comply with Alberta HIA data residency requirements.

As a healthcare provider using AivaMD, you remain the custodian of your patients' health information and are responsible for ensuring your use of the platform complies with your obligations under HIA and the College of Physicians and Surgeons of Alberta (CPSA) standards.

An Information Manager Agreement (IMA) is available upon request. Email hello@aivamd.ca.

AivaMD complies with the Personal Information Protection and Electronic Documents Act (PIPEDA), SC 2000, c 5, which governs the collection, use, and disclosure of personal information in the course of commercial activities.

We collect only the personal information necessary to provide the service: name, email address, Practitioner ID, practice details, and health information you submit.

You may request access to, correction of, or deletion of your personal information at any time by contacting hello@aivamd.ca.

We do not use personal information for purposes beyond what is disclosed in our Privacy Policy without obtaining additional consent.

H-Link is Alberta Health's electronic claim submission system. AivaMD is in the process of obtaining H-Link accreditation through Alberta Health (form AHC2210).

Until accreditation is complete, claims are stored and managed within AivaMD but are not electronically transmitted to Alberta Health. All users will be notified when live H-Link submission is enabled.

Once accredited, claims will be submitted via secure SFTP to Alberta Health in the H-Link EDI format as specified by the Electronic Claims Submission Specifications Manual.

AivaMD does not guarantee that claims submitted to Alberta Health will be accepted. Claim acceptance is governed by Alberta Health policies and your compliance with the Schedule of Medical Benefits (SOMB).

AivaMD uses the Anthropic Claude API to analyze encounter notes and extract billing codes. Encounter text is sent to Anthropic's API for processing.

Under Anthropic's API usage policy, customer data submitted via the API is not used to train Anthropic's models.

AivaMD does not train AI models on individual patient records or provider billing data.

Aggregated, anonymized usage data may be used internally to improve extraction accuracy.

All data is encrypted in transit using TLS 1.2 or higher.

Data at rest is encrypted using AES-256.

Access to health information is restricted to authenticated providers. Each API endpoint enforces provider-level isolation - you can only access your own claims and data.

Authentication is managed by Clerk using industry-standard JWT tokens verified on every request.

We conduct regular security reviews and follow OWASP guidelines for web application security.

Anthropic: Encounter note text is sent to Anthropic's Claude API for billing code extraction. Anthropic processes this data under their API data processing terms.

Clerk: User authentication and session management.

Stripe: Payment processing for subscriptions under their own PCI-DSS compliance program. AivaMD does not store full credit card numbers.

Railway: Backend API and database hosting in Canada.

Vercel: Frontend application hosting.

In the event of a privacy breach involving health information, AivaMD will notify affected users and, where required, the Office of the Information and Privacy Commissioner of Alberta (OIPC) in accordance with HIA breach notification requirements.

Notification will be provided as soon as practicable after the breach is discovered.

To report a suspected breach or security vulnerability, contact hello@aivamd.ca immediately.

For compliance inquiries, Information Manager Agreements, Privacy Impact Assessments, or to report a concern, contact us at hello@aivamd.ca.

Effective date: February 2026.