Feature · Privacy Impact Assessments

The IPC's February 2026 guidance names your AI feature. Are you ready?

Privacy Impact Assessments are now mandatory for AI systems, new vendor integrations, and significant system changes. CybershieldMaple turns the IPC's own PIA framework into a guided, documented workflow — not a blank template.

Why PIAs matter now

The IPC's AI guidance arrives in February 2026. Health tech companies are specifically named.

The IPC's February 2026 guidance on artificial intelligence in health care explicitly addresses AI scribes, RPM platforms, diagnostic tools, and telemedicine systems. Organizations using AI that touches PHI will be expected to have a completed, documented PIA.

Under Law 25 in Quebec, Privacy Impact Assessments are already mandatory before deploying any technology that processes personal information. The obligation is active now.

PIA trigger events — when you need one

- Deploying or upgrading an AI feature that processes PHI
- Onboarding a new vendor who will access patient data
- Implementing a new EMR or clinical system
- Adding remote monitoring or telemedicine capabilities
- Integrating with a hospital system or health information exchange
- Any significant change to how PHI is collected, used, or disclosed

Capabilities

Guided PIA. Not a blank form.

IPC-guided PIA framework
CSM's PIA builder follows the IPC's own Privacy by Design framework. Each question is mapped to a specific IPC handbook control, so the output is directly defensible.
AI feature PIA module
Dedicated PIA workflow for AI systems — aligned to the IPC's February 2026 guidance. Covers training data, inference, output use, and patient transparency.
Vendor onboarding PIA
Trigger a PIA automatically when a new vendor is added to your BAA registry. The PIA and the BAA are linked — no documentation gap between the two.
Periodic review scheduling
PIAs require reassessment when systems change. CSM schedules and tracks periodic reviews, and flags PIAs that are overdue or triggered by a system change event.
Law 25 ÉFVP assessment
French-native ÉFVP (Évaluation des facteurs relatifs à la vie privée) workflow for Quebec. CSM generates the French-language assessment output required under Law 25.
Cross-framework mapping
Each PIA is mapped to the applicable frameworks — PHIPA, Law 25, or both. The same assessment produces evidence for both regulators without duplication.

Who uses this feature

PIA requirements apply across all audiences.

Privacy Impact Assessments

The IPC's guidance is coming. The PIA requirement is already here.

See the PIA workflow in CSM and get your accountability benchmark to understand your full governance posture.