Canadian Hospital AI Procurement in 2026

The Canadian healthcare AI compliance landscape has changed more between 2023 and 2026 than in the decade before. Quebec Law 25 is being enforced in earnest, Ontario PHIPA has been modernized, federal PIPEDA / CPPA amendments now treat AI consent as distinct, and the gap between cloud-vendor defaults and provincial expectations has widened. This is the buyer-side reading of what changed and what procurement should do differently.

Quebec Law 25 fines
$C2.3M

Aggregate Q1 2026 enforcement under Quebec's modernized privacy regime. The strictest penalty floor in Canada, and the most explicit algorithmic-transparency requirement.

Provincial overrides
4 of 10

Ontario, Quebec, Alberta, and BC have substantially similar regimes that supersede PIPEDA for health information in their jurisdiction.

2026 AI-consent change
Distinct

PIPEDA / CPPA amendments clarify that consent for AI training and automated decision-making is distinct from consent for service delivery. Provincial regimes are catching up in parallel.

What changed between 2023 and 2026

Three legislative threads reshaped the Canadian procurement landscape in three years. Quebec Law 25 (formerly Bill 64) phased in from 2022, with the third and final phase taking effect in late 2024 — by Q1 2026 the CAI was issuing enforcement decisions at scale, with aggregate fines crossing $C2.3M. Section 12 obliges organizations using automated decision-making to disclose that use and explain the principal factors; for AI scribes specifically, that means the hospital owes the patient an explanation of how the draft note was produced.

Ontario PHIPA modernization in 2024–25 strengthened cross-border data-transfer documentation requirements and audit expectations. The result for procurement: an Ontario hospital signing a U.S.-cloud AI vendor in 2026 faces a substantially heavier paper trail than it did in 2023. The vendor's BAA does not, on its own, satisfy PHIPA Section 12's audit-trail expectations.

Federal PIPEDA / CPPA amendments under Bill C-27 introduced the AI-consent distinction. Consent for the hospital to deliver care using a vendor's AI tool is different from consent for the vendor to train a model on the resulting data. Most existing patient consent forms predate this distinction; updating them is one of the procurement-prep steps a hospital in 2026 has to do before signing.

The procurement playbook that worked in 2023 does not work in 2026

The 2023 playbook: a Canadian hospital evaluated three U.S. cloud AI scribes, picked one based on Epic integration and clinician preference, signed the standard BAA, and dealt with the residency conversation as a procurement formality. The compliance posture was mostly "the vendor is HIPAA-compliant in their cloud, the BAA covers PHI handling, the audit log exists." The 2023 playbook produced fine outcomes because enforcement was modest, AI consent rules were less explicit, and cross-border-transfer documentation expectations were lighter.

The 2026 playbook has to address four pressures the 2023 process did not weight enough:

PRESSURE 01
Specific residency commitments

"PHI lives in our cloud" is no longer sufficient under provincial regimes. The contract has to name the specific Azure / AWS / GCP region, commit to keeping data there, and provide audit telemetry the hospital can verify.

PRESSURE 02
AI-specific consent

Patient consent forms updated to distinguish service-delivery consent from AI-training and automated-decision consent. Quebec Law 25 Section 12 disclosure obligations made explicit.

PRESSURE 03
Audit telemetry on demand

PHIPA Section 12 and Law 25 documentation expectations are interpreted in 2026 as "the hospital must be able to demonstrate audit capability," not "the vendor's audit log exists somewhere."

PRESSURE 04
PIA before vendor selection

The Privacy Impact Assessment moves earlier in the process. The PIA is what demonstrates the rest of the compliance work is real; running it after procurement hardens is the most-cited 2026 failure pattern.

How this shifts the vendor shortlist

For Canadian residency-bound hospitals, the 2026 shortlist looks different from the 2023 list. Vendors that already operationalize specific-region commitments, transparent BAAs, data-minimal defaults, and clear no-training-on-customer-data postures climb the list:

  • Nabla has a no-audio-stored-by-default privacy posture, 14-day medical-data retention, and the only peer-reviewed RCT result with statistically significant time-savings. Multi-region cloud hosting available; Canadian-region commitments are verifiable in contract.
  • Heidi Health offers transparent published pricing, multi-region cloud, and is operationally proven at New Zealand public-system scale — a useful proxy for the kind of public-sector deployment Canadian buyers face.
  • Freed commits to audio deletion after note generation by default and publishes pricing transparently. U.S.-anchored hosting requires explicit Canadian-region commitment for Canadian use.
  • On-prem alternatives are increasingly on the shortlist specifically because the compliance work shifts from "negotiate contractual residency and verify it" to "describe the data path on our own infrastructure." Shorter PIA, simpler audit story, fewer cross-border-transfer artifacts.
  • U.S.-cloud-only vendors without explicit Canadian-region commitments require substantially more contractual choreography in 2026 than they did in 2023. They are not disqualified — but the work to make them compliant is heavier than it used to be.

The 2026 procurement timeline

The 2023 healthcare AI procurement timeline ran roughly four to eight weeks from RFP to signed contract. The 2026 timeline for a Canadian hospital should plan for eight to twelve weeks if the compliance work is treated seriously — and the additional time is concentrated in the front half of the process, where the leverage is greatest. The phases that get longer:

  • Weeks 1–3: Pre-procurement decisions and PIA scoping. The six pre-procurement decisions covered in the privacy-first adoption framework get documented before the demo. The PIA scope is defined.
  • Weeks 3–5: Vendor demos with the buyer's policy, not the vendor's product. The demo focus shifts to compliance posture — data path, BAA review, audit log artifact — rather than UI walkthroughs.
  • Weeks 5–7: PIA completion against the shortlist of two vendors. Running the PIA against two specific candidates produces better artifacts than running it against an abstract category.
  • Weeks 7–10: Contract negotiation with the strictest applicable timelines built in. Breach notification, audit access, residency commitments, AI-consent language all in writing.
  • Weeks 10–12: Pilot agreement and patient-consent update. Patient consent forms updated to reflect the specific vendor, data path, and automated-decision components.

Where this fits in the WalledCare directory

Pair this article with the Canadian compliance hub for the full regulatory map, the RFP-questions checklist for the procurement-document specifics, and the vendor side-by-side comparison to filter by residency posture. The privacy-first adoption framework covers the procurement-process choreography in more detail.
