🔐Privacy & Security FAQ

Last updated: Jun 9, 2025

Last updated by: Meaghan Nolan

This document is for informational purposes only, and is not a legal document. Please refer to our Terms of Use and Privacy Policy for the most comprehensive and up-to-date information about our data handling and privacy and security practices.

Q: What do you do?

A: Mikata Health, Inc. (“Mikata”) is a technology company headquartered in Calgary, Alberta. We provide an automation platform that consists of a secure web-based software application for doctors, nurses, and staff at clinics to use, and a secure web-based application for their patients to use. This platform includes an AI-powered scribe - Mika AI - that reduces the time and effort of charting.

Clinics use our platform to automate time-consuming administrative and documentation tasks, which frees up doctors, nurses, and staff to spend more time caring for patients. Additionally, the platform makes it easier for patients to access care, communicate with the doctors, nurses, and staff at their clinic, and complete tasks related to their care.

We take our responsibility for the privacy and security of personal health information very seriously. We comply with all applicable provincial and federal regulations for the handling of personal health information.

Q: What healthcare and privacy legislation does Mikata comply with in Canada?

A: Mikata ensures compliance with all relevant provincial and federal healthcare and privacy legislation across Canada. This includes but is not limited to:

  • Personal Information Protection and Electronic Documents Act (PIPEDA)

  • Personal Health Information Protection Act (PHIPA) in Ontario

  • Health Information Act (HIA) in Alberta

  • Personal Information Protection Act (PIPA) in Alberta

  • Personal Health Information Act (PHIA) in Manitoba

  • Personal Information Protection Act (PIPA) in British Columbia

  • Personal Health Information Privacy and Access Act (PHIPAA) in New Brunswick

  • Personal Health Information Act (PHIA) in Newfoundland & Labrador

  • Personal Health Information Act (PHIA) in Nova Scotia

  • Health Information Act (HIA) in Prince Edward Island

  • Health Information Protection Act (HIPA) in Saskatchewan

  • Health Information Act (HIA) in Northwest Territories

  • Health Information Privacy and Management Act (HIPMA) in Yukon

Additionally, Mikata ensures it is in compliance with other applicable legislation, such as:

  • Criminal Code of Canada - The Criminal Code contains provisions related to the protection of privacy and security, including provisions on unauthorized access to computer systems and interception of communications. These provisions may apply to cases involving the unauthorized access or disclosure of personal health information.

  • Digital Privacy Act - The Digital Privacy Act introduced amendments to PIPEDA, including provisions related to data breach notification and reporting requirements. While not specific to healthcare, these amendments have implications for organizations handling personal health information.

  • Privacy Act (Federal) - While primarily governing the collection, use, and disclosure of personal information by federal government institutions, this act may apply to certain aspects of healthcare privacy when personal health information is collected.

  • Freedom of Information and Protection of Privacy Act (FIPPA) in British Columbia - While primarily governing how provincial public bodies in British Columbia collect, use, disclose, and retain personal information, this act may apply to certain aspects of healthcare privacy when personal health information is collected, used, or disclosed by provincial government ministries or agencies, post-secondary institutions, or health authorities.

  • Freedom of Information and Protection of Privacy Act (FIPPA) in Manitoba - While primarily governing how provincial public bodies in Manitoba collect, use, disclose, and retain personal information, this act may apply to certain aspects of healthcare privacy when personal health information is collected, used, or disclosed by provincial government ministries or agencies, post-secondary institutions, or health authorities.

  • Freedom of Information and Protection of Privacy Act (FIPPA) in Ontario - While primarily governing how provincial public bodies in Ontario collect, use, disclose, and retain personal information, this act may apply to certain aspects of healthcare privacy when personal health information is collected, used, or disclosed by provincial government ministries or agencies, post-secondary institutions, or health authorities.

Q: What privacy and security legislation does Mikata comply with in the United States?

A: In the United States, Mikata adheres to stringent privacy and security regulations, including:

  • Health Insurance Portability and Accountability Act (HIPAA)

Q: Does Mikata have, or is it working towards any other specific security certifications?

A: Mikata’s third party service providers (e.g., cloud infrastructure providers, AI providers, etc.) are SOC2 certified, ISO27001 compliant, and HIPAA compliant.

Mikata is actively working towards achieving its own SOC2 certification, demonstrating our commitment to holding ourselves to the highest standards for privacy and security compliance.

Other third parties that we work with, including multiple electronic medical record (EMR) vendors, have performed detailed assessments of our privacy and security compliance program.

If your organization requires additional information about our privacy and security compliance program, we are happy to discuss your requirements and provide additional details.

Q: What information do you collect?

A: For clinics and healthcare providers, we collect contact and billing information.

For patients, we collect registration information as well as diagnostic, treatment, and care information. We collect, use, store, and disclose the minimum amount of information required to provide our services, and your clinic ultimately decides which services to use and how they are configured.

Your clinic may configure Mikata Services to collect the following information:

  • Patient information stored in your clinic’s EMR, such as patient name, date of birth, healthcare number, contact details, and appointment information

  • Information related to your patients’ physical and mental health, as well as their concerns and questions related to their care to provide health services (e.g., through a patient assistant request, forms, and Mika AI sessions)

  • Information related to your patients’ preferences, such as preferred language or contact method, to personalize your experience

  • Finally, we may collect additional personal information from patients, as needed, to verify their identity

Q: Does Mika AI make or keep an audio recording of the patient encounter?

A: No, we encrypt and stream the audio through the microphone on your device and then transcribe the audio into a text transcript in real-time.

No audio recording is ever made or kept.

Q: Where is information stored?

A: All information is securely encrypted and stored on secure servers located within Canada.

Q: How is information stored?

A: All information is securely encrypted during transmission and storage. Our application and databases are hosted on secure cloud infrastructure within Canada, which is regularly monitored and tested. We also keep auditable logs of application and database access and activity.

In addition to these and other technical safeguards, we have put in place comprehensive administrative and physical safeguards to protect the privacy and security of personal health information.

Q: Does Mikata disclose information or share it with third parties?

A: We never sell anyone’s data.

EMR Integration Partners:

Data may be exchanged with your electronic medical record (EMR) through a private and secure integration connection, but only if explicitly authorized by the clinic.

TELUS Health – If the Custodian requests integration with their TELUS Health EMR, we will enable the secure exchange of data between our system and their EMR.

QHR Accuro – If the Custodian requests integration with their QHR Accuro EMR, we will enable the secure exchange of data between our system and their EMR.

Third parties:

Mikata works with the following third party service providers. Third parties are subject to a rigorous review and contracting process to ensure they are held to the same standards for privacy and security compliance as Mikata itself.

These third parties are not able to use any of the data they process and/or store on Mikata’s behalf for their own purposes.

Amazon Web Services (AWS) – We use Canadian-based AWS infrastructure to process and store data. The data is encrypted in transit and at rest within a virtual private cloud (VPC) environment, preventing any third party, including AWS, from accessing the data.

Microsoft Azure – We use Microsoft Azure to process data only. Data is not stored, even temporarily, by Microsoft Azure. The data is encrypted in transit, preventing any third party, including Microsoft Azure, from accessing the data while in transit.

Q: Do Mikata’s third party AI service providers store my data?

A: No.

Notably, and unlike many other vendors, Mikata ensures that personal health information is not retained (i.e., stored) for any amount of time or subject to human review by the third parties it uses to process data (e.g., its third party NLP and LLM service providers).

Q: Do Mikata’s third party AI service providers use my data to improve their AI models and services?

A: No. These third parties are not able to use any of the data they process and/or store on Mikata’s behalf for their own purposes such as training their underlying AI models.

Q: Does Mikata use my data to improve its AI models and services?

A: We do not use patients' personal health information (deidentified or otherwise) to improve our AI models or services.

We may use other types of anonymized and/or aggregated data to monitor and improve the services (e.g., number of sessions, templates used).

Q: How long does Mikata store information?

A: We store your data for as long as you have an account to access the Mikata platform, unless you have set a shorter data retention period, where available. In some cases, we may need to store some information longer to meet regulatory requirements.

Q: What security measures does Mikata have in place to protect patient information?

A: Mikata takes security and privacy seriously, implementing robust measures to safeguard patient information. These include encryption of data both in transit and at rest, access controls limiting who can view sensitive data, regular security audits and assessments, intrusion detection systems, and continuous monitoring of our systems for any suspicious activity.

Q: How often does Mikata conduct security assessments and audits?

A: Mikata conducts regular security assessments and audits to ensure that our security measures are effective and up-to-date. These assessments may include vulnerability scanning, risk assessments, and internal audits performed by qualified third-party security professionals. We also conduct regular employee training and awareness programs to promote a culture of privacy and security throughout the organization.

Q: How does Mikata update privacy and security practices?

A: Our privacy and security practices are continuously evolving to take into account the latest standards and regulations, best practices, technologies, and trends.

Q: How does Mikata handle data breaches or security incidents?

A: In the event of a data breach or security incident, Mikata has established incident response procedures to promptly detect, respond to, and mitigate the impact of such incidents. This includes notifying affected parties as required by applicable laws and regulations and cooperating fully with regulatory authorities and law enforcement agencies.

Q: How do I contact Mikata for additional privacy and security information?

A: If you have any questions or concerns about Mikata’s privacy and security practices, please email us at privacy@mikatahealth.com or write to:

Mikata Health, Inc.
Attn: The Privacy Officer
Suite 201 - 838 11th Avenue SW
Calgary, AB T2R 0E5
Canada

Email: privacy@mikatahealth.com
