← Hippo

PHIA Notice (Manitoba)

Effective date: 2026-04-17 · Last updated: 2026-04-17

This notice explains how Hippo handles personal health information ("PHI") under Manitoba's Personal Health Information Act (PHIA, C.C.S.M. c. P33.5). It supplements — and does not replace — our Privacy Policy.

1. Hippo's role under PHIA

Hippo is not a trustee under PHIA. We do not operate on behalf of a health-care facility, regional health authority, or health professional in the delivery of patient care. We provide educational productivity software to individual clinicians and trainees. Where an institution signs a data-processing agreement with us, we act as an information managerfor that institution with respect to the data the institution designates.

2. PHI is not required to use Hippo

Hippo is designed to operate without personal health information. Our case log, EPA, and dictation tools ask only for training-relevant data that does not identify a patient:

  • procedure name, category, approach, date (not combined with other identifiers),
  • your role, autonomy level, operative time, difficulty,
  • outcome and complication category (not narrative),
  • your own reflections and teaching notes.

We do not ask for patient names, medical record numbers, dates of birth, health numbers, addresses, or dates of service combined with other identifiers. If you voluntarily enter such information in a free-text field, you are responsible for having the legal authority to do so.

3. What we do to reduce PHI risk

  • Field design:numeric and categorical inputs by default; free-text fields carry a visible "no patient identifiers" reminder.
  • Automated scrubbing: free-text submissions are passed through a regex pre-filter for obvious identifiers (names, DOBs, MRN-shaped tokens, phone numbers, addresses, postal codes) before storage. Obvious matches are redacted and the author is warned.
  • AI preflight: before publishing a pearl or case share, an AI model reviews the draft for potential identifiers that the regex missed (rare combinations, hospital names, attending names). The author is shown the suggested scrub and may accept or reject it.
  • Audit logging: creation, modification, deletion, export, and disclosure of any record is logged with actor, timestamp, IP address, and user-agent. Audit entries are append-only and retained for up to 7 years.
  • Minimum retention: user-deletable data is deleted within 30 days of a deletion request. De-identified audit-log rows may be retained for legal and security purposes.
  • Data location: primary storage is in a Canadian region of our database provider. See Subprocessors.

4. AI features and PHI

Several features (Brief Me, Voice Log transcript parsing, EPA auto-suggest, AI O-score suggestion, dictation polish) transmit the text you submit to third-party AI providers — currently Google AI Studio (Gemini) as the primary provider and Groq (Llama 3.3)as a failover. Neither arrangement is currently covered by a signed data-processing agreement with Hippo that commits the provider to Canadian data residency or a "no training" contractual clause. Treat these features as if anything you type may be retained by the provider for operational or training purposes.

As a compensating control we apply a multi-layer scrub before any text leaves our servers: (a) a client-side regex filter that strips names, MRN-shaped tokens, dates of birth, phone numbers, addresses, and postal codes from the draft before submission; and (b) a server-side re-scrub performed at the LLM call site on every request. Matches are redacted and logged to the audit log. This is defense-in-depth, not a guarantee — regex cannot catch every combination of identifiers that might re-identify a patient.

Accordingly you must not enter personal health information into any Hippo field — AI-facing or otherwise. This includes names, MRNs, exact dates of birth or service, hospital identifiers combined with other quasi-identifiers, facial images, or any free-text detail that would allow a reasonable third party to re-identify a patient. See Terms of Use §6 for the full list of prohibited content.

You can disable AI features globally in Settings → AI features. Before Hippo is made available to programs under an institutional agreement, we will migrate AI processing to a provider arrangement with a signed BAA / DPA (Google Vertex AI, Anthropic commercial, or equivalent) and update this notice to reflect the change.

5. Your rights under PHIA

If PHIA applies to data you have stored with Hippo, you have the right to:

  • access the personal health information we hold about you;
  • request correction of inaccurate information;
  • obtain a record of disclosures we have made;
  • file a complaint with the Manitoba Ombudsman (ombudsman.mb.ca) if you believe we have not complied with PHIA.

Requests should be sent to our Privacy Officer (below) in writing. We will respond within 30 days, or explain why a 30-day extension is required.

6. Institutional use

If your residency program, hospital, or health authority deploys Hippo under an institutional agreement, that institution may be the trustee of any data it designates as PHI. In that case, Hippo operates as an information manager and processes the data only on the institution's written instructions. Contact your program administrator for institution-specific details.

7. Breach notification

If we experience a security incident affecting data that reasonably may be personal health information, we will notify affected users without unreasonable delay and in any event within 72 hours of confirmation. We will notify the Manitoba Ombudsman where PHIA requires. Our incident response process is summarized in our Security page.

8. Privacy Officer

Hippo's Privacy Officer is responsible for PHIA compliance and handles access requests and complaints: privacy@hippomedicine.com.

This notice summarizes our practices. It is not legal advice. If you believe you are required to enter PHI into Hippo for any reason, stop and consult your institution's privacy officer first.