We meet US HIPAA requirements. Check out these great articles about HIPAA and PHIPA.
All data is encrypted, patient sessions are anonymous (we don't know who your patients are) and no patient info is stored persistently. We use the AES cipher with 128-bit keys to encrypt audio/video, and HMAC-SHA1 to verify data integrity.
Doxy.me never has access to your camera. A patient can only see you when you're in a session with them. We only store hashed IP address - and this is mostly for just tracking and auditing purposes. For example if we see potential abuse on our system coming from the same IP address we can resolve the issue. This is a common approach for how to securely store user passwords as well.
We recommend talking to your local Canadian legal professional to see if we meet the Canadian requirements.