HIPAA vs PIPEDA, Mandatory Protection
HIPAA (USA) and PIPEDA (Canada) are enacted rules, regulations and legislation that govern the privacy of our data. In a world where terabytes of data are generated daily, we need protection, particularly from security breaches by attackers who can not only alter our lives with this knowledge but also attempt to control our everyday IoT-connected devices. Unscrupulous businesses must likewise be prevented from profiting from the knowledge that our health care costs can be directly related to the conditions we suffer from, or to how well we comply with our medications; such uses do nothing to protect citizens and do not provide better patient outcomes.
While it is important to know all about this protection, there are key differences between HIPAA and PIPEDA that are particularly important. Within the context of global communications and free trade, Medipense ensures that your data is PIPEDA compliant, keeping all your Canadian PHI safely and securely stored in Canada, and that all American data is HIPAA compliant and stored in the USA for our American clients.
Canada’s federal law, the Personal Information Protection and Electronic Documents Act (PIPEDA), while similar to the Health Insurance Portability and Accountability Act (HIPAA) in the United States, has some significant differences.
What is HIPAA?
The Standards for Privacy of Individually Identifiable Health Information, commonly known as the HIPAA Privacy Rule, establishes the first national standards in the United States to protect patients’ personal or protected health information (PHI). The privacy rule also guarantees patients the right to receive their own PHI, upon request, from healthcare providers covered by HIPAA. (more info: Health Information Privacy)
The HIPAA Privacy Rule applies to organizations that are considered HIPAA-covered entities, including health plans, healthcare clearinghouses and healthcare providers. In addition, the HIPAA Privacy Rule requires covered entities that work with a HIPAA business associate to put in place a contract that imposes specific safeguards on the PHI that the business associate uses or discloses. PHI includes:
- a patient’s name, address, birth date and Social Security number;
- an individual’s physical or mental health condition;
- any care provided to an individual; or
- information concerning the payment for the care provided to the individual that identifies the patient, or information for which there is a reasonable basis to believe could be used to identify the patient.
What is PIPEDA?
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private-sector organizations. It sets out the ground rules for how businesses must handle personal information in the course of commercial activity. (More info: PIPEDA)
PIPEDA applies to all personal data, health-related or otherwise, regardless of the entity that holds it. This data must be:
- collected with consent and for a reasonable purpose
- used and disclosed for the limited purpose for which it was collected
- accessible for inspection and correction
- stored securely
Under PIPEDA, the following is protected as sensitive or Personally Identifiable Information (PII):
- Age, name, ID numbers, income, ethnic origin, or blood type
- Opinions, evaluations, comments, social status, or disciplinary actions
- Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs)
We see that the scope of PIPEDA extends well beyond health data. However, within the context of Medipense and our offerings, we focus on the PHI aspects: once health data is collected, regardless of the province, industry, or type of data, the organization is accountable and responsible for the protection of that data.
What are the Key Differences?
There are several key distinguishing factors that make PIPEDA more stringent than HIPAA. That said, HIPAA currently has the larger bite when it comes to enforcement, with fines of up to $1.5M per breach and possible jail terms.
Data uploaded by patients
In the US, HIPAA oversees covered entities’ use of health information, but it doesn’t cover data uploaded by citizens. For example, if you have a mobile health app in the Apple Store that allows citizens to manage their personal health and wellness, their data isn’t protected by HIPAA. Data protection is very likely to be governed by the contractual relationship between the citizen and the app company.
In Canada, PHI is PHI regardless of the source.
HIPAA-compliant companies usually keep data on US-based, HIPAA-compliant servers. In Canada, some provinces have enacted legislation to ensure their data is stored in Canada; British Columbia and Nova Scotia have such regulations. In our many discussions with Canadian citizens and health care providers, we have not found many who are comfortable with their data residing outside of Canada. So, at the very least, a solid business decision, whether required by PIPEDA or not, is to retain all Canadian data in Canada, store all US data in the USA, and keep all EU data in the EU.
Sale of Data
The sale of health data is an ambiguous area. In many cases in the US, if information is collected by entirely legal means, that information can often be sold. However, American companies supporting custodians in Canada do not have the right to sell that data. In Canada, data may be sold only where the individuals concerned have provided consent.
There are many other differences, covered in the references we reviewed: take a look at Canadian Privacy Laws and the Canadian Cloud: A Primer for Canadian Businesses and Expanding US Health IT Business to Canada in 2016.
Why you should care
Data is the new GOLD. Everyone wants your data. It defines your characteristics, behaviors and patterns. It quantifies what used to be qualitative. It enables companies to sell you, and folks like you, more. It determines the price you pay, or will pay, for products and services. It also helps monitor the effectiveness of medications and supports the development of new ones.
Health information is particularly important to guard. It identifies you personally, along with all your health conditions, medications, history, and compliance. It can be used to do good, or harm. As such it must be protected and used only with your explicit permission, for the intended purpose.
As with all forms of protection, we must be aware of how it works and to whom it applies, and be confident that the measures taken to protect our privacy are more than adequate and consistently applied. HIPAA and PIPEDA are both great starts at forcing compliance by those who have access. PIPEDA takes it one step further by ensuring that more of our data is protected, across more of the people who have access to it.