If you're here, you're likely already familiar with HIPAA. But did you know that the act created to establish a set of national standards for protecting health information has a Canadian counterpart called the PIPEDA, or the Personal Information Protection and Electronic Documents Act? While both laws are designed to protect consumer data from being accessed by unauthorized third parties, there are some critical differences between the two. We’ll look through all those similarities and differences in this article.
What is PIPEDA?
PIPEDA is Canada's version of HIPAA, and it is broader than HIPAA, covering more than just health information. It also includes banking, telecommunications, and other industries where personal data can be collected or stored.
PIPEDA's mission is to ensure that organizations are responsible and accountable for protecting all data collected, regardless of province, industry, or kind. Individuals also have the right to privacy over their information. They need to be able to view any information an organization collects and have the right to appeal the validity of the collected data.
Organizations must be transparent during the collection process when obtaining this information and explain why it's collected and how the organization will use it.
It is important to note that each province may additionally have its own laws, rules, and regulations regarding the gathering of this data.
PIPEDA's 10 Main Principles
While HIPAA has its own principles for the collection, storage, and destruction of personal data, PIPEDA mandates:
- An organization is held responsible for personal information under its management and must choose a designated individual or small team to manage the organization’s compliance. This information includes all data shared with third-party processors.
- An organization will explicitly state when personal information is being collected at the time of its collection.
- Individuals must give their permission to have that information collected, used, or disclosed unless such action is unjustified.
- The organization will only collect the minimal amount of personal information required for their stated purposes.
- There is complete transparency over the use of that personal information. It cannot be utilized or disclosed for any other reason than for which it's collected unless the individual gives consent (as required by law). After being collected, this information is stored only for as long as necessary to achieve the stated intended purpose.
- Personal information must be accurate, comprehensive, and up to date for the purpose for which it is being used.
- Personal information must be safeguarded by security measures that are appropriate to the information's sensitivity level.
- An organization must be accessible and willing to provide individuals with information about its policies and procedures that pertain to how personal information is handled.
- An individual has the right to access, on request, the existence, use, and disclosure of their personal information. An individual has the right to correct and verify any inaccurate or incomplete information disclosed to them.
- If an individual has a concern over how their information is being used, they can address that issue with those responsible for the organization's compliance.
What is HIPAA?
On the other hand, HIPAA is primarily concerned with health information and only covers certain entities such as healthcare providers and their related organizations (e.g., billing companies, health plans, pharmacies, etc).
Under HIPAA, any business that handles personal data must follow specific procedures outlined in the bill. The legislation establishes stringent standards that must be met by any organization engaged with personal data to safeguard patients and allow businesses to make informed judgments based on that information.
The collection, use, and sharing of health information in the United States is also covered by state laws. Still, when any data is sent outside the country, it is no longer protected under HIPAA.
HIPAA Main Principles Overview
The HIPAA Act includes similar principles to PIPEDA. Including respecting individuals' privacy, protecting the confidentiality/security of health records, disclosing only limited data without a patient's consent or authorization (except in certain situations), providing patients with access to their medical records upon request & waiving fees when patients themselves request records.
HIPAA also allows individuals who believe there has been an invasion of privacy or unauthorized use of their protected health information (PHI) to file suit against the violator.
What Information is Protected By Each Law?
Protected Health Information (HIPAA)
HIPAA covers any individually identifiable health information held or transmitted by a covered entity (or its third-party associate) in any form or medium, whether electronic, on paper, or oral. These types of personal information can include:
- Names (Full or last name and initials)
- Dates directly related to identity or service provided
- Contact Information (phone & fax numbers, email addresses)
- Social Security numbers
- Medical record information (including account numbers and personal & beneficiary health insurance information)
- Certification/license numbers
- Vehicle identification information (including license plate numbers)
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers (finger, retinal, and voice prints)
- Full-face photos and all comparable images
- Any other unique identifying characteristics or numbers
Personal Information (PIPEDA)
The definition of personal information under PIPEDA is broader than that provided by HIPAA. The term "personal information" refers to any data that, on its own or when linked to other data, may identify you:
- Demographic information (including name, age, social security & identification numbers, nationality, race, ethnicity, and marital status)
- Contact information (phone & fax numbers, and email address)
- Financial information (income, banking, credit & loan records, and any merchant & consumer disputes)
- Medical information (history, DNA identifiers, blood type, and any records and personal data)
- And personal history information (educational, employment, disciplinary actions, evaluations, intentions, opinions, or comments)
How are HIPAA and PIPEDA alike?
Both laws govern how organizations can collect and use personal data from individuals or customers for business purposes.
Each also sets guidelines around how information should be protected throughout its lifespan. Including when it's being collected/used by an organization, kept in storage, and once it has been destroyed.
Both HIPAA and PIPEDA require organizations to be accountable for the personal data they have under their management.
And, both laws state that individuals must consent before an organization can collect, use, or share any of their information unless it's legally required (HIPAA) or doing so is unjustified (PIPEDA).
How are they different?
HIPAA is a national law in the United States. Therefore it only applies to organizations located within the U.S. or those doing business with American consumers while operating outside of America (e.g., Canadian healthcare providers).
The most significant difference between HIPAA and PIPEDA, however, lies more in what each act protects. HIPAA's primary concern is protecting health information, while PIPEDA focuses on all types of personal data, including health information.
PIPEDA also covers information uploaded directly by individuals and not just reported by an entity.
HIPAA is also more specific about the types of entities it applies to, whereas PIPEDA covers a larger spectrum of organizations that collect or use personal data.
Who does PIPEDA apply to?
PIPEDA applies to organizations that collect or store personal information to provide commercial services and focus on all types of personal data, including healthcare records.
"Commercial activity" is defined as conducting any act or transaction that is regularly considered commercial in nature, including bartering, leasing, and selling.
PIPEDA protects the privacy of all Canadians, and it's important to know that these laws apply in any industry when the individuals involved are engaging in commercial services. Covered entities include private organizations like businesses or non-profit organizations, and they can also be government agencies such as ministries with jurisdiction over various areas--like health care delivery or labor relations legislation.
In comparison to HIPAA, which more specifically applies to healthcare providers and their related organizations, PIPEDA has a broader range of organizations under its jurisdiction.
Who are Canadian Health Custodians?
Doctors, nurses, hospitals, homes for special care, pharmacies, medical laboratories, local medical officers, ambulance services, community & long-term care centers (nursing homes), mental health programs (insurance programs), and the Ministry of Health are all considered Custodians.
Custodians of personal data operating in Ontario have additional obligations under the Personal Health Information Protection Act (PHIPA) on how to protect the data they collect on their clients or patients.
The difference between the PHIPA and PIPEDA is that PIPEDA (a federal law) applies to any company that collects, uses, and discloses personal information while engaging in commercial activities. In contrast, the PHIPA (a provincial law) applies to health custodians who collect, use, and disclose personal health information regardless of whether or not they conduct commercial activities.
PIPEDA's provisions continue to apply to all commercial activities involving the transfer of personal health information between provinces and territories, as well as international information transfers.
Both PIPEDA and HIPAA define "personal information" somewhat differently, but both play their roles in safeguarding confidentiality, trustworthiness, and accessibility.
Because these laws interact internationally where personal data crosses borders, it would be worthwhile for organizations operating in more than one country -- especially those who collect medical records electronically at home and abroad -- to make sure they understand all policies governing their collecting & handling sensitive customer information.
While the list of criteria is long, there are many solutions and strategies to guarantee that you meet the standards for both and ensure that your business is 100% compliant.
Unsure where to get started? Read more about HIPAA compliance requirements or schedule a call with one of our Compliance Specialists today. Let us show you how we can be a complete administrative solution to your Compliance needs!