
PHIPA, HIPAA, and PIPEDA Explained

PUBLISHED ON: 02.08.2019

Are you a Canadian facility wondering, "If I use a US-based mental health EHR, will my data be secure and PHIPA / PIPEDA compliant?"

Both the Canadian and US federal legislatures have established privacy and security rules governing the collection, use, and disclosure of personal health information (PHI).

In the United States, the Health Insurance Portability and Accountability Act (HIPAA) sets the privacy and security requirements for PHI. In Canada, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial laws such as Ontario's Personal Health Information Protection Act (PHIPA) play the same role.

Are they all the same?! Let us break it down for you…

PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) was enacted in 2000 as a way to safeguard personal information in electronic commerce. This privacy law requires organizations and health professionals to protect an individual’s data, as well as obtain consent from the individual when they collect, use, or disclose such information.

This information includes:

  • Demographic Data
  • Medical Information
  • ID Numbers
  • Credit Card Information

PIPEDA applies to personal information collected, used, or disclosed in the course of a "commercial activity," which the Act defines as:

"Any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fund-raising lists." (Office of the Privacy Commissioner of Canada)

This means that non-profits, charities, and political associations generally fall outside PIPEDA for their core activities; they are only covered when they engage in commercial activity (for example, selling a membership list). Being outside PIPEDA does not mean such organizations are free to ignore privacy, since other federal or provincial laws may still apply to them.

PIPEDA also allows the federal government to exempt organizations in a province whose privacy legislation has been declared "substantially similar" to PIPEDA, as Ontario's PHIPA has been for health information custodians. The exemption covers collection, use, and disclosure within the province; PIPEDA continues to apply to personal information that crosses provincial or national borders, which is exactly the situation a Canadian clinic is in when it sends records to a US-hosted EHR.

PHIPA

The Personal Health Information Protection Act (PHIPA) came into force on November 1, 2004, in Ontario to protect the privacy of personal health information. It sets out the rules that health information custodians, such as doctors, hospitals, and other healthcare provider facilities, must follow.

What’s the purpose of PHIPA?

PHIPA has three primary purposes:

  1. Establish regulations for collecting, using, and disclosing personal health information. This protects the confidentiality of the information and the privacy of the individuals in question.
  2. Provide individuals with the right to access their personal health information and patient records. Also, they should be able to correct or amend such information.
  3. Provide independent review and resolution of personal health information complaints. (Certified Information Privacy Professional Guide)

Who is responsible for PHIPA compliance?

Under PHIPA, health information custodians are the individuals or organizations responsible for protecting personal health information (PHI). Examples include healthcare practitioners, health service providers, and hospitals. Custodians are legally accountable for safeguarding PHI against theft, loss, and unauthorized use or disclosure. They must also ensure that anyone acting on their behalf, known under the Act as agents, complies with PHIPA. Agents may include employees, volunteers, students, or service providers (such as an EHR vendor) authorized to handle PHI under the custodian's direction, and the custodian remains responsible for what those agents do with the data.

What’s the difference between PIPEDA and PHIPA?

PIPEDA applies to organizations, including healthcare organizations, that collect and use personal information in the course of commercial activity. PHIPA, in contrast, governs personal health information within Ontario and applies directly to custodians and their agents, regardless of whether the activity is commercial. Because PHIPA has been declared substantially similar to PIPEDA, custodians that comply with PHIPA are exempt from PIPEDA for the collection, use, and disclosure of PHI inside Ontario; PIPEDA still applies when that information crosses provincial or national borders.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in the United States in 1996 to safeguard medical information and to ensure the confidentiality and security of PHI by healthcare providers and organizations, electronically and on paper.

The HIPAA Privacy and Security Rules require covered entities (providers, health plans, and clearinghouses) and their business associates to establish and follow documented policies and procedures for protecting PHI. These rules are federal regulations, not voluntary guidelines.

Is electronic PHI protected under HIPAA?

Yes. The HIPAA Security Rule specifically covers electronic PHI (e-PHI) and requires administrative, physical, and technical safeguards. The technical safeguards are access control, audit controls, integrity controls, person or entity authentication, and transmission security. Together they ensure that only authorized individuals can reach e-PHI, that every access is recorded, and that the information cannot be altered or destroyed without detection, whether at rest or in transit.

Access control is the safeguard that most directly prevents unauthorized disclosure: organizations must grant each user only the access their role requires, and must be able to review who accessed what and when. Separately, a covered entity that shares e-PHI with a vendor, such as an EHR provider, must sign a business associate agreement (BAA) that defines how the vendor will handle and protect the data it receives and makes the vendor directly accountable under HIPAA.
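To make the three technical safeguards named above concrete, here is an added example (written for this article, not code from PIMSY or from any EHR product) of how an application can enforce a role-based access check, record every decision in an audit log, and make that log tamper-evident with an HMAC hash chain. The role table, user names, patient identifiers, and the secret key are all constructed for the demonstration; a real system would pull roles from its identity provider and keep the integrity key in a separate logging service so that a user cannot rewrite their own trail.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumed role-to-permission table (constructed for this example).
ROLE_PERMISSIONS = {
    "clinician": {"read_record", "write_record"},
    "billing": {"read_billing"},
    "auditor": {"read_audit_log"},
}

# Chain anchor for the first entry; any fixed value works as long as verify() uses the same one.
GENESIS = "0" * 64


class AccessLog:
    """Append-only audit log where each entry is MACed together with the previous entry's hash.

    Editing, reordering, or deleting an entry after the fact changes the chain, so
    verify() reports the first entry that no longer matches (an integrity control).
    """

    def __init__(self, integrity_key):
        # integrity_key: secret assumed to be held by the logging service, not by app users.
        self._key = integrity_key
        self.entries = []

    def _digest(self, prev_hash, record):
        payload = json.dumps(record, sort_keys=True).encode()
        return hmac.new(self._key, prev_hash.encode() + payload, hashlib.sha256).hexdigest()

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"prev": prev, "record": record, "hash": self._digest(prev, record)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            expected = self._digest(prev, entry["record"])
            if entry["prev"] != prev or not hmac.compare_digest(entry["hash"], expected):
                return False, i
            prev = entry["hash"]
        return True, None


def authorize(log, user, role, action, patient_id, ts=None):
    """Role-based access check for e-PHI. Every decision, allow or deny, is logged."""
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    log.append({
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "action": action,
        "patient": patient_id,
        "decision": "allow" if allowed else "deny",
    })
    return allowed


def demo():
    """Exercise the controls on constructed sample events and return the observations."""
    ts = "2019-02-08T09:00:00+00:00"  # fixed timestamp so the run is reproducible
    log = AccessLog(b"constructed-demo-key")
    clinician_ok = authorize(log, "dr_lee", "clinician", "read_record", "P-001", ts)
    billing_denied = authorize(log, "b_ng", "billing", "read_record", "P-001", ts)
    auditor_denied = authorize(log, "a_ram", "auditor", "write_record", "P-001", ts)
    intact = log.verify()

    # Insider tries to hide a denied attempt by flipping the stored decision.
    log.entries[1]["record"]["decision"] = "allow"
    after_edit = log.verify()
    log.entries[1]["record"]["decision"] = "deny"  # restore, then try deleting an entry

    del log.entries[1]
    after_delete = log.verify()

    return {
        "clinician_ok": clinician_ok,
        "billing_denied": billing_denied,
        "auditor_denied": auditor_denied,
        "intact": intact,
        "after_edit": after_edit,
        "after_delete": after_delete,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The denied requests are logged as deliberately as the allowed ones; an audit trail that only records successes cannot show an attacker probing for access. Because the key lives outside the application, a compromised clinician account (or a developer with database access) can change rows but cannot produce a valid chain for the altered history.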

Conclusion

By enforcing regulations and adopting proactive security measures, organizations significantly reduce the risk of privacy breaches. This also safeguards the confidentiality and integrity of personal health information (PHI).

Just as PIMSY keeps our US clients HIPAA compliant, we keep our Canadian clients PHIPA / PIPEDA compliant too.

Contact us for details: 877.334.8512, ext 1 or at hello@pimsyehr.com 

Sources

Office of the Privacy Commissioner of Canada

Compliancy Group: HIPAA

Author: pehradmin