
PHIPA, HIPAA, PIPEDA, Oh My!

Photo by rawpixel on Unsplash

By Jerica Rossi, 2.8.19 

Are you a Canadian facility wondering, “If I use a US-based mental health EHR, will my data be secure and PHIPA / PIPEDA compliant?!”  

Both Canada and the United States have legislation that sets rules for the collection, use and disclosure of personal health information. In the US, the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to put proper security measures in place; in Canada the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and Ontario's provincial Personal Health Information Protection Act (PHIPA) do the same. The acronym PHI is shared but not identical: HIPAA uses it for "protected health information", PHIPA for "personal health information".

Are they all the same?! Let us break it down for you…

PIPEDA

PIPEDA was enacted in 2000 to safeguard personal information handled in the course of commercial activity (electronic commerce was the original driver). It requires organizations to protect the personal information they hold and to obtain an individual's consent when they collect, use or disclose it. Personal information includes demographic data, medical information, ID numbers and credit information.

PIPEDA applies to personal information handled in the course of "commercial activity", defined as "any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fund-raising lists" (Office of the Privacy Commissioner of Canada). Non-profits, charities and political associations therefore generally fall outside PIPEDA unless they engage in commercial activity. That does not free them of all privacy obligations: an Ontario non-profit that is a health information custodian is still bound by PHIPA.

PIPEDA applies across Canada by default, but the federal government can exempt organizations in a province whose own privacy law is "substantially similar" to PIPEDA. Ontario's PHIPA has been declared substantially similar for health information custodians, so their collection, use and disclosure of PHI within Ontario is governed by PHIPA rather than PIPEDA. The exemption does not reach across borders: PIPEDA continues to apply to personal information that flows interprovincially or internationally, which is exactly what happens when a Canadian clinic stores records with a US-hosted EHR.

PHIPA

PHIPA came into force in Ontario on November 1, 2004. It protects the privacy of PHI and sets out the policies and practices required of health information custodians, such as doctors, hospitals and other health care facilities.

What’s the purpose of PHIPA?

PHIPA’s purpose is to a) establish regulations for the collection, use and disclosure of personal health information in a manner that protects the confidentiality of the information and the privacy of the individuals in question; b) provide individuals with the right to access personal health information about themselves and to correct or amend such information, subject to certain exceptions; and c) provide independent review and resolution of personal health information complaints (Certified Information Privacy Professional Guide).

Who is responsible for PHIPA compliance?

Under PHIPA, a health information custodian includes a health care practitioner, health service provider, hospital, medical facility, pharmacy, laboratory or board of health. Custodians are accountable for protecting PHI against theft, loss and unauthorized use or disclosure, for their own PHIPA compliance, and for the conduct of their agents: the employees, volunteers, students and outside service providers the custodian authorizes to handle PHI on its behalf. Accountability does not transfer with the data, so a custodian that hands PHI to an outside EHR vendor remains answerable for how that vendor protects it.

What’s the difference between PIPEDA and PHIPA?

PIPEDA applies to organizations that collect, use or disclose personal information in the course of commercial activity. PHIPA applies to health information custodians in Ontario whether or not their activity is commercial, so a public hospital or community mental health agency is covered by PHIPA even if it falls outside PIPEDA. Because PHIPA is recognized as substantially similar to PIPEDA, an Ontario custodian that complies with PHIPA is exempt from PIPEDA for PHI handled within Ontario; transfers out of the province, including to a US data centre, still fall under PIPEDA.

HIPAA

HIPAA was enacted in the United States in 1996. Its Privacy Rule protects PHI in any form, electronic or on paper, held by covered entities such as health care providers and health plans, and its Security Rule sets out the administrative, physical and technical safeguards required for electronic PHI (ePHI). Both rules require covered entities to develop, document and follow procedures that protect PHI.

Is electronic PHI protected under HIPAA?

Yes. The Security Rule's technical safeguards for ePHI are access control, audit controls, integrity, person or entity authentication, and transmission security. Together they are meant to ensure that only authorized persons can reach ePHI, that ePHI is not altered or destroyed without authorization, that every access is logged and reviewable, and that ePHI is protected while in transit over a network. Separately, any vendor that creates, receives, maintains or transmits ePHI on a covered entity's behalf (a hosted EHR, for example) is a business associate and must sign a business associate agreement (BAA) stating how it will handle and protect that data. A practical check: "HIPAA compliant" is a vendor's claim, not a government certification, so ask for the BAA and for evidence of the safeguards above before sending any records.

Just as PIMSY supports our US clients' HIPAA compliance, we support our Canadian clients' PHIPA / PIPEDA compliance too! Contact us for details: 877.334.8512, ext 1.

Sources

Certified Information Privacy Professional Guide 

Office of the Privacy Commissioner of Canada

Compliancy Group: HIPAA


Jerica Rossi is a Marketing Associate of PIMSY EHR. For more information about electronic solutions for your practice, check out Behavioral Health EHR.
