PHIPA, HIPAA, PIPEDA, Oh My!
By Jerica Rossi, 2.8.19
Are you a Canadian facility wondering, “If I use a US-based mental health EHR, will my data be secure and PHIPA / PIPEDA compliant?!”
Both Canadian and US federal legislation has established rules for data privacy and security regarding the collection, use and disclosure of personal health information (PHI). In the US, the Health Insurance Portability and Accountability Act (HIPAA) requires compliance to ensure that proper security measures are taken, as do the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Personal Health Information Protection Act (PHIPA) in Canada.
Are they all the same?! Let us break it down for you…
PIPEDA was enacted in 2000 as a way to safeguard personal information in electronic commerce and requires organizations to protect the privacy of an individual’s data, as well as obtain consent from an individual when they collect, use or disclose such information. This information includes demographic data, medical information, ID numbers and credit information.
PIPEDA specifically applies to commercial use, which is defined as “any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fund-raising lists” (Office of the Privacy Commissioner of Canada). This means that non-profits, charities and politically affiliated associations are not required by PIPEDA to protect an individual’s information.
Although PIPEDA applies to organizations involved in interprovincial and international transactions, Canada has allowed provinces with substantially similar privacy legislation, such as PHIPA in Ontario, to be exempt.
PHIPA was enacted on November 1, 2004, in Ontario as a way to ensure the privacy of PHI and outlines policies and practices for health information custodians, such as doctors, hospitals or other health care provider facilities.
What’s the purpose of PHIPA?
PHIPA’s purpose is to a) establish regulations for the collection, use and disclosure of personal health information in a manner that protects the confidentiality of the information and the privacy of the individuals in question; b) provide individuals with the right to access personal health information about themselves and to correct or amend such information, subject to certain exceptions; and c) provide independent review and resolution of personal health information complaints (Certified Information Privacy Professional Guide).
Who is responsible for PHIPA compliance?
Under PHIPA, a health information custodian is identified as a health care practitioner, health service provider, hospital, medical facility, pharmacy, laboratory or board of health. These custodians are accountable for protecting PHI from theft, loss, unauthorized use and unauthorized disclosure, for PHIPA compliance, and for the conduct of their PHI agents. PHI agents are individuals authorized by the custodian to interact with PHI, such as facility employees, volunteers or students.
What’s the difference between PIPEDA and PHIPA?
While PIPEDA applies to organizations that collect and use personal information in the course of commercial activities, PHIPA applies to health information custodians within Ontario, not just to organizations involved in commercial activities. Those who are compliant with PHIPA need not separately comply with PIPEDA, as PHIPA is recognized as substantially similar privacy legislation.
HIPAA was enacted in the United States in 1996 to safeguard medical information and to ensure the confidentiality and security of PHI held by health care providers and organizations, both electronically and on paper. HIPAA regulations, which are mandated by the government, require the development of, and adherence to, procedures that protect PHI.
Is electronic PHI protected under HIPAA?
Organizations must have technical safeguards for e-PHI, such as audit controls, integrity controls, transmission security, business associate agreements (BAAs) and access control. These measures ensure that only authorized persons have access to e-PHI; that information is not altered, destroyed, shared or accessed without authorization; and that business associates of medical facilities / providers have a contract outlining how they will also handle and protect the data they receive.