What are the rules in Canada when it comes to patient privacy? Canada’s federal law, the Personal Information Protection and Electronic Documents Act (PIPEDA), is comparable in many ways to the Health Insurance Portability and Accountability Act (HIPAA) in the United States. However, there are several differences to keep in mind. We’ve summarized the key takeaways from this excellent post by Canadian data expert Waël Hassan.
1. How is PIPEDA different from HIPAA?
HIPAA is a US federal law that governs the privacy and security of personal health information (PHI) for only certain entities in the health industry – mainly healthcare providers, health insurers, and health exchange organizations. On top of that, health information is also governed by any additional state laws.
In Canada, PIPEDA applies to all personal data, health or otherwise regardless of the entity. Its purpose and scope are more similar to Europe’s General Data Protection Regulation (GDPR) law than the US HIPAA law. As this other helpful post explains: “once an organization collects data, regardless of the province, industry, or the type, that…organization is now fully accountable and responsible for the protection of said data.”
However, it is wise to note that the specifics of PIPEDA may not apply to every province. Each individual province has the right to have its own rules and regulations as long as they are “substantially similar” to PIPEDA. You can check out our list below which provinces choose to use PIPEDA and which have their own governances.
It’s useful to note that Ontario actually has it’s own equivalent of the US HIPAA law which applies specifically to PHI, called the Personal Health Information Protection Act, 2004 (PHIPA), which we’ll talk about more when discussing whether PHI has to stay in Canada. Hint: the short answer is “no.”
2. Do I need to sign a BAA with my service providers?
This depends on the services they provide. Remember HIPAA only applies to certain health industry entities in the US. So the purpose of the BAA in HIPAA is to ensure that there is an unbroken chain of responsibility for any PHI that may be “touched” by a vendor and/or service provider. Most large healthcare systems have a standard agreement that they require their vendors who work with PHI to sign. Also, vendors themselves often have a standard HIPAA BAA they use for their customers’ convenience.
In Canada, these agreements are not standardized and their requirements may vary from province to province. Several provinces, including Ontario, have various classifications for service providers (e.g., information network providers, electronic service providers, agents, etc.). Whether a provider needs to sign a privacy protection agreement with a vendor depends on that particular provider’s classification.
3. Does Canadian PHI Really Need to Stay in Canada?
All Canadian provinces, with exception of British Columbia and Nova Scotia, allow health data to reside in the United States. So for providers who don’t practice in either British Columbia or Nova Scotia the locations of their servers is less of an issue. British Columbia* and Nova Scotia do not allow their residents’ health data to be stored in the USA, even when the data is encrypted, except in very limited cases
4. What about health data on mobile apps?
In the US, HIPAA applies to only certain “covered entities” that handle PHI, mainly healthcare providers, health insurers, and health exchange organizations. Data uploaded by citizens to private devices for personal use is a grey area. For example, if you use a FitBit and upload that data to the FitBit mobile health app, that data isn’t protected by HIPAA. Data protection in that case is very likely to be governed by the terms of agreement with FitBit.
5. What type of health data is protected?
HIPAA covers any personally identifiable information that is created or received by a “health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse” and relates to past, present, and future health conditions, treatments, or payments. Demographics would be a subset of identifiable health information.
In Canada, any data, including users, statistics, and volume, must be available to the covered entities in Canada. This data is important in accountability procedures in cases of privacy violations. In addition, sensitive or Personally Identifiable Information (PII) such as age, name, ID numbers, income, ethnic origin, or blood type, medical records, opinions, evaluations, comments, social status, payment information, etc.
6. Province-by-province highlights
Alberta has its Personal Information Protection Act, which is not significantly different than PIPEDA. Alberta is unique in that, instead of individual covered entities, the province’s entire health system is considered the Health Information Custodian.
British Columbia’s provincial law is called the Personal Information Protection Act. BC is one of only two provinces that do not allow PHI to be saved in the USA, even when encrypted.
Manitoba does not have its own provincial law, so only PIPEDA applies here.
New Brunswick’s law is the Personal Health Information Privacy and Access Act.
Newfoundland and Labrador are covered under the Personal Health Information Act.
Nova Scotia’s provincial law is the Personal Information International Disclosure Act . Like British Columbia, Nova Scotia forbids storing patient data in the USA, even if encrypted.
Ontario’s law is called the Personal Health Information Protection Act (PHIPA). It provides for several different classifications of service providers, so it’s important to know into which category a particular vendor might fit.
While it does allows for health data to be moved outside of the province when using a third-party vendor; however, it requires a patient’s express consent to release health information outside of Ontario.
The issue with this, Canadian privacy and regulatory law counsel David Young Law points out is “Organizations entering into outsourcing arrangements that may involve cross-border data transfer need to consider what notice should be given to the affected individuals, where no prior notice exists.”
The Ontario Information and Privacy Commissioner has provided guidance on considerations when choosing to use cloud computing services (including Software As A Service, like VSee). The “Know Your Legal and Policy Obligations” section notes:
There is no legal prohibition in Ontario against outsourcing computing services to a third party cloud service provider. This applies regardless of whether the third party stores personal information in a foreign jurisdiction. However, FIPPA* and MFIPPA* and their regulations do impose legal requirements that must be met regardless of where the data resides or is processed.
The critical question is whether your institution has taken reasonable steps to protect the privacy and security of the records in its custody and control.
*Freedom of Information and Protection of Privacy Act (FIPPA) and its municipal counterpart the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)
Here are other useful education material and guidances the Commissioner provides:
- Fact Sheet on Applying PHIPA & FIPPA to PHI
- Fact Sheet on the secure transfer of PHI
- PHIPA Privacy Assessment Guidelines
Prince Edward Island does not have its own provincial law, so only PIPEDA applies here.
Quebec has passed An Act Respecting the Protection of Personal Information in the Private Sector, in addition to a couple of other laws that make Quebec unique and significantly different from other provinces.
Saskatchewan does not have its own provincial law, so only PIPEDA applies here.
The Northwest Territories, Nunavut, and Yukon are territories, not provinces, so only PHIPA applies in these areas.
* British Columbia has several laws that govern privacy. The one that requires personal data to be stored in Canada is the Freedom of Information and Protection of Privacy Act (which applies to public bodies). Under section 30.1(a) there appears to be allowance for storing personal information outside of Canada as long as the individual has consented.
30.1 A public body must ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, unless one of the following applies:
(a) if the individual the information is about has identified the information and has consented, in the prescribed manner, to it being stored in or accessed from, as applicable, another jurisdiction;
(b) if it is stored in or accessed from another jurisdiction for the purpose of disclosure allowed under this Act;
(c) if it was disclosed under section 33.1 (1) (i.1).
Here is some guidance that clarifies British Columbia’s cloud computing rules.
Find out more with comprehensive HIPAA guides here