What are the rules in Canada when it comes to patient privacy? Canada’s federal law, the Personal Information Protection and Electronic Documents Act (PIPEDA), is comparable in many ways to the Health Insurance Portability and Accountability Act (HIPAA) in the United States. However, there are several differences to keep in mind. We’ve summarized the key takeaways from this excellent post by Canadian data expert Waël Hassan.
1. How is PIPEDA different from HIPAA?
HIPAA is a US federal law that governs the privacy and security of personal health information (PHI) for only certain entities in the health industry – mainly healthcare providers, health insurers, and health exchange organizations. On top of that, health information is also governed by any additional state laws.
In Canada, PIPEDA applies to all personal data, health or otherwise, regardless of the entity. As this other great post states: “once an organization collects data, regardless of the province, industry, or the type, that…organization is now fully accountable and responsible for the protection of said data.” However, it is wise to note that the specifics of PIPEDA may not apply to every province. Each individual province has the right to have its own rules and regulations as long as they are “substantially similar” to PIPEDA. You can check our list below of which provinces choose to use PIPEDA and which have their own governance.
2. Do I need to sign a BAA with my service providers?
This depends on the services they provide. Remember, HIPAA only applies to certain health industry entities in the US. So the purpose of the BAA in HIPAA is to ensure that there is an unbroken chain of responsibility for any PHI that may be “touched” by a vendor and/or service provider. Most large healthcare systems have a standard agreement that they require their vendors who work with PHI to sign. Also, vendors themselves often have a standard HIPAA BAA they use for their customers’ convenience.
In Canada, these agreements are not standardized and their requirements may vary from province to province. Several provinces, including Ontario, have various classifications for service providers (e.g., information network providers, electronic service providers, agents, etc.). Whether a provider needs to sign a privacy protection agreement with a vendor depends on that particular provider’s classification.
3. Does Canadian PHI Really Need to Stay in Canada?
All Canadian provinces, with the exception of British Columbia and Nova Scotia, allow health data to reside in the United States. So providers who don’t practice in either British Columbia or Nova Scotia don’t need to worry about the locations of their servers. British Columbia* and Nova Scotia do not allow their residents’ health data to be stored in the USA, even when the data is encrypted.
4. What about health data on mobile apps?
In the US, HIPAA applies to only certain “covered entities” that handle PHI, mainly healthcare providers, health insurers, and health exchange organizations. Data uploaded by citizens to private devices for personal use is a grey area. For example, if you use a FitBit and upload that data to the FitBit mobile health app, that data isn’t protected by HIPAA. Data protection in that case is very likely to be governed by the terms of agreement with FitBit.
5. What type of health data is protected?
HIPAA covers any personally identifiable information that is created or received by a “health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse” and relates to past, present, and future health conditions, treatments, or payments. Demographics would be a subset of identifiable health information.
In Canada, any data, including users, statistics, and volume, must be available to the covered entities in Canada. This data is important in accountability procedures in cases of privacy violations. In addition, sensitive or Personally Identifiable Information (PII) is protected, such as age, name, ID numbers, income, ethnic origin, blood type, medical records, opinions, evaluations, comments, social status, payment information, etc.
6. Province-by-province highlights
Alberta has its Personal Information Protection Act, which is not significantly different from PIPEDA. Alberta is unique in that, instead of individual covered entities, the province’s entire health system is considered the Health Information Custodian.
British Columbia’s provincial law is called the Personal Information Protection Act. BC is one of only two provinces that do not allow PHI to be saved in the USA, even when encrypted.
Manitoba does not have its own provincial law, so only PIPEDA applies here.
New Brunswick’s law is the Personal Health Information Privacy and Access Act.
Newfoundland and Labrador is covered under the Personal Health Information Act.
Nova Scotia’s provincial law is the Personal Information International Disclosure Act. Like British Columbia, Nova Scotia forbids storing patient data in the USA, even if encrypted.
Ontario’s law is called the Personal Health Information Protection Act. It provides for several different classifications of service providers, so it’s important to know into which category a particular vendor might fit.
Prince Edward Island does not have its own provincial law, so only PIPEDA applies here.
Quebec has passed An Act Respecting the Protection of Personal Information in the Private Sector, in addition to a couple of other laws that make Quebec unique and significantly different from other provinces.
Saskatchewan does not have its own provincial law, so only PIPEDA applies here.
The Northwest Territories, Nunavut, and Yukon are territories, not provinces, so only PIPEDA applies in these areas.
* British Columbia has several laws that govern privacy. The one that requires personal data to be stored in Canada is the Freedom of Information and Protection of Privacy Act (which applies to public bodies). Under section 30.1(a) there appears to be an allowance for storing personal information outside of Canada as long as the individual has consented.
30.1 A public body must ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, unless one of the following applies:
(a) if the individual the information is about has identified the information and has consented, in the prescribed manner, to it being stored in or accessed from, as applicable, another jurisdiction;
(b) if it is stored in or accessed from another jurisdiction for the purpose of disclosure allowed under this Act;
(c) if it was disclosed under section 33.1 (1) (i.1).
Here is some guidance that clarifies British Columbia’s cloud computing rules.