What is HIPAA equivalent in Canada?
US-based health IT companies seeking to expand their operations north of the border must determine how American health privacy requirements translate in Canadian jurisdictions.
This article is a follow-up to a previous post on translating HIPAA to PHIPA.
The US’s main instrument for regulating health privacy is the 1996 Health Insurance Portability and Accountability Act (HIPAA), which applies to health care providers, health plans (including insurers), and health care clearinghouses, together with the business associates that handle protected health information on their behalf. Private companies in the US sell “HIPAA compliance” certifications, but these are commercial attestations only: the US Department of Health and Human Services does not issue or recognize any official HIPAA certification, and holding one is not a defence in an enforcement action.
Across the border, the landscape is quite different. Health privacy is largely legislated at the provincial level. The federal private-sector statute, PIPEDA, applies to personal information handled in the course of commercial activity, but it steps back in a province whose own law has been declared substantially similar to it (Ontario’s PHIPA, for example, has been declared substantially similar with respect to health information custodians). As a result, there are substantial differences between the way various provinces approach health information privacy, and this has a ripple effect on American businesses hoping to expand in Canada.
Privacy Compliance Officers need to carry this cheat sheet
All Canadian provinces, with the exception of British Columbia and Nova Scotia, allow health data to reside in the United States. BC and Nova Scotia do not allow health data held by or for their public bodies (which include the public health system) to be stored in or accessed from the US. The restriction is on the location of the data, so encrypting it does not satisfy the requirement: encrypted data sitting on a US server is still data stored in the US.
Language Used for Covered Entities
The term “covered entity” refers to the health care providers, health plans, clearinghouses, and other bodies HIPAA applies to. Canadian provinces refer to their “covered entities” in slightly different language, though essentially they all mean whoever holds residents’ personal health information. In Ontario and several other provinces, the covered entity is called a Health Information Custodian, or simply a custodian. Alberta’s Health Information Act also uses “custodian”, and Alberta Health Services, which operates the provincial health system, is itself a custodian.
Role of the Service Provider
Businesses in the US are used to signing business associate agreements (BAAs) with the covered entities they serve. These agreements bind the vendors that provide services to health care providers and insurers to HIPAA’s privacy and security requirements, thereby minimizing the risk of unauthorized disclosures of patient information. In Canada, these types of agreements are not standardized and their requirements may vary from province to province. Several provinces, including Ontario, do define classes of service providers (e.g., health information network providers, electronic service providers, agents), each with its own obligations. These classifications do not on their own mandate BAA-style contracting, but they do provide the vocabulary for drafting equivalent agreements.
US service providers face heavy restrictions on use, disclosure, and even access to Canadian personal health information. Therefore, any American company whose BAAs contain provisions for the sale, aggregation, or de-identification of data will likely have to change those agreements before doing business in Canada.
Patients and Funding
In Canada, public health care for military personnel (and certain other groups, such as federal inmates) is funded by the federal government, while care for other residents is funded by the provincial government. In the US, which does not have a single-payer public health care system, payment is split among private insurers, public programs such as Medicare and Medicaid, charities, and patients’ own funds. This may create some differences in the likelihood that individual patients pursue a privacy complaint, though patients in the US tend to be more litigious overall.
Data uploaded by patients
In the US, HIPAA governs covered entities’ and business associates’ use of health information, but it does not cover data individuals upload to services that are not covered entities. For example, if you publish a mobile health app in the Apple App Store that lets consumers manage their personal health and wellness, the data they enter is not protected by HIPAA. Its protection is largely governed by the contract (privacy policy and terms of service) between the consumer and the app company, backed by general consumer-protection law rather than HIPAA.
In Canada, any research on health data must first be approved by a research ethics board (REB). REBs are usually institutional (hospital or university) bodies, and in some provinces regional or provincial bodies, with the power to authorize an entity to conduct research and publish the results.
System use data, such as access and audit logs, user statistics, and volumes, must be available to the custodians in Canada. Custodians need this data to fulfil their accountability obligations when investigating a suspected privacy breach, so a service provider that cannot produce it leaves its custodian clients unable to demonstrate who accessed what.
Sale of Data
The sale of health data is an ambiguous area. In many cases in the US, if information is collected by entirely legal means, it can often be sold, provided it falls outside HIPAA or has been de-identified to HIPAA’s standard. American companies supporting custodians in Canada, by contrast, have no right to sell the data they process. In Canada, the sale of personal health information is permitted only where the individuals concerned have given consent.
Canada’s health privacy statutes, which are provincial (Ontario’s PHIPA, Alberta’s HIA, and their counterparts elsewhere), do not have a certification mechanism for covered entities to validate their compliance. Instead, each project or technology is evaluated through a Privacy Impact Assessment and a Threat Risk Assessment to determine the likelihood of a breach and to identify the best available means to address the threats identified.
In the US, HIPAA enforcement is split. The Office for Civil Rights (OCR) within the Department of Health and Human Services enforces the Privacy, Security, and Breach Notification Rules, which is where the penalties for mishandling patient data come from. The Centers for Medicare & Medicaid Services (CMS) enforces the administrative simplification provisions: the transactions, code sets, and employer and provider identifier regulations.
In Canada the privacy laws are monitored and enforced by data protection authorities called Privacy Commissioners (in Ontario, the Information and Privacy Commissioner). Their powers differ: some provincial commissioners have order-making powers under their health privacy statutes, while the federal Privacy Commissioner under PIPEDA issues findings and recommendations rather than fines, and penalties or damages for violations are generally left to the courts.
So what can be done to reconcile the Canadian legislative patchwork with federalized American uniformity? American businesses exploring the Canadian market would do best to check off three key goals before expanding:
- Develop a privacy and security architecture
- Conduct a Threat Risk Assessment
- Develop a Privacy Impact Assessment procedure
These three steps, which can be taken under the guidance of a third party, are essential to ensuring that US businesses can transition smoothly into the Canadian market.
Aylin Manduric, Audrey Chen
About Waël Hassan:
Waël Hassan, PhD, is the founder of KI DESIGN MAGAZINE, an online monthly magazine. Each issue explores legislative and regulatory changes, new technologies, and the needs and challenges of data custodians, and provides insight into the development of approaches to open data access strategies and models. It offers summaries, analyses, insights, and commentaries on business transformation in the areas of Governance, Risk & Compliance, Project & Portfolio Management, IT Strategy & Operations, and Technological Tool Management.