Rather than employing internal information technology support, numerous Canadian healthcare organizations are choosing to make use of outside information technology service providers to manage services such as email, cloud data storage, and IT installation and support. As we have discussed in previous posts, these are decisions that need to be examined carefully from the perspective of privacy and security. This is not only a matter of internal policy, but of legal compliance: in Ontario, information service providers to health information custodians (HICs) must comply with Ontario’s Personal Health Information Protection Act (PHIPA). Frequently, the service providers used by healthcare organizations for email and cloud data services are not local companies, but large American companies such as Google. It can be difficult to assess whether these companies are in compliance with provincial privacy laws and standards. Organizations often ask whether compliance with the US Health Insurance Portability and Accountability Act (HIPAA) is relevant in evaluating compliance with Canadian health care privacy laws. In other words, does legal compliance translate, in full or in part, from one jurisdiction to another?
HIPAA vs. PHIPA
It is difficult to compare HIPAA with Canadian laws such as PHIPA because they are written in different styles of language. PHIPA focuses on objectives rather than methods, and uses general terms: for example, it states that HICs must take “reasonable steps” to protect PHI against theft, loss, and unauthorized use and disclosure, as well as unauthorized copying, modification, or disposal. HIPAA, on the other hand, describes specific required physical and electronic safeguards for health information, such as facility access controls, workstation security, electronic information access control and authentication, and transmission security.
However, PHIPA does have several specific requirements that are not included in HIPAA:
1. Information technology service providers to HICs must “notify the custodian of any breach of the restrictions on its use and disclosure of personal health information or unauthorized access.”
This means that email or cloud storage providers serving healthcare organizations in Ontario are obligated to notify them of any security breaches or other instances of unauthorized access or disclosure. HIPAA does not require IT service providers to notify healthcare clients of breaches. While a notification requirement could be included in a contract with an American service provider, many US service providers are reluctant to agree to notify their clients of breaches because of fears of liability and loss of reputation.
2. Information technology service providers to HICs must “make available to the public, information about the services provided to the custodian; any directives, guidelines and policies of the provider that apply to the services provided; and a general description of the safeguards that have been implemented.”
IT service providers to Ontario healthcare organizations should provide a plain language description to be published online and in print about the services they will be providing, the privacy and security directives, guidelines, and policies to which they have agreed, and the information safeguards they employ.
3. Information technology service providers to HICs must agree to comply with PHIPA.
This point is problematic when it comes to large American IT service providers. It is doubtful whether American companies would agree to assess and monitor compliance with Canadian laws. The possibility of having to maintain compliance with multiple sets of laws from different jurisdictions is a liability which many companies would not be willing to take on.
So does compliance translate?
HIPAA compliance does indicate that a service provider is aligned with certain industry standards for privacy and security, but does not necessarily indicate compliance with Canadian laws and standards. Perhaps even more importantly, Canadian health organizations have no assurance that they can enforce legal compliance by American service providers. Canadians do not have access to US legal processes for enforcing HIPAA, and cannot involve American companies in Canadian legal processes. If Canadian organizations choose to utilize American service providers, they need to make sure they retain control over privacy and security practices, user access, and changes to information. (We discuss this issue further in our previous article “American Cloud Services for Canadian Healthcare Organizations.”)
The simple answer is that American IT service providers compliant with HIPAA are unlikely to be compliant with Canadian privacy law. In fact, because American companies are subject to the US Patriot Act, which basically allows American government agencies to access any data deemed relevant to national security, they almost certainly are not in compliance with Canadian law. Given these circumstances, IT services that involve Canadians’ personal health information – that is, health related information that can identify individuals – should not be managed by American companies.
A Guide to the Personal Health Information Protection Act – Ontario Information and Privacy Commissioner
American Cloud Services for Canadian Healthcare Organizations