HIPAA and PIPEDA represent two initiatives wherein lawmakers require organizations to exercise greater stewardship of consumer medical information. In fact, inexperienced IT managers occasionally confuse the contents of these two pieces of North American legislation.
Canada’s national consumer privacy laws – codified in PIPEDA – encompass more than individual medical records. But PIPEDA healthcare data restrictions mimic those compliance standards laid out in the United States’ HIPAA legislation.
For those organizations doing business in both the United States and Canada, understanding the differences between HIPAA and PIPEDA is crucial to cybersecurity compliance and risk management. And that’s why we’ve created this guide – to break down each set of healthcare-related consumer privacy laws, distinguish between the two, and recommend the next steps for making your organization HIPAA and PIPEDA compliant.
Table of Contents
- Cybersecurity in Healthcare
- What is HIPAA?
- What is PIPEDA?
- 5 Critical Differences Between HIPAA and PIPEDA
- Why Understanding the Differences Between HIPAA and PIPEDA is Important
- In Conclusion
Cybersecurity in Healthcare
Cybersecurity is critical in any industry. However, healthcare-related consumer data ranks as among the most sensitive personal information out there. As the healthcare industry modernizes, it has been able to treat patients with greater efficiency – but medical record digitization opens the door to new concerns.
Additionally, health and fitness apps entice consumers to volunteer their medical information. Organizations have a responsibility – ethically and legally – to protect that health-related information from falling into the wrong hands.
Two recent global measures specifically address consumer medical data – HIPAA and PIPEDA. Whether gathering, using, and selling consumer health information, organizations in the United States and Canada must ensure that their operations are compliant with their respective governing bodies.
As a disclaimer, many different compliance standards dictate how consumer medical information may or may not be used in North America. For example, individual states (U.S.A.) and provinces (Canada) may establish their own laws on consumer data privacy. Also, specific industries may have additional restrictions or requirements for organizations that collect, use, or distribute consumer medical data.
But understanding the differences and similarities between HIPAA and PIPEDA, will help your organization reduce cybersecurity risks. Adhering to these two legal codes can make it easier for your organization to comply with other applicable consumer-privacy laws.
What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act, also referred to as the “Privacy Rule.” Passed in 1996, the act standardized medical information management for purposes related to insurance and healthcare billing.
“A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being.” – U.S. Department of Health and Human Services
Before HIPAA legislation, it was difficult for employees to transition their health insurance after losing or switching their job. There were also rampant examples of employers, insurance companies, and patients misleading the healthcare industry about consumer medical information.
Thanks to HIPAA, patients can depend upon the protection and immutability of their medical information, even if they switch employers, healthcare, or insurance providers. Certain organizations operating within the United States must remain compliant to HIPAA standards or risk lawsuits and federal prosecution.
What Consumer Data is Protected Under HIPAA?
Protected health information (or PHI) is any information related to a patient or employee’s medical records regardless of the form it takes. In other words, completely digitized organizations must adhere to HIPAA regulations just as they did when managing paper files.
PHI includes an individual’s medical records, treatments, payments, and health conditions (past, present, and future). Consumer PHI, according to HIPAA, is highly sensitive information. As such, companies privileged with PHI must meet rigorous confidentiality and cybersecurity standards.
The act further prevents certain organizations from gathering more health-related information from patients and employees than is necessary. That said, there is an increasing number of MedTech products – health and wellness apps, for example – where consumers volunteer some medical information. Many of these companies do not fall under HIPAA jurisdiction.
To Whom Does HIPAA Apply?
As mentioned above, HIPAA only applies to certain organizations. Among those organizations that must adhere to HIPAA policies and procedures are:
- Health insurance companies
- Health maintenance organizations (HMOs)
- Healthcare clearinghouses
- Healthcare providers
- Any business associates or affiliates providing outsourced services to any of the above groups
If a consumer volunteers health-related information to an organization that does not meet one of the categories above, it is not accountable to HIPAA. That said, the Federal Trade Commission (FTC) does protect some consumer data. Additionally, many states maintain their own consumer privacy laws, such as California’s CCPA.
What Does it Mean to be HIPAA Compliant?
To be HIPAA compliant means that your organization understands the difference between authorized and non-authorized use of PHI. For example, you may share some PHI information without a patient’s permission to other HIPAA-compliant healthcare organizations. Other PHI uses must accompany the written consent of the consumer. For a full breakdown of what is authorized or non-authorized PHI use, you can consult HHS.gov here.
HIPAA compliance also means that you have reasonable security measures in place to protect PHI from becoming lost or stolen. Ensuring adequate cybersecurity processes and procedures may require you to enlist the help of virtual CISOs and rigorous penetration testing.
Lastly, organizations accountable to HIPAA must develop a process for “disclosures and requests for disclosures.” According to the U.S. Department of Health and Human Services,
“Covered entities must establish and implement policies and procedures (which may be standard protocols) for routine, recurring disclosures, or requests for disclosures, that limits the protected health information disclosed to that which is the minimum amount reasonably necessary to achieve the purpose of the disclosure.”
What Happens If You’re Not HIPAA Compliant?
While HIPAA financial penalties can go as high as $1.5 million, most infractions are less severe and receive punishments that match the appropriate level of negligence. If an organization is guilty of violating HIPAA compliance standards, the government may fine that organization anywhere from $100 to $50,000 per infraction.
For organizations demonstrating gross negligence or intentionally violating HIPAA laws, decision-makers face maximum fines ($1.5 million annually), criminal charges, and/or lawsuits from victims.
What is PIPEDA?
PIPEDA stands for the Personal Information Protection and Electronic Documents Act. According to Canadian national laws, PIPEDA establishes consumer data privacy laws for all provinces that do not already have sustainable privacy laws of their own.
More commonly compared to the CCPA or GDPR, PIPEDA is an exhaustive set of consumer privacy standards that protect consumers from having their personal information collected, used, or distributed without their knowledge or consent.
What Consumer Data is Protected Under PIPEDA?
Technically, all Canadian consumer personal data falls under the jurisdiction of the PIPEDA. This data includes name, credit information, purchasing information, ethnicity, evaluation information, and more.
PIPEDA also oversees consumer privacy for all medical and healthcare billing information. The most critical part of the PIPEDA pertains to consumer consent. Organizations that manage an individual’s health or healthcare-related information may only do so with that individual’s consent after that organization has detailed its purposes.
Because of the broader scope of PIPEDA – compared to HIPAA – consumer data protection extends beyond employers, health insurance, and healthcare providers. Even MedTech companies, marketing agencies, and retailers must remain PIPEDA compliant if their operations include using consumer information. Either way, PIPEDA health information standards are explicit and far-reaching.
To Whom Does PIPEDA Apply?
PIPEDA applies to any for-profit or nonprofit entities operating within Canadian borders. However, some Canadian provinces have their own stricter privacy laws; in which case, the province exercises authority over consumer privacy compliance standards.
What Does it Mean to be PIPEDA Compliant?
Organizations seeking PIPEDA compliance must meet the law’s “ten fair information principles.” These ten principles are as follows:
- Accountability – Someone must be in charge of maintaining PIPEDA compliance standards.
- Purpose – Organizations state their purpose explicitly for using consumer data before securing that consumer’s consent.
- Consent – Any entity collecting, using, or distributing consumer information must have that consumer’s consent.
- Limitations – Organizations using consumer information may only do so per their previously disclosed purpose and that consumer’s consent.
- Duration – Organizations using consumer information may only do so within the time allotted per their previously disclosed purpose and that consumer’s consent.
- Accuracy – Any consumer information under review must be accurate.
- Protection – Organizations using consumer information are responsible for the safety and security of that data.
- Transparency – Organizations must disclose what information they have and how they’ve used a consumer’s information upon that consumer’s request.
- Access – A consumer may access their consumer information.
- Challenge – If a consumer suspects that an organization has not properly met PIPEDA regulations, they may challenge that organization and request a formal investigation.
Because the recent consumer privacy amendment to PIPEDA is more recent (2018), the PIPEDA provides more specific, modern-day guidelines than does HIPAA. Once again, PIPEDA applies to more than just the healthcare industry.
What Happens If You’re Not PIPEDA Compliant?
In the event of a consumer challenge, the Office of the Privacy Commissioner (OPC) of Canada may choose to launch a formal investigation. If the OPC finds an entity in violation of PIPEDA compliance standards – to include PIPEDA healthcare data guidelines – the OPC may fine that organization up to $100,000.
The OPC also has the authority to demand ongoing audits and remedial measures to ensure that entity’s PIPEDA compliance in the future. However, a business that loses its reputation may not survive long enough to meet OPC demands.
5 Critical Differences Between HIPAA and PIPEDA
HIPAA applies to patient data in the United States; PIPEDA applies to consumer data in Canada.
The greatest difference between HIPAA and PIPEDA is that one (HIPAA) applies to business operations in the United States, while the other (PIPEDA) applies to business operations in Canada.
HIPAA is restricted to consumer data that is healthcare-related; PIPEDA applies to all consumer data.
The HIPAA compliance standards only apply to certain organizations tasked with managing essential healthcare-related information, such as consumer health conditions, billing, and treatment. In contrast, PIPEDA oversees consumer privacy law in general, including consumer medical information.
HIPAA health information restrictions apply to a select group of organizations; PIPEDA health information restrictions apply to any organization.
Not every American entity that manages consumer health-related information falls under HIPAA law. For example, a consumer could volunteer medical information on a health and wellness app. That consumer data would fall under FTC or state privacy laws. PIPEDA, on the other hand, overseas consumer data for every organization – public or private – operating in Canada.
PIPEDA contains explicit, consumer-consent requirements; HIPAA does not.
Under PIPEDA law, organizations must explicitly state their purpose for using consumer data and get that consumer’s consent. In contrast, HIPAA allows some organizations under certain circumstances to collect, use, or distribute a patient’s medical data without that patient’s knowledge or consent.
Penalties for violating HIPAA are greater than for violating PIPEDA.
Though HIPAA restrictions may appear laxer on the surface, the United States tends to punish organizations more severely if they violate HIPAA laws. HIPAA fines operate on a per violation basis and can total as much as $1.5 million, plus criminal charges. PIPEDA penalties cap at $100,000 in addition to ongoing audits and third-party assessments.
Why Understanding the Differences Between HIPAA and PIPEDA is Important
Thanks to technology and trade agreements, there’s a chance that your American-based company may do business in Canada, and vice versa. When this occurs, you must be certain about how each country’s privacy laws apply to your business operations.
Thankfully, achieving one set of rigorous compliance standards can make it easier to meet another set of compliance standards. As your business scales its operations into new regions and countries, you must pay attention to what geo-specific consumer privacy laws apply.
The differences between HIPAA and PIPEDA laws reflect diverse goals within two countries. By ensuring that your business is both HIPAA and PIPEDA compliant, you and your clients can rest assured that any consumer health-related data in your care is safe.
At RSI Security, our virtual CISOs and cybersecurity teams can provide the guidance you need to operate legally in various parts of the globe. Contact an agent today to discuss whether your business meets the necessary compliance standards for your region and industry.
Download Our Complete Guide to Navigating Healthcare Compliance Whitepaper
Not sure if your HIPAA or healthcare compliance efforts are up to snuff? Unsure about where to even start? Download RSI Security’s comprehensive guide to navigating the HIPAA and healthcare compliance labyrinth. Upon filling out this brief form you will receive the whitepaper via email.