Protecting Personal Information: PIPEDA vs PHIPA vs HIPAA
Originally Posted On: https://iplum.com/blog/protecting-personal-information-pipeda-vs-phipa-vs-hipaa/
Every day, billions of pieces of personal information change hands in the United States and Canada. With this much data in constant flow, how can patients be sure that their data is used responsibly?
In response to this problem, the US and Canadian governments have each established their own solutions.
In the United States, HIPAA, or the Health Insurance Portability and Accountability Act, was enacted in 1996. HIPAA regulation was pivotal in securing patient rights and preventing unwanted leaks of information.
The Canadian government enacted a similar piece of legislation entitled PIPEDA. It stands for the Personal Information Protection and Electronic Documents Act. While many of the goals are similar, PIPEDA is targeted at a wider array of industries. It doesn’t simply focus on healthcare.
Instead, any business involved in commercial operations and the storage of data needs to take notice. This is an essential consideration for nearly any Canadian company in a phase of growth.
In this article, we will walk through each piece of legislation, and learn about similarities and differences between PIPEDA vs PHIPA vs HIPAA. By the end, you’ll have an understanding of what it takes to be compliant in your business communications under each law.
Securing Individual Data in the Modern Age
For many readers in the American healthcare space, HIPAA is familiar territory.
In Canada, however, separate legislation establishes the standards for protecting patients. The analogous health information acts across the Canadian border are PIPEDA and PHIPA.
These laws protect patients’ general and health data. They aim to prevent access by unauthorized parties and leaks of sensitive data.
However, the two acts differ in a few important areas. Here is a rundown of these two important pieces of legislation.
What Is PIPEDA?
PIPEDA is the Canadian counterpart to American HIPAA legislation, but it doesn’t cover only health information.
Instead, its aims are much broader. They include banking, communications, and other industries that store personal data.
The aim of this legislative act is to hold organizations that store information accountable. It applies to major companies regardless of their location, industry, or business goals.
It maintains that the individual has a right to his or her privacy even when data is being stored by an external company. Individuals must have the right to access their information as collected and stored by the organization. They also can appeal or question the justification or validity of storing their data.
For this reason, it is essential that Canadian organizations be transparent in their data collection and storage practices. They must tell consumers why they are storing data. They must also explicitly state how they intend to use this information.
One important difference about PIPEDA is that individual provinces may have additional or complementary legislation governing data storage practices.
10 Primary Principles
In the United States, HIPAA has a specified outline of goals for data storage.
Similarly, PIPEDA has outlined principles for storage, collection, and destruction practices of personal data. These include:
1. Organizations are responsible for the personal information under their control. They must have a designated individual or team for managing compliance with PIPEDA. This includes information that is shared with external third-party processors.
2. Organizations must tell consumers explicitly when their information is being collected.
3. Consumers must offer their permission to have their information collected and stored.
4. Organizations must collect and store as little personal data as possible.
5. Organizations must maintain complete transparency in data handling. They must utilize data as outlined by their agreement with consumers. After collection, information must be stored only as long as is necessary to achieve the agreed purpose.
6. Consumer information must be complete and accurate for the purposes for which it is being held.
7. Specific security measures and safeguarding practices must be in place. The level of complexity of this protection must match the sensitivity level of the information held.
8. The organization must be able to provide individuals with clear policies and procedures about how personal information is kept and handled.
9. Individuals may request information about the existence, use, or disclosure of the information held. Individuals also maintain the right to correct and verify inaccuracies.
10. If individuals become concerned about the handling of their information, they may contact the organization’s PIPEDA compliance team.
So Which Organizations Does PIPEDA Cover?
PIPEDA governs organizations that collect or store data to provide services at the commercial level in almost every industry.
It uses the term “commercial activity” to describe transactions that are typically implied to be commercial in nature. These include leasing, selling, and trading.
The intention of this law is to protect the privacy of all Canadians. Anytime an organization engages in commercial activity, these laws apply to protect citizens.
As you might imagine, the number of organizations falling under this category is massive. Essentially any business involved in the storage of information must be compliant with PIPEDA.
Entities governed by this law include private businesses as well as nonprofit organizations. It also covers government agencies in healthcare and labor relations.
What Is PHIPA?
PHIPA is an additional piece of Canadian legislation that outlines data privacy laws specifically in the healthcare setting. It is specific to the province of Ontario. It functions as a supplement to PIPEDA with specific guidance regarding the handling of sensitive health information.
PHIPA outlines a series of rules regarding the protection of “personal health information.” Its principles protect individual privacy with respect to identifying information about the following:
- A person’s mental or physical health, including their personal or family medical history
- Ongoing individual health care information
- Treatment plans
- Payments or eligibility for coverage
- Donation of body parts, organs, or bodily substances
- Health number
- Substitute decision making or legal transfers of autonomy
What Is HIPAA?
Similar to PHIPA, HIPAA is the American legislation designed to protect consumer health data. This act is primarily focused on protecting health information.
It only covers organizations such as healthcare networks and related healthcare organizations. These include billing companies, pharmacies, and health plans.
The act designates that businesses that handle personal data must follow specified guidelines. The act creates strict standards for any organization collecting patient health data.
The storage of health information in the United States is also regulated at the state level. Yet any data submitted outside of the US is no longer subject to HIPAA compliance.
The Primary Principles of HIPAA Regulation
The intentions of HIPAA align with those of PIPEDA. They include respecting individual privacy, protecting confidentiality, and limiting disclosure of data unless the patient has given consent. Providers must also provide patients with access to their records upon request.
The law also gives individuals the right to have privacy breaches investigated. There are special protections in place for individuals to file suit against violating organizations.
PIPEDA vs PHIPA vs HIPAA: What Does Each Law Cover?
HIPAA governs individually identifiable patient information transmitted in any form. This includes electronic, oral, or paper documents.
This type of information includes names, dates of service, and contact information such as addresses, phone numbers, and email addresses. It also includes Social Security numbers, biometric identifiers, IP service numbers, and medical record information.
PHIPA requires providers and organizations to maintain safe practices regarding the same types of healthcare-specific information discussed above.
PIPEDA casts a broader vision for the organizations and industries that it covers. It refers to personal information held with the consent of the consumer.
It is similar in that it includes demographic information, contact information, and medical information. It also includes financial information such as banking, credit or loan records, and additional personal history information.
What Are the Similarities Between PIPEDA vs HIPAA?
Both pieces of legislation govern how personal data is collected and stored.
They dictate specific procedures for how organizations must use and handle this information for business purposes. They provide clear boundaries for the protection of data throughout its lifespan with the company. This includes practices for collection as well as destruction strategies.
The intent of both pieces of legislation is to hold organizations accountable for the personal data under their in-house management.
They also give individuals the right to consent before the collection or storage of their information.
What Are the Differences Between The Two Laws?
First and foremost, the two laws are national laws in different countries. Each law only governs organizations located within the US or Canada, respectively. For organizations operating outside of the country, the laws do not apply.
Beyond this distinction, the most obvious difference is that PIPEDA is broader in scope. While HIPAA primarily concerns the protection of patient health records, PIPEDA focuses on personal data used in multiple industries. This does include health information but also much more.
Another difference is that PIPEDA governs information uploaded by individuals to an organization. This is in contrast to information reported by an outside party.
Because HIPAA focuses on healthcare organizations, it has clear guidance for companies in the space. PIPEDA includes broader language about a wider spectrum of industries that use personal data.
What Are the Differences Between PHIPA vs HIPAA?
HIPAA and PHIPA are also analogous pieces of legislation with similar goals in place. However, some key differences exist. For one, PHIPA was enacted specifically for the province of Ontario, while HIPAA applies to the entire U.S. healthcare system.
HIPAA regulates disclosure of protected health information by certain covered entities, while PHIPA outlines whom the law governs as Health Information Custodians (HIC). A HIC is someone who:
- Operates within an organization that provides individual health care
- Has access to sensitive individual health information
HIPAA functions by enacting a privacy rule that must be maintained except under specific circumstances or if a patient has expressed willingness to disclose information in writing. PHIPA functions slightly differently under its Part IV.
Part IV of PHIPA requires that a HIC take “reasonable steps” to ensure the protection of the information from theft or loss under any terms.
The breach notification requirements are also slightly different between the two laws. What is required for reporting varies slightly between HIPAA and PHIPA.
Finally, requirements for the role of information technology service providers working in the healthcare space vary somewhat between the two laws. PHIPA requires that these groups state transparently the specific practices under which data management occurs.
How Does iPlum Help?
iPlum is an organization designed to improve security in communications. We help companies involved in the handling of individual data.
We have special offerings for healthcare companies. Our services improve safety in communicating patient data. We hold our services to the highest standard, which includes respecting these pivotal pieces of legislation.
We offer an array of services aimed at protecting individuals and keeping your company compliant. These include secure phone and fax lines, cloud phone systems, and other communication compliance solutions.
One of our flagship offerings is a HIPAA, PIPEDA, and PHIPA-compliant texting and calling system.
We provide an industry-standard, inexpensive service that is easy to set up.
We offer a second line on your mobile phone with its own calling, voicemail, incoming ringtone, and screen. Many other apps designed for HIPAA, PIPEDA, and PHIPA compliance require using the app at all times. Our service provides you with an actual phone number with full, secured communication capabilities.
We want to give you personal privacy for your business communications as well as to protect your clients’ data. We make sure that HIPAA, PIPEDA, and PHIPA-compliant standards are maintained at all times.
Within our service, you can set up an auto-attendant to provide greetings and other extensions. This can improve any virtual mobile system for healthcare organizations.
Our service is designed for all types of healthcare organizations. These include physician practices, therapists, and healthcare business associates and partners.
The iPlum Virtual Mobile System
Our cloud phone system or auto-attendant serves as your virtual receptionist in the digital space. Mobile interactive voice response can be a game-changer for your organization.
It exists in a cloud storage system that can route callers to various phone numbers automatically. This helps businesses to become proficient in their communications.
At the same time, businesses can be sure that they are respecting patient privacy and staying HIPAA, PIPEDA, and PHIPA-compliant. Unlike having a live operator, our auto-attendant ensures that you will never miss a customer call.
You can also segment your call flows to filter and manage certain types of calls. The opportunities are endless.
There is no hidden cost to use this auto-attendant service. We provide our digital receptionists free with any iPlum toll-free or local phone number subscription.
Keeping Personal Information Secure
Every business in the healthcare space wants to ensure that personal information stays protected. Businesses in the US and Canada have slightly different standards to uphold. As discussed, there are some slightly different regulations outlined in PIPEDA vs PHIPA vs HIPAA.
In Canada, the PIPEDA legislation is the standard. The primary difference in PIPEDA vs HIPAA is that it is broader in scope. It aims to protect individuals giving their information to many different industries.
Any industry with commercial operations may be required to comply. This includes companies that are trading or completing transactions of any kind. There are ten primary focus areas toward which the business must aim for adherence.
PHIPA is an Ontario-specific piece of legislation outlining healthcare-specific data handling laws. In its terms, it is more analogous to HIPAA, although certain key distinctions exist between PHIPA vs HIPAA, as outlined above.
In the United States, HIPAA is the primary compliance law. The law ensures healthcare organizations keep responsible practices for data management. Patient information security is always at stake when data changes hands.
HIPAA regulation laws mirror PIPEDA/PHIPA’s goals in protecting individuals and providing them rights to access. They may also question the storage practices of companies holding their data.
At iPlum, we want to help your organization meet these standards. If you are interested in establishing secure communications for your business, please contact us today.