Healthcare Industry IT, Data Security and PIPEDA in Saskatchewan
Our Saskatoon IT Tips are from the Trusted professionals at Burnt Orange Solutions. We promise to have a one-hour response time for all your Saskatoon IT support needs. Honesty and respect are important to us. In our latest IT Expert tip Article, we discuss the rules in Canada when it comes to patient privacy and PIPEDA.
PIPEDA
Burnt Orange Solutions has extensive experience with healthcare IT and security. When it comes to the healthcare & medical field, information technology remains focused on two goals: allowing your staff to be productive without disruption and ensuring your patients’ confidential information is always secure. With the right technology, you can improve the efficiency of your workforce and gain the peace of mind that comes with knowing that your patients are always protected.
Canada’s federal law, the Personal Information Protection and Electronic Documents Act (PIPEDA), is comparable in many ways to the Health Insurance Portability and Accountability Act (HIPAA) in the United States. However, there are several differences to keep in mind.
We’ve summarized the key takeaways from this excellent post by Canadian data expert Waël Hassan.
1. How is PIPEDA different from HIPAA?
HIPAA is a US federal law that governs the privacy and security of personal health information (PHI) for only certain entities in the health industry – mainly healthcare providers, health insurers, and health exchange organizations. On top of that, health information is also governed by any additional state laws.
In Canada, PIPEDA applies to all personal data, health or otherwise regardless of the entity. As this other great post states: “once an organization collects data, regardless of the province, industry, or the type, that…organization is now fully accountable and responsible for the protection of said data.” However, it is wise to note that the specifics of PIPEDA may not apply to every province. Each individual province has the right to have its own rules and regulations as long as they are “substantially similar” to PIPEDA. You can check out our list below which provinces choose to use PIPEDA and which have their own governances.
2. Do I need to sign a BAA with my service providers?
This depends on the services they provide. Remember HIPAA only applies to certain health industry entities in the US. So the purpose of the BAA in HIPAA is to ensure that there is an unbroken chain of responsibility for any PHI that may be “touched” by a vendor and/or service provider. Most large healthcare systems have a standard agreement that they require their vendors who work with PHI to sign. Also, vendors themselves often have a standard HIPAA BAA they use for their customers’ convenience.
In Canada, these agreements are not standardized and their requirements may vary from province to province. Several provinces, including Ontario, have various classifications for service providers (e.g., information network providers, electronic service providers, agents, etc.). Whether a provider needs to sign a privacy protection agreement with a vendor depends on that particular provider’s classification.
3. Does Canadian PHI Really Need to Stay in Canada?
All Canadian provinces, with the exception of British Columbia and Nova Scotia, allow health data to reside in the United States. So providers who don’t practice in either British Columbia or Nova Scotia don’t need to worry about the locations of their servers. British Columbia* and Nova Scotia do not allow their residents’ health data to be stored in the USA, even when the data is encrypted.
4. What about health data on mobile apps?
In the US, HIPAA applies to only certain “covered entities” that handle PHI, mainly healthcare providers, health insurers, and health exchange organizations. Data uploaded by citizens to private devices for personal use is a grey area. For example, if you use a FitBit and upload that data to the FitBit mobile health app, that data isn’t protected by HIPAA. Data protection, in that case, is very likely to be governed by the terms of the agreement with FitBit.
5. What type of health data is protected?
HIPAA covers any personally identifiable information that is created or received by a “health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse” and relates to the past, present, and future health conditions, treatments, or payments. Demographics would be a subset of identifiable health information.
In Canada, any data, including users, statistics, and volume, must be available to the covered entities in Canada. This data is important in accountability procedures in cases of privacy violations. In addition, sensitive or Personally Identifiable Information (PII) such as age, name, ID numbers, income, ethnic origin, or blood type, medical records, opinions, evaluations, comments, social status, payment information, etc.
6. Province-by-province highlights
Alberta has its Personal Information Protection Act, which is not significantly different than PIPEDA. Alberta is unique in that, instead of individual covered entities, the province’s entire health system is considered the Health Information Custodian.
British Columbia’s provincial law is called the Personal Information Protection Act. BC is one of only two provinces that do not allow PHI to be saved in the USA, even when encrypted.
Manitoba does not have its own provincial law, so only PIPEDA applies here.
New Brunswick’s law is the Personal Health Information Privacy and Access Act.
Newfoundland and Labrador are covered under the Personal Health Information Act.
Nova Scotia’s provincial law is the Personal Information International Disclosure Act. Like British Columbia, Nova Scotia forbids storing patient data in the USA, even if encrypted.
Ontario’s law is called the Personal Health Information Protection Act. It provides for several different classifications of service providers, so it’s important to know into which category a particular vendor might fit.
Prince Edward Island does not have its own provincial law, so only PHIPA applies here.
Quebec has passed An Act Respecting the Protection of Personal Information in the Private Sector, in addition to a couple of other laws that make Quebec unique and significantly different from other provinces.
Last by not least:
Saskatchewan does not have its own provincial law, so only PHIPA applies here.
Additional reading here in a related Burnt Orange IT Tip: Healthcare Provider Data Security
We hope this article gave you some insight. If you want to ensure your business’s IT security, contact the Trusted Saskatoon IT professionals at Burnt Orange Solutions and we can take IT worries off your plate.
Burnt Orange IT Solutions Products & Services:
- Managed Networks
- Backup and Recovery
- Data and Network Security
- Hosted Services
- Telephone Systems
- Secure WiFi Networks
“IT Support You Can Trust and Understand”