What are the rules in Canada when it comes to patient privacy? Canada’s federal law, the Personal Information Protection and Electronic Documents Act (PIPEDA), is comparable in many ways to the Health Insurance Portability and Accountability Act (HIPAA) in the United States. However, there are several differences to keep in mind.
PIPEDA’s 10 fair information principles form the ground rules for the collection, use and disclosure of personal information, as well as for providing access to personal information. They give individuals control over how their personal information is handled in the private sector.
In addition to these principles, PIPEDA states that any collection, use or disclosure of personal information must only be for purposes that a reasonable person would consider appropriate in the circumstances.
The OPC has determined that the following purposes would generally be considered inappropriate by a reasonable person (i.e., no-go zones):
collecting, using or disclosing personal information in ways that are otherwise unlawful;
profiling or categorizing individuals in a way that leads to unfair, unethical or discriminatory treatment contrary to human rights law;
collecting, using or disclosing personal information for purposes that may cause significant harm to someone;
publishing personal information with the intent of charging people for its removal;
requiring passwords to social media accounts for the purpose of employee screening; and
conducting surveillance on an individual using their own device’s audio or video functions.
This section sets out organizations’ responsibilities for each of the 10 fair information principles. It outlines how to fulfill these responsibilities and offers some tips.
An organization is responsible for personal information under its control. It must appoint someone to be accountable for its compliance with these fair information principles.
The purposes for which the personal information is being collected must be identified by the organization before or at the time of collection.
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
The collection of personal information must be limited to that which is needed for the purposes identified by the organization. Information must be collected by fair and lawful means.
Unless the individual consents otherwise or it is required by law, personal information can only be used or disclosed for the purposes for which it was collected. Personal information must only be kept as long as required to serve those purposes.
Personal information must be as accurate, complete, and up-to-date as possible in order to properly satisfy the purposes for which it is to be used.
Personal information must be protected by appropriate security relative to the sensitivity of the information.
An organization must make detailed information about its policies and practices relating to the management of personal information publicly and readily available.
Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
An individual shall be able to challenge an organization’s compliance with the above principles. Their challenge should be addressed to the person accountable for the organization’s compliance with PIPEDA, usually their Chief Privacy Officer.
1. How is PIPEDA different from HIPAA?
HIPAA is a US federal law that governs the privacy and security of personal health information (PHI) for only certain entities in the health industry – mainly healthcare providers, health insurers, and health exchange organizations. On top of that, health information is also governed by any additional state laws.
In Canada, PIPEDA applies to all personal data, health or otherwise regardless of the entity. Its purpose and scope are more similar to Europe’s General Data Protection Regulation (GDPR) law than the US HIPAA law. As this other helpful post explains: “once an organization collects data, regardless of the province, industry, or the type, that…organization is now fully accountable and responsible for the protection of said data.”
However, it is wise to note that the specifics of PIPEDA may not apply to every province. Each individual province has the right to have its own rules and regulations as long as they are “substantially similar” to PIPEDA. You can check out our list below which provinces choose to use PIPEDA and which have their own governances.
It’s useful to note that Ontario actually has it’s own equivalent of the US HIPAA law which applies specifically to PHI, called the Personal Health Information Protection Act, 2004 (PHIPA), which we’ll talk about more when discussing whether PHI has to stay in Canada. Hint: the short answer is “no.”
2. Do I need to sign a BAA with my service providers?
This depends on the services they provide. Remember HIPAA only applies to certain health industry entities in the US. So the purpose of the BAA in HIPAA is to ensure that there is an unbroken chain of responsibility for any PHI that may be “touched” by a vendor and/or service provider. Most large healthcare systems have a standard agreement that they require their vendors who work with PHI to sign. Also, vendors themselves often have a standard HIPAA BAA they use for their customers’ convenience.
In Canada, these agreements are not standardized and their requirements may vary from province to province. Several provinces, including Ontario, have various classifications for service providers (e.g., information network providers, electronic service providers, agents, etc.). Whether a provider needs to sign a privacy protection agreement with a vendor depends on that particular provider’s classification.
3. Does Canadian PHI Really Need to Stay in Canada?
All Canadian provinces, with exception of British Columbia and Nova Scotia, allow health data to reside in the United States. So for providers who don’t practice in either British Columbia or Nova Scotia the locations of their servers is less of an issue. British Columbia* and Nova Scotia do not allow their residents’ health data to be stored in the USA, even when the data is encrypted, except in very limited cases
4. What about health data on mobile apps?
In the US, HIPAA applies to only certain “covered entities” that handle PHI, mainly healthcare providers, health insurers, and health exchange organizations. Data uploaded by citizens to private devices for personal use is a grey area. For example, if you use a FitBit and upload that data to the FitBit mobile health app, that data isn’t protected by HIPAA. Data protection in that case is very likely to be governed by the terms of agreement with FitBit.
5. What type of health data is protected?
HIPAA covers any personally identifiable information that is created or received by a “health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse” and relates to past, present, and future health conditions, treatments, or payments. Demographics would be a subset of identifiable health information.
In Canada, any data, including users, statistics, and volume, must be available to the covered entities in Canada. This data is important in accountability procedures in cases of privacy violations. In addition, sensitive or Personally Identifiable Information (PII) such as age, name, ID numbers, income, ethnic origin, or blood type, medical records, opinions, evaluations, comments, social status, payment information, etc.
6. Province-by-province highlights
Alberta has its Personal Information Protection Act, which is not significantly different than PIPEDA. Alberta is unique in that, instead of individual covered entities, the province’s entire health system is considered the Health Information Custodian.
British Columbia’s provincial law is called the Personal Information Protection Act. BC is one of only two provinces that do not allow PHI to be saved in the USA, even when encrypted.
Manitoba does not have its own provincial law, so only PIPEDA applies here.
New Brunswick’s law is the Personal Health Information Privacy and Access Act.
Newfoundland and Labrador are covered under the Personal Health Information Act.
Nova Scotia’s provincial law is the Personal Information International Disclosure Act . Like British Columbia, Nova Scotia forbids storing patient data in the USA, even if encrypted.
Ontario’s law is called the Personal Health Information Protection Act (PHIPA). It provides for several different classifications of service providers, so it’s important to know into which category a particular vendor might fit.
While it does allows for health data to be moved outside of the province when using a third-party vendor; however, it requires a patient’s express consent to release health information outside of Ontario.
The issue with this, Canadian privacy and regulatory law counsel David Young Law points out is “Organizations entering into outsourcing arrangements that may involve cross-border data transfer need to consider what notice should be given to the affected individuals, where no prior notice exists.”
The Ontario Information and Privacy Commissioner has provided guidance on considerations when choosing to use cloud computing services (including Software As A Service, like VSee). The “Know Your Legal and Policy Obligations” section notes:
There is no legal prohibition in Ontario against outsourcing computing services to a third party cloud service provider. This applies regardless of whether the third party stores personal information in a foreign jurisdiction. However, FIPPA* and MFIPPA* and their regulations do impose legal requirements that must be met regardless of where the data resides or is processed.The critical question is whether your institution has taken reasonable steps to protect the privacy and security of the records in its custody and control.
*Freedom of Information and Protection of Privacy Act (FIPPA) and its municipal counterpart the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)
Here are other useful education material and guidances the Commissioner provides:
Prince Edward Island does not have its own provincial law, so only PIPEDA applies here.
Quebec has passed An Act Respecting the Protection of Personal Information in the Private Sector, in addition to a couple of other laws that make Quebec unique and significantly different from other provinces.
Saskatchewan does not have its own provincial law, so only PIPEDA applies here.
The Northwest Territories, Nunavut, andYukon are territories, not provinces, so only PHIPA applies in these areas.
* British Columbia has several laws that govern privacy. The one that requires personal data to be stored in Canada is the Freedom of Information and Protection of Privacy Act (which applies to public bodies). Under section 30.1(a) there appears to be allowance for storing personal information outside of Canada as long as the individual has consented.
30.1 A public body must ensure that personal information in its custody or under its control is stored only in Canada and accessed only in Canada, unless one of the following applies: (a) if the individual the information is about has identified the information and has consented, in the prescribed manner, to it being stored in or accessed from, as applicable, another jurisdiction; (b) if it is stored in or accessed from another jurisdiction for the purpose of disclosure allowed under this Act; (c) if it was disclosed under section 33.1 (1) (i.1).
Here is some guidance that clarifies British Columbia’s cloud computing rules.