In this article:
Legalities and Data Protection
● HIPAA (US) HIPAA is a US federal law that governs the privacy and security of Personal Health Information (PHI) in the US.
● GDPR (EU) The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU). Any entity entering into a business relationship with a EU entity is subject to GDPR.
● PIPEDA (Canada) 1
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private-sector organizations in Canada. All businesses that operate in Canada and handle personal information that crosses provincial or national borders are subject to PIPEDA, regardless of the province or territory in which they are based (including provinces with substantially similar legislation).
● Provincial Legislations 2
○ PIPA (BC), PIPA (AB), Privacy Act (QC) Private-sector privacy laws that have been declared substantially similar to PIPEDA. This means that these laws apply instead of PIPEDA in most cases.
○ PHIPA (Ont), PHIPAA (NB), PIHA (NL), PHIA (NS) Health-related privacy laws that have been declared substantially similar to PIPEDA with respect to health information.
○ HIPA (SK) Health-related privacy law, not declared substantially similar to PIPEDA. PIPEDA still applies to most cases in Saskatchewan
Compliance, Privacy and Security are often used interchangeably but refer to different things:
● Compliance refers to an organization's adherence to laws, regulations, guidelines and specifications relevant to its business processes.
● Privacy in this context refers to how personal information is obtained, used, and protected.
● Security refers to protections of the platform, network, applications, operating system, physical infrastructure and data.
Encryption is the mathematical process by which a message or a piece of information is encoded, rendering it accessible and comprehensible only to the authorized people.
In the context of compliance, encryption of data at-rest (while not in use) and in-transit (while being transmitted) mitigates the effects of data security breaches, meaning that even if a piece of information was leaked, its content would be unintelligible to anyone unauthorized.
● There are no compliance certification programs by regulatory bodies for PIPEDA in Canada and there are no compliance certification programs by regulatory bodies for HIPAA in the US.
● Some 3rd parties offer HIPAA (US) certifications, but these are not endorsed by any US governing body. Moreover, such certifications do not preclude a regulatory body from subsequently finding a security violation.
● To know if a service is compliant it is important to consider:
i. Where the service is located and what legislation applies to them and you
iii. What are the security standards of the service
iv. What are the Terms of Service for the service
A Business Associate Agreement (BAA) is a written arrangement between companies that specifies each party’s responsibilities when it comes to handling Personal Health Information (PHI).
Canadian healthcare organizations can obtain some legal protection by signing a Business Associate Agreement (BAA) with a U.S.-based information service provider. Typically BAAs are not signed between Canadian-based healthcare companies. It is important to note some service providers will not enter into a BAA (ex. Apple).
Additional guidance for security when working from home:
Disclaimer: This information is provided for educational purposes only. The general information provided should not be interpreted, or used as a substitute, for professional, legal consultation. Practitioners are responsible for ensuring all legal compliance requirements for their practice.