The Personal Information Protection and Electronic Document Act (PIPEDA) is Canada's federal law on patient privacy. It is comparable to the Health Insurance Portability and Accountability Act (HIPAA) in the United States, however, there are a few key differences to be aware of.
What is the biggest difference?
In the United States, HIPAA is a federal law that governs the privacy and security of personal health information for certain sectors in the health industry. These sectors mainly include health insurers, healthcare providers and health exchange organizations.
In Canada, PIPEDA applies to all personal data, whether in the healthcare industry or elsewhere, regardless of the entity. As Servercloud Canada explains it, once an organization collects data, regardless of the province, industry or type, that organization becomes fully responsible for the protection of the collected data. It is important to note that each Canadian province has the discretion to have its own rules and regulations as long as the core values of PIPEDA remain intact.
Where does the data go?
Much like HIPAA, data collected and protected by PIPEDA can be stored abroad. In the Canadian provinces of British Columbia and Nova Scotia, governmental restrictions make it mandatory for data to be stored in Canada only.
What health data is covered?
HIPAA protects any personally identifiable information that is created or received by:
- Healthcare provider
- Health plan authority
- Life insurer
- School or University
The data collected and protected covers past, present, and future health conditions, treatments or payments.
In Canada, any data, including users, statistics, and volume, must be available to the covered entities. This data is important in accountability procedures of privacy violations. PIPEDA also protects sensitive personally identifiable information such as age, name, ID numbers, income, ethnic origin, blood type, medical records, opinions, evaluations, comments, social statements, payment information and more.