Which healthcare privacy laws apply to my practice?
March 21, 2022
In a digital age, more and more healthcare services are moving online. From electronic patient logs to virtual counselling to an increasing array of medical devices and equipment, technology has become more critical than ever when it comes to providing care.
With an ever-expanding database of medical information at stake, it’s a good idea for Healthcare Professionals to refresh their responsibilities when it comes to data security. What’s a privacy breach? What does it mean to safeguard personal health information? And what are the consequences if you fail? To help you out, we’ve put together a guide on what you should know about Canada’s major health information privacy laws.
Disclaimer: Please note that the information presented herein is general in nature and provided for educational purposes only. It is not exhaustive nor is it a substitute for legal or insurance advice. For specialized guidance, please consult a lawyer.
What’s a privacy breach?
A “breach of security safeguards” is the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or from a failure to establish those safeguards.
RELATED: Privacy Breaches: Over 28 Million Canadians Affected in the Last 12 Months!
What’s “personal health information”?
While the exact definition of personal health information, or PHI, varies between legislations, it generally refers to any information, whether verbal or recorded, that may identify an individual. That includes any information concerning:
- An individual’s health number;
- An individual’s physical or mental condition (including family medical history);
- Any health services provided to an individual;
- The individual’s healthcare provider or substitute decision-maker;
- Payments or eligibility for healthcare or coverage of healthcare;
- The donation or testing of an individual’s body part or bodily substance;
- Information derived from the testing or examination of an individual’s body part or bodily substance; and
- Information that is collected, incidentally or not, in the course of providing health services to the individual.
How is personal health information protected in Canada?
In Canada, consumer data is governed by a federal law known as the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA outlines the collection, use, and disclosure of all personally identifiable information (PII) gathered in commercial activities and includes key rules for breach notification, record-keeping, and risk assessment. Compliance with PIPEDA is overseen by a federal regulator known as the Office of the Privacy Commissioner of Canada (OPC).
However, three provinces have enacted their own comprehensive private-sector privacy legislation, which has been declared “substantially similar” to PIPEDA and applies in place of the federal law for provincially regulated private sector organizations. Those provinces include:
- Alberta: Personal Information Protection Act (PIPA), overseen by the Office of the Information and Privacy Commissioner of Alberta
- British Columbia: Personal Information Protection Act (PIPA), overseen by the Office of the Information and Privacy Commissioner for British Columbia
In addition to PIPEDA (or the applicable provincial legislation), all regulated Healthcare Professionals and health organizations in Canada must comply with various health information privacy laws at the provincial level, such as:
There is no corresponding legislation for health records in Nunavut.
For a full list of provincial and territorial laws and who is responsible for their oversight, click here.
RELATED: All About PIPEDA: How do privacy laws affect my business?
Which law applies to my practice?
That depends where you practice. Health-specific legislation in New Brunswick (PHIPAA), Newfoundland and Labrador (PHIA), Nova Scotia (PHIA), and Ontario (PHIPA) has also been declared “substantially similar” to federal law and supersedes PIPEDA for matters involving PHI in those provinces.
However, any organizations that operate interprovincially and internationally are still subject to PIPEDA and/or its provincial counterpart if they engage in commercial activities involving:
- The collection, use, or disclosure of personal information that is not health-related (e.g. collecting banking information to process a sale that is unrelated to your duties as a Healthcare Professional); and
- The cross-border transfer of personal information (e.g. sending a mailing list or other patient data from one province to another).
In all other provinces, any individual or organization that provides healthcare or other medical services for “health-related purposes” or otherwise collects PHI must follow both PIPEDA and the appropriate provincial healthcare privacy law.
Additionally, there are numerous instances in which more than one privacy law could apply to health records collected by an organization, though this must be determined on a case-by-case basis. For more information regarding the application of PIPEDA and provincial privacy legislations, consult the OPC.
RELATED: The Consequences of a Breach: Can Your Business Survive a Cyberattack?
What are my obligations as a Health Professional?
The specific data stewardship obligations vary from one statute to another. But in general, all Healthcare Professionals and organizations are required to:
- Obtain informed consent from all individuals before collecting, using, or disclosing any PHI;
- Maintain the privacy of patient information;
- Implement reasonable security precautions to protect patient information from theft, loss, and unauthorized use or disclosure;
- Report to the appropriate Privacy Commissioner any time a privacy breach poses a real risk of significant harm to individuals;
- Notify affected individuals about those breaches; and
- Keep accurate and up-to-date records of ALL breaches, even if there is no risk of significant harm.
Negligence or noncompliance with federal and provincial privacy legislation can lead to regulatory investigations, criminal prosecutions, and penalties of up to $10,000 ($100,000 for organizations). Recent updates to privacy laws have raised fines to as much as $1,000,000 per violation ($2,000,000 for organizations).
RELATED: Privacy Law Update: Are you ready for privacy law reforms?
What does this mean for virtual care?
Telemedicine must meet all data stewardship requirements under the applicable provincial legislation. Healthcare Professionals must ensure that every program, platform, and piece of equipment used for virtual care is secure enough to protect the privacy of PHI, while remaining easily accessible and navigable for patients.
RELATED: How Can Healthcare Professionals Manage the Risks of Virtual Care?
How can I protect PHI?
We know it’s not easy to keep up with so many regulations. And while larger organizations may have pockets deep enough to outsource their cybersecurity needs, smaller facilities or independent practices don’t usually have the resources to do the same.
How can you protect yourself from cyber exposure? How do you know what protocols are right for your business? And how can you ensure compliance with so many different data security laws? Without proper protections, the consequences could be dire. And with little or no insurance coverage, your practice may not even recover.
To learn more about your risks, read: Healthcare Professionals are most vulnerable to a data breach. Why? For more information on cybersecurity measures, check out our helpful resources:
- How to Keep Employees Cyber-Safe While Working From Home
- Prepare Now or Pay Later: How Can Businesses Mitigate the Risk of Ransomware?
- Cyber Security & Privacy Breach Toolkit
- Sink or Swim: How Can Businesses Survive the Cybercrime Tsunami?
- Multi-Factor Authentication: Why Passwords Aren’t Enough Anymore
But for more comprehensive guidance, consult a licensed broker like PROLINK. With over 40 years of industry experience, we know privacy laws inside out. We can help your organization meet privacy requirements, adopt a proactive, tailored approach to cyber risk management, and align you with a comprehensive Data Security & Privacy Breach Insurance policy based on your operations and needs.
To learn more about your cyber exposures, connect with PROLINK today!
PROLINK’s blog posts are general in nature. They do not take into account your personal objectives or financial situation and are not a substitute for professional advice. The specific terms of your policy will always apply. We bear no responsibility for the accuracy, legality, or timeliness of any external content.