In the province of Ontario, healthcare privacy specifically is guided by the Personal health Information Protection Act or PHIPA. Most American organizations are used to the HIPAA standard, which ultimately is a little different than PHIPA. HIPAA is also recognized by a lot of Canadian companies as well. Especially if they handle any American healthcare data. In this article we are going to go through some of the key differences and similarities between the two healthcare privacy standards.
What are some of the key differentiators between PHIPA and HIPAA?
Some of the main differences between the two compliances are in semantics. PHIPA may call something different than HIPAA, but could have the same or similar meaning. Then – and most are surprised about this – PHIPA has more stringent requirements for reporting a breach. Often times PHIPA takes a backseat to HIPAA even in Canada due to how many companies are still affected by the American compliance standard.
Under HIPAA, companies that have been breached have to report to the Secretary of Health and Human Services. However, when and how they disclose their breach is based on whether or the breach is considered “non-meaningful”. Something considered to be “non-meaningful” has affected less than 500 individual records. In that case, the organization affected must disclose their breach information to the Secretary no later than 60 days after the end of the calendar year.
If a breach of unsecured protected health information occurs and more than 500 people are affected then the organization must disclose the information to the Secretary, the individuals affected by the breach, and any news outlets in the states or areas affected.
As mentioned, under PHIPA the breach disclosure rules are quite a bit more strict. A notification should be sent to the Information and Privacy Commissioner in Canada if any of the following have occurred:
- If the health information custodian believes someone within the organization has provided health information to someone without the authority to do so.
- If personal health information has had unauthorized use and continued to be used after a disclosure.
- If the health information custodian believes the breach of information is part of a pattern of similar unauthorized use of data.
- The health information custodian must disclose information to the professional’s governing body or college. As it relates to the unauthorized use of personal health information.
As you can see, there is some clear differences between the two compliances and it largely has to do with HIPAA’s distinction between “non-meaningful” and “meaningful” breaches of information.
How are PHIPA and HIPAA similar?
At the end of the day, both of these compliances are trying to solve a major issue in the healthcare space. Both compliances aim to protect personal health information from being used for malicious reasons. As mentioned above, there are some simple verbiage differences – but for the most part the two are more similar than different.
PHIPA regulates the disclosure of information through a health information custodian. HIPAA is disclosed by a covered entity.
In addition, HIPAA’s Privacy Rule and PHIPA’s Part IV are very similar. In that if individuals affected may not want their information publicly disclosed, they may choose to do so.
As you can see, there are a lot of similarities between the two compliances. They both aim to solve the same problem. Canadian companies should be actively thinking about becoming compliant in both PHIPA and HIPAA standards. However, if you do absolutely no work with American personal health information then HIPAA likely doesn’t apply.