As the world of healthcare continues to digitize, it's more important than ever to have a firm understanding of the major privacy laws that impact healthcare organizations. In this blog post, we will take a close look at two of the most important privacy laws in the healthcare space—HIPAA and PIPEDA. We will compare and contrast the two laws, discuss the implications of each, and identify some of the challenges associated with compliance.

What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act of 1996. It was created by the Clinton Administration working together with legislative supporters of healthcare reform. The goals and objectives of the legislation are to streamline industry inefficiencies, reduce paperwork, make it easier to detect and prosecute fraud and abuse, and enable workers of all professions to change jobs, even if they (or their family members) have pre-existing medical conditions.

HIPAA has 5 titles: I: Portability of Coverage, II: Fraud and Abuse Control, III: Tax-Related Health Provisions, IV: Application and Enforcement of Group Health Plans, and V: Administrative Simplification. HIPAA's "Administrative Simplification" subtitle requires HHS to issue regulations governing the electronic transmission of health information. These "transactions" standards are currently being phased in. When fully implemented, they will simplify how health information is exchanged between providers, health plans, and patients. The goal is a nationwide system that will decrease costs and increase efficiencies.

The 5 main components of HIPAA

HIPAA, the Health Insurance Portability and Accountability Act, is a US law that provides privacy protections for patients’ medical information.

HIPAA includes five main components:

1. The Privacy Rule: This rule establishes national standards for the protection of patient medical information.

2. The Security Rule: This rule sets standards for the electronic security of patients' medical information.

3. The Enforcement Rule: This rule establishes procedures for enforcement of the privacy and security rules.

4. The Breach Notification Rule: This rule requires covered entities to notify patients when their medical information has been breached.

5. The HITECH Act: This act strengthens the privacy and security protections established by HIPAA, and provides additional enforcement tools.

HIPAA is an important law that protects patients' medical information, but it also has some potential drawbacks. For example, the Privacy Rule may make it more difficult for researchers to access patient medical information, which could slow medical research. The Security Rule may also be costly for covered entities to implement and may cause delays in treatment if patient medical information is not properly secured.

Despite these potential drawbacks, HIPAA is a vital law that protects patients' medical information. Covered entities should take steps to ensure compliance with HIPAA, and patients should be aware of their rights under HIPAA.

Pros and cons of HIPAA

Pros: sets strict standards for the protection of personal health information; covers a broad range of personal information, including genetic information; provides for civil and criminal penalties for violators.

Cons: does not cover all health care providers; enforcement can be difficult; compliance can be expensive.

HIPAA's stricter standards and broad definition of protected information make it the better choice for most organizations.

HIPAA Implications and Challenges

HIPAA's regulations have been updated several times to reflect changes in how businesses and people use and exchange protected health information ("PHI"). The three principal requirements stipulated by HIPAA are the Privacy Rule, the Security Rule, and the Breach Notification Rule. The Privacy Rule seeks to safeguard the privacy of individuals' health information without obstructing the exchange of pertinent information between healthcare providers. It strikes a balance between consumers' right to data privacy and the need of healthcare professionals to gather, share, and access crucial data about a patient's health in order to offer high-quality treatment. Protected health information refers to records of a person's health status, medical history, treatments, and medications.

Although interpretations differ depending on who is asked, there is general consensus that HIPAA compliance is becoming increasingly difficult as more companies store patient data in the cloud. HIPAA has not kept up with modern technology challenges, and this leaves a big grey area for covered entities. One major challenge for companies is understanding what de-identification of patient data entails under HIPAA. PHI may not be used or disclosed without patient authorization except in the specific circumstances defined by HIPAA. Business associates are required to comply with HIPAA just like covered entities, and must report any breach to the Department of Health and Human Services Office for Civil Rights regardless of fault. Photos, X-rays, lab results, and medical histories are all examples of ePHI. Any entity that maintains or transmits ePHI must comply with HIPAA regulations, and those that do not may face severe penalties such as monetary fines or even jail time. Covered entities must also provide patients with their rights under HIPAA, which include the right to access their own medical records, the right to have their PHI amended if it is inaccurate or incomplete, and the right to request restrictions on uses or disclosures of their PHI. Patients also have the right to receive, on request, an accounting of the disclosures of their PHI made over a certain period of time.

Lastly, they have the right to complain if they believe their HIPAA rights have been violated by covered entities. Under HIPAA, covered entities must appoint a privacy official who oversees compliance with HIPAA regulations within the organization, and a security official who oversees the development and implementation of security measures to safeguard ePHI. They are also required to develop policies and procedures for HIPAA compliance and to train all employees on those policies and procedures. Employee complaints about potential HIPAA violations should be reported internally so that they can be investigated without involving law enforcement or regulatory agencies unless absolutely necessary. Patients should feel confident that their healthcare providers are protecting their PHI in accordance with HIPAA guidelines, so that they can focus on getting better instead of worrying about their privacy being invaded.

What is PIPEDA?

PIPEDA is the Personal Information Protection and Electronic Documents Act. The Act applies to any organization that collects, uses, or discloses personal information in the course of commercial activities. PIPEDA sets out the rules for how organizations must handle personal information, and gives individuals the right to access their personal information and request changes to incorrect or incomplete information. PIPEDA also includes provisions for investigating complaints and enforcing compliance with the Act.

In general, PIPEDA requires organizations to obtain consent from individuals before collecting, using or disclosing their personal information. However, there are a number of exceptions to this rule, such as where the disclosure is necessary for the performance of a contract or for legal or security reasons. The Office of the Privacy Commissioner of Canada administers PIPEDA.

Under PIPEDA, organizations must take reasonable steps to ensure that personal information is accurate and complete. This means that organizations must update personal information when they are made aware of changes, such as a change of address. Organizations must also take reasonable steps to protect personal information from loss or unauthorized access, copying, modification, or disclosure. For example, an organization might keep personal information in a secure database and only allow access to it on a need-to-know basis.

Organizations that collect, use or disclose personal information in the course of commercial activities are required to comply with PIPEDA. This includes businesses of all sizes, as well as not-for-profit organizations. The Act applies to any type of personal information, including names, addresses, telephone numbers, email addresses, and financial information.

PIPEDA came into effect on January 1, 2004. However, organizations that were subject to similar provincial privacy legislation before that date may continue to follow those laws instead of PIPEDA, as long as they provide substantially similar protection for personal information.

PIPEDA's 10 Principles

Ten "fair information principles" form the foundation of PIPEDA. These principles must always be followed by private-sector entities.

Here's a brief overview of the ten principles:

1. Accountability: Private-sector organizations are responsible for the personal information under their control and must designate an individual or individuals who are accountable for compliance with PIPEDA.

2. Identifying purposes: The organization must identify the reasons for collecting personal data at or before the time the data is acquired.

3. Consent: The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except in certain circumstances.

4. Limiting collection: Personal information collected shall be limited to that which is necessary for the purposes identified. The information must be collected by fair and lawful means.

5. Limiting use, disclosure, and retention: Except with the individual's consent or as required by law, personal information may not be used or shared for reasons other than those for which it was originally obtained. Personal data must only be kept for as long as it is required to achieve those purposes.

6. Accuracy: Personal information shall be accurate, complete, and up to date.

7. Safeguards: Security measures appropriate to the sensitivity of the information must be used to protect personal information.

8. Openness: Private-sector organizations shall make readily available to individuals specific information about their policies and practices relating to the management of personal information.

9. Individual access: An individual has the right to request access to his or her personal information and to be informed of its existence, use, and disclosure. A person must be able to challenge the accuracy and completeness of the data and request that it be corrected as necessary.

10. Challenging compliance: An individual shall be able to address a challenge concerning compliance with these principles to the designated individual or individuals responsible for the organization's compliance.

For more information on PIPEDA, visit the website of the Office of the Privacy Commissioner of Canada.

Pros and cons of PIPEDA

Pros: applies to all organizations that collect, use or disclose personal information; provides individuals with a right to access their own personal information; establishes clear rules for handling personal information.

Cons: does not cover all types of organizations; some provisions are contested by business groups; compliance can be costly.

PIPEDA may be a better fit for organizations that operate in multiple jurisdictions.

PIPEDA Implications and Challenges

PIPEDA has had a profound impact on the way organizations collect, use and disclose personal information. The act protects Canadians' privacy rights and establishes strict rules around how businesses must handle sensitive customer data.

However, PIPEDA is not without its challenges. One of the biggest challenges is ensuring compliance with the act's stringent requirements. Businesses must be very careful about how they collect, use, and disclose personal information, or they risk violating the law.

Another challenge is that PIPEDA is constantly evolving. As new technologies emerge, businesses must adapt their practices to ensure they are compliant with the latest changes to the law. This can be a difficult and time-consuming process.

Finally, PIPEDA is not always easy to understand. The act's complex provisions can be confusing for businesses, which may struggle to interpret them correctly. This can lead to serious compliance problems down the road.

Despite these challenges, PIPEDA is an important law that helps protect Canadians' privacy rights. Businesses must take care to comply with its requirements, or they could face serious consequences.

Comparison between HIPAA and PIPEDA

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law that was enacted in 1996. The law contains a set of regulations designed to protect the privacy of patient health information. HIPAA applies to all "covered entities," which include healthcare providers, health plans, and clearinghouses. Under HIPAA, covered entities must take measures to safeguard the confidentiality, integrity, and availability of protected health information (PHI). They must also ensure that PHI is only used for authorized purposes.

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law that was enacted in 2000. PIPEDA applies to all organizations that collect, use, or disclose personal information in the course of commercial activity. Like HIPAA, PIPEDA contains regulations designed to protect the privacy of personal information. Under PIPEDA, organizations must take measures to safeguard the confidentiality, integrity, and availability of personal information. They must also ensure that personal information is only used for authorized purposes.

There are several key similarities between HIPAA and PIPEDA. Both laws require covered entities to take measures to safeguard personal health information (PHI) or personal information (PI), respectively. Both laws also place restrictions on the use and disclosure of PHI or PI for unauthorized purposes. However, there are also some key differences between the two laws. Perhaps the most important difference is that HIPAA applies only to covered entities within the United States, while PIPEDA applies to all organizations, regardless of location, that collect, use, or disclose personal information in the course of commercial activity.

As we can see from this comparison, there are both similarities and differences between HIPAA and PIPEDA. While both laws contain provisions designed to protect the privacy of personal information, they differ in terms of scope and applicability. Organizations operating in the healthcare space should be aware of both laws and take steps to ensure compliance with both sets of regulations.
