As barriers to entry were lifted during the early days of the COVID pandemic, many telehealth providers have had the experience of working with clients and patients who are in foreign states and perhaps countries. For providers serving Canadian citizens, two important Canadian laws apply. Compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and Personal Health Information Protection Act (PHIPA) is mandatory. See TBHI’s previous article about Email Privacy & Security Checklist: HIPAA, HITECH & PIPEDA for more information.

Going Beyond HIPAA for Citizens of the United States

If you are one of those providers who have begun treating clients outside of your state(s) of licensure, you need to consider state health laws passed by largely consumer protection states, such as Texas HB 300 and the California Consumer Privacy Act (CCPA), as well as international laws if you are treating, say, Canadian residents. When operating in the United States, the state-based rules raise the bar for security and privacy compliance so that HIPAA serves as the floor, and state law applies over and above the HIPAA floor. Now that many states are removing the waivers allowed during the national emergency caused by COVID, the need for careful attention to legal and ethical compliance is looming.

What is PIPEDA?

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal Canadian privacy law. PIPEDA imposes standards for any private company (including healthcare providers) that gathers, uses, or discloses the personal data of Canadian residents. Unlike HIPAA, PIPEDA is not exclusive to healthcare information. Rather, it covers any factual or subjective information about an identifiable individual, including:

  •       Age, name, ID numbers, income, ethnic origin, or blood type
  •       Medical records, credit records, loan records, employee files, the existence of a dispute between a consumer and a merchant, and intentions
  •       Credit card and bank account numbers

Businesses that are regulated under PIPEDA Canada must adopt ten fair information principles to protect personal information:

  1. Accountability
  2. Identifying Purposes
  3. Consent
  4. Limiting Collection
  5. Limiting Use, Disclosure, and Retention
  6. Accuracy
  7. Safeguards
  8. Openness
  9. Individual Access
  10. Challenging Compliance

Using a PIPEDA compliance checklist can help you determine whether or not you are meeting PIPEDA requirements.

What is PHIPA?

The Personal Health Information Protection Act (PHIPA) regulates providers treating patients in the province of Ontario, Canada. PHIPA does specifically address healthcare data. It imposes regulations regarding the use, disclosure, and collection of personal health information. Under PHIPA, personal health information includes any “identifying information” about a patient that:

  •       Relates to the individual’s physical or mental condition, including family medical history
  •       Relates to the provision of healthcare to the individual
  •       Is a plan of service for the individual
  •       Relates to payments, or eligibility for healthcare or coverage for healthcare
  •       Relates to the donation of any body part or bodily substance or is derived from the testing or examination of any such body part or bodily substance
  •       Is the individual’s health number
  •       Identifies a healthcare provider or substitute decision-maker for the individual.

Under PHIPA regulations, “health information custodians” – organizations that provide healthcare or organizations that have custody or control of personal health information – must take reasonable steps to prevent:

  •       Theft
  •       Loss
  •       Unauthorized use or disclosure; and
  •       Unauthorized copying, modification, or disposal of personal health information.

Regardless of where you practice, it is advised that you get the right information about privacy now. As states and countries begin resuming their previous levels of protection for their citizens, enforcement of laws is on the rise in steep and often surprising ways. See TBHI Telehealth.org’s related article:

Contributed by Compliancy Group
