HIPAA Canada: PIPEDA

By | April 3, 2020

The law often called “HIPAA Canada” is the Personal Information Protection and Electronic Documents Act, or PIPEDA. It differs from HIPAA in several respects. Most significantly, the data PIPEDA protects is not limited to individual health information: all personal information, health-related or otherwise, is covered.

“HIPAA Canada”: What is PIPEDA?

The Personal Information Protection and Electronic Documents Act (PIPEDA), colloquially referred to as “HIPAA Canada,” is a Canadian federal privacy law that governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activities.

PIPEDA was passed:

  • To ensure the privacy of personal information collected, used, or disclosed in commercial transactions
  • To promote consumer trust in electronic commerce
  • To assure the European Union (EU) that Canada’s privacy laws were sufficiently robust to protect the personal information of EU citizens.

What Does PIPEDA Regulate?

“HIPAA Canada,” or PIPEDA, regulates the collection, use, and disclosure of personal information in the course of commercial activities conducted by private businesses. As drafted, PIPEDA applies to personal information held by private-sector organizations that conduct business in:

  • Manitoba
  • New Brunswick
  • Newfoundland and Labrador
  • Northwest Territories
  • Nova Scotia
  • Nunavut
  • Ontario
  • Prince Edward Island
  • Saskatchewan
  • Yukon

Each province may enact its own private-sector privacy legislation, and where the federal government has declared that legislation “substantially similar” to PIPEDA, organizations subject to the provincial law are generally exempt from PIPEDA with respect to the collection, use, or disclosure of personal information that occurs within that province. Alberta, British Columbia, and Quebec, for example, have enacted laws that have been deemed substantially similar, so for-profit entities in those provinces are generally subject to the provincial law rather than PIPEDA for intra-provincial activity. The exemption is not total: PIPEDA continues to apply to personal information that crosses provincial or national borders, and to federal works, undertakings, and businesses (such as banks, airlines, and telecommunications carriers) wherever they operate.

The complete list of provinces with substantially similar laws, the names of those laws, and, where applicable, the scope within which they are substantially similar, is as follows:

  • British Columbia: The British Columbia Personal Information Protection Act.
  • Alberta: The Alberta Personal Information Protection Act.
  • Québec: An Act Respecting the Protection of Personal Information in the Private Sector.
  • Ontario: The Personal Health Information Protection Act (PHIPA), with respect to health information custodians.
  • New Brunswick: The Personal Health Information Privacy and Access Act, with respect to personal health information custodians.
  • Nova Scotia: The Personal Health Information Act, with respect to health information custodians.
  • Newfoundland and Labrador: The Personal Health Information Act, with respect to health information custodians.

Under PIPEDA, “personal information” is any factual or subjective information, recorded or not, about an identifiable individual, in any form. Examples include:

  • Age, name, ID numbers, income, ethnic origin, or blood type;
  • Opinions, evaluations, comments, social status, or disciplinary actions; and
  • Employee files, credit records, loan records, medical records, the existence of a dispute between a consumer and a merchant, and “commercial intentions” (e.g., intent to acquire goods or services, or to change jobs).

How Does PIPEDA Differ from HIPAA?

HIPAA governs the privacy and security of protected health information (PHI) and electronic protected health information (ePHI). The entities regulated by HIPAA include covered entities and business associates.

The regulatory scope of PIPEDA is considerably broader than that of HIPAA. As the definition of “personal information” above shows, PIPEDA applies to all personal data, health-related or otherwise, that an organization collects, uses, or discloses in the course of commercial activity, not only to health information held by health-care entities.

There are also differences between HIPAA and PIPEDA when it comes to business associate agreements. Under HIPAA, a covered entity must sign a business associate agreement with each business associate (vendor) that creates, receives, maintains, or transmits PHI on its behalf. PIPEDA has no direct equivalent of the business associate agreement. Its accountability principle does, however, require an organization that transfers personal information to a third party for processing to use contractual or other means to provide a comparable level of protection while the information is in the third party’s hands. Beyond that general obligation, whether a service provider must sign a privacy protection agreement with a vendor depends on how the particular provider is classified, and provinces classify providers differently. Ontario, for example, distinguishes health information network providers from electronic service providers, and other provinces draw similar distinctions. Regardless of the classification or province, the general rule is that if a service provider is engaged in for-profit activities involving the collection, use, or disclosure of personal information, the provider may have to sign a privacy protection agreement with any vendor that handles that information.