I was asked by a good friend for my thoughts on whether or not Canadian companies which store, process, or transmit health information should implement HIPAA (Health Insurance Portability and Accountability Act) safeguards to protect their patients’ or customers’ health information. That includes Canadian organizations which conduct business with U.S. companies.
I was definitely intrigued by this thought especially given how close I work with compliance and audit, specifically PCI Compliance and Privacy. In fact I was so interested I decided to write a blog about it.
Before I proceed, I will first define some terms used in this article:
- Personal/Protected Health Information (PHI) is health information that identifies an individual. Examples include, but are not limited to, an individual’s name, blood type, Care Card number and/or any illnesses the individual may have.
- Health Insurance Portability and Accountability Act (HIPAA) of 1996 is United States legislation whose purpose is to ensure that a company's PHI is reasonably secure and that user information receives appropriate data privacy.
- Personally Identifiable Information (PII) is information that can identify an individual. This includes, but is not limited to, name, date of birth, and Social Insurance Number.
- Covered Entity as defined by HIPAA is any healthcare provider, clearinghouse, or plan which electronically transmits any health related information. It also pertains to any company which provides health insurance.
- Business Associate is any company or person whose work involves the use or disclosure of PHI on behalf of a covered entity, or which provides services to a covered entity.
Canada does not have any federal legislation which specifically focuses on protecting health information. There are a few provinces which have developed their own privacy legislation applying to health information, but they lack details on how to safeguard PHI. Canada does have federal legislation which mandates the importance of protecting PII, but it is not focused on health information. This is where HIPAA’s guidelines can be used to influence how Canadian organizations protect PHI. Even though HIPAA is an American act, I feel it does have applicability within Canada.
Overall, HIPAA takes a more granular approach to securing protected health information than any of the privacy and health legislation in Canada. PIPEDA, Canada's federal privacy legislation, and its provincial counterparts are quite broad in their requirements. For example, they all mandate that PII and PHI must be protected with reasonable safeguards. This can become confusing to a company with little to no technical background in how to safeguard this information, and especially so if it gets audited. One auditor's definition of safeguarding may differ from another's. In my experience, I have found that interpretations of the same control vary with the person conducting the audit. This affects the amount of time and resources spent to meet the control, and the endeavour to become compliant can quickly become overwhelming to a covered entity or business associate. HIPAA is clearer on how to safeguard PHI; it eliminates ambiguity, specifically regarding privacy and security.
HIPAA's Privacy Rule mandates how a covered entity or business associate may use PHI. Its foundation is the "minimum necessary rule", which states that PHI must not be used or disclosed by a covered entity except for the particular function or purpose it serves. For example, a doctor's office may store a patient's heart rate, blood pressure, and blood sugar level as a baseline to compare against when the patient is not feeling well. This information carries a purpose. The doctor's office must not disclose this information to a marketing firm intending to target patients with prescription drug advertisements.
HIPAA's Security Rule focuses on electronic PHI used by any entity covered under HIPAA. It focuses on ensuring that the confidentiality, integrity, and availability of the PHI remain intact. This is done by breaking the controls into a number of topics:
- Risk assessment: Conduct ongoing risk analysis for threats against a covered entity’s PHI. Apply reasonable safeguards against unmanageable risk.
- Administrative Safeguards: Focuses on security processes, personnel, training and periodic evaluation of these safeguards.
- Physical Safeguards: Focuses on workstation security, facility access and control.
- Technical Safeguards: Focuses on access control, secure transport, auditability, and integrity of PHI.
- Organizational Requirements: Stresses the importance of having appropriate agreements with business entities, specifically on their security obligations and breach management.
- Policies and Procedures and Documentation Requirements: Focuses on creating policies and procedures that support the Security Rule.
So, should HIPAA apply to Canadian companies? In my opinion it already does, whenever a Canadian company conducts business with an American company and PHI is stored by and/or transmitted between the two organizations. The Canadian company would be considered a business associate and would be bound by the agreement which sets out the safeguards business associates must have in place. Failure to meet them may result in loss of business with the covered entity. Ultimately, it would be a hit to the Canadian company's bottom line.
Another incentive to become HIPAA compliant or, at the very least, implement the various HIPAA safeguards, arises when a Canadian company plans to do business with a covered entity in the United States. Having implemented the HIPAA safeguards opens the door for covered entities to partner with Canadian companies as business associates. Fitbit, even though it is not a Canadian company, is a good example of an organization which became HIPAA compliant in order to win more business in the corporate space. HIPAA compliance opens up opportunities for Fitbit to work with companies on PHI which would otherwise not be available to it. If Canadian companies dealing with PHI wish to attract more business south of the border, then it would be in their best interest to implement HIPAA's safeguards and market themselves as having done so.
The 2013 Omnibus Rule extended HIPAA's requirements to business associates. Prior to this, HIPAA's Security and Privacy Rules applied primarily to covered entities. Now business associates, including contractors and subcontractors, are more heavily scrutinized by the government to ensure they have reasonable safeguards in place. Canadian companies which are business associates therefore have more at stake if they have not met the agreed-upon security safeguards. This may not include hefty fines, however, because the US government has no jurisdiction to impose them. The main negative repercussion Canadian business associates will face for non-compliance is brand damage. No other covered entity would want to do business with a Canadian company that failed to safeguard a covered entity's PHI. The brand damage could also extend beyond covered entities in the United States: Canadian companies may also avoid working with the damaged brand.
Lastly, Canadian companies do not have a security framework to work within that is specifically focused on the details of adequately securing protected health information. The closest guidelines Canadian companies have to follow are privacy legislation and some provincial legislation protecting PHI. All of those are, in my opinion, vague on how they recommend securing PHI. Until a security framework is developed which includes details on protecting Canadians' PHI, the HIPAA safeguards are an ideal set of controls that Canadian companies may wish to implement, or at the very least use as a reference when building security controls. eHealth Ontario appears to have done just that: it has implemented the technical, physical, and administrative safeguards that HIPAA outlines. If other Canadian companies follow suit, they may find they have opened the door to new business opportunities in the United States. At minimum, the safeguards provide a starting point for what needs to be implemented in order to protect PHI.