A good friend asked me for my thoughts on whether Canadian companies that store, process, or transmit health information should implement HIPAA safeguards to protect their patients' or customers' health information. This includes Canadian organizations that conduct business with U.S. companies.
I was definitely intrigued by this question, especially given how closely I work in compliance and audit, specifically PCI compliance and privacy. In fact, I was so interested that I decided to write a blog post about it.
Before I proceed, I will first define some terms used in this article:
- Personal/Protected Health Information (PHI) is health information that identifies an individual. Examples include, but are not limited to, an individual’s name, blood type, Care Card number, and any illnesses the individual may have.
- Health Insurance Portability and Accountability Act (HIPAA) of 1996. The purpose of this United States legislation is to ensure that a company’s PHI is reasonably secure and that users' information has the appropriate data privacy.
- Personally Identifiable Information (PII) is information that can identify an individual. This includes, but is not limited to, name, date of birth, and Social Insurance Number.
- Covered Entity, as defined by HIPAA, is any health care provider, clearinghouse, or plan which electronically transmits any health-related information. It also pertains to any company that provides health insurance.
- Business Associate is any company or person whose work involves the use or disclosure of PHI on behalf of a covered entity, or which provides services to a covered entity.
Canada does not have any federal legislation which specifically focuses on protecting health information. A few provinces have developed their own privacy legislation as it applies to health information, but it lacks detail on how to safeguard PHI. We do have federal legislation which mandates the importance of protecting PII, but it is not focused on health information. This is where HIPAA’s guidelines can be used to influence how Canadian organizations protect PHI. Even though HIPAA is an American act, I feel it does have applicability within Canada.
Overall, HIPAA takes a more granular approach to securing protected health information than any of the privacy and health legislation in Canada. PIPEDA, Canada’s federal privacy legislation, and its provincial counterparts are quite broad in their requirements. For example, they all mandate that PII and PHI must be protected with reasonable safeguards. This can become confusing to a company with little to no technical background on how to safeguard this information, especially if it gets audited. One auditor’s definition of safeguarding may be different from another’s. I have experienced auditors' interpretations of the same control vary by the person conducting the audit. This impacted the amount of time and resources spent to meet the control. The endeavour to become compliant can quickly become overwhelming to a covered entity or business associate. HIPAA makes it clearer how to safeguard PHI, so there is less ambiguity, specifically regarding privacy and security.
HIPAA’s Privacy Rule mandates how a covered entity and business associate use PHI. The foundation of the Privacy Rule is the “minimum necessary” rule. It states that PHI must not be used or disclosed by a covered entity except for the particular function or purpose it serves. For example, a doctor’s office may store a patient’s heart rate, blood pressure, and blood sugar level as a baseline to compare against when the patient is not feeling well. This information carries a purpose. A doctor’s office must not disclose this information to a marketing firm to target prescription drug advertisements.
HIPAA’s Security Rule focuses on electronic PHI used by any entity covered under HIPAA. It focuses on ensuring that the confidentiality, integrity, and availability of the PHI remain intact. This is done by breaking the controls into a number of topics:
- Risk assessment: Conduct ongoing risk analysis for threats against a covered entity’s PHI. Apply reasonable safeguards against unmanageable risk.
- Administrative Safeguards: Focuses on security processes, personnel, training, and periodic evaluation of these safeguards.
- Physical Safeguards: Focuses on workstation security and facility access and control.
- Technical Safeguards: Focuses on access, secure transport, auditability, and integrity of PHI.
- Organizational Requirements: This area stresses the importance of having appropriate agreements with business entities, specifically on their security obligations and breach management.
- Policies and Procedures and Documentation Requests: Create policies and procedures which support the Security Rule.
So would HIPAA apply to Canadian companies? It does, in my opinion, if a Canadian company conducts business with an American company where PHI is stored and/or transmitted between the two organizations. The Canadian company would be considered a business associate and would be bound by the agreement which sets out the safeguards business associates must have in place. Failing to do so may result in loss of business with the covered entity. Ultimately, it would be a hit to the Canadian company’s bottom line.
Another incentive to become HIPAA compliant or, at the very least, implement the various HIPAA safeguards is if a Canadian company plans to do business with a covered entity in the United States. This opens the door for covered entities to partner with Canadian companies as business associates, since they have implemented the HIPAA safeguards. Fitbit, even though it is not a Canadian company, is a good example of an organization that became HIPAA compliant in order to get further business in the corporate space. HIPAA compliance opens up opportunities for Fitbit to work on PHI with companies that must be HIPAA compliant, which otherwise would not be available to Fitbit. If Canadian companies dealing with PHI wish to attract more business south of the border, then it would be in their best interest to implement HIPAA’s safeguards and market it as such.
The 2013 Omnibus Rule expanded HIPAA’s requirements to business associates. Prior to this, HIPAA’s Security and Privacy Rules applied primarily to covered entities. Now business associates are more heavily scrutinized by the government to ensure they have reasonable safeguards in place. This includes contractors and sub-contractors. Canadian companies which are business associates now have more at stake if they have not met the agreed-upon security safeguards. This may not include any hefty fines, because the US government has no jurisdiction to impose those fines, but the negative repercussion Canadian business associates will face for non-compliance is brand damage. No other covered entity would want to do business with the Canadian company if it failed to safeguard the covered entity’s PHI. This damage may extend beyond covered entities in the United States to other Canadian companies that do not want to conduct business with this business associate.
Lastly, Canadian companies do not have a security framework specifically focused on the details of adequately securing protected health information. The closest guidelines Canadian companies have to follow are privacy legislation and some provincial legislation protecting PHI. They are, in my opinion, vague on how they recommend securing PHI. Until a security framework is developed which includes details on protecting Canadians’ PHI, the HIPAA safeguards are an ideal set of controls that Canadian companies may wish to implement, or at the very least use as a reference when building security controls, as eHealth Ontario appears to have done. It has implemented the technical, physical, and administrative safeguards that HIPAA outlines. Doing so may open the door to new business opportunities in the United States for Canadian companies. At minimum, the safeguards provide a starting point on what needs to be implemented to protect PHI.