
Why You Should Care About PIPEDA as a Telehealth Provider



As barriers to entry were lifted during the early days of the COVID pandemic, many telehealth providers found themselves working with clients and patients located in other states and, in some cases, other countries. For providers serving people who live in Canada, two Canadian laws are especially important: the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and, for patients in Ontario, the Personal Health Information Protection Act (PHIPA). Compliance with these laws is mandatory, not optional. See Telehealth.org's previous article, Email Privacy & Security Checklist: HIPAA, HITECH & PIPEDA, for more information.

Going Beyond HIPAA for Citizens of the United States

If you are one of the providers who have begun treating clients outside your state(s) of licensure, you need to consider state privacy and health-data laws, such as Texas HB 300 and the California Consumer Privacy Act (CCPA), as well as international laws if you are treating, say, Canadian residents. Within the United States, HIPAA is the floor: state laws apply over and above it and often raise the bar for security and privacy. Now that many states are rolling back the waivers issued during the COVID national emergency, careful attention to legal and ethical compliance is overdue.

What is PIPEDA?

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal private-sector privacy law. It sets standards for private-sector organizations (including healthcare providers) that collect, use, or disclose personal information in the course of commercial activity. Unlike HIPAA, PIPEDA is not limited to health information. It covers any factual or subjective information about an identifiable individual, including:

  • Age, name, ID numbers, income, ethnic origin, or blood type
  • Medical records, credit records, loan records, employee files, the existence of a dispute between a consumer and a merchant, and intentions
  • Credit card and bank account numbers

Organizations regulated under PIPEDA must follow ten fair information principles to protect personal information:

  1. Accountability
  2. Identifying Purposes
  3. Consent
  4. Limiting Collection
  5. Limiting Use, Disclosure, and Retention
  6. Accuracy
  7. Safeguards
  8. Openness
  9. Individual Access
  10. Challenging Compliance

Working through a PIPEDA compliance checklist, principle by principle, is a practical way to determine whether you are meeting these requirements.

What is PHIPA?

The Personal Health Information Protection Act (PHIPA) applies to providers treating patients in the province of Ontario, Canada. Unlike PIPEDA, PHIPA specifically addresses health information: it regulates the collection, use, and disclosure of personal health information. Under PHIPA, personal health information means "identifying information" about an individual that:

  • Relates to the individual’s physical or mental condition, including family medical history
  • Relates to the provision of healthcare to the individual
  • Is a plan of service for the individual
  • Relates to payments, or eligibility for healthcare or coverage for healthcare
  • Relates to the donation of any body part or bodily substance or is derived from the testing or examination of any such body part or bodily substance
  • Is the individual’s health number
  • Identifies a healthcare provider or substitute decision-maker for the individual.

Under PHIPA regulations, “health information custodians” – organizations that provide healthcare or organizations that have custody or control of personal health information – must take reasonable steps to prevent:

  • Theft
  • Loss
  • Unauthorized use or disclosure; and
  • Unauthorized copying, modification, or disposal of personal health information.

Regardless of where you practice, review your privacy obligations now rather than later. As states and countries reinstate the protections they relaxed during the pandemic, enforcement of these laws is increasing, often in ways providers do not anticipate.

Contributed by Compliancy Group

Need assistance with compliance? Compliancy Group can help! They help you achieve compliance with Compliance Coaches® guiding you through the entire process. Find out more about the Seal of Compliance® and Compliancy Group. Get compliant today!
