Atlantic.Net Blog

Beyond HIPAA: International Health Data Protection in Europe and Canada

Sam Guiliano
by Atlantic.Net (82 posts) under HIPAA Compliant Hosting

HIPAA is the US’s answer to protecting vital patient data, but are there international “HIPAA” protections for Europeans, Canadians, and other countries – a sort of HIPAA in Europe or Canada? Although healthcare hosting compliance is a major concern of any businesses handling, storing, or transferring healthcare data in the United States, working with personal patient data of Canadian or European patients is subject to different rules. Let’s look at how the European Union’s (EU’s) Directive on Data Protection and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) regulate patient records and other sensitive information.

Various organizations operating in the United States must comply with the Health Insurance Portability & Accountability Act (HIPAA), which has major ramifications for the protection of every US citizen’s healthcare data. Not all of the Act has widespread relevance, but a broad spectrum of healthcare organizations are subject to the Privacy Rule and Security Rule (as outlined by the US Department of Health & Human Services). Below, we explore how this same health privacy question is handled in other countries.

Directive on Data Protection – guidelines for businesses in the European Union

The European Union adopted the Directive on Data Protection in 1998. It outlaws disclosure of any personal details held by a European company to any foreign entities that do not meet the EU’s data safeguard guidelines (the basis of various efforts to meet EU standards, such as the United States’ Safe Harbor program).

To put the general EU policy in context: compared to the United States, the European approach is more seamless and unified, as described by the US Department of Commerce. US data policy is a piecemeal aggregate of different components: acts of Congress, regulatory agency code, and self-monitoring by businesses themselves. The European Union’s approach is more unified and far-reaching, including the following rules:

  • development of standalone agencies, the sole purpose of which is to safeguard personal information
  • requirement to file any new or continuing sensitive databases with the government
  • consent from the government, in certain situations, before sensitive data may be gathered.

Digital technology lawyers Morrison & Foerster provide specific advice to businesses operating in European Union countries, as follows (though described in terms of labor law, these basic principles apply broadly within the EU):

  1. Focus on the specific data you need. Because the EU standards and processes are so stringent, it’s necessary to have a completely organized system of metadata related to all the personal information you process. All data must be obtained and handled for an explicit and reasonable business purpose. In other words, streamline your personal information as much as possible within the EU.
  2. Analyze the way you process data. You need to have a system in place to correct any errors in personal data and to discard any information that has become outdated or is no longer useful. Also make sure those with access to data are properly trained.
  3. Consult a lawyer and/or legal codes. Countries external to the EU that regularly handle personal data from EU Member States should check legal requirements to do so, such as Safe Harbor certification in the United States.
  4. Stay up-to-date with revisions. The European Union has made, and considered making, changes to its data protection laws (with the 1998 Directive forming the basis). A primary concern is the General Data Protection Regulation (which some sources say is “on hold” until 2015).

Canada’s Personal Information Protection and Electronic Documents Act – Overview

PIPEDA is an Act passed by the Canadian government in 2000 that set parameters for the administration of personal data by businesses. The goal of the Act is to define a set of standards, as outlined by the Office of the Privacy Commissioner of Canada, that both safeguard the personal data of Canadian citizens and allow businesses reasonable access and use of the data to achieve business ends.
Several of the basic stipulations described in PIPEDA are as follows:

  • Freedom of information – Individuals must be informed of any business’s reasoning to use personal data. That right extends to EMR (electronic medical records) but also applies to the full scope of sensitive information. It is also any Canadian’s right to be able to review personal data and have any errors rectified.
  • Consent – Organizations are required to obtain agreement from anyone in order to utilize personal details for almost any situation. However, criminal cases and emergency situations allow access without a person’s approval.
  • Complaints – Canadian citizens also can contact the Privacy Commissioner, an official who reports directly to Parliament, with any grievances.

This Canadian law, similarly to the EU one, is broader than the specific healthcare focus of HIPAA. Nonetheless, it does not cover all situations. Types of businesses and situations affected by this law include the following:

  • individuals conducting commerce
  • trade unions
  • nonprofit organizations (information related to donations and membership)
  • online transactions
  • face-to-face sales.

The core of PIPEDA is its Fair Information Principles, which can be summarized as follows:

  • It is unlawful for a business to gather anything that is not immediately needed for the current transaction. If the company wants any additional information for any reason, they must provide their reasoning to the customer, how the data will be used, and what organizations will have access to it. The customer must then agree to those terms.
  • As stated above, a Canadian citizen has the right to review any data a business gathers and have any information changed that is incorrect.

Clearly the nations of the Western world have similar perspectives toward privacy rights. If your organization handles or is considering handling health data or other sensitive personal information of citizens outside your country, it’s crucial to check the laws (as detailed by Security and Privacy Firm Information Shield) to avoid problems. Atlantic.Net offers full HIPAA Compliant Hosting on full SSD Cloud Servers in a variety of cloud or dedicated hosting solutions. Looking for an international data center as an alternative? Contact us to find out our world-class certified centers in Toronto and London.
