Beyond HIPAA: International Health Data Protection in Europe and Canada
HIPAA is the US’s answer to protecting vital patient data, but is there an international equivalent for Europeans, Canadians, and citizens of other countries – a sort of HIPAA in Europe or Canada? Although healthcare hosting compliance is a major concern of any business handling, storing, or transferring healthcare data in the United States, working with the personal patient data of Canadian or European patients is subject to different rules. Let’s look at how the European Union’s (EU’s) Directive on Data Protection and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) regulate patient records and other sensitive information.
Various organizations operating in the United States must comply with the Health Insurance Portability & Accountability Act (HIPAA), which has major ramifications for protecting every US citizen’s healthcare data. Not all of the Act has widespread relevance. Still, a broad spectrum of healthcare organizations is subject to the Privacy Rule and Security Rule (as outlined by the US Department of Health & Human Services). Below, we explore how this same health privacy question is handled in other countries.
Directive on Data Protection – guidelines for businesses in the European Union
The European Union adopted the Directive on Data Protection in 1998. It outlaws disclosure of any personal details held by a European company to any foreign entities that do not meet the EU’s data safeguard guidelines (the basis of various efforts to meet EU standards, such as the United States’ Safe Harbor program).
To put the general EU policy in context: compared with the United States, the EU approach is more seamless and unified, as described by the US Department of Commerce. US data policy is a piecemeal aggregate of different components: acts of Congress, regulatory agency code, and self-monitoring by businesses themselves. The European Union’s approach is more unified and far-reaching, including the following rules:
- development of standalone agencies, the sole purpose of which is to safeguard personal information
- the requirement to file any new or continuing sensitive databases with the government
- consent from the government, in certain situations, before sensitive data may be gathered.
Digital technology lawyers Morrison & Foerster provide specific advice to businesses operating in European Union countries, as follows (though described in terms of labor law, these basic principles apply broadly within the EU):
- Focus on the specific data you need. Because the EU standards and processes are stringent, it’s necessary to have a completely organized metadata system related to all the personal information you process. All data must be obtained and handled for an explicit and reasonable business purpose. In other words, streamline your personal information as much as possible within the EU.
- Analyze the way you process data. You need to have a system in place to correct any errors in personal data and to discard any information that has become outdated or is no longer useful. Also, make sure those with access to data are properly trained.
- Consult a lawyer and/or legal codes. Countries external to the EU that regularly handle personal data from the EU Member States should check legal requirements, such as Safe Harbor certification in the United States.
- Stay up-to-date with revisions. The European Union has considered making changes to its data protection laws (with the 1998 Directive forming the basis). A primary concern is the General Data Protection Regulation (although some sources say it is “on hold” until 2015).
Canada’s Personal Information Protection and Electronic Documents Act – Overview
PIPEDA is an Act passed by the Canadian government in 2000 that set parameters for businesses’ administration of personal data. The Act’s goal is to define a set of standards, as outlined by the Office of the Privacy Commissioner of Canada, that both safeguard the personal data of Canadian citizens and allow businesses reasonable access and use of the data to achieve business ends.
Several of the basic stipulations described in PIPEDA are as follows:
- Freedom of information – Individuals must be informed of any business’s reason for using their personal data. It is also any Canadian’s right to review their personal data and have any errors rectified. That right extends to EMR (electronic medical records) and applies to the full scope of sensitive information.
- Consent – Organizations are required to obtain an individual’s agreement before using their personal details in almost any situation. However, criminal cases and emergencies allow access without a person’s approval.
- Complaints – Canadian citizens also can contact the Privacy Commissioner, an official who reports directly to Parliament, with any grievances.
This Canadian law, similarly to the EU one, is broader than the specific healthcare focus of HIPAA. Nonetheless, it does not cover all situations. Types of businesses and situations affected by this law include the following:
- individuals conducting commerce
- trade unions
- nonprofit organizations (information related to donations and membership)
- online transactions
- face-to-face sales.
The core of PIPEDA is its Fair Information Principles, which can be summarized as follows:
- It is unlawful for a business to gather anything that is not immediately needed for the current transaction. If the company wants any additional information, they must provide their reasoning to the customer, how the data will be used, and what organizations will have access to it. The customer must then agree to those terms.
- As stated above, a Canadian citizen has the right to review any data a business gathers and have any information changed that is incorrect.
Clearly, the nations of the Western world have similar perspectives toward privacy rights. If your organization handles, or is considering handling, health data or other sensitive personal information of citizens outside your country, it’s crucial to check the applicable laws (as detailed by security and privacy firm Information Shield) to avoid problems. Atlantic.Net offers full HIPAA Compliant Hosting on full SSD Cloud Servers in a variety of cloud or dedicated hosting solutions. Looking for an international data center as an alternative? Contact us to find out about our world-class certified centers in Toronto and London.