Various organizations operating in the United States must comply with the Health Insurance Portability & Accountability Act (HIPAA), which has major ramifications for the protection of every US citizen’s healthcare data. Not all of the Act has widespread relevance, but a broad spectrum of healthcare organizations are subject to the Privacy Rule and Security Rule (as outlined by the US Department of Health & Human Services).
Although HIPAA compliance is a major concern of any businesses handling, storing, or transferring healthcare data in the United States, working with personal patient data of Canadian or European patients is subject to different rules. Let’s look at how the European Union’s (EU’s) Directive on Data Protection and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) regulate patient records and other sensitive information.
Directive on Data Protection – guidelines for businesses
The European Union adopted the Directive on Data Protection in 1998. It outlaws disclosure of any personal details held by a European company to any foreign entities that do not meet the EU’s data safeguard guidelines (the basis of various efforts to meet EU standards, such as the United States’ Safe Harbor program).
Seen in context, the EU’s general policy is more seamless and unified than that of the United States, as described by the US Department of Commerce. US data policy is a piecemeal aggregate of different components: acts of Congress, regulatory agency code, and self-monitoring by businesses themselves. The European Union’s approach is more unified and far-reaching, and includes the following rules:
- development of standalone agencies, the sole purpose of which is to safeguard personal information
- requirement to file any new or continuing sensitive databases with the government
- consent from the government, in certain situations, before sensitive data may be gathered.
Digital technology lawyers Morrison & Foerster provide specific advice to businesses operating in European Union countries, as follows (though described in terms of labor law, these basic principles apply broadly within the EU):
- Focus on the specific data you need. Because the EU standards and processes are so stringent, it’s necessary to have a completely organized system of metadata related to all the personal information you process. All data must be obtained and handled for an explicit and reasonable business purpose. In other words, streamline your personal information as much as possible within the EU.
- Analyze the way you process data. You need to have a system in place to correct any errors in personal data and to discard any information that has become outdated and unuseful. Also make sure those with access to data are properly trained.
- Consult a lawyer and/or legal codes. Countries external to the EU that regularly handle personal data from EU Member States should check legal requirements to do so, such as Safe Harbor certification in the United States.
- Stay up-to-date with revisions. The European Union has made, and considered making, changes to its data protection laws (with the 1998 Directive forming the basis). A primary concern is the General Data Protection Regulation (which some sources say is “on hold” until 2015).
Personal Information Protection and Electronic Documents Act – Overview
PIPEDA is an Act passed by the Canadian government in 2000 that set parameters for the administration of personal data by businesses. The goal of the Act is to define a set of standards, as outlined by the Office of the Privacy Commissioner of Canada, that both safeguard the personal data of Canadian citizens and allow businesses reasonable access and use of the data to achieve business ends.
Several of the basic stipulations described in PIPEDA are as follows:
- Freedom of information – Individuals must be informed of any business’s reasoning to use personal data. That right extends to EMR (electronic medical records) but also applies to the full scope of sensitive information. It is also any Canadian’s right to be able to review personal data and have any errors rectified.
- Consent – Organizations are required to obtain a person’s agreement before using their personal details for almost any purpose. However, criminal cases and emergency situations allow access without a person’s approval.
- Complaints – Canadian citizens also can contact the Privacy Commissioner, an official who reports directly to Parliament, with any grievances.
Like the EU directive, this Canadian law is broader than the specific healthcare focus of HIPAA. Nonetheless, it does not cover all situations. Types of businesses and situations affected by this law include the following:
- individuals conducting commerce
- trade unions
- nonprofit organizations (information related to donations and membership)
- online transactions
- face-to-face sales.
The core of PIPEDA is its Fair Information Principles, which can be summarized as follows:
- It is unlawful for a business to gather anything that is not immediately needed for the current transaction. If the company wants any additional information for any reason, it must explain to the customer its reasoning, how the data will be used, and which organizations will have access to it. The customer must then agree to those terms.
- As stated above, a Canadian citizen has the right to review any data a business gathers and have any information changed that is incorrect.
Clearly the nations of the Western world have similar perspectives toward privacy rights. If your organization handles, or is considering handling, health data or other sensitive personal information of citizens outside your country, it’s crucial to check the applicable laws (as detailed by the security and privacy firm Information Shield) to avoid problems. Atlantic.Net offers full HIPAA Compliant Hosting on full SSD Cloud Servers in a variety of cloud or VPS Hosting Solutions.