The Health Insurance Portability and Accountability Act (HIPAA) is United States federal legislation that establishes rules and provisions for the safeguarding, security, and privacy of medical information. It covers the gathering, storage, use, transfer, disclosure, and destruction of medical data from all types of medical establishments and from all parties that have access to that data. HIPAA has become one of the main laws dictating how medical software works in the United States and what security features and measures are used with it. Businesses that do not comply with HIPAA guidelines face hefty financial penalties. In Canada, the comparable legislation is the Personal Information Protection and Electronic Documents Act (PIPEDA).
HIPAA is federal United States legislation that governs the privacy and security of personal health information within the healthcare industry, specifically for healthcare providers, healthcare insurers, and healthcare exchange organizations. The legislation sets out clear requirements that any organization working with personal health data must follow; this protects patients and allows organizations to make informed decisions with that information. Health information within the United States is also governed by state laws, but once data is transferred outside of the United States, it is no longer protected by HIPAA.
In Canada, PIPEDA applies to all personal data, including health data. The purpose and scope of PIPEDA are to require organizations to accept full responsibility and accountability for the protection of all collected data, regardless of the province, industry, or type of data collected. The legislation also recognizes that individuals have a right to privacy with respect to their personal information and gives them the ability to access any personal information an organization collects, to know who is responsible for collecting it and why it is being collected, and to challenge the accuracy of collected data. As with HIPAA, each province has its own rules, regulations, and governance with regard to the collection of that data.
If you are a business within the province of Ontario, there is equivalent legislation to HIPAA in the Personal Health Information Protection Act (PHIPA). The PHIPA sets out rules that health custodians must follow when collecting, using, and disclosing personal information.
Health custodians include doctors, nurses, hospitals, homes for special care, pharmacies, medical laboratories, local medical officers, ambulance services, community care centres, long-term care homes, mental health programs, and the Ministry of Health.
The key difference between PHIPA and PIPEDA is that PIPEDA applies to any organization that collects, uses, and discloses personal information while engaged in commercial activities, whereas PHIPA applies to health custodians that collect, use, and disclose personal health information, regardless of whether they do so in the course of commercial activities.
What Is Defined as a Commercial Activity Under PIPEDA?
A commercial activity is any particular transaction, act, or conduct, or any regular course of conduct, that is of a commercial character, including selling, bartering, and leasing.
What Protected Health Information is Covered by HIPAA?
The HIPAA legislation is concerned with protected health information (PHI) and electronic protected health information (ePHI). These include the following pieces of collected data.
PIPEDA is broader than HIPAA: personal information under that legislation is any information that, on its own or combined with other pieces of data, identifies an individual.
Under HIPAA, a covered entity is any specialist working in the healthcare industry who has access (directly or indirectly) to personal health information. The most common examples are doctors, nurses, and medical officers.
Under PIPEDA, a covered entity is any private organization that collects personal information (of any kind) in the course of commercial activity. PIPEDA also covers federally regulated organizations and businesses, as well as interprovincial or international transfers of personal information. Accordingly, organizations in aerospace, banking, transportation, telecommunications, offshore drilling, and radio/television broadcasting are also included.
HIPAA also covers any non-medical specialist who works with covered entities and may have access to personal health information or electronic personal health information, such as a lawyer or an information technology (IT) specialist.
The 3 Main Rules Behind HIPAA
It is important to note that HIPAA contains many other rules that impact companies. These primarily address workflow, the physical protection of workplaces, internal networks, and policies around violations, but they are not directly related to the compliance of the software itself.
A comparable list to HIPAA's 3 main rules is PIPEDA's 10 main principles. This is only an overview, so that you can see what the compliance guidelines are when creating software in Canada.
Now that you understand the main principles behind the HIPAA and PIPEDA legislation, we can create a software checklist to ensure that your project is compliant, whether you are in the United States or Canada.
If you are in the United States, HIPAA requires you to use the most up-to-date and modern technologies available to secure both your healthcare software and the data it uses. However, HIPAA does not name any precise "must-use" technologies, giving you the freedom to use tools that are not going to become outdated in a few years. What does this mean? You can use any toolset, security features, or technology stack with your project as long as it complies with HIPAA.
What are the terms of compliance?
While the toolsets and security technologies are not set in stone, there are requirements that have to be met. These include ensuring that your software has a secure authentication system; can securely transfer, store, back up, and encrypt data; controls access; and more. We go over these in more depth below.
While the list of requirements is lengthy, there are plenty of modern toolsets, technologies, and methods that can be used to ensure that your software complies with all HIPAA or PIPEDA regulations. Protecting your software and the personal information you collect ensures that your users feel safe and that you avoid hefty financial fines for non-compliance. It is worth taking the time to ensure your healthcare software is 100% compliant.
Through research and development you can learn much more and build HIPAA- and PIPEDA-compliant smart diagnostic systems and telehealth consultation platforms. For more details and queries, you can contact us.