A Refresher on the HIPAA and PIPEDA
No matter what country you operate out of, the regulations that govern personal information are a big deal. As healthcare providers, you are trusted and expected to store patient data securely, and the consequences are immense if you don’t.
HIPAA, through its Privacy Rule (Standards for Privacy of Individually Identifiable Health Information), is the enacted rule in the United States that regulates the protection of patients’ personal or protected health information. PIPEDA (the Personal Information Protection and Electronic Documents Act) is the Canadian legislation that governs how consent is gathered when practices want to use or disclose a patient’s collected information.
This blog is only meant to serve as a guide and does not replace or supersede the legislation it discusses. Please refer to the original laws to ensure you understand the full scope of each, and seek legal counsel if you have questions.
Keeping track of the guidelines and laws surrounding the collection of your patients’ information can get confusing and at worst, overwhelming. We’ve put together a quick overview of the legislation in North America so you can make sure that all your marketing endeavours are within the law.
PIPEDA (Canada)
All federally regulated organizations that conduct business in Canada are subject to PIPEDA. The act also applies to their employees’ information.
Under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:
- age, name, ID numbers, income, ethnic origin, or blood type;
- opinions, evaluations, comments, social status, or disciplinary actions; and
- employee files, credit records, loan records, medical records, the existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).
Businesses’ responsibilities under PIPEDA are outlined in the 10 fair information principles. They include:
- Identifying Purposes
- Limiting Collection
- Limiting Use, Disclosure, and Retention
- Individual Access
- Challenging Compliance
HIPAA (United States of America)
The HIPAA Privacy Rule is part of the Health Insurance Portability and Accountability Act, passed in 1994, and serves to enforce privacy standards relating to individually identifiable health information. That information includes:
- The patient’s name, address, birthday, or social insurance number
- The patient’s past, present, or future mental or physical health condition
- Any services or care you’ve provided to the patient in the past or are currently providing the patient
- Any other information that one might reasonably believe could be used to identify your patient
You need a patient’s written consent to include them in marketing campaigns; implied consent is not enough, so make sure you have it in writing before you start.
One More Caution
While the federal legislation applies to all federally regulated businesses (like eye care practices), many provinces, territories, and states have their own legislation that deals with privacy and the use of personal information. Keeping up to date with your location’s legislation is pivotal in your efforts to keep your patients’ information safe while keeping them informed of the information they need. As always, if you want guidance on your marketing efforts, or just want to speak to the experts, contact us here.