Canadian and American Legislation Regulating Private Sector Organizations
Health data privacy is a crucial topic in today’s digital age. It involves protecting sensitive health information from unauthorized access, use and disclosure. Why should this be shielded against unapproved access? Health data privacy is essential for safeguarding personal security, patient trust, legal and ethical obligations, prevention of discrimination, public health and medical research. Protecting health data is not just a matter of compliance; it is also about respecting individuals’ rights and freedom, and ensuring they feel safe and unharmed while sharing their health information.
Management of Medical Data for Compliance with Laws
Summarized below are some principles for managing medical data in compliance with these laws:
- Encrypt data at rest and in transit;
- Apply data residency obligations (in Canada and in the province);
- Implement strong access control;
- Collect and store only the required medical data;
- Conduct regular employee training;
- Monitor systems and access diligently;
- Use techniques such as data anonymization, data masking and tokenization;
- Enforce a strict policy for data transfer.
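As an added illustration of the minimization, masking and tokenization principles listed above (example code written for this overview, not taken from any statute or regulator cited here), the following Python applies a purpose-bound field allow-list, partial masking and keyed tokenization to a constructed health record. The field names, purposes, record contents and secret key are all assumptions.

```python
"""Data minimization, masking and tokenization applied to a constructed
health record. Everything below (fields, purposes, key) is illustrative."""
import hashlib
import hmac
import json
import re

# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "patient_name": "Jane Example",
    "health_card_number": "1234-567-890-AB",
    "date_of_birth": "1980-04-12",
    "email": "jane.example@example.test",
    "diagnosis_codes": ["E11.9", "I10"],
    "medication": "metformin 500 mg",
    "genetic_test_result": "BRCA1 negative",
    "insurance_claims": [{"claim_id": "C-001", "amount": 120.50}],
    "marketing_preferences": "newsletter",
}

# Minimization: each purpose gets an explicit allow-list; any field not on
# the list for that purpose is dropped before storage or transfer.
PURPOSE_FIELDS = {
    "treatment": {"patient_name", "health_card_number", "date_of_birth",
                  "diagnosis_codes", "medication", "genetic_test_result"},
    "billing": {"patient_name", "health_card_number", "insurance_claims"},
    "research": {"date_of_birth", "diagnosis_codes", "medication"},
}

# Constructed health-card format used to detect raw identifiers leaking out.
RAW_CARD_RE = re.compile(r"\b\d{4}-\d{3}-\d{3}-[A-Z]{2}\b")


def minimize(record, purpose):
    """Keep only the fields allowed for the stated purpose."""
    allowed = PURPOSE_FIELDS[purpose]
    return {k: v for k, v in record.items() if k in allowed}


def mask_health_card(number, visible=2):
    """Masking: replace all but the last `visible` alphanumerics with '*',
    keeping separators so staff can still visually confirm the card."""
    chars = list(number)
    positions = [i for i, c in enumerate(chars) if c.isalnum()]
    for i in positions[:len(positions) - visible]:
        chars[i] = "*"
    return "".join(chars)


class TokenVault:
    """Tokenization: the token is an HMAC-SHA256 of the value under a secret
    key, so it is deterministic (records stay linkable) but not reversible
    from the token alone. The token-to-value map lives only in the vault,
    which would be stored and access-controlled separately from the data."""

    def __init__(self):
        self._store = {}

    def tokenize(self, value, key):
        digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
        token = "tok_" + digest[:32]
        self._store[token] = value
        return token

    def detokenize(self, token):
        """Authorized re-identification; raises KeyError for unknown tokens."""
        return self._store[token]


def prepare_record(record, purpose, key, vault):
    """Minimize, then mask or tokenize the identifier according to purpose."""
    out = minimize(record, purpose)
    if "health_card_number" in out:
        if purpose == "billing":
            # Billing only needs to confirm the card, so a masked value suffices.
            out["health_card_number"] = mask_health_card(out["health_card_number"])
        else:
            # Treatment systems need a linkable reference without the raw number.
            out["health_card_number"] = vault.tokenize(out["health_card_number"], key)
    if purpose == "research" and "date_of_birth" in out:
        out["date_of_birth"] = out["date_of_birth"][:4]  # generalize to year only
    return out


def contains_raw_health_card(record):
    """Check run before transfer: does any field still hold a raw card number?"""
    return RAW_CARD_RE.search(json.dumps(record)) is not None


if __name__ == "__main__":
    vault = TokenVault()
    key = b"example-key-kept-in-a-secrets-manager"
    for purpose in PURPOSE_FIELDS:
        prepared = prepare_record(SAMPLE_RECORD, purpose, key, vault)
        print(purpose, json.dumps(prepared), "raw card leaked:",
              contains_raw_health_card(prepared))
```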
Some Basic Components of Health Data
Health data [1] comprises any information related to a person’s physical or mental health, medical history, medical conditions, treatments, diagnostic tests, medications, and other health-related information. Examples include: medical records (documents that contain details about your medical history, diagnoses, treatment plans, laboratory test results and progress notes); genetic information (data about your genetic makeup, which can include information from genetic tests that may indicate susceptibility to certain diseases); lifestyle information (data about your daily habits and lifestyle choices, such as diet, exercise and smoking patterns, which can impact your health); health insurance records (details about your health insurance coverage, insurance claims history and billing information). Protecting this information is crucial because it contains highly sensitive details that can affect a person’s privacy and security if misused.
[1] Joseph C. Segen, MD. McGraw-Hill Concise Dictionary of Modern Medicine. Paperback 1st Edition published on the 17th of November 2006 by McGraw-Hill Professional Publishing, Two Penn Plaza, New York, USA, 765 pages. https://openlibrary.org/books/OL18513143M/Concise_dictionary_of_modern_medicine
The Advent of Health Care Digitalization
Health care digitalization [1], also known as health care digital transformation, refers to the integration of digital technologies into healthcare systems and services. The advent of this digital shift aims to improve the efficiency, accessibility, and quality of health care. Summarized below are significant characteristics of health care digitalization:
- Electronic Health Records (EHRs): Digitalizing patient records allows for easier access, sharing, and management of medical information, leading to better coordination of health care.
- Telemedicine: Remote consultations and treatments enable patients to receive care from the comfort of their homes, increasing accessibility and convenience.
- Wearable Devices: Devices like fitness trackers and smartwatches monitor health metrics in real-time, providing valuable data for preventive care and personalized treatment plans.
- Artificial Intelligence (AI): AI algorithms can analyze vast amounts of medical data to assist in diagnosis, treatment planning, and predicting patient outcomes and prognosis.
- Big Data Analytics: Analyzing large datasets helps identify trends, improve patient outcomes, and optimize healthcare operations.
- Mobile Health Apps: Apps provide patients with tools for managing their health, tracking medications, and accessing health information.
Digitalization in health care has the potential to make healthcare systems more efficient, sustainable, and inclusive. Nevertheless, such a digital transition in the medical field also raises concerns about health data privacy and security which must be addressed to ensure patient trust and compliance with regulations. In terms of health data confidentiality, what are the Canadian and American legislative frameworks regulating organizations within the private sector? In the form of an overview, our January 2025 Newsletter has been written to answer this question. N.B.: with reference to the American legislative framework, this newsletter focusses on the national (federal) level and it does not cover legislation enacted distinctively by the 50 American States.
[1] Ian P. McLoughlin, Karin Garrety & Rob Wilson. The Digitalization of Health Care: Electronic Records and the Disruption of Moral Orders. Hardcover 1st Edition published on the 2nd of April 2017 by Oxford University Press, Oxford, UK, 212 pages. https://global.oup.com/academic/product/the-digitalization-of-health-care-9780198744139?qn
Canadian Legislative Framework: Health Data Privacy for Private Sector Organizations
The following table briefly delineates important laws enacted across the 10 provinces and 3 territories of Canada:
Canadian Legislative Framework Regulating Health Data Privacy for Private Sector Organizations
Health Records Management Across Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)

| Provinces & Territories in Alphabetical Order | Designations of Laws in Force across Canada |
|---|---|
| Alberta | Health Information Act (HIA AB) & Personal Information Protection Act (PIPA AB) |
| British Columbia | Freedom of Information and Protection of Privacy Act (FIPPA BC); Personal Information Protection Act (PIPA BC); E-Health Act: Personal Health Information Access and Protection of Privacy Act (PHIAPPA BC) |
| Manitoba | Personal Health Information Act (PHIA MAN) |
| New Brunswick | Personal Health Information Privacy and Access Act (PHIPAA NB) |
| Newfoundland and Labrador | Personal Health Information Act (PHIA NL) |
| Nova Scotia | Personal Health Information Act (PHIA NS); Personal Information International Disclosure Protection Act (PIIDPA NS) |
| Northwest Territories | Health Information Act (HIA NWT) |
| Nunavut | Access to Information and Protection of Privacy Act (ATIPPA NU) |
| Ontario | Personal Health Information Protection Act (PHIPA ON) |
| Prince Edward Island | Health Information Act (HIA PEI) |
| Québec | Bill 3 – An Act respecting health and social services information and amending various legislative provisions |
| Saskatchewan | Health Information Protection Act (HIPA SK) |
| Yukon | Health Information Privacy and Management Act (HIPMA YN) |
Brief Dissection of Canadian Legislation Related to Health Data Privacy
ALBERTA
The Health Information Act (HIA) [1] of Alberta is legislation that governs the collection, use, disclosure, and access to health information in the province. Here are some major points about this Act:
- Access to Information: It provides individuals with the right to access their own health information and request corrections if needed.
- Privacy and Confidentiality: The Act ensures the privacy and confidentiality of health information.
- Electronic Health Records: It regulates information accessible through Alberta’s Electronic Health Record (Alberta Netcare).
- Custodians and Affiliates: The Act applies to custodians such as hospitals, nursing homes, physicians, pharmacists, and other health service providers. It also covers affiliates like employees, volunteers, and contractors working for these custodians.
BRITISH COLUMBIA
The Personal Health Information Access and Protection of Privacy Act [2] (often referred to as the E-Health Act) of British Columbia is a law that oversees the compilation, usage, divulgence, and protection of personal health information across the province. Some substantial elements are encapsulated hereafter:
- Access to Information: The Act gives individuals the right to retrieve their own health information and request rectifications if necessary.
- Privacy and Confidentiality: It guarantees the privacy and confidentiality of personal health information.
- Health Information Banks: It establishes and regulates health information banks, which are responsible for managing personal health information.
- Disclosure Directives: Individuals can make disclosure directives to control how their personal health information is shared.
- Data Stewardship Committee: The Act establishes a Data Stewardship Committee to oversee the management and protection of personal health information.
- Whistle-blower Protection: It includes legal provisions to protect individuals who report violations of the Act.
MANITOBA
The Personal Health Information Act (PHIA) [3] of Manitoba is legislation that administers the assembling, use, release, and safeguard of personal health information throughout the province. Main sections of the Act are:
- Access to Information: It provides individuals with the right to access their own personal health information and ask for adjustments when required.
- Privacy and Confidentiality: It warrants the privacy and confidentiality of personal health information.
- Health Information Banks: It establishes and regulates health information banks, which are responsible for managing personal health information.
- Disclosure Directives: Individuals can make disclosure directives to control how their personal health information is shared.
- Data Stewardship Committee: The Act establishes a Data Stewardship Committee to oversee the management and protection of personal health information.
- Whistle-blower Protection: It includes legal provisions to protect individuals who report violations of the Act.
NEW BRUNSWICK
The Personal Health Information Privacy and Access Act (PHIPAA NB) [4] of New Brunswick is legislation that controls the pooling, utilization, reporting, and security of personal health information within the province. Some parts of the Act are summarized as follows:
- Access to Information: It provides individuals with the right to access their own personal health information that has been collected, used, or disclosed by a “custodian” (e.g., doctors, dentists, pharmacists).
- Privacy and Confidentiality: The Act ensures the privacy and confidentiality of personal health information.
- Custodians: Custodians are responsible for handling personal health information and must follow specific rules regarding its collection, use, disclosure, retention, and secure destruction.
- Fees: Custodians can charge a fee for providing access to personal health information.
- Complaints: Individuals can file a complaint with the Access to Information and Privacy Commissioner if they feel their rights have not been respected.
NEWFOUNDLAND AND LABRADOR
The Personal Health Information Act (PHIA NL) [5] of Newfoundland and Labrador is legislation that regulates the compilation, use, disclosure, and protection of personal health information throughout the province. This Act comprises, among others, the following legal provisions:
- Access to Information: It provides individuals with the right to access their own personal health information and request corrections if needed.
- Privacy and Confidentiality: It guarantees the privacy and confidentiality of personal health information.
- Custodians: Custodians, such as health care professionals (e.g., physicians, pharmacists, nurses), health authorities, and certain government departments, are responsible for handling personal health information and must follow specific rules regarding its collection, use, disclosure, retention, and secure destruction.
- Disclosure: The Act outlines circumstances under which personal health information can be disclosed without consent, such as for health care purposes, health research, and legal requirements.
- Complaints: Individuals can file a complaint with the Information and Privacy Commissioner if they feel their rights have not been respected.
NOVA SCOTIA
The Personal Health Information Act (PHIA NS) [6] of Nova Scotia is legislation that governs the collection, use, disclosure, retention, disposal, and destruction of personal health information across the province. Legal characteristics of this Act:
- Access to Information: It provides individuals with the right to access their own personal health information and request rectifications if necessary.
- Privacy and Confidentiality: It warrants the privacy and confidentiality of personal health information.
- Custodians: Custodians, such as health care professionals and health authorities, are responsible for handling personal health information and must follow specific rules regarding its collection, use, disclosure, retention, and secure destruction.
- Disclosure: The Act outlines circumstances under which personal health information can be disclosed without consent, such as for health care purposes, health research, and legal requirements.
- Complaints: Individuals can file a complaint with the Information and Privacy Commissioner if they feel their rights have not been respected.
NORTHWEST TERRITORIES
The Health Information Act (HIA) [7] of the Northwest Territories is legislation that oversees the collection, use, disclosure, and protection of health information throughout the territory. Legal stipulations of this Act cover:
- Access to Information: It provides individuals with the right to access their own health information and ask for adjustments when required.
- Privacy and Confidentiality: The Act protects the privacy and confidentiality of health information.
- Custodians: Custodians, such as health care professionals and health authorities, are responsible for handling health information and must follow specific rules regarding its collection, use, disclosure, retention, and secure destruction.
- Disclosure: The Act outlines circumstances under which health information can be disclosed without consent, such as for health care purposes, health research, and legal requirements.
- Compliance: Custodians must comply with standards, policies, and procedures set out in the Act to ensure the protection of health information.
NUNAVUT
The Personal Information Protection and Electronic Documents Act (PIPEDA) [8], which applies in Nunavut, is a federal law in Canada that administers the collection, use, and disclosure of personal information by private-sector organizations in the course of commercial activities. The PIPEDA applies to organizations engaged in business operations across Canada, with the exception of provinces that have enacted substantially similar legislation. The PIPEDA is designed to balance the need for organizations to collect and use personal information for legitimate purposes with the privacy rights of individuals. The law is administered and enforced by the Office of the Privacy Commissioner of Canada. Organizations found in violation of the PIPEDA may face penalties and corrective measures to ensure compliance.
While the PIPEDA applies across Canada, including Nunavut, it sets out rules to ensure that personal information is handled responsibly and in a manner that respects privacy. Hereafter are some key features of the PIPEDA:
- Fair Information Principles: The PIPEDA is based on 10 principles organizations must follow to protect personal information, namely: accountability, identifying purposes, consent, limiting collection, limiting use, disclosure and retention, accuracy, safeguards, openness, individual access, and challenging compliance.
- Application: It applies to private sector organizations that collect, use, or disclose personal information in the course of their commercial activities.
- Provincial Laws: Some provinces, such as Alberta, British Columbia, and Quebec, have their own privacy laws that are deemed substantially similar to the PIPEDA. Organizations in these provinces are generally exempted from the PIPEDA for business activities within the province.
- Electronic Documents: The PIPEDA also includes legal provisions related to the use of electronic documents and electronic signatures.
The 10 Personal Information Privacy Principles Demarcated in the PIPEDA
- Accountability: Organizations are responsible for the personal information under their control and must designate individuals accountable for their compliance with the principles of the PIPEDA.
- Identifying Purposes: The purposes for which personal information is collected must be identified by the organization at or before the time of collection.
- Consent: Individuals must be informed of the purposes for the collection, use and disclosure of their personal information and must provide their consent for such actions.
- Limiting Collection: The collection of personal information must be limited to what is necessary for the identified purposes. Information must be collected by fair and lawful means.
- Limiting Use, Disclosure and Retention: Personal information should not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. The information should be retained only as long as necessary for the fulfillment of those purposes.
- Accuracy: Personal information must be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
- Safeguards: Organizations must take appropriate measures to safeguard personal information against unauthorized access, disclosure, copying, use, and modification.
- Openness: Organizations must be open about their policies and practices regarding the management of personal information.
- Individual Access: Upon request, individuals must be informed of the existence, use, and disclosure of their personal information and be given access to it. They also have the right to challenge the accuracy and completeness of the information and have it amended as appropriate.
- Challenging Compliance: Individuals have the right to challenge an organization’s compliance with the above principles. They can address any concerns about an organization’s privacy practices to the designated individual accountable for the organization’s compliance.
ONTARIO
The Personal Health Information Protection Act (PHIPA) [9] of Ontario is legislation that controls the compilation, use, disclosure, and safeguard of personal health information throughout the province. Condensed hereunder are some highlights about the Act:
- Access to Information: It provides individuals with the right to access their own personal health information and request corrections if needed.
- Privacy and Confidentiality: The Act ensures the privacy and confidentiality of personal health information.
- Health Information Custodians: Custodians, such as health care practitioners, hospitals, and other health service providers, are responsible for handling personal health information and must follow specific rules regarding its collection, use, disclosure, retention, and secure destruction.
- Consent: The PHIPA requires health information custodians to obtain consent from individuals before collecting, using, or disclosing their personal health information, except in certain circumstances.
- Complaints: Individuals can file a complaint with the Information and Privacy Commissioner of Ontario if they feel their rights have not been respected.
PRINCE EDWARD ISLAND
The Health Information Act (HIA) [10] of Prince Edward Island is legislation that regulates the assembling, usage, release, and protection of health information across the province. Legal obligations stipulated in the Act:
- Access to Information: It provides individuals with the right to access their own health information and request rectifications if needed.
- Privacy and Confidentiality: The Act guarantees the privacy and confidentiality of health information.
- Custodians: Custodians, such as health care providers and health care facilities, are responsible for handling health information and must follow specific rules regarding its collection, use, disclosure, retention, and secure destruction.
- Disclosure: The Act outlines circumstances under which health information can be disclosed without consent, such as for health care purposes, health research, and legal requirements.
- Compliance: Custodians must comply with standards, policies, and procedures set out in the Act to ensure the protection of health information.
QUÉBEC
The Québec Bill 3 – An Act respecting health and social services information and amending various legislative provisions [11] is legislation that establishes a legal framework for health and social services information in Quebec. This Act entrenches the following lawful provisions:
- Purpose: The Act aims to warrant the protection of health and social services information while enabling its optimal use. It excludes the sale or any other form of alienation of the information and ensures its timely communication.
- Scope: The Act applies to every health and social services body that holds such information.
- Information Use: It introduces rules to govern the collection and use of health and social services information, including cases where the information may be used without the consent of the person concerned for purposes other than those for which it was collected.
- Privacy: The Act sets out principles to ensure that the use and communication of health and social services information are done in a way that minimizes the risk of identifying the person concerned.
- Access and Rectification: It establishes the right of individuals to access their health and social services information and request corrections if needed.
- Third-Party Access: Rules are introduced regarding access to health and social services information by third parties, such as professionals offering health services and researchers.
Law 25 – The Privacy Law of Québec
The Québec Law 25 is officially entitled An Act to modernize legislative provisions as regards the protection of personal information [12]. It was officially enacted on September 22, 2021. Its primary goal is to modernize the province’s privacy laws and strengthen the protection of personal information for Québec companies. Some fundamental clauses of Law 25 are summarized as follows:
- Strengthened Privacy Rights: Enhances individuals’ rights to access, rectify, and withdraw consent for the use of their personal information.
- Data Protection Officer (DPO): Requires organizations to appoint a DPO responsible for ensuring compliance with privacy laws.
- Privacy Impact Assessments (PIAs): Mandates PIAs for projects involving the collection, use, or communication of personal information.
- Breach Notification: Requires organizations to notify the Quebec Commission d’accès à l’information (CAI) and affected individuals in case of a data breach.
- Administrative Monetary Penalties (AMPs): Introduces penalties for non-compliance of up to CAD$10 million or 2% of the organization’s worldwide turnover.
Impact on Businesses:
- Organizations must update their privacy policies, conduct risk assessments, and ensure robust data security measures.
- Failure to comply can result in significant fines and reputational damage.
The Québec Law 25 represents a noteworthy shift towards stronger data protection in Québec, aligning with broader trends in privacy legislation globally.
SASKATCHEWAN
The Health Information Protection Act (HIPA) [13] of Saskatchewan is legislation that governs the collection, use, disclosure, and protection of personal health information throughout the province. Elemental sections of the Act:
- Access to Information: It provides individuals with the right to access their own personal health information and ask for adjustments if necessary.
- Privacy and Confidentiality: It guarantees the privacy and confidentiality of personal health information.
- Custodians: Custodians, such as health care providers and health authorities, are responsible for handling personal health information and must follow specific rules regarding its collection, use, disclosure, retention, and secure destruction.
- Disclosure: The Act outlines circumstances under which personal health information can be disclosed without consent, such as for health care purposes, health research, and legal requirements.
- Compliance: Custodians must comply with standards, policies, and procedures set out in the Act to ensure the protection of health information.
YUKON
The Health Information Privacy and Management Act (HIPMA) [14] of the Yukon is a law that oversees the pooling, utilization, divulgence, and security of health information in the territory. Some key points about the Act:
- Purpose: The Act aims to improve the quality and accessibility of health care in Yukon by facilitating the management of personal health information and enabling the establishment of an electronic health information network.
- Access to Information: It provides individuals with the right to access their own health information and request corrections if needed.
- Privacy and Confidentiality: The Act ensures the privacy and confidentiality of health information.
- Custodians: Custodians, such as health care providers and health authorities, are responsible for handling health information and must follow specific rules regarding its collection, use, disclosure, retention, and secure destruction.
- Disclosure: The Act outlines circumstances under which health information can be disclosed without consent, such as for health care purposes, health research, and legal requirements.
- Compliance: Custodians must comply with standards, policies, and procedures set out in the Act to ensure the protection of health information.
[1] Government of Alberta – Office of the Information and Privacy Commissioner of Alberta. Government Legislation Directorate. Health Information Act (HIA AB). https://oipc.ab.ca/legislation/hia/?form=MG0AV3
[2] Government of British Columbia – British Columbia Laws. E-Health Act: Personal Health Information Access and Protection of Privacy Act (PHIAPPA BC). https://www.bclaws.gov.bc.ca/civix/document/id/complete/statreg/00_08038_01?form=MG0AV3
[3] Government of Manitoba – Ministry of Health of Manitoba. The Personal Health Information Act (PHIA MAN). https://www.gov.mb.ca/health/phia/resources.html?form=MG0AV3
[4] Government of New Brunswick – Department of Health. Personal Health Information Privacy and Access Act (PHIPAA NB). https://www2.gnb.ca/content/gnb/en/services/services_renderer.201227.Access_to_Personal_Health_Information.html?form=MG0AV3
[5] Government of Newfoundland and Labrador – Health and Community Services. Personal Health Information Act (PHIA NL). https://www.gov.nl.ca/hcs/phia/?form=MG0AV3
[6] Government of Nova Scotia – Department of Health and Wellness. Personal Health Information Act (PHIA NS). https://novascotia.ca/DHW/PHIA/?form=MG0AV3
[7] Government of the Northwest Territories – Department of Justice. Health Information Act (HIA NWT). https://www.justice.gov.nt.ca/en/files/legislation/health-information/health-information.a.pdf
[8] Office of the Privacy Commissioner of Canada – Privacy Law in Canada. The Personal Information Protection and Electronic Documents Act (PIPEDA). https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_brief/?form=MG0AV3
[9] Government of Ontario – Laws and Statutes of Ontario. Personal Health Information Protection Act (PHIPA ON). https://www.ontario.ca/laws/statute/04p03
[10] Government of Prince Edward Island – Legislative Counsel Office. Health Information Act (HIA PEI). https://www.princeedwardisland.ca/sites/default/files/legislation/h-01-41-health_information_act.pdf?form=MG0AV3
[11] Government of Québec – National Assembly of Québec. Bill 3 – An Act respecting health and social services information and amending various legislative provisions. https://www.publicationsduquebec.gouv.qc.ca/fileadmin/Fichiers_client/lois_et_reglements/LoisAnnuelles/en/2023/2023C5A.PDF?form=MG0AV3
[12] Government of Québec – National Assembly of Québec. Bill 64 – Law 25: An Act to modernize legislative provisions as regards the protection of personal information. https://www.publicationsduquebec.gouv.qc.ca/fileadmin/Fichiers_client/lois_et_reglements/LoisAnnuelles/en/2021/2021C25A.PDF
[13] Government of Saskatchewan – Office of the Saskatchewan Information and Privacy Commissioner. The Health Information Protection Act (HIPA SK). https://oipc.sk.ca/legislation-main/hipa/?form=MG0AV3
[14] Government of the Yukon – Consolidation of the Statutes of Yukon. Health Information Privacy and Management Act (HIPMA YN). https://www.canlii.org/en/yk/laws/stat/sy-2013-c-16/latest/sy-2013-c-16.html
Synopsis and Concise Analysis of the HIPAA: American Legislation Concerning Health Data Privacy
The Health Insurance Portability and Accountability Act (HIPAA) [1,2] is a complex and technical law enacted across the United States of America in 2024. The HIPAA primarily aims to:
- Protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
- Ensure that individuals can maintain their health insurance coverage when they change or lose jobs.
- Establish standards for the electronic exchange, privacy, and security of health information.
The HIPAA encompasses an extensive range of rules and regulations including:
- Privacy Rule: Protects the privacy of individually identifiable health information.
- Security Rule: Sets standards for the security of electronic protected health information.
- Breach Notification Rule: Requires covered entities and business associates to provide notification following a breach of unsecured protected health information.
Judicious compliance with the HIPAA is essential for healthcare providers, insurers and any U.S. or foreign entity handling Protected Health Information (PHI). The HIPAA is quite a complex and technical legislation, but it fundamentally ensures that patients’ medical information stays confidential and secure.
Some Distinctive Components of the American HIPAA
- Privacy Rule:
  - Objective: Protect the privacy of individuals’ health information.
  - Scope: Applies to health plans, healthcare clearinghouses, and healthcare providers.
  - Requirements: Limits the use and disclosure of Protected Health Information (PHI) without the consent of patients.
- Security Rule:
  - Objective: Ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI).
  - Scope: Pertains to ePHI that is created, received, used, or maintained by covered entities.
  - Requirements: Includes administrative, physical, and technical safeguards to protect ePHI.
- Breach Notification Rule:
  - Objective: Mandate the notification of individuals, the U.S. Department of Health and Human Services (HHS), and, in some cases, the media when a breach of unsecured PHI occurs.
  - Scope: Applies to covered entities and their business associates.
  - Requirements: Specific guidelines on the timing, content, and manner of notifications.
- Enforcement Rule:
  - Objective: Establish procedures for investigations and the imposition of penalties for HIPAA violations.
  - Scope: Applies to covered entities and business associates.
  - Requirements: Includes provisions for compliance reviews, complaint investigations, and civil money penalties.
- Omnibus Rule:
  - Objective: Implement and expand the provisions of the HIPAA.
  - Scope: Strengthens privacy and security protections for PHI.
  - Requirements: Extends requirements to business associates and enhances patient rights.
Abridged Dissection of the American HIPAA
For the purposes of our general overview, here is an abridged dissection of the US HIPAA law:
- Impact on Healthcare: HIPAA has significantly changed how healthcare organizations handle patient information by creating a national framework for maintaining the privacy and security of health information.
- Challenges: Organizations face compliance challenges such as adapting to evolving regulations and ensuring that all workforce members are trained on HIPAA requirements.
- Benefits: Patients have greater control over their personal health information, which fosters trust in healthcare providers.
- Technological Integration: With the growth of Electronic Health Records (EHRs), the safeguards of the HIPAA Security Rule are decisive in protecting patient data from cyber threats such as ransomware attacks.
Taken as a whole, HIPAA plays a vital role in safeguarding patient information and ensuring that healthcare providers maintain high standards of privacy, monitoring, vigilance and security.
HIPAA Significant Future Developments
With reference to the USA [3], the future of health information privacy is poised to see significant developments, some of which are abridged hereafter:
- Proposed Updates to the HIPAA Security Rule: The U.S. Department of Health and Human Services (HHS) is expected to propose updates to the HIPAA Security Rule that could substantially change the security obligations of HIPAA-regulated entities (HHS announced a notice of proposed rulemaking at the end of December 2024 and published it in the Federal Register in January 2025).
- State Laws Regulating Health-Related Information: More states are likely to pass laws regulating consumer health data; for example, Washington, D.C., and Michigan have introduced bills to protect health and reproductive health data.
- Court Challenges to the HIPAA Privacy Rule: Legal challenges concerning reproductive health care information (the 2024 amendments to the Privacy Rule) are ongoing, with significant filings expected in early 2025.
- State Genetic Privacy Developments: More states are expected to propose bills regulating the use of consumers' genetic information.
- FTC Scrutiny: The Federal Trade Commission (FTC) is likely to continue scrutinizing the use and disclosure of health information by digital health companies, especially for advertising purposes.
[1] U.S. Department of Health and Human Services (HHS). 2024 HIPAA Accomplishments Wrap-Up (HHS blog post, 7 January 2025). https://www.hhs.gov/blog/2025/01/07/2024-hipaa-accomplishments-wrap-up.html
[2] U.S. Department of Health and Human Services (HHS) – U.S. Office for Civil Rights. Health Information Privacy in Compliance with the HIPAA. https://www.hhs.gov/hipaa/index.html
[3] Libbie Canter and Elizabeth Brim. Health Privacy Developments to Watch in 2025: Updates on Developments in Data Privacy and Cybersecurity. Inside Privacy. Publication date: the 12th of December 2024. https://www.insideprivacy.com/health-privacy/health-privacy-developments-to-watch-in-2025/?form=MG0AV3
Conclusion
How will health data privacy potentially evolve in Canada? The future of health data privacy in Canada [1] looks promising, with a number of strategic developments on the horizon, shortened as follows:
- Enhanced Digital Health Systems: There is a strong push towards modernizing health care information systems to improve access to electronic health records. This includes initiatives to allow patients to access their health information online, which can lead to better patient experiences and more efficient care.
- Patient-Centric Care: Canadians are increasingly demanding a healthcare system that is interconnected and patient-centred. This means that health information should flow seamlessly from one healthcare provider to another, empowering patients to take a more active role in managing their health.
- Privacy Protections: Health Canada is committed to improving privacy protections under the Access to Information Act and the Privacy Act, including efforts to enhance transparency, manage privacy breaches and ensure that personal health information is shared securely among healthcare providers. At the federal level, Bill C-27 [2], the Digital Charter Implementation Act, 2022, was a proposed law aimed at strengthening private-sector privacy protections and regulating artificial intelligence (AI). The bill bundled three components: the Consumer Privacy Protection Act (which would have replaced Part 1 of PIPEDA), the Artificial Intelligence and Data Act, and the Personal Information and Data Protection Tribunal Act. However, with the prorogation of the Parliament of Canada on the 6th of January 2025 until the 24th of March 2025, Bill C-27 died on the Order Paper, meaning it will not proceed further in its current form and would have to be reintroduced in a new session.
- Technological Innovations: The adoption of innovative technologies, such as e-prescriptions and digital health solutions, is expected to continue growing. These technologies not only improve convenience for patients but also reduce administrative burdens on healthcare providers.
[1] Government of Canada – Department of Health Canada. Health Canada Annual Report on the Access to Information Act and the Privacy Act: 2023 to 2024. https://www.canada.ca/en/health-canada/corporate/about-health-canada/reports-publications/access-information-privacy/2023-2024-annual-report-access-information-privacy-act.html?form=MG0AV3
[2] Government of Canada – Innovation, Science and Economic Development Canada. Bill C-27 Summary: Digital Charter Implementation Act, 2022. https://ised-isde.canada.ca/site/innovation-better-canada/en/canadas-digital-charter/bill-summary-digital-charter-implementation-act-2020
Resources and References
Joseph C. Segen, MD, FCAP. McGraw-Hill Concise Dictionary of Modern Medicine. Paperback 1st Edition published on the 17th of November 2006 by McGraw-Hill Professional Publishing, Two Penn Plaza, New York, USA, 765 pages. https://openlibrary.org/books/OL18513143M/Concise_dictionary_of_modern_medicine
Ian P. McLoughlin, Karin Garrety & Rob Wilson. The Digitalization of Health Care: Electronic Records and the Disruption of Moral Orders. Hardcover 1st Edition published on the 2nd of April 2017 by Oxford University Press, Great Clarendon Street, Oxford, United Kingdom (UK), 212 pages. https://global.oup.com/academic/product/the-digitalization-of-health-care-9780198744139?qn
Government of Alberta – Office of the Information and Privacy Commissioner of Alberta. Government Legislation Directorate. Health Information Act (HIA AB). https://oipc.ab.ca/legislation/hia/?form=MG0AV3
Government of British Columbia – British Columbia Laws. E-Health Act: Personal Health Information Access and Protection of Privacy Act (PHIAPPA BC). https://www.bclaws.gov.bc.ca/civix/document/id/complete/statreg/00_08038_01?form=MG0AV3
Government of Manitoba – Ministry of Health of Manitoba. The Personal Health Information Act (PHIA MAN). https://www.gov.mb.ca/health/phia/resources.html?form=MG0AV3
Government of New Brunswick – Department of Health. Personal Health Information Privacy and Access Act (PHIPAA NB). https://www2.gnb.ca/content/gnb/en/services/services_renderer.201227.Access_to_Personal_Health_Information.html?form=MG0AV3
Government of Newfoundland and Labrador – Health and Community Services. Personal Health Information Act (PHIA NL). https://www.gov.nl.ca/hcs/phia/?form=MG0AV3
Government of Nova Scotia – Department of Health and Wellness. Personal Health Information Act (PHIA NS). https://novascotia.ca/DHW/PHIA/?form=MG0AV3
Government of the Northwest Territories – Department of Justice. Health Information Act (HIA NWT) https://www.justice.gov.nt.ca/en/files/legislation/health-information/health-information.a.pdf
Office of the Privacy Commissioner of Canada – Privacy Law in Canada. The Personal Information Protection and Electronic Documents Act (PIPEDA). https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_brief/?form=MG0AV3
Government of Ontario – Laws and Statutes of Ontario. Personal Health Information Protection Act (PHIPA ON). https://www.ontario.ca/laws/statute/04p03
Government of Prince Edward Island – Legislative Counsel Office. Health Information Act (HIA PEI). https://www.princeedwardisland.ca/sites/default/files/legislation/h-01-41-health_information_act.pdf?form=MG0AV3
Government of Québec – National Assembly of Québec. Bill 3 – An Act respecting health and social services information and amending various legislative provisions. https://www.publicationsduquebec.gouv.qc.ca/fileadmin/Fichiers_client/lois_et_reglements/LoisAnnuelles/en/2023/2023C5A.PDF?form=MG0AV3
Government of Québec – National Assembly of Québec. Bill 64 – Law 25: An Act to modernize legislative provisions as regards the protection of personal information. https://www.publicationsduquebec.gouv.qc.ca/fileadmin/Fichiers_client/lois_et_reglements/LoisAnnuelles/en/2021/2021C25A.PDF
Government of Saskatchewan – Office of the Saskatchewan Information and Privacy Commissioner. The Health Information Protection Act (HIPA SK). https://oipc.sk.ca/legislation-main/hipa/?form=MG0AV3
Government of the Yukon – Consolidation of the Laws and Statutes of Yukon. Health Information Privacy and Management Act (HIPMA YN). https://www.canlii.org/en/yk/laws/stat/sy-2013-c-16/latest/sy-2013-c-16.html
U.S. Congress. Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (authenticated text via the U.S. Government Publishing Office (GPO)). https://www.congress.gov/104/plaws/publ191/PLAW-104publ191.pdf
U.S. Department of Health and Human Services (HHS) – U.S. Office for Civil Rights. Health Information Privacy in Compliance with the HIPAA. https://www.hhs.gov/hipaa/index.html
U.S. Department of Health and Human Services (HHS). 2024 HIPAA Accomplishments Wrap-Up (HHS blog post, 7 January 2025). https://www.hhs.gov/blog/2025/01/07/2024-hipaa-accomplishments-wrap-up.html
Government of Canada – Department of Health Canada. Health Canada Annual Report on the Access to Information Act and the Privacy Act: 2023 to 2024. https://www.canada.ca/en/health-canada/corporate/about-health-canada/reports-publications/access-information-privacy/2023-2024-annual-report-access-information-privacy-act.html?form=MG0AV3
Government of Canada – Innovation, Science and Economic Development Canada. Bill C-27 Summary: Digital Charter Implementation Act, 2022. https://ised-isde.canada.ca/site/innovation-better-canada/en/canadas-digital-charter/bill-summary-digital-charter-implementation-act-2020
Libbie Canter and Elizabeth Brim. Health Privacy Developments to Watch in 2025: Updates on Developments in Data Privacy and Cybersecurity. Inside Privacy. Publication date: the 12th of December 2024. https://www.insideprivacy.com/health-privacy/health-privacy-developments-to-watch-in-2025/?form=MG0AV3
Contributions
Special thanks for the financial support of the National Research Council Canada and its Industrial Research Assistance Program (IRAP).
Executive Editor: Alan Bernardi, SSCP, PMP, Lead Auditor for ISO 27001 and ISO 27701
Author, Computer Scientist & Certified Professional Translator:
Ravi Jay Gunnoo (C.P.T. ISO 17100)
B.Sc. Computer Science, McGill University
B.Sc. & M.A. Professional Translation, University of Montreal