Privacy Protection during Marketing

Privacy protection applies to all the interactions that therapists have with the public during the marketing phase.

Q: What is the difference between personal information and protected health information?

Personal Information (PI): Any recorded information about an identifiable individual, other than business contact information, is personal information. This includes your name, age, sex, race, religion, sexual orientation, disability, fingerprints or blood type; information about your health care, educational, financial, criminal or employment history; and both your own views or opinions and anyone else's opinions about you.
 
Protected Health Information or Personal Health Information (PHI): PHI is the subset of personal information that relates to a person's health or health care. It generally includes demographic information, medical histories, test and laboratory results, mental health conditions, insurance information, and other data that a healthcare professional collects to identify an individual and determine appropriate care. It is treated as sensitive, so it calls for stronger safeguards than ordinary PI.

Q: Is there a Canadian law that is like HIPAA in the US?

Personal Information Protection and Electronic Documents Act (PIPEDA): PIPEDA is Canada's federal private-sector privacy law. It governs how organizations collect, use and disclose personal information in the course of commercial activity, requires them to obtain meaningful consent for that collection, use or disclosure, and gives individuals a right to access the personal information an organization holds about them. It is closer to the European GDPR than to HIPAA because it applies to all personal information, not just health information.
 
As an online service provider in Canada, you are required to comply with PIPEDA (or with a provincial law that has been declared substantially similar to it; see below). When you obtain personal information about a potential client, for example through a website contact form or a booking request, you are expected to protect that information with three types of safeguards:
 
  • Administrative safeguards are the policies, procedures and staff training that govern who may collect, see or share PI, whether it is written, spoken or electronic, and that keep it from people who should not have access to it. For example, a consent form for the release of information is an administrative safeguard.
  • Physical safeguards like locked doors and employee badges prevent unauthorized people from being able to access workstations, paper files and electronic media.
  • Technical safeguards, like unique user IDs, strong passwords, access controls and data encryption, limit access to the data to authorized users and keep it unreadable to anyone else, both where it is stored and while it is in transit.
Several provinces also have their own privacy laws. Where a provincial law has been declared substantially similar to PIPEDA (for example the private-sector laws of British Columbia, Alberta and Quebec, and Ontario's PHIPA for health information custodians), that law applies instead of PIPEDA to activities within the province, and some provincial laws are more stringent than the federal law. Note that there is no federal law requiring Canadian service providers to keep their data on servers in Canada. PIPEDA does, however, hold you accountable for personal information you transfer to a third party for processing, including a provider outside Canada, so you must use contractual or other means to ensure it receives comparable protection, and you should tell clients that their information may be stored or processed outside Canada.

Q: How is HIPAA similar to PIPEDA?

Health Insurance Portability and Accountability Act (HIPAA): This US law applies specifically to health information held by covered entities (health plans, healthcare clearinghouses and healthcare providers that transmit standard transactions electronically) and their business associates. The purpose of HIPAA is to improve efficiency in the healthcare industry, to improve the portability of health insurance, to protect the privacy of patients and health plan members, to ensure health information is kept secure, and to ensure patients are notified of breaches of their health data. Standard code sets are used along with patient identifiers, which helps with the efficient transfer of healthcare data between healthcare organizations and insurers, streamlining eligibility checks, billing, payments, and other healthcare operations.
 
HIPAA and PIPEDA have similar requirements for privacy protection. HIPAA's Security Rule requires administrative, physical and technical safeguards; PIPEDA's Safeguards principle requires the corresponding organizational, physical and technological measures, with the strength of the safeguards proportionate to the sensitivity of the information.