Privacy and Security

Medini ensures your clients' and patients' information is closely protected and abides by the policies in place for HIPAA, PHIPA and PIPEDA.

Compliance

PIPEDA

  • Scope:

    • Applies to private-sector organizations across Canada that collect, use, or disclose personal information in the course of commercial activities.

    • Also applies to employee information of federally regulated businesses.

  • Ten Fair Information Principles:

    • Accountability: Organizations are responsible for personal information under their control and must designate an individual to ensure compliance.

    • Identifying Purposes: The purposes for collecting personal information must be identified by the organization at or before the time of collection.

    • Consent: The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

    • Limiting Collection: The collection of personal information must be limited to that which is necessary for the purposes identified by the organization.

    • Limiting Use, Disclosure, and Retention: Personal information must not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.

    • Accuracy: Personal information must be as accurate, complete, and up-to-date as necessary for the purposes for which it is to be used.

    • Safeguards: Personal information must be protected by security safeguards appropriate to the sensitivity of the information.

    • Openness: Organizations must make readily available to individuals specific information about their policies and practices relating to the management of personal information.

    • Individual Access: Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information.

    • Challenging Compliance: An individual can challenge an organization's compliance with the above principles to the designated individual accountable for the organization's compliance.

  • Provincial Privacy Laws:

    • Alberta, British Columbia, and Quebec have their own private-sector privacy laws deemed substantially similar to PIPEDA.

    • In provinces with such laws, PIPEDA applies to federally regulated organizations and to personal information in interprovincial or international transactions.

  • Cross-Border Information:

    • PIPEDA applies to personal information that crosses provincial or national borders in the course of commercial activities.

For comprehensive guidance on PIPEDA compliance, visit the Office of the Privacy Commissioner of Canada's website.

PHIPA

  1. What PHIPA Protects:

    • PHIPA applies to personal health information (PHI), including any data related to physical/mental health, healthcare services provided, payments, health numbers, and health history.

    • PHI must be collected, used, and disclosed only for legitimate healthcare purposes with proper consent.

  2. Consent Framework:

    • Consent Types: Implied for routine healthcare and express for non-healthcare purposes or third-party disclosures.

    • Knowledgeable Consent: Individuals must know the purpose of data use and that they can withhold or withdraw consent.

  3. Custodians and Agents:

    • Custodians: Include healthcare providers, hospitals, long-term care homes, and others responsible for PHI.

    • Agents: Employees or contractors acting on behalf of custodians must comply with PHIPA.

  4. Collection, Use, and Disclosure:

    • Only collect the minimum necessary PHI for the purpose.

    • Disclosure without consent is limited to specific cases, such as emergencies or legal obligations.

  5. Access and Correction:

    • Individuals have the right to access and request corrections to their PHI.

    • Custodians must respond to access requests within 30 days and may refuse access only under specific conditions, such as legal privilege or risk of harm.

  6. Security and Safeguards:

    • Implement administrative, technical, and physical safeguards to prevent theft, loss, or unauthorized access to PHI.

    • Notify individuals of any breaches affecting their PHI.

  7. Breach and Enforcement:

    • Violations may result in fines: up to $50,000 for individuals and $250,000 for organizations.

    • The Information and Privacy Commissioner (IPC) oversees compliance and investigates complaints.

  8. Transparency and Accountability:

    • Custodians must designate a privacy officer and publish information practices for PHI management.

    • Individuals must be informed of how to access their PHI, request corrections, or lodge complaints.

  9. Data Retention and Disposal:

    • PHI must be retained securely and only as long as necessary for the purpose.

    • Secure disposal is required when PHI is no longer needed.

  10. Exceptions and Special Cases:

    • Disclosure without consent is allowed in cases like public health emergencies, legal investigations, or preventing serious bodily harm.

    • Health information network providers have additional obligations, such as breach reporting and conducting privacy impact assessments.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a U.S. federal law designed to protect the privacy and security of individuals' medical information while allowing the flow of health information necessary for high-quality healthcare.

  1. Privacy Rule:

    • Protects individuals' medical records and other personal health information (PHI).

    • Applies to covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates.

    • Requires safeguards to ensure the confidentiality of PHI and sets limits on its use and disclosure without patient consent.

    • Grants patients rights over their PHI, including the right to access and request corrections.

  2. Security Rule:

    • Focuses on electronic protected health information (ePHI).

    • Requires covered entities and business associates to implement administrative, physical, and technical safeguards to ensure ePHI confidentiality, integrity, and security.

    • Examples of safeguards:

      • Administrative: Security training, risk analysis, incident response plans.

      • Physical: Access controls to facilities, workstation security.

      • Technical: Encryption, secure user authentication, access control.

  3. Breach Notification Rule:

    • Requires covered entities to notify individuals, the U.S. Department of Health and Human Services (HHS), and sometimes the media of breaches of unsecured PHI.

    • Business associates must notify the covered entity of any breach.

    • Breaches affecting more than 500 individuals require immediate reporting to HHS.

  4. Enforcement Rule:

    • Establishes procedures for investigating HIPAA violations and sets penalties for non-compliance.

    • Penalties range from $100 to $50,000 per violation, with an annual maximum of $1.5 million, depending on the level of negligence.

  5. Omnibus Rule:

    • Strengthens privacy and security protections.

    • Extends compliance obligations to business associates and subcontractors.

    • Introduces new requirements for PHI usage in marketing, fundraising, and research.

Who Must Comply with HIPAA?

  1. Covered Entities:

    • Healthcare providers (e.g., doctors, hospitals, clinics).

    • Health plans (e.g., insurance companies, Medicare).

    • Healthcare clearinghouses (e.g., entities processing health information).

  2. Business Associates:

    • Companies or individuals handling PHI on behalf of covered entities (e.g., billing companies, cloud storage providers).

  3. Subcontractors:

    • Entities that perform functions involving PHI for business associates.

Steps to Achieve HIPAA Compliance

  1. Risk Assessment:

    • Conduct regular risk analyses to identify vulnerabilities in handling PHI.

  2. Develop Policies and Procedures:

    • Establish clear guidelines for using, disclosing, and safeguarding PHI.

  3. Employee Training:

    • Train staff on HIPAA requirements and internal policies.

  4. Implement Safeguards:

    • Implement administrative, physical, and technical safeguards tailored to the organization's needs.

  5. Sign Business Associate Agreements (BAAs):

    • Ensure all business associates and subcontractors comply with HIPAA.

  6. Breach Management and Reporting:

    • Develop a plan for identifying, mitigating, and reporting breaches.

  7. Documentation and Audits:

    • Maintain records of compliance efforts and be prepared for HHS audits.

Common HIPAA Violations

  • Failing to encrypt ePHI or use secure communication methods.

  • Unauthorized access to PHI by employees.

  • Lack of a Business Associate Agreement with vendors.

  • Failure to notify HHS or affected individuals of a breach.

  • Insufficient access controls (e.g., shared passwords).

Why is HIPAA Compliance Important?

  • Patient Trust: Ensures the confidentiality of patient information.

  • Legal Obligation: Avoids costly fines and legal actions.

  • Reputation: Protects the organization’s credibility and integrity.

  • Operational Efficiency: Reduces risks associated with data breaches and non-compliance.

Compliance with HIPAA is an ongoing process requiring regular reviews, updates, and commitment to best practices.