HIPAA vs. PIPEDA – A Comparison
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a 2000 Canadian law that regulates the use, disclosure, and collection of consumer personal information by entities engaged in commerce. The Health Insurance Portability and Accountability Act (HIPAA) is a United States law regulating the use, access, and disclosure of what the law defines as “protected health information,” or PHI.
The laws are similar in that both were turn-of-the-century efforts by the Canadian and American governments to protect individuals’ data privacy. The similarities, though, more or less end there. A HIPAA vs. PIPEDA scorecard would note that the two laws are noticeably different regarding what information is regulated.
HIPAA vs. PIPEDA – What Information is Regulated?
A PIPEDA vs. HIPAA comparison of what each law regulates is revealing. PIPEDA governs the use, disclosure, and collection of what PIPEDA calls “personal information.” The term “personal information” is defined extremely broadly. PIPEDA personal information includes any factual or subjective information, recorded or not, about an identifiable individual (that is, a specific person).
This includes information in any form, such as:
- Age, name, ID numbers, income, ethnic origin, or blood type
- Opinions, evaluations, comments, social status, or disciplinary actions
- Employee files, credit records, loan records, medical records, the existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs)
HIPAA vs. PIPEDA: Personal Information vs. Protected Health Information
On the HIPAA vs. PIPEDA scorecard, PIPEDA easily wins the “which law regulates more information” contest. Under PIPEDA, personal information includes health-related information, just as HIPAA’s PHI does, but personal information also includes non-health-related information.
A HIPAA vs. PIPEDA comparison of what factual information is regulated is notable. PIPEDA regulates a fair amount of factual information, such as social status, disciplinary actions, employee files, and credit card disputes, that HIPAA does not. A PIPEDA vs. HIPAA comparison of what non-factual information is regulated by each reveals a wide imbalance.
While HIPAA regulates opinions, the regulated opinions are those made by doctors when rendering treatment and offering diagnoses. PIPEDA regulates a much wider variety of opinions. An individual’s views or opinions about an employee (e.g., performance appraisals, comments in internal investigation files, and complaints against employees in which an opinion about the employee is expressed) all qualify as personal information.
On the PIPEDA vs. HIPAA ledger, the HIPAA side of what information is regulated is considerably smaller. HIPAA regulates protected health information (PHI). PHI is information that “relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual,” and that is:
- Transmitted by electronic media
- Maintained in electronic media
- Transmitted or maintained in any other form or medium
PHI is information limited by subject – it is health or healthcare-related information. To qualify as PHI, a healthcare provider, health plan, healthcare clearinghouse, or business associate must create or receive the information.
In addition, to qualify as PHI, the information must contain at least one of the following 18 identifiers:
- Name
- Address (including subdivisions smaller than a state such as a street address, city, county, or zip code)
- Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89
- Telephone number
- Fax number
- Email address
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate/license number
- Vehicle identifiers, serial numbers, or license plate numbers
- Device identifiers or serial numbers
- Web URLs
- IP address
- Biometric identifiers such as fingerprints or voiceprints
- Full-face photos
- Any other unique identifying numbers, characteristics, or codes
HIPAA vs. PIPEDA: Fact vs. Opinion
Note that in the HIPAA vs. PIPEDA “What is Regulated” contest, it really isn’t even a contest. Personal information under PIPEDA includes a wide array of opinions. The opinions regulated by HIPAA are those in the forms of diagnoses, prognoses, and other subjective information about patient health or health condition. PHI does not include employment files. It does not include complaints about employees, or information revealed through the investigation of an employee.
HIPAA vs. PIPEDA: Content Follows Purpose
The lopsidedness of the HIPAA vs. PIPEDA information inventory exists for a reason. The two laws were developed with vastly different purposes in mind. PIPEDA was developed to promote consumer trust in electronic commerce.
The purpose of PIPEDA is stated in the law itself:
“The purpose of PIPEDA is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use, and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”
To facilitate this purpose, PIPEDA broadly defined “personal information” and declared that individuals were entitled to certain privacy rights with respect to how their information was exchanged, collected, and used.
HIPAA was created with a more modest purpose: to increase efficiency. Title II of HIPAA requires the U.S. Department of Health and Human Services (HHS) to increase the efficiency of the healthcare system by creating national standards for the use and dissemination of healthcare information. These standards are the Privacy Rule, the Security Rule, and the Breach Notification Rule. These rules contain privacy measures, but they were also designed to speed the transmission and sharing of healthcare information between and among the various players in the healthcare system, including patients, providers, and health plans.
The differences in the regulatory scope of PIPEDA vs. HIPAA can be traced to the rules each law developed to fulfill these purposes. PIPEDA vs. HIPAA distinctions also exist in terms of who is regulated, and as to how individuals can enforce their rights under each law. The main PIPEDA vs. HIPAA distinction, however, lies in exactly what information must be protected under each law.