Once a custodian becomes aware of the theft, breach, or unauthorized access, the custodian must notify affected individuals.
How Does PHIPA Differ from HIPAA?
PHIPA differs from HIPAA in several respects, imposing a number of requirements that HIPAA does not.
HIPAA Breach Notification Requirements vs. PHIPA Breach Notification Requirements
Under HIPAA, covered entities are required to report breaches of unsecured protected health information. A covered entity’s breach notification obligations differ based on whether the breach affects 500 or more individuals, or fewer than 500 individuals.
If a breach of unsecured protected health information affects 500 or more individuals, that breach is considered a “meaningful breach” under HIPAA, and must be reported within 60 calendar days of its discovery, to the following:
- The Secretary of Health and Human Services.
- Individuals affected by the breach.
- Prominent media outlets in the states and jurisdictions where the breach victims reside.
If a breach of unsecured protected health information affects fewer than 500 individuals, the breach is considered to be a “non-meaningful” breach under HIPAA. In the event of a non-meaningful breach, the covered entity may notify the Secretary no later than 60 days after the end of the calendar year in which the breach is discovered.
Under PHIPA, the requirements for reporting a breach are more stringent. A health information custodian must notify the Information and Privacy Commissioner whenever (among other circumstances):
- The HIC has reasonable grounds to believe that personal health information (PHI) was used or disclosed without authority by a person who knew or ought to have known that they were using or disclosing the information without authority.
- The HIC has reasonable grounds to believe that, after an initial loss or unauthorized use or disclosure of PHI in the HIC’s custody or control, the PHI was or will be further used or disclosed without authority.
- The loss or unauthorized use or disclosure of PHI is part of a pattern of similar losses or unauthorized uses or disclosures of PHI in the custody or control of the HIC.
- The HIC is required to give notice to a regulated health professional’s governing body or College, in accordance with PHIPA, as it relates to the loss or unauthorized use or disclosure of PHI.
MSP vs. Information Technology Service Provider Education Requirements
Under HIPAA, entities that manage a company’s IT infrastructure and data services are called Managed Service Providers (MSPs). Under PHIPA, managed service providers are called “information technology service providers.” PHIPA requires that information technology service providers to health information custodians make certain information publicly available. This includes information about the services provided to the custodian; any directives, guidelines and policies of the provider that apply to its services; and a general description of the safeguards that the information technology service provider has implemented. HIPAA does not impose a similar requirement on MSPs.
Need Help with HIPAA Compliance?
Canadian healthcare organizations doing business in America must be compliant with PHIPA as well as HIPAA. Compliancy Group simplifies your compliance, allowing you to confidently focus on your business. Our cloud-based compliance software, the Guard™, can be accessed from any internet-connected device, anywhere. In addition, the Guard stores all that you need to prove your “good faith effort” towards HIPAA compliance in one convenient location. Find out more about how Compliancy Group can help you with your HIPAA compliance needs!