Canadian Healthcare and U.S. Cloud Services: Is HIPAA Compliance Good Enough for Canadian Health Data?

Many Canadian healthcare organizations are asking questions about using U.S.-based cloud service providers to manage services such as email and databases. Cloud service providers in the U.S. and public organizations in Canada often ask whether compliance with the Health Insurance Portability and Accountability Act (HIPAA), or with Federal Trade Commission (FTC) recommendations, is relevant in evaluating compliance with Canadian privacy laws. In other words, does legal compliance translate, in full or in part, from the U.S. to Canada?

Among Canadian organizations, public healthcare providers have particularly complex information technology needs. They store large volumes of personal data that need to be easily accessible, yet also protected by strong privacy safeguards. They need private and secure means for communication and data sharing. In addition, they often de-identify or anonymize data for use in research and system planning. Cloud services appear to be a promising option to meet some of these needs. They offer to eliminate the expense of maintaining secure servers, and deliver easy but secure data access and improved features. Cloud services are also typically more interoperable than local systems. It seems a cost-effective and convenient solution.

Numerous Canadian healthcare organizations are, in fact, choosing to make use of cloud services to manage email, databases, and other systems. This is a decision that needs to be examined carefully from the perspective of privacy and security. Most cloud service providers are based in the U.S. It can be difficult to assess whether these companies are in compliance with Canadian privacy laws and standards. Organizations often ask whether compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA), or with Federal Trade Commission (FTC) recommendations, is relevant in evaluating compliance with Canadian privacy laws. In other words, does legal compliance translate, in full or in part, from one jurisdiction to another?

HIPAA vs. PHIPA

Both in Canada and in the U.S., healthcare is recognized as a sector that requires specific privacy legislation. In the U.S., healthcare privacy is regulated by the Health Insurance Portability and Accountability Act (HIPAA). In Canada, most provinces have dedicated healthcare privacy legislation.

Does HIPAA compliance have any relevance to Canadian healthcare organizations? It is difficult to compare HIPAA with Canadian healthcare privacy laws such as Ontario’s Personal Health Information Protection Act (PHIPA) and Alberta’s Health Information Act (HIA) because they are written in different language. Canadian privacy laws generally focus on objectives rather than methods, and use general terms: for example, Ontario’s PHIPA states that Health Information Custodians (HICs) must take “reasonable steps” to protect personal health information against theft, loss, and unauthorized use and disclosure, as well as unauthorized copying, modification, or disposal. HIPAA, on the other hand, describes specific required physical and electronic safeguards for health information, such as facility access controls, workstation security, electronic information access control and authentication, and transmission security.

HIPAA compliance does indicate alignment with certain industry standards for privacy and security, but HIPAA differs from Canadian healthcare privacy laws on a number of specific points. For example, Ontario’s PHIPA has several requirements that are not included in HIPAA:

1. Information technology service providers to HICs must “notify the custodian of any breach of the restrictions on its use and disclosure of personal health information or unauthorized access.”

This means that email or cloud storage providers serving healthcare organizations in Ontario are obligated to notify them of any security breaches or other instances of unauthorized access or disclosure. HIPAA does not require IT service providers to notify healthcare clients of breaches. While a notification requirement could be included in a contract with an American service provider, many U.S. service providers are reluctant to agree to notify their clients of breaches because of fears of liability and loss of reputation.

2. Information technology service providers to HICS must “make available to the public, information about the services provided to the custodian; any directives, guidelines and policies of the provider that apply to the services provided; and a general description of the safeguards that have been implemented.”

IT service providers to Ontario healthcare organizations should provide a plain language description to be published online and in print about the services they will be providing, the privacy and security directives, guidelines, and policies to which they have agreed, and the information safeguards they employ.

3. Information technology service providers to HICs must agree to comply with PHIPA.

This point is problematic when it comes to large U.S.-based IT service providers. It is doubtful whether American companies would agree to assess and monitor compliance with Canadian laws. The possibility of having to maintain compliance with multiple sets of laws from different jurisdictions is a liability which many companies are not willing to take on.

The U.S. National Security Caveat

The state of privacy in the U.S. cannot be understood apart from its national security legislation. Many Canadians hold privacy concerns about U.S. national security agencies’ broad access to data held by major internet companies. The USA PATRIOT Act and the U.S. National Security Agency’s PRISM project are frequently cited as privacy violations. It is often noted that this legislation permits more extensive surveillance of foreign citizens than of U.S. citizens. Yet the U.S. Cybersecurity Information Sharing Act (CISA), passed in 2015, may be even more problematic. CISA’s stated goal is to develop procedures for the federal government to share classified and declassified information on cybersecurity threats with private companies, lower levels of government, and the public. In practice, this could legally justify the existence of a catch-all database recording internet traffic, accessible to multiple levels of government and corporations. Several privacy provisions included in the draft bill were removed shortly before the bill was passed.

It is largely because of concerns about surveillance that two Canadian provinces, British Columbia and Nova Scotia, have passed laws prohibiting public bodies, such healthcare and educational institutions, from storing personal information outside of Canada. While other provinces do not explicitly prohibit this practice, it is clear that from a privacy perspective it is not ideal for Canadians’ personal information to be managed by U.S. companies.

The current reality is that U.S.-based cloud service providers are generally not in compliance with Canadian legal requirements and have no plans to achieve compliance. Canadian organizations considering using American cloud services should carefully consider how to ensure legal compliance and enforce contracts. If Canadian organizations choose to utilize U.S.-based service providers, they will need to retain enough power and control to monitor legal compliance and effect changes needed to bring systems into alignment with Canadian laws.

How to Protect Canadian Health Data

For healthcare organizations in provinces that permit the use of U.S.-based cloud services, contractual and technical safeguards can mitigate some of the privacy risks.

1. Sign a Business Associate Agreement

The HIPAA Privacy Rule recognizes that most healthcare providers employ third party service providers, including information service providers. HIPAA allows healthcare providers to disclose protected health information to these “business associates” if the providers “obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.”[1] These assurances are to be documented in a contract or agreement, commonly known as a Business Associate Agreement (BAA). Business associates that have signed a BAA are directly liable under HIPAA rules.

The U.S. Department of Health and Human Services website lists requirements for a BAA, and offers a list of sample provisions. Ki Design’s experts in international privacy law can help your organization to draft a specialized BAA to protect Canadian health information managed by U.S.-based cloud service providers.

2. Segregate data assets and support

Whether your organization chooses to procure cloud application services (software as a service – SaaS), cloud platform services (PaaS), or cloud infrastructure services (IaaS), personal health data need to be segregated from other cloud customers’ data at all three levels: application, platform, and infrastructure. Healthcare organizations should also choose cloud service providers with support services located in Canada or the U.S., and support technicians’ access to health data should be segregated.

3. Choose database-level encryption

When healthcare organizations employ cloud services, it is essential that health data be encrypted at the database level, before data leave the source computer. Database-level encryption tools may be built into the original database, or may function as a separate engine, producing an encrypted version of the database.

Using cloud services, and especially cloud services based in another country, to manage personal health data brings certain technical and legal risks. However, legal agreements and strong technical safeguards can mitigate some of the most significant risks. Contact Ki Design for a consultation on how your organization can use cloud services safely.

[1] http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/

Our Privacy Impact Assessment Approach

Privacy Impact Assessments (PIAs) are a key tool for demonstrating compliance with privacy laws. We outline our approach to basic institutional PIAs, as well as PIAs for multi-institutional or multi-jurisdictional data initiatives.

The KI Design approach to a single institutional privacy impact assessment falls in line with the provincial and federal requirements in Ontario and Alberta. The basic purpose of a PIA is to assess the impact of the collection, use, and disclosure of personal information on privacy and to justify this impact. Our approach begins with an analysis guided by the four-part test for necessity and proportionality established in R. v. Oakes (based on the Office of the Privacy Commissioner of Canada guideline):

  1. Is the measure demonstrably necessary to meet a specific need?
  2. Is it likely to be effective in meeting that need?
  3. Is the loss of privacy proportional to the need?
  4. Is there a less privacy-invasive way of achieving the same end?

In addition to answering the above questions, we help to collect documentation to demonstrate compliance with the ten principles that form the core of PIPEDA:

Accountability – Governance structure, PIA protocols, auditing, training, legal consultation

Identifying Purposes – Purposes of data collection, legislative authority for collection, description of data collected

Consent – Notification process or exceptions to consent

Limiting Collection – Justification for each data element collected, and indication that data taken from other departments are purged of all but essential data elements

Limiting Use, Disclosure, and Retention – Use cases, proposed disclosures, data sharing agreements, retention and disposition policies

Accuracy – Processes for correcting data and monitoring changes to records

Safeguards – Physical and electronic safeguards, Threat Risk Analysis, encryption practices, access policies

Openness – Public communications regarding privacy practices

Individual Access – Processes for individual access to or correction of personal information

Challenging Compliance – Privacy complaint procedures, compliance audits

Once privacy risks have been identified and mitigating measures proposed, we help to develop an Action Plan that provides a timeline and assigns responsibilities for the implementation of these measures. We will also help to set up processes for ongoing updates of assessments, auditing and monitoring compliance with privacy policies, and retention and disposition of data.

Multi-Jurisdictional Privacy Impact Assessments

An increase in information sharing initiatives, such as Electronic Health Records (EHR), has led to a growing need for multi-institutional and multi-jurisdictional PIAs. Guidelines from the Office of the Privacy Commissioner recommend that such PIAs include a clear business case for information sharing, a common communications strategy to inform the public of information sharing, and a set of expected privacy practices shared by all institutions participating in the data sharing initiative.

Our unique approach builds on these basic requirements to define a clear, seven-step process that we use both to guide our clients as they develop privacy policy prior to EHR adoption, and to conduct PIAs in an EHR context.

  1. Purpose: We begin by defining the reasons for which health information custodians collect, use, retain and disclose personal health information.
  2. Custodianship: A key next step to ensuring privacy protective information sharing is the definition of a custodianship model. In the context of an EHR initiative, a steward will be designated to review and revise policies, processes, and procedures and to ensure the proper operation of shared records.
  3. Liability: In order to establish liability, we help to define the roles, responsibilities, and accountabilities of EHR participants. We define different EHR participants’ right and ability to manage (collect, retain, disclose, and correct) personal health information.
  4. Data Management: We define policies for management of data quality, records management, assurance of accuracy, retention and archiving, and secondary use of data.
  5. Controls: We define policies for the application of legislative requirements, including management of information safeguards, compliance auditing, identity validation and management, implementation of consent rules, breach management, and proactive and reactive monitoring of technology assets. Controls also include frameworks such as provider agreements, patient disclaimers, and mandatory and discretionary requirements that define the roles of EHR participants.
  6. Process: We apply privacy policy to workflows and interactions throughout care delivery processes, including service model, delivery model, management of consent, reporting procedures, circle of care management, and incident management.
  7. Adoption: In this final step we develop instruments for the implementation of privacy policy during the adoption and ongoing development of EHR, such as provider agreements, patient disclaimers, mandatory and discretionary requirements, and system feedback.