Jane Guide.

Here's all the help you need to use Jane.


PIPEDA and Other Privacy Laws in Canada

Most practitioners have heard of Canada’s federal regulation on the privacy of health records: the Personal Information Protection and Electronic Documents Act (PIPEDA). This is the federal legislation for private-sector organizations that sets the rules for how businesses must handle personal information. In addition to the federal law, there are different laws that apply in each province, such as PIPA, PHIPA, PHIA, and FIPPA. The ways that federal and provincial laws relate to one another determine exactly what your clinic is responsible for when it comes to health record privacy.

In many cases, provincial privacy laws take precedence in matters involving health records, but it’s important to understand the relationship between federal PIPEDA and provincial law in your specific province. In some provinces, local law is applied first, and any gaps in provincial law fall back to the federal PIPEDA. In other provinces, PIPEDA always applies when health records are at stake, either because there is no provincial law regarding health records or because provincial law is not as stringent as the federal PIPEDA. In more complex situations, both federal and provincial laws sometimes apply to different components of a single issue.

You can see this gets complicated fast, and the laws you need to comply with will be highly dependent on which province you practice in. To begin deciding what is best for your individual clinic, you should first be aware of the laws that apply to you and your clinic.

In this Guide document we get you started off right by making clear:

  • Which federal privacy laws apply in Canada and

  • Which additional privacy laws apply within each province.

This information is not a legal interpretation of the law and is not binding on the Office of the Privacy Commissioner of Canada. This information is not intended to, nor should it ever, replace formal legal counsel.

Federal Law in Canada

If you are located in Canada, your clinic or practice will ultimately be subject to Canadian privacy laws. There are two primary privacy laws in Canada:

1. The Privacy Act

  • This law applies to federal/governmental practices.

2. The Personal Information Protection and Electronic Documents Act (PIPEDA)

  • PIPEDA applies to private-sector practices, including all commercial activity for businesses and most allied health clinics.

Provincial Law in Canada

In addition to these federal laws there are many provincial laws. What’s interesting about the provincial laws is that some of them present several ways to be compliant with PIPEDA, even if you aren’t referencing the federal law directly. This is because provincial laws sometimes meet or exceed the federal PIPEDA. Others require that you directly comply with PIPEDA. Let’s look a little more closely at how that works.

In each province, you’ll come across one or both of two different categories of privacy laws:

1. Laws that have been deemed “Substantially Similar” to PIPEDA.

  • These provincial laws are essentially used, in their respective province, in place of the federal PIPEDA.

2. Laws that have NOT been deemed “Substantially Similar” to PIPEDA.

  • These laws are applied locally in most cases, but in general, federal PIPEDA will legally take precedence in any litigation or court proceeding that reveals a gap in the law.

In all cases, it should be noted that the presence of provincial legislation that has privacy-related provisions does not necessarily mean that PIPEDA does not apply.

Let’s break this down province-by-province:

Which Provinces Have Laws “Substantially Similar” to PIPEDA?

There are 7 provinces with laws that are “Substantially Similar” to PIPEDA:

  1. British Columbia

  2. Ontario

  3. Nova Scotia

  4. New Brunswick

  5. Newfoundland & Labrador

  6. Alberta

  7. Québec

In these provinces, clinics and practitioners may choose to follow provincial law regarding allied health records. Scroll down to see the specifics in your province.

Pro Tip: Ontario’s PHIPA does not legally apply anywhere outside of Ontario, but generally speaking, it is a more stringent application of privacy law regarding electronic health records than has been laid out in the other provinces. PHIPA has also been legally deemed “Substantially Similar” to PIPEDA. Thus, clinics that practice in any of the other Canadian provinces sometimes choose to build their privacy and health record security policies and standards based on Ontario’s PHIPA. Doing this is never a substitute for ensuring you are absolutely in compliance with your regulating college bylaws as well as your provincial laws and ultimately Canadian PIPEDA. In practice, however, clinics following Ontario’s PHIPA in relation to their health records will, in most cases, be adhering to a sufficient (sometimes more stringent) set of requirements and thus should be in compliance with all local regulations. If you are uncertain, we always recommend seeking legal counsel.

British Columbia

The laws in BC are:

PIPA BC Personal Information Protection Act - for the private sector, including allied health clinics. This is the law that is deemed “substantially similar” to PIPEDA and thus used in place of national law.

For more information on how your clinic can actually comply with BC law, read our Guide doc: Privacy: Compliance for Clinics in British Columbia

E-Health BC Personal Health Information Access and Protection of Privacy Act – BC’s privacy law for health records, meant to apply specifically and only to government health databases. This law has not been deemed “substantially similar” to PIPEDA, thus the only law in BC which allied health records should fall under is PIPA BC. In practice, however, many associations and allied health organizations are increasingly beginning to follow requirements outlined in this law, particularly the requirement for Canadian allied health records to ONLY be stored on databases within Canada.

If practicing in government or the public sector:

FIPPA BC Freedom of Information and Protection of Privacy Act - for public-sector practices in government, law enforcement, etc.

Ontario

There are a number of privacy laws that apply in Ontario depending on the type of business and nature of the information in question. Most allied health practices will follow:

PHIPA Personal Health Information Protection Act – Ontario’s provincial law specifically for health records. It has legally been deemed “Substantially Similar” to PIPEDA, and this is the law allied health clinics in Ontario will need to follow.

If practicing in government or the public sector:

FIPPA Freedom of Information and Protection of Privacy Act – applies to the public sector only (government, public works, etc.).

MFIPPA Municipal Freedom of Information and Protection of Privacy Act - for municipal government only.

Nova Scotia

Most clinics will follow:

PHIA Personal Health Information Act - Nova Scotia’s law regarding health records that has been deemed “Substantially Similar” to PIPEDA.

If practicing in government or the public sector:

FIPPA Freedom of Information and Protection of Privacy Act - public sector privacy laws.

Municipal Government Act Part XX of the Municipal Government Act - privacy laws for municipal government.

PIIDPA Personal Information International Disclosure Protection Act - privacy laws for public records and court files.

New Brunswick

PHIPAA Personal Health Information and Access Act - privacy law for health records that is “Substantially Similar” to PIPEDA.

If practicing in government or the public sector:

RIPPA Right to Information and Protection of Privacy Act – public sector.

Newfoundland & Labrador

PHIA & Pharmacy Network Regulations Personal Health Information Act and Pharmacy Network Regulations - health records law deemed “Substantially Similar” to PIPEDA.

If practicing in government or the public sector:

AIPPA Access to Information and Protection of Privacy Act – public sector.

Alberta

Most clinics will follow:

PIPA Personal Information Protection Act – deemed “Substantially Similar” to PIPEDA.

For health records, Alberta also has:

HIA Health Information Act – privacy law relating to health records, but this law has NOT been deemed “substantially similar” to PIPEDA. If there are any gaps, clinics would ultimately be responsible to PIPA AB and PIPEDA.

If practicing in government or the public sector:

FOIP Freedom of Information and Protection of Privacy Act – public sector laws.

Québec

APPIPS Act Respecting the Protection of Personal Information in the Private Sector – private sector law deemed “Substantially Similar” to federal law.

If practicing in government, the public sector or social services:

Public Documents Act Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information – public sector.

AAHIA An Act to Amend the Act respecting health services and social services and other laws – Québec’s health records law, not substantially similar to PIPEDA.

Which provinces must follow PIPEDA?

There are 5 provinces where NO part of provincial privacy law is deemed “substantially similar” to PIPEDA.

  1. Northwest Territories
  2. Nunavut
  3. PEI
  4. Saskatchewan
  5. Yukon

Northwest Territories, Saskatchewan and Yukon have each enacted legislation regarding the privacy of health records, but because that legislation has not been deemed “Substantially Similar” to PIPEDA, the provincial laws do not replace PIPEDA. In many cases, both provincial law and PIPEDA will apply at the same time (concurrently). In PEI and Nunavut, no specialized legislation has been passed for the private or health sector, and privacy compliance must follow PIPEDA.

Northwest Territories

Organizations in the Northwest Territories are subject to PIPEDA.

HIA Health Information Act - for health records, but not deemed substantially similar to PIPEDA.

If practicing in the public sector or government:

ATIPP Access to Information and Protection of Privacy Act – public sector.

Nunavut

Organizations in Nunavut are subject to PIPEDA.

The Information and Privacy Commissioner of Nunavut uses AIPPA for public sector and applies PIPEDA for all provincial private sector privacy issues.

PEI

PEI has no direct law relating to public health records, and all clinics need to comply with PIPEDA.

FOIPP Freedom of Information and Protection of Privacy Act – public sector privacy law.

Saskatchewan

HIPA Health Information Protection Act – health records law, not substantially similar to PIPEDA.

If practicing in the public sector or government:

FIPPA Freedom of Information and Protection of Privacy Act – public sector only.

Yukon

Organizations in Yukon are subject to PIPEDA.

Yukon also has:

HIPMA Health Information Privacy and Management Act – for health records, but not substantially similar to PIPEDA.

If practicing in the public sector or government:

ATIPP Access to Information and Protection of Privacy Act – public sector.