On this blog, you often read about HIPAA and what Hushmail services do to help healthcare practices support their compliance. This is because the majority of our customers are located in the US, and HIPAA is the legislation that most determines their decisions about security and privacy.
However, HIPAA isn’t the only law that affects practitioners in the US. It's also important to consider that our customers in Canada and the European Union have their own laws they must follow. With customers in multiple jurisdictions, it isn’t just HIPAA we’re thinking about when we develop our encrypted services. We also make sure we comply with the EU’s GDPR, Canada’s PIPEDA and provincial privacy laws, and California’s CCPA, among others.
Complying with these laws helps us deliver services that are the best when it comes to protecting your clients’ and patients’ data. During this time of global uncertainty, when much of our lives is moving online, adhering to these regulatory requirements and helping our customers do the same is more important than ever.
Hushmail complies with multiple laws. Here is a list of some of the most notable. If you’re concerned with a law that isn’t on this list, ask us about it.
General Data Protection Regulation (GDPR)
The GDPR lays out in clear terms rules about what personal data (not just health data) is and how it can be used. In doing so, it places the right to personal data protection in the same category as freedom of expression and the right to a fair trial. The GDPR is enforced in all EU member states. However, even if you aren’t an EU citizen, if you conduct business with EU clients, your organization must be compliant.
The GDPR can be broken down into three key concepts:
- Consent and control. Under the GDPR, an individual has a basic right to control over their personal data and is required to give consent by clear affirmative action to any entity wishing to collect their data and to any use of their data. The individual is also entitled to withdraw their consent as easily as it was given.
- Transparency. In case of a security breach when data may have been compromised, the regulators and individuals whose information may have been compromised must be notified and provided full disclosure.
- Granting of individual rights. Under the GDPR, individuals are given comprehensive rights to access, correct, port, erase, and object to the processing and storage of their data.
You can read more about the GDPR in our blog post: Understanding the importance of the GDPR and its impact on privacy.
Health Insurance Portability and Accountability Act (HIPAA)
Most of us are familiar with HIPAA, the federal legislation that sets forth the rules determining how healthcare practitioners in the US handle protected health information (PHI). These three rules are of primary concern for healthcare practitioners:
- The HIPAA Security Rule requires healthcare practices to have certain administrative, physical, and technical safeguards in place to protect PHI from leaks, breaches, cybercrimes, and other web vulnerabilities.
- The HIPAA Privacy Rule requires secure communication of PHI
- The HIPAA Breach Notification Rule ensures that those who are affected by a breach are informed so they can take steps to protect themselves.
Covered entities in the US are required to obtain a signed Business Associate Agreement (BAA) from vendors that handle their clients’ data. A BAA is a signed document that affirms a third-party service provider's willingness to comply with the HIPAA requirements when they handle PHI on the practitioner’s behalf.
You can read more about HIPAA in our blog post: Giving thanks for HIPAA.
California Consumer Privacy Act (CCPA)
The CCPA went into effect Jan. 1, 2020, with enforcement beginning this July. Similar to the GDPR, the CCPA gives California residents clearly defined rights when it comes to their personal data. These rights can be broken down into a few categories:
- Ownership. Individuals know what type of personal data is collected, when the data is collected, where it’s stored, and how it’s used – for what purpose and by whom.
- Control. Individuals are able to review, change, delete, and opt out of the sale of their personal data at any time.
- Non-discrimination. Individuals have the right to exercise their privacy rights without fear of discrimination in the form of changes to the terms of price or service.
The CCPA is likely a precursor to future data protection legislation in the US. You can read more about CCPA in our blog post: California's new privacy legislation - what you need to know about the CCPA.
Other US legislation
Hushmail complies with numerous other US laws that can affect healthcare practitioners. Some of these are the CFR42 Part 2 Confidentiality of Substance Use Disorder Patient Records; the confidentiality provisions of the Violence Against Women Act, the Family Violence Prevention and Services Act, and the Victims of Crime Act; and the Family Educational Rights and Privacy Act (FERPA), but there are many others. If you have questions about a law or regulation and want to know if our services are in compliance, please contact us.
Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA generally regulates the collection, use, and disclosure of personal information in the course of a commercial activity and across borders and also applies within provinces without substantially similar legislation.
Under PIPEDA, businesses, including healthcare organizations, must abide by 10 fair information principles:
- Identifying purposes
- Limiting collection
- Limiting use, disclosure, and retention
- Individual access
- Challenging compliance
You can read the law in its entirety here: Personal Information Protection and Electronic Documents Act
Provincial privacy legislation
PIPEDA does not apply in certain situations where a province has a privacy law that’s substantially similar. You can read about these exceptions to PIPEDA here.
Hushmail complies with PIPEDA as well as the various provincial laws, including those that have been determined to be substantially similar to PIPEDA
For example, just as US customers will receive a signed Business Associate Agreement (BAA) with their Hushmail for Healthcare account as required by HIPAA, customers conducting business in Alberta will receive a signed Information Management Agreement (IMA) as required by Alberta’s Health Information Act (HIA). Customers in the other nine provinces, however, receive a BAA.
Although some of these laws have been relaxed during the COVID-19 pandemic, we are steadfastly maintaining our compliance so our customers can too.
We maintain the conviction that securing our customer’s personal data, including their protected health information (PHI), is important, no matter what’s going on in the world. When you sign up for a Hushmail account, including a Hushmail for Healthcare account, you can be assured that our services meet the requirements of the laws and regulations listed above.
If you have questions about laws that aren’t mentioned here, please ask us about them.
Need an email and web forms service that’s compliant?