In the US, all medical facilities, doctors, nurses, and other so-called "covered entities" as well as everyone who works directly or indirectly with those entities (so-called "business associates") have to comply with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule for handling protected health information (PHI). The purpose of the Security Rule is to avoid breaches of patient data, and non-compliance can result in stiff fines. The HIPAA Security Rule obliges health service providers to implement the following safeguards in their organizations:
- Technical safeguards that impose healthcare software standards
- Physical safeguards that cover physical access to ePHI
- Administrative safeguards, which entail organizational data protection measures
We cover all HIPAA requirements in greater detail in our article on how to become HIPAA-compliant. Maintaining compliance is critical, as non-compliance may lead to large penalties and harm a company’s reputation. For instance, in 2020, the Washington state-based health insurance company Premera Blue Cross paid $6.8 million for leaking ePHI of 10.4 million individuals.
Each country has its own legislation to ensure healthcare data privacy. In this post, we’ll compare HIPAA with health data security rules in Canada, the UK, Australia, the United Arab Emirates (UAE), the Kingdom of Saudi Arabia (KSA), and Qatar. If you want to enter these markets with your healthcare software, our article will be especially relevant for you. The table below shows commonalities and differences in healthcare data privacy requirements between these countries.
Now, we’ll discuss each country in detail. Let’s begin with health data standards in Canada.
PHI protections in Canada
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) regulates private sector entities that collect, use, or disclose personal information for commercial purposes. These entities might include physicians who work in private practices and get paid directly by their patients or are reimbursed by patients’ provincial health plans or employment insurance plans.
PIPEDA pertains not only to medical data but also to such personal information as age, name, ID numbers, income level, ethnicity, credit records, loan records, and social status. Fines for breaking PIPEDA can be up to CAD$100,000 (~US$82,500).
In our graphic below, we’ve outlined the core of PIPEDA’s 10 fair information principles.
In contrast to the HIPAA Privacy Rule, which applies to the whole US, PIPEDA does not apply to the provinces of Quebec, British Columbia, and Alberta. For example, private businesses in Quebec have to comply with the Quebec Act Respecting the Protection of Personal Information in the Private Sector (the Privacy Act 1993). Its principles and penalties are mostly in line with PIPEDA’s, though the Quebec Privacy Act applies to all private sector organizations, not only to those engaged in commercial activities.
That’s why, before expanding into Canada, you should take into account the provinces your business will operate in and their specific privacy laws. For instance, Ontario has additional legislation (apart from PIPEDA) called the Personal Health Information Protection Act (PHIPA) that covers only PHI. Penalties for non-compliance with PHIPA can be up to CAD$200,000 (~US$165,000) for individuals and up to CAD$1 million (~US$826,000) for healthcare organizations.
Similarly to HIPAA, PHIPA regulates health information custodians (HICs) and PHI agents. HICs are equivalent to HIPAA’s covered entities, and PHI agents are similar to HIPAA’s business associates. At its core, PHIPA is largely like HIPAA.
However, there are a few differences:
- PHIPA offers a more general overview of data security safeguards. It requires healthcare custodians to take reasonable steps to protect data privacy but doesn’t provide clear examples of these steps.
- PHIPA obliges IT service providers to notify custodians of all privacy breaches. It also requires IT service providers to supply (upon request) a record of all accesses to and transfers of PHI associated with the custodian.
Just like HIPAA, PIPEDA and the other privacy laws in Canada’s provinces don’t restrict which measures organizations take to secure patients’ data, as long as those measures protect the data lawfully and properly.
PHI requirements in the UK
In the UK, protecting health data is more complicated and demanding than in the US. Healthcare organizations must comply with many acts, complete assessments, and adhere to standards. The UK government has developed a wide range of in-depth guides and policies to ease these procedures for healthcare businesses.
The general law guiding data privacy in the UK is the Data Protection Act 2018. It includes overall requirements for the protection of personal information including health data. PHI is also regulated by the UK GDPR:
- Article 6 of the UK GDPR includes conditions organizations have to follow to handle sensitive data.
- Article 9 describes cases when organizations have a right to process sensitive data.
In the UK, the National Health Service (NHS) regulates not only how organizations handle PHI but also digital health products. Before launching in the UK market, all healthcare software solutions must:
- Be registered in the NHS Apps Library
- Successfully pass an NHS health app assessment
- Meet NHS digital, data, and technology standards
Check out this guide to good practice for digital and data-driven health technologies to learn how to comply with all of the above requirements and ensure a proper level of health data privacy.
If an organization breaks the law and causes a data breach, the Information Commissioner can impose fines of up to £17 million (~US$24 million) or four percent of global turnover (for the most serious data breaches).
PHI requirements in Australia
In Australia, the main law regulating data privacy is the Privacy Act 1988. The essence of this act lies in the 13 Australian Privacy Principles (APPs). Some APPs deal specifically with PHI. Australian and Norfolk Island government agencies and most private sector organizations (collectively referred to as APP entities) must follow these principles when they handle personal information. Penalties for data breaches can be up to AU$2.1 million (US$1.6 million).
Compared to HIPAA, the Privacy Act 1988 covers a broader spectrum of personal information and regulates more entities. APP entities include:
- Organizations such as individuals (sole traders), corporate bodies, and partnerships
- Agencies such as ministries, federal courts, and the Australian Federal Police
- Businesses with an annual turnover of AU$3 million or more
- All private health service providers including private hospitals, pharmacists, gyms and weight loss clinics, and childcare centers
In Australia, health service providers have to follow all steps described in the Office of the Australian Information Commissioner’s Guide to health privacy. These steps are:
Healthcare data security is taken particularly seriously in Australia. According to the Notifiable Data Breaches Report (July – December 2020), the healthcare domain reported the highest number of data breaches (23 percent of all data breaches in Australia) between July and December 2020. Plus, most of them (57 percent) occurred due to human error, while another 41 percent were due to malicious or criminal attacks.
According to a report on the psychology of human error at work, some of the most common causes of human error that lead to data breaches are:
- Falling for phishing emails. Such emails often look quite legitimate and seem to come from senior executives or respected brands.
- Sending emails to the wrong recipients. Distraction, stress, or fatigue in a fast-paced work environment are often the root cause of such errors.
PHI requirements in MENA countries
According to APCO’s MENA Tech Trends report, MENA’s digital healthcare market is rapidly expanding. Countries in the MENA region are accommodating more and more technologies such as IoT, AI, machine learning, and telemedicine.
In this section, we’ll outline healthcare regulation in the United Arab Emirates, the Kingdom of Saudi Arabia, and Qatar.
The UAE is the first country in the MENA region that has developed a separate law for handling PHI. In May 2019, the Health Data Law 2019 came into effect, covering all healthcare entities in the UAE and the free zones including Dubai, Abu Dhabi, and Sharjah.
Key takeaways of the Health Data Law 2019:
- Data processing. Health service providers must ensure that they handle data accurately, securely, and only for a specific purpose.
- Data security. Healthcare providers must have in place technical, operational, and organizational security measures for keeping health data confidential.
- Data localization. Transferring data outside the UAE is prohibited unless allowed by the UAE Minister of Health and Prevention.
- Data retention. Health data must be retained for 25 years after the last interaction with the client.
- Penalties. Non-compliance with the law may result in fines ranging from AED 1,000 to AED 1 million (~US$272 to US$273,000).
However, as a free zone, Dubai has an additional Health Data Protection Regulation (HDPR) issued by the Dubai Healthcare City Authority (DHCA). This regulation is more detailed and covers all healthcare professionals in Dubai. It requires every organization to assign at least one data protection officer (DPO) who will be responsible for compliance with data protection policies. HDPR also contains health data protection principles governing the manner and purpose of data collection, data access, and secure data storage.
Saudi Arabia is an ambitious country that is getting closer to its Saudi Vision 2030 every year. This vision outlines the following goals pertaining to the healthcare industry:
- Invest in private organizations and small and medium enterprises (SMEs) in all sectors, including healthcare
- Enhance online services and the knowledge base in the healthcare domain to become an effective e-government
Saudi Arabia is a great place for healthcare businesses to bring in new technologies and innovative ideas. Let’s learn how the KSA regulates this business sphere and particularly PHI.
There isn’t comprehensive data protection legislation in Saudi Arabia. The main law is Sharia law, which stems from the Quran, though the government has adapted it considerably to fit the modern world. The Saudi Basic Law of Governance, derived from Sharia law, partially covers the handling of personally identifiable information. However, the government has also issued a few separate laws for different industries, including healthcare.
There are a few laws governing the healthcare domain in Saudi Arabia:
- The Private Health Institutions Law
- Saudi Health Information Exchange (SeHE) Policies
- The Executive Regulations of Private Health Institutions Law
- The Executive Regulations of Health Practice Law
- The Law of Practicing Healthcare Professions (PHP)
PHP requires all healthcare professionals to protect their patients’ data and disclose it only with a patient’s permission. Violating this law may lead to fines of no more than SAR 20,000 (~US$5,333). This law, however, doesn’t specify how to collect, store, or transfer PHI. When it comes to transferring health data, SeHE policies come into effect. As we can see, each law covers only a certain part of health data privacy. That’s why you should get familiar with all of them if you’re considering developing healthcare software for the Saudi market.
Currently, these healthcare laws don’t offer such detailed and clear guidance on properly collecting, processing, and transmitting PHI as HIPAA does. As per the Saudi Vision 2030, however, new laws will appear as the country evolves.
In Qatar, data privacy in all sectors including healthcare is regulated by the Personal Data Privacy Protection Law (PDPPL) of 2016.
The single authority in charge of PDPPL is the Compliance and Data Protection (CDP) department. Fines for non-compliance can range from QAR 1 million to QAR 5 million (~US$275,000 to US$1.3 million).
Similar to HIPAA’s safeguards, PDPPL requires all organizations handling personal information to establish three types of protections:
- Administrative protections include measures that ensure all employees have an equal understanding of data privacy and stick to the same security measures.
- Technical protections cover the implementation of technologies necessary for maintaining a sufficient level of data privacy in the organization.
- Financial protections underpin investments in products or services that are important for delivering data privacy.
Most countries include health data requirements in their general legislation on data privacy, though not all highlight specific measures to protect this sensitive data. Some countries such as Australia and the UK provide detailed guidelines on how to interpret data protection acts as well as tips on how to comply in the best way. Countries from the MENA region are still changing and updating their laws following global digitalization trends.
Yalantis offers extensive expertise in building holistic healthcare solutions. Check out how we ensured HIPAA compliance for our Healthfully project. We’ll gladly back you up in building a secure healthcare product.