HIPAA vs PIPEDA: Understanding Health Data Privacy in Canada

HIPAA does not apply in Canada. Learn what PIPEDA and provincial health privacy laws require for health data protection and access requests.

Last updated: 2026-03-01

HIPAA Does Not Apply in Canada

If you are running a healthcare business in Canada or handling Canadian health data, you need to know this upfront: HIPAA does not apply to you. The Health Insurance Portability and Accountability Act is a United States federal law. It governs how covered entities and their business associates in the US handle protected health information (PHI). It has no legal force in Canada.

Disclaimer: This content is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on PIPEDA, relevant provincial health privacy statutes, and HIPAA as of the date of publication.

This is one of the most common misconceptions in North American health data privacy. Businesses operating in Canada sometimes assume that because HIPAA is the most well-known health privacy law on the continent, it must apply everywhere. It does not. Canada has its own comprehensive framework for protecting personal information, including health data, and the rules are different in important ways.

Why the Confusion Exists

The confusion typically comes from three places.

First, many Canadian businesses deal with American clients, partners, or insurers. When those US entities ask about HIPAA compliance, Canadian businesses assume they need to comply too. In reality, the US entity is responsible for its own HIPAA obligations. The Canadian business needs to comply with Canadian law.

Second, some Canadian healthcare professionals are trained using American materials or work for organizations with US operations. The HIPAA framework becomes familiar, and the assumption follows that it applies universally.

Third, the concepts overlap. Both HIPAA and PIPEDA address how personal health information should be collected, used, disclosed, and protected. The goals are similar, but the legal mechanisms, enforcement structures, and specific requirements are different.

What Canadian Law Actually Requires

In Canada, health data privacy is governed by a combination of federal and provincial legislation. The framework has two layers.

PIPEDA: The Federal Baseline

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal private-sector privacy law. It applies to organizations that collect, use, or disclose personal information in the course of commercial activity. Health data falls squarely within PIPEDA's definition of personal information.

Under PIPEDA, organizations must:

  • Obtain meaningful consent before collecting, using, or disclosing personal information, including health data
  • Limit collection to what is necessary for the identified purpose
  • Protect personal information with appropriate security safeguards
  • Respond to access requests within 30 days
  • Allow individuals to challenge the accuracy of their personal information and have it corrected

PIPEDA treats health information as sensitive personal information, which means a higher standard of protection applies. Organizations handling health data are expected to implement stronger safeguards, obtain more explicit forms of consent, and limit access more strictly than they would for less sensitive categories of data.

For a full overview of PIPEDA's access request requirements, see our PIPEDA jurisdiction guide.

Provincial Health Privacy Laws

Several Canadian provinces have enacted their own health-specific privacy legislation that applies to health information custodians within their jurisdiction. These laws generally take precedence over PIPEDA for the organizations they cover.

Ontario — Personal Health Information Protection Act (PHIPA): PHIPA applies to health information custodians in Ontario, including physicians, hospitals, pharmacies, laboratories, and long-term care facilities. It governs the collection, use, and disclosure of personal health information and gives individuals the right to access their own health records. Custodians must respond to access requests within 30 days. The Information and Privacy Commissioner of Ontario oversees enforcement.

Alberta — Health Information Act (HIA): Alberta's HIA applies to custodians such as physicians, pharmacists, optometrists, and Alberta Health Services. It establishes rules for how health information is collected, used, disclosed, and protected. Access requests must be responded to within 30 days, with a possible 30-day extension. The Office of the Information and Privacy Commissioner of Alberta handles complaints.

Other Provinces: New Brunswick, Newfoundland and Labrador, and Nova Scotia also have health-specific privacy legislation. British Columbia's Personal Information Protection Act (PIPA) covers health data in the private sector, though the province does not have a standalone health privacy statute in the same mould as Ontario or Alberta.

Quebec's Law 25 (formerly Bill 64) modernized Quebec's broader privacy framework and applies to health data held by private-sector organizations operating in Quebec. For more on Quebec's requirements, see our Quebec Law 25 guide.

HIPAA vs PIPEDA: Side-by-Side Comparison

The following table summarizes the key differences between the two frameworks.

| Requirement | HIPAA (US) | PIPEDA (Canada) |
|---|---|---|
| Scope | Covered entities (health plans, health care providers, clearinghouses) and their business associates | All private-sector organizations conducting commercial activity |
| Type of data covered | Protected health information (PHI) | All personal information, including health data |
| Consent model | Authorization required for most uses and disclosures beyond treatment, payment, and healthcare operations | Meaningful consent required for collection, use, and disclosure; higher standard for sensitive data |
| Access request deadline | 30 days, with one 30-day extension | 30 days, with limited extensions |
| Fee for access | Reasonable, cost-based fee permitted | Minimal or no charge; must not be a barrier to access |
| Breach notification | Within 60 days of discovery for breaches affecting 500+ individuals; annual reporting for smaller breaches | As soon as feasible; report to the Privacy Commissioner and notify affected individuals if there is a real risk of significant harm |
| Penalties | Civil penalties up to $2,067,813 per violation category per year (adjusted annually for inflation); criminal penalties possible | Federal Court can award damages; fines up to CAD 100,000 per offense for certain violations |
| Enforcement body | US Department of Health and Human Services, Office for Civil Rights (OCR) | Office of the Privacy Commissioner of Canada (OPC) |
| Business associate agreements | Required for third-party service providers handling PHI | Not required by statute, but contractual safeguards are expected under PIPEDA Principle 7 |

What Canadian Healthcare Businesses Actually Need to Do

If you are a healthcare business operating in Canada, your compliance checklist looks like this:

1. Determine which laws apply to you. If you are a health information custodian in Ontario, Alberta, or another province with health-specific legislation, that provincial law is your primary obligation. PIPEDA may still apply to your commercial activities that fall outside the scope of the provincial law. If your province does not have a substantially similar health privacy law, PIPEDA applies directly.

2. Implement appropriate consent mechanisms. PIPEDA and the provincial health privacy laws require consent for the collection, use, and disclosure of health data. The form of consent depends on context — express consent is generally required for health information, though implied consent may be acceptable in some treatment contexts under provincial health statutes.

3. Establish access request procedures. Individuals have the right to access their own health information. You need a process for receiving access requests, verifying identity, searching your records, and responding within 30 days. This applies whether you are governed by PIPEDA, PHIPA, HIA, or another provincial statute.

4. Implement security safeguards. Both PIPEDA and provincial health privacy laws require organizations to protect personal health information with safeguards appropriate to the sensitivity of the data. This includes physical, technical, and administrative measures.

5. Prepare for breach reporting. Under PIPEDA, you must report breaches involving personal information to the OPC and notify affected individuals where there is a real risk of significant harm. Provincial health privacy laws have their own breach notification requirements, which may differ in detail.

Cross-Border Data Transfers: When Both Frameworks Matter

The one situation where HIPAA becomes relevant for a Canadian organization is when personal health information crosses the border. If a Canadian healthcare provider shares patient data with a US entity — for example, a specialist consultation, a clinical trial, or a cloud service provider based in the United States — both legal frameworks come into play.

The Canadian organization remains responsible under PIPEDA (or the applicable provincial law) for ensuring that personal information transferred to a third party is adequately protected. This means:

  • You must inform individuals that their data may be processed in the US and therefore subject to US laws, including potential access by US government authorities
  • You should have contractual arrangements with the US entity that require them to protect the data to a standard consistent with Canadian law
  • The US entity, if it qualifies as a covered entity or business associate under HIPAA, will have its own obligations under HIPAA for the data it receives

This is a two-way street. US healthcare organizations that receive data from Canadian sources need to comply with HIPAA. Canadian organizations that send data to the US need to comply with PIPEDA and ensure their transfer arrangements are adequate.

The Office of the Privacy Commissioner of Canada has stated that organizations cannot contract out of their PIPEDA obligations by transferring data to another jurisdiction. You remain accountable for the data even after it leaves Canada.

Common Mistakes to Avoid

Assuming HIPAA compliance equals PIPEDA compliance. Even if your organization happens to meet HIPAA standards, that does not automatically satisfy PIPEDA. The consent models, breach notification timelines, and enforcement mechanisms differ. You need to assess compliance against Canadian law specifically.

Ignoring provincial health privacy laws. PIPEDA is the federal baseline, but if you operate in a province with its own health privacy statute, that provincial law is likely your primary obligation for health information. Operating under PIPEDA alone when PHIPA or HIA applies is a compliance gap.

Overlooking access request rights. Canadian individuals have the right to access their health data, and the 30-day deadline is strict. Failing to respond or treating access requests as optional is a violation that can lead to complaints to the OPC or the relevant provincial commissioner.

Neglecting cross-border transfer obligations. If you use US-based cloud services, electronic health records systems, or share data with US partners, you need to address the cross-border transfer requirements under PIPEDA. Individuals must be informed, and appropriate safeguards must be in place.

References

  • PIPEDA: Office of the Privacy Commissioner of Canada — PIPEDA overview. OPC PIPEDA guidance
  • HIPAA: US Department of Health and Human Services — HIPAA overview. HHS HIPAA guidance
  • Ontario PHIPA: Information and Privacy Commissioner of Ontario — PHIPA guidance. IPC Ontario
  • Alberta HIA: Office of the Information and Privacy Commissioner of Alberta — HIA guidance. OIPC Alberta

Last reviewed: March 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.