How to Make Sure Your App or Website is HIPAA, PIPEDA & GDPR Compliant

The General Data Protection Regulation (GDPR) is a key data and privacy law from the EU. Yet, taking into account its global impact, the GDPR is definitely one of the top regulations in this field that you can’t help but consider.

The GDPR applies to individuals and companies (including websites and mobile apps, of course) that process personal data of EU citizens.

What’s more: it doesn’t matter whether your company operates from within or outside of the EU, or has any presence in the EU — the GDPR still applies.

Detailed info on this matter can be found in Chapter 1 of GDPR.

PIPEDA

PIPEDA is a Canadian law that establishes a data privacy framework organizations should comply with. Thus, the regulation applies to Canadian private sector organizations that collect, disclose, or use personal information for commercial purposes.

PIPEDA defines a commercial activity as any particular act, conduct, or transaction that’s of a commercial character: bartering, selling, leasing of donor, membership plans, etc.

What about mobile apps and websites? According to the Office of the Privacy Commissioner of Canada, gathering, disclosing, and using personal information to improve user experience — and that indirectly contributes to the commercial success of the website or application — can still be recognized as a commercial activity.

Unlike GDPR, the Canadian regulation doesn’t specifically mention foreign companies, some of them got penalties in the past. It means that foreign companies also must comply with PIPEDA if they’re collecting, using, or disclosing personal data of Canadian users.

Non-profit organizations as well as educational and healthcare institutions are outside of the PIPEDA’s jurisdiction as long as they aren’t engaged in any commercial activities.

Finally, organizations that operate strictly within provinces of Quebec, Alberta, and British Columbia have to comply with the local privacy laws that are quite similar to PIPEDA. At the same time, such organizations are generally exempt from PIPEDA itself.

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal U.S. law that introduces national standards to protect personal health data, which is particularly relevant when you build a medical app. The law sets a number of criteria to define covered entities and business associates that must comply with the regulation.

A covered entity is one of the following:

• but only if they transfer any protected health information in an electronic form in connection with a transaction for which the United States Department of Health & Human Services (HHS) has adopted a standard. The list isn't exhaustive.

You can also use this tool by the Centers for Medicare & Medicaid Services to check whether you’re a covered entity or not.

A business associate is an organization or a person that provides certain services for a covered entity, involving the disclosure or use of protected health information.

You can check this short video to get a better understanding of the concept:

As you can see, failing to meet the GDPR compliance requirements can hit anyone: from global non-EU companies like Google to small online retailers.

Penalties for PIPEDA non-compliance 💵

Organizations that don’t comply with PIPEDA or obstruct the authorities in the investigation of a complaint can be fined:

• up to C$10,000 — for an offense punishable on summary conviction;
• up to C$100,000 — for an indictable offense.

The Office of the Privacy Commissioner can also demand remedial measures and ongoing audits to ensure that the organization is PIPEDA-compliant.

HIPAA violation & breach fines 💸

There are 4 HIPAA violation penalty tiers based on the level of perceived negligence within the organization that led to the violation. The fines can range from $100 to $50,000 per violation or per record, with up to $1.5 million per year for each violation.

What is the GDPR compliance? Basically, it means 2 things:

• providing individuals with control over their personal data;
• improving the way businesses manage personal data of their customers.

The regulation itself can be found here. It consists of 99 articles and introduces new requirements that need special attention from your side. But let’s start with the basics!

📊 What’s the personal data under the GDPR?

We’ve already used the term “personal data” a few times but it’s important to clarify it.

The EU’s definition of the term is quite broad. As stated in Article 4, personal data is

any information relating to an identified or identifiable natural person.

If we translate it from legal into human language, it includes almost any user-related data, for example:

• name
• location data
• identification number
• phone number
• browsing history
• IP address
• and any other types of data that relate to the user's economic, social, cultural, physiological, mental, physical, or genetic identity.

According to the same article, procession of personal data is also used in its widest meaning: from collection and storage to use and erasure.

Key elements of the GDPR 📖

In this paragraph, we’ll review the key requirements for GDPR website compliance and GDPR app compliance. Actually, the requirements are the same disregarding the platform, operating system, business size or type and so on — that’s why it’s important to pay attention either way.

Principles 🤝

All the requirements for the GDPR IT compliance are based on 6 privacy principles from Chapter 2:

• Lawfulness, fairness, and transparency
• Purpose limitation
• Data minimization
• Accuracy
• Storage limitation
• Integrity and confidentiality.

Below you can see a brief overview of these concepts:

Let’s see what you should do to comply with these principles!

⚖️ Lawfulness, fairness, and transparency

This principle includes 3 sub-principles:

Let’s take a look at Uber Privacy Notice and see how compliance works in real life.

For example, Uber has clearly explained its legal basis for collecting and processing personal data in paragraph III.F — and that matches the Lawfulness principle:

This privacy policy meets other requirements as well. The Transparency principle is covered in the following paragraphs:

• III.B ➡️ Why Uber needs to use personal data and how it uses such data
• II.B ➡️ entities responsible for data collection and procession

🔎 Purpose limitation

It’s not enough to notify users of what data you gather — you should also clearly explain how you’ll use it. The goal of this principle is to make sure that companies won’t use personal data in ways that haven’t been agreed with customers.

Thus, you should always have a relevant reason when asking for any kind of personal data. Pay attention, that the GDPR relates to all users’ personal data, not only your end customers.

Let’s say you represent an on-demand delivery platform. It means that you’re responsible not only for the personal data of your customers but couriers as well. What personal data and for what purposes can you ask your couriers?

• Personal identifiers like name and profile pic to display it to users.
• Contact details like email and phone number so your managers and customers can get in touch with couriers.
• Identity documents (ID or driving license) and biometric data (facial scans) to verify the courier’s identity and prevent fraud.
• Financial data like payment details for billing and invoicing.
• Location data to track the deliveries.

Stuart — one of leading Europe’s on-demand logistics platforms — puts purpose limitations in a nice table:

At the same time, you shouldn’t use the mentioned data in any other way.

📲 Data minimization

The principle is quite simple: you must only ask for the personal data that is necessary to fulfill your purpose. In other words, you must process the minimum possible volume of personal data.

🎯 Accuracy

Data processors should also take steps to ensure data accuracy. It may be challenging if we’re talking about personal data submitted by the customers about themselves. Yet, there are still some steps you may take, in particular:

• Ensure that you record data accurately.
• Record the source of information.
• Add a special clause regarding data accuracy provided by users into your privacy policy. Note the importance of providing accurate information and the right of the user to update out-of-date or correct inaccurate personal information.
• If personal data turns out to be misleading, incorrect, or inaccurate, you should take all necessary steps to correct or erase it as quickly as possible.

💾 Storage limitation

The principle is quite simple: don’t store data any longer than necessary. The GDPR itself doesn’t specify the minimum or maximum storage period. Yet, what you should do is to document how long you’re storing data and justify the reason for this exact term.

Take a look at how GOV.UK provides a brief explanation of the storage period:

🤫 Integrity and confidentiality

Finally, the last principle is quite obvious. It’s also known as the security principle and states that you must have appropriate security measures in place to prevent any possible damage to personal data.

However, the EU doesn’t specify what measures you should take. Actually, it’s your own responsibility since the Union is interested in keeping the data of its citizens safe while choosing the right means for it is up to you.

Many companies prefer to specify what security measures they take in their privacy policy. For example, this is how this principle is implemented in the privacy policy of Pandora, a radio app:

Under this principle companies also should notify relevant supervisory authorities and affected users about data loss or breach within 72 hours.

---

Except for the principles, the GDPR Regulation introduces a few new privacy requirements and user rights. Let’s briefly review them, too!

🤝 Informed сonsent

The GDPR has also changed the old approach to acquiring the user’s consent for collecting and using his personal data. According to Recital 42, it must be active, informed, and acquired before you start processing personal data.

So as to achieve the GDPR app compliance with this rule, you must provide users with a possibility to give their direct consent to collect and use their data — for example, a checkbox or a button.

Yet, you can’t pre-tick such checkboxes or assume that continued use of your website or application means that active and informed consent.

Also, you must inform users on ways to withdraw their consent at any time.

Let’s compare how this rule is followed by two popular European low-cost airlines.

When signing up for Ryanair, they assume that “By signing up, you agree to Ryanair’s Privacy Policy and Terms of Use” without directly asking for the user’s consent.

To sign up for Wizz Air, users have to provide their active consent by ticking checkboxes. Otherwise, they’ll be unable to proceed. Moreover, Wizz Air asks users’ consent for three separate purposes — to subscribe for a newsletter, to accept the Privacy Notice, and to agree to the Wizz Account Terms and Conditions.

This example seems far more GDPR compliant.

✅ Rights of users

Finally, to achieve the GDPR website compliance, you’ll need to take into account the rights of users introduced by the regulation. You can find them in Chapter 3 but we’ll briefly go over them in this article as well.

Right to access data 📩

If a user makes an information request on what of his personal data you store and process, you need to fulfill the request within 1 month. If the requested data is too complicated or too large, this period may be extended to 2 months.

You should also clearly describe how users can get a copy of their data or access it themselves in your privacy policy.

For example, Google has a separate page where users can request a copy of all personal data it has on them:

Right to rectification 🔄

Users should have the right to change the data if it turns out to be incomplete, inaccurate, or out-of-date.

Where possible, provide users with the possibility to update their personal data in real-time and on their own, without spending your resources on this process.

Right to object ❌

The GDPR gives users the right to object to the processing of personal data at any time unless you provide “compelling legitimate grounds for the processing” which override this right.

In cases when personal data is processed for direct marketing purposes, you must immediately stop processing the data upon such a request.

Right to erasure (or the “Right to be forgotten”) 🧹

Under the GDPR, your website or mobile app users have the right to request the erasure of their personal data in case:

• it’s no longer necessary for initial purposes;
• the user withdraws consent for collecting and processing his personal data — and it was the only legal ground for the processing;
• user refers to his right to object;
• the data have been unlawfully processed;
• it’s needed for compliance with a legal obligation in Union or Member State law to which the user is subject.

Yet, Article 17 also names cases in which personal data shouldn’t be erased, so we recommend carefully checking the GDPR.

Take a look at how this right is implemented in the Spotify Privacy Policy:

Right to restriction of processing 🔒

This right is somewhat similar to the right to erasure. Upon a user's request, you must immediately stop processing personal data (but not delete it!).

The GDPR specifies 4 lawful grounds for that:

• the user believes personal data to be inaccurate and waits until you verify it;
• the processing is unlawful but a user insists on restriction to use his personal data over its erasure;
• the data is no longer needs to be processed for initial purposes but shouldn’t be erased as a user needs it for establishment, exercise, or defense of legal claims;
• a user has used his right to object and waits for the solution.

Right to data portability 📲

Finally, users should be able to transmit their personal data to another app, website, or business without any interference from your side. It also means that you must provide his data in a structured, commonly used, and machine-readable format.

For example, Facebook offers its users to download their personal data in two popular formats: HTML and JSON.

📋 GDPR Compliance Checklist

We’ve also prepared a GDPR compliance checklist based on the mentioned principles. Here it is:

Alternatively, there is an unofficial version of HIPAA that presents the same standards in one document. It can be found here.

Before we move to the contents of HIPAA, let’s review what information it actually protects.

🧬 What information is covered under HIPAA?

Unlike GDPR that covers all types of personal information, HIPAA focuses on protected health information (PHI) — all "individually identifiable health information" that is transmitted or maintained in any format or medium. To understand the concept of the PHI, one should first take a look at the concept of health information.

Health information is any information that is received or created by a covered entity, school or university, life insurance company or employer, and relates to:

• treatment provided to a person;
• a person's past, present, or future mental/physical state or condition;
• past, present, or future payment for healthcare this person receives.

For example, it may be medical test results, prescriptions, diagnoses, and treatment information.

Yet, HIPAA considers as PHI only individually identifiable information that can be tied to a particular person. Thus, it should have at least one or more of the following 18 identifiers:

The health data without these identifiers (if they’re initially missing or removed on purpose) is considered de-identified and can’t be subject to HIPAA.

PHI relates to a person's medical records, payments, treatments, and health conditions (past, present, and future) that are linked to individually identifiable information and can be used to identify a specific person.

Also, notice that PHI relates only to the personal data of health plan members and patients. Yet, it doesn’t include information from employment or educational records.

Key elements of HIPAA 📕

HIPAA compliance actually means compliance with its 5 main Rules — U.S. standards for collecting, transferring, storing, and using PHI. These rules make up the core of the regulation:

• Privacy Rule
• Security Rule
• Breach Notification Rule
• Enforcement Rule
• Patient Safety Rule

Let’s briefly review them!

# 1: Privacy Rule 🗄

The Privacy Rule established a set of national standards for the protection of PHI. Its main goal is to protect sensitive health information and the privacy of people who seek care.

This Rule defines general principles of uses and disclosures of PHI. Thus, covered entities are allowed to use or disclose PHI only as the Privacy Rule requires or permits, or in the way the subject of PHI (a person or its representative) authorizes in writing.

The Rule clearly defines cases when you can use or disclose PHI without any additional person’s authorization. These are:

1. To the person himself/herself.
2. For treatment, health care operations, and payments.
3. By asking the person and providing him or her with the opportunity to agree or object.
4. Incident to an otherwise permitted disclosure and use.
5. Benefit activities and public interest (e.g. in cases required by law, or to prevent a serious threat to safety or health, for researches and workers’ compensation).
6. As a limited data set from which specified identifiers have been removed.

Take a look at example of how the Tend dental studio from New York specifies this rule in its privacy policy:

The Rule also introduces a few following requirements:

• For use and disclosure in any other case except for the mentioned 6, you must get a person’s written authorization.
• You must ask for the minimum amount of PHI needed to accomplish your purpose.
• Covered entities must implement procedures, policies, and protocols for recurring requests for PHI disclosures
• Users should have the right to access, amend, restrict the use of their PHI.

More details on the Privacy Rule can be found on this HHS’s page.

# 2: Security Rule 🔒

The Security Rule addresses specific technical and non-technical safeguards that covered entities must put in place to comply with the Privacy Rule. Moreover, this Rule focuses specifically on electronic protected health information (e-PHI) which is the PHI that’s created, maintained, or transmitted in electronic form. Thus, this rule is the key to HIPAA website compliance and HIPAA app compliance.

The Security Rule implements administrative, physical, and technical safeguards for protecting e-PHI:

More details on the Security Rule can be found on this HHS’s page.

# 3: Breach Notification Rule 📧

The regulation introduces specific measures to be taken in case of a breach. Moreover, under HIPAA there are 2 different protocols for cases when the breach affected fewer than 500 people and 500 or more people.

If it’s impossible to calculate the number of affected people for sure, the covered entity should provide an estimate and then apply the protocol that fits the situation.

For breaches with 500+ affected people, the covered entity must notify the Secretary of the breach and no later than 60 calendar days from the discovery of the breach.

For breaches affecting fewer than 500 people, the covered entity must notify the Secretary of the breach no later than within 60 days of the end of the calendar year in which the breach was discovered.

More details on the Breach Notification Rule as well as links for submitting breaches can be found on this HHS’s page.

# 4: Enforcement Rule 👨‍⚖️

This rule outlines the procedures that take place when the covered entity is investigated as a possible HIPAA violator.

We won’t focus on that as it’s not what you need to become HIPAA-compliant. If needed, more details on the Enforcement Rule can be found on this HHS’s page.

# 5: Patient Safety Rule 😷

The Rule introduces a framework by which covered entities may voluntarily report information to Patient Safety Organizations (PSOs) for the aggregation and analysis of patient safety events. Such information must be provided on a confidential basis.

It doesn’t play any big role when we’re talking about app or web compliance with HIPAA so we won’t focus on this part either.

More details on the Patient Safety Rule can be found on this HHS’s page.

📋 HIPAA Compliance Checklist

If you’re looking for how to become HIPAA compliant, take a look at the checklist below:

Also note that if you change the purpose of gathering specific information, you’ll need to obtain new consent from your customers. The organization must keep a record of all consents and purposes, and be able to provide them in case of an investigation.

# 3: Consent ✅

It’s obvious that you should get prior consent before collecting or using the personal data of Canadian users. PIPEDA defines two forms of consent — express and implied.

Express is a more favorable form of consent so you should mostly rely on it. Also, organizations are required to ask for only express consent if:

• it authorizes the collection and processing of sensitive data;
• the purpose for the collection and processing may be outside of the reasonable expectations of the user;
• the collection and processing create a meaningful risk of significant harm.

You should also provide users with a right to withdraw their consent at any time, and with a right to proceed without consent for non-essential purposes (for example, if you’re collecting personal data solely for marketing purposes).

# 4: Limiting Collection 📥

To comply with this PIPEDA principle, organizations must ask only for the minimum necessary amount of personal data they need to process.

How do you find out whether it’s a minimum possible amount or not? You should be able to explain why you need this exact type of personal information.

Moreover, by asking only for the really necessary you lower the cost of storing, processing, and archiving the data as well as reduce the risk and
possible damage from breaches.

# 5: Limiting Use, Disclosure, and Retention ✅

PIPEDA allows organizations that work with users’ personal data to use or disclose it for 3 purposes:

1. According to identified purposes.
2. If a user consents to use it otherwise.
3. To meet the law.

For example, memrise, a language learning app, specifices how exactly it will use personal data:

You shouldn’t keep personal data for a longer period of time than you need it. You should also provide users and employees with guidelines for deleting and retaining such information. The regulation also suggests setting minimum and maximum retention periods.

# 6: Accuracy 🎯

Under PIPEDA, organizations must minimize the possibility of using out-of-date or incorrect personal information.

The Office of the Privacy Commissioner of Canada offers the following PIPEDA compliance checklist for this principle to keep the information accurate and double-check whether it needs any amendments:

🔲 Have a list of data that you use and specify those items that need the most attention.

🔲 Specify where this information can be found and how it can be accessed.

🔲 Always record the date when you first get or update personal data.

🔲 Have a protocol (set of steps and rules) on how you verify the accuracy of data.

🔲 Develop a schedule to review the information and keep it updated.

# 7: Safeguards 🔒

It’s your direct responsibility to keep personal data safe and protected against loss, theft, or any illegal access, disclosure, or use. Yet, PIPEDA doesn’t specify particular safeguards you should implement to comply — it’s up for you to choose as long as they’re efficient.

Yet, the regulation suggests to implement a 3-level security system similar to the one mentioned in the HIPAA’s Security Rule:

• Physical level includes measures like setting up an alarm system, locking filing cabinets, and installing a video surveillance system.
• Technological level requires taking steps like implementing encryption, protecting data with passwords, using firewalls, etc.
• Organizational level relates to administrative steps you can take: limit access to specific offices, organize security clearances, hold staff training, and so on.

# 8: Openness 🗃

Your policies and guidelines must be easily available and easily understandable. Avoid complex legal language as people need to be able to make an informed decision on whether to provide consent or not.

Pay special attention to the most important parts of your privacy policy: accountable data protection officer, users’ rights, types of information you collect and use, the legal basis for such actions, etc.

# 9: Individual Access 💻

Your users should have easy access to their personal data that you collect, store, and use. If needed, you must explain how you obtained, used, and disclosed it.

PIPEDA sets up a 30-day timeframe to answer such a request. In some cases you may use additional 30 days — but only if you can provide a reasonable explanation for the delay.

# 10: Challenging Compliance 👨‍⚖️

Finally, the organization should provide full support to a user even when he or she challenges its compliance with PIPEDA. In other words, you should explain to users how they can file a complaint, describe the investigation procedures, and inform on how they protect their data privacy rights with help from regulatory bodies.

Thus, you should have a person in charge who will handle complaints and investigations within the company.

---

You can also check this page by the Office of the Privacy Commissioner of Canada for more details on the mentioned PIPEDA principles. We’ve also prepared a PIPEDA compliance checklist — take a look!

📋 PIPEDA Compliance Checklist

Note that it’s not an exhaustive list of things you need to do to comply with PIPEDA. The aim of this checklist is to sum up the key ideas of PIPEDA’s principles and focus your attention on things that require the most attention.