✅ How to Define Whether You Must Comply with GDPR, PIPEDA, and HIPAA?
👮♂️ What Are the Consequences of the GDPR, PIPEDA, and HIPAA Violation?
📖 GDPR, PIPEDA & HIPAA Compliance: Key Things to Know
Cybersecurity is crucial for any industry. Today most countries have their own data privacy regulations that you have no choice but to comply with. In the modern globalized world, things are even trickier: you may be a legal entity of country A, mostly operate in country B but have most customers from country C.
GDPR, PIPEDA, and HIPAA are a few big names in this field so you’re likely a subject to some or even all of them if you operate within European or North American markets.
In this article, we’ll help you define whether you should comply with these regulations and what it actually means to be HIPAA-, PIPEDA- and GDPR-compliant.
Let’s start by finding out who is subject to these regulations and whether your mobile application or website must comply with them.
The General Data Protection Regulation (GDPR) is a key data and privacy law from the EU. Yet, taking into account its global impact, the GDPR is definitely one of the top regulations in this field that you can’t help but consider.
The GDPR applies to individuals and companies (including websites and mobile apps, of course) that process personal data of EU citizens.
What’s more: it doesn’t matter whether your company operates from within or outside of the EU, or has any presence in the EU — the GDPR still applies.
Detailed info on this matter can be found in Chapter 1 of GDPR.
PIPEDA is a Canadian law that establishes a data privacy framework organizations should comply with. Thus, the regulation applies to Canadian private sector organizations that collect, disclose, or use personal information for commercial purposes.
PIPEDA defines a commercial activity as any particular act, conduct, or transaction that’s of a commercial character: bartering, selling, leasing of donor, membership plans, etc.
What about mobile apps and websites? According to the Office of the Privacy Commissioner of Canada, gathering, disclosing, and using personal information to improve user experience — and that indirectly contributes to the commercial success of the website or application — can still be recognized as a commercial activity.
PIPEDA is one of the key data privacy regulations (image by Matt Anderson)
Unlike GDPR, the Canadian regulation doesn’t specifically mention foreign companies, some of them got penalties in the past. It means that foreign companies also must comply with PIPEDA if they’re collecting, using, or disclosing personal data of Canadian users.
Non-profit organizations as well as educational and healthcare institutions are outside of the PIPEDA’s jurisdiction as long as they aren’t engaged in any commercial activities.
Finally, organizations that operate strictly within provinces of Quebec, Alberta, and British Columbia have to comply with the local privacy laws that are quite similar to PIPEDA. At the same time, such organizations are generally exempt from PIPEDA itself.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal U.S. law that introduces national standards to protect the personal health data of U.S. citizens. The law sets a number of criteria to define covered entities and business associates that must comply with the regulation.
A covered entity is one of the following:
🏥 Health сare Provider*
📋 Health Plan
🔄 Health care Clearinghouse
Health insurance companies
Entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.
Health maintenance organizations
Company health plans
Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs
You can also use this tool by the Centers for Medicare & Medicaid Services to check whether you’re a covered entity or not.
A business associate is an organization or a person that provides certain services for a covered entity, involving the disclosure or use of protected health information.
You can check this short video to get a better understanding of the concept:
The Privacy Rule lists some of the activities and services that make an organization or person a business associate. It includes but not limited to billing, data analysis, consulting, quality assurance, claims processing and administration, etc.
A few real-life cases may look as follows:
If a business associate helps a covered entity carry out its healthcare functions and activities, it must have a written contract in which it’s specified what the business associate has been engaged to do.
At the same time, HIPAA isn’t applicable to businesses that may still deal with health information but are neither covered entities nor business associates. To name a few examples:
More details on business associates, contracts, and exceptions can be found at the HHS’s website.
Finally, the Federal Trade Commission has an interactive tool to define whether your mobile app is subject to key data protection federal laws — HIPAA, FD&C Act, and FTC Act. You can check it out here.
Now you have a better understanding of what regulations may apply to your business. But what are the possible consequences of not complying with them? We hope you never learn it on your own experience so let’s take a look at the regulations themselves and real-life cases.
Fines for failing GDPR IT compliance and data breach are one of the biggest compared to other similar regulations.
According to Article 83, violators may be fined up to either €20 million or 4% of the annual global turnover of the preceding financial year (whichever is higher!).
It’s quite important to figure out how to comply with EU GDPR as the Union is quite strict disregarding the size or status of the violators. To name a few cases:
💰 Fine Amount
🛩 British Airways
Poor security of user data resulted in a web skimming attack that affected 500,000 customers.
🤖 Google LLC (twice)
1️⃣ Insufficient consent, control, and transparency over the processing of personal data for the purposes of behavioral advertising;
🏦 UniCredit Bank Romania
Failed to implement required organizational and technical measures.
🛍 Unnamed online retailer
Nonconformity with users’ rights to erasure, and non-cooperation with the supervisory authority.
As you can see, failing to meet the GDPR compliance requirements can hit anyone: from global non-EU companies like Google to small online retailers.
Organizations that don’t comply with PIPEDA or obstruct the authorities in the investigation of a complaint can be fined:
The Office of the Privacy Commissioner can also demand remedial measures and ongoing audits to ensure that the organization is PIPEDA-compliant.
There are 4 HIPAA violation penalty tiers based on the level of perceived negligence within the organization that led to the violation. The fines can range from $100 to $50,000 per violation or per record, with up to $1.5 million per year for each violation.
🔎 Violation type
📒 Each violation
🗂 Violations of an identical provision in a calendar year
Individual didn’t know they violated HIPAA
100 – $50,000
Reasonable cause and not willful neglect
$1,000 – $50,000
Willful neglect but corrected
$10,000 – $50,000
Willful neglect and isn’t corrected
Talking about a few real-life cases:
In some cases, HIPAA violations may lead to criminal penalties. For example, for offenses with the intent to transfer, use, or sell personal health data for personal gain, commercial advantage, or malicious harm.
Now as you know whether you’re subject to the mentioned regulations as well as possible penalties, let’s take a closer look at the documents that are relevant to you.
The GDPR stands for the General Data Protection Regulation. As we’ve mentioned earlier, this regulation was adopted by the European Union and affects all businesses and individuals that collect or process personal data of EU citizens.
The GDPR is a main EU regulation on data privacy (image by Desmoulin)
What is the GDPR compliance? Basically, it means 2 things:
The regulation itself can be found here. It consists of 99 articles and introduces new requirements that need special attention from your side. But let’s start with the basics!
We’ve already used the term “personal data” a few times but it’s important to clarify it.
The EU’s definition of the term is quite broad. As stated in Article 4, personal data is
any information relating to an identified or identifiable natural person.
If we translate it from legal into human language, it includes almost any user-related data, for example:
According to the same article, procession of personal data is also used in its widest meaning: from collection and storage to use and erasure.
In this paragraph, we’ll review the key requirements for GDPR website compliance and GDPR app compliance. Actually, the requirements are the same disregarding the platform, operating system, business size or type and so on — that’s why it’s important to pay attention either way.
All the requirements for the GDPR IT compliance are based on 6 privacy principles from Chapter 2:
Below you can see a brief overview of these concepts:
Let’s see what you should do to comply with these principles!
This principle includes 3 sub-principles:
✅ How to comply
It’s illegal to use personal data of EU citizens in any way unless you have a lawful basis.
You must process personal data in ways that won’t cause unreasonable negative consequences for users.
Make sure that the way you use personal data doesn’t create any field for situations that can lead to user’s moral, financial, or any other kind of damage.
You must clearly and explicitly explain how you’re going to process users’ personal data.
Let’s take a look at Uber Privacy Notice and see how compliance works in real life.
For example, Uber has clearly explained its legal basis for collecting and processing personal data in paragraph III.F — and that matches the Lawfulness principle:
Shot from the Uber website
It’s not enough to notify users of what data you gather — you should also clearly explain how you’ll use it. The goal of this principle is to make sure that companies won’t use personal data in ways that haven’t been agreed with customers.
Thus, you should always have a relevant reason when asking for any kind of personal data. Pay attention, that the GDPR relates to all users’ personal data, not only your end customers.
Let’s say you represent an on-demand delivery platform. It means that you’re responsible not only for the personal data of your customers but couriers as well. What personal data and for what purposes can you ask your couriers?
Stuart — one of leading Europe’s on-demand logistics platforms — puts purpose limitations in a nice table:
Shot from the Stuart website
At the same time, you shouldn’t use the mentioned data in any other way.
The principle is quite simple: you must only ask for the personal data that is necessary to fulfill your purpose. In other words, you must process the minimum possible volume of personal data.
✅ Ok to ask
❌ Not ok to ask
Email/mobile phone number
ID photo (unless you provide services that imply age limitations or need to verify the identity of the user)
Card number if you allow in-app payments
Card number if you allow cash-only payments
Medical records for the telemedicine platform
Medical records for the fitness tracking app that’s used to track calories and steps
Data processors should also take steps to ensure data accuracy. It may be challenging if we’re talking about personal data submitted by the customers about themselves. Yet, there are still some steps you may take, in particular:
The principle is quite simple: don’t store data any longer than necessary. The GDPR itself doesn’t specify the minimum or maximum storage period. Yet, what you should do is to document how long you’re storing data and justify the reason for this exact term.
Take a look at how GOV.UK provides a brief explanation of the storage period:
Shot from the GOV.UK website
Finally, the last principle is quite obvious. It’s also known as the security principle and states that you must have appropriate security measures in place to prevent any possible damage to personal data.
However, the EU doesn’t specify what measures you should take. Actually, it’s your own responsibility since the Union is interested in keeping the data of its citizens safe while choosing the right means for it is up to you.
Shot from the Pandora website
Under this principle companies also should notify relevant supervisory authorities and affected users about data loss or breach within 72 hours.
Except for the principles, the GDPR Regulation introduces a few new privacy requirements and user rights. Let’s briefly review them, too!
The GDPR has also changed the old approach to acquiring the user’s consent for collecting and using his personal data. According to Recital 42, it must be active, informed, and acquired before you start processing personal data.
So as to achieve the GDPR app compliance with this rule, you must provide users with a possibility to give their direct consent to collect and use their data — for example, a checkbox or a button.
Yet, you can’t pre-tick such checkboxes or assume that continued use of your website or application means that active and informed consent.
Also, you must inform users on ways to withdraw their consent at any time.
Let’s compare how this rule is followed by two popular European low-cost airlines.
Shot from the Ryanair website
To sign up for Wizz Air, users have to provide their active consent by ticking checkboxes. Otherwise, they’ll be unable to proceed. Moreover, Wizz Air asks users’ consent for three separate purposes — to subscribe for a newsletter, to accept the Privacy Notice, and to agree to the Wizz Account Terms and Conditions.
Shot from the Wizz Air website
This example seems far more GDPR compliant.
Finally, to achieve the GDPR website compliance, you’ll need to take into account the rights of users introduced by the regulation. You can find them in Chapter 3 but we’ll briefly go over them in this article as well.
If a user makes an information request on what of his personal data you store and process, you need to fulfill the request within 1 month. If the requested data is too complicated or too large, this period may be extended to 2 months.
For example, Google has a separate page where users can request a copy of all personal data it has on them:
Shot from the Google Takeout website
Users should have the right to change the data if it turns out to be incomplete, inaccurate, or out-of-date.
Where possible, provide users with the possibility to update their personal data in real-time and on their own, without spending your resources on this process.
The GDPR gives users the right to object to the processing of personal data at any time unless you provide “compelling legitimate grounds for the processing” which override this right.
In cases when personal data is processed for direct marketing purposes, you must immediately stop processing the data upon such a request.
Under the GDPR, your website or mobile app users have the right to request the erasure of their personal data in case:
Yet, Article 17 also names cases in which personal data shouldn’t be erased, so we recommend carefully checking the GDPR.
Shot from the Spotify website
This right is somewhat similar to the right to erasure. Upon a user's request, you must immediately stop processing personal data (but not delete it!).
The GDPR specifies 4 lawful grounds for that:
Finally, users should be able to transmit their personal data to another app, website, or business without any interference from your side. It also means that you must provide his data in a structured, commonly used, and machine-readable format.
For example, Facebook offers its users to download their personal data in two popular formats: HTML and JSON.
Shot from the Facebook website
We’ve also prepared a GDPR compliance checklist based on the mentioned principles. Here it is:
But now let’s move to another regulation — HIPAA.
HIPAA stands for the Health Insurance Portability and Accountability Act that standardizes protected health information management in the U.S.
The document is noticeably bigger than GDPR. Moreover, it’s presented in a form of separate chapters and subchapters.
If you’d like to check the official version of the regulation, you should use this link (Parts 160, 162, and 164 of Subchapter C of Subtitle A of Title 45 of Code of Federal Regulations — what’s not to like about bureaucratic language 🙃).
HIPAA is a key regulation to comply with for healthcare providers and businesses (image by Baten )
Alternatively, there is an unofficial version of HIPAA that presents the same standards in one document. It can be found here.
Before we move to the contents of HIPAA, let’s review what information it actually protects.
Unlike GDPR that covers all types of personal information, HIPAA focuses on protected health information (PHI) — all "individually identifiable health information" that is transmitted or maintained in any format or medium. To understand the concept of the PHI, one should first take a look at the concept of health information.
Health information is any information that is received or created by a covered entity, school or university, life insurance company or employer, and relates to:
For example, it may be medical test results, prescriptions, diagnoses, and treatment information.
Yet, HIPAA considers as PHI only individually identifiable information that can be tied to a particular person. Thus, it should have at least one or more of the following 18 identifiers:
Type of identifiers
👤 Basic Data
☎️ Contact Details
💊 Medical Data
💰 Banking Data
🚗 Driving-related Data
💻 Technical Data
🧬 Biometric data
📋 Other Data
The health data without these identifiers (if they’re initially missing or removed on purpose) is considered de-identified and can’t be subject to HIPAA.
PHI relates to a person's medical records, payments, treatments, and health conditions (past, present, and future) that are linked to individually identifiable information and can be used to identify a specific person.
Also, notice that PHI relates only to the personal data of health plan members and patients. Yet, it doesn’t include information from employment or educational records.
HIPAA compliance actually means compliance with its 5 main Rules — U.S. standards for collecting, transferring, storing, and using PHI. These rules make up the core of the regulation:
Let’s briefly review them!
The Privacy Rule established a set of national standards for the protection of PHI. Its main goal is to protect sensitive health information and the privacy of people who seek care.
This Rule defines general principles of uses and disclosures of PHI. Thus, covered entities are allowed to use or disclose PHI only as the Privacy Rule requires or permits, or in the way the subject of PHI (a person or its representative) authorizes in writing.
The Rule clearly defines cases when you can use or disclose PHI without any additional person’s authorization. These are:
The Rule also introduces a few following requirements:
More details on the Privacy Rule can be found on this HHS’s page.
The Security Rule addresses specific technical and non-technical safeguards that covered entities must put in place to comply with the Privacy Rule. Moreover, this Rule focuses specifically on electronic protected health information (e-PHI) which is the PHI that’s created, maintained, or transmitted in electronic form. Thus, this rule is the key to HIPAA website compliance and HIPAA app compliance.
The Security Rule implements administrative, physical, and technical safeguards for protecting e-PHI:
👩💼 Administrative Safeguards
A covered entity should have a security official in charge who will be responsible for the development and implementation of security policies and protocols.
🚪 Physical Safeguards
Covered entities must **limit physical access **to its facilities, especially the ones from where e-PHI can be stolen. For that purpose, you may do something as complex as the implementation of specific security systems (e.g. video surveillance) to smaller steps like using better window and door locks.
🤖 Technical Safeguards
Covered entities must implement procedures that make it possible to access e-PHI only for authorized persons. You should also introduce technical measures to prevent unauthorized access. This will require the implementation of specific authentication features from password protection to biometric verification.
More details on the Security Rule can be found on this HHS’s page.
The regulation introduces specific measures to be taken in case of a breach. Moreover, under HIPAA there are 2 different protocols for cases when the breach affected fewer than 500 people and 500 or more people.
If it’s impossible to calculate the number of affected people for sure, the covered entity should provide an estimate and then apply the protocol that fits the situation.
For breaches with 500+ affected people, the covered entity must notify the Secretary of the breach and no later than 60 calendar days from the discovery of the breach.
For breaches affecting fewer than 500 people, the covered entity must notify the Secretary of the breach no later than within 60 days of the end of the calendar year in which the breach was discovered.
More details on the Breach Notification Rule as well as links for submitting breaches can be found on this HHS’s page.
This rule outlines the procedures that take place when the covered entity is investigated as a possible HIPAA violator.
We won’t focus on that as it’s not what you need to become HIPAA-compliant. If needed, more details on the Enforcement Rule can be found on this HHS’s page.
The Rule introduces a framework by which covered entities may voluntarily report information to Patient Safety Organizations (PSOs) for the aggregation and analysis of patient safety events. Such information must be provided on a confidential basis.
It doesn’t play any big role when we’re talking about app or web compliance with HIPAA so we won’t focus on this part either.
More details on the Patient Safety Rule can be found on this HHS’s page.
If you’re looking for how to become HIPAA compliant, take a look at the checklist below:
HIPAA compliance checklist (image by DNSstuff)
Finally, let’s check on what step you can take to become PIPEDA compliant — if that’s your case, too!
PIPEDA stands for the Personal Information Protection and Electronic Documents Act. This is a Canadian data privacy law, adopted in 2000. The regulation introduces a set of consumer privacy standards which makes this law more similar to GDPR than to HIPAA.
Under PIPEDA, personal data is any factual or subjective information about an identifiable individual.
The definition is quite wide as it includes anything from a name, age, ethnicity, ID number and IP addresses to such things as employee files, medical or credit records, and even opinions, comments, and disciplinary actions.
Thus, it doesn’t matter that much what kind of a website or mobile application you’re building — most likely you’ll collect some information that can be recognized as personal data.
Note that PIPEDA has its own exceptions. Examples of sensitive data not covered by the regulation are:
Canadian regulation consists of 10 principles that make up the core of the document. In this paragraph, we’ll briefly review them and highlight key things you should consider to be PIPEDA-compliant.
The principles are somewhat similar to GDPR ones:
Also, you can check the full document by following this link.
The first principle requires organizations to comply with all 10 PIPEDA principles. It means that you must:
Your privacy management program should be available to both employees and customers: for example, on your website, within the app, or in a downloadable format.
Finally, don’t forget to regularly review the program and update it. Especially when you introduce new technologies and initiatives that relate to personal data management.
This principle is similar to the one you can find in GDPR. It obliges organizations to explain the purposes for collecting and processing personal data to customers. The key requirement here is that your purpose must be clear and reasonable.
Here's how Zoom identifies its purposes for sharing personal data:
Shot from the Zoom website
Also note that if you change the purpose of gathering specific information, you’ll need to obtain new consent from your customers. The organization must keep a record of all consents and purposes, and be able to provide them in case of an investigation.
It’s obvious that you should get prior consent before collecting or using the personal data of Canadian users. PIPEDA defines two forms of consent — express and implied.
Express is a more favorable form of consent so you should mostly rely on it. Also, organizations are required to ask for only express consent if:
You should also provide users with a right to withdraw their consent at any time, and with a right to proceed without consent for non-essential purposes (for example, if you’re collecting personal data solely for marketing purposes).
To comply with this PIPEDA principle, organizations must ask only for the minimum necessary amount of personal data they need to process.
How do you find out whether it’s a minimum possible amount or not? You should be able to explain why you need this exact type of personal information.
Moreover, by asking only for the really necessary you lower the cost of storing, processing, and archiving the data as well as reduce the risk and
possible damage from breaches.
PIPEDA allows organizations that work with users’ personal data to use or disclose it for 3 purposes:
For example, memrise, a language learning app, specifices how exactly it will use personal data:
Shot from the Memrise website
You shouldn’t keep personal data for a longer period of time than you need it. You should also provide users and employees with guidelines for deleting and retaining such information. The regulation also suggests setting minimum and maximum retention periods.
Under PIPEDA, organizations must minimize the possibility of using out-of-date or incorrect personal information.
The Office of the Privacy Commissioner of Canada offers the following PIPEDA compliance checklist for this principle to keep the information accurate and double-check whether it needs any amendments:
🔲 Have a list of data that you use and specify those items that need the most attention.
🔲 Specify where this information can be found and how it can be accessed.
🔲 Always record the date when you first get or update personal data.
🔲 Have a protocol (set of steps and rules) on how you verify the accuracy of data.
🔲 Develop a schedule to review the information and keep it updated.
It’s your direct responsibility to keep personal data safe and protected against loss, theft, or any illegal access, disclosure, or use. Yet, PIPEDA doesn’t specify particular safeguards you should implement to comply — it’s up for you to choose as long as they’re efficient.
Yet, the regulation suggests to implement a 3-level security system similar to the one mentioned in the HIPAA’s Security Rule:
Your policies and guidelines must be easily available and easily understandable. Avoid complex legal language as people need to be able to make an informed decision on whether to provide consent or not.
Your users should have easy access to their personal data that you collect, store, and use. If needed, you must explain how you obtained, used, and disclosed it.
PIPEDA sets up a 30-day timeframe to answer such a request. In some cases you may use additional 30 days — but only if you can provide a reasonable explanation for the delay.
Finally, the organization should provide full support to a user even when he or she challenges its compliance with PIPEDA. In other words, you should explain to users how they can file a complaint, describe the investigation procedures, and inform on how they protect their data privacy rights with help from regulatory bodies.
Thus, you should have a person in charge who will handle complaints and investigations within the company.
You can also check this page by the Office of the Privacy Commissioner of Canada for more details on the mentioned PIPEDA principles. We’ve also prepared a PIPEDA compliance checklist — take a look!
Note that it’s not an exhaustive list of things you need to do to comply with PIPEDA. The aim of this checklist is to sum up the key ideas of PIPEDA’s principles and focus your attention on things that require the most attention.
We hope now you know & understand more about how to comply with GDPR, PIPEDA, or HIPAA. Despite we highlighted all the key rules of these regulations in this article, we still strongly recommend either reaching out to experts in data privacy or carefully studying the original texts of regulations on your own.
But if you’re looking for a reliable Tech-Partner to support you with your Website or Mobile App Development — we’re here to help! Drop us a line by clicking a button below and we’ll see how we can contribute to your idea!
Was it helpful?
Top 5 Best Practices for Integrating ChatGPT in Your App
End-to-end Testing In-App Purchases in React Native Apps: Everything You Need to Know
How to Build SaaS App Like Spotify
Our clients say
They make the whole business work for us, and their improvements are fundamental to our operations. They’re reliable, honest, and willing to try new things that will help us. We appreciate how flexible and easygoing they are.
Pietro Saccomani, Founder