How to Make Sure Your App or Website is HIPAA, PIPEDA & GDPR Compliant

Published: May 2, 2022

Cybersecurity is crucial for any industry. Today most countries have their own data privacy regulations that you have no choice but to comply with. In the modern globalized world, things are even trickier: you may be a legal entity of country A, mostly operate in country B but have most customers from country C.

GDPR, PIPEDA, and HIPAA are a few big names in this field, so you’re likely subject to some or even all of them if you operate within the European or North American markets.

In this article, we’ll help you define whether you should comply with these regulations and what it actually means to be HIPAA-, PIPEDA- and GDPR-compliant.

✅ How to Define Whether You Must Comply with GDPR, PIPEDA, and HIPAA?

Let’s start by finding out who is subject to these regulations and whether your mobile application or website must comply with them.

GDPR

The Privacy Rule lists some of the activities and services that make an organization or person a business associate. It includes, but is not limited to, billing, data analysis, consulting, quality assurance, claims processing and administration, etc.

A few real-life cases may look as follows:

  • A pharmacy benefits manager that manages a health plan’s pharmacist network.
  • An independent medical transcriptionist that provides transcription services to a physician.
  • A third-party administrator that assists a health plan with claims processing.

If a business associate helps a covered entity carry out its healthcare functions and activities, it must have a written contract in which it’s specified what the business associate has been engaged to do.

At the same time, HIPAA isn’t applicable to businesses that may still deal with health information but are neither covered entities nor business associates. To name a few examples:

  • gyms and fitness clubs;
  • many mobile apps used for health and fitness purposes;
  • those who conduct screenings at pharmacies, shopping centers, health fairs, or other public places for blood pressure, cholesterol, spinal alignment, and other conditions.

More details on business associates, contracts, and exceptions can be found at the HHS’s website.

Finally, the Federal Trade Commission has an interactive tool to define whether your mobile app is subject to key data protection federal laws — HIPAA, FD&C Act, and FTC Act. You can check it out here.

👮‍♂️ What Are the Consequences of the GDPR, PIPEDA, and HIPAA Violation?

Now you have a better understanding of which regulations may apply to your business. But what are the possible consequences of not complying with them? We hope you never learn this from your own experience, so let’s take a look at the regulations themselves and at real-life cases.

Fines for GDPR breaches 💶

Fines for failing GDPR compliance or suffering a data breach are among the largest compared to other similar regulations.

According to Article 83, violators may be fined up to either €20 million or 4% of the annual global turnover of the preceding financial year (whichever is higher!).

It’s quite important to figure out how to comply with EU GDPR, as the Union is quite strict regardless of the size or status of the violators.

Talking about a few real-life cases:

  • In September 2020, the Premera Blue Cross health insurer paid $6.85 million due to a breach affecting over 10.4 million people.
  • In July 2020, Lifespan agreed to pay $1,040,000 as a result of an unencrypted stolen laptop breach.
  • In May 2019, MIE paid $100,000 and agreed to take corrective action in order to settle potential HIPAA violations. MIE is an Indiana company that provides software and electronic medical record services to healthcare providers.

In some cases, HIPAA violations may lead to criminal penalties. This applies, for example, to offenses committed with the intent to transfer, use, or sell personal health data for personal gain, commercial advantage, or malicious harm.

📖 GDPR, PIPEDA & HIPAA Compliance: Key Things to Know

Now that you know whether you’re subject to the mentioned regulations, as well as the possible penalties, let’s take a closer look at the documents that are relevant to you.

🇪🇺 GDPR

The GDPR stands for the General Data Protection Regulation. As we’ve mentioned earlier, this regulation was adopted by the European Union and affects all businesses and individuals that collect or process personal data of EU citizens.

But now let’s move to another regulation — HIPAA.

🇺🇸 HIPAA

HIPAA stands for the Health Insurance Portability and Accountability Act that standardizes protected health information management in the U.S.

The document is noticeably bigger than GDPR. Moreover, it’s presented in the form of separate chapters and subchapters.

If you’d like to check the official version of the regulation, you should use this link (Parts 160, 162, and 164 of Subchapter C of Subtitle A of Title 45 of Code of Federal Regulations — what’s not to like about bureaucratic language 🙃).

Finally, let’s see what steps you can take to become PIPEDA compliant — if that’s your case, too!

🇨🇦 PIPEDA

PIPEDA stands for the Personal Information Protection and Electronic Documents Act. This is a Canadian data privacy law, adopted in 2000. The regulation introduces a set of consumer privacy standards which makes this law more similar to GDPR than to HIPAA.

🔎 What personal data does PIPEDA protect?

Under PIPEDA, personal data is any factual or subjective information about an identifiable individual.

The definition is quite wide as it includes anything from a name, age, ethnicity, ID number and IP addresses to such things as employee files, medical or credit records, and even opinions, comments, and disciplinary actions.

Thus, it doesn’t matter that much what kind of a website or mobile application you’re building — most likely you’ll collect some information that can be recognized as personal data.

Note that PIPEDA has its own exceptions. Examples of sensitive data not covered by the regulation are:

  • info processed by federal government entities listed under the Privacy Act;
  • business-related contact details (name, title, email, address, phone number, etc.) that are used solely for communication in relation to their profession or employment;
  • information gathered solely for personal purposes (e.g. personal greeting card list);
  • information gathered solely for literary, journalistic, or artistic purposes.

Key elements of PIPEDA 📙

The Canadian regulation is built around 10 principles that make up the core of the document. In this section, we’ll briefly review them and highlight the key things you should consider to be PIPEDA-compliant.

The principles are somewhat similar to those of GDPR:

  1. Accountability.
  2. Purpose.
  3. Consent.
  4. Limitations.
  5. Duration.
  6. Accuracy.
  7. Protection.
  8. Transparency.
  9. Access.
  10. Challenge.

Also, you can check the full document by following this link.

# 1: Accountability 🤝

The first principle requires organizations to comply with all 10 PIPEDA principles. It means that you must:

  • Develop privacy policies and procedures and implement all necessary practices to protect personal data.
  • Appoint a data protection officer or another person who’ll be in charge of your website’s or app’s PIPEDA compliance.

Your privacy management program should be available to both employees and customers: for example, on your website, within the app, or in a downloadable format.

Finally, don’t forget to regularly review and update the program, especially when you introduce new technologies and initiatives that relate to personal data management.

# 2: Identifying Purposes 📲

This principle is similar to the one you can find in GDPR. It obliges organizations to explain the purposes for collecting and processing personal data to customers. The key requirement here is that your purpose must be clear and reasonable.

Here's how Zoom identifies its purposes for sharing personal data:

💡 Takeaways

We hope you now know and understand more about how to comply with GDPR, PIPEDA, or HIPAA. Although we highlighted the key rules of these regulations in this article, we still strongly recommend either reaching out to experts in data privacy or carefully studying the original texts of the regulations on your own.

But if you’re looking for a reliable Tech-Partner to support you with your Website or Mobile App Development — we’re here to help! Drop us a line by clicking a button below and we’ll see how we can contribute to your idea!
