Which Healthcare Laws Apply to Healthcare App/Software in Canada?


Healthcare laws have long been a major challenge, largely because there are so many of them. Matters get worse because the laws rarely suggest how they should be implemented.

Whether it is HIPAA, PHIPA or PIPEDA, there are many differences you should know about if you are planning to develop a healthcare app or software. According to our internal data, 3 out of 5 healthcare entities and entrepreneurs struggle with healthcare laws in Canada.

Thus, we’ve introduced our dedicated healthcare compliance consulting service to help healthcare entities and entrepreneurs avoid fines for healthcare law violations by following all laws and regulations in the healthcare industry.


Major Healthcare Laws People Are Confused About

This is what all entrepreneurs and healthcare entities complain about. Both the Canadian federal government and the provincial governments have imposed different healthcare laws, which certainly promote data privacy but also increase complexity on the ground.

These are the 3 most popular healthcare laws that people are most confused about.

HIPAA:

HIPAA (Health Insurance Portability and Accountability Act) was enacted by the US federal government, so it applies only in the USA.


PIPEDA:

PIPEDA (Personal Information Protection and Electronic Documents Act) was enacted by the Canadian federal government, so it applies only in Canada. Within Canada, it applies to all organizations that collect, use and share personal information in the course of commercial activities.

PHIPA:

PHIPA (Personal Health Information Protection Act) was enacted by the Ontario provincial government, so it applies only in Ontario, Canada. PHIPA applies only to healthcare organizations that collect, use and disclose personal health information, whether or not in the course of commercial activities.

The Difference Between HIPAA and PIPEDA

HIPAA and PIPEDA are the principal laws ensuring data security and privacy in the USA and Canada respectively. However, several factors draw a line between them.

HIPAA:

  • HIPAA governs the privacy and security of PHI for certain sectors of the healthcare industry.
  • Health insurers, healthcare providers and health exchange organizations are required to follow this law.
  • It protects data related to patients’ past, present and future health conditions, treatments and payments.

PIPEDA:

  • PIPEDA applies to all personal data in all industries, including healthcare.
  • All kinds of businesses that collect, use and share personal information in the course of commercial activities are required to follow this law.
  • It protects all kinds of personal data about users, such as name, ID number, blood type, income, opinions, medical records, comments, social statements, payments and ethnic origin.

The Difference Between HIPAA and PHIPA

The goal of HIPAA and PHIPA is the same: ePHI security. However, there are areas where they do not have parity.

HIPAA:

  • HIPAA focuses on methods. It prescribes specific ways to protect ePHI, such as facility access controls, workstation security and authentication.
  • IT service providers such as cloud or email providers are not required to notify healthcare clients of breaches.
  • IT service providers are not obligated to provide a plain-language description of the service.
  • IT service providers must meet portions of HIPAA: they should adhere to HIPAA’s Security Rule and sign a “business associate agreement” with each healthcare client.

PHIPA Ontario:

  • PHIPA focuses on objectives. It only asks healthcare providers to take ‘responsible steps’ to protect ePHI.
  • PHIPA makes it compulsory for IT service providers to notify healthcare clients of breaches.
  • IT service providers must provide a plain-language description of the service.
  • IT service providers that serve healthcare organizations must follow PHIPA.

Healthcare App Development Laws in Canada's Top Provinces

Each Canadian province has imposed its own privacy law, broadly similar to the federal law, PIPEDA. The following are the top Canadian provinces with separate privacy laws.

Alberta:

The Personal Information Protection Act (PIPA) took effect in Alberta on January 1, 2004. It enables individuals to request access to their personal information and provides a framework for private organizations to collect, use and disclose personal information securely.


British Columbia:

The Personal Information Protection Act (PIPA) took effect in British Columbia on October 23, 2003. It governs the following activities:

  • Collection of Personal Information
  • Use of Personal Information
  • Disclosure of Personal Information
  • Access to and Correction of Personal Information
  • Administration
  • Care of Personal Information


Quebec:

The Act Respecting the Protection of Personal Information in the Private Sector applies in Quebec, but only to private-sector entities.


Ontario:

The Personal Health Information Protection Act (PHIPA) was established in November 2004. It was designed to give individuals greater control over their data and to protect personal information across the healthcare sector.


New Brunswick:

The Personal Health Information Privacy and Access Act took effect in New Brunswick on June 19, 2009. The act applies to personal health information collected, used and disclosed by healthcare organizations.


Nova Scotia:

The Personal Information International Disclosure Protection Act (PIIDPA) is Nova Scotia’s provincial law. An individual who violates this law is liable for a fine of up to $2,000. The fine increases to $25,000 for businesses and $500,000 for corporations.


Can You Store PHI Outside of Canada?

Except for British Columbia and Nova Scotia, all Canadian provinces allow healthcare entities to store PHI outside of Canada.

British Columbia and Nova Scotia, by contrast, restrict healthcare entities from storing PHI outside of Canada, even when the data is encrypted.

Who Has to Follow Healthcare Laws?

Healthcare laws are established to keep the healthcare sector safe from intruders and hackers.

This means that any organization storing, using or sharing sensitive healthcare and personal data must adhere to healthcare laws and regulations.

Healthcare laws in Canada classify organizations into two classes. Both must follow healthcare laws.

Covered Entities

Covered entities are those that provide healthcare services to users and carry out financial and administrative transactions electronically.

Business Associates

Business associates are those that partner with covered entities to provide additional IT and non-IT services.

In other words, business associates store, use and disclose ePHI on behalf of covered entities. AWS is the best example of a business associate.

The Roles of Our Healthcare Compliance Consultants (you can hire them)

If your digital healthcare product, whether a mobile app or software, stores, uses or shares patients’ personal information electronically, it must work in the manner laid down by the federal and provincial governments in their various healthcare laws.

However, developing a digital healthcare product that complies with healthcare laws, and carrying out regular compliance audits, is a daunting task.

This is where a healthcare compliance consultant comes in. Their roles include:

  • Carry out security standard audits, asset and device audits, and security risk assessments
  • Discover the app/software security gaps that leave ePHI open to unauthorized users
  • Find workable solutions to close those security gaps
  • Assist the development team in implementing those solutions
  • Create an organization-wide security policy
  • Carry out compliance audits
  • Help you address regulations imposed by non-government regulatory bodies

To see our healthcare compliance consultants in action, read our case study, which reveals how we helped a development firm close 47 security gaps to develop a HIPAA-compliant healthcare app.

You can connect to Canada’s best healthcare compliance consultant by filling out the following form.
