How Do HIPAA Laws Apply to Canadians, and What Is PIPEDA?

By Joseph Abear

HIPAA does not apply in Canada; it is a United States law. Canadian organizations handling personal health information are governed by PIPEDA at the federal level and by provincial laws such as Ontario's PHIPA. A Canadian provider only encounters HIPAA when it acts as a business associate to a US covered entity, in which case the Business Associate Agreement (BAA) contractually imposes HIPAA obligations.

TL;DR: Quick answer

  • HIPAA is a US law and does not apply to Canadian organizations.
  • Canada's federal PIPEDA and provincial laws like Ontario's PHIPA govern health data there.
  • A Canadian vendor can still be bound to HIPAA contractually via a BAA with a US client.
  • Canadian providers should comply with their own laws first, then any BAA obligations.

Does HIPAA apply in Canada?

No. HIPAA governs US covered entities and their business associates. A Canadian clinic, hospital, or vendor operating only in Canada is not subject to HIPAA. Its obligations come from Canadian law.

What is PIPEDA, and how does it relate to PHIPA?

PIPEDA, the Personal Information Protection and Electronic Documents Act, is Canada's federal private-sector privacy law and applies to personal information, including health information, in many commercial contexts. Some provinces have their own health-privacy laws that apply instead, such as Ontario's PHIPA. Which law governs depends on the province and the type of organization.

When does a Canadian organization deal with HIPAA?

Only by contract. If a Canadian company processes PHI for a US covered entity, it signs a BAA and takes on HIPAA obligations for that work. In that situation the Canadian organization must satisfy both Canadian law and the HIPAA requirements in the BAA.

Frequently asked questions

Does HIPAA apply in Canada?

No. HIPAA is a US law. Canadian organizations follow PIPEDA or applicable provincial health-privacy laws.

What is the Canadian equivalent of HIPAA?

There is no single equivalent. PIPEDA applies federally, and provinces like Ontario have specific health-privacy laws such as PHIPA.

Can a Canadian company sign a BAA?

Yes. A Canadian company serving a US covered entity can sign a BAA and meet HIPAA requirements for that engagement.

Where to go from here

For a direct comparison, see "HIPAA vs PHIPA" and "Is HIPAA universally applicable?".

This guide is general information, not legal advice. Confirm your obligations under PIPEDA, provincial law, or a BAA with qualified counsel.