Hushmail is HIPAA, GDPR, and PIPEDA compliant. How compliant do you need to be?

As a company that offers a secure, private, encrypted email service to individuals and businesses around the globe, it’s important that Hushmail is compliant with the privacy laws that govern our customers’ personal data.

In recent posts, we’ve talked quite a bit about the importance of maintaining compliance with the Health Insurance Portability and Accountability Act (HIPAA) in the United States. We’ve also addressed the importance of compliance with the European Union’s General Data Protection Regulation (GDPR) when it goes into effect this May.

Equally important to our customers are the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and related Canadian privacy legislation.

By way of comparison, HIPAA applies only to protected health information as handled by healthcare entities. PIPEDA is closer to the GDPR in that it applies to all personal information and governs all commercial entities, healthcare related and otherwise.

PIPEDA went into effect in 2000 and sets clear guidelines for the collection, use, and disclosure of personal information during any commercial activity.

Under PIPEDA, personal information is defined broadly: it includes specific facts, such as names, ID numbers, and medical and credit records, but also less specific information such as opinions, evaluations, and comments.

PIPEDA is much wider in scope than HIPAA, but it is also not completely standardized across Canada, which gives individual provinces some say in how its provisions are applied. If you’re interested in the differences from province to province, you can read about them here.

The main PIPEDA provisions are fairly straightforward and will sound familiar to those versed in HIPAA and the GDPR. PIPEDA places control of personal information with the individual by bestowing clearly defined rights:

  • An individual’s consent must be given before their personal information is collected, used, or disclosed by a commercial entity.
  • An individual has the right to access their personal information when held by an entity.
  • An individual has the right to challenge the accuracy of their personal information.
  • An individual’s personal information may only be used for the purpose for which it was originally given. Additional consent is required for additional uses.

Similar to HIPAA and the GDPR, PIPEDA requires businesses to put in place and inform customers of safeguards that will protect their personal information. Businesses are also required to notify their customers and the Privacy Commissioner of Canada if a breach occurs.

The ultimate goal of PIPEDA, HIPAA, and the GDPR is to protect individuals’ personal data. This is a goal that Hushmail thoroughly supports by being fully compliant with PIPEDA, HIPAA, the GDPR, and other applicable privacy legislation. It is important to us that our customers feel secure knowing that their personal information is safe with Hushmail.

We can also help you and your business secure your customers’ information as required. Because so much personal data is transferred over email and web forms, one of the first steps to becoming compliant with any of these laws is to ensure the security of your communications. Whether you are a private practice therapist or an ecommerce business, Hushmail provides numerous services that maintain the confidentiality and security of your emails and web forms.
