Compliance & Security | July 9, 2024 | 6 min read

PHIPA, PIPEDA, and Skin Health Data: What Patients Should Know

Two privacy laws, one provincial and one federal, govern how dermatologists and AI-assisted tools handle your skin health data in Canada. Here is what they protect, where they differ, and what you can do if something goes wrong.

As of July 9, 2024.

When you photograph a mole and send it to a dermatology platform, you are handing over something highly personal: an image of your body tied to a potential medical concern. Canadian law draws a clear boundary around that data. Two overlapping frameworks govern what happens next: PHIPA (Personal Health Information Protection Act) at the provincial level in Ontario, and PIPEDA (Personal Information Protection and Electronic Documents Act) at the federal level. Understanding both helps you ask the right questions before you share.

DermaDex is built on the premise that AI (Artificial Intelligence)-assisted dermatology should be trustworthy, not just fast. That means being transparent about how the laws that protect you actually work. Learn more about us or contact our privacy team if you have specific questions about your data.


Is Canada HIPAA or PIPEDA?

Short answer: Canada uses PIPEDA, not HIPAA. PIPEDA is Canada's federal private-sector privacy law, and provinces like Ontario have layered PHIPA on top for health-specific contexts. These two systems address similar goals but operate under different scopes and enforcement bodies.

In the United States, the Health Insurance Portability and Accountability Act sets a single national standard for protected health information. Canada took a different path. PIPEDA, passed in 2000 and fully in force by 2004, covers all personal information collected, used, or disclosed by private-sector organizations in the course of commercial activity. It applies coast to coast but was designed as a broad baseline, not a health-specific statute. Ontario responded with PHIPA in 2004, a detailed provincial law aimed at health information custodians: hospitals, physicians, pharmacists, and any organization that collects health data on their behalf. When both laws apply to the same situation in Ontario, PHIPA generally takes precedence because it is the more specific statute. Other provinces have their own health privacy legislation. The result is a patchwork that patients encounter without always knowing which law applies. Health Canada summarizes federal privacy governance at canada.ca.


What does PIPEDA not cover?

Short answer: PIPEDA does not apply to non-commercial activities, personal or journalistic use, or the core health functions of provincially regulated public institutions like public hospitals. Those gaps matter for patients who assume one federal law covers all their health data.

Public hospitals, provincial health authorities, and publicly funded long-term care facilities fall outside PIPEDA's scope for their core clinical functions. They are subject instead to provincial freedom-of-information and health privacy statutes. In Ontario, that means PHIPA governs those institutions. Federally regulated employers such as airlines and banks that collect employee health data are covered by PIPEDA, but the physicians treating those employees are not. For patients using private dermatology platforms, PIPEDA almost certainly applies to the platform itself. If the platform operates in Ontario or handles Ontario residents' data, PHIPA may apply simultaneously. A dermatology app that processes skin images for commercial AI analysis is exactly the kind of private-sector activity PIPEDA was designed to govern. Canada's federal privacy framework overview is published at canada.ca.


What is a HIPAA violation called in Canada?

Short answer: The equivalent is a privacy breach. Under PHIPA, unauthorized use or disclosure of personal health information is called a privacy breach. Under PIPEDA it is called a breach of security safeguards. Both trigger mandatory notification requirements and carry substantial financial penalties.

Under PHIPA, a health information custodian who loses control of personal health information must notify affected individuals and the Information and Privacy Commissioner of Ontario. Fines for organizations can reach $500,000 per offence. Under PIPEDA breach notification regulations in force since November 2018, private-sector organizations must report breaches that create a real risk of significant harm to both the Privacy Commissioner of Canada and affected individuals. Skin health data is especially sensitive. A dermatology image that reveals a hereditary condition or a medication's side effect can affect insurance eligibility and employment. The threshold for what counts as significant harm is lower than most patients expect. If your data is involved in a breach, you have a right to receive direct notification. The CMA (Canadian Medical Association) publishes guidance on physician obligations at cma.ca.


What is the PIPEDA in Canada?

Short answer: PIPEDA (Personal Information Protection and Electronic Documents Act) is Canada's federal private-sector privacy law, passed in 2000 and fully in force by 2004. It establishes 10 fair-information principles that every covered organization must follow when collecting, using, or disclosing personal information, including health data collected by dermatology platforms.

The 10 principles are: accountability, identifying purposes, consent, limiting collection, limiting use and disclosure, accuracy, safeguards, openness, individual access, and challenging compliance. For dermatology patients, the most actionable are consent, individual access, and safeguards. Consent means the platform must tell you what it will do with your skin images before it does so. Individual access means you can request a copy of all data held about you and ask for corrections, and the organization has 30 days to respond. Safeguards means the organization must protect your data with security proportional to its sensitivity, which for identifiable health images is high. A 2022 study in PMC examined how Canada's layered privacy framework performs for health data: pmc.ncbi.nlm.nih.gov. The Canadian Dermatology Association also maintains patient-facing guidance at dermatology.ca.


How do PHIPA and PIPEDA protect skin health data specifically?

Short answer: Both laws treat photographs, AI analysis results, EMR (Electronic Medical Record) entries, and EHR (Electronic Health Record) fields about skin conditions as sensitive personal information that requires explicit consent, strict storage limits, and breach notification. Together they create a two-layer protection for dermatology data in Ontario.

The table below compares the two frameworks across dimensions that matter most for dermatology patients.

Dimension            | PHIPA (Ontario)                                                  | PIPEDA (Federal)
---------------------|------------------------------------------------------------------|------------------------------------------------------------------------
Scope                | Health information custodians in Ontario and their agents        | Private-sector organizations across Canada in commercial activity
Data covered         | All personal health information: diagnoses, images, AI scan results | All personal information, including health data in commercial contexts
Consent model        | Express consent for sensitive uses; implied consent for treatment | Meaningful consent; express consent for sensitive information
Patient access right | Request records within 30 days                                   | Request access; organization has 30 days to respond
Breach notification  | Notify IPC Ontario and affected individuals                      | Notify Privacy Commissioner and affected individuals if real risk of harm
Enforcement body     | Information and Privacy Commissioner of Ontario                  | Office of the Privacy Commissioner of Canada
Maximum fine         | $500,000 per offence                                             | $100,000 per summary conviction offence
Retention            | As long as needed to exhaust legal recourse                      | Only as long as necessary for the identified purpose

For a patient using a private dermatology platform in Ontario, both columns apply simultaneously if the platform qualifies as a health information agent under PHIPA.


What rights do patients have over their skin health records?

Short answer: You have the right to access your records, correct inaccuracies, withdraw consent for non-treatment purposes, and file a complaint with the relevant commissioner. Exercising these rights costs nothing, and organizations cannot refuse or charge excessive fees for complying.

In practice, exercising these rights starts with a written request to the platform or provider holding your data. Under PHIPA, custodians must respond within 30 days. They can charge a reasonable fee for producing the records but cannot refuse simply because the request is inconvenient. If a platform is using your de-identified skin images to train an AI model, it must have obtained your separate consent for that purpose. Many platforms bundle this into lengthy terms of service. Under PIPEDA's principle of identifying purposes, they are required to state the purpose at or before the time of collection in language you can reasonably understand. Complaints about a private dermatology platform go to the federal Privacy Commissioner. Complaints about a physician or hospital go to the Information and Privacy Commissioner of Ontario. A peer-reviewed study on Canadian health data privacy regulations published on PubMed provides further background: pubmed.ncbi.nlm.nih.gov.


Sources

  • Health Canada. Access to information and privacy. canada.ca (updated July 2022)
  • Canadian Medical Association. CMA home page. cma.ca
  • Canadian Dermatology Association. dermatology.ca
  • Sarabdeen J et al. Creating standards for Canadian health data protection during and after COVID-19. PMC, 2022. pmc.ncbi.nlm.nih.gov
  • Sarabdeen J. Health information privacy regulations in Canada. PubMed, 2022. pubmed.ncbi.nlm.nih.gov
