Michael Nikitin
CTO & Co-founder AIDA, CEO Itirra
The Health Insurance Portability and Accountability Act is the primary source of privacy regulations for US healthcare providers, health insurers, and many employers. But from 2018, organizations whose patients or clients are EU residents must have been following different rules. The General Data Protection Regulation (GDPR) was enacted to strengthen the privacy of EU citizens and give them more control over how their data is used.
If you process the personal data of EU citizens, you need to ensure compliance with GDPR, even if your practice or company is located in the US. While it is true that there is a lot of overlap between HIPAA and GDPR, there are some key differences – businesses should not assume that if they are already compliant with HIPAA, they will automatically be on the right side of European regulators.
Here, we’ll take a closer look at the GDPR, what it says about health information, how it differs from HIPAA, and what US organizations can do to become and stay compliant.
What is GDPR?
General Data Protection Regulation (GDPR) is one of the world’s strictest privacy and security laws. GDPR became law on May 25, 2018, after the EU took its data protection reforms seriously and created a unified regulatory framework across Europe. GDPR empowers citizens to control how their data is used and requires companies to implement data protection measures to protect personal data from theft, fraud, and misuse.
GDPR requires companies to protect the privacy of customers residing in the EU, but it can also protect the privacy of personal data processed outside territories such as the EEA (European Economic Area).
In addition to protecting consumer data, businesses are committed to following GDPR requirements as it helps avoid hefty fines for non-compliance, which can cost offending companies as much as 4% of their annual global revenue. GDPR-compliant companies that confirm their commitment to improving data security demonstrate that they value customer privacy.
What is HIPAA?
Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is a comprehensive data protection legislation. It provides a set of customer privacy and confidentiality requirements for healthcare providers, health insurers, third-party vendors, and employees who handle personal health information.
The Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) enforces HIPAA. If your company does not comply, you risk substantial fines and damage to your company’s professional reputation.
Under HIPAA, organizations that handle PHI must take necessary security measures, such as implementing data governance procedures to protect customers’ personal information. Privacy, security, and breach notification rules are all part of the law. Together, these three rules safeguard people’s privacy and allow them access to their personal information.
What are the key differences between GDPR and HIPAA?
Does HIPAA compliance automatically make my organization GDPR compliant? What are the key points to consider when pursuing GDPR and HIPAA compliance? Which data protection regulation takes precedence over the other – GDPR or HIPAA?
Controlling access to sensitive information, ensuring corporate privacy, and detecting unauthorized changes to personal data are some of the things HIPAA and GDPR have in common. However, upon closer inspection, their differences become more apparent. Let’s take a closer look at the most important distinctions.
Protected information
GDPR protects Personally Identifiable information (PI), while HIPAA deals with the security of Personal Health Information (PHI). PI refers to data that can identify an individual. At the same time, PHI includes, in addition to personal information, information created or collected by a HIPAA Covered Entity about an individual’s health, care, or payment.
Coverage
GDPR applies to organizations that process or deal with the personal data of EU citizens. In contrast, HIPAA defines and applies to Business Associates and Covered Entities that handle PHI, including healthcare providers, health plans, and clearinghouses.
Scope
Geographically, HIPAA applies to companies within the United States, while GDPR applies globally to organizations that process the personal data of EU citizens.
HIPAA’s privacy rules are designed to protect patient PHI created and handled by healthcare providers, insurance providers, and clearinghouses. The GDPR is much broader in scope. It is designed to protect any information by which an individual can be directly or indirectly identified, such as contact information and copies of correspondence, which HIPAA may not cover.
The GDPR also covers all controllers and processors of this data. This means that organizations operating in the broad healthcare space, such as health and fitness app providers, must ensure GDPR compliance — even if they are outside the scope of HIPAA.
Data processing
HIPAA is very descriptive when it comes to data disclosure. It states that you can disclose PHI without the patient’s consent, but only for treatment purposes, securing payment, and in connection with the work of a healthcare provider. For all other purposes, you must obtain the patient’s express consent.
GDPR takes a different approach. Affected entities need to identify all data processing activities, not only disclosure but also storage and movement within their organizations. For each activity, there must be a legal basis for it. Here are some examples of how it works:
Obtain financial information to secure patient payments. Its legal basis is the performance of the contract with the patient.
Use the contact information to send marketing and fundraising messages to patients. Both HIPAA and GDPR require specific consent to do so.
Data storage. HIPAA requires that clinical records must be retained for a minimum of six years. Therefore, the appropriate legal basis for retaining records during this period is to enable you to comply with your legal obligations.
Consent
HIPAA allows the disclosure of PHI without patient consent in certain circumstances. Still, the GDPR does not allow sharing and using information without the express permission of the party in question.
Under HIPAA, healthcare providers can share personal health information with other healthcare providers and even with other business partners for treatment purposes without the patient’s consent. However, according to the GDPR guidelines, any interaction with personal data not directly related to the customer must be done with the customer’s express consent.
Consumer rights
GDPR gives consumers complete control over how their personal data is used. Customers have a right to know where their data is being used and request to have their data deleted. HIPAA regulations, on the other hand, do not establish such rights for individuals.
Data breaches
Healthcare providers that care for patients and comply with different frameworks and regulations are concerned about data breaches and what to do if they happen. According to GDPR, violations of individual rights must be reported to the relevant supervisory authority within 72 hours, regardless of their size or impact, and service providers must report violations to their regulators.
In comparison, the HIPAA breach notification rules require affected companies and business partners to notify potentially affected individuals when unsecured PHI has been compromised. It states that if more than 500 people are affected, you must notify each affected person and the OCR within 60 days. For minor violations, you must notify the OCR and those involved within the annual reporting period.
Penalties
GDPR and HIPAA impose hefty fines in case of non-compliance. The former carries a fine of up to 20 million euros or 4% of global annual turnover, whichever is higher. The latter, by contrast, established penalties for violations based on the degree of negligence, ranging from $100 to $50,000 per violation (or record) and up to $1.5 million per year for repeat violations.
How to comply with GDPR and HIPAA?
Organizations looking to be GDPR- and HIPAA-compliant, especially those involved in healthcare, need to map the requirements of both regulations to establish conditions that go hand in hand. We recommend that you start your compliance efforts with the following steps.
Evaluate and assess data
Organizations must first conduct a data assessment to understand the volume and type of sensitive data they handle. This helps them scope environments and develop policies to protect sensitive data, and it also makes it easier to prioritize data based on its sensitivity and risk exposure. Sensitive data needs to be continuously inventoried and assessed to ensure that organizations understand where all sensitive data resides and where it is vulnerable.
Identify data risks
Organizations should assess the security posture of their environment to assess their risk exposure and resilience to threats. This should be evaluated against regulatory requirements to identify gaps and required controls. Assessments help plan the implementation of security controls and measures to ensure data security and compliance.
Develop privacy frameworks
Organizations must design and develop privacy policies, procedures, and frameworks based on compliance goals. Once the data and risk exposure assessments have been performed, the organization can create appropriate policies and procedures to meet the requirements based on the identified gaps.
Are there similarities between HIPAA and GDPR?
GDPR and HIPAA are strict regulations requiring organizations to take the necessary steps to protect the security, integrity, and confidentiality of personal data. Organizations that are HIPAA- or GDPR-compliant already have similar safeguards in place to protect data. While there are more differences than similarities between HIPAA and GDPR, there are some framework overlaps as both require:
controlled access to sensitive data
methods to detect unauthorized changes to PHI
encryption of PHI at rest and in transit
a designated Data Protection Officer
organizations to have security that ensures customer and patient data privacy
HIPAA and GDPR compliance are legal requirements that benefit organizations and the people they serve. While each involves different rules and regulations, they overlap in their goals and processes for protecting data subjects.
If your clinic or healthcare company is already HIPAA-compliant, you may have several technical safeguards in place to protect patient data, bringing you closer to GDPR compliance. Both legislations require control over access to sensitive data, methods to detect unauthorized changes to PHI, and encrypt PHI at rest and in transit.
Conclusion
Despite fundamental differences, the two frameworks have some areas of overlap, notably concerning data subject privacy protection. If your organization is already HIPAA- or GDPR-compliant, you already have several safeguards in place to protect your data. Understanding the difference between GDPR and HIPAA compliance can be challenging, especially when focusing on business operations and growth.
HIPAA and GDPR have significantly impacted the healthcare industry, but by adhering to modern IT security standards, healthcare providers can reduce internal and external threats to their PHI. However, lack of encryption, insecure communication channels, and inconsistent access controls are common problems with healthcare software. Even something as trivial as a push notification can lead to a HIPAA violation, and developing secure and HIPAA-compliant software is always a challenge.
At Itirra, we know how to build secure software for healthcare companies that need it. Our team has extensive experience in building comprehensive healthcare solutions. Contact us today to learn how to achieve and maintain HIPAA compliance while building software for your business.