In the compliance world, a source of many questions is how GDPR and HIPAA are different. Many people are required to comply with both if their work relates to the healthcare system in the United States or with any personal data in the United Kingdom. In this article we’ll do a quick breakdown of the key distinctions between these two laws.
The GDPR governs the use of all personal data of the persons that fall within its scope, while HIPAA has a much more focused scope, only applying to protected health information (PHI). Below we’ll break down the core points of what HIPAA and GDPR do.
Personal Data: Any data that relates to, or can lead to the identification of a living person. This includes:
Protected Health Information: Any information about health status, care, or payment that is created or collected by a HIPAA Covered Entity (or a Business Associate of a Covered Entity), that can be linked to a specific individual. This includes:
In GDPR, you’re either a processor or a controller. The structures don’t mirror each other 100%, but controllers, like covered entities, are the organizations that ultimately own personal data, whereas processors, like business associates, provide services, or data processing, for controllers. GDPR defines controllers as a “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data.” GDPR defines entities based on the ownership of data.
In HIPAA, you’re either a Covered Entity (CE) or a Business Associate (BA). For example, subcontractors are just business associates of business associates. A hospital would be considered a covered entity, and a software company offering a service to a hospital would be a business associate. HIPAA strictly defines covered entities based on functions in healthcare as providers, payers, and clearinghouses. HIPAA defines entities based on the function of the organization.
This law sets compliance standards for all entities that fall within its scope. That scope is:
This regulation sets standards for covered entities and their business associates. HIPAA applies to anyone dealing with PHI of US citizens and any entity or business intending to do business and deliver their services in the United States.
Explicit consent is required for the processing of personal health data (which falls under sensitive data). However, the data may be processed without consent if it meets one of the conditions of processing in Article 9 of the GDPR and a legal basis applies.
HIPAA allows disclosure of some PHI for “treatment purposes” without the consent of the individual. More clarification on this can be found here.
Under the GDPR, individuals (Data Subjects) have the right to be forgotten (or to have their data deleted upon request).
On the other hand, HIPAA does not grant this right to be forgotten. The PHI belongs to the doctor, who doesn’t have to comply with such a request, whereas under GDPR compliance is required. Part of this is due to the nature of healthcare-related services, where patient or insurance records are required to be kept for years on end.
Under the GDPR, the Supervisory Authority must be notified of a breach within 72 hours. Affected persons must also be notified.
Organizations must protect PHI and limit disclosure under the HIPAA Privacy Rule. Covered entities must also notify affected individuals of security breaches. If more than 500 people are affected, both affected individuals and the Department of Health must be informed within 60 days.