HIPAA and GDPR Compliance: A comparison
Organizations that operate in the United States typically know that they have to take all of the steps to reach HIPAA compliance. After they’ve done this, the next question is often “Does that mean I’m GDPR compliant too?” Since companies don’t want to be restricted in who can be their clients based on location, they are seeking to be compliant with both regulations. If you will be accessing the sensitive data of EU residents at any point, then you are subject to GDPR.
The short answer to that key question is that reaching HIPAA compliance does not give you GDPR compliance. However, these two laws do have a great deal of overlap and the safeguards and policies you have put in place for HIPAA will make it much easier to also become GDPR compliant.
First we’ll do a quick overview of the Health Insurance Portability and Accountability Act of 1996 which is the key data protection legislation in the United States. HIPAA was passed to help transferability and efficiency in the healthcare industry while ensuring that protected health information (PHI) is kept entirely secure.
Related: HIPAA Compliance Requirements
The General Data Protection Regulation, or GDPR, is a law regarding data protection and privacy within the European Union (EU). This regulation is designed to make sure that an individual’s personally identifiable information (PII) is protected. GDPR was adopted in 2016 and became enforceable in May of 2018, making it considerably newer than the HIPAA policies that many organizations already know of.
Answering Common Questions
What Kind of Information is Protected?
The type of information that relates to HIPAA compliance is narrowly defined as protected health information, or PHI. In this context, PHI is any medical information that could potentially be used to identify the individual and is created, used, or disclosed in the course of providing healthcare services. This definition includes the 18 specific identifiers that appear in medical records, billing information, insurance records and other identifiable health information.
Under GDPR compliance standards, sensitive personal data is defined much more broadly than it is under HIPAA as it is not restricted to just the healthcare industry. PII, personally identifiable information within GDPR refers to any data concerning health plus ethnic origin, political affiliations, religious beliefs, genetic data, etc. Unlike HIPAA, this is not exclusive to information obtained by the organizations underneath the law.
What Organizations Must be Compliant?
Since GDPR covers a broader range of identifiable information, it also covers all processors and carriers of that information. The law refers to them as Data Controllers and Data Processors as the ones who control how the data is processed and those who act on behalf of the controllers, respectively. Although it is more comprehensive, these organization definitions are roughly just the European version of the HIPAA organizations.
As we have mentioned before, HIPAA specifically applies to covered entities and their business associates. A covered entity is any organization that provides treatment, payment or operations in healthcare whether that makes them healthcare providers, health plans or health care clearinghouses. On the other hand, a business associate is any person or organization that provides a service to the covered entity that requires them to create, store or disclose PHI through this job function.
What is the Cost of Noncompliance?
All of the requirements for certain organizations putting safeguards in place to keep PHI secure are incredibly important for the patients as well as for the organizations to avoid the high cost of noncompliance.
HIPAA has a 4-tier approach to fines for noncompliance based on the perceived level of negligence of the organization leading up to the breach of information. These tiered fines can go all the way up to $1.5 million a year. In addition to monetary penalties, punishment can also be seen in the form of criminal charges and even jail time.
Under GDPR, there are only two tiers of penalties for organizations that are found to be noncompliant with the regulation. Although there are less tiers, they come at a much higher financial cost. GDPR fines can go all the way up to 4% of the company’s annual global revenue or 20 million euros for the most serious form of violation.
Major Differences Between the Two
As we have mentioned above, the key difference between these two regulations is the type of information that they focus on with HIPAA being specific to PHI versus GDPR more broadly protecting personal data. This difference does affect the organizations that need to be in compliance with one or both of these laws.
Another major difference from HIPAA to GDPR is when express consent is needed from the patient before using or disclosing their personal data. Under HIPAA, healthcare providers are able to send or use PHI amongst providers freely as long as it is used for “treatment purposes.” GDPR requires explicit consent from the EU patients for any disclosure of this information that is not part of direct patient care. Those definitions may sound similar, but HIPAA defines treatment more broadly which allows more types of communications to be included within treatment purposes. GDPR providers must have patients consent to be opted in for any email or text messaging and certainly for advertising purposes.
For organizations that operate in the healthcare industry across the globe, being aware of and compliant with the necessary privacy regulations is extremely important. Luckily, if you have taken all the necessary steps and achieved HIPAA compliance through Accountable, then you have already set up policies to protect most forms of personal data, assigned staff members to manage compliance, and completed training for all employees. All of these pieces and more have put you much closer to reaching compliance with GDPR.