What is the difference between HIPAA and GDPR? What’s the jurisdiction and scope of both laws? Do you have to comply with HIPAA and GDPR rules separately?
This article will discuss the key differences between HIPAA and GDPR and offer guidance on ensuring your digital healthcare solution complies with both.
Information Covered Under HIPAA
The Health Insurance Portability and Accountability Act, commonly known as HIPAA, was enacted in 1996 to ensure the privacy and security of individuals’ health-related data, also called Protected Health Information (PHI).
Examples of PHI include:
- Individual’s full name.
- Residential details such as street address, city, county, and postal code (anything more specific than the state).
- Dates directly related to the individual, such as birth, hospital admission, discharge, and date of death (all elements except the year), and the exact age of anyone 90 or older.
- Contact numbers, both landline and mobile.
- Numbers associated with fax machines.
- Email contact details.
- Social security numbers.
- Medical record numbers.
- Health plan beneficiary numbers.
- Bank or other financial account numbers.
- Certificate or license numbers.
- Vehicle identifiers and serial numbers, including license plate numbers.
- Device identifiers and serial numbers.
- Website addresses.
- IP addresses used for internet connections.
- Biometric identifiers like voice or fingerprint patterns.
- Photographic images and comparable identifying images.
- Any other unique number, characteristic, or code that could single out the individual.
HIPAA compliance software can help you ensure that PHI is protected so you can focus on other aspects of your healthcare application.
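Because several of the identifier categories above (SSNs, phone numbers, email addresses, IP addresses, postal codes, record numbers, dates, and ages of 90 and over) have recognisable shapes, a defender can scan application logs and exports for them before they leave a controlled environment. The following scanner and redactor is an added example written for this article, not code from the original page or from any product it mentions; the regular expressions, the `MRN` label, and the sample log line are illustrative assumptions, and free-text names such as a patient's full name cannot be caught this way.

```python
import re

# Illustrative patterns (an assumption, not an exhaustive de-identification tool)
# for a subset of the identifier categories listed above. Order matters: the more
# specific patterns run first so the broad ZIP rule never eats part of an SSN.
PHI_PATTERNS = [
    ("URL",   re.compile(r"\bhttps?://\S+")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")),
    ("IPV4",  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("MRN",   re.compile(r"\bMRN\s*#?\s*\d{6,}\b", re.IGNORECASE)),  # assumed label format
    ("ZIP",   re.compile(r"\b\d{5}(?:-\d{4})?\b")),
]
# Dates and ages are handled separately: the year of a date may be kept, and an
# age is identifying only when it is 90 or older (reported as "90+").
DATE_RE = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")
AGE_RE = re.compile(r"\b(age\s*)(\d{1,3})\b", re.IGNORECASE)

def find_phi(text: str) -> list[tuple[str, str]]:
    """Return (category, matched_text) pairs for every identifier found in text."""
    hits = [(cat, m.group(0)) for cat, pat in PHI_PATTERNS for m in pat.finditer(text)]
    hits += [("DATE", m.group(0)) for m in DATE_RE.finditer(text)]
    hits += [("AGE", m.group(0)) for m in AGE_RE.finditer(text) if int(m.group(2)) >= 90]
    return hits

def redact_phi(text: str) -> str:
    """Replace identifiers with bracketed placeholders; keep date years, cap ages at 90+."""
    for cat, pat in PHI_PATTERNS:
        text = pat.sub(f"[{cat}]", text)
    text = DATE_RE.sub(lambda m: f"{m.group(1)}-XX-XX", text)
    text = AGE_RE.sub(lambda m: m.group(0) if int(m.group(2)) < 90
                      else f"{m.group(1)}90+", text)
    return text

# Constructed sample log line (not from any real system) mixing several categories.
# Note that the name "Jane Doe" is PHI too, but no regex here can recognise it.
SAMPLE = ("2024-03-15 10:22:01 visit for Jane Doe, MRN 00123456, SSN 123-45-6789, "
          "phone 555-123-4567, email jane.doe@example.com, client 10.0.0.25, "
          "zip 02139, age 92, spouse age 67")

if __name__ == "__main__":
    for cat, val in find_phi(SAMPLE):
        print(f"{cat:6} {val}")
    print(redact_phi(SAMPLE))
```

Running the scan over a log pipeline in detection-only mode (`find_phi`) before switching on `redact_phi` shows which fields an application is leaking without altering any records.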
Who Needs to Be HIPAA-Compliant?
The following categories fall under the scope of HIPAA and must adhere to its regulations:
- Covered Entities (CEs):
- Healthcare Providers: This includes doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and even pharmacies. Essentially, any healthcare organization or individual that offers medical services or treatment.
- Health Plans: These entities provide or pay for medical care, such as health insurance companies, health maintenance organizations (HMOs), company health plans, and government programs like Medicare and Medicaid.
- Healthcare Clearinghouses: Organizations that process or facilitate the processing of health information received from another entity into a standard format.
- Business Associates (BAs):
Any individual or organization that performs functions or activities involving the use or disclosure of PHI on behalf of a Covered Entity, or that provides services to one. This includes:
- Third-party Administrators that assist in handling health plans.
- IT Providers and consultants who have access to electronic PHI.
- Billing and coding companies.
- Answering services.
- Medical transcription services.
- Digital health platforms that store or process PHI.
- Subcontractors and Vendors:
Entities or individuals hired by Business Associates who might come into contact with, process, or store PHI must also be HIPAA-compliant.
Information Covered Under GDPR
The General Data Protection Regulation (GDPR), enacted in May 2018, represents the European Union’s efforts to safeguard its citizens’ personal data.
Unlike HIPAA, which is specifically tailored to health information, GDPR covers a much broader range of personal data and applies in all 27 European Union (EU) member states.
The following are examples of personal data (often referred to as Personally Identifiable Information, or PII) under GDPR:
- Email addresses
- Location information
- Biometric data
- Religious beliefs
- Web cookies
- Political affiliations/opinions
- Pseudonymous data (if it’s easy to identify someone from it)
Who Needs to Be GDPR-Compliant?
If your company falls under one of the following categories, GDPR applies:
- Companies in the EU: Any business operating within the EU that processes personal data, irrespective of the location of the actual data processing.
- Non-EU Companies: Businesses outside the EU that offer goods or services to EU residents or monitor their behaviour.
If data processing is not a central part of your business and does not put individuals' privacy at risk, you may be exempt from certain GDPR obligations, such as appointing a Data Protection Officer (DPO).
If data processing is inherently tied to your business activities, however, you are squarely within GDPR's domain.
HIPAA vs. GDPR
| Aspect | HIPAA | GDPR |
|---|---|---|
| Regulated Data | Specific to healthcare data (PHI) | Applies to all personal data (PII); broader scope than HIPAA |
| Application of Regulation | Covers entities handling PHI, irrespective of location | Applies to processing personal data of EEA residents, irrespective of the organization's location |
| Consent | Consent required for certain purposes (e.g., marketing), with exceptions | Explicit consent required, with clear information on how data will be used |
| Breach Notification | Varies by breach size; notify individuals and OCR either immediately or annually | Report to the supervisory authority within 72 hours; inform service providers |
| Penalties | Fines vary by degree of fault, from $100 to $50,000 per violation, up to $1.5 million annually for repeated violations | Fines up to 20 million euros or 4% of global annual income, whichever is higher |
| Privacy/Data Protection Officer | Mandatory HIPAA Privacy Officer for covered entities | Data Protection Officer (DPO) required for certain organizations |
| Assessments | Annual risk assessment required for all PHI processing | DPIA required only for processing that is high-risk to individuals |
Let's take a look at the most important distinctions between HIPAA and GDPR.
Regulated Data
The main difference regarding regulated data is that HIPAA is specific to healthcare data (PHI), while GDPR applies to all personal data (PII). GDPR therefore has a much broader scope than HIPAA.
Application of Regulation (Coverage)
HIPAA applies to covered entities and business associates handling PHI, regardless of location. GDPR applies to organizations that process the personal data of individuals located in the EEA, regardless of the organization’s location.
In other words, organizations not located in the US may still be subject to HIPAA if they handle the PHI of US residents. Similarly, organizations not located in the EEA may still be subject to GDPR if they process the personal data of individuals in the EEA.
Individual Rights
Under HIPAA, individuals have the right to:
- View and get copies of their personal health records.
- Ask for corrections to their health data if errors are found.
- Receive a notice describing how their health data might be used or shared.
- Choose whether to give consent before their health data is used or shared for specific activities, such as marketing.
- Ask for limits on how their health information is used or shared.
- Get a report showing when and why their health information was shared for certain purposes.
- File a complaint to HHS if they believe their privacy rights have been violated.
Under GDPR, individuals have the right to:
- Know how their personal data will be used.
- View and request copies of their data.
- Ask for their information to be corrected if it’s wrong.
- Request their data be erased, with some legal exceptions.
- Ask for their data to be transferred to another organization or given to them in a readable format.
- Request limits on how their data is used.
- Take back permission they’ve given to use their data.
- Object to the use of their data.
- Refuse decisions made solely based on automated processing of their data.
Consent
Under HIPAA, organizations must obtain patient authorization before using or disclosing PHI for certain purposes, such as marketing or research. There are several exceptions: for example, no consent is needed to use or disclose PHI for treatment, payment, or healthcare operations.
Under GDPR, by contrast, organizations must obtain express consent from individuals before processing their personal data, and must give individuals clear and concise information about how their data will be used before that consent is obtained.
Breach Notification
Under GDPR, a breach must be reported to the supervisory authority within 72 hours, regardless of its size. Service providers also need to notify their regulators.
HIPAA, on the other hand, sets different rules depending on the size of the breach. If a breach affects more than 500 people, the organization must notify each affected person and the Office for Civil Rights (OCR) within 60 days. For smaller breaches, the organization reports to the OCR and the affected people once a year.
Penalties
Under GDPR, companies can be fined up to 20 million euros or 4% of their global annual income, whichever is larger. HIPAA fines are tiered by the organization's degree of fault: they range from $100 to $50,000 per violation and are capped at $1.5 million per year for repeated violations of the same provision.
Privacy or Data Protection Officer
A Data Protection Officer (DPO) is required for certain organizations under the GDPR, especially those processing large amounts of EU residents’ data or handling sensitive data.
A HIPAA Privacy Officer is mandatory for entities covered by HIPAA, like healthcare providers, health plans, and healthcare clearinghouses, to ensure compliance with privacy regulations related to health information in the US.
Assessments
Under GDPR, a Data Protection Impact Assessment (DPIA) is required only for processing that is likely to result in a high risk to individuals. Under HIPAA, a risk assessment is required annually for all processing of PHI, regardless of the level of risk.
Similarities Between GDPR and HIPAA
Both GDPR and HIPAA exist to protect personal data, and they share several requirements:
- Both restrict access to sensitive data to authorized people only.
- Both require mechanisms to detect unauthorized changes to health information (integrity controls).
- Both expect health information to be encrypted, whether at rest or in transit.
- Both require a person to be responsible for data protection.
- Both hold companies accountable for keeping customer and patient data private.
- Both emphasize regular staff training so employees understand and follow data protection best practices.
If your healthcare business already follows HIPAA, you have done much of the work needed to keep patient data safe, which puts you on the right track for GDPR as well.
However, HIPAA compliance by itself is not sufficient for GDPR compliance; organizations must also meet the requirements specific to GDPR.
HIPAA and GDPR, while rooted in the same intent of data protection, have distinct guidelines and scopes. Healthcare companies should focus on adhering to both regulations separately.
MedStack is your one-stop solution for complying with all healthcare privacy laws. Join the hundreds of digital health companies who already trust MedStack to ensure their applications meet the top compliance standards.