February 13, 2024

GDPR vs. HIPAA: Differences and Compliance

Explore the intricacies of GDPR and HIPAA compliance for health data processing. Learn the similarities and differences between these two privacy laws, ensuring your organization is well-prepared to meet the stringent requirements.

If you process health data, you must comply with the GDPR requirements on sensitive data. If you are also among the covered entities and business associates to whom HIPAA applies, you have to follow those requirements as well.

GDPR and HIPAA are, on the surface, very different data privacy laws. If you look under the surface, they share several similarities.

In this article, we will explain the similarities and differences between HIPAA and GDPR to help you understand them and prepare you for compliance with both laws at once.

What is GDPR?

The General Data Protection Regulation of the European Union is considered to be the world's most comprehensive data protection law. It came into effect in 2018 and has changed the digital landscape since then.

It forced businesses to take better care of data protection. Some companies received huge fines that made mainstream news, putting every non-compliant company on notice.

The GDPR applies to all EU companies and foreign companies serving EU citizens.

When it comes to comparisons with HIPAA, it is worth mentioning that the GDPR recognizes health data as sensitive personal data and requires precautions before processing it.

What Is Required for GDPR Compliance?

When it comes to the processing of health data, the most important GDPR requirements include:

  • Process personal data only if you have a legal basis, which in many cases means execution of a contract, explicit consent, or sometimes vital interests or public interests;
  • Process only the minimum amount of data needed and only for the purposes for which it has been collected;
  • Implement robust data security measures to ensure that the data is safe at all times;
  • Post a comprehensive privacy policy to inform data subjects about privacy practices;
  • Conduct a data protection impact assessment, if required, or do it as a good practice anyway;
  • Respond to data subject requests within 30 days;
  • Have a data breach response plan in place;
  • Train personnel on data protection;
  • Have a data breach notification procedure in place and inform data subjects and authorities of a data breach within 72 hours;
  • Determine how long health data will be stored;
  • Ensure that data processors process the data based on written contracts with precise instructions;
  • Appoint a Data Protection Officer;
  • Do not transfer the data to unsafe countries or organizations.

The GDPR requires other measures for personal data in general, but these are the requirements that every organization processing health data must implement.

What is HIPAA?

HIPAA, the Health Insurance Portability and Accountability Act, is a US law designed to protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other healthcare providers. Under the law, this information is called protected health information (PHI), and the law prescribes its protection and confidential handling. The Department of Health and Human Services is responsible for developing this law.

HIPAA consists of several key components around privacy and security:

  • Privacy Rule, establishing national standards for the protection of PHI. It requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made without patient authorization.
  • Security Rule, which sets standards for the security of electronic protected health information (e-PHI). It prescribes a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of e-PHI.
  • Transactions and Code Sets Rule, requiring the adoption of standard unique identifiers for health care providers and employers. It also establishes standards for electronic healthcare transactions and national identifiers for providers, health plans, and employers.
  • Enforcement Rule, providing guidelines for investigations into compliance, the imposition of penalties, and procedures for hearings.

HIPAA applies to covered entities and their business associates, demanding compliance to ensure the confidentiality, integrity, and availability of protected health information.


What is required for HIPAA compliance?

Here's a brief overview of the HIPAA requirements for covered businesses:

  • Implement policies and procedures to protect the privacy of protected health information (PHI);
  • Implement data security measures to ensure the confidentiality, integrity, and availability of electronic PHI (e-PHI) through administrative, physical, and technical safeguards;
  • Provide a notice of privacy practices to patients, detailing how their information can be used and their rights concerning their PHI;
  • Ensure patients' rights to request privacy protections, access their PHI, request amendments to their PHI, and receive an accounting of disclosures;
  • Use or disclose the minimum amount of PHI necessary to accomplish the intended purpose;
  • Train workforce members on HIPAA policies and procedures and manage them to ensure compliance;
  • Enter into contracts with business associates to ensure they protect the PHI they create, receive, maintain, or transmit;
  • Implement procedures to identify, respond to, and document security incidents and breaches, and notify affected individuals and authorities as required;
  • Maintain documentation of HIPAA compliance efforts, including policies, procedures, and training materials, for a minimum of six years;
  • Regularly review and update HIPAA policies and procedures to comply with changes in the law and ensure continuous protection of PHI.

GDPR vs. HIPAA: Similarities and Key Differences

The main difference between the GDPR and HIPAA is that HIPAA applies only to the processing of health data, while the GDPR applies to all personal data. At first glance, this looks like a huge difference.

However, when comparing the requirements of both laws about health data, it becomes clear that they follow very similar, if not the same, standards for health data protection.

Now onto the details. Both laws require the following:

  • Implementing robust data security measures to prevent data breaches and unauthorized access to protected data;
  • Processing only the minimum amount of data needed for the purposes of the processing;
  • Responding to requests by patients and data subjects to know, access, or erase their data, as well as other types of requests;
  • Serving data subjects with privacy notices explaining data privacy practices;
  • Reporting data breaches;
  • Having data breach notification policies in place;
  • Training the workforce on data security and privacy;
  • Having written contracts with data processors or business associates, i.e., third parties who get access to the protected data.

In addition, the GDPR also requires appointing a Data Protection Officer and bans unsafe international data transfers.

Unlike HIPAA, the GDPR sets requirements for conducting a data protection impact assessment before processing sensitive data. It may not be explicitly required in every single case, but it is a good practice in all cases.

HIPAA is focused on health-related data only. It does not apply to all personal information, only to information related to patients.
