GDPR compliance and HIPAA have been topics of international discussion as health care organizations prepare to meet the demands of the new regulation.
The EU General Data Protection Regulation (GDPR) is a new data security regulation that’s slated to take effect in the European Union on May 25, 2018. Compared to its American counterpart, the US Health Insurance Portability and Accountability Act of 1996 (HIPAA), there are several key distinctions in the way data must be securely handled.
GDPR compliance has a broader scope than HIPAA and does not deal exclusively with health information. GDPR regulation sets standards for “sensitive personal data” and includes oversight for “data concerning health,” which is comparable to regulatory requirements for HIPAA.
What Kind of Information is Protected?
GDPR compliance addresses standards for all personal data, which is defined as any data that can be used to directly or indirectly identify a living person. HIPAA has a much narrower definition of the data it governs, which is limited to HIPAA protected health information (PHI).
PHI is any demographic information that can be used to identify a patient. This includes name, date of birth, address, financial information, social security number, full facial photo, or insurance information. PHI only includes information gathered by a HIPAA-beholden entity.
GDPR and HIPAA have very different metrics for determining protected information. Under GDPR compliance standards, “sensitive personal data” includes racial or ethnic origin, religious or philosophical beliefs, political affiliations, union memberships, biometric or genetic data, sexual practice or orientation, and any data concerning health.
This last part about “data concerning health” is where HIPAA and GDPR have some overlap. GDPR defines data concerning health as any personal data relating to the physical or mental health of an individual. This includes any health care services a person seeks, which may reveal information about the person’s health status.
GDPR Compliance and HIPAA Compliance
HIPAA regulation sets standards for the exchange of PHI between covered entities and business associates. A covered entity is a health care provider, such as a physician, and also includes insurance companies and health care clearinghouses. Covered entities are beholden to the full extent of the regulation and must ensure that any PHI they create or store is kept private and secure. A business associate is any organization hired by a covered entity that handles or comes into contact with PHI in any way. This includes organizations such as billing companies, EHR platforms, practice management providers, and attorneys, to name a few.
Conversely, GDPR compliance applies to organizations established within or outside of the EU that process EU residents’ personal data. This includes any organizations that monitor the behavior of data subjects within the EU, or that offer goods or services to individuals within the EU.
That means that GDPR will potentially apply to all international organizations that handle personal data of residents within the EU. Where HIPAA only applies to the relationship between covered entities and business associates, GDPR sets standards for entire industries that deal with consumer data.
Refer to the chart below for more details about GDPR and HIPAA compliance: