GDPR vs. HIPAA:Differences and Compliance

The General Data Protection Regulation of the European Union is considered to be the world's most comprehensive data protection law. It came into effect in 2018 and has changed the digital landscape since then.

It forced businesses to take better care of data protection. Some companies were fined huge penalties, making it to mainstream media news and bringing fear to all non-compliant companies as a result.

The GDPR applies to all EU companies and foreign companies serving EU citizens.

When it comes to comparisons with HIPAA, it is worth mentioning that the GDPR recognizes health data as sensitive personal data and requires precautions before processing it.

What Is Required for GDPR Compliance?

When it comes to the processing of health data, the most important GDPR requirements include:

• Processing personal data only if you have a legal basis, which in many cases means execution of a contract, explicit consent, sometimes vital interests or public interests;
• Process only the minimum amount of data needed and only for the purposes for which it has been collected.
• Implementation of robust data security measures to ensure that the data is safe at all times;
• Post a comprehensive privacy policy to inform data subjects about privacy practices;
• Conduct a data protection impact assessment, if required, or do it as a good practice anyway;
• Respond to data subject requests within 30 days.
• Have a data breach response plan in place;
• Train personnel on data protection;
• Have a data breach notification response plan in place and inform data subjects and authorities of a data breach within 72 hours.
• Determine how long health data will be stored.
• Ensure that data processors process the data based on written contracts with precise instructions.
• Appoint a Data Protection Officer;
• Not transfer the data to unsafe countries or organizations.

GDPR requires other measures for personal data in general, but these are the requirements that all organizations must implement for processing health data.

What is HIPAA?

HIPAA, the Health Insurance Portability and Accountability Act, is a US law designed to protect patients' medical records and other health information provided to health plans, doctors, hospitals, and other healthcare providers. This information is called protected data under the law. It prescribes the protection and confidential handling of protected health information (PHI). The Department of Health and Human Services is responsible for developing this law.

HIPAA consists of several key components around privacy and security:

• Privacy Rule, establishing national standards for the protection of PHI. It requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made without patient authorization.
• Security Rule, which sets standards for the security of electronic protected health information (e-PHI). It prescribes a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of e-PHI.
• Transactions and Code Sets Rule, requiring the adoption of standard unique identifiers for health care providers and employers. It also establishes standards for electronic healthcare transactions and national identifiers for providers, health plans, and employers.
• Enforcement Rule, providing guidelines for investigations into compliance, the imposition of penalties, and procedures for hearings.

HIPAA applies to covered entities and their business associates, demanding compliance to ensure the confidentiality, integrity, and availability of protected health information.