What is HIPAA? Are there similarities and differences between it and GDPR? And does your organisation need to ensure it is compliant with both?
HIPAA is the Health Insurance Portability and Accountability Act 1996. It was designed to prevent patient-sensitive data (Protected Health Information or PHI) from being disclosed without the patient’s consent or knowledge. A federal law, it applies to the PHI of US citizens, irrespective of where that data is held.
If, therefore, an international company processes US PHI, it is as bound by HIPAA as an organisation in Maine, Montana or Mississippi.
HIPAA imposes administrative, physical and technical safeguards on US patient data. It sets boundaries for the release of health records and requires healthcare providers and related entities to have comprehensive security measures in place, covering areas like access controls, encryption, and employee training. It gives patients more control over their personal information.
The General Data Protection Regulation (GDPR) grants individuals a wider range of rights than HIPAA. GDPR gives data subjects a range of rights including the right to access their data, the right to be forgotten, and the right to data portability. Additionally, the rights conferred by GDPR extend beyond healthcare settings.
HIPAA violations can result in significant penalties, ranging from fines to criminal charges. The level of culpability determines the fine tier, and the tier determines the fine per violation.
At time of writing, for example, the minimum penalty for a tier 1 violation, that is, a violation due to a lack of knowledge, could attract as little as $137. In contrast, a tier 4 violation (i.e. one which features willful neglect not corrected within 30 days of being made aware of the violation) could attract the maximum penalty per year of $2,067,813.
GDPR’s maximum fine operates on a different scale (literally), with companies liable for €20 million or 4% of annual global turnover, whichever is greater.
HIPAA applies to the data of US citizens. GDPR applies to the data of EU residents. Here’s what that means in practice:
◦ Noah is a US citizen but he’s spending a year studying in Paris and is therefore an EU resident. His PHI is protected by HIPAA — no matter where that data is processed — because he remains a US citizen. All his personal data is protected by GDPR — no matter where that data is processed — because he is resident in the EU. It will remain protected for as long as he remains in the EU.
◦ Isabella is originally from Spain. She’s currently living and working in Boston for a few months. Her PHI is not protected by HIPAA because she is not a US citizen. Her personal data is not protected by GDPR either because she is not currently an EU resident.
◦ XYZ Inc is a US organisation based in Tampa that handles lots of personal data, some of it relating to EU residents, some to US citizens. It is bound by GDPR, even though it is not based in the EU. If the data it processes is health related, it will be bound by HIPAA too.
◦ ABC AG is a German company based in Dusseldorf. It processes personal health information of US citizens and EU residents. It is bound by HIPAA because the data it holds is PHI. It is also bound by GDPR, because the personal health data it holds also qualifies as personal data for the purposes of GDPR.
Only in a fairly loose sense. They are both data protection laws. Both are mandatory. Both have extraterritorial reach (that is, they apply wherever the data they protect is processed).
Both laws also place stringent consent requirements on organisations that handle personal data. GDPR places a strong emphasis on obtaining explicit and informed consent for data processing activities. This ensures that individuals are aware of how their data will be used and have the choice to grant or withhold consent.
HIPAA requires health providers to gain patient consent to the use of PHI in all but routine circumstances.
Beyond these, however, it’s almost surprising how little HIPAA and GDPR overlap. The main reason for that is the approach to their drafting. HIPAA’s legislators took a risk-based approach. As a consequence, you’ll find plenty of language within the law that says things like:
“Entities must:
◦ Detect and safeguard against anticipated threats to the security of the information
◦ Protect against anticipated impermissible uses or disclosures that are not allowed by the rule
◦ Certify compliance by their workforce”
In contrast, GDPR takes a rights-based approach; its strong emphasis on explicit and informed consent for data processing activities, noted above, is one expression of that, since it ensures individuals know how their data will be used and can grant or withhold consent.
We speak with many organisations looking to ensure cross-legislation compliance, who anticipate that meeting their obligations for one standard will largely mean meeting them for all. As our examination of HIPAA & GDPR demonstrates, that’s not the case.
While HIPAA primarily focuses on safeguarding the health data of US citizens, GDPR extends its protective umbrella beyond health in a more holistic approach to individuals’ rights. While compliance with both laws does share some basic DNA, there are significant differences.
GDPRLocal can help ensure you correctly comply with the data protection legislation of all the territories in which you trade. Get expert help in managing your data protection here, appoint your Article 27 GDPR rep, or call +1 303 317 5998.