What is HIPAA? What are the similarities and differences between HIPAA and GDPR? And does your organisation need to ensure it is compliant with both?
HIPAA is the Health Insurance Portability and Accountability Act of 1996. It was designed to prevent the disclosure of sensitive patient data (Protected Health Information, or PHI) without the patient’s consent or knowledge. A federal law, it applies to the PHI of US citizens, irrespective of where that data is held.
Therefore, if an international company processes US PHI data, it is as bound by HIPAA as an organisation in Maine, Montana, or Mississippi.
HIPAA imposes administrative, physical and technical safeguards on US patient data. It sets boundaries for releasing health records and requires healthcare providers and related entities to have comprehensive security measures in place, covering areas like access controls, encryption, and employee training. It gives patients more control over their personal information.
HIPAA compliance is required for all “covered entities” and their “business associates.” Covered entities are healthcare providers (like doctors, clinics, and hospitals), health plans (like insurance companies), and clearinghouses. Business associates are defined as any third parties that handle Protected Health Information (PHI) on behalf of a covered entity, for example, billing companies, cloud storage providers, or IT contractors. If these organizations process or access the PHI of U.S. citizens, regardless of their location, they must comply with HIPAA requirements.
GDPR is the General Data Protection Regulation, a data privacy law enacted by the European Union in 2016 and enforced from May 25, 2018. It was created to protect the personal data of individuals within the EU and EEA and to give them more control over how their data is collected, used, and stored. The law applies regardless of where the data processor or controller is located. Thus, if a company outside the EU handles the personal data of EU citizens, it must comply with GDPR just as a company based in France, Finland, or Germany would.
Any organization, whether inside or outside the EU, must comply with GDPR if it collects or processes data of people located in the EU or EEA. This includes businesses, non-profits, public authorities, and third parties that store, manage, or analyze such data. Both data controllers (who determine how and why data is used) and data processors (who handle data on behalf of controllers) are obligated to meet GDPR requirements.
GDPR imposes strict rules on collecting, processing, and storing personal data. It grants individuals several key rights, including the right to access, correct, delete, or restrict the use of their data. Organizations must implement strong data protection measures, conduct impact assessments, report breaches, and gain explicit consent when needed. Ultimately, GDPR aims to increase transparency, accountability, and trust in handling personal information.
The General Data Protection Regulation (GDPR) grants individuals a wider range of rights than HIPAA. GDPR gives data subjects the right to access their data, the right to be forgotten, and the right to data portability. Additionally, the rights conferred by GDPR extend beyond healthcare settings.
HIPAA violations can result in significant penalties, ranging from fines to criminal charges. The level of culpability determines the fine tier, and the tier determines the fine per violation.
At the time of writing, for example, the minimum penalty for a tier 1 violation, that is, a violation due to a lack of knowledge, could be as little as $137. In contrast, a tier 4 violation (i.e., one that features willful neglect not corrected within 30 days of being made aware of the violation) could attract the maximum yearly penalty of $2,067,813.
GDPR’s maximum fine operates on a different scale (literally), with companies liable for €20 million or 4% of annual global turnover, whichever is greater.
HIPAA applies to the data of US citizens. GDPR applies to the data of EU residents. Here’s what that means in practice:
◦ Noah is a US citizen but spends a year studying in Paris and is therefore an EU resident. His PHI is protected by HIPAA — no matter where that data is processed — because he remains a US citizen. All his personal data is protected by GDPR — no matter where that data is processed — because he is a resident of the EU. It will remain protected for as long as he remains in the EU.
◦ Isabella is originally from Spain. She’s currently living and working in Boston for a few months. Her PHI is not protected by HIPAA because she is not a US citizen. Her personal data is not protected by GDPR either because she is not currently an EU resident.
◦ XYZ Inc. is a US organisation based in Tampa that handles a lot of personal data, some of it relating to EU residents and some to US citizens. It is bound by GDPR even though it is not based in the EU. If the data it processes is health-related, it will be bound by HIPAA, too.
◦ ABC AG is a German company based in Dusseldorf. It processes the personal health information of US citizens and EU residents. It is bound by HIPAA because the data it holds is PHI-related. It is also bound by GDPR because the personal health data it holds also qualifies as personal data for the purposes of GDPR.
Are HIPAA and GDPR similar?
Only in a fairly loose sense. They are both data protection laws. Both are mandatory. Both have extraterritorial reach (that is, they apply wherever the data they protect is processed).
Both laws also impose stringent consent requirements on organisations that handle personal data. GDPR strongly emphasises obtaining explicit and informed consent for data processing activities. This ensures that individuals are aware of how their data will be used and have the choice to grant or withhold consent.
HIPAA requires health providers to gain patient consent to the use of PHI in all but routine circumstances.
Beyond these, however, it’s almost surprising how little HIPAA and GDPR overlap. The main reason for that is the approach to their drafting. HIPAA’s legislators took a risk-based approach. As a consequence, you’ll find plenty of language within the law that says things like:
“Entities must:
◦ Detect and safeguard against anticipated threats to the security of the information
◦ Protect against anticipated impermissible uses or disclosures that are not allowed by the rule
◦ Certify compliance by their workforce”
In contrast, GDPR takes a rights-based approach: rather than asking organisations to identify and mitigate risks, it spells out what data subjects are entitled to (access, erasure, portability) and what controllers and processors owe them, with explicit and informed consent at its core.
We speak with many organisations looking to ensure cross-legislation compliance. They anticipate that meeting their obligations for one standard will largely mean meeting them for all. As our examination of HIPAA and GDPR demonstrates, that’s not the case.
While HIPAA primarily focuses on safeguarding the health data of US citizens, GDPR extends its protective umbrella beyond health in a more holistic approach to individuals’ rights. While compliance with both laws does share some basic DNA, there are significant differences.
GDPRLocal can help ensure you correctly comply with the data protection legislation of all the territories in which you trade. Get expert help in managing your data protection here, appoint your Article 27 GDPR rep, or call +1 303 317 5998.
What are the key HIPAA rules?
HIPAA requires organizations to protect patient data with administrative, physical, and technical precautions. It limits how health records are shared and ensures security measures like access control and encryption are in place. It also gives patients more control over their health information.
What happens if a company violates HIPAA?
Companies that violate HIPAA face fines based on how severe the violation is. Minor, unintentional breaches might cost as little as $137, while severe cases involving willful neglect can lead to fines of over $2 million annually. Some violations may also lead to criminal charges.
What are the key GDPR principles?
GDPR requires that personal data be collected lawfully, used fairly, kept secure, and only held as long as necessary. It emphasizes transparency and gives individuals rights like access, correction, and deletion of their data, with consent being a key requirement.
What are the penalties for GDPR violations?
GDPR violations can result in fines of up to €20 million or 4% of a company’s global annual revenue, whichever is higher. The size of the fine depends on the severity of the breach and how the company responds to it.