Healthcare providers and payors in the United States are no strangers to protecting sensitive data under HIPAA requirements. But with new privacy regulations such as the European Union (EU) General Data Protection Regulation (GDPR), many healthcare entities may wonder, “Does HIPAA compliance automatically make me GDPR compliant?” and “What are the differences between GDPR and HIPAA?”
What is GDPR?
GDPR is a set of EU laws enforced as of May 25, 2018, that changes the way organizations collect, store, and transmit the ‘personal data’ of EU citizens and residents. Essentially, GDPR grants these individuals in the EU expanded control of their personal data. Here are some of the key items within GDPR (more details later in the article):
- It defines personal data (i.e., personally identifiable information/PII) broadly as information that can be used as an identifier. This allows for a wide range of information to be denoted as personal data, including name, identification number, location data or online identifier.
- It applies to entities processing, holding and/or using data of EU citizens, regardless of the entities’ location.
- It can result in hefty fines. Organizations can be fined up to 4 percent of their annual global revenue or 20 million Euros for very serious violations of GDPR regulations.
Am I Subject to GDPR?
Why would a care provider need to worry about GDPR compliance if they treat patients at a U.S.-based location? Recall that GDPR is focused upon the EU citizen and their PII. If a U.S.-based healthcare entity interacts with EU citizens and stores and uses sensitive data on them, that entity is subject to GDPR, regardless of its location.
What Are the Key Differences Between GDPR and HIPAA?
The focus is the key difference between GDPR and HIPAA. With GDPR, the focus is on the EU citizen and their PII. Any organization that handles this data can be subject to the GDPR regulations. In contrast, HIPAA is focused on organizations (i.e., covered entities and business associates) that handle patient protected health information or PHI within the United States. In addition to this fundamental difference in focus, GDPR has a much broader coverage scope than HIPAA. GDPR’s “data concerning health” and HIPAA’s “protected health information” are very similar. However, GDPR also addresses “sensitive personal data” such as racial or ethnic origin, or religion. HIPAA, in contrast, is limited to dealing with protected health information (PHI).
Furthermore, GDPR gives data subjects — anyone whose personal data is being collected, processed, or stored — specific rights that differ from HIPAA. GDPR also requires a much shorter timeframe for data breach notification. Here are three additional differences between HIPAA and GDPR.
HIPAA provides for some permitted disclosures of PHI, without patient consent. Under HIPAA, healthcare providers may disclose PHI to another provider for the treatment activities of that provider, without needing patient consent. HIPAA broadly defines “treatment” as the provision, coordination or management of health care and related services by one or more providers. A second permitted disclosure is for healthcare operations. If certain criteria are met, a healthcare provider can disclose PHI to other providers or business associates without patient consent.
This is not the case under GDPR – instead, explicit consent from EU data subjects for any PHI interaction that falls outside of direct patient care must be obtained. This also applies to marketing and communications activities between the care provider and data subjects – the EU citizen or resident must give their express consent to opt into any communication, whether it be through phone, email, direct mail, or other advertising methods.
- Right to be Forgotten
GDPR also gives data subjects the “Right to be Forgotten,” while HIPAA does not. This means that, under specific circumstances, data subjects may tell an organization to erase their data.
This means that IT/security will need complete visibility and control over where that patient’s data is stored by the care provider, business associates, and affiliates.
Let’s say that you have data stored in the cloud or with a third-party business associate. In order to fulfill the patient’s right of erasure under GDPR, you must know the controls that the third parties in your network have in place. Would your cloud vendor be able to provide the data you need to fulfill the rights of data subjects? Do they know where all of your data is stored?
- Data Breaches
Data breaches are a major concern for care providers working to maintain patient care and comply with key regulations and frameworks.
Under the HIPAA Privacy Rule, care providers are required to protect or maintain any personal information (PHI). It also sets limits and conditions on how PHI can be used and disclosed in the absence of patient authorization. The privacy rule gives patients the right to view their health information and medical records, as well as request corrections.
Furthermore, under the HIPAA Breach Notification Rule, covered entities and business associates are required to notify affected individuals if unsecured PHI is breached.
If more than 500 individuals are affected, then you must notify the Department of Health and Human Services’ Office for Civil Rights (OCR), as well as all individuals affected, within 60 days. For smaller breaches, you must notify the OCR and those affected by the final day of reporting each year — March 1 of the following year (e.g., if there is a breach affecting 300 people on Nov. 1, 2018, you must notify by March 1, 2019).
This is not the case with GDPR. Under Article 33 of GDPR, there is a 72-hour breach reporting requirement. Care providers are required to report a breach to their supervisory authority.
The International Association of Privacy Professionals provides a thorough comparison of the GDPR and HIPAA regulations.
How Can I Become GDPR Compliant?
Like complying with HIPAA, GDPR compliance should be viewed as an opportunity to further prioritize privacy and security of your patients’ data, and not just as a regulatory burden. Although the journey to GDPR compliance is ever evolving, there are some concrete steps you can take now to bring yourself into compliance with the EU rules and help reduce your organization’s risk in the event you treat EU citizens or residents. Here are four steps toward achieving and maintaining GDPR compliance as a healthcare organization:
- Appoint a Data Protection Officer
GDPR requires that the vast majority of organizations subject to the rule assign a Data Protection Officer (DPO). Article 39 of GDPR explains that the DPO is responsible for:
- Informing the controller or processor and their employees of data protection regulations
- Monitoring compliance and training staff
- Providing counsel on data protection impact assessments
- Engaging with the relevant authorities.
Typically, the DPO will need to have a comprehensive understanding of security. It’s important to review the relevant tasks before assigning or hiring for the role.
HIPAA makes a similar requirement under its Privacy and Security Rules. A compliance officer is required; they should have a thorough understanding of HIPAA and will oversee an organization’s compliance with the regulation.
- Conduct a Data Assessment
GDPR makes it essential to obtain a bird’s-eye view of your sensitive data and the workflows associated with that data. Article 4 of GDPR defines “personal data” as any information related to an identified person, while HIPAA pertains only to protected health information (PHI). The GDPR’s broad definition may include:
- ID numbers
- Online identifiers
- Physical, genetic, economic, cultural, or social identities.
A comprehensive data assessment can reveal where your data rests and where it’s transmitted, giving you more control over its use — including its use in connected cloud applications, third parties, shadow IT, and more.
Under the HIPAA Security Rule, organizations must conduct regular risk assessments. Per HealthIT.gov, “a risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where your organization’s protected health information (PHI) could be at risk.”
- Implement the Ability to Identify and Report Breaches
Remember that GDPR Article 33 requires you to report a breach within 72 hours of the occurrence. Considering that 60 percent of breaches are caused by insiders and the average time to detect a breach is 206 days, it’s essential to monitor for insider threats. By implementing a proactive monitoring program for your cloud and other applications, you can monitor for damaging behaviors that lead to a breach, nipping malicious or careless behavior in the bud before a breach occurs. You may already be monitoring your EHRs and clinical applications in order to comply with HIPAA audit controls (164.312(b)), which require covered entities to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. But GDPR requires a broader monitoring program that also scans for the access and use of non-PHI data (e.g., that in Office 365 or Salesforce).
As outlined in the previous section on data breaches, HIPAA also requires covered entities and business associates to identify and disclose breaches promptly.
- Implement Privacy by Design
As data privacy regulations continue to crop up (e.g., the California Consumer Privacy Act), privacy and security should be implemented by design. GDPR stresses that privacy and security considerations be integral to the products or tools that manage confidential data. GDPR reminds us to build user privacy and security principles into products from the beginning of their development lifecycle and not consider privacy and security as design afterthoughts.
Furthermore, organizations need to regularly consider the privacy and security of applications and systems that are outside of their EHR, but which may still contain sensitive information that is regulated by GDPR and other privacy regulations. Ongoing inventory and assessment of confidential data are necessary to ensure you know where all confidential data resides and what vulnerabilities to that data’s privacy exist.
In doing so, you can reduce data breaches and compliance and privacy blunders and focus on excellent, effective, trust-based patient care.