Healthcare providers are no strangers to protecting sensitive data under HIPAA requirements. But with new privacy regulations such as the European Union’s (EU) General Data Protection Regulation (GDPR), many healthcare entities may wonder, “Does HIPAA compliance automatically make me GDPR compliant?” and “What are the differences between GDPR and HIPAA?”
What is GDPR?
GDPR is a set of laws enforced as of May 25, 2018, that changes the way organizations collect, store, and transmit the personal data of EU citizens and residents. Essentially, GDPR grants EU citizens expanded control of their personal data. Here are a few key traits of GDPR:
- It defines personal data (i.e., personally identifiable information/PII) broadly as information that can be used to identify an individual. This allows for a wide range of information to be denoted as personal data, including name, identification number, location data, or online identifier.
- It applies to entities processing, holding, and/or using data of EU citizens, regardless of the entities’ location.
- It can result in hefty fines. Organizations can be charged up to 4% of their annual global revenue or 20 million Euros for serious violations of GDPR regulations.
Am I subject to GDPR?
Why does a United States-based care provider need to worry about GDPR? Recall that GDPR is focused upon citizens of the EU and their PII. If a U.S.-based healthcare entity interacts with EU citizens by storing and using their sensitive data, that entity is subject to GDPR regardless of its location.
What are the key differences between GDPR and HIPAA?
The key difference between GDPR and HIPAA is the focus. GDPR focuses on protecting EU citizens’ PII. Therefore, any organization that handles an EU patient’s information can be subject to GDPR regulations. In contrast, HIPAA is focused on organizations – covered entities and business associates – that handle protected health information (PHI) within the United States. In addition to this fundamental difference, GDPR has a much broader scope of coverage than HIPAA. Despite similarities between GDPR’s data concerning health and HIPAA’s PHI, GDPR also addresses “sensitive personal data” such as racial or ethnic origin and religion. HIPAA, in contrast, is limited to PHI alone.
Furthermore, GDPR gives data subjects — anyone whose personal data is being collected, processed, or stored — specific rights that differ from HIPAA. GDPR also requires a much shorter timeframe for data breach notification. Here are three significant/notable differences between HIPAA and GDPR:
HIPAA permits some degree of PHI disclosure without patient consent. Under HIPAA, healthcare providers may send PHI to another provider for treatment purposes. HIPAA broadly defines “treatment” as the provision, coordination, or management of health care and related services by one or more providers. A second permitted disclosure is for healthcare operations. If certain criteria are met, a healthcare provider can disclose PHI to other providers or business associates without patient consent.
This is not the case under GDPR – instead, explicit consent from EU data subjects for any PHI interaction that falls outside of direct patient care must be obtained. This also applies to marketing and communications activities between the care provider and data subjects – the EU citizen or resident must give their express consent to opt in to any communication, whether it be through phone, email, direct mail, or other advertising methods.
2) Right to be forgotten
GDPR also gives data subjects the “Right to be Forgotten,” while HIPAA does not. For example, individuals may tell an organization to erase their data. To carry out that request, an organization’s IT and security team needs complete visibility and control over where that patient’s data is stored by the care provider, business associates, and affiliates.
Let’s say you have data stored in the cloud or with a third-party business associate. In order to fulfill the patient’s right of erasure under GDPR, you must know the controls that the third parties in your network have in place. Would your cloud vendor be able to provide the data you need to fulfill the rights of data subjects? Do they know where your data is stored?
3) Data breaches
Data breaches are a major concern for health providers working to maintain patient care and comply with key regulations and frameworks.
The HIPAA Privacy Rule mandates for organizations and business associates to protect personal health information (PHI) and limit its disclosure. The Privacy Rule gives patients the right to view their health information and medical records, as well as request corrections.
Furthermore, under the HIPAA Breach Notification Rule, covered entities and business associates are required to notify affected individuals if unsecured PHI is breached.
If more than 500 individuals are affected, then you must notify the Department of Health and Human Services’ Office for Civil Rights (OCR), as well as all affected individuals, within 60 days. For smaller breaches, you must notify the OCR and those affected by the final day of reporting each year — March 1 of the following year (e.g., if there is a breach affecting 300 people on Nov. 1, 2020, the OCR and affected patients must be informed by March 1, 2021).
This is not the case with GDPR. Under Article 33 of GDPR, there is a 72-hour breach reporting requirement. Care providers are required to report a breach to their supervisory authority.
For more information, The International Association of Privacy Professionals provides a thorough comparison of the GDPR and HIPAA regulations.
How can I become GDPR compliant?
Like complying with HIPAA, GDPR compliance should be viewed as an opportunity to further prioritize the privacy and security of your patients’ data, and not just as a regulatory burden. Although GDPR continues to evolve, there are concrete steps you can take now to meet compliance and reduce your organization’s risk in the event you treat EU citizens or residents. Here are four steps toward achieving and maintaining GDPR compliance as a healthcare organization:
1) Appoint a Data Protection Officer
GDPR requires most applicable organizations to assign a Data Protection Officer (DPO). Article 39 of GDPR explains that the DPO is responsible for:
- Informing the controller or processor and their employees of data protection regulations
- Monitoring compliance and training staff
- Providing counsel on data protection impact assessments
- Engaging with the relevant authorities
Typically, the DPO will need to have a comprehensive understanding of security. It’s important to review the relevant tasks before assigning or hiring for the role.
HIPAA makes a similar requirement under its Privacy and Security Rules in that a compliance officer who has a thorough understanding of HIPAA is required to oversee an organization’s compliance.
2) Conduct a data assessment
GDPR makes it essential to obtain a bird’s-eye view of your sensitive data and the associated workflows. Article 4 of GDPR defines “personal data” as any information related to an identified person, whereas HIPAA pertains only to protected health information. The GDPR’s broad definition may include:
- ID numbers
- Online identifiers
- Physical, genetic, economic, cultural, or social identities
A comprehensive risk analysis can reveal where your data rests and where it’s transmitted, including in connected cloud applications, third parties, shadow IT, and more, allowing you to gain more control over its use.
Under the HIPAA Security Rule, organizations must conduct regular risk assessments. According to HealthIT.gov, “a risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where your organization’s protected health information (PHI) could be at risk.”
3) Implement the ability to identify and report breaches
In the event of a breach, GDPR Article 33 requires you to report it within 72 hours. Considering that nearly half of all healthcare breaches are caused by insiders and the average time to detect a breach is 236 days, it’s essential to monitor for insider threats. By implementing a proactive patient privacy monitoring program, you can quickly detect and remediate damaging behaviors, nipping malicious or careless behavior in the bud before a breach occurs. You may already be monitoring your EHRs and clinical applications to comply with HIPAA audit controls (164.312 (B)), which require covered entities to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. On top of that, GDPR requires a broader monitoring program that also scans for the access and use of any personally identifiable data (PII) that may exist in other applications like Office 365 or Salesforce.
4) Establish privacy by design
As data privacy regulations like the California Consumer Privacy Act emerge, privacy and security should be implemented by design, which refers to the process of building privacy procedures into technology as it’s created. GDPR stresses that privacy and security considerations be integral to the products or tools that manage confidential data while reminding us to build user privacy and security principles into products from the beginning of their development lifecycle rather than as afterthoughts.
Furthermore, organizations must consider the privacy and security of applications and systems outside of their EHR, but which may still contain sensitive information that is regulated by GDPR and other privacy regulations. Ongoing inventory and assessment of confidential data are necessary to ensure you know where all confidential data resides and what vulnerabilities to that data’s privacy exist. In doing so, you can reduce data breaches as well as compliance and privacy mishaps while focusing on excellent and effective trust-based patient care.