Last year GDPR was introduced into EU law and there is no doubt that for many businesses it has mandated substantial changes in policies and practices. For healthcare companies doing business in the USA, though, not much may have changed: HIPAA (Health Insurance Portability and Accountability Act) and GDPR (General Data Protection Regulation) share many traits.
Their general aim is the same: to protect personal data from exploitation. So let’s first look at what type of data HIPAA and GDPR aim to protect, as the definition varies between the two frameworks. HIPAA focuses on protected health information (PHI), which covers any health data that could be used to identify a patient; GDPR covers all personal data and applies stricter rules to PHI and other types of sensitive data.
Under both frameworks, obtaining and processing protected data requires consent/authorization from the individual. Under GDPR, that person must be clearly informed about the use of their data and take an affirmative action to demonstrate their consent. Within both frameworks there is provision for use of data without consent if a legal precedent exists, such as protection of the individual’s vital interests and health. Potentially more relevant to healthcare companies, though, is the legal basis to use data for required quality and safety analysis of medicinal products and medical devices.
Both frameworks require that the storage and transfer of protected data be secure. The company in control of the data must also know where the data are stored and who has access to them, and must be able to log when data were accessed and/or modified. Furthermore, protocols for detecting unauthorized access to data must be in place. As such, if your company is HIPAA compliant, becoming GDPR compliant probably did not, or will not, require many changes from the technological standpoint. There are, however, a number of places where GDPR and HIPAA diverge, which means that some new workflows are needed.
GDPR protects the data of EU residents, irrespective of their nationality, current location, or the residency of the company collecting data. HIPAA, on the other hand, only protects PHI collected by businesses within the USA. As such, any hospital in the USA that treats an EU resident would need to handle their data in accordance with both HIPAA and GDPR! Although both frameworks require consent, under GDPR this consent must be active and not passive. The other major areas of divergence between HIPAA and GDPR are:
- The right to be forgotten: under GDPR an individual can request, and to an extent enforce, that their personal data be deleted
- Data breaches: under GDPR a data breach must be reported within 72 hours if it is likely to “result in a risk to the rights and freedoms of natural persons”. For HIPAA, the Office for Civil Rights must be notified within 60 days if more than 500 individuals were affected by the breach. Smaller breaches must still be reported, but only by the final day of the annual reporting period (March 1st of the subsequent year).
- Public data: any data made manifestly public by an individual is not protected by GDPR. Under HIPAA, however, such disclosure by the individual does not affect the protections afforded by HIPAA.
If you have any concerns about how GDPR may affect your business and data processes, we will be happy to try to help. With regard to the healthcare aspects of GDPR, Coreva Scientific have received certified training from MyDataTrust and have an in-house data protection officer (DPO).
Source: Based on “The HIPAA Privacy Rule and the EU GDPR: Illustrative Comparisons” published in 2017 by Stacey A. Tovino