We’ve been getting tons of questions about HIPAA vs GDPR compliance lately. Businesses want to know what these two frameworks have in common and what sets them apart.

Then there’s the question of overlap. For example, which requirements do these two frameworks share (if any)? And if you’re already compliant with one of them, does that reduce the effort required to get compliant with the other? We’ll answer all these pressing questions and more in our HIPAA vs. GDPR compliance H2H.

If you’re looking for a complete primer on HIPAA, we’ve got you covered right here. If not, no worries. We’ll give you the quick and dirty below.

HIPAA, AKA the Health Insurance Portability and Accountability Act of 1996, is a U.S. law. It ensures that covered entities in the healthcare space safeguard the security and privacy of protected health information (or PHI). However, before we unpack what covered entities are, let’s dive into PHI. PHI is anything that includes personal identifiers, from your name to your home address.

HIPAA applies to covered entities and their business associates. Covered entities are:
To keep things simple, HIPAA covers any organization that handles PHI. As mentioned above, HIPAA is law. However, unlike other healthcare-related security frameworks, like HITRUST, HIPAA doesn’t have a certification body. Because it doesn’t have a certification body, you can’t get HIPAA certified. In other words, all those fancy HIPAA badges businesses have on their websites are pretty much meaningless.

That said, HIPAA is enforced by the U.S. Department of Health and Human Services, Office for Civil Rights (OCR). If you’re non-compliant, you could face serious fines and irreparable damage to your reputation. The law includes three rules: the Privacy Rule, Security Rule and Breach Notification Rule. These three rules work together to protect individuals and give them rights to their personal information.

Why HIPAA?
If you’re a covered entity or a business associate of a covered entity, then you must be HIPAA compliant, plain and simple.

The Process of HIPAA Certification
Covered entities and their business associates must follow HIPAA’s privacy, security and breach notification rules. The law’s Security Rule also includes an evaluation standard. It requires organizations to perform regular technical and nontechnical evaluations to ensure compliance.

What Is GDPR?
The General Data Protection Regulation (or GDPR) became law on May 25, 2018, and it’s among the toughest data privacy and security laws on the planet. It applies to all organizations targeting or collecting data related to people in the U.K. or E.U.—even if they operate outside of those jurisdictions. This data, better known as personally identifiable information (or PII), covers anything that can be used to clearly identify a person, and organizations are required by law to safeguard it. Under the GDPR, organizations must take documented steps to limit access to PII. If your company collects banking information, only job roles that specifically require that data should be able to access it.
The documented steps need to cover the following:

Consent
The GDPR prohibits the use of confusing terms and conditions, so be clear and concise. Whenever data is used for new purposes, a new request for consent is required. And it must be as easy to withdraw consent as it is to give it.

Breach Notifications
Organizations have 72 hours to notify all data subjects of a security breach, either by email, phone or through a public announcement.

Right to Access
Organizations must be transparent with U.K. and E.U. citizens about how their PII is used.

Right to Be Forgotten
Organizations must delete PII if an individual requests it. They must also cease further distribution of that data.

Privacy by Design
Organizations can only process information essential to the completion of their business.

Data Protection Officers
Organizations must appoint a Data Protection Officer (DPO) to oversee the implementation of the GDPR. This individual protects personal data from misuse, unauthorized access and other security breaches. Regardless of size, an organization must appoint a DPO if:
Why GDPR?
If you handle PII that belongs to individuals in the U.K. and E.U., then you are required by law to comply with the GDPR. Failure to do so could result in some pretty hefty fines: up to €20 million, or four percent of your worldwide annual revenue from the previous year, whichever is higher.

The Process of GDPR Certification
Timelines for GDPR implementation can vary between processors and controllers and are impacted significantly by company structure, but the process can take anywhere from six to 36 weeks. Once implemented, organizations must complete internal GDPR assessments periodically to demonstrate their compliance. They can also apply for certification, though it is voluntary.
HIPAA vs GDPR: Purpose
While HIPAA and GDPR both aim to protect how personal information is used, they have entirely different scopes. HIPAA oversees how healthcare organizations and their business associates handle PHI in the U.S. The GDPR, on the other hand, is much broader. It oversees how all organizations handle the PII of U.K. and E.U. citizens.

Differences Between HIPAA vs GDPR Compliance
The most apparent differences between HIPAA vs GDPR are the jurisdictions and industries where the two laws apply. Beyond that, there are three noteworthy differences between HIPAA and GDPR.

Consent
HIPAA permits some degree of PHI disclosure without patient consent. For example, healthcare providers can send PHI to another provider for treatment purposes. Or, in some circumstances, a healthcare provider can disclose PHI to other providers or business associates without patient consent. Under GDPR, consent must always be given, even for patient care.

Right to Be Forgotten
GDPR gives data subjects the “Right to be Forgotten,” while HIPAA is forever. With GDPR, individuals may tell an organization to erase their data. Under HIPAA, medical records in general cannot be altered or deleted.

Data Breaches
The most significant healthcare data breaches reported in 2021 each impacted more than 1 million patients, totaling roughly 22.64 million people. Under the HIPAA Breach Notification Rule, covered entities and business associates must notify affected individuals of breaches. If the incident involves more than 500 individuals, the Department of Health and Human Services’ Office for Civil Rights (OCR) must be notified, as well as all affected individuals, within 60 days. In addition, the OCR and affected individuals need notification for smaller breaches by the end of the reporting year. GDPR is a different ball game, and size does not matter.
Under Article 33 of GDPR, there is a 72-hour breach reporting requirement, and care providers must report all breaches to supervisory authorities.

Similarities of HIPAA vs GDPR Compliance
If your organization is already HIPAA or GDPR compliant, you already have several safeguards in place to protect data. While there are more differences than similarities for HIPAA vs GDPR, there is some framework overlap.
Tugboat Logic Can Help
HIPAA vs GDPR compliance gets a little fuzzy sometimes. So, if you’re looking for a more in-depth understanding, chat with one of our experts! They have tons of experience supporting organizations as they navigate HIPAA and GDPR. Or, if you’ve got it all figured out and are ready to take your first steps, we can help you get compliant fast, starting with a free trial of our platform!

What is the difference between the Privacy Rule and Security Rule?
The HIPAA Privacy Rule covers protected health information (PHI) in any medium, while the HIPAA Security Rule covers electronic protected health information (e-PHI). HIPAA Rules have detailed requirements regarding both privacy and security.
What is the major difference between the HIPAA Privacy Rule and the HIPAA Security Rule?
The Privacy Rule ensures that all forms of Protected Health Information (PHI) are protected and remain private, including physical copies, electronic copies and any information transferred orally. The HIPAA Security Rule differs in that it only applies to Electronic Protected Health Information (ePHI).
What are the HIPAA Privacy and Security Rules?
The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other individually identifiable health information (collectively defined as “protected health information”) and applies to health plans, health care clearinghouses, and those health care providers that conduct certain ...
What are the 3 aspects of the Security Rule?
The Security Rule requires implementation of three types of safeguards: 1) administrative, 2) physical, and 3) technical.