The Health Insurance Portability & Accountability Act is the primary source of data protection regulation for US health care providers, health insurers and many employers. But since 25 May 2018, those organisations whose patients or customers include residents of the European Union have a new set of rules to follow. The General Data Protection Regulation (GDPR) is designed to strengthen the data privacy of EU citizens – and give them greater control over how their data is used.
Here’s the upshot: if you process the personal data of EU residents, even if your office or clinic is based in the US, you need to ensure GDPR compliance.
In terms of basic subject matter, it’s true that there’s quite a lot of overlap between HIPAA and GDPR. That said, there are some important differences – and businesses shouldn’t assume that if they already follow the HIPAA rulebook that they will automatically stay on the right side of European regulators.
Here, we’ll take a closer look at the GDPR, its provisions relating to health information, how it differs from HIPAA and what US organisations should do to become and remain compliant.
HIPAA and GDPR: Two privacy frameworks explained
To help you understand the similarities and differences between these two laws, here’s an overview of what each one covers.
HIPAA came into force in 1996. It was designed to make health insurance coverage fairer for employees moving between jobs. It also sought to reduce the cost of health care by bringing in a more standardised process for financial transactions and admin.
Through the “Privacy Rule” contained within the legislation, HIPAA also sets out requirements designed to protect sensitive personal health information (PHI). As well as setting out data governance procedures in areas such as billing and admin, this Rule sets out the right of patients to receive copies of PHI from organisations. It also stipulates the circumstances under which healthcare providers may disclose this information to third parties – and when express patient permission is needed for this.
HIPAA is a healthcare law that includes important data protection elements. By contrast, GDPR is a data protection law that covers all sectors – including insurance and healthcare. US organisations should pay particular attention to the following:
- If you process the personal data of EU residents, you should get familiar with ALL aspects of GDPR. To help you with this, our resource centre has guidance on key aspects of compliance.
- You may need to nominate a representative within the EU to handle compliance formalities. Our guide for US businesses contains further info on this.
Scope: Personal Data vs Protected Health Information
The Privacy Rule within HIPAA is designed to protect patients’ PHI, which means any information regarding “health status, provision of healthcare, or healthcare payment”. Also, it only governs the actions of “covered entities”, referring to healthcare providers – as well as insurance plan providers and clearinghouses.
GDPR’s scope is much broader. It is designed to protect “personal data”, meaning any information capable of directly or indirectly identifying an individual – so includes, for instance, contact information and copies of communications that may fall outside of the HIPAA scope.
GDPR also covers all controllers and processors of that data. This means that organisations that operate in the broad healthcare sector (providers of health & fitness apps for instance) need to ensure GDPR compliance – even though they fall outside of the HIPAA ambit.
Establishing a lawful basis for data processing
HIPAA is highly descriptive on the issue of data disclosure. It stipulates that without patient consent, you can disclose PHI only for the purposes of treatment, securing payment and in connection with the operations of a healthcare provider. For all other purposes, you need to obtain explicit consent from the patient.
GDPR takes a different approach. For a start, it requires you to identify ALL data processing activities (i.e. not just disclosure, but also, for instance, storage and movement within an organisation). For each activity, you need to establish a legal basis for it. Here are a few illustrations of how this will apply:
- Obtaining financial information for the purposes of securing payment from the patient. The legal basis for this will be for the purpose of performance of the contract with the patient.
- Using contact information to send marketing and fundraising communications to the patient. Under both HIPAA and GDPR, you need specific consent for this. Our marketing guide gives guidance on how to obtain this consent.
- Storage of records. HIPAA requires clinical records to be retained for 6 years. So the appropriate legal basis for storage of records for this period would be to enable you to fulfil your legal obligations.
Privacy notices, privacy officers and data protection officers
If you are currently in compliance with HIPAA, you should already provide all patients with full details of what information you hold on them, its purpose and who has access to the information.
For EU residents’ data, you will need to ensure that your privacy notices cover additional GDPR requirements. Specifically, it should set out the legal basis for each processing activity and outline the right to complain to the regulator. Before revising your privacy notice, take a look at our guide.
Broadly mirroring the role of the privacy officer under HIPAA, GDPR requires certain categories of bodies (including most public sector organisations) to appoint a data protection officer.
Subject access rights
Under both frameworks, organisations have 30 days to respond to requests for copy records (although GDPR allows for this to be extended in the case of complicated requests). HIPAA allows for a reasonable admin charge for this – whereas GDPR stipulates that information should be provided free of charge in most instances.
Much has been made of the “right to be forgotten” under GDPR, which enables individuals to request erasure of their data under certain circumstances. Read our guide on this – and bear in mind that it’s not an absolute right – so you shouldn’t delete information that you are legally required to retain under HIPAA or any other Federal laws or professional requirements.
Both sets of rules require you to take appropriate measures to ensure the security and integrity of data. The big difference is in relation to breach reporting. HIPAA requires you to report breaches affecting 500 records or more within 60 days. With GDPR by contrast, all breaches affecting the rights of individuals must be reported to your designated GDPR regulator within 72 hours.
From internal record keeping through to responding to patient requests, GDPR compliance requires you to take a thorough look at all aspects of your data estate and processes. The Privacy Compliance Hub has a complete methodology enabling US organisations to meet their obligations. To discover more, take a look at our demo – or get in contact for a chat.