GDPR & HIPAA Compliance – Key Similarities and Differences in the Compliance Requirements

Introduction

Privacy Regulations has for long been a major concern for most businesses processing or dealing with Personal Data. Today, acknowledging the fact that protecting Personal Information or data is essential, many Regulatory and Governing bodies globally have developed Privacy laws, rules, and regulations. Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation Act (GDPR) are two popular Privacy Regulations established with an aim to protect the Privacy and Confidentiality of Personal Information. In today’s article, we will be discussing both the regulations and their similarities and differences. This will give you a better understanding of both the regulations and help you ease your efforts of Compliance. So, let us first take a look at each of the Regulations individually and then understand how both the Regulations are mapped into a single Compliance effort.

What is the GDPR Regulation?

The General Data Protection Regulation Act is an EU law on Data Protection and Privacy. In January 2012, the European Commission set out plans for establishing data protection reforms called the GDPR across Europe and later in the year 2016 established the Regulatory framework. The regulation requires businesses to protect the privacy of citizens of the EU. It is a Regulation that also protects the privacy of Personal Data processed outside the EU and EEA areas. The Regulation gives citizens the right and control over the use of their Personal Information. GDPR requires businesses to implement data protection measures for securing Personal Information against theft, fraud, or misuse of data.

What is HIPAA Regulation?

The Health Insurance Portability & Accountability Act 1996 is a data protection regulation for the US health care providers, health insurers, employees,and third-party dealing with personal health information.HIPAA Regulation calls for adherencetoa set of requirements designed for securing sensitive Protected Health Information (PHI). It also sets out Data Governance Procedures in areas of billing and administration, wherein it preserves the right of patients to receive copies of PHI from organizations. It further stipulates Procedures for circumstances under which the healthcare providers may disclose maintain or process information with third-parties.  Organizations that deal with Protected Health Information (PHI) are expected to comply with the Regulation by having in place necessary security measures to secure PHI data.

GDPR VS HIPAA

Titles	GDPR	HIPAA
Protected Data	GDPR calls for the protection of Personal Data/Information (PI).  Data that leads to or data that can result in the personal identification of an individual can be defined as Personal Data.	HIPAA Regulation calls for the protection of Protected Health Information (PHI) of individuals/patients.  Any information related to health status, care, or payment created or collected by a HIPAA Covered Entity that can be linked to a specific individual can be defined as Protected Health Information.
Applicability	Organizations that deal with or process the Personal data of citizens of the EU need to comply with GDPR Regulation.	HIPAA applies to all Covered Entities and Business Associates including health plans, health care clearinghouses, and those health care providers that deal and process PHI data.
Scope	GDPR Regulation applies globally to any organization that deals with PI of citizens of the EU.	HIPAA Regulation applies to covered entities and their business associates within the US.
Consent	Under the GDPR Regulation, explicit consent is mandatory for the processing of personal health data which is considered sensitive data. However, the data may be processed without consent if it meets the conditions of processing in Article 9 of the GDPR.	Under HIPAA Regulation, there is no explicit consent required for disclosure of PHIfor treatment purposes.
Consumer Rights	GDPR gives consumers full control over the use of their Personal Information.  Individuals have the right to be forgotten or get their data deleted upon request.	HIPAA Regulation does not specify such rights to individuals.
Data Security	GDPR requires you to take appropriate measures to ensure the Security and Integrity and Privacy of any Personal data.	HIPAA requires you to take appropriate measures to ensure the Security and Privacy of personal health information.
Data Breach	Under GDPR breaches affecting the rights of individuals must be reported to the designated Regulator within 72 hours.	Under HIPAA Regulation breaches affecting 500 records or more needs to be reported to the designated regulator within 60 days
Penalties	The EU GDPR had set a maximum fine of €20 million (£18 million) or 4% of annual global turnover whichever is greater in case of a breach.	The HIPAA Regulation has set penalties for non-compliance based on the level of negligence which can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for repeat violations.

GDPR & HIPAA Regulation– Making the Compliance Process Easier

GDPR and HIPAA Compliance Regulations are Data Privacy laws established to protect the Privacy and Integrity of sensitive data. Since the primary focus of the two Regulations is similar, achieving Compliance to either of the two or both the Regulations can be a lot easier.GDPR is a Regulation much broader in scope and does not just deal with healthcare information, but all sensitive personal data. However, both the Regulations are established keeping in mind the public interest and security of sensitive information. Since the primary focus is onData Security, Privacy,and Integrity, all the measures necessary to comply with the Regulations are broadly similar. So, organizations that are already GDPR or HIPAA Compliant will have in place most of the security measures required to protect the privacy of the data. This will automatically bring your organization closer to achieving Compliance with the other Regulation. Given below are some similarities drawn out in both the Regulation-

Titles	GDPR	HIPAA
Personal Data	Data that can lead to identifying an individual’s personal identity is defined under Personal Data.	Data that can lead to identifying an individual’s personal identity is defined the same as the Individually Identifiable Health Information.
Children’s data	GDPR requires organizations to handle data of children differently with explicit consent from guardians or parents.	HIPAA Regulation too calls for special handling and protecting the privacy of children’s health information.
Security Measures	Organizations need to develop and maintain Data Protection Policies and Procedures. They are also required to identify privacy risks and have in place Data Protection measures and plan how data is processed, disclosed, stored, managed, distributed, and used.	Covered entities and Business Associates need to develop data protection policies, procedures, and have in place physical, technical, and administrative measures to protect the privacy of health information. They are required to identify privacy risks and how health information data is disclosed, stored, and managed.
Data Protection Officer/Privacy Officer	The organization needs to appoint a Data Protection Officer who process sensitive Personal Data.	HIPAA requires the appointment of a Privacy Officer and a Security Officer.
Consumer Rights	GDPR gives people rights over their data and requires organizations to provide copies of data used and details to whom it is transferred or shared.	HIPAA gives patients the right to access their data and require covered entities to provide copies of data used and details to whom the data was disclosed and shared.
Breach Notification	GDPR requires organizations to disclose the breach to the data protection regulator within 72 hours of the incident.	HIPAA too has a breach notification process and disclosure timeframe which includes breaches affecting 500 or more individuals to be notified to the secretary within 60 days.

Conclusion –Approach to Adopt for achieving GDPR & HIPAA Compliance

Organizations looking to be GDPR and HIPAA Compliant, especially for organizations operating in healthcare must map the requirements of both regulations to draw out requirements that go hand in hand. As experts of the industry, we suggest adopting the following approach for your Compliance efforts-

Conduct Data Assessment- It is essential for organizations to first conduct a data assessment to understand the volume and type of sensitive data they are dealing with. This will help them scope the environment and plan strategies around it to safeguard sensitive data. It will also facilitate prioritizing data based on their sensitivity and risk exposure. On-going inventory and assessment of confidential data are necessary to ensure the organization knows where all confidential data resides and the vulnerabilities exposed to the data.

Identify Data Risk Exposure- Organizations should conduct an assessment or evaluate the current security posture of their environment to gauge their level of risk exposure and resilience against threats.This should be evaluated in line with both the regulatory requirements to determine the gap and necessary controls required to be in place. The assessment helps in planning the implementation of security controls and measures for ensuring the security of data and compliance with the Regulation.

Establish Privacy Policy and Procedures- Organizations must design and develop Data Privacy Policies, Procedures, and Frameworks in accordance with their goals of Compliance. Once the Data Assessment and Evaluation of Risk Exposures are performed, based on the gaps identified organizations can accordingly design Policy and Procedures to meet the requirements.

Appoint Professional Consultants – Organizations will need to consult a professional Cyber Security Consulting firm that has a comprehensive understanding of the industry, and its regulatory requirements. Experience and expertise from professionals go a long way in making the Compliance process and journey easy. Organizations need to hire the right consultants for the job for gaining fruitful results.

Author Bio

NarendraSahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India.