[BreachExchange] GDPR Vs. HIPAA — Noting The Differences

[Audrey McNeil]

https://www.healthitoutcomes.com/doc/gdpr-vs-hipaa-noting-
the-differences-0001

If you are in the United Kingdom or anywhere in the European Union, you may
have already started working towards GDPR compliance. The General Data
Protection Regulations (GDPR) is a set of compliance requirements that
comes into effect in May 2018 and will apply to any organization that deals
with data provided by citizens of the European Union. In other words, this
ruling can apply to your organization even if you are based outside the EU
but handle data pertaining to patients from the EU.

A Brief Summary

Before we discuss the impact of GDPR on healthcare providers, it is
important to take a look at what the GDPR regulations state. Philip Piletic
has a great article on this subject, but the essential takeaways are:

- Strict adherence to patient consent while acquiring their personal
details. Organizations can no longer use sneaky opt-out strategies that
assume patient consent by default.
- Right to be forgotten — healthcare providers can no longer hold patient
data indefinitely and must delete this information permanently upon request.
- High security storage — it is mandatory for healthcare service providers
to deploy adequate security, encryption, pseudonymization, redundancy, and
intrusion detection mechanisms in order to ensure that patient data is not
compromised in any way.

Similarities With HIPAA

If you are in the United States, a lot of these regulations may already be
in place thanks to HIPAA. The HIPAA regulation mandates complete SSL
protection for patient data that is transmitted through your hospital
servers. Also, similar to GDPR, the HIPAA compliance requirements also make
it mandatory for healthcare providers to adhere to stringent data security
protocols and ensure compliance to the established protocols while
disposing data.

Coverage

One of the essential differences between HIPAA and GDPR arises with who
these regulations cover. At the outset, it is clear that GDPR covers
citizens of the EU while HIPAA is restricted to American citizens and
healthcare organizations. But what happens when a citizen from one of these
countries visit a third country like India for healthcare? In such a
scenario, GDPR can still apply because this is a consumer-centric
regulation - any organization across the world is liable to adhere to these
stringent regulations when they deal with data pertaining to citizens from
the EU. HIPAA, on the other hand, is an organization-centric regulation and
any data handled by organizations outside the US do not come under the
purview of HIPAA.

Patient Consent

Like we pointed out earlier, the HIPAA regulations are organization-centric
and are mainly targeted at protecting patient records from security breach.
In essence, it does not talk about the patient’s consent to data use. In
other words, unlike in GDPR, where organizations must get an active consent
from the patient before storing any of their personal details in their
database, there is no such requirement from HIPAA. Healthcare organizations
are free to process these details as long as they are stored and
transmitted with adequate security.

Right To Erasure

The right to erasure (in other words, the right to be forgotten) is a
tricky subject as far as healthcare goes. HIPAA does not have a right to be
forgotten rule. That means any patient record that is in the hospital’s
database cannot be erased simply because the patient wants to. This is
unlike GDPR where an organization must comply with such requests from
consumers.

While the right to be forgotten can seem like an earnest move from the
regulators, it is not exactly feasible for health insurance providers.
These organizations assess the premium based on a patient’s past history.
This way, a patient who is known chain-smoker may be required to shell a
lot higher premium for oral cancer related insurance while a non-smoker,
who is less risky, pays lower. What happens if the chain-smoker requests
for his patient details to be expunged? The GDPR ruling to let patients
demand erasure of their records could be penalizing patients who lead
healthy lives and make it cheaper for individuals with unhealthy lifestyles
to secure insurance.

Marketing

One of the biggest differences between HIPAA and GDPR is in the way the
regulations treat processors of information. GDPR identifies two parties
responsible for handling data - controllers are the healthcare
organizations that own the patient data while processors are the third
party agencies who may be responsible for transmitting these details. An
email hosting company or a marketing agency may be considered a processor
while your hospital or insurance company is the controller.

According to Kelly Seifers, the founder of iHealthSpot, a company that
handles marketing for healthcare organizations, HIPAA does not explicitly
prohibit healthcare organizations from letting third party agencies to send
out marketing messages to patients without consent. She points to the
ruling in Section 164.514(e) of HIPAA that states that healthcare
organizations may disclose a “limited data set”   to a third party for
marketing purposes. This limited data set should however exclude direct
identifiers like name, address, telephone number, email, IP address and
photos. While this does not seem draconian, it should be pointed out that
sharing these details to third parties do not require patient consent,
unlike in GDPR.

Violations

Both HIPAA and GDPR propose stringent penalties on organizations that
violate their regulations. However, there is a significant difference in
the way the violations are assessed in the first place. With GDPR, any
organization that violates guidelines with respect to security or handling
of personal data is liable to be prosecuted. The 2013 Final Omnibus Rule of
HIPAA states that rule cited for prosecutions related to “significant harm”
caused by violations, the organizations must prove that harm had not
occurred. Also, HIPAA guidelines may be waived off during times of
calamities like with the recent Hurricane Harvey. No such provisions exist
with GDPR at the moment.

Although GDPR is not restricted to healthcare, it does strive to bring in
regulations that are a lot more stringent and in turn, protects your
consumers better than HIPAA does. If you are an organization that deals
with patients from outside the United States, it is a good idea to prepare
your business for GDPR compliance. Besides the fact that you are adhering
to legal requirements, it is also better for your patients.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171215/3bab9f70/attachment.html>