“Protecting someone else’s data protects all of us.” Tim Cook, CEO of Apple
By: Shobha Lizaso
Important Differences: GDPR vs. HIPAA
- Personal Data:
The definition of “personal data” in Article 4 of the GDPR is as follows:
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person….”
The GDPR’s definition of “personal data” casts a wide net. In addition to the personal data protected by HIPAA, the GDPR covers ANY personal data such as computer IP addresses, physical traits, religion, memberships, photos, credit card data, etc.
- Consent Required:
Under HIPAA, obtaining a patient’s consent for the use of protected health information for treatment, payment and health care operations activities is optional; however, GDPR requires a health care provider either to obtain an individual’s consent to process personal data or to have another lawful basis for processing the personal data. To obtain consent from an individual to process his/her personal data under GDPR, the individual’s consent must be an explicit, freely given, specific, informed and unambiguous agreement to the processing. Under GDPR, an individual must give explicit consent to the use of his/her personal data for each instance in which the data is going to be used outside of direct patient care, while HIPAA does not require that an individual sign a consent or release of his/her personal data for treatment or payment purposes.
- Right to Be Forgotten:
Individuals have “the right of erasure” (the right to be forgotten) under GDPR and can require a healthcare provider to delete all of their personal data from the provider’s databases. HIPAA does not provide for this right to be forgotten.
HIPAA states that healthcare providers may disclose a limited set of personal data to third parties for marketing purposes, and sharing this data with third parties does not require consent from the individual. GDPR, however, requires consent for each use of the personal data.
- Reporting a Breach:
Under the GDPR, in the event of a breach, the breach must be reported within 72 hours of discovery, which is an extremely short window. HIPAA, on the other hand, requires that breaches be reported no later than 60 days after the breach was discovered.
- Fines for GDPR Non-Compliance:
Organizations that violate the GDPR compliance requirements could face fines up to 4% of their global annual revenue or 20 million euros, whichever fine is higher; this is much more severe than under HIPAA, which has a maximum fine penalty of $1.5 million per year for identical violations.
If you are an organization that deals with patients from outside the United States, it is a good idea to prepare your business and web presence for GDPR compliance.