Adopted in April 2016, the General Data Protection Regulation (GDPR) is Europe’s new framework for data protection laws, replacing the EU Data Protection Act of 1998. GDPR is designed to standardize data privacy and protection laws across Europe and it changes how personal and sensitive data can be used, processed, managed, stored and disclosed. Enforcement of GDPR compliance by the UK Information Commissioner’s Office (ICO) began on May 25, 2018.
Who Must Comply
GDPR and HIPAA Requirement Similarities
To better understand some of the GDPR requirements, listed below are some similarities with the USA HIPAA compliance requirements.
- Personal data in the GDPR is defined the same as the Individually Identifiable Health Information (IIHI) HIPAA definition.
- Organizations covered by the GDPR will be more accountable for handling people’s personal information, similar to HIPAA’s accounting for disclosures and Notice of Privacy Practices (NPP).
- Organizations will need to account for data portability. (They did not need to prior to GDPR.)
- Organizations will need to handle children’s data differently in the context of internet services and social networking. A parent or guardian must give consent for a child’s data to be used, similar to HIPAA and other regulations.
- Organizations must develop and maintain data protection policies and procedures; complete, update, and retain data protection impact/risk assessments; develop and implement remediation plans; identify privacy risks and have relevant documents on how data is processed, disclosed, stored, managed, distributed, and used, similar to HIPAA’s administrative, technical and physical safeguards.
- A “Data Protection Officer” has to be employed by organizations that process sensitive personal data. This is similar to HIPAA, as HIPAA requires a Privacy Officer as well as a Security Officer.
- Organizations have to obtain consent from the person whose personal data is about to be used. The consent has to clearly explain that consent is being given and that it is a “positive opt-in.” Copies must be retained, similar to HIPAA’s release-of-information consent.
- Breaches need to be disclosed within 72 hours of discovery to the country’s data protection regulator (the UK Information Commissioner’s Office in Europe). People who are impacted by the breach have to be told as well. HIPAA also has a breach notification process and disclosure timeframe.
- Similar to HIPAA’s patient rights, the GDPR gives people rights over their data. Organizations will need to provide copies of what data has been used and to whom it is given, etc.
The Biggest Difference
One of the biggest differences between HIPAA and GDPR is that the GDPR harmonizes the breach notification law across all EU States. The USA Federal HIPAA breach notification laws can be further defined at the State level.
The Bottom Line
GDPR and HIPAA non-compliance will result in fines. Fines are tiered based on the offence and the consequences of the non-compliance, and more severe offences could result in millions per offence. Hence, organizations should understand the overlap between the Federal and International regulations affecting IIHI and PHI in order to gain operational efficiencies.