GDPR & HIPAA Compliance – Key Similarities and Differences in the Compliance Requirements
Narendra Sahoo
Director| PCI DSS| PCI SSF | SOC 2| GDPR | HIPAA | ISO 27001 Auditor / Consultant
Privacy regulations have long been a major concern for most businesses processing or dealing with Personal Data. Today, acknowledging that protecting Personal Information is essential, many regulatory and governing bodies around the world have developed privacy laws, rules, and regulations. The Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation Act (GDPR) are two widely known privacy regulations established with the aim of protecting the privacy and confidentiality of Personal Information. In today’s article, we will discuss both regulations and their similarities and differences. This will give you a better understanding of both regulations and help ease your Compliance efforts. So, let us first look at each Regulation individually and then understand how both Regulations can be mapped into a single Compliance effort.
What is the GDPR Regulation?
The General Data Protection Regulation Act is an EU law on Data Protection and Privacy. In January 2012, the European Commission set out plans for data protection reforms across Europe, called the GDPR, and later, in 2016, established the Regulatory framework. The regulation requires businesses to protect the privacy of EU citizens. It also protects the privacy of Personal Data processed outside the EU and EEA. The Regulation gives citizens rights and control over the use of their Personal Information. GDPR requires businesses to implement data protection measures that secure Personal Information against theft, fraud, or misuse.
What is HIPAA Regulation?
The Health Insurance Portability & Accountability Act 1996 is a data protection regulation for US health care providers, health insurers, employees, and third parties dealing with personal health information. HIPAA calls for adherence to a set of requirements designed to secure sensitive Protected Health Information (PHI). It also sets out Data Governance Procedures in the areas of billing and administration, and it preserves the right of patients to receive copies of their PHI from organizations. It further stipulates Procedures for the circumstances under which healthcare providers may disclose, maintain, or process information with third parties. Organizations that deal with Protected Health Information (PHI) are expected to comply with the Regulation by having in place the security measures necessary to secure PHI data.
GDPR VS HIPAA
Protected Data
GDPR
GDPR calls for the protection of Personal Data/Information (PI). Personal Data is defined as any data that leads to, or can result in, the personal identification of an individual.
HIPAA
HIPAA calls for the protection of the Protected Health Information (PHI) of individuals/patients. Protected Health Information is defined as any information related to health status, care, or payment that is created or collected by a HIPAA Covered Entity and can be linked to a specific individual.
Applicability
GDPR
Organizations that deal with or process the Personal Data of EU citizens need to comply with the GDPR.
HIPAA
HIPAA applies to all Covered Entities and Business Associates, including health plans, health care clearinghouses, and health care providers that deal with and process PHI data.
Scope
GDPR
The GDPR applies globally to any organization that deals with the PI of EU citizens.
HIPAA
HIPAA applies to covered entities and their business associates within the US.
Consent
GDPR
Under the GDPR, explicit consent is mandatory for the processing of personal health data, which is considered sensitive data. However, the data may be processed without consent if it meets the conditions for processing set out in Article 9 of the GDPR.
HIPAA
Under HIPAA, no explicit consent is required for the disclosure of PHI for treatment purposes.
Consumer Rights
GDPR
GDPR gives consumers full control over the use of their Personal Information. Individuals have the right to be forgotten, i.e. to have their data deleted upon request.
HIPAA
HIPAA does not specify such rights for individuals.
Data Security
GDPR
Under GDPR, breaches affecting the rights of individuals must be reported to the designated Regulator within 72 hours.
HIPAA
Under HIPAA, breaches affecting 500 records or more need to be reported to the designated regulator within 60 days.
Penalties
GDPR
The EU GDPR sets a maximum fine of €20 million (£18 million) or 4% of annual global turnover, whichever is greater, in case of a breach.
HIPAA
HIPAA sets penalties for non-compliance based on the level of negligence, which can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for repeat violations.
GDPR & HIPAA Regulation – Making the Compliance Process Easier
GDPR and HIPAA are Data Privacy laws established to protect the Privacy and Integrity of sensitive data. Since the primary focus of the two Regulations is similar, achieving Compliance with either or both of them can be a lot easier. GDPR is much broader in scope and does not deal only with healthcare information, but with all sensitive personal data. However, both Regulations were established with the public interest and the security of sensitive information in mind. Since the primary focus is on Data Security, Privacy, and Integrity, the measures necessary to comply with the two Regulations are broadly similar. So, organizations that are already GDPR or HIPAA Compliant will have in place most of the security measures required to protect the privacy of the data. This automatically brings your organization closer to achieving Compliance with the other Regulation.
Conclusion – Approach to Adopt for Achieving GDPR & HIPAA Compliance
Organizations looking to be GDPR and HIPAA Compliant, especially those operating in healthcare, must map the requirements of both regulations to draw out the requirements that go hand in hand. As industry experts, we suggest adopting the following approach for your Compliance efforts:
Conduct a Data Assessment – Organizations should first conduct a data assessment to understand the volume and type of sensitive data they are dealing with. This helps them scope the environment and plan strategies around it to safeguard sensitive data. It also facilitates prioritizing data based on its sensitivity and risk exposure. Ongoing inventory and assessment of confidential data are necessary to ensure the organization knows where all confidential data resides and which vulnerabilities that data is exposed to.
Identify Data Risk Exposure – Organizations should assess the current security posture of their environment to gauge their level of risk exposure and resilience against threats. This should be evaluated against both sets of regulatory requirements to determine the gaps and the controls that need to be in place. The assessment helps in planning the implementation of the security controls and measures that ensure the security of data and compliance with the Regulations.
Establish Privacy Policy and Procedures – Organizations must design and develop Data Privacy Policies, Procedures, and Frameworks in line with their Compliance goals. Once the Data Assessment and Evaluation of Risk Exposure are performed, organizations can design Policies and Procedures that address the gaps identified and meet the requirements.
Appoint Professional Consultants – Organizations will need to consult a professional Cyber Security Consulting firm that has a comprehensive understanding of the industry and its regulatory requirements. Experience and expertise from professionals go a long way in making the Compliance process and journey easier. Organizations need to hire the right consultants for the job to gain fruitful results.
This article was originally published on Cybersecuritynews:
https://cybersecuritynews.com/gdpr-hipaa-compliance/