Avoid GDPR Penalties In Your United States Healthcare Organization
Understand the key differences between HIPAA & GDPR requirements
You know you have to comply with the requirements and protections under the Health Insurance Portability and Accountability Act (HIPAA) as a U.S. healthcare provider, but what about the General Data Protection Rule (GDPR)? You might be surprised to learn that the GDPR may apply to U.S. providers – not just those in the European Union (EU).
There are scenarios in which GDPR’s standards apply to your patient records in the United States, according to healthcare industry attorney Wayne Miller, Esq. in his audio conference, “General Data Protection Rule (GDPR): It Can Apply to American Providers!” And you need to understand how GDPR differs from HIPAA in substantial ways.
Pay Attention To 3 Main GDPR Tenets
The GDPR became effective in May 2018, and many EU healthcare providers are already deep into their compliance efforts, according to Health IT Outcomes. The rule applies to any organization that deals with data provided by EU citizens, and the major difference between GDPR and HIPAA is that one rule applies largely to the EU while the other applies to the United States.
But there are many other key differences and implications for both regulations. The GDPR involves the following major elements:
- Patient consent – Strict adherence to patient consent while acquiring personal details and a ban of the use of misleading opt-out methods;
- Right to be forgotten – Healthcare providers cannot hold patient data indefinitely and must delete information permanently upon request; and
- High-security storage – Mandatory deployment of adequate security, encryption, pseudonymization, redundancy, and intrusion-detection mechanisms to prevent patient data from being compromised.
Although HIPAA has many of the same protections as GDPR, you cannot necessarily rely on your HIPAA compliance to also make you compliant with the GDPR requirements. You must ensure that you comply with GDPR if your U.S. healthcare organization is involved in medical tourism programs or provides clinical services internationally, within EU boundaries, according to Ipswitch.
But what if you’re providing healthcare services in the United States to an EU resident? In this case, your handling of the patient’s protected health information (PHI) would fall under the HIPAA Privacy and Security Rules. You would not necessarily need to comply with the GDPR.
Not so fast: if you collected the patient’s PHI while the person was in the EU, then the GDPR would apply. For instance, if you collect the personal information of someone residing in the EU through a website, you must comply with GDPR rules.
GDPR vs. HIPAA: Important Differences
Compared to HIPAA, GDPR differs in how you must securely handle data, according to the Compliancy Group. Here are some key differences between HIPAA and GDPR rules and requirements:
- Scope of protected information – The GDPR has a much broader scope of what is considered protected information. “Sensitive personal data” under GDPR compliance standards also includes racial or ethnic origin, religious or philosophical beliefs, political affiliations, union memberships, biometric or genetic data, sexual practice or orientation, and any data relating to health.
- Scope of covered entities – Unlike HIPAA, which applies to covered entities and business associates, GDPR applies to any and all organizations established within or outside the EU that process EU residents’ personal data.
- Explicit consent – The GDPR mandates that organizations get active consent from the patient before storing any of his/her personal information in their database. There’s no such requirement under HIPAA.
- Data breaches – HIPAA has specific requirements regarding data breach notification, which vary depending on the size of the breach. Under the GDPR, however, there are no differing rules depending on how many people are affected by a breach, and you must report a breach to a “supervisory authority.”
- Erasing data – Unlike HIPAA, the GDPR has a “right to be forgotten” rule, which means that an organization must erase all of an individual’s data if the individual requests it, whether or not a reason is given.
Don’t Rely On Your HIPAA Compliance Alone
Bottom line: You must understand exactly how and when the GDPR applies to your organization, or else you could face stiff penalties, Wayne Miller says in his audio conference. Beware that your compliance with HIPAA won’t be enough to save you from GDPR violations and the resulting consequences.