HIPAA vs. GDPR: major acts regulating health data protection
With a growing share of electronic and online data flow in healthcare, as well as the spread of e-health services, more concerns are raised about protecting patients' privacy and securing their personal data. The healthcare ecosystem is becoming increasingly complex and is centred on the services, care and products provided to its patients. At the same time, in response to technology advancements, healthcare facilities and organizations are becoming part of a digital transformation that promises better care and service. However, with deeper digitalization, the risk of cyber-attacks increases as well.
The importance of keeping personal information both private and secure is critical in the healthcare industry. Though the laws and standards for data protection vary between countries, in this post we are going to compare the two main regulations on data protection in the Western world, namely HIPAA and GDPR.
HIPAA (Health Insurance Portability and Accountability Act)
Year of adoption: 1996
Protected data: sensitive patient data, that is, individually identifiable information relating to the past, present, or future health status of an individual that is created, collected, transmitted, or maintained by a HIPAA-covered entity in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations, including:
1. Health information such as diagnoses, treatment information, medical test results, and prescription information
2. National identification numbers and demographic information such as birth dates, gender, ethnicity
3. Contact and emergency contact information
HIPAA applies to:
- entities providing treatment, payment, and operations in healthcare;
- business associates with access to patient information who provide support in treatment, payment, or operations;
- subcontractors and any other related business associates.
Companies that deal with protected health information must have physical, network, and process security measures in place and follow them.
Security actions required
HIPAA prescribes specific physical and technical safeguards for organizations hosting sensitive patient data, including:
1. Limited facility access and control, with authorized access procedures in place.
2. Policies on the use of and access to workstations and electronic media.
3. Restrictions on transferring, removing, disposing of, and re-using electronic media and ePHI.
4. Access control allowing only authorized personnel to access ePHI.
5. Unique user IDs, emergency access procedures, automatic log-off, and encryption and decryption.
6. Audit reports or tracking logs that record activity on hardware and software.
The federal fines for noncompliance are based on the level of perceived negligence and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation.
Related legal acts
The HIPAA Privacy Rule (Standards for Privacy of Individually Identifiable Health Information) establishes national standards for the protection of certain health information.
The HIPAA Security Rule establishes a national set of security standards for protecting specific health information. The Security Rule operationalizes the Privacy Rule's protections by addressing the technical and non-technical safeguards that covered entities must put in place.
The Internet of Things Cybersecurity Improvement Act of 2017 is a U.S. Senate bill that lays ground rules for IoT device security. While the legislation only applies to government agency affiliates and suppliers, it can become a benchmark for device manufacturing that would influence commercial production.
GDPR (the EU General Data Protection Regulation)
Year of adoption: 2016 (in effect since May 25, 2018)
Domain: No specific domain
The GDPR treats data concerning health as a special category of personal data and provides its own definition of health data for data protection purposes.
Protected data: all types of personal data that directly or indirectly identify an individual, in paper, electronic, or online format, including:
1. Basic identity information such as name, email, address, and ID numbers
2. Web data such as location, IP address, cookies data, and RFID tags
3. Health, genetic, and biometric data
4. Racial or ethnic data
5. Political opinions
6. Sexual orientation
The GDPR applies to:
- public and private companies and organizations that are registered in the EU or have an establishment or subsidiary in the EU;
- organizations outside the EU that offer goods or services to citizens of the EU and request or re-use the personal data of EU residents;
- companies with more than 250 employees;
- companies with fewer than 250 employees whose practices impact the rights and freedoms of EU citizens or involve certain types of sensitive personal data.
In practice, that means nearly all companies.
The governing principle is privacy by design and by default: privacy standards are built into the technology and enabled for the user by default, shifting the burden of privacy protection from the user onto the company or organization.
Security actions required
GDPR has specific instructions for what types of security actions may be required:
- The encryption and pseudonymization of personal data.
- Regular testing, assessment, and evaluation of the effectiveness of technical and organizational measures for ensuring the security of the data.
- Provisions for the confidentiality, integrity, availability, and resilience of processing systems and services.
- In the event of a physical or technical incident, the ability to restore the availability of and access to personal data in a timely manner.
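Pseudonymization, as the list above names it, means replacing the direct identifiers in a record with tokens that can only be linked back to the person by whoever holds a separate key. The following is an added illustration written for this post, not code from the original; the record layout, the list of identifier fields and the sample values are constructed assumptions.

```python
"""Pseudonymization of a health record: direct identifiers are replaced
by keyed HMAC-SHA256 tokens, and the key that permits re-identification
is kept apart from the processed data. Added example, not from the post."""
import hashlib
import hmac
import json
import secrets

# Fields treated as direct identifiers (assumed field names for this example).
DIRECT_IDENTIFIERS = ("name", "email", "national_id")

# Constructed sample record, not real patient data.
SAMPLE = {
    "name": "Jane Doe",
    "email": "jane@example.org",
    "national_id": "123-45-6789",
    "diagnosis": "hypertension",
    "visit_date": "2018-05-25",
}


def new_pseudonymization_key() -> bytes:
    """Generate the secret that links tokens back to people; store it
    separately from the pseudonymized dataset (key management is out of scope)."""
    return secrets.token_bytes(32)


def pseudonymize(record: dict, key: bytes) -> dict:
    """Return a copy of `record` with direct identifiers replaced by tokens.
    The same value under the same key yields the same token, so one patient's
    records stay linkable for processing without revealing who the patient is.
    A keyed MAC is used rather than a plain hash: without the key, a token
    cannot be reversed by hashing candidate names or ID numbers."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            value = str(out[field]).strip().lower().encode()
            # Field name is mixed in so equal values in different fields differ.
            msg = field.encode() + b":" + value
            out[field] = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return out


def leaks_identifier(pseudo: dict, original: dict) -> bool:
    """Check whether any original identifier value survives anywhere in the
    pseudonymized record (serialised, case-insensitive)."""
    blob = json.dumps(pseudo).lower()
    return any(str(original[f]).lower() in blob
               for f in DIRECT_IDENTIFIERS if f in original)
```

Health fields such as the diagnosis stay readable for the processing purpose; what changes is that re-identification now requires access to the separately held key.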
The fines for noncompliance issued by the GDPR authorities can reach up to EUR 20 million or 4% of annual worldwide turnover, whichever is higher.
Related legal acts
The Data Protection Directive (Directive 95/46/EC on the protection of individuals with regard to the processing of personal data, roughly what US usage calls PII, and on the free movement of such data) was the preceding European Union directive, adopted in 1995 to regulate the processing of personal data within the European Union.
As we can see, neither regulation defines requirements for specific technology types, allowing the healthcare organization to implement its own security measures to meet the standard and specification. At the same time, both pose a challenge to the growing number of health and fitness apps, most of which are unregulated because they are not classed as medical devices but which must still comply with data protection rules; so new regulations, similar to the US Internet of Things Cybersecurity Improvement Act, need to emerge to cover the most recent developments.
However, we are far from being lawyers, so comments from more competent colleagues are most welcome, as are your insights and speculations about data protection in other countries!