International: GDPR v. HIPAA
The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the Health Insurance Portability and Accountability Act of 1996, as amended ('HIPAA'), both regulate medical data in their respective jurisdictions. Nathanael F. Williams, Associate at Fox Rothschild LLP, discusses the similarities and differences between these two pieces of legislation.
'Data concerning health', as defined by the GDPR, and 'protected health information', as defined by HIPAA and its implementing regulations, are similar subsets of personal data. Both can include some of the most intimate information about a person and, for that reason, lawmakers around the world generally regard such data as requiring statutory protection. Using Article 5 of the GDPR and the principles relating to the processing of personal data listed there (set out below) as a frame, this article explores at a high level the similarities and differences between the principles underlying the processing and protection of health and medical data under the GDPR and HIPAA. Once certain matters of scope and applicability are addressed, the many similarities between the processing and data protection principles of the two regimes become clear.
Under the GDPR, 'data concerning health' is a special category of personal data under Article 9, and is defined as 'personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status'1. This definition is general and, in light of the law's purpose of protecting this sensitive category of data, is interpreted broadly2. The processing of special categories of data, including data concerning health, is prohibited except under the circumstances enumerated in Article 9(2). Particularly relevant here is the Article 9(2)(h) exception, which applies where 'processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3'. Under Article 9(3), this exception is available only where the data concerning health are 'processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies'3.
HIPAA Privacy Rule
Under the HIPAA Privacy Rule, 'protected health information' is defined as 'individually identifiable health information… transmitted by electronic media, maintained by electronic media, or transmitted or maintained in any other form or medium'4. 'Individually identifiable health information' is 'information that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual'5. 'Health information' is defined by HIPAA as 'any information, including genetic information, whether oral or recorded in any form or medium, that: (1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual'6.
Similarities and differences
As the definitions above show, data concerning health and protected health information cover quite similar sets of data, but one element of the definition of protected health information distinguishes it from data concerning health: the scope of entities to which the term applies and the context in which the information is created or received. Under the GDPR, whether data falls within 'data concerning health' does not depend on the type of controller, processor, or industry. Under HIPAA, by contrast, protected health information is limited to information 'created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual'7, and the definition expressly excludes employment records held by a covered entity in its role as employer. Therefore, if an employer in the U.S., acting as employer rather than as a health care provider, holds health information in an employee's employment record, that information is not protected health information. Under the GDPR, by contrast, personal data related to the physical or mental health of a natural person is data concerning health regardless of the context in which it is held; the employment context bears only on whether an exception to the processing prohibition applies8.
Another fundamental distinction is the type of action that each law regulates. Under the GDPR, a controller's or processor's 'processing' of personal data is regulated, while under HIPAA a covered entity or business associate is restricted in its 'use' and 'disclosure' of protected health information. 'Processing' under the GDPR is broadly defined as 'any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction'9. Under HIPAA, 'disclosure' means 'release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information', and 'use' means 'the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information'10. Accordingly, both the scope of data covered by the GDPR and the range of actions it regulates under the definition of 'processing' are broader than 'use' and 'disclosure' under HIPAA.
Article 5 of the GDPR states:
'1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency');
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ('purpose limitation');
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy');
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ('storage limitation');
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality');
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability')'.
Lawfulness, fairness, and transparency
Under the GDPR, the lawfulness principle requires a lawful basis under Article 6(1) and, for data concerning health, an applicable exception to the prohibition on processing special categories of data under Article 9(2). Unlike the GDPR, HIPAA focuses on the purpose of the use or disclosure, or on the recipient of the protected health information, rather than on a legal basis for the processing as such. Under HIPAA, certain uses or disclosures by covered entities or business associates are required, permitted without authorisation from the patient, or permitted after authorisation from the patient or where the patient has been given an opportunity to object and has not done so11. Many of the GDPR's lawful bases nevertheless have counterparts among HIPAA's permitted or required uses or disclosures. For example, the basic requirements for consent12 under the GDPR (freely given, specific, informed and unambiguous, as defined in Article 4(11) and subject to the conditions of Article 7, and, for data concerning health, explicit under Article 9(2)(a)) are similar to those for a HIPAA authorisation13; compliance with a legal obligation14 under the GDPR is similar to HIPAA's uses or disclosures that are required by law15; and the GDPR's protection of a vital interest of the data subject16 is similar to HIPAA's permitted disclosures in an emergency17. Furthermore, the transparency concept in Article 5(1)(a) and the data subject rights in Chapter 3 of the GDPR are quite similar to HIPAA's requirements to provide a notice of privacy practices and to give individuals the right to request restrictions on uses and disclosures, to access their protected health information, to request amendment of it, and to receive an accounting of disclosures18.
Purpose limitation and data minimisation
The similarities continue between Article 5(1)(b) and (c) of the GDPR and HIPAA with respect to purpose limitation and data minimisation. Just as data concerning health must be 'collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes' and 'limited to what is necessary in relation to the purposes for which they are processed'19 under the GDPR, HIPAA's 'minimum necessary' requirements limit the protected health information that may be requested, used or disclosed for a particular purpose to the minimum necessary to accomplish it20. Therefore, for example, if an individual's health data was collected for research purposes, under both the GDPR and HIPAA the data may be used only for that purpose unless the further requirements for additional processing, or for further use or disclosure, are met.
Storage limitation
Storage limitation is a concept that both the GDPR and HIPAA address, but the two laws pull in opposite directions. Under HIPAA, required compliance documentation must be retained for six years from the date of its creation or the date when it was last in effect, whichever is later21. The purpose of this rule is to ensure that compliance documentation is kept for a sufficient period. With respect to protected health information itself, although the 'minimum necessary' requirements apply, HIPAA sets no maximum period for which the information may be retained; retention periods for medical records are instead a matter of state law. The GDPR, by contrast, requires that personal data be kept in a form that 'permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed'22. This is therefore one area in which the HIPAA and GDPR data protection principles diverge.
Accuracy, integrity, and confidentiality
Accuracy, integrity, and confidentiality are important principles under the GDPR (Article 5(1)(d) and (f)) and HIPAA, as demonstrated by the data subject rights in Chapter 3 of the GDPR and the individual rights in HIPAA's Privacy Rule23, as well as by the security requirements of both laws. Under HIPAA, the general security standard in 45 CFR § 164.306(a) states that 'covered entities and business associates must do the following: (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits'24. Corresponding to the accuracy principle of Article 5(1)(d) of the GDPR, HIPAA gives individuals the right to access their protected health information and to request its amendment. Corresponding to the GDPR's requirement of 'appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures', HIPAA's Security Rule contains an entire set of administrative, physical and technical safeguards and organisational requirements that serve the same goal as Article 5(1)(f), with far more specific standards than Article 32 of the GDPR. One caveat for practitioners: the Security Rule applies only to electronic protected health information, whereas Article 32 applies to personal data in any form.
Accountability
The GDPR ultimately vests responsibility for compliance with Article 5(1) in the controller, whereas HIPAA's rules apply to both covered entities and business associates. The mechanisms are nonetheless similar: just as a data processing agreement under Article 28 of the GDPR holds a processor accountable to the controller, a HIPAA business associate agreement holds the business associate accountable to the covered entity. Since the 2013 Omnibus Rule, business associates are also directly liable under HIPAA for their own compliance with the Security Rule and with the applicable provisions of the Privacy Rule, much as processors carry direct obligations under the GDPR.
The differences between the data processing and data protection frameworks of the GDPR and HIPAA are most notable in the breadth of their applicability. Any controller or processor of data concerning health within the territorial scope of Article 3 is subject to the GDPR, while only covered entities and business associates are subject to HIPAA. Any entity that is a covered entity under HIPAA in the U.S. and that also processes data concerning health in the European Economic Area will therefore find this type of analysis useful for identifying administrative and operational synergies, potential redundancies, and gaps in compliance that could lead to liability.
Nathanael F. Williams Associate [email protected] Fox Rothschild LLP, Philadelphia
1. Article 4(15) GDPR.
2. Datatilsynet, 2 July 2020, 20/02191-1 KBK/- (available here: https://www.datatilsynet.no/contentassets/9d5792264c884f3a903d3981c38812ac/~-20_02191-1-vedtak-om-overtredelsesgebyr---ralingen-kommune-202444_10_1.pdf).
3. Article 9(3) GDPR.
4. 45 CFR § 160.103.
5. 45 CFR § 160.103.
6. 45 CFR § 160.103.
7. 45 CFR § 160.103.
8. Article 9(2)(b) GDPR.
9. Article 4(2) GDPR.
10. 45 CFR § 160.103.
11. 45 CFR §§ 164.502 – 164.516.
12. Article 6(1)(a) GDPR.
13. 45 CFR § 164.508.
14. Article 6(1)(c) GDPR.
15. 'Required by law' is defined as 'a mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorised to require the production of information; a civil or an authorised investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.' 45 CFR § 164.103.
16. Article 6(1)(d) GDPR.
17. 45 CFR § 164.512(f).
18. 45 CFR §§ 164.520, 164.522, 164.524, 164.526, 164.528.
19. Article 5(1)(b) and (c) GDPR.
20. 45 CFR § 164.514(d).
21. 45 CFR §§ 164.316(b); 164.530(j)(2).
22. Article 5(1)(e) GDPR.
23. 45 CFR Part 164, Subpart E.
24. 45 CFR § 164.306(a).