Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
International: GDPR v. HIPAA - Comparing and contrasting two important data protection regimes
The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') are two of the most important data protection regimes in place today. The former is a comprehensive data protection regime that applies generally to any information relating to an identified or identifiable natural person and the wide variety of organisations that collect and process the personal data of individuals in the EEA. In contrast, HIPAA is a much narrower US-based regime that only applies to protected health information ('PHI') and certain specified healthcare entities.
Christiana State and Brandon C. Ge, from Crowell & Moring LLP, explore key differences and similarities between the two jurisdictions' approaches to data protection with regard to health-related data.
Background
Adopted by the EU in May 2016, the GDPR was intended to harmonise data protection rules in the EU by creating a single set of data protection rules to replace the patchwork of similar, but different national laws in the various EU Member States. The GDPR, which took effect in May 2018 and was later incorporated into the Agreement on the European Economic Area to make it applicable throughout the EEA, is a comprehensive law that applies to organisations that collect or process the personal data of individuals in the EEA. While the GDPR has heightened restrictions on collecting, using, and disclosing health data and other types of sensitive personal data, it is generally applicable to all types of personal data and organisations.
The framework we know as HIPAA today originated with a statute passed by Congress in 1996. The statutory text, however, does not contain much in the way of detailed privacy or security requirements. Instead, the U.S. Congress called upon the U.S. Department of Health and Human Services ('HHS') to promulgate detailed regulations for protecting health information. The HHS began to do so in the early 2000s, resulting in the HIPAA Privacy Rule and the HIPAA Security Rule. In 2009, Congress passed the Health Information Technology for Economic and Clinical Health Act of 2009 ('HITECH Act'), which amended HIPAA, resulting in amended regulations and the HIPAA Breach Notification Rule.
Comparing the GDPR with HIPAA
The GDPR and HIPAA represent two different approaches to data protection with regard to the scope and nature of the data they protect. The former employs a comprehensive approach that applies broadly to personal data and the organisations that collect and process personal data. In contrast, the US currently has a sector-specific approach, employing a fragmented patchwork of constitutional protections, federal and state statutes, regulations, and the common law of torts to protect personal information. At the time of writing, federal bills in the US, such as the American Data Privacy and Protection Act ('ADPPA'), have been proposed, but not passed.
As HIPAA demonstrates, data protection regimes in the US tend to target only specific sectors and types of personal information, generally those considered to be the most sensitive and at risk, such as health information, financial information, telephone and electronic communications, and information about children. As such, HIPAA focuses on PHI and applies specifically to a narrow set of entities that process PHI, specifically health plans, healthcare clearinghouses, and most health care providers (collectively, 'covered entities') and their business associates.
Another key difference lies in the GDPR's extraterritorial reach. Unlike HIPAA, the GDPR applies to organisations that collect or process the personal data of individuals in the EEA, regardless of whether the organisation has a physical presence in the countries that are part of the EEA. In contrast, HIPAA does not expressly provide for extraterritorial reach, and thus far the HHS has not taken enforcement action against a foreign-based entity for a HIPAA violation.
Despite these key differences, the two data protection regimes have many similarities, including:
- permitting the use of health data only in enumerated situations;
- categorising entities subject to the regime;
- employing a risk-based approach to security;
- granting certain individual rights;
- imposing a minimum necessary requirement;
- allowing anonymisation or de-identification;
- requiring the designation of a responsible official; and
- requiring notification in the event of a data breach.
Permissible use of data
With regard to special categories of data, which includes health data, the GDPR only permits processing in specific cases, including (but not limited to):
- where the data subject has given explicit consent;
- where the processing is necessary to fulfil obligations or exercise rights under employment, social security, or social protection law;
- where the processing is necessary to protect a person's vital interests; and
- where the processing is necessary to the establishment, exercise, or defence of legal claims (Article 9 of the GDPR).
Similarly, HIPAA generally requires an individual's written authorisation to use or disclose the individual's PHI except in limited circumstances1. For example, covered entities are generally permitted to use or disclose PHI for their treatment, payment, and healthcare operations activities2. HIPAA also provides various other exceptions, such as disclosures to public health authorities for public health activities3.
Types of covered entities
The GDPR employs the concept of controllers and processors where the former are typically organisations that direct the processing of personal data and the latter generally refer to service providers that process personal data on behalf of a controller (Article 4 of the GDPR). Controllers must execute data processing agreements with their processors that define the scope of processing personal data and lay out requirements for such processing (Article 28 of the GDPR).
In a similar vein, HIPAA applies to covered entities - health plans, healthcare clearinghouses, and most healthcare providers - and their business associates, which are generally service providers that create, receive, maintain, or transmit PHI in performing a service for a covered entity4. In addition, HIPAA requires covered entities to sign business associate agreements with their business associates that define the permissible uses and disclosures of PHI and impose other requirements on the business associate5.
Risk-based approach to security
Both regimes employ a risk-based approach to security and allow covered organisations to determine the safeguards that are appropriate in their environment to ensure an appropriate level of security risk. The GDPR provides that controllers and processors should consider 'the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons' when determining what security measures to implement (Article 32 of the GDPR).
Similarly, the HIPAA Security Rule is intended to be a technology-neutral, scalable, and flexible framework to allow different entities to implement the required standards and protect the confidentiality, integrity, and availability of electronic PHI in a manner appropriate for their circumstances6.
Individual rights
Both the GDPR and HIPAA grant various rights to individuals, many of which are similar.
Right to be informed
The GDPR grants the right to receive detailed information about the collection and use of their personal data (Article 13 of the GDPR).
Similarly, individuals have a right under HIPAA to receive a Notice of Privacy Practices that outlines how the covered entity uses and discloses their PHI7. In addition, under HIPAA, individuals have a right to an accounting of their disclosures, under which a covered entity must, upon request, provide the requesting individual a list of certain disclosures of their PHI made within the last six years8.
Right of access
The GDPR provides the right to obtain confirmation from a controller as to whether the data subject's personal data is processed and, if so, a right to access the personal data stored by the controller (Article 15 of the GDPR).
Likewise, HIPAA grants individuals a right to access their own PHI maintained by a covered entity9.
Right to rectification
The GDPR grants the right to rectify, or update, one's personal data to ensure its accuracy (Article 16 of the GDPR).
Similarly, HIPAA grants individuals the right to amend their PHI10.
Right to restriction of processing and right to object
The GDPR grants the right to restrict and object to the processing of their personal data (Article 18 of the GDPR).
Similarly, HIPAA permits individuals to request a restriction on certain uses and disclosures of their PHI, though covered entities generally are not required to agree to the restriction except in limited circumstances11.
Minimum necessary
Under the GDPR, processing of personal data must be 'adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed' (Article 5 of the GDPR).
Similarly, HIPAA has a minimum necessary rule under which covered entities and business associates must make reasonable efforts to limit requests, uses, and disclosures of PHI to the minimum necessary to accomplish the intended purpose of the request, use, or disclosure12.
De-identification
The GDPR provides for anonymisation, meaning the process of rendering personal data anonymous in such a way that the data subject is no longer identifiable. When personal data is properly anonymised, it is no longer personal data subject to the GDPR (Recital 26 of the GDPR). True anonymisation is a high bar to meet as it must not be possible to identify the data subject for data to be properly anonymised13. However, the GDPR does not provide express instructions for how to anonymise personal data.
In a similar fashion, HIPAA permits the de-identification of PHI, and the resulting information no longer constitutes PHI subject to HIPAA. In contrast to the GDPR, HIPAA expressly provides two methods for de-identifying PHI: the Safe Harbor Method and the Expert Determination Method.
Under the Safe Harbor Method, 18 specified identifiers must be removed14. In addition, the covered entity (or business associate) must have no actual knowledge that the information could be used alone or in combination with other information to identify the individual who is the subject of the information.
Under the Expert Determination Method, someone with 'appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable' must, by applying such principles and methods, determine that the risk is 'very small' that the information could be used (alone or in combination with other reasonably available information) by an anticipated recipient to identify the individual15.
Responsible official
The GDPR requires controllers and processors to designate a data protection officer ('DPO') to assist in monitoring compliance, providing advice on data protection obligations, and acting as a central point of contact for data protection issues (Articles 37, 38, and 39 of the GDPR).
Likewise, the HIPAA Privacy Rule requires covered entities to designate a privacy official responsible for development and implementing the covered entity's privacy policies and procedures16. Generally, the privacy official acts as a central contact for privacy-related issues and questions and the person responsible for receiving complaints about the covered entity's HIPAA Privacy Rule compliance. The HIPAA Security Rule also requires covered entities and business associates to designate a security official who is responsible for developing and implementing the organisation's security policies and procedures17.
Breach notification
The GDPR requires controllers to report breaches of personal data to the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Article 33 of the GDPR). The breach notice must contain certain information, such as the nature of the breach, the number of affected data subjects, the number of affected data records, contact information for the DPO or other contact person, a description of likely consequences, and a description of measures taken to mitigate harm. In addition, controllers are required to notify affected data subjects if a breach of personal data is 'likely to result in a high risk to the rights and freedoms of natural persons' (Article 34 of the GDPR). Notification is not required for breaches of encrypted personal data. A processor must notify the relevant controller after becoming aware of a personal data breach.
HIPAA's breach notification requirements mirror these in many respects. HIPAA requires covered entities to notify HHS of breaches of PHI within 60 days of discovery for breaches that affect 500 or more individuals and within 60 days after the end of the calendar year for breaches that affect fewer than 500 individuals18. Such reports must contain similar types of information as those required in a controller's notice to the competent supervisory authority19. In addition, covered entities are required to notify affected individuals20. While there is no risk threshold per se, covered entities are permitted to conduct a breach risk assessment to determine whether there is a low probability of compromise21. If there is a low probability of compromise based on the risk assessment, then the event is not considered a breach and no notification is required. Similar to the GDPR, HIPAA does not require notification where the breach only involves encrypted PHI. Also similar to the GDPR, business associates are required to notify the relevant covered entity after discovering a breach of PHI22.
Christiana State Senior Counsel
[email protected]
Brandon C. Ge Counsel
[email protected]
Crowell & Moring LLP, Washington, D.C.
1. 45 C.F.R. § 164.502(a).
2. Ibid.
3. 45 C.F.R. § 164.512(b).
4. 45 C.F.R. § 164.502.
5. 45 C.F.R. § 164.504(e).
6. 45 C.F.R. § 164.306.
7. 45 C.F.R. § 164.520.
8. 45 C.F.R. § 164.528.
9. 45 C.F.R. § 164.524.
10. 45 C.F.R. § 164.526.
11. 45 C.F.R. § 164.522.
12. 45 C.F.R. § 164.502(b).
13. See Article 29 Data Protection Working Party, Opinion 4/2007 on the Concept of Personal Data at: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf
14. 45 C.F.R. § 164.514(b)(2).
15. 45 C.F.R. § 164.514(b)(1).
16. 45 C.F.R. § 164.530(a).
17. 45 C.F.R. § 164.308(a)(2).
18. 45 C.F.R. § 164.408.
19. Ibid.
20. 45 C.F.R. § 164.404.
21. 45 C.F.R. § 164.402.
22. 45 C.F.R. § 164.410.