HIPAA and GDPR: How Do They Differ?

The General Data Protection Regulation (GDPR) is a set of European Union (EU) laws that provides EU citizens with greater control over their personal data (any information that is related to an identified or identifiable natural person, or subject). The GDPR regulates the way organizations collect, store, and transmit the personal data of EU citizens and residents. HIPAA and GDPR are different in a number of aspects. The differences are discussed below.

What Information is Protected Under the GDPR?

Under the GDPR, personal data is any information that is related to an identified or identifiable natural person, or data subject. A data subject is any person whose personal data is being collected, held, or processed. Personal data can be anything from names and home addresses to social media posts.

Data subjects are identifiable if they can be directly or indirectly identified. Names, identification numbers, and location data all constitute “personal data.” In addition, personal data includes:

  • Telephone numbers
  • Credit card numbers
  • Addresses
  • License plate numbers
  • Customer numbers

Characteristics that express the physical, physiological, genetic, mental, commercial, cultural, or social identity of a natural person are also regarded as “personal data.”

Differences Between HIPAA and GDPR: Personal Data Portability

One major difference between HIPAA and GDPR lies in how each law treats the issue of data portability:

HIPAA

HIPAA and GDPR differ with respect to the concept of data portability. There is no right to “personal PHI portability” under HIPAA (the word “portability” in the phrase “Health Insurance Portability and Accountability Act” refers to portability of health insurance, not portability of protected health information). Under the HIPAA Privacy Rule, however, covered entities must provide individuals with the information to which they are entitled under the right of access, which generally requires that providers give individuals copies of their PHI that are held in designated record sets.

Indeed, covered entities may deny any number of specific PHI requests. An individual’s request to access PHI may be denied – without such denial being subject to review or appeal – when:

  • The request is for psychotherapy notes.
  • The request is for information compiled in reasonable anticipation of litigation.
    • Note that the request must be for information compiled in “reasonable anticipation” of litigation, not mere “anticipation of litigation.” Providers cannot deny requests for PHI simply because there is a possibility of a lawsuit involving PHI. “Reasonable anticipation” of litigation arises when a covered entity is on notice of a credible probability that it will become involved in litigation, seriously contemplates initiating litigation, or when it takes specific actions to commence litigation.
  • The request is for information compiled for use in a legal proceeding.
  • An inmate requests a copy of their PHI held by a covered entity that is a correctional institution, or healthcare provider acting under the direction of the institution, and providing the copy would:
    • Jeopardize the health, safety, security, custody, or rehabilitation of the inmate or other inmates, or the safety of correctional officers, employees, or other persons at the institution or responsible for transporting the inmate.
    • Note, however, that in the above instances, the inmate still retains the right to inspect his or her PHI. The inmate is not entitled to exercise the other portion of the right of access – that is, the right, upon request, to receive copies of the PHI.
  • The requested PHI is in a designated record set that is part of a research study that includes treatment (i.e., clinical trial) and is still in progress.
    • For access to be denied, the individual must have agreed to the temporary suspension of access when consenting to participate in the research. The individual’s right of access is reinstated upon completion of the research.
  • The requested PHI is contained in records protected by the federal Privacy Act (i.e., certain records under the control of a federal agency, which may be maintained by the agency itself or by a contractor to the agency), and denial of access is consistent with the requirements of the Act.
  • The requested PHI was obtained from someone other than a healthcare provider (e.g., a family member of the individual) under a promise of confidentiality, and providing access to the information would be reasonably likely to reveal the source of the information.

GDPR

The GDPR right to data portability grants EU citizens a broad right to acquire and use their own personal data. Under this right, individuals may transfer, duplicate, or physically move their personal data file among different IT environments. Individuals may do this through the use of a data portability service, which lets data file owners view, access, and download their files to their desktops, laptops, and mobile devices, safely and securely.

Under the right to data portability, individuals may use the information contained in their personal data file for a variety of purposes, such as seeking employment or monitoring their own finances. In the banking industry, for example, an individual may request his or her personal data file in order to investigate his or her spending habits, improve his or her investing, and make informed financial decisions.

Individuals who want their personal data moved must make a formal request in writing. The transfer of the file itself must occur electronically.

Differences Between HIPAA and GDPR: The Right to Be Informed About How Data Is Used, Collected, and Disclosed

One major difference between HIPAA and GDPR lies in how each law requires individuals to be informed about how their personal information is used, disclosed, and collected.

HIPAA

The HIPAA Privacy Rule requires that covered entities inform individuals about certain uses or disclosures of PHI, through a Notice of Privacy Practices.

What Information Must the Notice of Privacy Practices Contain?

Under HIPAA regulations, covered entities are required to provide individuals with a Notice of Privacy Practices in plain language that contains:

  • The following statement, as a header, or otherwise prominently displayed: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”
  • A description of how PHI can be used for treatment, payment, and healthcare operations.
  • A description of the types of PHI uses and disclosures requiring patient authorization.
  • A description of the circumstances in which the covered entity may use or disclose PHI without written authorization.
    • A covered entity may use or disclose PHI without authorization for a number of purposes. Examples include public health and health oversight activities, and judicial proceedings.
  • The name, title, and phone number of a person or office to contact for further information or questions about the notice.
  • The date on which the notice is first in effect.
  • A statement that an individual may revoke an authorization.

GDPR

The General Data Protection Regulation (GDPR) gives individuals a right to be informed about the collection and use of their personal data.

Under the GDPR, a data controller is a person (or business) who determines the purposes for which, and the way in which, personal data is processed. The GDPR imposes certain obligations on data controllers. The obligations turn upon whether personal data is directly obtained from a data subject.

When personal data is obtained directly from the data subject, the subject of the data must be informed immediately – at the time data is obtained. The data controller must inform the data subject of the identity of the data controller, and provide the data subject with the contact data of the Data Protection Officer (the GDPR equivalent, essentially, of a HIPAA Privacy Officer), at the time the data is obtained.

The controller must also inform the data subject of the purposes for which the data is being processed; who the recipients of the data are; and whether the company collecting the personal data intends to transfer that data to third countries.

If personal data is not obtained directly from the data subject, he or she must be provided the information within a reasonable period of time. In cases where the gathered information is used to directly contact the data subject, he or she has the right to be informed immediately upon being approached. Here, the controller has to provide the same specific information as if the personal data had been directly obtained from the data subject. In addition, the controller must inform the data subject as to what sources the personal data originated from, and whether the personal data was publicly available. The data subject has a right to be informed in a precise, transparent, comprehensible and easily accessible form.

The GDPR, as can be seen from the above, grants individuals a much broader right to be informed about how their information can be and is used, collected, and disclosed, than HIPAA does.

Differences Between HIPAA and GDPR: Consent

One major difference between HIPAA and GDPR lies in how each law treats the issue of consent:

HIPAA

HIPAA permits a number of PHI uses and disclosures without patient authorization. For example, under HIPAA, providers may disclose PHI to another provider for treatment activities, without having to secure patient consent first. The concept of “treatment” under the HIPAA Privacy Rule is rather broad; “treatment” is generously defined as the provision, coordination, or management of healthcare and related services, by one or more providers.

In addition, providers may use or disclose PHI as necessary for healthcare operations and for purposes of treatment. Furthermore, under HIPAA, marketing activities are permitted under several circumstances. For example, a communication does not require an authorization, even if it is marketing, if it is in the form of a face-to-face communication made by a covered entity to an individual, or a promotional gift of nominal value provided by the covered entity.

GDPR

The GDPR is more stringent than HIPAA in regards to the issue of consent. Under the GDPR, EU citizens or residents must expressly consent for any personal data interaction that falls outside of direct patient care. Equally significantly, EU citizens or residents must give their express consent to opt into any communication, whether it be through phone, email, direct mail, or other advertising methods.

Differences Between HIPAA and GDPR: Treatment of Data Breaches

One major difference between HIPAA and GDPR lies in how each law treats the issue of data breaches.

HIPAA

Under the HIPAA Breach Notification Rule, covered entities and business associates are required to notify affected individuals if unsecured PHI is breached.

If more than 500 individuals are affected, notification must be provided to the Department of Health and Human Services’ Office for Civil Rights (OCR), as well as all individuals affected, within 60 days. For smaller breaches, notification must be given to OCR and those affected by the final day of reporting each year — March 1 of the following year (i.e., if there is a breach affecting 300 people on Nov. 1, 2019, you must notify by March 1, 2020).

GDPR

GDPR imposes considerably more stringent data breach requirements.

In the case of a personal data breach, a data controller (an entity that determines the purposes and means of processing personal data) must, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to what the GDPR refers to as a “competent supervisory authority.”

This notification must be made unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Under the GDPR, where the notification to the supervisory authority is not made within 72 hours, the notification must contain the reasons for the delay.