The General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) are both crucial legal frameworks that oversee the use of personal data and protect individual privacy, but they have a very different scope.
In this article, we’ll explore GDPR vs HIPAA regulations and give you a detailed overview of the most significant differences and overlapping areas data controllers need to understand for their organizations to achieve and maintain compliance.
Key Takeaways
- GDPR applies globally to EU citizens’ data, while HIPAA covers only health information within the U.S.
- Both regulations mandate breach notifications, but GDPR imposes steeper fines than HIPAA.
- While both laws prioritize privacy and control over personal data, GDPR requires stronger individual consent than its counterpart, HIPAA.
What is GDPR?
The General Data Protection Regulation (GDPR) is one of the first comprehensive data privacy frameworks and regulations to come out. It has essentially been the litmus paper for many other data privacy laws since then.
This compliance framework came into effect on May 25, 2018. The EU parliament introduced GDPR to regulate how organizations generally collect, store, share, and handle data and safeguard consumer’s data and privacy.
While the regulation is one of the most broad and comprehensive in its field, the GDPR applies specifically to commercial, non-profit, and public-sector organizations that process the personal data of European Union (EU) and European Economic Area (EAA) residents, regardless of the organization’s location.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) has a much smaller scope than the GDPR. This US law enacted in 1996 limits the use of protected health information (PHI) of covered entities.
A covered entity is a healthcare organization, and it can be:
- Healthcare providers: Doctors, dentists, pharmacies, clinics, hospitals, etc.
- Healthcare clearinghouses: Entities that process non-standard health information they receive from other entities in a standard format, etc.
- Healthcare plans: Company health plans, health insurance companies, etc.
In addition to covered entities, HIPAA applies to any individuals and businesses that provide services related to protected health information to them, including:
- Lawyers,
- Accountants
- Claims processing companies
- Records storage/destruction companies
- And others
7 Main Differences Between GDPR vs HIPAA Compliance
Now that we have a better picture of what each regulation does and who it applies, let’s explore the main differences between GDPR and HIPAA compliance.
These two regulations differ in several areas, including:
- Scope
- Geography
- Regulatory authority
- Consent requirements
- Individual rights
- Data breach notification requirements
- Fines & penalties
We’ll explore each of these differences in detail below.
Unknown block type “table”, specify a component for it in the components.types option
1. Scope
As mentioned, the GDPR is a much broader regulation, and we can see that especially in their scope.
While the GDPR applies to processing ALL personal data by a business, including financial, health, individual, and other, HIPAA only applies to protected health information and electronically protected health information (ePHI) data.
2. Geography
The GDPR, again, applies to any organization that is processing the personal data of EU citizens. The organization doesn’t have to be located in the European Union (it can be anywhere worldwide).
Conversely, HIPAA only applies to organizations handling US citizens’ protected health information and operates within the US.
3. Regulatory Authority
Each EU member state enforces GDPR on its territory through its own data protection authority (DPA). For example, in Germany, this is the Federal Commissioner for Data Protection and Freedom of Information (Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit – BfDI); in France, the National Commission on Informatics and Liberty (Commission Nationale de l’Informatique et des Libertés – CNIL); and so on.
HIPAA, on the other hand, is enforced by the US Department of Health and Human Services Office for Civil Rights (OCR).
4. Consent Requirements
The GDPR has much stricter consent and compliance requirements of the two. It requires explicit and informed consent for the processing of personal data. This consent also needs to be specific.
The regulation allows for the processing of special categories of personal or sensitive data in certain cases without the consumer’s consent.
These cases are explained in detail in Article 9 of the GDPR. Here’s a brief overview:
- When the processing is necessary for exercising specific data controller or individual rights (i.e., employment, social security, etc.)
- When the processing is necessary to protect the vital interest of the data subject or another person
- When the processing relates to the personal data that are already made public by the individual
- When data processing is carried out by a non-profit or foundation, and it specifically relates to its members or former members and personal data is not disclosed outside that organization
- When the processing is required to establish, exercise, or defend the legal claims in court
- When the data processing is of particular public interest
- When the processing is necessary to establish the medical diagnosis, health, and social care, and the assessment of the working capacity of the individual
- When data processing is needed to protect against cross-border threats
- When processing is necessary for archiving purposes in the public interest, scientific, statistical, or historical research purposes.
On the other hand, HIPAA does not always require explicit consent and allows protected health information to be disclosed by covered entities and their partners for health care, treatment, and payment without the previous consent of the individual.
However, in some instances beyond health care, treatment, and payment, HIPAA may require explicit or informed consent from consumers regarding their protected health information.
5. Individual Rights
The GDPR provides eight specific data subject rights:
- Right to be informed
- Right to access data
- Right to rectify and correct data
- Right to object to data processing
- Rights related to automated decision-making and profiling
- Right to be forgotten
- Right to data portability
- Right to restrict processing
Meanwhile, under HIPAA’s Privacy Rule, covered entities must provide individuals access to protected health information about them upon their request. This can be done by inspecting the records the entity is holding or delivering a copy of that record.
This applies to the covered entity itself and any of its partners, as well as to records in paper or electronic form.
6. Data Breach Notification Requirements
The GDPR requires that the organization notifies the DPA of its country and any individuals affected within 72 hours of discovering the data breach.
This GDPR data breach notification should (at a minimum) include the following information:
- The nature of the data breach
- Name and contact information of the data protection officer (DPO) or other person where those interested can get more information about the security incident
- The likely consequences of the breach
- Measures taken or proposed by you as the data controller to address and mitigate the data breach and its effects
HIPAA, in comparison, requires covered entities and partners to inform affected individuals about the breach of their protected health information within 60 days. Where over 500 individuals are affected, the entity must also notify the OCR.
7. Non-compliance Fines & Penalties
Organizations that break the GDPR rules are subject to two types of fines:
- For less severe violations, the fine is up to €10 million or 2% of the company’s global financial turnover for the last year, whichever is higher.
- For more severe violations, the fine is up to €20 million or 4% of the company’s global financial turnover for the last year, whichever is higher.
Regarding HIPAA, non-compliance penalties vary depending on the severity of the violation and whether the violation is intentional or unintentional.
These penalties can range from $100 for minor, unintentional violations and up to $1.5 million for more prominent, deliberate violations.
GDPR vs HIPAA Similarities
Although the GDPR and HIPAA have several differences, they share certain things. Here are a few areas that the GDPR and HIPAA overlap:
1. Privacy by Design and Data Protection Focus
At their core, both regulations are focused on empowering individuals to protect their personal data and privacy held by organizations.
The GDPR also introduces the “privacy by design” concept, which requires data protection to be at the forefront of the company’s IT systems, networked infrastructure, and operations in general.
2. 3rd-Party Data Processors and Business Associates
Both GDPR and HIPAA also regulate how third-party data processors (in GDPR’s case) and business associates (in HIPAA’s case) process personal (GDPR) and protected health information (HIPAA) data.
The regulations provide comprehensive provisions regarding collecting, storing, using, or sharing data they apply to.
3. Data Breach Notification
As we mentioned, both regulations require an organization that experiences a data breach to notify individuals affected by the incident and any relevant authorities (DPA for GDPR and OCR for HIPAA).
FAQs
What is the Difference between HIPAA and GDPR?
These two regulations differ in several areas, including:
- Scope
- Geography
- Regulatory authority
- Consent requirements
- Individual rights
- Data breach requirements
- Fines & penalties
What is the Difference between GDPR and Privacy Shield?
The most significant difference between GDPR and the Privacy Shield is that the General Data Protection Regulation is an exhaustive data privacy framework that regulates the processing of EU citizens’ personal data by commercial, non-profit, and public sector organizations and third-party data processors.
In contrast, the Privacy Shield was a framework created to simplify the transfer of personal data between the EU and the US.
As of July 2020, the Privacy Shield was annulled by the EU’s Court of Justice in the “Schrems Ⅱ” case as the legal basis for data transfers.
How Does GDPR Differ from US Data Privacy Laws?
The critical difference between GDPR and US data privacy laws such as California’s CCPA/CPRA, Colorado’s CPA, or Virginia’s VCDPA is that the EU’s regulation requires explicit consent from consumers for processing their personal data.
On the other hand, US data privacy laws, like those mentioned above, allow for implicit consent, usually inferred from the individual’s lack of objection or actions.
What is the Difference between GDPR and PIPEDA?
The EU’s GDPR and Canada’s PIPEDA both regulate the processing of individuals’ personal data.
However, while the GDPR does this for organizations that handle EU citizen’s data, PIPEDA applies to organizations that do the same for Canadian citizens.
Who Does GDPR Not Cover?
Rather than listing who the GDPR does not cover, it’s much easier to answer who it does cover.
The GDPR applies to any commercial, not-for-profit, and public sector organizations and third-party data processors that handle the personal data of EU citizens.
For example, if a website offers products or services to visitors from the European Union, the GDPR applies to them.
However, if another website does not cater to EU-based customers, GDPR won’t apply to it.
How can Captain Compliance Help You?
GDPR and HIPAA are crucial data privacy regulations in their respective rights, and knowing how to comply with both is a must in today’s business and legal landscape.
Here at Captain Compliance, we have made it our mission to simplify compliance and make it easier for businesses, whether GDPR, HIPAA, or other regulations.