Most data managers and business decision makers recognize that GDPR and HIPAA both regulate data privacy and protect customer information from misuse and unauthorized access. And by this point, most of those responsible for company data decisions recognize that HIPAA is a long-standing rule often associated with medical information and the GDPR is relatively new and addresses general privacy for online customers and media subscribers.
But lately, many data managers are finding gaps in their understanding of how these two sets of rules differ. GDPR does, in fact, carry specific implications for healthcare providers. Any provider that interacts with or accepts data from any EU citizen must comply with the following restrictions:
Patient consent can no longer be assumed or accepted by default. Data consent must be explicit and traceable.
Patient data must be deleted permanently upon request. This is part of the “right to be forgotten” and it can pose a special challenge to those who manage medical histories.
High security and expanded storage are required of healthcare providers. To provide adequate security, encryption, redundancy, and intrusion detection, healthcare providers may need to expand their data platforms and storage in expensive ways.
Is HIPAA more strict than the GDPR?
Some healthcare data managers are relying on the difference in stringency between the two policies and assuming that HIPAA (which has been in effect for many years) covers everything required by the GDPR. In other words, if the organization or practice is already HIPAA compliant, not much needs to be done to comply with the new law. But keep in mind that while HIPAA is organization-centric, the GDPR is patient-centric. HIPAA requires adequate data protection in data centers and locations inside the US, and so it does not extend to a US patient who receives healthcare treatment in a third country (like India). But the GDPR travels with the patient, so if a patient covered by the law receives treatment in a third country, their data must still be protected during transmission and storage.
Third-party marketers
In order to send out information or target marketing messages to patients, providers sometimes grant access to patient information to third-party companies that handle the transaction (like marketing agencies or email managers). This isn’t a serious problem under HIPAA, which does not explicitly crack down on data sharing and transmission for this purpose, as long as the data doesn’t include direct identifiers like name, address, IP address, or photos.
GDPR, on the other hand, holds the third party explicitly responsible for all the provisions of the law and all requirements for patient consent.
Contact our office for more on the differences and similarities between these two sets of provisions, and how these differences may impact your business as a health care provider or partner.