GDPR and HIPAA Compliance – Do They Overlap?
May 29, 2018
GDPR, or the General Data Protection Regulation, has sent companies big and small scrambling since it went into effect on May 25, 2018.[1] While the majority of companies affected are within the EU (European Union), some U.S. organizations must comply with GDPR rules, too. How does another country’s data protection regulation play a role in the United States? This week, we’ll explore what GDPR is, followed by what you need to know about it as a HIPAA Covered Entity or Business Associate.
GDPR is an EU regulation put in place to protect users’ personally identifiable information (PII) and hold businesses to a higher standard when it comes to how they collect, store, and use this data. The ultimate goal of GDPR? It’s to give EU citizens control over their personal data and change the data privacy approach of organizations across the world. PII includes names, email addresses, physical addresses, IP addresses, health information, income, etc. You can read the full text of the regulation here.
Is there a need for a similar law in the US? “There’s no equivalent of the GDPR in the United States, nor is there likely to be one anytime soon. A mosaic of different state and federal rules, some of them vary widely, govern some of the same issues, but there’s no central authority that enforces them.”[2]
After May 25th, 2018, businesses that are not in compliance with GDPR can face substantial fines – up to 4% of a company’s global revenue or €20 million (whichever is greater). While GDPR violations can ultimately result in fines, non-compliance will begin with a warning. Only after continual violations of the law will large fines begin to be handed out.[3]
How GDPR Affects Your Business in the U.S.
Any personal data that is received from individuals currently residing in the EU has to be handled in compliance with the GDPR. This means that if you gather any personal data from a person in the EU, their information is subject to GDPR compliance even if that information never leaves the EU. The good news? Most of you don’t have clients who currently live in the European Union, so GDPR likely doesn’t apply to you. “The law isn’t legally binding in the United States, meaning that people living here don’t have the same recourse as an EU citizen if they believe a company runs afoul of the new law. In some ways, Europe may be doing the job for us since companies above a certain size will be adopting GDPR-friendly practices for all users, not just Europeans.”[2]
GDPR stipulations only apply when personal data is collected from an individual person who is located in an EU country at the time the data is collected. GDPR does not apply to EU citizens who have their data collected while they are outside of the EU.
GDPR actually comes down to where a person is physically located when the information is collected – not the person’s citizenship.
When considering whether GDPR rules apply, the primary determining factor is the location of the individual at the time of data collection.
Here are a few examples of when GDPR applies and when it does not:
❌ GDPR does not apply – An EU citizen is temporarily living in the United States for a 6-month work contract and his PII is breached. GDPR only applies if data is collected while the EU citizen is physically in the EU. Only U.S. laws apply.
✔ GDPR applies – A US citizen traveling in France provides personal information when buying a souvenir. GDPR applies since the person is located within the EU as the purchase takes place.
✔ GDPR applies – A US-based company that has an office in Warsaw asks for email addresses from its EU clients. Organizations based in the EU that collect or process data must comply with GDPR.[4]
GDPR and HIPAA
The biggest similarity between GDPR and HIPAA is that security is at their core. However, the two are hardly the same. GDPR sets standards for all sensitive personal data, while HIPAA deals only with Protected Health Information (PHI). PHI includes any information that can be used to identify a patient, such as a name, address, DOB, bank/credit card details, social security number, photos, and insurance information, when combined with health information. The GDPR, on the other hand, covers any information that can be used to directly or indirectly identify persons when they are in the EU. This information includes race, religion, political affiliations, sexual preferences, biometric or genetic data, and any other information relating to their health. Personal health information protection is the only common denominator.
HIPAA standards are limited to health information held by Covered Entities, such as doctors, employers who offer health benefits, or insurance companies. Business Associates – like shredding companies, IT companies, or transcription services – are also regulated by HIPAA. The GDPR, however, applies to all organizations dealing with personal data.
HIPAA Makes GDPR Compliance Easier
If your organization is already HIPAA compliant, you likely have several technical safeguards in place to protect patient data, bringing you that much closer to complying with GDPR. You’re already controlling access to sensitive data, you have methods for detecting unauthorized changes to PHI, and you encrypt PHI at rest and in transit. Once again, HIPAA compliance proves itself by giving your organization the security it needs to focus on who matters most – your client, patient, or employee.