The European Union’s General Data Protection Regulation (GDPR) finally went into effect on May 25. While the development of the policy was largely initiated to reel in the power massive tech companies have had over users’ personal information, this new law affects all companies, including health organizations, that store and process the personal data of its constituents.
GDPR is even more stringent than HIPAA (Health Insurance Portability and Accountability Act of 1996); any health organization that handles the data of E.U. citizens, even those organizations that are based in the U.S. and are HIPAA-compliant, must adjust their privacy infrastructure to comply.
Here are some of the ways GDPR differs from HIPAA:
1. The scope of the data and entities covered by GDPR is significantly broader than that of HIPAA.
GDPR is a consumer-centric regulation, meaning any organization across the world is liable to adhere to it if and when they handle data belonging to citizens of the European Union. On the other hand, HIPAA is an organization-centric regulation, so any data handled by firms outside of the U.S. do not come under the purview of the Act. In other words, HIPAA is restricted to American citizens and firms.
Furthermore, while GDPR applies to all companies that store and process personal data (i.e. companies like Google and Facebook too, not just healthcare providers, payers, life sciences, and digital health companies), HIPAA only applies to healthcare organizations.
2. Under GDPR, it is mandatory for healthcare service providers to deploy adequate security, encryption, pseudonymization, redundancy, and intrusion detection mechanisms in order to ensure that patient data is not compromised in any way.
So what happens if data is compromised? Organizations have only 72 hours to notify their users of any information or privacy breach. HIPAA allows its constituents 60 days.
3. GDPR requires businesses to gain explicit, affirmative consent from E.U. citizens to collect their personal data.
Healthcare organizations must draft clear and concise consent forms that outline the data that is being collected and provide clear place for E.U. patients to opt in or opt out of data sharing and/or collection. The language in these forms must be simple and easy to understand, which means fine print consent are now prohibited.
There is no such requirement from HIPAA; healthcare organizations are free to process patient data as long as they are stored and transmitted with adequate security.
4. GDPR requires consent from consumers before sharing their personal data with third-parties.
Diversely, under HIPAA, healthcare organizations may disclose a “limited data set” to third party agencies for marketing purposes as the Act does not explicitly prohibit healthcare organizations from letting third party agencies to send out marketing messages to patients without consent.
5. GDPR states that all data must be erased immediately and permanently once a patient revokes their consent.
This right to erasure clause does not exist in HIPAA; healthcare service provides are permitted to hold onto patient data as long as they see fit, regardless of whether or not they have patients’ consent.
RegDesk is a Smart Regulatory Intelligence Platform that provides synthesized global regulations through a central platform, multiple expert opinions to your most critical regulatory questions and real-time alerts on regulatory changes. RegDesk is a trusted source of regulatory intelligence for global medical device companies. Contact us at firstname.lastname@example.org to obtain actionable insights.