There are different regulations on how medical data can be processed and stored in different nations. If your company operates in the MedTech sector in the Western world most likely you have at least heard of HIPAA or the GDPR. This article aims at analysing how both legislations relate to healthcare. The article is particularly useful for those looking to extend their business operations to the EU or US for the first time.
What are HIPAA and the GDPR?
HIPAA refers to the Health Insurance Portability and Accountability Act of 1996. HIPAA was enacted to specifically deal with how medical data are shared and processed. Unlike HIPAA the GDPR regulates any information which can lead to the identification of a living person whether it is health-related or not. The GDPR denotes health data as special categories of personal data, commonly referred to as sensitive data. This means that non-consensual processing of health-related data is strictly prohibited unless the processing purposes are related to medical diagnosing, preventative or occupational medicine, provision and management of health or social care or treatment, in accordance with a contract with a medical professional or based on Union or Member State law.
The GDPR defines health data as personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his/her health status (GDPR Art.4). HIPAA denotes protected health information as any data uncovering an agent’s identity in respect to his or her past, future or present physical or mental condition, provision of and payment for the health treatment and services. Both definitions are similar, yet HIPAA also designates financial information of the recipient of the treatment as health data. The GDPR applies to all organizations operating in the EU or offering goods or services to individuals located in the EU territorially no matter of the citizenship. HIPAA, on the other hand, applies to special covered entities within the US, those include healthcare providers, health care clearinghouses and health plan providers.
The key differences between HIPAA and GDPR relevant to MedTech
The principal difference between the regulations is obviously their scope. As previously stated, the GDPR relates to all organizations processing all types of data relating to a person. Furthermore, the GDPR applies to a much broader range of entities. Even if the company is located in the US (or anywhere in the world) and processes data of subjects located in the EU, it must comply with the GDPR. Contrastingly HIPAA only applies to covered entities located in the US.
The right to be forgotten is another aspect specific only to the GDPR. It stipulates that under certain conditions, such as the revoking of previously granted consent or when the data is no longer necessary, the data subject may exercise a right to request a free of charge erasure of his or her personal data. If a company relies on third-party cloud storage services, it should ensure that it is able to locate and erase the data when required. The GDPR is also stricter on data breaches, it only grants 72 hours to report a data breach while HIPAA allows for up to 60 days to report a data breach if more than 500 individuals. If less than 500 people are affected, the data breach may be reported by the final day of reporting each year.
The GDPR also introduced the notion of privacy by design and by default. The concept postulates that when developing new services related to MedTech, or any other sector, involving processing personal data, the company must always consider privacy. HIPAA makes no mention of such a framework for launching new services is present in HIPAA.
Both regulations are compulsory and impose fines for non-compliance. HIPAA fines are mostly around $25.000 per violation, although in the worst case circumstances a company may be fined of up to $1.5 million per year. GDPR opens the door to potentially much larger maximum fines of up to 4% of the annual worldwide turnover.
Do HIPAA and GDPR overlap?
There are some similarities and overlap between HIPAA and the GDPR which is good news for companies required to comply with both regulations. Firstly, both include obligations relating to individuals or entities handling data on behalf of covered entities who control the processing of data. Under HIPAA, those are distinguished as business associates and are required to sign a business associate agreement (BAA), this is similar to the data processors under the GDPR.
Secondly, HIPAA, as is the case with the GDPR, requires companies to ensure safeguards are in place to protect the data collected and stored from unauthorised access and disclosure. Article 32 of the GDPR specifically deals with the obligation of minimising risks of a security breach. Appropriate measures include pseudonymisation and encryption of data, maintenance of ‘ongoing confidentiality, integrity, availability and resilience of processing systems and services’ as well as ‘ability to restore availability and access to data in the event of an accident’. The same article prescribes regularly testing, assessing and evaluating the effectiveness of security measures in place. Furthermore, the entity subject of the GDPR shall ensure all personnel processing data on their behalf adheres to the code of conduct prescribed by the legislation and does not process data except on their instructions.
Parallel obligations of the covered entities can be found under HIPAA’s Security Rule. HIPAA also postulates confidentiality, integrity, and availability of protected health information in electronic form (ePHI). Likewise, covered entities must ensure potential security threats, or unlawful uses or disclosures of ePHI, are considered and addressed. HIPAA also obliges the covered entities to ‘ensure compliance of the workforce’.
Both regulations call for minimisation of data collection and minimisation of data disclosure. Data should be disclosed for research purposes, judicial proceedings, public health interest and if required by law in both legislations.
HIPAA and the GDPR grant data subjects analogous rights. In particular, with a few exceptions, such as access to psychotherapy notes, both regulations grant the data subject the right to access and review a copy of the processed data. Moreover, if the information is inaccurate or incomplete, the data subject has a right to request an amendment of the information.
HIPAA and the GDPR grant data subjects a right to be informed of how and for what purpose their personal data is used and processed, this includes information regarding the recipients or categories of recipient to whom the personal data have been or will be disclosed. The privacy notice must include information on individual rights with respect to their personal information and how those rights may be exercised, and the covered entities obligations as well as the purpose of data usage and processing. Interestingly, both GDPR and HIPAA require the privacy notice to be written in clear and plain language.
HIPAA and GDPR application
Two global trends may be identified with regards to MedTech and data processing. On one hand, there is an evident explosion of consumer health data. Technological advancement has stimulated vast growths in consumer-generated health data. Those can be put to work through data analytics to extract powerful insights. Secondly, as life expectancy increases and larger sections of the population account for senior citizens, the market boom for healthcare is explained by a demand to further digitise and employ analytics to identify the most cost and health effective treatments and insurance plans.
Beyond the similarities and differences outlined earlier, there is a fair amount of divergence in how the two frameworks are implemented. Consider an app developer seeking to re-use healthcare data to extract insights. Under the GDPR, this app developer handles a special category of data and this handling is subject to strict safeguards. However, in the US, the same app developer will not be is not a subject HIPAA and the GDPR -provided they do not process personal data from an EU data subject. That is because HIPAA postulates that only covered entities of healthcare providers and insurers or their business associates are subject to the legislation. In other words, medical data that is collected and processed in a hospital will be subject to HIPAA and considered PHI.
If an individual voluntarily provides his or her health information to a mobile app, which is not connected to healthcare activities of a covered entity (i.e. not a business associate of any covered entity), most likely this falls outside of HIPAAs’ jurisdiction but the app developer remains subject to additional state or federal law. An example of such laws is the FTC Act that generally regulates commercial use of personal data or the Children Online Privacy Protection Act with regards to the use of children’s data. Ultimately, this has an effect on how consent should be extracted to process the data, as well as on the appropriate security and organisational protection measures, regardless of HIPAA.
This article is for information purposes only, and does not constitute or replace legal advice. Seek professional support for any specific questions you may have.