I dive into the HIPAA weeds on a daily basis, and am sometimes asked about similarities and differences between HIPAA and the European Union’s General Data Protection Regulation (GDPR). Fox colleague Nate Williams provoked me to think more about this topic. Nate took a close look at key definitions and provisions in these privacy laws to examine how they compare in an excellent article published by OneTrust DataGuidance.
A key difference between the laws is the breadth of their applicability. GDPR applies to almost anyone who handles data that identifies or can be used to identify an individual. Yet HIPAA is more limited — it HIPAA applies only to covered entities (generally, health plans and health care providers) and their business associates and subcontractors and their handling of health-related data that identifies or can be used to identify an individual.
To make the analysis more of an apples-to-apples comparison, Nate focuses on GDPR’s requirements related to “data concerning health.” Despite differences in scope and breadth, both laws are based on very similar underlying principles. Some examples: the lawfulness and fairness of collection and retention; the protection of individual rights (authorization, restriction, and data access); the transparency of purpose and use; the obligation to minimize data collected, used, disclosed, and maintained; and the responsibility for data accuracy, integrity, and confidentiality.
These principles should be considered by any entity collecting individually identifiable information, regardless of applicability of HIPAA and/or GDPR.