Simultaneous HIPAA and GDPR compliance

The European General Data Protection Regulation (GDPR), a comprehensive privacy regulation governing data on EU residents, went into effect in 2018.   US-based organizations serving the healthcare industry, and who handle data of European Union residents may have to comply with GDPR and HIPAA simultaneously. Our comprehensive and customizable HIPAA and GDPR policy templates help you comply with both. Find out here if GDPR applies to you.

HIPAA vs. GDPR

Both HIPAA and GDPR regulate data protection and confidentiality. If you are a US-based organization and comply with HIPAA, you are on your way to complying with GDPR as the requirements overlap.  Here is a partial list highlighting of the similarities and differences:

• HIPAA regulates entities that process health information for U.S. individuals; GDPR regulates entities who process virtually any personally identifiable information for EU residents
• Both empower individuals with a set of privacy rights which overlap.  GDPR has rights not included in HIPAA, such as the “right to be forgotten” and the right for explicit consent prior to storing any information electronically
• HIPAA’s framework regarding sharing information with third-parties is the Covered Entity – Business Associate framework.  GDPR uses a “Controller” – “Processor” framework.  They are not entirely analogous.
• HIPAA establishes permitted “uses and disclosures” for health information.  GDPR requires “lawfulness” of processing and includes a different set of criteria that define the legality of processing data.
• HIPAA’s Security regulation prescribes a relatively detailed set of 45 “implementation specifications” to ensure the confidentiality, integrity and availability of  electronic data.  GDPR also requires confidentiality, integrity and availability of electronic data, but defers to other authoritative standards for the details.
• GDPR requires that organizations be able to “demonstrate” compliance which implies a periodic audit, which could be either an internal audit or third-party audit.  HIPAA has no such requirement.
• Both are similar in that they require significant interpretation and are often ambiguous.

Like HIPAA, GDPR penalties are steep. According to GDPR Article 83, the maximum penalty for a GDPR violation is either €20,000,000  or 4% of worldwide revenue, whichever is higher!

Our philosophy at Eagle Consulting is to simplify compliance and to avoid overlapping and duplicative policy manuals. Instead of adopting an overlapping GDPR manual to use alongside your HIPAA manual, our HIPAA and GDPR policy templates simultaneously comply with both HIPAA and GDPR. This will eliminate the time-consuming need to review two separate policies and be easier for your staff to follow.

Eagle’s HIPAA and GDPR policy templates are now available via our policy store.  They are a cost-savings option compared to starting from scratch.  Using these policies can save many thousands of dollars.

Final Notes

• These policy templates are designed for service providers who provide cloud or hosted information systems, data analytics services, or other similar services to US and EU healthcare organizations.
• Most organizations will require some customization of these policies.  If you do not want to customize these policy templates yourself, we also offer GDPR policy customization services along with other GDPR services.