GDPR and HIPAA: What are the key differences?

by Philip Robinson
01.02.2018   Compliance

The GDPR is a new EU regulation that is due to come into force on May 25, 2018. It has turned into a hot topic in the healthcare industry as service providers prepare to meet the compliance challenge. The United States’ Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a regulation that was developed to protect the privacy and security of sensitive medical information.

There are several key differences between the GDPR and HIPAA. The first is that the GDPR has a much broader scope than HIPAA, in that it is designed to set standards for all sensitive personal data, including the data processed and stored by healthcare service providers. The scope of HIPAA, however, is limited to protected health information (PHI). PHI includes any information that can be used to identify a patient, such as a name, address, date of birth, bank/credit card details, social security number, photos and insurance information. The GDPR, on the other hand, covers any information that can be used to directly or indirectly identify EU citizens, such as information relating to their race, religion, political affiliations, sexual preferences, biometric or genetic data, and any other information relating to their health. Data relating to a person’s health is where HIPAA and the GDPR overlap.

HIPAA includes standards that deal with the exchange of PHI between covered entities such as doctors, insurance companies, and third-party business associates such as billing companies and attorneys. The GDPR, however, applies to all organisations that deal with personal data belonging to EU citizens – including any organisations that monitor or offer goods or services to EU citizens.

If your organisation is already compliant with HIPAA, then you’re probably in a good position to comply with the GDPR. For example, you will likely have technical safeguards in place such as methods for controlling access to sensitive data, methods for detecting unauthorised changes to PHI, tools for encrypting and decrypting PHI at rest or in transit, and a function which automatically logs off users after a given period of inactivity. If, on the other hand, you do not have such safeguards in place, you will need to ramp up your software arsenal. Sophisticated auditing solutions such as LepideAuditor provide many of the tools necessary for both GDPR and HIPAA compliance. For example, LepideAuditor enables you to easily monitor access permissions, including how they were granted and when they change. It enables you to detect suspicious file and folder activity, track privileged mailbox access, detect and manage inactive user accounts, and help ensure that passwords are rotated regularly.

Finally, LepideAuditor provides an advanced reporting console which offers over 300 pre-set reports. It would take a long time and would require a highly skilled technician to create reports from the native event logs generated by Windows Event Viewer. The ability to automatically create reports that identify important system changes will make the process of complying with both HIPAA and GDPR much easier.
