SaaS and cloud providers operating in the healthcare space have to tackle HIPAA compliance. Once that is done, a common question we hear is "how do I stack up when it comes to GDPR?" Why? Because SaaS and cloud-based products operate without geographic boundaries when it comes to acquiring customers.
Even without a dedicated sales team trying to win new business in the EU, self-service free trials and community accounts mean EU users are going to find their way into your tool, and with them come GDPR obligations. Successfully navigating the privacy rights set out by GDPR can be a tall task.
Comparing the Privacy Regulations
Outlined below you can spot some of the key differences between the two privacy requirements.
HIPAA compliance is specifically tied to organizations and people with access to PHI/ePHI (protected health information, and its electronic form).
GDPR extends beyond PHI/ePHI to anyone processing personal data of individuals in the EU (roughly what US frameworks call PII), with stricter rules for "special category" data, which includes health data.
The organization definitions under HIPAA are Covered Entities (health care providers, health plans, and health care clearinghouses) and Business Associates (organizations that create, receive, maintain or transmit PHI on behalf of a covered entity).
GDPR applies to Data Controllers (the entity that determines the purposes for which, and the way in which, personal data is processed) and Data Processors (those processing personal data on behalf of a Data Controller). These are roughly the European analogues of Covered Entities and Business Associates, although a SaaS vendor can be a controller for some data (for example, its own account and billing records) and a processor for other data at the same time.
Under HIPAA's Breach Notification Rule, organizations must notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach. Breaches affecting 500 or more individuals must also be reported to HHS (and, where the individuals are in one state or jurisdiction, to prominent media outlets) within that same window; breaches affecting fewer than 500 individuals can be logged and reported to HHS annually.
GDPR requires organizations to notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach (unless the breach is unlikely to result in a risk to individuals), and to notify the affected individuals without undue delay when the breach is likely to result in a high risk to them.
HIPAA's Privacy Rule covers consent and portability, giving patients the right to access their health information, request amendments to it, obtain copies, and have those copies sent to a third party of their choosing.
GDPR gives data subjects (individuals in the EU, regardless of citizenship) specific data protection rights:
- be informed: privacy policies, cookie policies, terms, consent
- access: no charge access to personal data
- rectification: update personal data
- erasure ("right to be forgotten"): delete personal data and the account on request, subject to exceptions such as data the organization is legally required to retain
- restrict processing: stop using an individual's personal data
- data portability: download data in common format
- object: object to processing (for example, for direct marketing) and withdraw consent previously given
Within HIPAA, there are numerous levels of offense and fines.
- Tier 1: Did not know and could not reasonably have known – $100 to $50,000 per violation, up to $1.5M per year
- Tier 2: Reasonable cause (lack of due diligence) – $1,000 to $50,000 per violation, up to $1.5M per year
- Tier 3: Willful neglect, corrected within 30 days – $10,000 to $50,000 per violation, up to $1.5M per year
- Tier 4: Willful neglect, not corrected – $50,000 per violation, up to $1.5M per year
(These are the base statutory amounts; HHS adjusts them for inflation each year.)
On top of civil fines, individuals who knowingly obtain or disclose PHI also face potential criminal charges:
- Knowingly obtaining or disclosing PHI: up to 1 year in prison and a $50,000 fine
- Under false pretenses: up to 5 years and a $100,000 fine
- With intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm: up to 10 years and a $250,000 fine
GDPR has only two tiers of administrative fines for organizations that are not compliant, but the penalties carry a much larger fiscal weight:
- Lower tier: up to €10 million, or 2% of worldwide annual turnover for the preceding financial year, whichever is higher
- Higher tier: up to €20 million, or 4% of worldwide annual turnover for the preceding financial year, whichever is higher
GDPR requires the appointment of a data protection officer (DPO) for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category data; other organizations may appoint one voluntarily. The DPO is tasked with ensuring that data management and handling comply with GDPR, monitoring compliance internally, and acting as the point of contact for data subjects and the supervisory authority.
HIPAA has a Security Rule that provides high-level requirements and best practices. The Security Rule is not prescriptive in terms of specific controls and implementations, though. Organizations turn to HITRUST because its control framework maps to the HIPAA requirements as well as to other standards.
GDPR requires data protection by design and by default (Article 25) and names encryption and pseudonymization among the security measures it expects organizations to consider (Article 32). The HITRUST CSF also aligns closely with GDPR here: data protection by design and by default means processing and storing only what is needed, deleting data when it is no longer needed, offering plain-language, user-friendly privacy defaults, options, controls and preferences, and building data protection into the product rather than bolting it on afterwards.
There is no official HIPAA certification to display; Covered Entities and Business Associates handling PHI/ePHI are simply required by law to be compliant.
Likewise, GDPR has no officially designated certification. Organizations outside the EU can appoint an EU GDPR Representative (required under Article 27 for many non-EU controllers and processors). The EU-US Privacy Shield framework was formerly used as a transfer mechanism, but it was invalidated by the Court of Justice of the EU in 2020, so it should no longer be relied on for transfers.
HIPAA's Security Rule requires organizations to perform and document a risk analysis and to review it regularly; HHS guidance treats an annual review as the common baseline.
Similarly, GDPR requires a Data Protection Impact Assessment (DPIA) when a type of processing is likely to result in a high risk to data subjects, for example large-scale processing of health data.
More on GDPR Data Breach Notifications
Within 72 Hours
The 72-hour clock starts when the organization becomes aware of the breach, not when it finishes investigating. Within that window an organization must carry out an initial investigation to determine the nature of the breach: who accessed what and when, who carried out the breach, how the data is being used, and which individuals are affected. GDPR allows the notification to be delivered in phases if the full picture is not available within 72 hours, but the initial notification must not be delayed while the investigation continues.
Organizations should assemble a record of what happened, the controls that were in place to prevent a breach, and the investigation steps taken, then draft a containment, mitigation and remediation plan. GDPR also requires that every personal data breach, whether or not it is reported, be documented internally. Lastly, the impacted organization must notify the supervisory authority within 72 hours and the affected individuals without undue delay where the breach poses a high risk to them.
Leverage HITRUST to Align with GDPR
Not Required, But Helpful
For organizations operating in healthcare, HIPAA and HITRUST already go hand in hand. But there is also value for SaaS organizations outside healthcare in considering HITRUST as a supporting framework for enforcing the privacy requirements in GDPR that are not featured or prioritized in ISO 27001 (security-focused), NIST 800-53 (privacy is secondary) or PCI DSS (nothing on privacy).
To be clear, a full HITRUST certification makes little sense for such an organization when you consider the cost and effort. But adopting a subset of its controls and requirements would help your organization align with the GDPR requirements for how personal data is stored, processed and deleted.