SaaS and cloud-providers operating in the healthcare space have to tackle HIPAA compliance. Once you've done that, a common question we hear is "how do I stack up when it comes to GDPR." Why? Because SaaS and Cloud-based products operate without boundaries when it comes to acquiring customers.
Even without a dedicated sales teams trying to win new business in the EU, self-service free trials and community accounts means users are going to find their way into your tool. Successfully navigating the right to privacy requirements set out by GDPR can be a tall task.
Comparing the Privacy Regulations
Outlined below you can spot some of the key differences between the two privacy requirements.
Data Scope
HIPAA
HIPAA compliance is very specifically tied to people with access to PHI/ePHI.
GDPR
GDPR extends beyond just PHI/ePHI to people with access to PII (personally identifiable information) and special category information.
Organization Definitions
HIPAA
The organization definitions under HIPAA include Covered Entities (health care providers, health plans, and health care clearinghouses) and Business Associates (people carrying out work on behalf of a covered entity.
GDPR
GDPR applies to Data Controllers (the entity who determines the purposes for which, and the way in which, personal data is processed) and Data Processors (those acting on the behalf of the Data Controller). These are essentially European equivalents to Covered Entities and Business Associates.
Breach Notifications
HIPAA
Under HIPAA regulations, organizations are required to notify the public of a breach within 60 days. Should there be fewer than 500 individuals impacted, notification can occur annually.
GDPR
GDPR requires organizations to disclose a data breach within 72 hours of the breach being discovered.
Privacy
HIPAA
HIPAA privacy is covered under consent and portability, giving patients the right to access, update and move their healthcare information.
GDPR
GDPR gives EU citizens specific data protection rights to:
- be informed: privacy policies, cookie policies, terms, consent
- access: no charge access to personal data
- rectification: update personal data
- erasure: "to be forgotten": delete data and account (unless technically infeasible i.e. data logs)
- restrict processing: stop using an individual's personal data
- data portability: download data in common format
- object: consent revoke
Fines
HIPAA
Within HIPAA, there are numerous levels of offense and fines.
- Tier 1: Lack of awareness – $100 to $50,000 per violation, up to $1.5M per year
- Tier 2: Lack of due diligence – $1,000 to $50,000 per violation, up to $1.5M per year
- Tier 3: Willful neglect – $10,000 to $50,000 per violation, up to $1.5M per year
- Tier 4: Willful neglect with no effort to correct – $50,000 per violation, up to $1.5M per year
On top of fines, organizations and individuals involved also face potential criminal charges:
- Unknowingly or with Reasonable Cause: up to 1 year
- False Pretenses: up to 5 years and $100,000 fine
- Fraud: up to 10 years and $250,000 fine
GDPR
GDPR has only two levels of penalties for organizations that are not compliance, but the penalties carry a much larger fiscal weight.
- Lower Level:Up to ‚¬10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher
- Higher Level: Up to ‚¬20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher
Required Roles
HIPAA
HIPAA regulations require a Privacy Officer to oversee the creation and maintain a HIPAA-Compliant privacy policy and a Security Officer to to oversee the creation and maintain security policies and procedures that enable the enforcement of the privacy policy
GDPR
GDPR requires the appointment of a data protection officer (DPO). This person is tasked with ensuring that data management and handling are compliant GDPR. This responsibility includes enforcing the regulations of the GDPR and making contact with a data subject should that be required by law.
Security
HIPAA
HIPAA has a security rule that provides high-level guidance and best practices. The HIPAA security rule is not scripted in terms of controls and implementations, though. Organizations turn to HITRUST because they find that the security framework aligns with HIPAA Compliance Requirements, as well as others.
GDPR
GDPR requires data protection by design and data protection by default, which include specific notes around encryption. The HITRUST Cybersecurity Framework also aligns very closely with GDPR, including data protection by design and by default promotes only processing and storing what's needed, deleting data when no longer needed, a plain language, user-friendly privacy defaults, options, controls, preferences and baked-in data protection.
Certification
HIPAA
Organizations handling PHI/ePHI as well as Covered Entities and Business Associates are required by law to be HIPAA compliant, so there are no certifications to display.
GDPR
While there are no officially designated certification, organizations can adopt the Privacy Shield requirements and/or an EU GDPR Representative.
Assessments
HIPAA
Organizations must complete an annual risk assessment in order to be HIPAA compliant.
GDPR
Similarly, GDRP requires a Data Protection Impact Assessment (DPIA) when data processing is likely to result in a high risk to data subjects.
More on GDPR Data Breach Notifications
Within 72 Hours
Within 72 hours after discovery of a data breach, an organization must carry out a thorough investigation to determine the nature of the breach. The goal is to answer the questions: who accessed what and when, who are those that carried out the breach, how is the data being used and who are the impacted individuals.
Organizations should put together a record of the work that has been done and the assets put in place to prevent a breach, then draft a comprehensive containment, mitigation and remediation plan. Lastly, the impacted organization needs to notify authorities within 72 hours and the affected individuals without undue delay.
Leverage HITRUST to Align with GDPR
Not Required, But Helpful
For organizations operating in healthcare, HIPAA and HITRUST go hand in hand enough on their own. But there is value for SaaS organizations not operating in healthcare to consider HITRUST as a supportive framework for enforcing the privacy requirements in GDPR that are not featured or prioritized in ISO 27001 (Security-focused), NIST 800-53 (Privacy is secondary) or PCI (nothing on privacy).
To be clear, a complete HITRUST certification makes little sense when you consider the costs and efforts. But adopting some of the controls and requirements would help your organization align with the GDPR privacy requirements of how data is stored, processed and deleted.
