BY BRAD LAWRENCE, SENIOR MANAGER
This will definitely date me, but one of the first consulting engagements I led was helping a prominent healthcare system in the Denver area prepare for Y2K, the year 2000. The millennium bug seemed primarily a financial-industry issue, but there was also concern that biomedical devices might fail as their internal clocks rolled over from “99” to “00”.
Once the Y2K scare was behind us, I shifted my focus to Electronic Medical Records (EMRs); providers were starting to move away from paper charts and this seemed to be an area with great opportunity. This of course meant navigating U.S. laws around Protected Health Information (PHI), and the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
As the years progressed, adoption of EMRs grew rapidly; today, two decades later, paper charts are considered archaic. Encouraged by legislation such as the HITECH Act of 2009 and the phased introduction of Meaningful Use from 2011 through 2014, the healthcare industry continued to innovate. Health Information Exchange and Population Health Management platforms designed to improve clinical decision making and outcomes have become prevalent.
Years later, I found myself working at Sendero, taking on more of a generalist role in management consulting, learning what working in other industries is like, and doing so in the local market. Within weeks of joining, that is exactly what happened: a Dallas-based oil and gas company that Sendero had recently helped with an acquisition and international expansion reached out to us for additional help.
The initial request was to drive a Salesforce implementation, for which I quickly assembled a team and took the reins. Shortly after, the client realized that as a result of the expansion, the company now had employees and clients located in the European Union (EU). With this new presence in the EU, the company needed guidance on achieving compliance with the General Data Protection Regulation (GDPR), which was soon to be enforced. GDPR is a single EU regulation that protects the personal data of individuals in the EU (the regulation’s term is “data subjects”; it applies regardless of the person’s nationality) and is broader than the U.S. notion of Personally Identifiable Information (PII). It was February of 2018, and the regulation would become enforceable on May 25, so an aggressive plan was needed. Sendero was asked to help on this front as well.
Our team quickly researched best practices for achieving compliance, then assembled a governance platform composed of HR, IT, and Legal resources. Though GDPR was new to me, as I learned more I began to recognize the many similarities between GDPR and HIPAA. It also occurred to me that there may be scenarios where an organization needs to comply with both.
While there are many similarities between GDPR and HIPAA, there are three key differentiators to note:
Data Privacy, Protection, and Security
The focus of HIPAA is on PHI and how covered entities (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically) store and maintain a patient’s PHI within their systems and facilities. Another area of focus is how covered entities share that information securely with the vendors that handle PHI on their behalf, which HIPAA calls business associates.
GDPR is much broader than health and protects any personal data of individuals in the EU, not just health data. Its reach is also broader: it applies to organizations established in the EU, and to organizations outside the EU that offer goods or services to, or monitor the behavior of, people in the EU (Article 3). A U.S. company with EU employees or customers is therefore in scope even if it has no EU office.
GDPR Requires Explicit Consent
Reflect on the last time you went to see a new doctor. You will recall that during the registration process you were asked to sign a HIPAA form. That form is an acknowledgment that you received the practice’s Notice of Privacy Practices, which explains how your information will be used for treatment, payment, and healthcare operations. You may have downloaded it from the practice’s website in advance and brought it with you, or been asked to review and sign it in real time.
Both HIPAA and GDPR are concerned with the patient’s or individual’s permission, but they set very different bars. Under HIPAA, a covered entity may use and disclose PHI for treatment, payment, and healthcare operations without the patient’s written authorization, which is why a physician can consult with another provider about your care without asking you first. A signed authorization is required only for uses outside those purposes, such as marketing or the sale of PHI.
GDPR, by contrast, treats consent as one of six lawful bases for processing (Article 6), and where consent is the basis it must be freely given, specific, informed, and unambiguous, and as easy to withdraw as it was to give. For special categories of data, including health data, the bar rises to “explicit consent” unless one of the narrow Article 9 exceptions applies (for example, processing by a health professional for the provision of care). A pre-checked box or a notice buried in a registration packet does not qualify, so the HIPAA acknowledgment form cannot simply be repurposed. Likewise, GDPR gives individuals the right to request erasure of their data (Article 17). That right is not absolute; a business may retain data it is legally obliged to keep or needs for legal claims, but to be GDPR compliant it must be able to locate every copy of an individual’s data across its systems and backups, remove it, and demonstrate that it did so within the required timeframe.
Breach Reporting & Timing
With HIPAA, if there is a breach of unsecured PHI, the covered entity must notify the affected individuals without unreasonable delay and no later than 60 calendar days after discovering the breach. If more than 500 individuals are affected, the breach must also be reported to the Department of Health and Human Services’ Office for Civil Rights (HHS OCR) in the same timeframe, and prominent media outlets in the affected state must be notified. If the breach affects fewer than 500 individuals, it is logged and reported to HHS annually, within 60 days after the end of the calendar year in which it was discovered. HIPAA applies these obligations to covered entities as well as their business associates, who must in turn notify the covered entity of breaches they discover.
With GDPR, on the other hand, the reporting timeline to the relevant supervisory authority is much tighter: notification is due without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach (Article 33), unless the breach is unlikely to result in a risk to individuals. When the breach is likely to result in a high risk, the affected individuals must also be notified without undue delay (Article 34), and processors must report breaches to the controller without undue delay. With the tightened timeframe, companies operating in the EU or handling the personal data of people in the EU must have detection, triage, and escalation processes that can produce a defensible report to the authority within three days, including a documented justification if the notification is late.
With both HIPAA and GDPR, there are significant financial penalties to consider: GDPR fines can reach €20 million or 4% of worldwide annual turnover, whichever is higher, and HIPAA imposes tiered civil money penalties that scale with the organization’s level of culpability. Beyond the regulatory aspects, both are about protecting the PHI or personal data of patients, employees, and other stakeholders, so reputational damage should be considered as well.
All in all, having exposure to both HIPAA and GDPR left me with a key takeaway: if a business already has the security and mechanisms in place to adhere to HIPAA regulation, the journey to becoming GDPR compliant will be significantly shorter.