HIPAA versus GDPR

SaaS and cloud providers operating in the healthcare space have to tackle HIPAA compliance. Once that is done, a common question we hear is "How do I stack up when it comes to GDPR?" Why? Because SaaS and cloud-based products operate without boundaries when it comes to acquiring customers.

Even without a dedicated sales team trying to win new business in the EU, self-service free trials and community accounts mean users are going to find their way into your tool. Successfully navigating the right-to-privacy requirements set out by GDPR can be a tall task.

Comparing the Privacy Regulations

Outlined below you can spot some of the key differences between the two privacy requirements.

Data Scope

HIPAA
HIPAA compliance is very specifically tied to people with access to PHI/ePHI.

GDPR
GDPR extends beyond just PHI/ePHI to people with access to PII (personally identifiable information) and special category information.

Organization Definitions

HIPAA
The organization definitions under HIPAA include Covered Entities (health care providers, health plans, and health care clearinghouses) and Business Associates (people carrying out work on behalf of a covered entity).

GDPR
GDPR applies to Data Controllers (the entity who determines the purposes for which, and the way in which, personal data is processed) and Data Processors (those acting on the behalf of the Data Controller). These are essentially European equivalents to Covered Entities and Business Associates.

Breach Notifications

HIPAA
Under HIPAA regulations, organizations are required to notify the public of a breach within 60 days. Should there be fewer than 500 individuals impacted, notification can occur annually.

GDPR
GDPR requires organizations to disclose a data breach within 72 hours of the breach being discovered.

Privacy

HIPAA
HIPAA privacy is covered under consent and portability, giving patients the right to access, update and move their healthcare information.

GDPR
GDPR gives EU citizens specific data protection rights to:

  • be informed: privacy policies, cookie policies, terms, consent
  • access: no charge access to personal data
  • rectification: update personal data
  • erasure: "to be forgotten": delete data and account (unless technically infeasible i.e. data logs)
  • restrict processing: stop using an individual's personal data
  • data portability: download data in common format
  • object: revoke consent

Fines

HIPAA
Within HIPAA, there are numerous levels of offense and fines.

  • Tier 1: Lack of awareness – $100 to $50,000 per violation, up to $1.5M per year
  • Tier 2: Lack of due diligence – $1,000 to $50,000 per violation, up to $1.5M per year
  • Tier 3: Willful neglect – $10,000 to $50,000 per violation, up to $1.5M per year
  • Tier 4: Willful neglect with no effort to correct – $50,000 per violation, up to $1.5M per year

On top of fines, organizations and individuals involved also face potential criminal charges:

  • Unknowingly or with Reasonable Cause: up to 1 year
  • False Pretenses: up to 5 years and $100,000 fine
  • Fraud: up to 10 years and $250,000 fine

GDPR
GDPR has only two levels of penalties for organizations that are not compliant, but the penalties carry a much larger fiscal weight.

  • Lower Level: Up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher
  • Higher Level: Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher

Required Roles

HIPAA
HIPAA regulations require a Privacy Officer to oversee the creation and maintenance of a HIPAA-compliant privacy policy, and a Security Officer to oversee the creation and maintenance of security policies and procedures that enable the enforcement of the privacy policy.

GDPR
GDPR requires the appointment of a data protection officer (DPO). This person is tasked with ensuring that data management and handling are compliant with GDPR. This responsibility includes enforcing the regulations of the GDPR and making contact with a data subject should that be required by law.

Security

HIPAA
HIPAA has a security rule that provides high-level guidance and best practices. The HIPAA security rule is not scripted in terms of controls and implementations, though. Organizations turn to HITRUST because they find that the security framework aligns with HIPAA Compliance Requirements, as well as others.

GDPR
GDPR requires data protection by design and data protection by default, which include specific notes around encryption. The HITRUST Cybersecurity Framework also aligns very closely with GDPR, including data protection by design and by default, which promotes processing and storing only what's needed, deleting data when it is no longer needed, plain-language, user-friendly privacy defaults, options, controls and preferences, and baked-in data protection.

Certification

HIPAA
Organizations handling PHI/ePHI as well as Covered Entities and Business Associates are required by law to be HIPAA compliant, so there are no certifications to display.

GDPR
While there is no officially designated certification, organizations can adopt the Privacy Shield requirements and/or an EU GDPR Representative.

Assessments

HIPAA
Organizations must complete an annual risk assessment in order to be HIPAA compliant.

GDPR
Similarly, GDPR requires a Data Protection Impact Assessment (DPIA) when data processing is likely to result in a high risk to data subjects.

More on GDPR Data Breach Notifications

Within 72 Hours

Within 72 hours after discovery of a data breach, an organization must carry out a thorough investigation to determine the nature of the breach. The goal is to answer the questions: who accessed what and when, who are those that carried out the breach, how is the data being used and who are the impacted individuals.

Organizations should put together a record of the work that has been done and the assets put in place to prevent a breach, then draft a comprehensive containment, mitigation and remediation plan. Lastly, the impacted organization needs to notify authorities within 72 hours and the affected individuals without undue delay.

Leverage HITRUST to Align with GDPR

Not Required, But Helpful

For organizations operating in healthcare, HIPAA and HITRUST go hand in hand enough on their own. But there is value for SaaS organizations not operating in healthcare to consider HITRUST as a supportive framework for enforcing the privacy requirements in GDPR that are not featured or prioritized in ISO 27001 (Security-focused), NIST 800-53 (Privacy is secondary) or PCI (nothing on privacy).

To be clear, a complete HITRUST certification makes little sense when you consider the costs and efforts. But adopting some of the controls and requirements would help your organization align with the GDPR privacy requirements of how data is stored, processed and deleted.

JupiterOne Team

The JupiterOne Team is a diverse set of engineers and developers who are working on the next generation of cyber asset visibility and monitoring.
