HIPAA & GDPR Overview

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by The Health Information Technology for Economic and Clinical Health (HITECH) Act, protects the privacy and security of individual health information used, transmitted, and retained for the provision and payment of health care services. This information is known as protected health information (PHI).

HIPAA applies to all health insurance plans and health care billing clearinghouses, and to health care providers (such as hospitals, physicians, and clinics) that bill insurers electronically. These entities are collectively called “HIPAA Covered Entities”. HIPAA also applies to third parties such as attorneys, consultants, auditors, and other service providers (“Business Associates”) who access a Covered Entity’s PHI to provide services.

How is PHI defined

HIPAA defines PHI as any health information that is created, received, or maintained by a HIPAA covered entity whether in print, orally, or electronically, that:

1. includes “individual identifiers” that identify an individual (or has components that could be used to identify the individual); and
2. is related to a past, present, or future physical or mental health condition, or the provision of, or payment for health care or genetic information.

PHI includes virtually any information from an individual’s medical records, records of payment for medical services made by or on behalf of a person (including insurance claims and reimbursements), or information provided to a health care provider about an individual’s physical or mental health or condition that identifies or can be used to identify the individual.

General Data Protection Regulation (GDPR) in the EU

The General Data Protection Regulation (GDPR) came into effect in 2018, and its primary purpose is to create one coherent data protection framework across the EU. GDPR substantially enhances data protection and privacy rights for persons in the EU. It imposes a comprehensive set of principles and obligations with which a lot of organizations operating or offering products and services in the EU must comply.

GDPR is one of the highest standards of privacy and data protection in the world and will provide EU Data Protection Authorities (DPAs) the ability to regulate and bring enforcement against companies across the globe.

Applicability

• GDPR applies to every company that collects personal data from EU data subjects, regardless of where the company is established
• It applies to data processors as well as data controllers
• It applies to companies that offer goods or services in the EU, regardless of whether payment is required, or monitor the behavior of EU residents
• Broad Personal Data Definition – “any information that directly or indirectly can be related to an identified or identifiable natural person”

One of the biggest and most impactful changes of the GDPR is the extraterritorial regulatory oversight and enforcement reach that it gives the EU regulators the authority to regulate and bring enforcement actions against any company that handles personal data (employee/consumer/business contact) of EU residents regardless of where that company is headquartered or where the data is processed.

Useful definitions

• Personal data could be anything from a name, a photo, an email address, a computer IP address, or patient information. Data processing could be anything from obtaining, recording, or holding the data, or carrying out any actions with it.
• Under GDPR, 'data controller' means the organization “which [...] determines the purposes and means of the processing of personal data”.
• 'Data processor' means the organization “which processes personal data on behalf of the controller”.