
What is the correlation between GDPR and HIPAA? 

Both GDPR and HIPAA are regulations that emphasize the protection of data, so organizations need to be aware of them to ensure adherence to compliance requirements.

That means gaining a deeper understanding of their similarities and distinctions. Let us explore the correlation between GDPR and HIPAA.

What is the GDPR (General Data Protection Regulation)? 

The General Data Protection Regulation (GDPR) is a data privacy law enforced by the European Union since 2018 to ensure the security and privacy of the personal data of people in the EU.

It is one of the most comprehensive and complex data protection laws in the world, and it requires organizations subject to it to securely collect, process, store, and transfer personal data.

Some interesting GDPR Facts

(Source – Statista, CMS)

  • Ireland holds the spot for the country with the highest GDPR fine imposed, at EUR 2.8 billion.
  • The cause of most penalties was “non-compliance with general data processing principles of GDPR”, with a whopping total of 2.4 billion.
  • Centric Health paid the highest fine in the healthcare sector to date, EUR 460,000, for failing to implement adequate measures to protect the personal data of 70k people in a ransomware attack.
  • The average fine across all countries was around EUR 2,142,712 (2018-2024).
  • The highest fine imposed on an electric and gas supplier went to Enel Energia, which was penalized with EUR 79 million ($86 million).

What is HIPAA (Health Insurance Portability and Accountability Act)?

HIPAA was passed in 1996 to ensure the security and privacy of health-specific information. It was enacted by the US government as a measure against rising data breaches in the healthcare industry.

It requires organizations to take the requisite measures to secure sensitive Protected Health Information (PHI) and to ensure that it is never disclosed without patient consent.

Some interesting HIPAA Facts

(Source – HIPAA Journal)  

  • The highest number of data breaches leading to HIPAA violations occurred in 2023, with over 745 incidents.
  • Business Associates ranked top in terms of most records breached in 2024, with around 22,917,030 records exposed due to data breaches.
  • Among HIPAA-subject entities, healthcare providers faced the most breaches, with 287 breaches.
  • The average penalty paid for HIPAA violations was $731,900.
  • The highest penalty, $4,750,000, was imposed in 2024 on Montefiore Medical Center.

What is the correlation between GDPR and HIPAA? 

To understand both regulations better, it is essential to be aware of their points of similarity and distinction for smoother compliance management.

The points where GDPR and HIPAA differ 

Origin
  • HIPAA: Implemented by the US government in 1996.
  • GDPR: Implemented by the European Union in 2018.

Scope of data covered
  • HIPAA: Focuses on the security of Protected Health Information, including any data that can be used to identify a patient, that reflects the status of their health or the provision of healthcare services, or that records transactions specific to acquiring such services.
  • GDPR: Focuses on a broad range of personal data, including names, email addresses, postal addresses, etc., and other sensitive data such as biometric data.

Consent
  • HIPAA: There are exceptions to requiring consent. For example, a healthcare provider can disclose information to other healthcare providers for treatment/healthcare purposes.
  • GDPR: Explicit, verifiable consent is a must, along with information on how the data will be used.

Erasure of data
  • HIPAA: Medical records and other sensitive information cannot be erased and are stored forever.
  • GDPR: Data subjects can ask organizations that have stored their data to erase it.

Breach notification
  • HIPAA: A data breach must immediately be notified to authorities, the individuals impacted, and the media through the Office for Civil Rights (OCR) breach reporting tool: within sixty days if the breach involves 500 or more records, and within 12 months if it involves fewer than 500 records.
  • GDPR: The supervisory authority and service providers must be informed within 72 hours regardless of the size of the breach.

Risk assessments
  • HIPAA: All subject entities are required to perform risk assessments annually for the secure processing of Protected Health Information.
  • GDPR: A Data Protection Impact Assessment is only required when a project or process can involve a high risk to people’s personal information.

Penalties
  • HIPAA: Non-compliance can lead to penalties anywhere between $100 and $50,000.
  • GDPR: Non-compliance can lead to fines of $20 million or 4% of global annual income, whichever is higher.

Points of similarity  

Security and Privacy centric  

Both GDPR and HIPAA require subject entities to have a mechanism that tracks changes to data, records who made each change, and reveals whether any unauthorized changes have been made.

Encryption 

Organizations subject to GDPR or HIPAA must take measures to encrypt sensitive data, such as health information, before storing or transmitting it.

Regular training and awareness 

Both regulations emphasize conducting regular training and awareness sessions for staff on data protection best practices and on their roles and responsibilities under each regulation.

Accountability, transparency, and trust 

Entities subject to HIPAA and GDPR that handle sensitive data are held accountable for taking technical and organizational measures to ensure the privacy and security of that data, and they must maintain transparency on how they handle, process, and store it.

Consequence of non-compliance 

Both regulations are strictly enforced; non-compliance with or violation of either regulation’s requirements may result in penalties.
