Data privacy and protection are at the core of the EU and UK General Data Protection Regulations (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) in the United States. These regulations require appropriate measures to ensure the security and integrity of data. However, there are significant differences, and businesses shouldn’t assume that they will automatically meet the GDPR compliance requirements if they already comply with HIPAA.
Data continues to shape the life sciences industry from research and development through post-market approval activities. Consequently, multiple highly regulated data protection and privacy considerations exist throughout a pharmaceutical drug or medical device’s lifecycle.
This article explores at a high level the similarities and differences between the principles underlying the processing and protection of personal data under the GDPR and HIPAA.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is the key health data protection legislation in the United States. HIPAA is an industry-specific federal law that came into force in 1996. It requires covered entities (healthcare providers, health insurance companies, etc.) and business associates (covered entities’ vendors) to implement administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of Protected Health Information (PHI). PHI is any information regarding health status, provision of healthcare, or healthcare payment. The regulation also established breach notification requirements and penalties for non-compliance.
HIPAA consists of a Security Rule, a Privacy Rule and a Breach Notification Rule. The Privacy Rule establishes requirements around legal uses and disclosure of PHI, the Security Rule outlines requirements for protecting PHI, and the Breach Notification Rule sets out what to do in the case of a data breach.
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was adopted and further strengthened HIPAA by implementing steeper fines for non-compliance and stricter breach notification requirements. Also, business associates became responsible and accountable for complying with the regulation.
In 2013, HIPAA was amended to include some new provisions from the HITECH Act. This regulation further restricted the sale of PHI and expanded patients’ rights to access their data.
Who needs to comply with HIPAA?
Any business that collects, stores, processes or shares PHI must comply with HIPAA. In most cases, pharmaceutical and biotech companies are not directly regulated by HIPAA, although there are exceptions. More typically, life sciences businesses are indirectly impacted by HIPAA in their clinical research activities through their interactions with providers, vendors, patients, and others with HIPAA compliance obligations or HIPAA-granted rights.
If a US pharmaceutical or biotech company complies with HIPAA, are they automatically GDPR compliant?
In short, no.
The good news is that as your organisation is already HIPAA compliant, you will have several technical and organisational measures in place. These will help you in your journey towards complying with GDPR and, to some extent, avoid duplication of operational effort. However, we must stress that demonstrating GDPR compliance is no small task and should be firmly embedded in the early planning stages for clinical trials in Europe and not left to the last minute.
GDPR
Unlike HIPAA, a healthcare law with a narrow scope, the EU and UK GDPR are data protection laws designed to protect the personal data of EU or UK residents, meaning ANY information capable of directly or indirectly identifying an individual.
The GDPR also has more stringent requirements for the processing of special category (sensitive) data, defined as personal data revealing or concerning:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data
- a person’s health
- a person’s sex life
- a person’s sexual orientation.
When does the GDPR apply to US companies?
Any organisation that collects, processes or stores the personal data of EU citizens or residents, regardless of the business location, must comply with the GDPR to safeguard the rights and freedoms of the data subjects. If you are unsure about your GDPR compliance position, working with a GDPR consultancy service can help you navigate the regulation and optimise your security controls to meet the required standards.
Talk to us about your data processing activities in the UK or EU
Is there a US GDPR?
There is no overarching federal data privacy legislation. There are only national laws that regulate the use of data in specific industries. For example, HIPAA (healthcare), Gramm-Leach-Bliley Act (financial), Children’s Online Privacy Protection Act (online companies) and The US Privacy Act (US government agencies). However, some US states have attempted to provide greater transparency around the use of personal data and more rigorous protection for individuals within their jurisdiction.
California, for example, passed the California Consumer Privacy Act (CCPA) in 2018 and updated it with the California Privacy Rights Act of 2020. Like the GDPR, California regulations enable the state’s residents to control their personal information. Including the right to know what information is collected, sold or shared and the right to deny the sale of personal information.
Similarly, Virginia enacted the Consumer Data Protection Act in March 2021. Its provisions draw heavily from California’s Consumer Privacy Act. And more recently, Colorado approved the Colorado Privacy Act, drawing from the GDPR and the California and Virginia laws. Following close behind are the Connecticut Data Privacy Act and Utah Consumer Privacy Act, both effective in 2023. Now more than a half dozen additional states have data protection and privacy legislation in development.
US businesses that operate nationwide or across state lines must comply with a range of mandates, some of which may contradict each other.
GDPR and HIPAA frequently asked questions:
- What kind of personal information is protected?
HIPAA Privacy Rule enforces the secure processing of patients’ protected health information (PHI) – anything that contains personal identifiers, from your name to your home address.
GDPR protects the personal data of EU or UK residents, meaning ANY information capable of directly or indirectly identifying an individual. GDPR has more stringent requirements for processing special category (sensitive) data, such as health data. - How do HIPAA and the GDPR differ concerning disclosure and consent?
HIPAA’s Privacy Rule allows the collection, processing, disclosure and storage of PHI without patient consent for treatment, securing payment and in connection with the operations of a healthcare provider.
For all other purposes, you must obtain explicit consent from the patient.
GDPR requires you to identify ALL data processing activities and, for each activity, establish a legal basis for data processing. Consent is just one of the legal bases you can use to justify collecting, handling and storing personal data.
Explicit consent is mandatory for the processing of sensitive personal data. - What is GDPR’s right to be forgotten?
HIPAA does not grant this right.
GDPR gives individuals the right to be forgotten (or to have their data deleted upon request). However, it’s not an absolute right. Exceptions include processing personal data for purposes directly related to health or scientific research. - What should an organisation do in the case of a data security breach?
HIPAA requires organisations to protect PHI and limit disclosure. Covered entities must notify affected individuals of security breaches.
If 500 or more people (records) are affected, the company must inform both data subjects and the Department of Health and Human Services (HSS) within 60 days.
GDPR states organisations must take appropriate measures to ensure the security and integrity of data. Companies must notify affected persons of data security breaches and must report all breaches to your designated GDPR regulator within 72 hours. - What is the cost of non-compliance?
HIPAA has a 4-tier approach to fines for non-compliance based on the perceived level of negligence of the organisation. These tiered fines can reach $1.5 million a year. In addition to monetary penalties, is the threat of criminal charges and even jail time.
GDPR allows the data protection authorities in each country to issue sanctions and fines. The maximum penalty is 4% of the company’s global revenue or €20 million, whichever is higher. Data protection authorities can also issue sanctions, such as bans on data processing or public reprimands.
- How long can data be stored?
HIPAA requires clinical records to be retained for at least 6 years. There is no limit on how long data can be kept.
GDPR states data should be stored for the shortest time possible, considering why your company/organisation needs to process the data, as well as any legal obligations to keep the data for a fixed period.
Are you a US pharma company seeking clinical trial approval in Europe or the United Kingdom? How can you comply with the GDPR?
It takes a significant amount of time to understand the GDPR and how to demonstrate compliance, especially if this is the first time you’ve had to do it.
There is no one-size-fits-all approach to GDPR compliance, as companies have different people, working processes and technologies. You must apply the GDPR in the context of your pharma or biotech business and the personal data that you collect, use, and store. A GDPR compliance checklist, for example, can only go so far.
We at Pharma Data Protection understand pharma working practices, clinical trials and data protection and have supported numerous US companies as they navigate GDPR compliance requirements.
We know the regulations inside-out and partner with you to pragmatically apply every aspect of the GDPR to your working practices – making it work for you. Pharma Data Protection do the heavy lifting, supporting you through each stage of compliance as you make the necessary changes to policies and procedures, secure in the knowledge that you are reinforcing the privacy and security of your personal data, thus reducing risks to your business and data subjects while meeting the requirements of the UK or EU GDPR.
Talk to us about GDPR requirements in the US