In this Privacy Tracker series, we look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help you determine how much duplication of operational effort you might avoid as you move toward GDPR compliance and to help you focus your efforts. In this installment, Sean Baird examines the similarities and differences between the requirements of the U.S. Health Insurance Portability and Accountability Act for the collection, use and protection of health information and the GDPR's treatment of "data concerning health" as a category of "sensitive personal data," comparing the scope of information covered, the entities covered and the permissible uses of the covered data.

Protected information

The GDPR covers all personal data, defined as any information relating to a living individual who is identified or identifiable, whether directly or indirectly. This broad definition reaches far beyond the scope of HIPAA, but the GDPR also imposes specific requirements on what it formally calls "special categories of personal data" (Article 9), commonly referred to as sensitive personal data: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data processed to uniquely identify a person, data concerning health, and data concerning a natural person's sex life or sexual orientation. The GDPR's "data concerning health" and HIPAA's "protected health information" are very similar. The GDPR defines data concerning health as personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status (Article 4(15)).

PHI is defined under HIPAA as individually identifiable health information, held or transmitted by a covered entity or its business associate, that relates to an individual's past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present or future payment for that health care. The U.S. Department of Health and Human Services has indicated that PHI includes names, addresses and demographic information if they appear in a context indicating that the individuals named were patients of a health care provider, even if no specific diagnostic or payment information is included.

Covered entities

Previously, under the Data Protection Directive (95/46/EC), EU data protection rules applied to an organization only where it was established within the EU or, if established outside the EU, where it made use of equipment within the EU to process personal data. The GDPR keeps the establishment test (an organization established in the EU is covered regardless of where the processing itself takes place) and extends the rules to organizations established elsewhere to the extent that they process personal data of individuals who are in the EU and either (i) offer goods or services to those individuals, whether or not payment is required, or (ii) monitor their behavior as it takes place within the EU.

HIPAA, on the other hand, is narrowly drawn to regulate covered entities and their business associates. A covered entity is a health care provider that electronically transmits PHI in connection with certain HIPAA-covered transactions (e.g., electronically bills a health plan), a health plan, or a health care clearinghouse. A business associate generally is a person or entity that creates, receives, maintains or transmits PHI on behalf of a covered entity for a function or activity regulated by HIPAA (such as payment activities or health care operations), or that performs certain services for a covered entity (e.g., legal, actuarial, consulting, management or administrative services) in the course of which the covered entity discloses PHI to it. HIPAA most likely does not apply outside the United States: neither the statute nor its regulations address extraterritoriality, and there is no indication that Congress intended HIPAA to apply extraterritorially. HIPAA does apply to covered entities and business associates within the United States, however, including with respect to the PHI of individuals who are not U.S. citizens or residents.

Processing vs. uses and disclosures

Organizations governed by the GDPR may process sensitive personal information only in certain circumstances. The term "process" is extremely broad and covers essentially anything done to or with personal data, including collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying it. HIPAA, by comparison, regulates two narrower operations: covered entities and business associates may "use" or "disclose" PHI only under specified conditions. HIPAA defines use to mean, with respect to PHI, "the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information," and disclosure to mean "the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information." Taken together, use and disclosure cover most of what the GDPR calls processing, but the GDPR term also reaches operations such as storage and erasure that are not themselves uses or disclosures under HIPAA.

HIPAA enumerates many more specific permitted uses and disclosures of PHI, and most of the grounds on which the GDPR permits the processing of sensitive personal data have a rough HIPAA counterpart, as follows:

Consent
GDPR: Permits the processing of health-related personal data with the explicit consent of the data subject, unless EU or member state law provides that the prohibition cannot be lifted by consent. "Explicit consent" is a higher standard than the consent required for other personal data: the individual must be clearly informed of the intended use of their data and must take an affirmative action to signify consent.
HIPAA: Permits the use or disclosure of PHI pursuant to the individual's written authorization, which must contain a number of required elements (such as a description of the information, the persons authorized to make and receive the disclosure, the purpose, an expiration date or event, and the individual's signature).

Carrying out employment, social security or social protection obligations
GDPR: Permits the processing of sensitive personal data where necessary to carry out obligations under employment, social security or social protection law, or under a collective agreement, as authorized by EU or member state law.
HIPAA: Permits the use or disclosure of PHI as authorized by laws relating to workers' compensation, but otherwise generally requires the individual's authorization before PHI may be disclosed to an employer.

Protecting vital interests when the data subject is incapable of giving consent
GDPR: Permits the processing of sensitive personal data, such as health-related personal data, where necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.
HIPAA: Has no direct equivalent, but permits disclosure to an individual's personal representative, who would ordinarily be in a position to protect the individual's vital interests where the individual is incapable of making certain decisions, and separately permits uses and disclosures necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.

Not-for-profit entities
GDPR: Permits processing carried out, with appropriate safeguards, by a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim, provided the processing relates only to members or former members (or to persons who have regular contact with the body in connection with its purposes) and the data are not disclosed to a third party without the data subject's consent.
HIPAA: Has no comparable use or disclosure provision.

Information made public by the data subject
GDPR: Permits the processing of sensitive personal data that the data subject has manifestly made public.
HIPAA: Takes the opposite approach: an individual's own public disclosure of their health information has no effect on the protections HIPAA affords to the PHI held by a covered entity or business associate.

Judicial proceedings
GDPR: Permits processing necessary for the establishment, exercise or defense of legal claims, or whenever courts are acting in their judicial capacity.
HIPAA: Permits the disclosure of PHI in the course of a judicial or administrative proceeding, subject to conditions such as a court order or, for a subpoena or discovery request not accompanied by a court order, satisfactory assurances that the individual has been notified or that a qualified protective order has been sought.

Substantial public interest and uses or disclosures required by law
GDPR: Permits the processing of sensitive personal data necessary for reasons of substantial public interest, on the basis of EU or member state law that is proportionate to the aim pursued, respects the essence of the right to data protection and provides suitable safeguards.
HIPAA: Permits the use or disclosure of PHI to the extent it is required by law, meaning a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law. Uses and disclosures required by law include, but are not limited to, court orders and court-ordered warrants; subpoenas or summonses issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

Medical treatment
GDPR: Permits the processing of sensitive personal data where necessary for the purposes of preventive or occupational medicine, assessing the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, on the basis of EU or member state law or a contract with a health professional, and provided the data are processed by or under the responsibility of a professional bound by an obligation of professional secrecy.
HIPAA: Permits the use or disclosure of PHI for treatment, which includes the provision, coordination or management of health care and related services by one or more health care providers, including coordination or management by a provider with a third party, consultation between providers relating to a patient, and the referral of a patient from one provider to another.

Public health
GDPR: Permits the processing of sensitive personal data necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of EU or member state law providing suitable safeguards.
HIPAA: Permits the use or disclosure of PHI to a public health authority that is legally authorized to collect or receive such information for the purpose of preventing or controlling disease, injury or disability. This includes, for example, the reporting of disease or injury; reporting vital events such as births or deaths; and conducting public health surveillance, investigations or interventions.

Research
GDPR: Permits the processing of sensitive personal data necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, on the basis of EU or member state law that is proportionate, respects the essence of the right to data protection and provides suitable safeguards.
HIPAA: Permits PHI to be used or disclosed for research purposes, but only with the individual's authorization or under an exception such as a waiver or alteration of authorization approved by an institutional review board or privacy board, use of a limited data set under a data use agreement, reviews preparatory to research, or research on decedents' information.

Conclusion

Although the scope of data and entities covered by the GDPR is significantly broader than that covered by HIPAA, organizations that process, use or disclose health information in both the EU and the United States must have a firm understanding of the restrictions each regime places on data concerning health and on the PHI of EU and U.S. residents, and of where those restrictions diverge.

photo credit: MPD01605 EU Flagga via photopin (license)