HIPAA VS GDPR
THE HOW, WHAT, AND WHY?
ENTREPRENEUR | CISO ON DEMAND | CYBERFEMINIST | TOP 50 CYBER
INFLUENCER @RESPONSIBLE CYBER
MAGDA LILIA CHELLY
Agenda Overview
• Why, What, How and Whom?
• Why do we need HIPAA/GDPR?
• What is HIPAA vs GDPR?
• What is PHI, PII?
• How does HIPAA vs GDPR help us protect PHI?
• To whom does HIPAA / GDPR apply?
• What are the fines for HIPAA / GDPR non-compliance?
According to the PwC survey, 68 percent of U.S.-based companies expect to spend $1 million to $10 million to meet GDPR requirements. Another 9 percent expect to spend more than $10 million.
Why, What, How, and Whom?
WHY?
Health Insurance
Portability and
Accountability Act
(HIPAA)
Enacted in 1996, HIPAA was introduced to make health insurance coverage portable between jobs, to simplify and standardize electronic health care transactions, and to protect the privacy and security of patient data, including its use in organized research.
WHY?
General Data Protection
Regulation (GDPR)
Adopted in April 2016 and applicable from 25 May 2018, the GDPR replaced the Data Protection Directive 95/46/EC. Its objectives are to harmonize data protection law across the EU, to protect and empower individuals in the EU with regard to their personal data, and to reshape the way organizations approach data privacy.
Why, What, How, and Whom?
What?
HIPAA = Health Insurance Portability and Accountability Act
Compliance with the Privacy Rule has been required since 14 April 2003 (the Security Rule followed in April 2005)
Protects PHI
What?
GDPR = General Data Protection Regulation
Applies since 25 May 2018
Protects the personal data of individuals in the EU, regardless of citizenship
HIPAA—Why, What, How, and Whom?
The HIPAA Security Rule groups its safeguards into:
• Administrative safeguards
• Physical safeguards
• Technical safeguards
The GDPR (Art. 32) asks instead for "appropriate technical and organisational measures" proportionate to the risk, without prescribing a fixed list.
HIPAA—Why, What, How, and Whom?
HIPAA
"The HIPAA Rules apply to covered entities and business associates." Covered entities are "health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA". Business associates are the vendors that create, receive, maintain or transmit PHI on a covered entity's behalf, and the rules reach their subcontractors as well. HIPAA is a U.S. federal law; a vendor outside the United States is bound through its business associate agreement.
GDPR
"Extraterritoriality" (Art. 3)
The GDPR applies NOT ONLY to organizations established in the EU but also to controllers and processors outside the EU that offer goods or services to data subjects in the EU or monitor their behaviour there, regardless of any physical presence in the EU (Art. 3(2)). The test is where the data subjects are, not their citizenship.
"The processing of personal data is designed to serve man; the principles and rules on the protection of individuals with regard to the processing of their personal data should, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably their right to the protection of personal data."
What is Protected Health Information (PHI) vs Personal Data?
HIPAA
PHI = Protected Health Information
Individually identifiable health information, held or transmitted by a covered entity or business associate in any form, that relates to an individual's past, present or future physical or mental health, the care provided, or payment for that care.
GDPR
Personal Data (the GDPR does not use the term "PII")
"Any information relating to an identified or identifiable natural person ('data subject')" (Art. 4(1)). A person is identifiable if they can be identified directly or indirectly, for example by reference to a name, an identification number, location data or an online identifier.
What are the considered elements?
HIPAA: the 18 identifiers of the Safe Harbor de-identification method (45 CFR 164.514(b)(2)); PHI is only "de-identified" once all of them are removed
1. Names
2. Geographic subdivisions smaller than a state (street address, city, county, ZIP code; limited exceptions apply to the first three ZIP digits)
3. Dates directly related to an individual (birth, admission, discharge, death) other than the year, and all ages over 89
4. Telephone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate or license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. URLs
15. IP addresses
16. Biometric identifiers, including finger and voice prints
17. Full-face photographs and comparable images
18. Any other unique identifying number, characteristic or code
GDPR: examples of personal data (Art. 4(1)); items 11 to 13 are "special categories" under Art. 9 and may only be processed under an additional condition
1. Names
2. Identification number
3. Location data
4. Online identifier
5. Any specific identifier related to the physical, physiological, genetic, mental, economic, cultural or social identity of the person
6. Social media posts
7. Photographs
8. Lifestyle preferences
9. Transaction histories
10. IP addresses
11. Racial or ethnic data
12. Political opinions
13. Sexual orientation
The Rules
HIPAA —The Privacy Rule
A set of national standards for the protection of health information.
"The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically."
HIPAA does not define "authorization" as a term; it specifies the elements a valid authorization must contain (45 CFR 164.508).
https://www.hhs.gov/hipaa/for-professionals/privacy/index.html
GDPR — Consent
The GDPR defines "consent" as any "freely given, specific, informed and unambiguous indication of the data subject's . . . agreement to the processing of personal data relating to him or her" (Art. 4(11)).
The Rules: Transparency
HIPAA —The Privacy Rule
Individuals have a right to know a covered entity's privacy practices. A Notice of Privacy Practices (NPP) must be provided that describes how the covered entity may use and disclose PHI and what rights the individual has (45 CFR 164.520).
GDPR — Consent and information
For consent to be informed, the data subject must be aware of, at least, "the identity of the controller and the purposes of the processing for which the personal data are intended" (Recital 42). Independently of consent, Articles 13 and 14 require the controller to provide a fuller set of information when data are collected: identity and contact details, purposes and legal basis, recipients, retention period and the data subject's rights.
The Rules: Rights of Revocation and Withdrawal
HIPAA
The individual may revoke an already-given authorization at any time, in writing (45 CFR 164.508(b)(5)). Exceptions:
• Uses or disclosures made before the revocation is received remain lawful, to the extent the covered entity has already acted in reliance on the authorization
• Where the authorization was obtained as a condition of obtaining insurance coverage and other law gives the insurer the right to contest a claim under the policy
GDPR
The data subject may withdraw consent at any time (Art. 7(3)). Withdrawal does not make processing that took place before it unlawful, but processing based on that consent must stop once it is withdrawn.
• It must be as easy to withdraw consent as it was to give it
Basic Requirements
HIPAA (Security Rule, 45 CFR 164.306(a))
• Ensure the confidentiality, integrity and availability of all e-PHI the entity creates, receives, maintains or transmits
• Protect against reasonably anticipated threats to the security or integrity of that information
• Protect against reasonably anticipated uses or disclosures not permitted by the Privacy Rule
• Ensure compliance by the workforce
GDPR
• Confidentiality, integrity, availability and resilience of the systems that process personal data (Art. 32)
• Data portability (Art. 20)
• Storage limitation: keep personal data no longer than necessary for the purpose (Art. 5(1)(e)); where consent is the legal basis, no longer than that consent stands
• Data protection by design and by default (Art. 25)
• Breach notification to the supervisory authority within 72 hours (Art. 33)
Data Protection Officer (DPO)?
HIPAA
No DPO role, but a covered entity must designate a privacy official responsible for its privacy policies and procedures (45 CFR 164.530(a)) and a security official responsible for the Security Rule safeguards (45 CFR 164.308(a)(2)).
GDPR
A DPO must be appointed in the case of (Art. 37):
(a) public authorities or bodies,
(b) organizations whose core activities consist of large-scale, regular and systematic monitoring of data subjects, or
(c) organizations whose core activities consist of large-scale processing of special categories of data or of data relating to criminal convictions
Privacy vs. Security—What's the difference?
HIPAA
The individual has rights over the USE of his or her PHI in ALL FORMATS: access, amendment, an accounting of disclosures and requests for restrictions. Security is the means of honouring those rights, which means providing CONFIDENTIALITY of PHI in storage and in transit.
GDPR
The individual has rights over the USE, the ERASURE and the TRANSFER of his or her personal data in ALL FORMATS: access, rectification, erasure ("right to be forgotten"), restriction, portability and objection (Arts. 15 to 21).
• Erasure has to reach every copy: in transit, in storage, backups, etc.
If you don’t Need it
Don’t Store it
Consent
HIPAA
A covered entity may voluntarily choose, but is not required, to obtain the individual's consent to use and disclose information about him or her for treatment, payment and health care operations (45 CFR 164.506(b)). Most other uses and disclosures require a written authorization (45 CFR 164.508).
GDPR
Consent is only one of the six lawful bases for processing (Art. 6(1)); processing is lawful only if at least one applies:
(a) the data subject has given consent . . .;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child
Breach Notification
HIPAA (Breach Notification Rule, 45 CFR 164.400 to 164.414)
• Affected individuals must be notified without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach, whatever its size.
• If a breach affects 500 or more individuals, HHS must also be notified within the same 60 days, and prominent media outlets must be notified if 500 or more residents of a state or jurisdiction are affected.
• If a breach affects fewer than 500 individuals, the covered entity logs it and notifies HHS within 60 days of the end of the calendar year in which the breach was discovered.
GDPR
• Article 33 requires notice of a personal data breach to the supervisory authority not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; a notification made after 72 hours must explain the delay.
• Article 34 requires notice to the affected data subjects without undue delay when the breach is likely to result in a high risk to them.
Fines
HIPAA
Civil penalties from $100 to $50,000 per violation, tiered by level of culpability, with a maximum of $1.5 million per year for violations of an identical provision (base amounts set by the HITECH Act; they are adjusted for inflation). Knowing misuse of PHI can also carry criminal penalties.
GDPR
Up to EUR 20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher (Art. 83(5)); a lower tier of EUR 10 million or 2% applies to other infringements (Art. 83(4)).
Marketing
HIPAA
A covered entity may not use or disclose an individual's PHI for marketing without a specific written authorization (45 CFR 164.508(a)(3)); where the covered entity is paid by a third party for the marketing, the authorization must say so.
GDPR
The data subject may object at any time to processing for direct marketing, after which the data may no longer be processed for that purpose (Art. 21(2) and (3)). This right "shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information" (Art. 21(4)). Where marketing relies on consent, the consent request itself must be "clearly distinguishable from the other matters" (Art. 7(2)).
Right To Erasure (Art. 17)
GDPR
The data subject has the right to obtain erasure of personal data without undue delay, for example where the data are no longer necessary for the purpose, where consent is withdrawn, or where the processing was unlawful. The GDPR also requires controllers to establish modalities, including electronic request modalities, that facilitate the exercise of the right to erasure (Recital 59).
Exceptions (Art. 17(3)): erasure does not apply to the extent that processing is necessary:
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation under Union or Member State law, or for a task carried out in the public interest;
(3) for reasons of public interest in the area of public health;
(4) for archiving purposes in the public interest, scientific or historical research or statistical purposes, where erasure would seriously impair those purposes; or
(5) for the establishment, exercise or defence of legal claims.
DISCLAIMER
NOTE: This presentation is not and shall not be considered legal advice.
For further information/details/clarification, visit the following references
View the HIPAA details on:
http://www.hhs.gov/ocr/privacy/hipaa
View the GDPR details on: https://www.eugdpr.org
THANK YOU !
PLEASE FEEL FREE TO ASK QUESTIONS OR SHARE YOUR TIPS