HIPAA & GDPR – What’s The Difference?
These are my general thoughts on General Data Protection Regulation (GDPR) and Health Insurance Portability and Accountability Act (HIPAA). It is absolutely not a legal or technical exposé or advice, life’s short enough as it is!
The nuts and bolts are that 10to8 appointment scheduling software handles lots of personal info from around the world. This includes scheduling data from all 28 EU countries (GDPR’s home turf) and Personal Healthcare Information in the US (HIPAA for appointments). So GDPR and HIPAA are core parts of what we do and how we do appointment management.
We discovered that the character of these two regulations is very different, even though they both try to keep people’s data safe. At 10to8 we’ve developed these rules of thumb to help understand the underlying difference between the two.
GDPR is about ownership
People own their data and anyone using it has to always make sure they have that person’s permission to do something with it.
HIPAA is about portability
It lets healthcare providers share data to provide better care. It tells providers how to handle digital healthcare data to make sure it’s accessed, stored and transmitted securely.
HIPAA & GDPR at 10to8
HIPAA tells a business how to share data for the right purpose, but GDPR fundamentally reassigns ownership of that data from the business to its users.
We’ve implemented both at 10to8 and, as a company that takes privacy seriously, GDPR was the more challenging. GDPR, unlike HIPAA, forces a shift in how businesses ‘do’ personal data: it has huge knock-on effects on what you can, cannot and should do. In addition to this, it is much less clear what specific technical steps need to be taken in order to comply.
For HIPAA, the opposite is true: it is very clear what technical steps and policies need to be put in place to become compliant. And a business implementing HIPAA can do so without changing its fundamental philosophy for handling data.
So for us, implementing both, it was clear that GDPR was always going to be the one to do first: get that right and HIPAA is a few more tweaks to an existing process. The other way round and you end up doing everything twice, or not doing either very well.
I’ve found the differences to be similar to my own cultural stereotypes. HIPAA is uniquely American:
“What do you need to get on and do something”
A can-do attitude to not let box-ticking get in the way of providing healthcare. GDPR is more European and centred on individuals’ rights:
“Make sure you protect our citizens’ data”
It tries to make sure that, in the digital age, citizens’ fundamental rights and freedoms are protected. It’s nice to live in a corner of the world where we have both. And it’s nice to say that 10to8 is both GDPR and HIPAA compliant scheduling software.
Please never forget, though: it’s not just about using compliant software, you always have to use it in a compliant way – responsibility for people’s data never ends.