GDPR and HIPAA for Digital Health Apps: Why It Matters, and How to Fast-Track Your Route to Compliance
Regardless of whether your company is based in the European Union (EU), if you hold or process personal data of European citizens, you must comply with the General Data Protection Regulation (GDPR).
The regulation, which has been in effect in the EU since May 2018, is aimed at strengthening both data privacy and data security, and gives EU citizens more rights over how their data can be used. GDPR also addresses the transfer of personal data outside the EU and the European Economic Area (EEA).
Accordingly, if your digital health app and/or medical device collects personal data from individuals in the EU, you need to ensure GDPR compliance.
What is the Difference Between HIPAA and GDPR?
HIPAA (the Health Insurance Portability and Accountability Act, passed in the US in 1996) considerably predates GDPR, but GDPR has a much broader focus and legal implications. Businesses whose operations comply with HIPAA cannot assume compliance with GDPR, and the reverse holds as well. Security is at the core of both regulations, but there are distinct differences between them.
For example, HIPAA standards apply only to ‘covered entities’, such as healthcare and insurance plan providers, and their business associates, for example IT providers or transcription services.
Furthermore, HIPAA only concerns PHI (Protected Health Information), which includes any personal health information that can potentially identify an individual, and which was created, used, or disclosed in the course of providing healthcare services.
GDPR, by comparison, applies not only to PHI but to any information that can be used to directly or indirectly identify people in the EU, for example information pertaining to political, cultural, or religious group affiliation. In addition, GDPR applies to all organisations holding or processing personal data, regardless of sector.
Explicit Consent Required for Data Processing
Explicit consent is mandatory under GDPR for the processing of personal health data (which is categorised as sensitive data). Article 9 of GDPR asserts a comprehensive scope, with limited exceptions.
In contrast, HIPAA is less restrictive, allowing for the disclosure of personal data without patient consent for treatment purposes, securing payment, and in connection with the operations of a healthcare provider.
GDPR requires that you identify ALL data processing activities, not just disclosure. This includes, for example, data storage and transfer within an organisation. A legal basis must be established for each and every activity.
The Right to Be Forgotten
HIPAA, along with most data privacy and security regulations, sets out the right of patients to receive copies of their own PHI held by the organisation. GDPR goes a step further to assure the rights of data subjects to be forgotten.
The timeframes around these procedures are explicit, and therefore need to be specifically addressed within the system design in order to ensure compliance. This is but one element, as system compliance requirements also extend to theft or misuse, intended or unintended disclosure or breach, and the erasure or disposal of records.
You must have procedures and mechanisms in place to receive and reliably manage these process tasks. In the event of a request to be forgotten (i.e. for the deletion of personal information), it must be possible to validate the request, delete the information, and confirm that it is no longer held anywhere in the system.
Mandatory Data Protection Impact Assessments
Under GDPR it is not enough simply to have the systems in place to meet the regulatory requirements; you must also be able to demonstrate that you have the necessary capabilities to fulfil the regulations.
GDPR specifies job roles, such as the data protection officer (DPO) and data controller, as well as staff training. In addition, Article 35 of GDPR mandates an impact assessment covering all aspects of the collection, storage, processing, and management of personal data, including risk assessment and mitigation measures.
Pseudonymization and Separate Data Storage
Pseudonymization is a critical strategy for preserving data privacy in compliance with HIPAA and GDPR.
Pseudonymization is defined within GDPR (Article 4(3b)) as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organizational measures to ensure non-attribution to an identified or identifiable individual.”
Note that under GDPR, even with the identifying fields removed, the data is still considered personal data, and de-identification and pseudonymization do not replace the other data protection measures that apply to it.
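As an added illustration of the separate-storage pattern this section describes, and of the validate-erase-verify mechanism the right-to-be-forgotten section above calls for, the following example (written for this page, not Extra Horizon's platform code) keeps direct identifiers and the pseudonym mapping in one store and clinical records, keyed only by a random pseudonym, in another. The class and function names (`IdentityVault`, `HealthStore`, `erase_subject`), the HMAC-keyed e-mail index used to find a subject's pseudonym, and the in-memory dictionaries standing in for two separately protected databases are all assumptions of the example.

```python
"""Pseudonymised health records with a separate identity vault, plus an
erasure routine for right-to-be-forgotten requests.

Illustrative example only; the two-store split, the keyed e-mail index and
the post-erasure reference audit are design assumptions, not a vendor API.
"""
import hashlib
import hmac
import secrets
from typing import Optional


class IdentityVault:
    """Direct identifiers and the pseudonym mapping (GDPR's 'additional
    information'). Assumed to live in its own datastore with its own
    access controls, separate from the health data."""

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key
        self._subjects: dict = {}  # pseudonym -> identifying fields
        self._index: dict = {}     # keyed hash of e-mail -> pseudonym

    def _index_of(self, email: str) -> str:
        # Keyed hash: the index cannot be rebuilt from guessed e-mail
        # addresses without the key, which is held outside both stores.
        normalised = email.strip().lower().encode()
        return hmac.new(self._index_key, normalised, hashlib.sha256).hexdigest()

    def register(self, name: str, email: str, dob: str) -> str:
        key = self._index_of(email)
        if key in self._index:
            return self._index[key]
        # Random pseudonym: derived from nothing about the subject, so it
        # carries no information on its own.
        pseudonym = secrets.token_hex(16)
        self._subjects[pseudonym] = {"name": name, "email": email, "dob": dob}
        self._index[key] = pseudonym
        return pseudonym

    def lookup(self, email: str) -> Optional[str]:
        return self._index.get(self._index_of(email))

    def forget(self, pseudonym: str) -> None:
        self._subjects.pop(pseudonym, None)
        self._index = {k: v for k, v in self._index.items() if v != pseudonym}

    def mentions(self, pseudonym: str) -> int:
        """Count every place the pseudonym still appears (erasure audit)."""
        return int(pseudonym in self._subjects) + sum(
            1 for v in self._index.values() if v == pseudonym)


class HealthStore:
    """Clinical records keyed only by pseudonym; refuses direct identifiers."""

    DIRECT_IDENTIFIERS = {"name", "email", "dob", "address", "phone"}

    def __init__(self) -> None:
        self._records: dict = {}  # pseudonym -> list of records

    def add(self, pseudonym: str, record: dict) -> None:
        leaked = self.DIRECT_IDENTIFIERS & set(record)
        if leaked:
            raise ValueError(f"direct identifiers not allowed here: {sorted(leaked)}")
        self._records.setdefault(pseudonym, []).append(dict(record))

    def get(self, pseudonym: str) -> list:
        return list(self._records.get(pseudonym, []))

    def purge(self, pseudonym: str) -> int:
        return len(self._records.pop(pseudonym, []))

    def mentions(self, pseudonym: str) -> int:
        return len(self._records.get(pseudonym, []))


def erase_subject(vault: IdentityVault, store: HealthStore,
                  email: str, identity_verified: bool) -> dict:
    """Validate a right-to-be-forgotten request, erase, then verify that
    nothing in either store still references the subject."""
    if not identity_verified:
        return {"status": "rejected", "reason": "requester identity not verified"}
    pseudonym = vault.lookup(email)
    if pseudonym is None:
        return {"status": "rejected", "reason": "no data held for this subject"}
    records_removed = store.purge(pseudonym)   # clinical data first
    vault.forget(pseudonym)                    # then sever the link
    remaining = vault.mentions(pseudonym) + store.mentions(pseudonym)
    return {"status": "erased" if remaining == 0 else "incomplete",
            "records_removed": records_removed,
            "remaining_references": remaining}


def demo() -> dict:
    """Constructed sample subject and record; returns the erasure report."""
    vault = IdentityVault(index_key=secrets.token_bytes(32))
    store = HealthStore()
    p = vault.register("Ada Example", "ada@example.org", "1980-01-01")
    store.add(p, {"observation": "blood_pressure", "value": "120/80"})
    return erase_subject(vault, store, "ada@example.org", identity_verified=True)


if __name__ == "__main__":
    print(demo())
```

The health store can be backed up, replicated or handed to analysts without ever containing a name, and a compromise of it alone yields pseudonyms rather than identities; as the section notes, the records are still personal data while the vault exists, which is why `erase_subject` purges both stores and then re-counts references rather than trusting that the deletes succeeded.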
GDPR and ISO 27001:2017
ISO 27001:2017 is an international standard for information security management, and as such provides an ideal framework for implementing the technical measures necessary for data security compliance with GDPR.
However, GDPR and ISO 27001:2017 are in no way interchangeable, and having ISO 27001:2017 certification does not mean you comply with GDPR. GDPR is wider, and encompasses both data security and data privacy.
Extra Horizon: Medical Back-End as a Service
Unlike most cloud infrastructure providers, Extra Horizon provides a medical back-end as a service, certified to ISO 27001:2017 (information security management system) and ISO 27701:2019 (privacy information management system), amongst others.
Extra Horizon alleviates most of the compliance burden from your organisation by taking responsibility for protecting the infrastructure and systems that support your app. Key benefits include:
- Extra Horizon will be responsible for the management of software updates and security patches, as well as the networking configurations underlying the system.
- Our platform uses the best-in-class encryption standards, and makes it easy to move to pseudonymized data and ensure that personal information and pseudonymized data are stored separately.
- Our user and group service makes it simple to manage users, offering you granular access control opportunities, audit trails, consent management, and management of the right to be forgotten.
- Building your digital health application on Extra Horizon’s regulatory-compliant framework will significantly advance your GDPR and MDR compliance trajectory.