Why HIPAA and GDPR cannot replace each other

Why HIPAA and GDPR cannot replace each other?
It's a misconception that GDPR and HIPAA can replace each other. Many companies misconstrue both compliance regimes. They think that HIPAA is US, GDPR is EU, and both talk about personal information. They further think that implementing one automatically means implementing the other.

Unfortunately, that is not the case. There is a subtle overlap between the two, but from an implementation point of view they are entirely different.

So why are they different?
1. GDPR sets standards for all sensitive personal data and its categories, while HIPAA deals only with PHI.
2. GDPR includes race, religion and multiple other parameters when identifying a person, while HIPAA includes only a subset of these.
3. GDPR outlines geographical presence requirements for a person, while HIPAA does not mention that and is wider in those terms.
4. GDPR applies to all organizations that deal with personal data, while HIPAA is limited to PHI controlled by covered entities, focusing specifically on the health sector.

How do they differ from an implementation perspective?
1. Documentation – HIPAA requires deeper and wider documentation than GDPR.
2. Procedures – Following HIPAA procedures is very different from following those for GDPR. For example, HIPAA has a well-defined requirement for breach notification, while GDPR procedures are very good at defining what information counts as Personally Identifiable Information.

So which compliance should be implemented first?
The answer is – it does not matter. Whether you implement HIPAA or GDPR, a separate set of policy and procedure documents, risk assessments and forms is required. Implementing HIPAA first can sometimes make implementing GDPR easier, but this depends heavily on the organization's business, geographical locations, internal structure and the nature of its product or service.

So what is suggested as a right practice?
If an organization wants to go for both HIPAA and GDPR, treat them separately in terms of policies, procedures and documentation. Both implementations can be started in parallel, and when it comes to document creation, keeping them separate and cross-referencing between the two policy sets yields better results.

Things to remember
1. HIPAA is the US way of looking at privacy, while GDPR is the EU way. The legal angles differ, and that difference is reflected in the documentation and governance.
2. HIPAA came first, and GDPR came later. This will always leave a subtle difference between what the two regimes address, and keeping them separate within the organization helps in the long run.