April 4, 2024 Today, we’re talking about our friends across the pond – Europe. HIPAA, or the Health Insurance Portability and Accountability Act, guides the security of health information only in the United States. Don’t worry, the fight for data privacy goes global, with many countries having similar legislation. Now, even in the land of euros and rich history, the safety of personal information is important. Grab your passport! Today, we’re taking a quick trip over the Atlantic to explore how privacy laws are in Europe. What’s the GDPR? The GDPR, or the General Data Protection Regulation, is the European Union’s equivalent to HIPAA. The GDPR was established in 2018, preceding similar legislation, and it defines the rights of EU citizens regarding how organizations collect and handle their personal information. For those unfamiliar with the EU, this currently includes 27 European countries: Austria, Belgium, Bulgaria, Croatia, the Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden. Whew! That’s a lot of countries! Interestingly enough, countries that are not technically a part of the EU, but are a part of the European Economic Area, like Norway and Iceland, are also bound to the GDPR. Now, before you ask, we haven’t forgotten our British buddies. After Brexit, the United Kingdom split from the EU and established its system, similar to the GDPR, called the Data Protection Act. Alongside this legislation, they have the simply named: UK GDPR. Guess what that is? Ding ding ding! Yep, you guessed it! It’s the GDPR with slight updates for the UK. Hopefully, I haven’t lost you yet! GDPR vs HIPAA While the GDPR and HIPAA are really similar, they have major distinct differences. The GDPR not only covers healthcare but all situations that include personal information. Buying something online from an EU-based company? The retailer has to be GDPR-compliant. Even a US bank can’t outrun the GDPR! If you’re a US-based bank with a new location in Europe, that location has to be GDPR-compliant. The GDPR also allows for the right for erasure. If a patient wants their records to be deleted, a practice has one month to respond to the request. GDPR rules around consent are also more distinct than HIPAA, requiring explicit and informed consent. GDPR consent must be easy to give and withdraw. Rather than one organization, like the OCR, enforcing legislation, the GDPR is enforced by individual data protection authorities (DPAs) from the EU and EU-adjacent countries. GDPR fines can be vast – with some being up to 20 million Euros, or up to 4% of their total global annual revenue, whichever is higher! In a major GDPR case, health data software company Dedalus Biologie was fined €1.5 million in France for a data breach affecting nearly half a million people! What can we learn from this? Now, welcome back to the US! Hopefully, you were able to sleep on the way back. From our quick exploration, we can see how important data privacy is on a global scale. While Europe’s legislation might be more encompassing than HIPAA, the same message is clear: data privacy is a fundamental right. To see how your compliance currently stands in the US, email us at info@abyde.com and schedule a consultation here!