Skip to content

GDPR Implementation & HIPAA Compliance: What you need to know

By Hemant Pathak, Assistant General Counsel, Lead Attorney for Microsoft U.S. Sales & Marketing, Steve Mutkoski, Director of Government Affairs & Microsoft Worldwide Health, Nathan Leong, Lead Attorney, Microsoft U.S. Health & Life Sciences, Jackie Haydock, Attorney, Microsoft U.S. Health & Life Sciences, Melanie Scott-Bennett, Attorney, Microsoft U.S. Health & Life Sciences, Lisa J. Acevedo, Shareholder, Polsinelli, P.C., Kathleen D. Kenney, Associate, Polsinelli, P.C., and Lindsay R. Dailey, Associate, Polsinelli, P.C. on May 14, 2018

Filed under Health

two doctors looking at computer screen

With May 25, 2018 quickly approaching, the General Data Protection Regulation (GDPR) continues to take the data privacy industry by storm with organizations heavily focused on GDPR Implementation.  GDPR’s long-reach extends to the U.S. and imposes new rules on organizations that offer goods and services to people in the European Union (EU) or that collect and analyze data tied to EU residents. 

As U.S. Health & Life Sciences organizations work on GDPR Implementation, organizations that are already governed by HIPAA should turn to their HIPAA Compliance journey and existing privacy knowledge which  provides a solid foundation of privacy and legal compliance experience and acts as a good starting point when it comes to their GDPR journey and implementation. Those organizations governed by HIPAA will greatly benefit from their strong compliance mindset as they look to requirements unique to the GDPR.

The GDPR and HIPAA share many common themes and principles.  Both are comprehensive regulatory schemes, each with the same overarching goal to protect individual privacy.  Both regulate how covered information can be used, disclosed, maintained and transmitted, as well as how it must be secured.  Both also provide individuals with certain rights to their data. Both regulate downstream vendors and both have breach reporting requirements.  

However, despite some similarities between the GDPR and HIPAA, there are critical and significant differences that US Health & Life Sciences organizations should consider and understand for their GDPR Implementation, including the scope of regulated individuals/entities, types of data that is regulated and permitted uses and disclosures of regulated data.

To help guide this process for our customers, Microsoft has partnered up with Polsinelli, P.C., to co-author a white paper that compares and contrasts key GDPR Implementation requirements with their counterparts under HIPAA and provides practical tips for GDPR implementation. This white paper can be used as a crosswalk between GDPR Implementation and HIPAA Compliance to help organization focus in on steps they will need to take that are new to the organization as a result of the GDPR . 

The paper explores the following questions:

  • Does the GDPR apply to U.S. Health & Life Sciences organizations?
  • What types of data are regulated by the GDPR and do they overlap with the scope of data regulated by HIPAA?
  • Does the GDPR restrict uses and disclosures of personal data in the same manner as HIPAA?
  • How does the treatment of individual rights compare under the GDPR and HIPAA?
  • Are there differences between breach reporting under the GDPR and HIPAA?
  • How do the compliance program obligations under the GDPR compare to those required under HIPAA?
  • How do security requirements under the GDPR compare to the HIPAA Security Rule?
  • How do non-compliance penalties compare under the GDPR and HIPAA?
  • What is Microsoft’s commitment to GDPR compliance?

In addition to this paper, Microsoft and Polsinelli will also be issuing a series of blog posts over the course of the next several weeks further examining the journey of GDPR implementation for US Health & Life Sciences Organizations.  This series will focus on operational tips and key takeaways for Microsoft’s customers to consider on their GDPR journey.

Like HIPAA compliance, GDPR Implementation and compliance is a marathon not a sprint – implementing and operationalizing the requirements takes significant time and resources.  This white paper and blog series are intended to serve as tools to assist U.S. Health & Life Sciences organizations with GDPR implementation.

Useful Links

Contact Us