GDPR vs. HIPAA for Digital Health Apps

Every Digital Health App processes personal data and most will also process health sensitive data. Processing such data requires you to be compliant with relevant data protection laws. How do you do that as a Digital Health Business? Here are the key things you have to consider.

What type of data am I collecting?

It is important to understand what type of data you are collecting. You can easily do that by completing our Self-Assessment test. This will also give you advice on what you should be doing – depending on the nature of the data that you are processing you might need greater security measures or procedures. BTW, did you know dynamic IP-addresses count as personal data?

What is the difference between HIPAA and GDPR?

You need to understand the different requirements that different data protection laws impose. If the aim for your business is to scale globally you must be aware of all relevant laws, such as the EU GDPR[^1] and the US HIPAA[^2]. The different requirements are summarised in the table below.

Administrative Requirements under HIPAA can be compared to GDPR's Organisational Measures. They need to be considered case by case involving lawyers, privacy experts and by carefully studying the entire privacy framework.

The main aim for companies is to ensure that their data processing is legal, and that their service is properly regulated using legal documents such as Terms and Conditions and Privacy Policies.

Technical and Physical Requirements under HIPAA can be compared to GDPR's Technical Measures.

The main aim of these technical requirements is to ensure the security of your data.

GDPR does not define a standard way to ensure security. This may create uncertainty since the central disposition regarding security (art. 32 GDPR)  requires measures to be "adequate" but it does not explain how to reach the appropriate level of "adequacy". Furthermore, GDPR requires a risk-based approach: the higher the risk, the more rigorous the technical/security measures that the controller or the processor needs to take to manage the risk.

By contrast, the HIPAA Security Rule defines precisely what steps and measures are necessary to achieve compliance.

How can Chino.io help?

Chino.io offers a secure Database as a Service that gives digital health, eHealth, and mHealth developers the ability to store some or all of their data securely. We provide security solutions which allow you to be both HIPAA and GDPR compliant. Furthermore, we are ISO 9001, 13485 and 27001 certified!