Consent in Data Privacy: A General Comparison of GDPR and HIPAA
Przegląd Prawniczy Uniwersytetu im. Adama Mickiewicza, volume 16, 2024

Keywords

GDPR
HIPAA
Privacy Rule
consent
authorization
healthcare data
data privacy

How to Cite

Jurczuk, M., & Suprunowicz, M. (2024). Consent in Data Privacy: A General Comparison of GDPR and HIPAA. Przegląd Prawniczy Uniwersytetu im. Adama Mickiewicza, 16, 173–194. https://doi.org/10.14746/ppuam.2024.16.07

Abstract

The purpose of this paper is to conduct a general comparison of the legal requirements regarding consent under the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR). Both regulations aim to protect health data as a special category of personal data, highlighting the importance of obtaining explicit consent or authorization from the data owner before processing or disclosing the information. The article explores the distinct approaches of HIPAA and the GDPR in defining consent and authorization, the requirements for withdrawal or revocation of consent, and the form and language of consent.
It also examines the scope of application of each regime and its impact on healthcare operations, emphasizing the need for informed and transparent consent practices under both regulations. Furthermore, it examines the differences in regulatory scope and the specific measures each framework takes to safeguard personal health information.

