What is a Data Breach under GDPR and HIPAA?

Travis Good, MD
Travis Good, MD

Co-founder & Chief Technology Officer

January 9, 2018  tag GDPR

We get asked all the time for the meaning of a data breach. It often comes up when people look at a breach vs. a security incident. It gets even muddier when the term “security incident involving ePHI” is brought into the mix. While seemingly nitpicky, understanding the differences between these terms is essential to reduce your risk and to inform your partners and customers. Ambiguity and opacity is a not a good strategy when it comes to compliance and foundational definitions.

What is a security incident?

Starting with a security incident, which is less ambiguous, NIST defines the term in 800-61 as:

A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.”

HIPAA has a very similar definition in section 164.304:

“A security incident as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.”

GDPR doesn’t explicitly define “security incident” so a safe path is to use the NIST definition if you want to comply with GDPR. GDPR does expand the definition of a “personal data breach,” as you’ll see below, so the distinction between security incident and data breach is less evident under GDPR than under HIPAA.

What is a HIPAA Data Breach?

The significant difference between a security incident and a data breach, or personal data breach, is the impact on individual data.

HHS and HIPAA define a breach simply as:

A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.”

At Datica, we’ve used the HIPAA definition for a data breach. But GDPR expands on that definition to include not just “impermissible use and disclosure” but “destruction, loss, and alteration” of personal data. As we extend our compliance program to meet the requirements of GDPR, we are adjusting our definition of breach to the more stringent GDPR definition.

What is a GDPR Data Breach?

GDPR, in the definitions section of the regulation (Article 4), defines a “personal data breach” in the following way:

Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

What’s the difference?

The other difference in data breach between HIPAA and GDPR is the actual type of data. HIPAA is only concerned with “protected health information” where GDPR is concerned with “personal data,” a much broader scope. One security strategy employed in the US to mitigate the risk of a data breach is to separate, logically in storage, personally identifiable data and health data. This separation reduces the likelihood of protected health information being breached. Under GDPR, this strategy, while good to employ from a security and exposure perspective, does not mitigate the risk of personal data breach.

The differences in terminology between these definitions can be subtle. But the impact is significant if you don’t explicitly articulate these terms to your workforce because they are an essential component of an effective monitoring program and to meeting the GDPR data breach notification requirements outlined in GDPR Article 33 and 34.

Learn more about GDPR — Understand the requirements of GDPR Data Breach Notifications

Related Academy Articles

small/icon-book-fill Datica Academy