By Gil Vidals, , HIPAA Blog, Resources

In order to host and/or migrate medical data being transferred from the European Union (EU), US hosting providers have to undergo and partake in the U.S.-EU Safe Harbor certification process.

EU Directive 95/46/EC is the European Union mandate (in conjunction with the European Convention {EC}) for the protection of individuals with regard to Automatic Processing of Personal Data. Health information falls within the scope of this European Directive.

U.S.-EU Safe Harbor Framework is a process for US organizations to comply with this European standard for privacy protection of personal data originating from countries participating in the EU.

When dealing with data protection of this nature, non-production (development) hosting environments are not bound to these regulations (if protected health information (PHI) and/or electronic medical records (EMR) are not resident on these systems). Whereas the “transition” and “production” systems would be required to follow these data protection constraints.

There are differences between US HIPAA Compliance and the US-EU Safe Harbor requirements. Health Information Portability and Accountability Act (HIPAA) is more of a guideline, whereas EU data privacy is more stringent when dealing with information protection and data security measures.

HIPAA Guidelines follow Code of Federal Regulations (CFR) by which to adhere for compliance; US-EU Framework uses the Safe Harbor Privacy Principles as the fundamental rules.

In short, HIPAA and US-EU Safe Harbor both serve the same purpose: the protection of private data (to include medical records and patient information).

  • HIPAA is regulated by the US Federal Government
  • US-EU is regulated by the US Federal Government and the European Union
    • Data being hosted in the US is bound to HIPAA, not to US-EU
    • Data being hosted in the EU is not bound to HIPAA, nor to US-EU
    • Data being hosted in the US [containing private data transferred from EU to US] is bound to HIPAA and US-EU