HIPAA Compliance and BAA Form

Because SignRequest is an EU-based company, we comply with the GDPR. The GDPR is an EU regulation put in place to protect individuals' personal data (often called personally identifiable information, or PII) and to hold businesses to a higher standard in how they collect, store, and use that data. Its aim is to give people in the EU control over their personal data and to change the data privacy approach of organizations across the world, wherever they are based. Personal data includes names, email addresses, physical addresses, IP addresses, health information, income, and more.

The biggest similarity between the GDPR and HIPAA is that security is at their core. The GDPR sets standards for all personal data, with stricter rules for special categories such as health data, while HIPAA deals only with Protected Health Information (PHI).

PHI includes any information that can be used to identify a patient, such as a name, address, date of birth, bank or credit card details, social security number, photos, or insurance information, when it is combined with health information.

The GDPR, on the other hand, covers any information that can be used, directly or indirectly, to identify a person while they are in the EU. This includes race, religion, political affiliation, sexual orientation, biometric or genetic data, and any other information relating to their health. The protection of personal health information is the only common denominator between the two.

HIPAA standards are limited to health information held by Covered Entities, such as doctors, health plans (including employer-sponsored group health plans), and insurance companies. Business Associates that handle PHI on a Covered Entity's behalf, such as shredding companies, IT companies, or transcription services, are also regulated by HIPAA.

The GDPR, however, applies to every organization that processes the personal data of people in the EU, regardless of the industry or where the organization is located.

Currently, SignRequest is not HIPAA compliant and is therefore unable to sign a Business Associate Agreement (BAA).
