The company I work for has products in multiple countries and uses Safe Harbor instead of HIPAA. From what I have experienced, Safe Harbor is more stringent, especially when it comes to personal data.

My experience has been more directly with the data and with having to send it to external companies for testing purposes. All of the personal information had to be removed (e.g. initials) or changed (e.g. birth date, study identifier and certain other dates which could link a person to a specific visit).

When sending the data out I had to send it on a CD-R, since they wouldn't allow it to be sent over email (even over a secured connection). The data had to be in an encrypted zip file, and the password was sent separately. Both were sent via FedEx after being approved by our Safe Harbor representative. This was done even with a confidentiality agreement in place with the companies in question.

For internal use it didn't have to be as "scrambled", but there still was some level of it, and again it had to be approved before it could be sent to or used by the department.

Like HIPAA, the tech side isn't clearly defined and is left mainly open to interpretation by the company representatives.

"Security. The Directive requires that 'appropriate technical and organizational measures to protect data' against destruction, loss, alteration, or unauthorized disclosure or access be taken (Article 17)."

Safe Harbor