What U.S. Healthcare Providers Should Know About GDPR
Thursday, June 28, 2018
The General Data Protection Regulation (GDPR) is a new European legal framework that regulates the privacy and security of personal data belonging to individuals within the European Union (EU) as well other European Economic Area (EEA) countries namely Norway, Iceland, and Liechtenstein. The main tenet of GDPR is the rights of individuals to their personal information — individuals have complete control over where, when, and how their personal information is to be collected and used.
GDPR was signed into law in April 2016 and companies were given two years to meet compliance before it went into effect on May 25 of this year. The cost of non-compliance with the GDPR requirements is high; four percent of the company's global annual revenue or 20 million euros (24 million dollars), whichever is higher.
With GDPR just taking effect, the full consequences of this law are still yet to be fully determined. What is known, though, is that its impact will be felt globally and not just within the EU. Also, all sectors of the economy, healthcare included, will be impacted by the GDPR regulations. Below are important provisions within the GDPR that U.S. healthcare providers should be aware of:
- Right to be forgotten: Also known as the right to erasure, individuals can request that companies delete all their personal information. Healthcare organizations can no longer hold on to their patients' information indefinitely if otherwise requested.
- Right to access: Companies are required to provide individuals with all their personal information when requested.
- Consent: Individuals must provide explicit consent to have their personal information collected. This consent must be freely provided, specific, and unambiguous. The consent can be revoked at any time at the individuals' discretion.
- Data privacy and security: Only the minimum data needed by a company to fulfill its duties should be collected and stored. In addition, data should only be shared with third parties when absolutely necessary.
- Breach notification: In the event of a data breach, companies have 72 hours to notify affected individuals.
- Data portability: Personal information should be provided in a manner that can be readily transferred by individuals if requested.
Impact of GDPR on U.S. healthcare providers
For the most part, U.S. healthcare providers are not expected to be significantly impacted by GDPR except under specific circumstances:
- The healthcare facility has a physical location in any of the EU or EEA member countries.
- The healthcare facility offers goods or services to individuals within the EU by direct advertisement to have them seek medical care in the U.S. However, individuals residing in EU member countries who seek unsolicited medical care at any U.S. healthcare facility are not covered by GDPR.
- The affected individual needs additional monitoring upon return to the EU as may occur as part of a healthcare facility's post-discharge plan.
Additional things to note about GDPR are:
- Any U.S. citizen who travels to any of the EU member countries is covered by GDPR if seen by an EU healthcare provider. The U.S. citizen's health information will be treated in accordance with GDPR standards until he or she leaves the EU nation.
- Medical information transferred from a U.S. healthcare facility to an EU healthcare provider upon request for continuation of medical care is not regulated by GDPR.
HIPAA vs GDPR
The Health Insurance Portability and Accountability Act (HIPAA) provides privacy standards that regulate the use of patients' medical records and other pertinent medical information in the U.S. While similar to GDPR in some regards, there are some significant differences:
- HIPAA is limited in scope, regulating primarily information related to the medical care of individuals. In contrast, GDPR has a much broader scope, covering any personally identifiable information such as IP addresses, credit card information, among others.
- In the event of a data breach, HIPAA-compliant organizations have a 60-day window from the time of discovery to notify affected parties. Under GDPR, companies only have 72 hours for breach notification.
- Under HIPAA, obtaining consent is optional prior to the release of protected health information (PHI). With GDPR, consent must be explicitly obtained prior to the collection or use of an individual's information.
- HIPAA allows individuals to determine how their information is shared, with some restrictions. However, under GDPR individuals can request the complete deletion of their entire personal data from a company's database.
With GDPR still in its nascent phase, further adjustments may need to be made by affected companies as the full effects of the law come into view. Affected U.S. healthcare providers should be ready to modify their business practices to keep up with the complexities of GDPR.