Commercial risk will be a critical catalyst of progress – it’s complicated, but is it possible? We think so.

Blog Post

Treat any patients with an EU passport? This new far-reaching regulation applies to you.

December 19, 2017

    A new European Union (EU) regulation designed to protect the privacy and personal data of EU residents may impact many U.S. health care organizations (HCOs) if they provide care to EU individuals.

    Get cheat sheets on other health care legal landmarks

    The General Data Protection Regulation (GDPR), which goes into effect May 25, 2018, brings heavy fines for non-compliance —but few U.S. health care leaders are aware of its extraterritorial reach. While it is not yet clear how the regulation will be enforced against U.S. organizations, the threat of fines for non-compliance demands U.S. health care leaders have a basic working knowledge of this far-reaching regulation and prioritize conversations about GDPR with legal, compliance, and privacy leaders within their organization. 

    Parts of GDPR resemble elements of HIPAA. Nonetheless, GDPR's wide scope, expanded individual rights (particularly around consent and ability to make changes to their data—including complete data erasure), and breach notification requirements extend beyond what U.S. HCOs are familiar with. It's likely that GDPR will require U.S. HCOs to  modify current processes to be compliant with the regulation. Below we address some of the foundational elements of GDPR that U.S. HCOs need to know.

    Who is bound by the GDPR?

    Takeaway: The extraterritorial reach of GDPR means that U.S. HCOs that treat EU patients may be subject to compliance and fines. 

    What is the scope of data regulated?

    Takeaway: GDPR regulates a broad scope of personal data, including health care information.


    How does the GDPR restrict the usage of patient health data?

    Takeaway: GDPR elevates patient consent requirements for health data processing (anything done to or with personal data). HCOs must ensure their consent documents are clear and in plain language, separated from other forms, and specific as to the purposes of the data processing.


    What are GDPR's requirements regarding data security?

    Takeaway: Compliance with HIPAA and GDPR requires many of the same cybersecurity protections. However, because of the broad scope of the GDPR requirements, HCOs bound by the regulation may need to take additional steps to bolster their security measures.

    What are the organizational staffing requirements under GDPR?

    Takeaway: The DPO (Data Protection Officer) required by GDPR is a position akin to the Chief Privacy Officer (CPO) role in U.S. organizations. Thus, the CPO's responsibilities will take on heightened importance given the high financial stakes that GDPR imposes.

    Get cheat sheets on the latest trends for today's digital health systems

    What data privacy rights do individuals have under GDPR?

    Takeaway: EU patients have rights related to their personal data that may extend beyond those afforded to patients under HIPAA that likely will require modification of processes to address.


    How does the GDPR affect data transfer between the U.S. and the EU?

    Takeaway: If U.S. HCOs receive any personal data from the EU, they must legitimize transfers using certain safeguards, as the European Commission has not deemed personal data protection in the United States to be adequate.


    What are the penalties for non-compliance with GDPR?

    Takeaway: The financial penalties under GDPR are greater than those under HIPAA, reaching into the multi-millions.


    How will GDPR be enforced in the United States?

    It is not clear how EU authorities will enforce GDPR regulations against U.S. HCOs, but enforcement will likely involve the help of U.S. authorities. The EU can issue fines to U.S. organizations in accordance with international law and there has long been enforcement cooperation between U.S. and EU data protection authorities.

    Action items

    What should U.S. HCOs do now to prepare for GDPR? Here are some ways to get started:

    • Consult with your organization's compliance and legal teams to fully understand GDPR's enforcement implications within the U.S. and how it interacts with HIPAA and other applicable state regulations.
    • Incorporate GDPR discussions as a component of regularly occurring compliance meetings to determine how your organization wants to prepare.
    • Consider modifying intake processes and materials to be able to identify GDPR-applicable patients and ensure GDPR-compliant consent is collected.
    • Ensure processes or plans are in place to accommodate or handle EU patient requests for data access, copies, erasure, and portability. 

    Additional resources


    Get answers to your biggest health care IT questions

    Learn how Health Care IT Advisor can help you address the major IT-related issues facing health care leaders today.

    Learn More

    Paint a picture of a cyber-resilient organization

    Historically, cybersecurity preparation efforts have been isolated to the IT department, but the new quickly-evolving and sophisticated threat landscape demands an enterprise-wide and holistic approach. C-suites and boards must work in collaboration with IT and security leaders to ready their organizations to withstand and combat cyberattacks.

    Download this infographic to explore the ecosystem of preparation efforts required for cyber resilience, key actions for IT leaders, and top lessons for non-IT leaders.

    Download Now

    Have a Question?


    Ask our experts a question on any topic in health care by visiting our member portal, AskAdvisory.