The General Data Protection Regulation (GDPR), which goes into effect May 25, 2018, brings heavy fines for non-compliance —but few U.S. health care leaders are aware of its extraterritorial reach. While it is not yet clear how the regulation will be enforced against U.S. organizations, the threat of fines for non-compliance demands U.S. health care leaders have a basic working knowledge of this far-reaching regulation and prioritize conversations about GDPR with legal, compliance, and privacy leaders within their organization.
Parts of GDPR resemble elements of HIPAA. Nonetheless, GDPR's wide scope, expanded individual rights (particularly around consent and ability to make changes to their data—including complete data erasure), and breach notification requirements extend beyond what U.S. HCOs are familiar with. It's likely that GDPR will require U.S. HCOs to modify current processes to be compliant with the regulation. Below we address some of the foundational elements of GDPR that U.S. HCOs need to know.
Who is bound by the GDPR?
Takeaway: The extraterritorial reach of GDPR means that U.S. HCOs that treat EU patients may be subject to compliance and fines.
What is the scope of data regulated?
Takeaway: GDPR regulates a broad scope of personal data, including health care information.
How does the GDPR restrict the usage of patient health data?
Takeaway: GDPR elevates patient consent requirements for health data processing (anything done to or with personal data). HCOs must ensure their consent documents are clear and in plain language, separated from other forms, and specific as to the purposes of the data processing.
What are GDPR's requirements regarding data security?
Takeaway: Compliance with HIPAA and GDPR requires many of the same cybersecurity protections. However, because of the broad scope of the GDPR requirements, HCOs bound by the regulation may need to take additional steps to bolster their security measures.
What are the organizational staffing requirements under GDPR?
Takeaway: The DPO (Data Protection Officer) required by GDPR is a position akin to the Chief Privacy Officer (CPO) role in U.S. organizations. Thus, the CPO's responsibilities will take on heightened importance given the high financial stakes that GDPR imposes.
What data privacy rights do individuals have under GDPR?
Takeaway: EU patients have rights related to their personal data that may extend beyond those afforded to patients under HIPAA that likely will require modification of processes to address.
How does the GDPR affect data transfer between the U.S. and the EU?
Takeaway: If U.S. HCOs receive any personal data from the EU, they must legitimize transfers using certain safeguards, as the European Commission has not deemed personal data protection in the United States to be adequate.
What are the penalties for non-compliance with GDPR?
Takeaway: The financial penalties under GDPR are greater than those under HIPAA, reaching into the multi-millions.
How will GDPR be enforced in the United States?
It is not clear how EU authorities will enforce GDPR regulations against U.S. HCOs, but enforcement will likely involve the help of U.S. authorities. The EU can issue fines to U.S. organizations in accordance with international law and there has long been enforcement cooperation between U.S. and EU data protection authorities.
What should U.S. HCOs do now to prepare for GDPR? Here are some ways to get started:
- Consult with your organization's compliance and legal teams to fully understand GDPR's enforcement implications within the U.S. and how it interacts with HIPAA and other applicable state regulations.
- Incorporate GDPR discussions as a component of regularly occurring compliance meetings to determine how your organization wants to prepare.
- Consider modifying intake processes and materials to be able to identify GDPR-applicable patients and ensure GDPR-compliant consent is collected.
- Ensure processes or plans are in place to accommodate or handle EU patient requests for data access, copies, erasure, and portability.
- The final General Data Protection Regulation is available here: http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf
- EU GDPR Portal: http://www.eugdpr.org/eugdpr.org.html
- "Top 10 operational impacts of the GDPR," IAPP, https://iapp.org/resources/article/top-10-operational-impacts-of-the-gdpr/.
Get answers to your biggest health care IT questions
Learn how Health Care IT Advisor can help you address the major IT-related issues facing health care leaders today.
Paint a picture of a cyber-resilient organization
Historically, cybersecurity preparation efforts have been isolated to the IT department, but the new quickly-evolving and sophisticated threat landscape demands an enterprise-wide and holistic approach. C-suites and boards must work in collaboration with IT and security leaders to ready their organizations to withstand and combat cyberattacks.
Download this infographic to explore the ecosystem of preparation efforts required for cyber resilience, key actions for IT leaders, and top lessons for non-IT leaders.