What does the EU's new Privacy and Security law mean for US Healthcare Providers, Payors, and Vendors?

Beginning on May 25, 2018, HIPAA won’t be the only healthcare data security standard that U.S. companies are worrying about. Healthcare businesses (such as healthcare providers, digital health/health IT companies, and their vendors) that “control” and/or ”process” health data in the U.S. that may include data from EU "data subjects" will be required to comply with the new EU General Data Protection Regulation (the “GDPR”). A recent Reuters article called the implementation of these regulations “the biggest overhaul of online privacy since the birth of the internet.”   

GDPR 101: What is the GDPR, and how does it affect my healthcare practice or company?

The GDPR is broader in scope than HIPAA, as its protections extend to all broadly defined “personal data,” not just Protected Health Information (PHI). It replaces the 1995 Data Protection Directive from the European Union, which only impacted U.S. companies that transferred the data of EU data subjects out of the EU. In contrast, the GDPR affects all companies that do business with EU data subjects, whether or not they have a presence in the EU. Therefore, any company that uses, collects, or retains any personal data from any European citizen, either knowingly or unknowingly, will have to comply with the GDPR - even if that citizen is physically located in the U.S.  If that company is a HIPAA covered entity or business associate, the company will likely also need to comply with HIPAA. 

Like HIPAA, the GDPR gives EU data subjects special rights related to their personal data and will require companies to make adjustments to 1) their technology (how systems are managed); 2) their data (how their data may be stored and processed); and 3) their compliance obligations (policies and procedures). If you are a healthcare provider in the U.S., there is a strong chance that you may provide services to citizens of the EU while they are visiting or living in the U.S. This may mean you are a “controller” under the GDPR.  If you are a company that provides technology to healthcare providers or processes any data for healthcare providers, you will almost certainly be processing data from an EU data subject, making you a “processor” under the GDPR. “Controllers” are those who are determining why and how a person’s data is being collected and used. “Processors” are those that process personal data after being engaged by a controller to do so. 

What Do I Need to Do Right Now?

1.    Appoint a Data Protection Officer

The GDPR creates a specific obligation on Controllers and Processors to appoint a Data Protection Officer. This individual serves a role similar to that of the HIPAA Security Officer. 

2.    Know Your Data and Obtain “Explicit Consent”

All health-related data will be considered sensitive personal data of an EU data subject.  So if you are in the healthcare field and will be covered by the GDPR, any data you collect will likely be considered not only personal data but sensitive personal data. Controllers and Processors will need to have lawful grounds for collecting and processing personal data and sensitive personal data. There are a few ways that healthcare providers can lawfully collect and process this data, including:

  • “Medical care” grounds, where the collection and processing is necessary for preventative or occupational medicine, medical diagnosis, providing healthcare treatment, managing health systems and services, or under a contract with a health professional subject to professional confidentiality or secrecy under law.
  • “Public health” grounds, where processing is necessary in the public interest for public health reasons
  • As necessary for scientific research

If you are a Controller and would like to use the data for another purpose, you must obtain  Explicit Consent from the individual whose data is being collected or processed.  Explicit Consent is consent which is freely given, specific in its use, informed, and unambiguous.  The data consent must (1) be obtained in a way that is distinguishable from other consents, (2) be easily accessible, (3) use clear and plain language, and (4) be subject to easy withdrawal.  Controllers must explain how the data will be used, including whether it will be transferred, how long it is going to be kept, and any decisions that will be made based on the data. In addition, the GDPR puts the burden on the Controller to prove that consent was properly given. Healthcare companies will need to revisit their terms of use (TOU), terms of service (TOS), and/or consent and authorization mechanisms to comply with these new requirements. 

3. Execute Compliant Contracts

The GDPR requires specific language, related to documentation on processing activities, be included in contracts between Controllers and Processors. Companies that collect data from EU data subjects will need to revise their Business Associate Agreements and/or Information Security Agreements to include all additional GDPR-required provisions.  

4. Revise your Privacy Policy, notices, and related agreements

If you are a digital health company or vendor, you will need to revise your Privacy Policy, Terms of Use, and End User License Agreements.

If you are a medical practice or other provider entity, you will need to revise your Privacy Notice and your Patient Authorizations.

The GDPR requires that controllers provide data subjects with specific pieces of information about themselves and the purposes for which they and any third parties will be using their information. There are also more specific rights of access, rectification, and erasure granted to EU citizens under GDPR that depart from or add to rights available under HIPAA. The GDPR gives EU data subejcts the following rights related to their personal data:

●      The Right To Be Forgotten

●      The Right to Data Portability

If you are collecting health-related data from EU data subjects, your technology systems need to allow an EU data subject to request that their personal data be completely deleted. Your technology must also enable you to provide personal data upon request in machine readable format.

5. Revise your Security Policies and Procedures

The GDPR has additional breach reporting requirements, a separate set of security controls, and BARS a processor (like a digital health company providing data analytics to a hospital) from sharing health data with any third parties, such as cloud services vendors, without written authorization of the controller. GDPR also imposes additional record-keeping requirements and requires a data protection impact assessment, which may require a third party certification. Each of these elements will require businesses that have health data within their systems to revisit their security program.

6. Prepare for More Stringent Data Breach Requirements

One other significant obligation on controllers and processors is that they must report data breaches to Data Protection Authorities and affected individuals within 72 hours if the data breach is likely to result in a risk to individuals. This is a much less complex breach analysis than under HIPAA, but recall that companies subject to HIPAA have 60 days to report a breach, so the requirement is actually much more onerous. Companies and practices will need to modify their systems, protocols, contracts, and workflows to adjust to this new 72-hour requirement. 

What Now?

Non-compliance with the GDPR carries with it some hefty fines and penalties, so it cannot be ignored.  Fines for lower level violations are between up to €10 million or 2% of worldwide financial revenue and €20 million or 4% of worldwide financial revenue. If you need help determining whether and how you will be affected by the GDPR, click here to contact a Nixon Law Group attorney.