What does the EU's Privacy and Security Paradigm mean for US Healthcare Providers, Payors, and Vendors?
Beginning on May 25, 2018, HIPAA won’t be the only healthcare data security standard with which U.S. companies have to comply. Medical practices, digital healthcare companies, and vendors (e.g., electronic health records companies, medical billing companies, and cloud services companies) that do business in the healthcare sector and collect data from European citizens will be required to comply with the new EU General Data Protection Regulation (the “GDPR”). A recent Reuters article called the implementation of these regulations “the biggest overhaul of online privacy since the birth of the internet.”
The GDPR is broader in scope than HIPAA, as its protections extend to all “personal data”, not just Protected Health Information (PHI). It replaces the 1995 Data Protection Directive from the European Union, which only impacted U.S. companies that transferred the data of European citizens out of the EU. In contrast, the GDPR affects all companies that do business with European citizens, whether or not they have a presence in the EU. Therefore, any company that collects any data from any European citizen, even if that citizen is in the U.S., will have to comply with the GDPR. If that company is a HIPAA covered entity or business associate, the company will likely also need to comply with HIPAA.
The GDPR gives EU citizens special rights related to their “personal data” and requires companies that are either Controllers or Processors to make adjustments to (1) their technology, (2) their data, and (3) their compliance obligations. “Controllers” are those who determine why and how a person’s data is collected and used. “Processors” are those that process personal data after being engaged by a controller to do so. If you are a healthcare provider in the U.S., there is a good chance that you provide services to citizens of the EU while they are visiting or living in the U.S.—this may make you a “controller” under the GDPR. If you are a company that provides technology to healthcare providers or processes any data for healthcare providers, you will almost certainly be processing data from an EU citizen—this may make you a “processor” under the GDPR.
What Do I Need to Do Right Now?
1. Appoint a Data Protection Officer
The GDPR creates a specific obligation on Controllers and Processors to appoint a data protection officer—this individual serves a role similar to that of the HIPAA Security Officer.
2. Know Your Data and Get “Explicit Consent”
All health-related data will be considered sensitive personal data of an EU citizen. So if you are in the healthcare field and will be covered by the GDPR, any data you collect will likely be considered not only personal data but sensitive personal data. Controllers and Processors will need to have lawful grounds for collecting and processing personal data and sensitive personal data. These include:
- “Medical care” grounds, where the collection and processing is necessary for preventative or occupational medicine, medical diagnosis, providing healthcare treatment, managing health systems and services, or under a contract with a health professional subject to professional confidentiality or secrecy under law.
- “Public health” grounds, where processing is necessary in the public interest for public health reasons.
- “Scientific research” grounds, where processing is necessary for scientific research.
3. Execute Compliant Contracts
The GDPR requires that specific language, related to documentation of processing activities, be included in contracts between Controllers and Processors. Companies that collect data from EU citizens will need to revise their Business Associate Agreements and/or Information Security Agreements to include all additional GDPR-required provisions.
4. Prepare for More Stringent Data Breach Requirements
One other significant obligation on controllers and processors is that they must report data breaches to Data Protection Authorities and affected individuals within 72 hours if the data breach is likely to result in a risk to individuals. The breach analysis itself is much less complex than under HIPAA, but recall that companies subject to HIPAA have 60 days to report a breach, so the timing requirement is actually much more onerous. Companies will need to modify their systems, protocols, contracts, and workflows to adjust to this new 72-hour requirement.
The GDPR gives EU citizens the following rights related to their personal data:
● The Right To Be Forgotten
● The Right to Data Portability
If you’re collecting health-related data from EU citizens, your technology systems need to allow an EU citizen to request that their personal data be completely deleted. Your technology must also enable you to provide personal data upon request in a machine-readable format.
Non-compliance with the GDPR carries some hefty fines and penalties, so it cannot be ignored. Fines range from up to €10 million or 2% of worldwide revenue for lower-level violations to up to €20 million or 4% of worldwide revenue for the most serious violations. If you need help determining whether you will be affected by the GDPR, or how to get into compliance with the GDPR, contact a Nixon Law Group attorney.