Topics
More on Compliance & Legal

Europe's GDPR privacy law is coming: Here's what US health orgs need to know

By May 25, U.S. providers caring for EU patients will need to brush up on consent forms, data sharing and privacy monitoring.

Jessica Davis, Associate Editor

The European Union General Data Protection Regulation will go into effect on May 25, and healthcare organizations who treat patients from any of the 28 EU nations will need to familiarize themselves with the law to ensure compliance.

GDPR requires companies to gain affirmative consent for any data collected from people who reside in the EU. And organizations that violate the law could face fines up to four percent of their global annual revenue or 20 million euros -- whichever fine is higher.

While U.S. organizations must remain HIPAA-compliant, GDPR rules could be a game-changer for those who care for EU patients. Providers will need to consider data flows, cross-border data transfer, privacy and security monitoring, to ensure their policies are compliant with the law.

Tougher than HIPAA

GDPR is much more stringent than HIPAA, as it broadens the definition of personal data and covers any information associated with an "identified or identifiable natural person," including computer IP addresses, photos, credit card data and the like.

The law also mandates organizations process data requests from EU patients much more quickly than with U.S. standards. And providers will also need clear permission to even use EU resident information.

Because of HIPAA, GDPR is nothing new for U.S. healthcare organizations, explained Kristen Johns, partner at Waller, a national healthcare law firm.

"But it will be a real shock for people who aren't aware of the kind of data they hold and what they share with other vendors," said Johns. "But for healthcare, it shouldn't be a shock or learning curve."

To Johns, there's a fundamental difference between GDPR and HIPAA, as the EU law is based on personal rights, while HIPAA is focused more on the data itself and who can share it and what can be done with it.

Right to erasure and consent

One of the biggest challenges for U.S. provides will likely be the GDPR "right to be forgotten" or sometimes known as the right to erasure. One of the cornerstones of the law is to strengthen individual rights, meaning organizations must honor all patient requests to erase personal data.

It also places limits on how long data can be stored, covering all data not considered valuable to scientific research under GDPR definition. Organizations must implement technology capable of totally and completely erasing personal data upon request.

For the U.S., where it's common to store patient data indefinitely, this will be a major change.

Notice of consent is the other area U.S. providers must fully understand, explained Johns. Providers should draft consent forms that outline what's collected and make sure that they give a clear place for patients to opt in or out of data sharing or collection.

"Securing disclosure: It boils down to consent, something beyond what exists now in most cases," Waller said. "You have to show that you have that chance to opt in and out easily. And consent has to be in clear, plain language. Currently, not all these healthcare consents are."

Roughly translated, GDPR mandates the elimination of fine print, often overlooked by patients, which can contain loopholes in privacy policies. The idea is that organizations will need to simplify consent language so that it's easy for patients to understand.

Tighter security

GDPR also cracks down on security requirements to ensure patient data is protected. This includes implementing pseudonymization and redundancy, along with routine pen testing and intrusion detection measures. Further, much like with HIPAA, organizations will need a continuous process to evaluate its security measures.

But one GDPR mandate that some healthcare organizations still haven't gotten right is the need for encryption. Providers must lockdown all patient data -- if they haven't already.

And one final security measure that is vastly different than HIPAA is that organizations will only have 72 hours to inform EU patients of a breach. HIPAA gives providers 60-days from the time of discovery.

"In reality, GDPR article is about data protection by design and by default," said Johns. "It gives all identities that could be a data processor … a chance to look at their IT infrastructure and see where they can improve to comply with GDPR."

There are plenty of lists online to determine how entities can be compliant with the data structure of each entity, and how it applies to internal audits, explained Johns. But for healthcare, "the big thing is the internal audit: looking to make sure they have the ability to access information quickly in a compliant way with GDPR and HIPAA."

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com