May 18, 2018 01:00 AM

A guide to the European Union's new privacy law, GDPR

Rachel Z. Arndt

    With the European Union's General Data Protection Regulation policies becoming reality on May 25, privacy and technology leaders in healthcare are preparing for subtle but notable changes in how they manage data. Here's what they need to know.

    What is the GDPR?

    The EU passed the General Data Protection Regulation in 2016 with the goal of giving people control over their personal data, including basic identity information such as first and last name, IP addresses, and health data. When enforcement of the rule begins May 25, organizations will have to change how they handle the personal data of people in the EU, regardless of their citizenship. They'll have to let people know how their data is being used, and they'll have to get people's consent, in clear language, before using their data. If the reason for using the data changes, they'll have to get consent again. So, for instance, if an organization collects someone's medical history for clinical care, it wouldn't be allowed to use that history for medical research without obtaining consent for that new purpose.

    Individual people will also have new rights under the law, including the so-called right to be forgotten: People can ask companies to erase the information those companies hold about them. That could come into play with insurance and pre-existing conditions, said David Ross, principal and cybersecurity growth leader for Baker Tilly's risk, internal audit and cybersecurity practice.

    "The more information you have isn't necessarily a good thing. It puts you at risk because you take on responsibility for security and what if a consumer wants to have access or remove their data from being used," asked Beth Valencia, vice president of business operations for privacy and compliance for Medicx.

    If an organization violates the GDPR, it'll be subject to maximum fines of 4% of revenue or 20 million euros, whichever is greater. That's huge compared to what U.S. health systems have had to pay for data breaches. In 2016, for instance, Advocate Health Care agreed to pay $5.55 million to settle data protection violations that affected about 4 million patients. If it had faced the maximum GDPR fine, that would have amounted to $224 million.

    What does it mean for U.S. patients in the U.S.?

    The law is applicable only to people who are located in EU countries. As long as a U.S. patient's data stays within the U.S., it's subject only to HIPAA rules, not to the GDPR. Even if the data does travel to an organization in the EU, it may not be subject to the GDPR since the patient is not located in the EU.

    What does it mean for U.S. patients in the EU?

    Things change when a U.S. patient goes to the EU. If that patient generates data while in the EU, those data are covered by the GDPR just as they would be for an EU citizen in the EU. So no matter where a person is from, if they're in the EU and generating data there, the data will be protected by the GDPR.

    If a U.S. healthcare organization, given patient consent, provides a patient's information from an encounter in the U.S. to an EU organization while the patient is in the EU, the U.S. organization must only meet HIPAA requirements and U.S. privacy laws. But the EU organization would need to comply with the GDPR, according to Bernadette Broccolo, a partner with McDermott Will & Emery.

    What does it mean for EU patients in the U.S.?

    Here's where things get even trickier. If a French doctor who saw a patient in the EU sends data from that encounter to a U.S. provider while the patient is in the U.S., the GDPR applies to the French doctor's data handling but not to the receiving organization in the U.S., because the U.S. organization is handling data of a patient located in the U.S., not in the EU. But if that U.S. organization follows up with the patient when the patient is back in the EU, and the patient provides information to the U.S. organization related to that follow-up, then the U.S. organization would become subject to the GDPR, Broccolo said.

    U.S. organizations therefore have a choice to make: whether to segregate data subject to the GDPR or to make all processes across all data compliant with the GDPR. "Segregating the data is a little higher risk than doing it across the board," Ross said. "For most organizations, across the board is not a heavy lift because they've done HIPAA."

    What does the GDPR mean for research?

    "There can be consent and authorization implications for research," Broccolo said. For example, if a U.S. organization participates in a study that includes people located in the EU and it collects or receives information on those people, the organization will be subject to the GDPR.

    "Where we need to change our policy primarily is with research," said David Chou, chief information and digital officer at Children's Mercy Kansas City. His organization is still working out the details of necessary policy changes. "We're making a big scramble to get it finalized," he said. U.S.-based health systems with sites in the EU, like HCA, might have to pay particular attention to this facet of the law.

    U.S.-only hospital systems must pay attention too. At Beth Israel Deaconess Medical Center, for instance, leaders are conducting GDPR training for researchers.

    Does it change anything with HIPAA?

    No, but HIPAA does help with the GDPR. "If a healthcare organization is following HIPAA, they are a long way along to being compliant with GDPR from a data protection standpoint," Ross said. "For most U.S.-based organizations, the key message is not 'Is the sky falling?'" Ross said. "But it is a great opportunity to look at privacy and decide for your organization how much privacy matters."

    An edited version of this story can also be found in Modern Healthcare's May 21 print edition.