With the European Union's General Data Protection Regulation policies becoming reality on May 25, privacy and technology leaders in healthcare are preparing for subtle but notable changes in how they manage data. Here's what they need to know.
What is the GDPR?
The EU passed the General Data Protection Regulation in 2016 with the goal of giving people control over their personal data, including information such as basic identity, like first and last name; IP addresses; and health data. When enforcement of the rule begins May 25, organizations will have to change how they handle personal data of people—regardless of their citizenship—in the EU. They'll have to let people know how their data is being used, and they'll have to get people's consent—in clear language—before using their data. If the reason for using the data changes, they'll have to get consent again. So, for instance, if an organization collects someone's medical history for clinical care, the organization wouldn't be allowed to use that history for medical research.
Individual people will also have new rights under the law, including the so-called right to be forgotten: People can ask companies to erase the information those companies hold about them. That could come into play with insurance and pre-existing conditions, said David Ross, principal and cybersecurity growth leader for Baker Tilly's risk, internal audit and cybersecurity practice.
"The more information you have isn't necessarily a good thing. It puts you at risk because you take on responsibility for security and what if a consumer wants to have access or remove their data from being used," asked Beth Valencia, vice president of business operations for privacy and compliance for Medicx.
If an organization violates the GDPR, it'll be subject to maximum fines of whichever is greater, 4% of revenue or 20 million euros. That's huge compared to what U.S. health systems have had to pay for data breaches. In 2016, for instance, Advocate Health Care agreed to pay $5.55 million to settle data protection violations that affected about 4 million patients. If it had faced the maximum GDPR fine, that would have amounted to $224 million.
What does it mean for U.S. patients in the U.S.?
The law is applicable only to people who are located in EU countries. As long as a U.S. patient's data stays within the U.S., it's subject only to HIPAA rules, not to the GDPR. Even if the data does travel to an organization in the EU, it may not be subject to the GDPR since the patient is not located in the EU.
What does it mean for U.S. patients in the EU?
Things change when a U.S. patient goes to the EU. If that patient generates data while in the EU, those data are covered by the GDPR just as they would be for an EU citizen in the EU. So no matter where a person is from, if they're in the EU and generating data there, the data will be protected by the GDPR.
If a U.S. healthcare organization, given patient consent, provides a patient's information from an encounter in the U.S. to an EU organization while the patient is in the EU, the U.S. organization must only meet HIPAA requirements and U.S. privacy laws. But the EU organization would need to comply with the GDPR, according to Bernadette Broccolo, a partner with McDermott Will & Emery.
What does it mean for EU patients in the U.S.?
Here's where things get even trickier. If a French doctor who saw a patient in the EU sends data from that encounter to a U.S. provider while the patient is in the U.S., the GDPR is applicable to the French doctor's data handling but not to the receiving organization in the U.S., because the U.S. organization is handling data of a patient located in the U.S., not in the EU. But if that U.S. organization follows up with the patient when the patient is back in the EU, and the patient provides information to the U.S. organization related to that follow-up, then the U.S. organization would become subject to the GDPR, Broccolo said.
U.S. organizations therefore have a choice to make: whether to segregate data subject to the GDPR or to make all processes across all data compliant with the GDPR. "Segregating the data is a little higher risk than doing it across the board," Ross said. "For most organizations, across the board is not a heavy lift because they've done HIPAA."
What does the GDPR mean for research?
"There can be consent and authorization implications for research," Broccolo said. For example, if a U.S. organization participates in a study that includes people located in the EU and it collects or receives information on those people, the organization will be subject to the GDPR.
"Where we need to change our policy primarily is with research," said David Chou, chief information and digital officer at Children's Mercy Kansas City. His organization is still working out the details of necessary policy changes. "We're making a big scramble to get it finalized," he said. U.S.-based health systems with sites in the EU, like HCA, might have to pay particular attention to this facet of the law.
U.S.-only hospital systems must pay attention too. At Beth Israel Deaconess Medical Center, for instance, leaders are conducting GDPR training for researchers.
Does it change anything with HIPAA?
No, but HIPAA does help with the GDPR. "If a healthcare organization is following HIPAA, they are a long way along to being compliant with GDPR from a data protection standpoint," Ross said. "For most U.S.-based organizations, the key message is not 'Is the sky falling?'" Ross said. "But it is a great opportunity to look at privacy and decide for your organization how much privacy matters."
An edited version of this story can also be found in Modern Healthcare's May 21 print edition.