US healthcare organizations that handle personal information of EU individuals will face stricter regulatory requirements and possibly hefty fines under the EU’s new data privacy rule set to take effect May 25, 2018.
The General Data Protection Regulation (GDPR) applies not only to EU organizations, but any organizations regardless of location that hold and process personal data of individuals residing in EU countries.
If you violate the rules, you could be in for a hefty fine of up to 4 percent of your annual global turnover or €20 million, whichever is greater. This is the highest level of fines for the most serious violations, such as not having sufficient consent from individuals to process their data or violating the GDPR’s Privacy by Design concept.
According to GDPR, Privacy by Design requires the “controller”—the entity that determines the purposes and means of processing personal data—to implement appropriate technical and organizational measures “in an effective way” to protect the rights of EU data subjects.
Less severe penalties include fines of 2 percent of annual global turnover for not having records in order, not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment.
To comply with GDPR, you must get clear consent from the EU data subjects that they agree to have their personal information handled and processed by you, with the purpose of the data processing included in the consent form.
For “sensitive personal information,” which includes medical records, the subject must actively “opt in” to have their data collected and processed.
Under GDPR, data subjects have the right to obtain information about whether personal data concerning them is being processed, where that is being done, and for what purpose. Further, the organization is required to provide a copy of the personal data, free of charge, in an electronic format to the data subject and must delete the information if the subject so requests—the so-called right to be forgotten.
In addition, an organization must notify data protection authorities within 72 hours of becoming aware of a data breach in which personal data of EU residents may be at risk.
“In today's world, the way we handle data will determine to a large extent our economic future and personal safety,” said European Commissioner for Justice, Consumers and Gender Equality Vĕra Jourová. “We need modern rules to respond to new risks, so we call on EU governments, authorities and businesses to use the remaining time efficiently and fulfil their roles in the preparations for the big day.”
While the possible penalties and data breach notification deadline are strict, US healthcare providers that do not market to EU residents and don’t have any European locations don’t have much to worry about, according to Attorney Stephen Wu of the Silicon Valley Law Group.
“If it's a strictly within-the-US healthcare provider, where it's not attempting to market to Europeans; it's not putting up a website in foreign languages saying ‘we'll take your Euros,’ and if it's not located in the EU, then that entity is not covered by GDPR,” Wu told GovInfoSecurity.
However, if the US healthcare provider does market to EU residents and/or has facilities in Europe, then it had better get its data security ducks in a row. Just complying with US HIPAA rules won’t be enough, Wu added.
In addition to EU countries, GDPR applies to residents of Norway, Iceland, and Liechtenstein—which are not EU member states but belong to the affiliated European Economic Area—and Switzerland, explained Bernadette M. Broccolo and Daniel F. Gottlieb, partners with the law firm of McDermott Will & Emery.
According to Broccolo and Gottlieb, the GDPR has “direct extraterritorial reach” to personal data collected and/or processed by a US organization if it processed the data:
• In the context of the activities of a business or other establishment in the EU
• Related to the “offering of goods or services” to EU individuals, such as by advertising that targets them to be patients or other customers even if the services will be provided only in healthcare facilities located in the United States
• Part of monitoring the behavior of EU individuals, such as tracking patients after they return to the EU, for example, as part of postdischarge patient engagement to prevent hospital readmission
“To avoid any unintended gaps in security for electronic Personal Data, however, US health care providers should revisit security risk assessments performed for HIPAA compliance purposes to determine whether they assess the risks relative to the security of Personal Data (and not only electronic protected health information),” the privacy lawyers concluded.