How the GDPR Is Going to Affect the Healthcare Industry in the US
Amid all the conversations about the GDPR across the globe, the personal data protection law has been in effect since May 25, 2018. Although this is an EU law, applying primarily to businesses and organizations across the European Economic Area (EEA) countries, the GDPR also has an extraterritorial reach to business activities in other countries, including the US. As with other industries, the GDPR has important implications for the US healthcare industry too; however, many healthcare providers are still not fully aware of how it applies to their organizations, let alone prepared for it. According to a survey from information security company Clearswift, only 17% of healthcare bodies across the US, UK, Germany, and Australia claimed to have processes in place to address the regulation's requirements. In this article, we'll tell you all that you need to know about the GDPR and how it applies to US healthcare organizations. Apart from that, we'll also share how to stay relatively safe from its implications. Keep reading!
What is the GDPR?
The GDPR (General Data Protection Regulation) is the latest data protection law drafted by the European Union (EU) to give its citizens more control over their personal data and its use. It regulates the collection, use, disclosure, or other "processing" of personal data by controllers and processors. It affects all industries, but in the healthcare industry, think of it as a stricter HIPAA (Health Insurance Portability and Accountability Act) compliance regime for EU countries.
Controllers & Processors
Just like "covered entities" and "business associates" in HIPAA, we have controllers and processors in the GDPR. A processor (business associate) processes data on behalf of a data controller (covered entity), and the processor is required to protect the data just as a controller would. Much like the HIPAA regulations, and in fact stricter than them, the GDPR requires controllers and processors to ensure a level of security by implementing technical and organizational measures to mitigate the risks of data misuse. These have been described very well by the National Law Review website for healthcare providers. [See the attachment below]
Now let's try to understand how the GDPR is going to affect the US healthcare industry.
Implications of the GDPR for the US Healthcare Providers
The primary question here is what impact, if any, this GDPR framework may have on US healthcare providers. For a simplified answer, a US healthcare provider is involved only when it is processing personal data concerning an individual belonging to an EEA country, and only when that data was solicited while the individual was physically located in the EU rather than in the US. According to the National Law Review: In short, to be affected by the GDPR, your organization should be actively marketing services in the EU or practicing there. Or, it should be processing personal data of a European patient collected locally in the US (even after the patient has returned to the EU) as part of a post-discharge patient-engagement program. Considering the above, the GDPR will only slightly affect those providers or hospitals in the US that frequently receive visits from international patients to their facilities for treatment. In that case, the most affected providers or hospitals will be those in the states or cities that welcome the largest number of EU travelers every year.
Source: Trivago (via Huffington Post)
Based on the tourist data available to us, New York, Los Angeles, Orlando, Miami, San Francisco, Boston, Chicago, Washington D.C., San Diego, Honolulu, and Key West are the cities that welcome the most EU travelers every year. This means that healthcare providers in these cities and surrounding tourist areas need to be more cautious about handling personal data concerning an EU resident.
When Does the GDPR Apply to Your Clinical Activities in the US?
As mentioned at the beginning of this article, the GDPR has a direct 'extraterritorial' reach, which means that any clinical activity at a hospital in the US in which the personal data of an EU citizen is used without their consent, for any purpose, will be considered a violation of the GDPR. Here are the data processing activities that the GDPR considers a violation:
- “Offering of goods or services” (even if for free) to individuals in the EU even if the service can only be provided at healthcare facilities located in the US.
- Offerings that include more than mere access to a website or email address, such as marketing activities intended to attract individuals in the EU to become patients at a hospital in the United States.
- Monitoring the behavior of patients, such as under a post-discharge patient engagement program, even after the patient has returned to the EU.
How to Stay Unaffected by GDPR Implications
Even though healthcare providers in most parts of the country are relatively safe in terms of complying with the GDPR, they should still follow some simple rules to avoid any issues when processing personal data of an individual from Europe. Considering the hefty fine that the GDPR imposes (4% of worldwide annual revenue for the highest level of violation), you'll find these safety measures simple enough to follow:
- Obtain consent: Obtain written consent from the patient for the use of personal health information for any purpose, including treatment, payment, and healthcare operations, and even marketing. Obtaining consent from patients is optional under HIPAA's rules, while it is a must under the GDPR.
- Consider how your website collects personal data: As the internet isn't excluded from the GDPR's extraterritorial reach, US healthcare providers should also consider how their website collects personal data from users in EEA countries. Website pages targeting individuals in the EU by pricing services in euros or translating text into a national language of an EEA country will put you directly under the purview of the GDPR.
- Upgrade the technology: US healthcare companies will need to adopt an entirely different method for storing and processing EU patients' data, so that whenever a patient revokes his/her consent (under the 'right to erasure' granted by the GDPR), there is technology in place that not only completely erases the data but can also provide proof of erasure.
Even though there are no direct or large-scale implications of the GDPR for the US healthcare industry, healthcare organizations operating internationally should be careful when dealing with patients' personal data. A small mistake will not only cost them a huge penalty but also put them under stricter data scrutiny, which will only make things worse, especially now that concern over data privacy is at an all-time high.