“Protecting someone else’s data protects all of us.” Tim Cook, CEO of Apple
By: Shobha Lizaso
We are in the age of electronic data and heightened data privacy. New laws to strengthen individuals’ privacy rights and to strengthen data protection are evolving worldwide. The General Data Protection Regulation (GDPR) establishes protections for the privacy and security of personal data about residents of the European Union. This new law affects US healthcare providers and organizations that provide services to residents of any of the EU countries, that collect data from EU residents or monitors EU residents through the use of cookies and the like, and practitioners involved in medical tourism programs and other clinical activities. GDPR imposes more restrictions on the collection, use, processing, storage, disclosure, and disposition of patient data than HIPAA.
GDPR became effective on May 25, 2018, and there will not be a compliance grace period, so healthcare providers should meet with their healthcare technology attorney to determine whether they are subject to the GDPR, to update their online Terms of Use & Privacy Policies, and to audit internal data handling procedures to prevent any violations.
Important Differences: GDPR vs. HIPAA
- Personal Data:
The definition of “personal data” in Article 4 of the GDPR is as follows:
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person….”
The GDPR’s definition of “personal data” casts a wide net. In addition to the personal data protected by HIPAA, the GDPR covers ANY personal data such as computer IP addresses, physical traits, religion, memberships, photos, credit card data, etc.
- Consent Required:
Under HIPAA, obtaining a patient’s consent for the use of protected health information for treatment, payment and health care operations activities optional; however, GDPR requires a health care provider either to obtain an individual’s consent to process personal data or to have another lawful basis for processing the personal data. To get consent from an individual to process his/her Personal Data under GDPR, the individual’s consent must be explicit, freely given, specific, informed and unambiguous agreement to the processing. Under GDPR, an individual must give explicit consent to the use of his/her personal data for each instance that the data is going to be used outside of direct patient care, while HIPAA does not require that an individual sign a consent or release of his/her personal data for treatment or payment purposes.
- Right to Be Forgotten:
Individuals have “the right of erasure” (the right to be forgotten) under GDPR and can require a healthcare provider to delete all of their personal data from the provider’s databases. HIPAA does not provide for this right to be forgotten.
- Marketing:
HIPAA that states that healthcare providers may disclose a limited set of personal data to a third-party for marketing purposes and sharing this data with third-parties does not require consent from an individual. However, GDPR requires consent for each use of the personal data.
- Reporting a Breach:
Under the GDPR, in the event of a breach, the breach must be reported within 72 hours of discovery, which is an extremely short window. HIPAA, on the other hand, requires that breaches are reported at least 60 days after the breach was discovered.
- Fines for GDPR Non-Compliance:
Organizations that violate the GDPR compliance requirements could face fines up to 4% of their global annual revenue or 20 million euros, whichever fine is higher; this is much more severe than under HIPAA, which has a maximum fine penalty of $1.5 million per year for identical violations.
If you are an organization that deals with patients from outside the United States, it is a good idea to prepare your business and web presence for GDPR compliance.