EU's GDPR privacy law is here: Are you certain your US organization is compliant?

The European regulation is much more stringent than HIPAA, and those health systems that handle EU patient data, even in the U.S., must adjust their privacy measures to comply.
By Jessica Davis
02:37 PM
Share
EU's GDPR privacy law

The European Union's General Data Protection Regulation goes into effect today, May 25. U.S. healthcare providers who treat patients from any of the 28 EU countries should, by now, be familiar with the law and whether or not they need to be in compliance.

As part of GDPR, all businesses must gain affirmative consent from EU citizens before collecting their data. The result of violating the law can cost up to four percent of a company's annual revenue or 20 million Euros – whichever amount is higher.

GDPR is more stringent than HIPAA, which means by adhering to the regulation, organizations can only benefit from an improved security posture. As the compliance deadline loomed, so did the privacy notices sent from businesses outlining privacy policies. Some vendors have even launched tools to help healthcare organizations manage the new regulation.

There are plenty of GDPR resources out there, but many U.S. organizations are still uncertain as to how much of the law applies to their business. Here are some things to think about to help assess whether you're compliant:

The differences between HIPAA and GDPR

Under the regulation, organizations must implement safeguards to keep data safe during processing and have default data protect measures in place. HIPAA already mandates providers have these security features in place – along with risk assessments and encrypted data.

But encryption is one area that – although HIPAA requires it – providers often fail to implement. Under GDPR, organizations must encrypt data.

Also notable, GDPR only gives organizations 72 hours to notify patients of a breach, while HIPAA gives up to 60 days.

Right to erasure

One of the crucial aspects of GDPR, this provision states that a person's data can't be kept indefinitely. If you're handling EU data, you must completely erase that data when the patient revokes their consent, a partner organization requests that data be deleted or the service or agreement ends. There are exceptions to the rule that would allow an organization to retain that data, including all data not considered valuable to research under GDPR definition.

Patient consent

Under GDPR, providers need to draft clear and concise consent forms that outline the data collected and ensure there's a clear place for EU patients to opt in or out of data sharing or collection. Simply put, the law bars fine print consent forms that are far too often overlooked by patients. The language must be simple and easy for patients to understand.

"In reality, GDPR article is about data protection by design and by default," said Kristen Johns, partner at Waller, a national healthcare law firm. "It gives all identities that could be a data processor … a chance to look at their IT infrastructure and see where they can improve to comply with GDPR.

"The big thing is the internal audit: looking to make sure (healthcare organizations) have the ability to access information quickly in a compliant way with GDPR and HIPAA," she added.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com