European perspective: How hospitals should be approaching GDPR compliance
Since the European Union enacted its General Data Protection Regulation law this past May, it's probable that many healthcare organizations in the U.S. have been trying hard not to think much about it.
But most should be paying a lot more attention to the rules since, even if the exact mechanisms of U.S. enforcement are still somewhat unclear, it's likely they're expected to follow the law if they handle any data of EU residents.
GDPR has a higher compliance threshold than HIPAA, since it defines personal data as anything connected to an "identified or identifiable natural person" – and that could be a photograph or an IP address, not just protected health information as most U.S. hospitals think of it.
Stateside health systems are on the hook for GDPR if they have European patients, and could face fines exceeding €20 million. And, as we've shown this week, those who are curious about trying their hands at more advanced projects such as blockchain should also be aware of the privacy law's ins and outs.
At HIMSS19, two experts from Germany will explain how one EU health system prepared for the new privacy law.
Florian Benthin, senior manager at Deloitte, and Peter Gocke, chief digital officer at Charité Berlin, the largest university clinic in Europe, will first show how Charité developed an implementation plan.
Figuring out which elements of compliance are already in place and which aren't should be the first step in GDPR readiness for every healthcare organization, they said, regardless of which side of the Atlantic it's on.
They'll also spotlight common gaps in hospital preparedness and explain how Charité rolled out its own privacy transformation program – ensuring its employee culture, data governance policies, IT infrastructure and more were ready for GDPR.
As for American hospitals, when asked what steps U.S. providers should be taking to ensure GDPR readiness, Benthin emphasized first that it's a legal text that must be closely analyzed in order to learn of industry-specific requirements.
GDPR "demands on the one hand that companies know their processes and responsibilities," he said. "On the other hand structures are needed to work on a common process landscape." Templates are available for process documentation, he noted, suggesting that hospitals take advantage of them to help with basic documentation.
"Many large healthcare providers lack an exact overview of their processes and the software systems used for them," Benthin explained. "In addition, structures – and often also technical options – for correcting, locking and/or deleting data in IT systems are missing."
All of those are required by the law. So he suggested healthcare organizations "set up a process and data map and establish a data management team" to help manage some of those demands.
"For GDPR readiness, it is quite essential to work on a common process landscape," Gocke explained. "Templates should be developed in order to achieve a consistent process documentation, and a good life cycle management should be established to keep the documentation and the technical measures derived from it up to date at all times."
At Charité Berlin, "we have established our own data protection management team which reports directly to the CEO and coordinates closely with the staff unit for information security," Gocke added.
For providers on the U.S. side, are there lessons to be drawn from their own past preparedness efforts for laws such as HIPAA?
While GDPR's requirements are "significantly broader than the data and entities covered by HIPAA," said Benthin, "HIPAA is a good starting point and some elements are needed in both worlds."
Benthin and Gocke's session, "Healthcare Information and Technology in the Age of GDPR," is scheduled for Wednesday, February 13, from 2:30-3:30 p.m. in room W320.