What U.S. Healthcare Providers Need to Know About GDPR

Over the past few months, you probably noticed the deluge of emails from major companies informing you of changes to their online privacy policies. This was largely in response to the European Union’s (EU) adoption of its new General Data Protection Regulation (GDPR), which took effect on May 25, 2018. What is GDPR? Does it have any effect on you as the owner or employee of a US-based healthcare practice?

The Basics of GDPR

If you are in the healthcare industry, you already know about the HIPAA privacy rule, the complex web of US federal regulations that tell you how you must use and protect patient medical records. GDPR does a similar thing, except on an EU-wide basis and for every industry, not just healthcare. More precisely, GDPR “protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.”

Actually, GDPR applies to more than just the 28 existing EU members. It actually covers the European Economic Area (EEA), a group that includes Iceland, Norway, and Liechtenstein, which are not EU members. In terms of subject matter, GDPR covers the “personal data” of all persons living within the EEA, which is broadly defined to include a resident’s “name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity.”

GDPR defines two groups of regulated entities. The first are “controllers,” which are any individual or business that “determines the purposes and means of the processing” of a given set of personal data. The second group are “processors,” which handle personal data according to the instructions of the controller. In HIPAA terms, controllers are similar to “covered entities,” while processors are akin to “business associates.”

Are You a Controller or Processor According to the EU?

So how do you know if your US healthcare practice qualifies as a controller or processor? If you conduct business in the EEA or maintain a physical presence in the EU, then you are unquestionably covered by GDPR. But even if you operate exclusively within US borders, you are not necessarily exempt.

Remember, GDPR protects personal data of EEA residents. So, if you operate a clinic in Chicago and treat individuals who are traveling from Europe on business, their information may be subject to GDPR protections. In many cases you may be fine just following your existing HIPAA compliance practices, but if you handle a significant amount of personal data from European patients, you need to speak with a lawyer to make sure you are also in compliance with GDPR.

This is important because in many respects, GDPR has much stricter requirements. For example, if a data breach occurs–someone gains unauthorized access to personal data under your control–you only have 72 hours to notify EU authorities. In contrast, HIPAA gives covered entities up to 60 days to give notice of a data breach.

Need Advice on Regulatory Compliance? We can help.

While most small and mid-size US healthcare practices probably will not need to spend much time worrying about GDPR, if you do collect any kind of data from EU or EEA residents, you should redouble your efforts to ensure the security and confidentiality of that information. Your online terms and conditions, as well as your new patient registration packets and HIPAA policies, may also include references to your stance on and efforts towards GDPR compliance.

Still have questions? Schedule a free consultation with one of Jackson LLP’s healthcare attorneys today by clicking the button below.