GDPR is coming… and it’s tougher than HIPAA
General Data Protection Regulation (GDPR), a new framework for data protection laws, will force organizations to think well beyond the realms of Health Insurance Portability and Accountability Act (HIPAA) compliance this year and beyond.
GDPR will fundamentally modify how individuals’ personal and sensitive data can be processed, managed, stored, disclosed, and deleted. While the regulation has been designed to standardize data privacy and protection laws across Europe, GDPR’s new obligations will also apply to U.S. organizations that collect data from EU residents. As a result, from May 25th when GDPR comes into effect, U.S. healthcare providers will need to strengthen their data sharing and privacy monitoring procedures pertaining to any patients from the E.U. nations.
While U.S. organizations are already required to meet HIPAA compliance, the rules set out by GDPR will make data protection processes even tougher for those who provide services for or on behalf of E.U. patients. Companies that fail to comply with GDPR law could face fines up to 4% of their global annual revenue or 20 million euros ($25 million) – whichever number is greater.
Tougher than HIPAA
HIPAA already outlines a set of data privacy guidelines, but there are fundamental differences between the two regimes: HIPAA is focused on protecting medical data that has already been collected, whereas GDPR is based on personal rights. Under GDPR rules, healthcare providers will need specific permission to collect and use any E.U. resident information.
GDPR also defines ‘personal data’ in a much broader and more stringent way than HIPAA regulation. Under GDPR, ‘personal data’ relates to any information associated with an “identified or identifiable person” – not just health information, so this could include photos, addresses, telephone numbers, email addresses, financial details, medical information, social media posts, and IP addresses.
The rules outlined by GDPR will present U.S. organizations with a number of new challenges to overcome when it comes to handling personal data. For example, while it is common for most U.S. organizations to store patient data indefinitely, GDPR will introduce strict restrictions on how long data can be held. In addition, organizations will be required to implement technology capable of completely erasing personal data, in order to satisfy the new “right to be forgotten” rule, whereby organizations must wipe any personal data they hold when requested to do so by an individual.
As with HIPAA, organizations will be required to continuously evaluate their security measures under GDPR to ensure patient data remains protected. However, while HIPAA gives providers 60 days to report a breach from the time of discovery, the rules of GDPR are not so generous, allowing just 72 hours.
Although not an exhaustive list, requirements for U.S. organizations to protect E.U. citizens in compliance with GDPR will include:
- Collecting data only when there is a legal reason to do so
- Obtaining consent from an individual or their designated guardian before any personal data is collected, stored, or processed
- Making sure individuals are informed about how their information will be collected and used – similar to the Notice of Privacy Practices required by HIPAA
- Implementing controls to ensure the confidentiality of data remains safeguarded
- Ensuring it is possible to permanently erase all collected data so that E.U. citizens’ right to be forgotten can be honored if necessary
- Ensuring international data transfer is carried out in a way that complies with GDPR regulations
- Implementing GDPR data breach notification policies to ensure E.U. citizens are kept informed should there be a breach of their personal data
No matter how big or small, no organization that deals with data from E.U. citizens will be exempt from the requirements of GDPR. It is therefore essential to be aware of the challenges and requirements associated with collecting and using personal data and to consider how these can be translated into compliance policies and procedures. The GDPR enforcement date of May 25 is looming fast; for more information visit https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/