GDPR Impact on US Healthcare Organizations

Posted by Ken Reiher

The General Data Protection Regulation (GDPR) is the European Union (EU) regulation on privacy and security of personally identifiable information (PII). It goes into effect on May 25, 2018. Though the GDPR’s “data concerning health” is similar to HIPAA’s PHI, the new requirements include several differences in scope, definition of impacted entities and definition of terms. Many of these differences under GDPR define a broader scope than HIPAA and some are more stringent—potentially impacting U.S. healthcare organizations. This blog provides an important comparison between GDPR and HIPAA.

A key difference is that GDPR is a “consumer-centric” regulation that can apply to any entity anywhere in the world that services or collects PII on EU citizens. HIPAA is “organization centric,” and is narrowly defined to regulate covered entities (CE) and their business associates (BA) in the U.S. Covered entities include health plans, healthcare clearinghouses such as billing services and community health information systems, and healthcare providers that transmit protected health information (PHI) according to HIPAA regulations. PHI is generally defined under HIPAA as any individually identifiable health information, both hard copy and electronic. BAs are third-party vendor organizations whose contractual scope of work with CEs requires them to access, use, store or transmit CE PHI.

GDPR covers a broader range of PII, defined as any data that can be used to directly or indirectly identify a living person. It is sometimes referred to as “sensitive personal data.” Examples include racial or ethnic origin, religious or philosophical beliefs, political affiliations, union memberships, biometric or genetic data, sexual practice or orientation, as well as healthcare information.

Patient/Citizen rights

Under GDPR a CE must get an active consent from the patient/person before storing any of their PII. HIPAA requires CEs to provide patients with a Notice of Privacy Practices (NPP). The NPP covers CEs for future use and disclosure authorizations, except for psychotherapy notes, which require separate use and disclosure authorizations each time.

Individuals have “the right of erasure,” sometimes called “the right to be forgotten,” under GDPR, and can require a CE to delete their information from the organization’s databases. Though the right to be forgotten is not provided under HIPAA, patients do have the right to request an amendment to their PHI. However, CEs can choose not to do so.

Unlike HIPAA, if an individual publically posts personal and/or health related information, such as on social media, entities can process and use that information according to GDPR.

Do I need to comply?

Healthcare organizations that have connections with facilities in the EU, own facilities in the EU, or actively market/advertise services to EU states are covered under the GDPR. However, healthcare organizations treating EU citizens in the U.S. without marketing or advertising are not covered under GDPR.

How violations are addressed

The 2013 HIPAA/HITECH Omnibus Final Rule states penalties in the event of breach incidents are related to “significant harm” caused by violations. To avoid penalties, CEs must provide evidence showing a low probability of compromise of PHI and therefore no significant harm.

Under GDPR, CEs that violate guidelines with respect to security or handling of PII can be prosecuted with no stipulations on “significant harm” or any harm for that matter.

HIPAA provides for use and disclosure restrictions to be waived for a number of exclusions such as during times of natural disasters—major hurricane, floods, etc. No such provisions currently exist with GDPR.

Breach definitions

GDPR looks at a breach of personal information, defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to PII transmitted, stored or otherwise processed. Breach notification must be “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” The regulations state that a delay in excess of 72 hours may be accompanied by a written explanation of the reasons behind any response delay. No special format is required and the full detailed reporting of the incident can occur after the 72-hour notification requirement.

HIPAA defines a breach of PHI (a subset of GDPR PII) as an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the PHI. A breach must minimally be reported annually to HHS, and initially within 60 days of discovery if there are over 500 individuals from one state involved in the breach.

Here are six strategies to consider if your organization is covered under the GDPR:

  • Train your staff. Update your HIPAA compliance training to include annual refresher courses and periodic reminders about the impact of GDPR
  • Update your process to identify any patient in your facility who is a EU citizen, as full compliance with HIPAA will not cover all the rights and regulations that impact an EU citizen under your care
  • Audit your systems to determine if you currently have records of EU citizens in your databases. If so, a more detailed impact assessment may be needed to update your policy, procedures, processes, and training.
  • Ensure privacy and security officers research the GDPR regulation and update your risk management and risk analysis process to incorporate potentially more stringent privacy and security requirements. As under HIPAA, conducting risk analysis and risk management is required under GDPR.
  • Document your compliance policies and procedures to show due diligence in your efforts to protect private information for any EU citizen on your systems
  • Be aware that a breach under GDPR does not have to imply “significant harm.” Therefore, some of the rules allowing an incident NOT to be considered a breach under HIPAA may not apply, and the incident may be a reportable breach under GDPR.