General Data Protection Regulation (GDPR) Act and U.S. Healthcare

May 4, 2018

Data security breaches that target healthcare institutions are rising in frequency at an alarming rate. So far in 2018, the United States has already experienced several significant data breaches, including at prominent health systems such as UnityPoint Health System in Wisconsin, Florida Medicaid, and Hancock Health of Indiana. These breaches occurred in a variety of ways. The most common vehicle attackers used to gain entry into these systems was phishing email (email designed to mimic messages sent from official system email addresses). Attackers can also gain entry to otherwise well-protected electronic medical records via misconfigured servers, unsecured Wi-Fi networks, or ransomware attacks.

The United States government has bolstered its punitive measures for data breaches involving health-based personal information. However, imminent European Union (EU) legislation could magnify and intensify this aim. The General Data Protection Regulation (GDPR) Act of 2016 is designed to advocate for consumer ownership of personal information by implementing specific procedures for ensuring data security at the organizational level. Adopted in 2016, the GDPR expands the scope of current EU data protection law to all companies, EU-based or global, that process the personal data of EU residents. According to the language of the GDPR, personal data includes information about a person's personal, private, or professional life, bank details, social media, health information, and/or computer IP address.

With regard to healthcare and/or medical professionals based in the U.S., GDPR applies to U.S. healthcare companies (including medical practices, electronic medical records (EMR) firms, and cloud or data management companies) that conduct business in EU countries and process the personal data of EU residents while those residents are on EU soil. Under GDPR, health data is specifically defined as “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status,” genetic data, data that allows the “unique identification of that natural person, such as facial images or dactyloscopic data,” and “biometric data.” The above data is highly relevant for a variety of healthcare stakeholders, including practitioners, management companies, and practice administrators – each of which would be held to the same GDPR standards in the event they serve EU patients.

Looking forward, once the majority of EU-serving companies begin to be held to GDPR, it may open the door to parallel legislation in the United States. Should this occur, healthcare practices would be held to much higher standards of data privacy and information security. For example, the concept of patient consent would be greatly intensified. The data subject (e.g. the patient) would have to give explicit consent to each form of data submission and processing. Exceptions to the requirement for explicit and unambiguous patient consent would be rare; they would likely apply only where the healthcare data was considered necessary for public health and/or the occupational health and safety of the individual or system. Healthcare organizations will have to implement very specific and targeted methods for obtaining consent from potential and current patients. This could be a method as simple as a check-box in the EMR, or a more involved measure such as requiring the patient to write and sign a declarative statement affirming consent for all forms of data processing (e.g. data storage, international data transfers, transfers within healthcare institutions, etc.).

In addition, under GDPR-type legislation, patients would have certain rights over their data. Such rights would include the right to Data Portability, that is, the patient's right to have their data sent to them promptly; the Right to Be Forgotten, a more extensive way of saying the patient's right to have the data erased; and the Subject Access Right, which dictates that the patient's data must be provided free of charge and that the request must be addressed within one month.

Furthermore, should a breach of healthcare data occur, the institution would be required to respond within 72 hours — far shorter than the 60-day HIPAA requirement. To achieve the goals of data security, institutions and companies will have to work with a data protection officer, an expert tasked with controlling and managing the data, including the provision of pseudonymity or anonymity, along with sanctioning offenses should the rules not be followed.

The ultimate aims of such regulations are transparency and security – ensuring that patients have the right to own their personal data, knowing that its pathway through the various actors in the system is safe and that sensitive health information is secure. Come May 25, 2018, a large proportion of U.S. healthcare companies and practices will become subject to GDPR if they serve EU residents. As the trend toward tightly controlled data management sweeps the globe, it is highly probable that GDPR-type legislation will reach the United States, covering those groups not already subject to GDPR. Healthcare companies, practices, and administrators should pay heed to the global trend and invest preemptively in rigorous and thoughtful systems for data security.