U.S. health providers who treat foreign patients may want to take a closer look at their privacy policies to make sure they comply with new European Union data protection rules.
May 25 heralds the enforcement of the European Union’s General Data Protection Regulation (GDPR), a set of rules designed to strengthen and harmonize record protection for EU citizens and tighten how their data privacy is managed. The regulations protect various forms of electronic data including basic identity information, health and genetic data, and biometric information.
Penalties for violating the GDPR are steep. Whether a violation occurs by noncompliance or through data breaches, a mistake could cost providers up to 4% of their annual gross revenue.
Knowing when and how the regulations are triggered during medical care of EU patients is essential, experts say. Treating a vacationing EU patient who needs unplanned treatment in the United States is not likely to subject physicians to the GDPR, said Cynthia J. Larose, a privacy and data security attorney based in Boston.
“In general, the GDPR should not impact U.S. doctors who may incidentally treat an EU patient while that patient is here in the U.S.,” Ms. Larose said in an interview. … “If the EU patient presents at a U.S. health care provider for treatment, then the GDPR does not apply to her personal data in the possession of the U.S. health care provider – HIPAA applies. While the [GDPR] does have extraterritorial reach, you have to be doing something in the EU for the GDPR to apply.”
But other scenarios could prove problematic, such as U.S. researchers studying patients in the EU, U.S. physicians providing telemedicine care to EU patients, and doctors who continue to monitor EU patients following treatment in the United States once those patients return to their home country.
About 200,000 international visitors fly to the United States yearly for health treatment, of whom about 25% are from Europe, according to a 2015 report by the United States International Trade Commission.
Advertising medical services in the European Union is another way that U.S. physicians could be subject to the GDPR. For example, if a practice or hospital markets their specialty care on websites or other materials in the EU, this could fall under the GDPR umbrella, according to security experts.
“If you are advertising services to patients in the EU, and then they decide to obtain such services, that could trigger GDPR because the data subjects are in the EU and you are offering services to them,” said Elaine C. Zacharakis Loumbas, a health and security law attorney based in Chicago. “It becomes very fact specific.”
Health providers who may be subject to GDPR should focus their attention on three areas: transparency, consent, and data minimization, said John Barchie, a senior fellow at Arrakis Consulting, a security firm that specializes in GDPR compliance.
Like HIPAA, the GDPR requires that health providers disclose information to patients about where and how their data may be used. Mr. Barchie notes that in the United States, patient consent forms may generally include two or three potential uses for patient data such as marketing and medical research. The GDPR specifies that each potential usage of patient data requires its own separate consent form, he said.
“Let’s say you’re a clinic that specializes in diabetes [and] you’re used to taking data and sending it to a general database to [collect information] about diabetes,” Mr. Barchie said. “You can’t do that under GDPR. You would have to have a separate consent form for that. So one consent to provide your diabetes service, one consent form to maybe market to the [patient], and a separate consent form [regarding] the database.”
GDPR also requires the minimizing of personal data copies stored within multiple systems. In the United States, it’s not uncommon for there to be multiple copies of a person’s data in several places, which makes sense from an IT perspective, Mr. Barchie said. The GDPR however requires that data keepers limit the number of copies they maintain to only the most necessary information.
“[Under GDPR], you should send only the data that you need for that particular process,” he said. “For example, [in the case of] address, user name, and patient ID. If you only need the patient ID number, you should not send the patient name and address. You minimize the amount of data that you’re sending to be processed.”
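As an added illustration (not code from the article or from any source quoted in it), the Python sketch below applies the two rules Mr. Barchie describes: a separate consent record per purpose, and an outbound payload that carries only the fields that purpose needs. The purpose names, field names, sample record and consent ledger are all constructed for the example.

```python
# Constructed example: per-purpose consent gating plus data minimization.
# Each purpose lists the minimum fields it genuinely needs; anything else in
# the record is stripped before the data leaves the clinic's system.
PURPOSE_FIELDS = {
    "treatment": {"patient_id", "name", "address", "diagnosis", "hba1c"},
    "marketing": {"patient_id", "name", "address"},
    "research_database": {"patient_id", "diagnosis", "hba1c"},
}


class ConsentError(Exception):
    """Raised when no separate consent exists for the requested purpose."""


def minimize_for_purpose(record, purpose, consents):
    """Return the minimized payload and the list of fields that were dropped.

    record   -- full patient record (dict)
    purpose  -- one of the keys in PURPOSE_FIELDS
    consents -- dict mapping purpose -> True/False, one entry per consent form
    """
    if purpose not in PURPOSE_FIELDS:
        raise ValueError("unknown purpose: %s" % purpose)
    # One consent per purpose: treatment consent does not cover the database.
    if not consents.get(purpose, False):
        raise ConsentError("no consent on file for purpose '%s'" % purpose)
    allowed = PURPOSE_FIELDS[purpose]
    payload = {k: v for k, v in record.items() if k in allowed}
    dropped = sorted(k for k in record if k not in allowed)
    return payload, dropped


# Constructed sample data (not real patient information).
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "address": "1 Example Street, Example City",
    "diagnosis": "type 2 diabetes",
    "hba1c": 7.9,
    "insurance_number": "INS-12345",
}
SAMPLE_CONSENTS = {"treatment": True, "research_database": True, "marketing": False}


if __name__ == "__main__":
    payload, dropped = minimize_for_purpose(SAMPLE_RECORD, "research_database", SAMPLE_CONSENTS)
    print("sent to database:", payload)      # patient_id, diagnosis, hba1c only
    print("withheld fields:", dropped)       # address, insurance_number, name
    try:
        minimize_for_purpose(SAMPLE_RECORD, "marketing", SAMPLE_CONSENTS)
    except ConsentError as exc:
        print("blocked:", exc)
```

Logging the `dropped` list alongside each transfer gives an audit trail showing that the minimization step actually ran.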
Breach notification also is more stringent under the GDPR, compared with U.S. regulations. Under HIPAA, covered entities must notify the U.S. Department of Health & Human Services and affected patients of a data breach without unreasonable delay and no later than 60 days following discovery of a breach. The GDPR requires that affected entities notify the supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of [the breach].” (The GDPR supervisory authority depends on the EU country affected.)
If it is determined that the personal data breach is “likely to result in a high risk to the rights and freedoms of individuals,” efforts must be made to communicate about the personal data breach with the affected data subjects “without undue delay,” according to the rules.
If unsure of whether your practices may fall under GDPR, experts advise discussing the question with a legal counselor, GDPR expert, or risk management team.