The General Data Protection Regulation, or GDPR, is due to take effect next month, and many in healthcare in the U.S. may wonder how it affects them. Per the GDPR portal, it “was designed to harmonize data privacy laws across Europe” and applies to those residing in the EU. However, it has far-reaching effects in the United States because of how it governs the collection, use, disclosure and processing of personal data by controllers and processors. Simply put, controllers determine the “purposes, conditions and means of processing personal data”, while processors are those who process “personal data on behalf of the controller”.
American healthcare organizations may assume that GDPR is already fully addressed by U.S. HIPAA regulation; however, that is not necessarily the case. A National Law Review article published in February of this year, Does GDPR Regulate Clinical Care Delivery by US Health Care Providers?, addresses the specifics of GDPR as it relates to U.S. healthcare. Per the article, the GDPR does not directly reach personal data processing by a U.S. controller or processor if the business is:
· Not physically located in the EU
· Not offering goods and services through advertising or direct marketing to individuals in the EU
· Not monitoring the post-care of individuals located in the EU who were treated in the U.S.
Many smaller U.S. healthcare offices will meet all three of these conditions, placing them outside GDPR's direct reach. However, post-care of patients located in the EU may still occur, and in that case GDPR would need to be strictly complied with to avoid stiff penalties.
The deciding factor for U.S. healthcare providers is the individual's location in the EU, not their EU citizenship. So, if you are treating an EU citizen who resides in the U.S., HIPAA, not GDPR, applies. If you are providing post-care to an individual who resides in the EU, both HIPAA and GDPR must be followed.
It’s important to understand that HIPAA relates to the privacy of protected health information (PHI), while GDPR, according to the article above, relates broadly to personal data, health-related or otherwise, which is “any information relating to an identified or identifiable natural person who is in the EU, regardless of the individual’s EU citizenship status.”
The broader terms of GDPR, as opposed to HIPAA, are outlined in the HIPAA Journal article, Understanding GDPR Compliance, published last January, which states:
Any body which collects, maintains or uses an individual´s personal data but neglects to first acquire the informed consent of those persons, or does not delete/destroy their record of the data concerned after an individual has withdrawn their consent – breaches the GDPR. There are numerous other rights of individuals that must be taken into account by companies or organization[s] when they review their GDPR compliance. These rights of individuals include [but are not limited to]:
In addition, the IAPP (International Association of Privacy Professionals) gives a good side-by-side comparison of HIPAA and GDPR. If you are an American healthcare entity, it’s important to be informed about GDPR, as it must be strictly adhered to beginning next month. Data Fast Solutions can assist you in making sure your healthcare IT services meet both GDPR and HIPAA regulations. Contact us today!
This article is ©2018 Data Fast Solutions • All Rights Reserved