One Consultant’s Take on GDPR and How It Raises the Stakes for U.S. Healthcare Organizations
The General Data Protection Regulation (GDPR), Europe’s new framework for data protection laws, is set to go into effect in one month, and the new regulation has far-reaching implications for organizations worldwide that collect personal information about European Union residents. In the U.S., physicians and healthcare providers will be facing new laws regarding the safeguarding of Personally Identifiable Information (PII) for EU patients.
GDPR was adopted in April 2016 and will be fully enforced on May 25, 2018 by the UK Information Commissioner’s Office (ICO). GDPR is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy. According to many experts, the regulatory framework pertains to any organization that handles EU data, whether that organization is in the EU or not. The entire regulation can be accessed here, the EU GDPR website's frequently asked questions page can be found here and a breakdown of key changes can be found here.
Moving forward, U.S. healthcare organizations will need to safeguard EU patients’ data based on the GDPR in addition to the Health Insurance Portability and Accountability Act (HIPAA) regulation and other U.S. regulations. The GDPR will affect when and how a healthcare provider must report breaches, and fundamentally changes how personal and sensitive data can be used, processed, managed, stored, deleted and disclosed.
According to the website of the Spiceworks virtual IT community, in a nutshell, “the regulations affect how companies must handle personal user data commonly tracked online. This includes IP addresses, geographic locations, names, home or work addresses, gender, and a wide range of more sensitive information such as health status, political affiliation, religion, and ethnicity, among other things.”
What’s more, the GDPR imposes stiff fines on data controllers and processors for non-compliance, up to 4 percent of the organization’s global annual revenue or 20 million euros, whichever is higher. According to the EU GDPR website, this is the maximum fine that can be imposed for the most serious infringements, such as not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines—a company can be fined 2 percent of global annual revenue for not having their records in order, not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors—meaning “cloud” will not be exempt from GDPR enforcement, according to the EU GDPR website.
According to the Spiceworks virtual IT community, the following are some, but not all, of the provisions organizations collecting or processing any personal data on EU residents must comply with if they want to avoid the risk of incurring potentially large financial penalties:
Privacy by design — Organizations that collect personal data on EU residents can only store and process data when it's absolutely necessary. Additionally, they need to limit access to this personal data on a “need to know” basis.
Consent — Under GDPR, individuals must explicitly opt in to allowing organizations to collect personal data by default. Additionally, an individual's consent can be removed at any time.
Right to access — Organizations must provide an individual residing in the EU with access to the personal data gathered about them upon request.
Breach notification — Under the regulation, in the event of a data breach, organizations must provide notification to affected parties within 72 hours.
Right to erasure — Sometimes called the right to be forgotten, organizations must honor requests to erase personal user data when asked to do so.
Data portability — Organizations must provide a way for individuals to transmit or move data collected on them from one data collector or data processor to another.
Data protection officers —Organizations that process large sums of GDPR data must assign a data protection officer (DPO).
John Barchie, a security consultant and senior fellow at Phoenix-based Arrakis Consulting, recently spoke with Healthcare Informatics’ associate editor Heather Landi to drill down further into the implications of the GDPR regulation for U.S. healthcare organizations and what steps organizations should be taking now to be compliant with GDPR. Below are excerpts of that interview, edited for length.
What are some of the key requirements of GDPR, and what do healthcare organization leaders need to know about the regulatory framework?
This is a disruptive regulation and it will require organizations to get their legal departments involved. Once it’s understood, it’s fairly straightforward. Healthcare organizations should already be fairly compliant with what GDPR is asking for. If an organization is strongly HIPAA compliant, then it will be much easier for them to absorb GDPR; if they have been going off HIPAA for a while, then GDPR is going to come as a shock.
There are some major categories that they need to be aware of—one is the concept of consent, and then the right to access. When we say the right to access, we mean the data subject’s right to access their own data. And then there is the data subject’s ‘right to be forgotten,’ and the data subject’s right to have their data portable. Then, there are the obligations of the processor and the controller—the controller is the one who is collecting the data from the data subject, and the processor is the one processing that data. If you give your data to a health system, that health system might have a sub-contractor that is processing the data. So, the health system would be the controller and the sub-contractor would be the processor. The controller and processor must have something built in called privacy by design.
The regulation requires a new role to be created called the data protection officer. In terms of HIPAA, it’s similar to the chief privacy officer, but it’s a different concept. The chief privacy officer is responsible for determining when data should legitimately be released. The purpose of the data protection officer is to ensure that the data that is processed in a legal manner for the regulation. This role is a requirement if you’re going to be GDPR compliant.
There also are implications with regard to breach notification. In the U.S., we’re used to providing breach notification after our investigation, and with GDPR, you’ll need to inform the supervisory authority within 72 hours of identifying that a breach has occurred.
What steps should healthcare organizations be taking now to be GDPR-compliant?
The first thing is, you need to read the regulations; there are 99 articles within the regulation. The biggest thing organizations can do right now is go over their consent forms and evaluate how they collect the data. And then, on the back end, they need to actually diagram out how their data is processed. With regard to their consent form, that’s going to involve the legal department, as there are new requirements above and beyond what they are used to providing for HIPAA. And on the back end, on the clinical side, they really need to take inventory of where their data is and where it is processed. By that I mean, writing it down and having diagrams and data flows; all the things a regulator is going to look for when they come in and start asking questions.
The fact is, GDPR will be disruptive, and if organizations are starting now they are not likely, in my opinion, to be compliant by May 25. If you’re not going to be compliant May 25, you need to show a willingness to comply. To show that willingness to comply, organizations should, at the very least, have their consent forms ready to go by May 25. Organizations also should know who their supervisory authority is (Article 51 of GDPR). They also should have taken inventory of all the uses and data processes. They should know, in writing, where is that data in the organization and who are we sub-contracting that data out to? The contracts with those sub-contractors also need to be updated. The goal is, if they have a working plan and even if they are only 60 percent done on the working plan when May 25 rolls around, they are probably in good shape, because they have a working plan and they are showing what’s known as a willingness to comply.
At an organization level, who should be involved in this work?
From an executive point of view, this should be a board-level item that the board discusses in a regular meeting and there should be board minutes as to how they intend to address GDPR. The executive steering committee should provide direction on how they intend to address GDPR. A program manager might need to be assigned the task of breaking out the project. The CIO should definitely be involved, as well as the CISO (chief information security officer). The head of customer service also should be involved, and, obviously, the organization’s chief privacy officer. Within IT, there has to be an understanding of where the data is and how it’s being processed. The database administrator, or the system administrator, will need to be involved. It’s not a one- or two-man show and it’s not just something IT does. There’s a lot that IT can’t do because it has to do with privacy and how information is released and handled. But, there is the technical piece that IT needs to do, such as the ‘right to be forgotten,’ that’s a big deal from an IT perspective.
What are the implications for health IT leaders specifically?
With regard to the data subject rights, the biggest one is the ‘right to be forgotten,’ which is a provision that says a data subject has the right to insist on the total and complete erasure of their data. If a data subject doesn’t want to do business with you, you should not be processing their data anymore. And that’s a technical challenge, as, technically, if you’re in a database, you’re in the database forever. With the ‘right to be forgotten,’ there needs to be a mechanism where an organization can guarantee that data is not being processed. That’s a tough row to hoe, especially for healthcare organizations or companies if they use that healthcare data as part of their research, as now that piece of research has been taken away from you, and that is the data subject’s right to say I’m not doing business with you, and by default, you’re not allowed to use my data anymore. That whole concept is foreign to healthcare organizations.
The key is, compliance officers at healthcare organizations need to read up on the regulations as GDPR changes the way organizations handle people’s data. It will be disruptive and already is disruptive to healthcare organizations that are in the middle of all this work.