The European Union’s General Data Protection Regulation (GDPR) has its own web site with a clock in the corner ticking down the hours, minutes and seconds until it goes into effect. When I looked on the morning of July 5, it was 323 days, 8 hours, 5 minutes and 29 seconds. But what do you care? You probably don’t have any operations in Europe.
But consultants and analysts are reminding U.S.-based healthcare executives that it might make sense to understand the GDPR anyway.
It is conceivable that some of the requirements could eventually make their way into U.S. regulations someday. And if your organization does have any contact with European health data and needs to make any changes to comply, you would need to start now to be ready by May 25, 2018, when the EU will begin enforcing the regulation. Even if you don’t have to respond to European requirements, the details of the regulation are fascinating as we watch cybersecurity attacks span the globe in a day. And perhaps most importantly, these changes could also impact the international adoption of interoperability standards such as HL7’s FHIR (Fast Healthcare Interoperability Resources.)
A recent white paper by Forrester noted that one big change is that the GDPR gives companies only 72 hours from the moment they become aware of a data breach to report it to authorities and affected customers. “Compliance with this requirement will be tougher than many companies expect,” Forrester analysts wrote. Sharing those details with customers that early “means you and your incident response team will have to craft clear, compelling messages that reflect adequate levels of competency, sensitivity, and customer care,” they said.
Forrester noted that GDPR does have some “extraterritorial reach.” It applies to any organization that stores, transfers or otherwise processes data from EU citizens, regardless of whether that organization is based in the EU or not. In other words any U.S.-based data aggregator that collects and resells EU customers' data to other business partners will need to comply with GDPR requirements, rather than simply meeting international data transfer rules. And any metadata about the European citizens would have to follow their data.
René Spronk works for a Netherlands-based firm called Ringholm, a group of European experts in the field of messaging standards and systems integration in healthcare IT. He recently wrote a great online piece summarizing the impact of GDPR, highlighting from the regulation’s language some specific potential impacts:
• The data subject has the right to request erasure of personal data related to them.
• A person shall be able to transfer their personal data from one electronic processing system to and into another, without being prevented from doing so by the data controller. In addition, the data must be provided by the controller in a structured and commonly used Open Standard electronic format. Spronk noted that these regulations will require big cultural changes in many countries. “Within the EU there are a fair number of countries that currently don't provide any access to electronic patient data,” he wrote.
• GDPR requires the use of Privacy by Design and by Default (Article 25): this requires that privacy settings must be set at a high level by default.
These changes will have a direct impact on the use of interoperability standards. “It is something that those that implement or create healthcare data interoperability standards need to be aware of,” Spronk wrote.
He noted that the new right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services (e.g. second opinion, switching healthcare providers, use of a personal health record). It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. There are some big exceptions carved out, but basically the right applies to any health system activity that involves getting patient consent.
Spronk quotes from the EU guidance document on implementation around data portability, which stated that, “data controllers should guarantee that personal data are transmitted in a structured, commonly used and machine-readable format, and they should be encouraged to ensure the interoperability of the data format provided in the exercise of a data portability request.”
So how would this impact interoperability standards?
Any application that creates, uses, or processes healthcare data is affected if that application is involved in any data processing scenario that requires explicit patient consent under the GDPR.
Spronk noted that whenever data needs to be exchanged, it would likely have to be enriched with metadata about things like consent, provenance and security labels. Here is one example: If the patient consented to sharing the data with the research community in general, then that consent would allow the receiver to re-disclose the data to other research organizations.
So if GDPR requires detailed consent management and security labels to follow the data, could FHIR help solve this problem? Spronk writes that FHIR Consent Directives tell data processors/holders what security labels to use on types/instances of data and related data.
GDPR also requires auditing capabilities, he wrote. Patients have the right to view their entries from the audit log of any data controller or data processor. These can be served as FHIR AuditEvent resources, he suggests.
“The EU Guidance strongly encourages cooperation between industry stakeholders and trade associations to work together on a common set of interoperable standards and formats to deliver the requirements of the right to data portability. It also suggests that vendors offer an appropriately secured and documented API,” Spronk concluded. “FHIR could be that standard.”
