Though few healthcare leaders in the United States are aware of it, a new regulation promulgated by the European Union (EU) could impact them, if they treat more than a handful of patients every year who come from any of the 28 nations in the European Union. Indeed, the General Data Protection Regulation (GDPR) is due to go into effect on May 25, 2018.
So, to begin with, what is the GDPR? A good, basic explanation of the GDPR can be found on the website of the Spiceworks virtual IT community. The website explains that “GDPR, or the General Data Protection Regulation, is a set of rules designed to protect the privacy and personal data of European Union residents. The implications of GDPR are far reaching, as it impacts all organizations worldwide that collect personal information about EU residents. Non-compliance with GDPR can carry serious financial consequences, with some proposals calling for damages of up to 4% of a company's annual revenue or 20 million euros — whichever is higher. The regulation was approved in 2016 and is set to become effective on May 25, 2018.”
As the Spiceworks website explains, “In a nutshell, the regulations affect how companies must handle personal user data commonly tracked online. This includes IP addresses, geographic locations, names, home or work addresses, gender, and a wide range of more sensitive information such as health status, political affiliation, religion, and ethnicity, among other things. Organizations collecting or processing any personal data on EU residents must comply with the following provisions if they want to avoid the risk of incurring potentially large financial penalties,” in areas such as privacy by design, consent, pseudonymization, right to access, breach notification, right to erasure, data portability, and data protection officers.
Here is what Spiceworks has shared with its IT community members about those subjects:
> Privacy by design — Organizations that collect personal data on EU residents can only store and process data when it's absolutely necessary. Additionally, they need to limit access to this personal data on a "need to know" basis.
> Consent — Under GDPR, individuals must explicitly opt in to allowing organizations to collect personal data by default, and children must get consent from a parent or guardian. Additionally, an individual's consent can be removed at any time.
> Pseudonymization — Data collected on individuals must be obscured or anonymized in a way that the data can't by tied back to a specific person without additional information, for example using encryption, which requires a key in order to read the information.
> Right to access — Organizations must provide an individual residing in the EU with access to the personal data gathered about them upon request.
> Breach notification — Under the regulation, in the event of a data breach, organizations must provide notification to affected parties within 72 hours.
> Right to erasure — Sometimes called the right to be forgotten, organizations must honor requests to erase personal user data when asked to do so.
> Data portability — Organizations must provide a way for individuals to transmit or move data collected on them from one data collector or data processor to another.
> Data protection officers — Some organizations that process personal data on a large scale or track particularly sensitive information may be required to appoint qualified data protection officers to help ensure compliance with GDPR.
As Spiceworks has explained to its community, “In simple terms, GDPR is like a bill of rights that protects data privacy for residents of the EU. In less simple terms, GDPR establishes government-sanctioned ground rules that organizations must abide by or else they face legal consequences.”
What’s more, a recent survey of the Spiceworks community found that only 9 percent of IT professionals based in the United States were informed about GDPR and what its impact would be for them. That is across all industries, and it compares with the 43 percent of British IT professionals, and the 36 percent of IT professionals in the rest of the EU, who said they were firmed about the new regulation.
Meanwhile, although the majority of community hospitals and medical clinics in the United States may be able to manage the demands of GDPR using manual, individualized processes, the IT leaders at large academic medical centers and other patient care organizations, particularly those that serve hundreds or thousands of international patients every year, will need to think carefully about their preparation for this regulation.
It is in that context that Healthcare Informatics Editor-in-Chief Mark Hagland spoke recently with Jeff Sanchez, managing director at Protiviti, a Los Angeles-based risk consulting firm that has been focusing strongly on helping prepare corporate organizations in all industries to prepare for the GDPR regulation’s implementation. Below are excerpts from their interview.
Can you explain in your own words the significance of the GDPR regulation for our audience, and why healthcare IT leaders in the U.S. need to familiarize themselves with this European regulation?
GDPR is a new rule that comes into effect in May 2018 that requires organizations that either control or process PII [personally identifiable information] or European residents, to protect that information, and provide residents with certain rights that they didn’t have. One of the biggest changes over prior EU privacy standards, is that it doesn’t have geographic boundaries. That’s why it’s a big thing. U.S. companies that have information on European residents, are subject to GDPR. Previously, rules around compliance impacted companies that had a presence in Europe and were based in Europe; GDPR has no geographic boundaries. U.S. companies that have information on European residents are subject. And the fines for non-compliance are huge—probably some of the largest fines ever.
What kinds of fines are we talking about?
Up to 2 percent of revenues.
So a hospital in the United States could be affected by this, correct?
If you think about the healthcare arena, the biggest impact will be on pharma [pharmaceutical] and biotech [biotechnology] companies, because they’re working in a global environment. For providers, the risk is less. But where you do have more risk on the provide side is with some of the high-profile providers that may have a very specialized service that they’re globally known for. For example, if you were a facility that was globally renowned, such as a cancer center. That’s where you probably have more GDPR risk, as a provider.
There are hospitals and medical clinics that annually treat thousands of international patients, including of course, patients who are EU citizens. They would be exposed, correct?
Yes, absolutely. Those are the organizations that probably have the most exposure to GDPR in the provider space.
What are the key requirements for GDPR, then?
It’s fairly extensive. In addition to standard information security best practices, there are a number of different requirements around how the data can be used and the ways in which the data can be accepted from the individual. For example, everything needs to be opt-in, not opt-out. So anytime you’re going to use information for any purpose other than direct patient care, you have to provide them the ability to opt out, in a way that is as easy as opting in. And you may have to have a data privacy officer. And there are specific rules about the role and assignment of that CPO. And there has to be data protection by design and by default. So where is data encrypted, where is it encrypted at rest and in motion? And organizations have to do data protection impact assessment.
What’s involved in a data protection impact assessment?
It means understanding what data’s being collected, how the data is being used, and the potential risk of exposure of the patient’s or person’s data, and looking at whether there’s the potential for misuse or exposure that is broader than what the organization intended. One of the big changes is the right to be forgotten. This change is fairly significant, because most companies don’t have the ability to systematically find and remove an individual from their records; they haven’t built that functionality into systems. I have companies that say that if someone comes to them and ask them to remove all information on individuals, they can do that, but it requires them to go to four or five places, and it’s time-consuming. And if it’s one-off requests, that’s one thing; but if the requests are numerous, companies will need a more systematic approach to that.
In addition, you have to be able to provide an individual with the details of all the records you have on them. And you have to be able to provide all of that. Those are things that companies probably could provide today, but it would be time-consuming and expense to do so. So this will require additional functionality. So many companies are working towards becoming GDPR-compliant—creating the ability to remove an individual or find out all the information they have on an individual, with a single click.
This goes into effect next may. And then, when is the EU empowered to impose penalties?
Will the IT leaders of patient careorganizations need help to systematize these processes?
One of the first steps that organizations will need to go through is just figuring out what data they have, and where it is. In some cases, you’ll be using cloud service providers. And GDPR requirements flow down through all of those. So some of the initial help organizational leaders will need, will be simply around finding out where all the data is, and working out contracts with third-party data providers around this. Systematizing processes will be important, too. A lot of companies in the U.S. are just beginning to see the impact of GDPR.
Most companies can already do that process to meet the requirements, but it’s expensive to meet the requirements today through those manual processes. And in this space that you’re talking about, in this healthcare provider space, and the volume may be low enough that the risk might be low enough that a manual process still works for them. I mean, I wouldn’t be going to a provider and asking them to remove all my data; that’s a lower risk in healthcare than in other industries. I’d probably focus on security controls and overall privacy.
Another key issue that companies face is that a lot of companies have a lot of data on European citizens; and they collected the data in a historically legal way, but their collection methods don’t meet GDPR standards today. That basically means that they won’t legally be allowed to use the data they already have. So figuring out what their authorizations were—and going back to existing customers, to continue to use that data going forward, will be important. And that will change on May 25 .
That could very strongly affect financial services organizations, correct?
Yes, financial services, but also marketing, and Google, and Facebook, and retailers that know what you bought yesterday, because you used your member card. It affects anyone who operates a website; an IP address is covered. PII is defined broadly. Healthcare information is called a special category, and organizations in healthcare have to have a data privacy officer. So there’s no industry definition to this; it's anybody who has information that is considered personal information, around any EU resident. And hospitality and airlines are other industries that will be heavily affected by this. In the healthcare space, we expect pharma and biotech to be heavily affected by this as well, because they’re very global in nature.
What would you like the CIOs of the 100 or so U.S. providers with large international clienteles, to know?
The first thing they need to know is that GDPR applies to them; and the second is that GDPR is a fairly big lift. We found that 25 percent of companies with more than 1,000 employees, will spend more than $1 million on GDPR compliance. Fortunately, in U.S. healthcare, we have HIPAA, so we have done some things. And some of what GDPR requires is going to be consistent with what’s required under HIPAA; but their differences. GDPR is broader in terms of what’s considered PII [personally identifiable information]; an IP address is covered under GDPR, and isn’t covered under HIPAA. So I’d say, this isn’t the same as HIPAA. And you’re impacted, and you should figure out what data you have, and do a data assessment, and a gap assessment, so you understand whether you have gaps or not, and what those might be, you need to then act. And you’ve got until May of next year. So that’s something that organizations need to jump on, if they haven’t already been working on this.