Though few healthcare leaders in the United States are aware of it, a new regulation promulgated by the European Union (EU) could impact them, if they treat more than a handful of patients every year who come from any of the 28 nations in the European Union. Indeed, the General Data Protection Regulation (GDPR) is due to go into effect on May 25, 2018.
So, to begin with, what is the GDPR? A good, basic explanation of the GDPR can be found on the website of the Spiceworks virtual IT community. The website explains that “GDPR, or the General Data Protection Regulation, is a set of rules designed to protect the privacy and personal data of European Union residents. The implications of GDPR are far reaching, as it impacts all organizations worldwide that collect personal information about EU residents. Non-compliance with GDPR can carry serious financial consequences, with some proposals calling for damages of up to 4% of a company's annual revenue or 20 million euros — whichever is higher. The regulation was approved in 2016 and is set to become effective on May 25, 2018.”
As the Spiceworks website explains, “In a nutshell, the regulations affect how companies must handle personal user data commonly tracked online. This includes IP addresses, geographic locations, names, home or work addresses, gender, and a wide range of more sensitive information such as health status, political affiliation, religion, and ethnicity, among other things. Organizations collecting or processing any personal data on EU residents must comply with the following provisions if they want to avoid the risk of incurring potentially large financial penalties,” in areas such as privacy by design, consent, pseudonymization, right to access, breach notification, right to erasure, data portability, and data protection officers.
Here is what Spiceworks has shared with its IT community members about those subjects:
> Privacy by design — Organizations that collect personal data on EU residents can only store and process data when it's absolutely necessary. Additionally, they need to limit access to this personal data on a "need to know" basis.
> Consent — Under GDPR, individuals must explicitly opt in to allowing organizations to collect personal data by default, and children must get consent from a parent or guardian. Additionally, an individual's consent can be removed at any time.
> Pseudonymization — Data collected on individuals must be obscured or anonymized in a way that the data can't be tied back to a specific person without additional information, for example using encryption, which requires a key in order to read the information.
> Right to access — Organizations must provide an individual residing in the EU with access to the personal data gathered about them upon request.
> Breach notification — Under the regulation, in the event of a data breach, organizations must provide notification to affected parties within 72 hours.
> Right to erasure — Sometimes called the right to be forgotten, organizations must honor requests to erase personal user data when asked to do so.
> Data portability — Organizations must provide a way for individuals to transmit or move data collected on them from one data collector or data processor to another.
> Data protection officers — Some organizations that process personal data on a large scale or track particularly sensitive information may be required to appoint qualified data protection officers to help ensure compliance with GDPR.
As Spiceworks has explained to its community, “In simple terms, GDPR is like a bill of rights that protects data privacy for residents of the EU. In less simple terms, GDPR establishes government-sanctioned ground rules that organizations must abide by or else they face legal consequences.”
What’s more, a recent survey of the Spiceworks community found that only 9 percent of IT professionals based in the United States were informed about GDPR and what its impact would be for them. That figure spans all industries, and it compares with the 43 percent of British IT professionals, and the 36 percent of IT professionals in the rest of the EU, who said they were informed about the new regulation.
Meanwhile, although the majority of community hospitals and medical clinics in the United States may be able to manage the demands of GDPR using manual, individualized processes, the IT leaders at large academic medical centers and other patient care organizations, particularly those that serve hundreds or thousands of international patients every year, will need to think carefully about their preparation for this regulation.
It is in that context that Healthcare Informatics Editor-in-Chief Mark Hagland spoke recently with Jeff Sanchez, managing director at Protiviti, a Los Angeles-based risk consulting firm that has been focusing strongly on helping corporate organizations in all industries prepare for the GDPR regulation’s implementation. Below are excerpts from their interview.
Can you explain in your own words the significance of the GDPR regulation for our audience, and why healthcare IT leaders in the U.S. need to familiarize themselves with this European regulation?