A New EU Data Privacy Regulation Could Impact U.S. Patient Care Organizations Serving Large Numbers of International Patients | Healthcare Informatics Magazine

A New EU Data Privacy Regulation Could Impact U.S. Patient Care Organizations Serving Large Numbers of International Patients

July 29, 2017
by Mark Hagland
Protiviti’s Jeff Sanchez parses some of the complexities in the looming GDPR regulation from the EU

Though few healthcare leaders in the United States are aware of it, a new regulation promulgated by the European Union (EU) could impact them, if they treat more than a handful of patients every year who come from any of the 28 nations in the European Union. Indeed, the General Data Protection Regulation (GDPR) is due to go into effect on May 25, 2018.

So, to begin with, what is the GDPR? A good, basic explanation of the GDPR can be found on the website of the Spiceworks virtual IT community. The website explains that “GDPR, or the General Data Protection Regulation, is a set of rules designed to protect the privacy and personal data of European Union residents. The implications of GDPR are far reaching, as it impacts all organizations worldwide that collect personal information about EU residents. Non-compliance with GDPR can carry serious financial consequences, with some proposals calling for damages of up to 4% of a company's annual revenue or 20 million euros — whichever is higher. The regulation was approved in 2016 and is set to become effective on May 25, 2018.”

As the Spiceworks website explains, “In a nutshell, the regulations affect how companies must handle personal user data commonly tracked online. This includes IP addresses, geographic locations, names, home or work addresses, gender, and a wide range of more sensitive information such as health status, political affiliation, religion, and ethnicity, among other things. Organizations collecting or processing any personal data on EU residents must comply with the following provisions if they want to avoid the risk of incurring potentially large financial penalties,” in areas such as privacy by design, consent, pseudonymization, right to access, breach notification, right to erasure, data portability, and data protection officers.

Here is what Spiceworks has shared with its IT community members about those subjects:

>  Privacy by design — Organizations that collect personal data on EU residents can only store and process data when it's absolutely necessary. Additionally, they need to limit access to this personal data on a "need to know" basis.

>  Consent — Under GDPR, individuals must explicitly opt in to allowing organizations to collect personal data by default, and children must get consent from a parent or guardian. Additionally, an individual's consent can be removed at any time.

>  Pseudonymization — Data collected on individuals must be obscured or anonymized in a way that the data can't be tied back to a specific person without additional information, for example using encryption, which requires a key in order to read the information.

>  Right to access — Organizations must provide an individual residing in the EU with access to the personal data gathered about them upon request.

>  Breach notification — Under the regulation, in the event of a data breach, organizations must provide notification to affected parties within 72 hours.

>  Right to erasure — Sometimes called the right to be forgotten, organizations must honor requests to erase personal user data when asked to do so.

>  Data portability — Organizations must provide a way for individuals to transmit or move data collected on them from one data collector or data processor to another.

>  Data protection officers — Some organizations that process personal data on a large scale or track particularly sensitive information may be required to appoint qualified data protection officers to help ensure compliance with GDPR.
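The pseudonymization item above is the one that maps directly onto an engineering decision, so here is an added Python example (not from the original article or from Spiceworks) that shows what "can't be tied back without additional information" does and does not mean in practice. It contrasts an unkeyed hash of a medical record number, which anyone can reverse by simply enumerating the small space of possible MRNs, with an HMAC under a secret key the controller holds separately, which still lets all records for one patient be linked for analysis and lets only the key holder re-identify them. A keyed hash plus a separately stored re-link table is used in place of the encryption the summary mentions; the six-digit MRN format, the sample records and the key handling are assumptions for illustration.

```python
"""Keyed pseudonymization of patient identifiers (added example, not from the article).

An unkeyed hash of a short identifier is NOT pseudonymous in any useful
sense: the "additional information" needed to reverse it is just the
(small) list of possible identifiers. An HMAC under a key kept separately
from the export is: records for one patient still link, nobody without the
key can reverse it, and rotating the key unlinks older exports.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records (not real patients): a clinic export keyed by a
# six-digit medical record number (MRN). The MRN format is an assumption.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"mrn": "104233", "dx": "E11.9", "country": "DE"},
    {"mrn": "104233", "dx": "I10", "country": "DE"},
    {"mrn": "887120", "dx": "J45.909", "country": "FR"},
]


def naive_hash(mrn: str) -> str:
    """Unkeyed SHA-256 of the identifier. Looks opaque, but is reversible."""
    return hashlib.sha256(mrn.encode()).hexdigest()


def reverse_naive_hash(digest: str, digits: int = 6) -> Optional[str]:
    """Recover the MRN behind an unkeyed hash by trying every value with the
    given number of digits. 10**6 SHA-256 calls is trivial, which is why an
    unkeyed hash of a small-space identifier offers no real protection."""
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


def pseudonymize(mrn: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the MRN under a secret key that the
    controller stores apart from the export (e.g. in a KMS or HSM).
    Deterministic per key, so records for one patient still join."""
    return hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()


def pseudonymize_export(records: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Replace the direct identifier with its pseudonym and keep only the
    fields the downstream analysis actually needs (data minimisation)."""
    return [
        {"pid": pseudonymize(r["mrn"], key), "dx": r["dx"], "country": r["country"]}
        for r in records
    ]


def build_relink_table(records: List[Dict[str, str]], key: bytes) -> Dict[str, str]:
    """The 'additional information': pseudonym -> MRN. This table (and the key)
    must live under separate, tighter access control than the export itself,
    otherwise the pseudonymization is only cosmetic."""
    return {pseudonymize(r["mrn"], key): r["mrn"] for r in records}


def relink(pid: str, table: Dict[str, str]) -> Optional[str]:
    """Re-identify a pseudonym; only possible for whoever holds the table."""
    return table.get(pid)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated per deployment, never shipped with the data
    export = pseudonymize_export(SAMPLE_RECORDS, key)
    table = build_relink_table(SAMPLE_RECORDS, key)
    print("unkeyed hash reversed to:", reverse_naive_hash(naive_hash("104233")))
    print("records for one patient share a pid:", export[0]["pid"] == export[1]["pid"])
    print("key holder re-links:", relink(export[2]["pid"], table))
    print("different key, different pid:", pseudonymize("104233", secrets.token_bytes(32)) != export[0]["pid"])
```

The practical check a reviewer should run is the first one: if a "de-identified" extract contains an unkeyed hash of an MRN, SSN or date of birth, treat it as personal data, because anyone holding the extract can recover the original by enumeration. The HMAC variant only helps if the key and the re-link table are genuinely held apart from the people and systems that receive the export.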

As Spiceworks has explained to its community, “In simple terms, GDPR is like a bill of rights that protects data privacy for residents of the EU. In less simple terms, GDPR establishes government-sanctioned ground rules that organizations must abide by or else they face legal consequences.”

What’s more, a recent survey of the Spiceworks community found that only 9 percent of IT professionals based in the United States were informed about GDPR and what its impact would be for them. That is across all industries, and it compares with the 43 percent of British IT professionals, and the 36 percent of IT professionals in the rest of the EU, who said they were informed about the new regulation.

Meanwhile, although the majority of community hospitals and medical clinics in the United States may be able to manage the demands of GDPR using manual, individualized processes, the IT leaders at large academic medical centers and other patient care organizations, particularly those that serve hundreds or thousands of international patients every year, will need to think carefully about their preparation for this regulation.

It is in that context that Healthcare Informatics Editor-in-Chief Mark Hagland spoke recently with Jeff Sanchez, managing director at Protiviti, a Los Angeles-based risk consulting firm that has been focusing strongly on helping organizations in all industries prepare for the GDPR regulation’s implementation. Below are excerpts from their interview.

Can you explain in your own words the significance of the GDPR regulation for our audience, and why healthcare IT leaders in the U.S. need to familiarize themselves with this European regulation?


It's great to see GDPR being raised in healthcare and I found the article covered many excellent points. With all due respect, there are several inaccuracies:
- Maximum fines are up to 4% or 20 million Euros, whichever is greater. One of the responses stated 2%.
- GDPR affects any organization that actively markets to EU individuals and collects that information on EU soil, or it could be collected by someone else and then transferred to US soil. It is not just web sites-- it is any activity and could include employees, consumers, and even business contacts.
- "U.S. companies that have information on European residents, are subject to GDPR.". Not necessarily-- if the information was collected on EU soil and the organization actively engages with EU data subjects such as actively marketing medical services to EU individuals, then yes. Otherwise, while they may need to adhere to Privacy Shield to transfer data collected in the EU to the US or other data transfer agreements such as EU Model Clauses (EUMC), they may not be subject to GDPR.
"And you may have to have a data privacy officer. And there are specific rules about the role and assignment of that CPO". In GDPR we refer to a DPO as Data Protection Officer, and that may be required if handling sensitive data such as health data. A DPO has very specific responsibilities and could be separate from a Chief Privacy Officer or even a data privacy officer. More details are here: https://ec.europa.eu/info/departments/data-protection-officer_en .
"And organizations have to do data protection impact assessment.". This is also not necessarily a requirement although it is good practice. Regulator guidance: ec.europa.eu/newsroom/document.cfm?doc_id=44137 .
"Another key issue that companies face is that a lot of companies have a lot of data on European citizens;". GDPR applies to living, breathing individuals on EU soil: citizens, residents, and visitors alike.
"PII is defined broadly.". In GDPR this is referred to as 'Personal Data'.
Again, thank you for bringing GDPR awareness to this industry.
Kind regards,
- Cindy Compert
<NOTE: Opinions are my own personal opinions and do not constitute legal advice>