A New EU Data Privacy Regulation Could Impact U.S. Patient Care Organizations Serving Large Numbers of International Patients | Healthcare Informatics Magazine


July 29, 2017
by Mark Hagland
Protiviti’s Jeff Sanchez parses some of the complexities in the looming GDPR regulation from the EU

Though few healthcare leaders in the United States are aware of it, a new regulation promulgated by the European Union (EU) could impact them, if they treat more than a handful of patients every year who come from any of the 28 nations in the European Union. Indeed, the General Data Protection Regulation (GDPR) is due to go into effect on May 25, 2018.

So, to begin with, what is the GDPR? A good, basic explanation of the GDPR can be found on the website of the Spiceworks virtual IT community. The website explains that “GDPR, or the General Data Protection Regulation, is a set of rules designed to protect the privacy and personal data of European Union residents. The implications of GDPR are far reaching, as it impacts all organizations worldwide that collect personal information about EU residents. Non-compliance with GDPR can carry serious financial consequences, with some proposals calling for damages of up to 4% of a company's annual revenue or 20 million euros — whichever is higher. The regulation was approved in 2016 and is set to become effective on May 25, 2018.”

As the Spiceworks website explains, “In a nutshell, the regulations affect how companies must handle personal user data commonly tracked online. This includes IP addresses, geographic locations, names, home or work addresses, gender, and a wide range of more sensitive information such as health status, political affiliation, religion, and ethnicity, among other things. Organizations collecting or processing any personal data on EU residents must comply with the following provisions if they want to avoid the risk of incurring potentially large financial penalties,” in areas such as privacy by design, consent, pseudonymization, right to access, breach notification, right to erasure, data portability, and data protection officers.

Here is what Spiceworks has shared with its IT community members about those subjects:

>  Privacy by design — Organizations that collect personal data on EU residents can only store and process data when it's absolutely necessary. Additionally, they need to limit access to this personal data on a "need to know" basis.

>  Consent — Under GDPR, individuals must explicitly opt in to allowing organizations to collect personal data by default, and children must get consent from a parent or guardian. Additionally, an individual's consent can be removed at any time.

>  Pseudonymization — Data collected on individuals must be obscured or anonymized in a way that the data can't be tied back to a specific person without additional information, for example using encryption, which requires a key in order to read the information.

>  Right to access — Organizations must provide an individual residing in the EU with access to the personal data gathered about them upon request.

>  Breach notification — Under the regulation, in the event of a data breach, organizations must provide notification to affected parties within 72 hours.

>  Right to erasure — Sometimes called the right to be forgotten, organizations must honor requests to erase personal user data when asked to do so.

>  Data portability — Organizations must provide a way for individuals to transmit or move data collected on them from one data collector or data processor to another.

>  Data protection officers — Some organizations that process personal data on a large scale or track particularly sensitive information may be required to appoint qualified data protection officers to help ensure compliance with GDPR.

As Spiceworks has explained to its community, “In simple terms, GDPR is like a bill of rights that protects data privacy for residents of the EU. In less simple terms, GDPR establishes government-sanctioned ground rules that organizations must abide by or else they face legal consequences.”

What’s more, a recent survey of the Spiceworks community found that only 9 percent of IT professionals based in the United States were informed about GDPR and what its impact would be for them. That is across all industries, and it compares with the 43 percent of British IT professionals, and the 36 percent of IT professionals in the rest of the EU, who said they were informed about the new regulation.

Meanwhile, although the majority of community hospitals and medical clinics in the United States may be able to manage the demands of GDPR using manual, individualized processes, the IT leaders at large academic medical centers and other patient care organizations, particularly those that serve hundreds or thousands of international patients every year, will need to think carefully about their preparation for this regulation.

It is in that context that Healthcare Informatics Editor-in-Chief Mark Hagland spoke recently with Jeff Sanchez, managing director at Protiviti, a Los Angeles-based risk consulting firm that has been focusing strongly on helping corporate organizations in all industries prepare for the GDPR regulation’s implementation. Below are excerpts from their interview.

Can you explain in your own words the significance of the GDPR regulation for our audience, and why healthcare IT leaders in the U.S. need to familiarize themselves with this European regulation?

GDPR is a new rule that comes into effect in May 2018 that requires organizations that either control or process PII [personally identifiable information] of European residents, to protect that information, and provide residents with certain rights that they didn’t have. One of the biggest changes over prior EU privacy standards is that it doesn’t have geographic boundaries. That’s why it’s a big thing. U.S. companies that have information on European residents, are subject to GDPR. Previously, rules around compliance impacted companies that had a presence in Europe and were based in Europe; GDPR has no geographic boundaries. U.S. companies that have information on European residents are subject. And the fines for non-compliance are huge—probably some of the largest fines ever.

What kinds of fines are we talking about?

Up to 2 percent of revenues.

So a hospital in the United States could be affected by this, correct?

If you think about the healthcare arena, the biggest impact will be on pharma [pharmaceutical] and biotech [biotechnology] companies, because they’re working in a global environment. For providers, the risk is less. But where you do have more risk on the provider side is with some of the high-profile providers that may have a very specialized service that they’re globally known for. For example, if you were a facility that was globally renowned, such as a cancer center. That’s where you probably have more GDPR risk, as a provider.

There are hospitals and medical clinics that annually treat thousands of international patients, including of course, patients who are EU citizens. They would be exposed, correct?

Yes, absolutely. Those are the organizations that probably have the most exposure to GDPR in the provider space.

What are the key requirements for GDPR, then?

It’s fairly extensive. In addition to standard information security best practices, there are a number of different requirements around how the data can be used and the ways in which the data can be accepted from the individual. For example, everything needs to be opt-in, not opt-out. So anytime you’re going to use information for any purpose other than direct patient care, you have to provide them the ability to opt out, in a way that is as easy as opting in. And you may have to have a data privacy officer. And there are specific rules about the role and assignment of that CPO. And there has to be data protection by design and by default. So where is data encrypted, where is it encrypted at rest and in motion? And organizations have to do data protection impact assessment.

What’s involved in a data protection impact assessment?

It means understanding what data’s being collected, how the data is being used, and the potential risk of exposure of the patient’s or person’s data, and looking at whether there’s the potential for misuse or exposure that is broader than what the organization intended. One of the big changes is the right to be forgotten. This change is fairly significant, because most companies don’t have the ability to systematically find and remove an individual from their records; they haven’t built that functionality into systems. I have companies that say that if someone comes to them and asks them to remove all information on individuals, they can do that, but it requires them to go to four or five places, and it’s time-consuming. And if it’s one-off requests, that’s one thing; but if the requests are numerous, companies will need a more systematic approach to that.

In addition, you have to be able to provide an individual with the details of all the records you have on them. And you have to be able to provide all of that. Those are things that companies probably could provide today, but it would be time-consuming and expensive to do so. So this will require additional functionality. So many companies are working towards becoming GDPR-compliant—creating the ability to remove an individual or find out all the information they have on an individual, with a single click.

This goes into effect next May. And then, when is the EU empowered to impose penalties?

Immediately thereafter.

Will the IT leaders of patient care organizations need help to systematize these processes?

One of the first steps that organizations will need to go through is just figuring out what data they have, and where it is. In some cases, you’ll be using cloud service providers. And GDPR requirements flow down through all of those. So some of the initial help organizational leaders will need, will be simply around finding out where all the data is, and working out contracts with third-party data providers around this. Systematizing processes will be important, too. A lot of companies in the U.S. are just beginning to see the impact of GDPR.

Most companies can already do that process to meet the requirements, but it’s expensive to meet the requirements today through those manual processes. And in this space that you’re talking about, in this healthcare provider space, and the volume may be low enough that the risk might be low enough that a manual process still works for them. I mean, I wouldn’t be going to a provider and asking them to remove all my data; that’s a lower risk in healthcare than in other industries. I’d probably focus on security controls and overall privacy.

Another key issue that companies face is that a lot of companies have a lot of data on European citizens; and they collected the data in a historically legal way, but their collection methods don’t meet GDPR standards today. That basically means that they won’t legally be allowed to use the data they already have. So figuring out what their authorizations were—and going back to existing customers, to continue to use that data going forward, will be important. And that will change on May 25 [2018].

That could very strongly affect financial services organizations, correct?

Yes, financial services, but also marketing, and Google, and Facebook, and retailers that know what you bought yesterday, because you used your member card. It affects anyone who operates a website; an IP address is covered. PII is defined broadly. Healthcare information is called a special category, and organizations in healthcare have to have a data privacy officer. So there’s no industry definition to this; it's anybody who has information that is considered personal information, around any EU resident. And hospitality and airlines are other industries that will be heavily affected by this. In the healthcare space, we expect pharma and biotech to be heavily affected by this as well, because they’re very global in nature.

What would you like the CIOs of the 100 or so U.S. providers with large international clienteles, to know?

The first thing they need to know is that GDPR applies to them; and the second is that GDPR is a fairly big lift. We found that 25 percent of companies with more than 1,000 employees will spend more than $1 million on GDPR compliance. Fortunately, in U.S. healthcare, we have HIPAA, so we have done some things. And some of what GDPR requires is going to be consistent with what’s required under HIPAA; but there are differences. GDPR is broader in terms of what’s considered PII [personally identifiable information]; an IP address is covered under GDPR, and isn’t covered under HIPAA. So I’d say, this isn’t the same as HIPAA. And you’re impacted, and you should figure out what data you have, and do a data assessment, and a gap assessment, so you understand whether you have gaps or not, and what those might be; you need to then act. And you’ve got until May of next year. So that’s something that organizations need to jump on, if they haven’t already been working on this.

AMIA Calls for Harmonization of Data Privacy Policies

November 16, 2018

As the lines between consumer and clinical data systems continue to blur, there is a need to harmonize health sector data privacy policy, such as the Health Insurance Portability and Accountability Act (HIPAA), with consumer data policy to develop a new era of privacy policy, according to the American Medical Informatics Association (AMIA).

AMIA provided written comments last week in response to the National Telecommunications and Information Administration’s Request for Comment (RFC) on the Administration’s approach to consumer privacy. NTIA, an agency within the Department of Commerce, was seeking feedback on ways it can advance consumer privacy while also protecting innovation. The RFC sought feedback on how certain organizational privacy goals and outcomes can be achieved. These outcomes include organizational transparency, user control over personal information, reasonable minimization of data collection, organizational security practices, user access and correction, organizational risk management, and organizational accountability.

In its written comments, AMIA encouraged the Trump administration to closely examine both HIPAA and the Common Rule and develop an explicit goal to harmonize “health sector” and “consumer sector” data privacy policies. The informatics group cautioned the Administration against a patchwork of consumer privacy policies that is already the norm in the health sector.

Jeff Smith, vice president, public policy at AMIA, notes that given the health sector’s experience with HIPAA and the Common Rule, there is a unique opportunity to accomplish two aims with this executive and legislative branch conversation—harmonize health sector data privacy policy with consumer data privacy policy and develop a national forum and framework to allow states flexibility to address local needs and norms.

In its written comments, AMIA noted that differences in the interpretation of HIPAA have led to wild variations in application. The group thus urged the administration to balance the need for both prescriptive process-oriented policies and outcome-oriented policies, writing that “[a]n over-emphasis on vague or difficult-to-measure outcomes without guidance on process will result in the failings of HIPAA – wide variation in interpretation and inconsistent implementation.”

AMIA went on to not only reiterate its support for patients always having access to their data, but advocated extending this principle to other sectors of the economy and elevating it to “a prerequisite condition and central organizing principle from which other outcomes derive.”

Further, while AMIA broadly supported the RFC’s high-level goals, it recommended that the administration also focus on “closing regulatory gaps” that endanger data privacy. Citing a 2016 ONC report, AMIA pointed out that there are health-related technologies that exist outside the scope of HIPAA, Federal Trade Commission (FTC) regulation, or state law. Thus, a truly comprehensive approach to consumer privacy should address these gaps, AMIA wrote.

Finally, AMIA encouraged the administration to take several steps to address data governance and ethical use. It recommended that FTC “develop a framework for organizations to use that supports trust, safety, efficacy, and transparency across the proliferation of commercial and nonproprietary information resources,” in addition to an “ethical framework around the collection, use, storage, and disclosure of the personal information consumers may provide to organizations.”

“We applaud the administration for initiating this long overdue conversation. As the lines between consumer and clinical devices continue to blur, the need for harmonized federal policy becomes more pronounced,” Douglas B. Fridsma, M.D., Ph.D., AMIA President and CEO, said in a statement. “Just as we strive to ensure that patients have access to and control over their data, we must strive to deliver the same for consumers. The administration should learn from the health sector and develop improved privacy policies across all sectors of the economy.”

Time to End ‘Wild West’ of Health Data Usage in HIPAA-Free Zones

Beyond consent, bioethicists argue for ethical guidelines governing fair use of data

In a recent conversation, a CMIO described the era of Meaningful Use and ICD-10 to me as the “doldrums of regulatory reform” that “sucked up all the oxygen” in the industry, leaving little room for innovation. So I can see why there would be little appetite for more regulation related to health data, and obviously the current administration prefers market-based solutions to regulatory ones.

Yet the Oct. 22 meeting, “Data Min(d)ing: Privacy and Our Digital Identities,” put on by the U.S. Department of Health & Human Services, made it clear to me that as more health data is gathered (and sold) outside the clinical setting, there is a “Wild West” atmosphere in which pretty much anything goes in terms of what companies not covered by HIPAA can do with our health data.

As an example, an April 2018 CNBC article noted that Facebook “has asked several major U.S. hospitals to share anonymized data about their patients, such as illnesses and prescription information, for a proposed research project. Facebook was intending to match it up with user data it had collected in order to help the hospitals figure out which patients might need special care or treatment.” (That project is currently on hiatus, Facebook said.)

The HHS meeting brought together industry leaders and researchers for some thought-provoking presentations about the many ways genetic, wearable and EHR health data is being used. For instance, James Hazel, Ph.D., J.D., a research fellow at the Center for Biomedical Ethics and Society at the Vanderbilt University Medical Center, presented his research that involved a survey of the privacy policies proffered by U.S. direct-to-consumer genetic testing companies. Hazel noted that there has been huge growth in direct-to-consumer genetic testing, with an estimated 12 million people tested in the United States. Beyond offering consumers the services, the companies doing the testing wish to monetize that data through partnerships with pharmaceutical companies and academic researchers. There is also value to government and law enforcement officials – to solve cold cases, for instance.

There is a patchwork of federal and state laws governing disclosure of secondary data usage to consumers, but the industry is largely left to self-regulate, he said. In his survey of 90 companies offering these genetic data services, “10 percent had no policies whatsoever,” he said. About 55 companies had genetic data policies, but there was tremendous variability in policies about collection and use. Less than half had information on the fate of the sample. In terms of secondary use, the majority of policies refer to internal uses of genetic data. However, very few addressed ownership or commercialization. And although almost all made claims to being good stewards of the data, 95 percent did not provide for notification in case of a data breach. The provisions for sharing de-identified data are even less restrictive. Hazel noted that 75 percent share it without additional consent from the consumer.

Hazel’s take-home message: “We saw variability across the industry. Also, we had a group of law students and law professors read the policies and there was widespread disagreement about what they meant,” he said. “Also, nearly every company reserves the right to change the policy at any time, and hardly any company provided for individual notice in event of a change.” He finished his presentation with a question. “What is the path forward? Additional oversight by the Federal Trade Commission? Or allowing industry efforts to take the lead before stepping in?”

In a separate presentation, Efthimios Parasidis, J.D., a professor of Law and Public Health at the Ohio State University, spoke about the need for an ethical framework for health data.

Parasidis began by noting that beyond data security and privacy, consent and notice are inadequate ethical markers. “If one looks at regulations, whether it is HIPAA, the European Union’s GDPR, or California’s recently enacted consumer privacy law, the regulatory trend has been to emphasize consent, deletion rights and data use notifications,” he said. While these are important regulatory levers, missing is a forum for assessing what is fair use of data. “Interestingly, few areas of data collection require ethics review,” he stressed. HIPAA does not speak to when data use is ethical but rather establishes guidelines for maintaining and sharing certain identifiable health information. Even those protections are limited. HIPAA only applies to covered entities, he noted. It does not apply to identifiable health information held by a wide variety of stakeholders, including social media, health and wellness apps, wearables, life insurers, workers’ compensation insurers, retail stores, credit card companies, Internet searches, and dating companies.

“While the volume of identifiable health information held in HIPAA-free zones engulfs that which is protected by HIPAA and may support more accurate predictions about health than a person’s identifiable medical records,” Parasidis said, “the limits of HIPAA’s protections go beyond scope. For data on either side of the HIPAA divide, an evaluation of ethical implications is only required for human subject research that falls under the Common Rule. Much of data analytics falls outside the Common Rule or any external oversight.”

Citing the Facebook example mentioned above, Parasidis noted that tech giants Amazon, Apple, Google, Microsoft and Uber are entering the digital health space. “The large swathes of identifiable information that these entities hold raise a host of ethical questions,” he added, “including widespread re-identification of de-identified health information, health profiling of individuals or groups and discrimination based on health conditions.”

Policies and guidelines can supplement the small subset of data covered under legally mandated ethics review, he explained. For instance, federal agencies sometimes use internal disclosure review boards to examine ethical implications of data disclosure. But it is not clear this type of review is happening in the private sector.

Parasidis described work he has done with Elizabeth Pike, director of Privacy Policy in the Office of the Chief Information Officer at HHS, and Deven McGraw, who served as deputy director of health information privacy at HHS, on a framework for ethical review of how health data is used.

One way to think about more robust ethics review is the use of data ethics review boards, he said. Their structure can be modeled on institutional review boards or disclosure review boards. “This new administrative entity is necessary because much of contemporary data analytics falls outside existing frameworks,” he said. “We argue that these boards should focus on choice, responsiveness, accountability, fairness and transparency — a CRAFT framework. For instance, choice goes beyond consent. Individuals have an ongoing interest in their health data and should be able to specify how it is collected, analyzed and used.”

Reasonable minds can disagree on the relative weight of ethical principles or how they should be enacted into the context of data use deliberations, he said. “We nevertheless believe there remains an urgent need to craft an ethical framework for health data.”

Despite HIPAA Law, Researchers Say Getting Medical Records Still is Burdensome

October 8, 2018
by Rajiv Leventhal, Managing Editor

Although federal law has long promoted patients’ access to their protected health information, a recent study of 83 hospitals has revealed that there was noncompliance with federal regulations for formats of release and state regulations for request processing times.

The research, published recently in JAMA, also found that there was discordance between information provided on medical records release authorization forms and that obtained directly from medical records departments regarding the medical records request processes.

The Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) gives patients the right of access to their protected health information. Per federal regulation, medical record requests must be fulfilled within 30 days of receipt (with the possibility of a single 30-day extension) in the format requested by the patient if the records are readily producible in that format.

Despite HIPAA and the fact that electronic health records (EHRs) are much more widespread now than in years past, patients may not be able to easily request, receive, and manage their medical records. Under guidance from the U.S. Department of Health and Human Services, hospitals are permitted to impose a reasonable cost-based fee for the release of medical records, but costs still remain high. What’s more, many hospitals add procedural obstacles that can limit patient access, the researchers noted.

To this point, a GAO (Government Accountability Office) report earlier this year also found some troubling trends regarding patient access to medical records. The GAO analyzed four states, finding one instance in which patients paid more than $500 for a single medical record request, and another in which one patient was charged $148 for a PDF version of her medical record.

For this latest study, researchers collected both medical records release authorization forms from each hospital, and subsequently telephoned each hospital’s medical records department to collect data.

Among the 83 hospitals, 44 (53 percent) provided patients the option on the forms to acquire their entire medical record. For individual categories of “requestable” information on the forms, as few as nine hospitals (11 percent) provided the option of selecting release of physician orders and as many as 73 hospitals (88 percent) provided the option of selecting release of laboratory results. Most hospitals (92 percent) provided the option of an “other” category for requesting information not explicitly listed on the form.

Among the telephone calls made, all the hospitals said they were able to release entire medical records to patients. When asked if any information would be withheld with a request of an entire medical record, two hospitals disclosed that nursing notes would not be released unless they were specifically requested. However, just 25 percent of the hospitals who were called said they were able to release information onto patient portals. All hospitals stated in telephone calls and on the forms that they could release information via mail.

Regarding cost, on the authorization forms, 35 percent of hospitals disclosed exact costs for releasing medical records, 22 percent said they would charge patients without specifying a cost, and 36 percent did not specify anything about fees. For a 200-page record, the cost of release ranged from $0.00 to $281.54, based on the 29 hospitals that disclosed costs.

Among the telephone calls, 82 out of 83 hospitals disclosed costs for paper formats of release. For a 200-page record, the cost of release as communicated in telephone calls ranged from $0.00 to $541.50. And of the 82 hospitals that disclosed costs, 48 hospitals (59 percent) stated costs of release above the federal recommendation of a $6.50 flat fee for electronically maintained records.

Finally, for processing times for medical records release, of the 71 hospitals that provided mean times of release when called, 21 percent reported mean times of less than 7 days; 25 percent in seven to 10 days; 31 percent in 11 to 20 days; 5 percent in 21 to 30 days; and 3 4 percent in more than 30 days. In general, most hospitals were able to release records in electronic format in a shorter time frame than records in paper format.

Of the hospitals that responded with times of release, seven had ranges extending beyond their state’s requirement before applying the single 30-day extension granted by HIPAA.

The researchers concluded, “Requesting medical records remains a complicated and burdensome process for patients despite policy efforts and regulation to make medical records more readily available to patients. Our results revealed inconsistencies in information provided by medical records authorization forms and by medical records departments in select U.S. hospitals, as well as potentially unaffordable costs and processing times that were not compliant with federal regulations. As legislation, including the recent 21st Century Cures Act, and government-wide initiatives like MyHealthEData continue to stipulate improvements in patient access to medical records, attention to the most obvious barriers should be paramount.”