Privacy With a European Flair — How the GDPR Could Impact US Health Care Organizations
Those in the data business have been studying up since May 2016. That’s when the European Union (EU) first implemented the General Data Protection Regulation (GDPR), which allowed two years before enforcement of the new rules would take effect. Indeed, on May 25, 2018, enforcement began, and, within hours, fines equivalent to $9.3 billion were lodged against tech giants Google and Facebook.
If you are thinking, “Yes, but what exactly is the GDPR?” you’re not alone. Even those who have been paying close attention since 2016 have yet to reach a complete answer on that question.
The GDPR is a sweeping set of rules that affords citizens of the EU greater data privacy rights than any law anywhere. In its “State of Data Protection Around the World,” Consumers International went so far as to call the GDPR “the strongest data protection regime in the world.”
Regime or not, experts agree it’s a good start to resolving big gaps in privacy protections.
The GDPR calls companies operating in the EU to task, establishing stringent rules for how they—particularly tech companies—treat user data. To oversimplify, the GDPR says that if a company is holding personally identifiable data on individuals, it must obtain appropriate permissions from those individuals. In addition, companies that receive secondhand data must prove why they need it. Personally identifiable data are defined broadly to include any information that can, in any way, be linked to an individual. More importantly, the GDPR gives individuals far more control over what happens to their personal data.
In short, understanding the GDPR is important for any company collecting or transmitting personal data, particularly if it targets or serves EU markets.
While most in the HIM profession have at least heard of the GDPR, understanding what it means for US health care is a challenge. The learning curve is steep because the law is so dense.
“We’re all still trying to learn it,” says Chris Bowen, CISSP, CCSP, CIPP/US, CIPT, chief privacy and security officer and founder of ClearDATA, a health care data protection company. ClearDATA has been working on readiness for a long time, but the May deadline still came quickly. Because he serves clients with workloads throughout Europe, Bowen knew his company would be accountable to the GDPR.
Yet, many organizations aren’t sure whether the GDPR applies to them. In that uncertainty, they call upon people such as Adam Greene, a partner with Davis Wright Tremaine, LLP, a nationally recognized authority on HIPAA and the HITECH Act. As a former regulator at Health and Human Services (HHS), Greene understands better than most how the GDPR enforcement will likely proceed.
“Occasionally, I’ve had to talk [clients] down from the ledge a bit. They’re worried that anytime a European walks through their door, they’re going to have to stand up to a whole new compliance program,” Greene says.
His short answer to the folks on the ledge? “The mere fact that a Belgian tourist breaks their leg skiing and shows up in your emergency room does not bring you into the GDPR if you are not specifically targeting and marketing to the EU,” he explains.
However, Greene says the situation can be a little more complicated for organizations that are unaware that they’re collecting data from the EU.
Who’s Most Vulnerable?
The good news for organizations unsure whether they fall within the purview of the GDPR is that early enforcement has focused on the big guys. Behemoths such as Amazon, Google, and Microsoft all possess easy-to-find statements on their GDPR compliance along with tools for helping their customers self-assess, signaling they know they’re the ones under the magnifying glass.
When it comes to US-based health care organizations, Kelly McLendon, RHIA, CHPS, managing partner of CompliancePro Solutions, a compliance and incident management software company, says, “I’m not terribly worried about the GDPR right now, but I am advising that we need to look at it carefully. Absolutely, every organization should understand whether or not it’s going to apply.”
McLendon qualifies that he means providers of care, specifically, are relatively safe. Other health care–related companies, however, may want to pay special attention. “Pharma is health care, and they could get hammered by the GDPR,” he points out, while adding business associates such as coding vendors with offshore servers to the list of those who should be wary.
Greene says, “If you are targeting the EU or if you are actually monitoring the behavior of EU residents, you could become subject to the GDPR,” noting that online retargeting ad campaigns that snag behavioral data on EU residents might be enough to bring a US-based company into the GDPR.
“There are probably dozens or hundreds of use cases, but we don’t know them all yet,” McLendon says. “In fact, we know very few and we’re just trying to get our arms around it—including the attorneys; they’re trying too.”
Begin With a Self-Assessment
As crazy as it may seem, knowing that you don’t know whether the GDPR applies to your organization may be the healthiest starting position. Those who are quick to discount the law’s relevancy in the United States may discover it’s a small world, after all—once enforcement gains momentum.
For now, the advice on what to do should sound familiar to those in HIM: “What I would recommend with respect to the GDPR, and frankly other international law, is every health care provider should have a self-assessment and look at whether they have contacts internationally,” Greene says.
Bowen notes that assessment is more than a recommendation—it’s a stipulation of GDPR compliance. “One of the requirements is to document the processing activities,” he says.
Bowen asks clients, “What data are you processing? Is it sensitive? Where does it flow? And which countries does it flow through?” This full data-lifecycle analysis, or data locality plan as it’s called at ClearDATA, maps information from creation and distribution to use, maintenance, archiving, and destruction.
Unlike HIPAA, which became law with little guidance on how to achieve compliance, the GDPR has built in more prescription.
“There is a good bit of work to do on the front end with the GDPR,” McLendon says, noting that’s a good thing for those who simply want to know whether they’re at risk and how to comply.
HIPAA’s a Start, but It Won’t Get You There
How does the GDPR compare with HIPAA? Turns out, the differences between the two laws are vast. Some of the individual protections afforded in both laws, such as the right to be notified of a breach, are similar, but the GDPR goes much further in establishing an individual’s right to privacy.
“The GDPR model is more effective. This is coming from someone who used to work at HHS and has the utmost respect for HIPAA, but the reality is the P in HIPAA does not stand for privacy,” Greene says. “HIPAA was first and foremost focused on insurance portability, and it included provisions that were focused on transactions between health care providers and health plans. As a bit of an afterthought, privacy and security was added on to that but only to those entities that were involved in those transactions.”
While Greene touts the superiority of the GDPR as a privacy law, he believes covered entities that have established robust HIPAA compliance may be better situated than most US health care organizations. Although, he admits, the new law will still require a significant lift for US companies.
McLendon warns it’s dangerous for organizations to believe that meeting HIPAA requirements translates to GDPR compliance. Data that historically haven’t been protected by HIPAA are protected under the GDPR, he notes. Therefore, while health care organizations may be better prepared than other businesses to meet new regulations, they are not exempt and need to complete a self-assessment to know where gaps exist.
As mentioned, GDPR enforcement began immediately with sizable fines leveled against Google and Facebook on the first day. There are approximately 27 supervisory authorities in the EU charged with overseeing compliance, but most of them are underfunded. As a result, many of the member states went after the giants first.
“Those early fines will help them operationalize enforcements,” Bowen says. “My prediction is that there will continue to be enforcement, but they’ll largely go after the companies that are egregious or have really big pockets.”
Greene seeks to allay oversized fear that unsuspecting organizations could be blindsided by fines. “It can only be enforced by EU authorities through EU systems, so it’s not like someone can come into a US court and try to enforce the GDPR,” he says, while admitting that certain US companies are nevertheless top targets.
It’s possible that an EU supervisory authority could bring an action under the GDPR against a US company that has some small but measurable target of EU residents, “but I don’t think that is a priority,” Greene says.
What has many organizations worried is the possibility of enduring crippling sanctions should they be found in violation of the GDPR. A noncompliant company can be fined up to 4% of its global revenue—and that’s just for noncompliance. A breach doesn’t have to occur for enforcement to be triggered.
That’s just the beginning. “Then, of course, you have member states that can issue fines over and above the GDPR fine. So, 4% of your gross worldwide revenue is just for the GDPR, and it goes up from that,” Bowen says.
EU and member state supervisory authorities are not the only ones who will take their pound of flesh. A noncompliant organization is vulnerable to civil suits as well, something small companies hoping to fly under the radar during these early enforcement days should note.
“Anytime regulation is introduced that you should be paying attention to and you decide not to, even if the enforcers don’t find you, you can be open to civil liability. You have to be careful with the attorneys looking for the ways the GDPR applies and going after businesses on a civil basis,” McLendon says.
He continues, “It’s going to be very shocking to a lot of business and an industry that has never really cared about privacy protections before,” which should be a small consolation for health care organizations that, at least, have been talking privacy for many years.
A GDPR Primer
A lot of unpacking will occur over the next few years as the European Commission publishes more guidance, but there are three aspects of the law worth highlighting. First, personally identifiable information is defined far more broadly than US health care organizations might assume. HIPAA defines 18 identifiers that must be protected, but ascribing that to the GDPR would be a mistake.
“If you can possibly identify a person, that’s considered PII [personally identifiable information],” Bowen says. For example, an IP address could be used in conjunction with other data to identify an individual; therefore, that address becomes an identifier. How data relate to each other becomes important. A data protection impact assessment, required by the GDPR, will help companies know whether the data being collected are personally identifiable.
Second, the GDPR promotes the concept that an individual owns his or her data, a component of the law that Bowen backs wholeheartedly. “What a great concept. As a privacy official, I love the fact that Chris Bowen’s data belong to Chris Bowen—not to some entity that I don’t even know about,” he says.
The third aspect of the law that has received a lot of attention is the right of erasure. A direct conclusion drawn from an individual’s ownership of his or her data is the individual’s right to request data be deleted. This poses several challenges for organizations that hold data.
“It is a massive effort on the part of the data controller as well as the data processor to find that information and then to make sure it gets deleted,” Bowen says.
Further complicating matters is the question of what happens when an EU citizen’s right to erasure comes into conflict with other regulations, such as state retention policies that require records be kept for a specific length of time.
“First off, they would have to be subject to the GDPR,” Greene says. In the case of the Belgian tourist with the broken leg, the GDPR is not likely to apply to that hospital in Colorado, unless, for example, the hospital is involved in research conducted in the EU. In which case, Greene recommends consulting with counsel just to be on the safe side, not that he thinks it’s a huge concern.
Similarly, McLendon says, “This is my opinion, and I’m not a lawyer, but nobody’s going to have the right to erase medical records faster than whatever provider of care wants them erased. If you read very closely the right of erasure, medical records would be protected.”
A Note on the California Consumer Privacy Act
The United States’ nearest attempt at a privacy law similar in scope to the GDPR is the California Consumer Privacy Act, which is set to go into effect January 1, 2020. The most robust privacy protection passed in this country, the hastily composed law is already triggering similar legislation in other states.
“It’s not an ideal law in many respects,” says Greene, who hopes that as states begin to emulate California’s action, they will go more slowly and work out some of the kinks.
What’s inevitable is that the United States will get on board with more appropriate privacy laws, and US companies that shrug off the GDPR may want to heed a warning from McLendon: “If they don’t get you with the GDPR, the state laws will sweep you up in the next few years.”
Bowen, Greene, and McLendon all would love to see national legislation such as the GDPR passed in the United States, but none of them hold hope that will happen anytime soon.