
Never was health information privacy as threatened as when the 75-year-old Rolling Stones star Mick Jagger visited the US to undergo a procedure on his heart. When even highly respected newspapers like the New York Times were detailing the kind of cardiac procedure Mick Jagger had undergone, and how he was resting, you knew that both HIPAA and GDPR had gone for a toss. While Jagger isn’t a US citizen, the hospital where he underwent the procedure is certainly a covered entity as defined by the Privacy Rule and the Final Omnibus Rule. Further, Brexit or not, the UK remains within the purview of the GDPR. This matter has highlighted how fragile data privacy and security norms are in practice.
Background: Data privacy and security are increasingly coming under threat regardless of which part of the globe you inhabit. Though the regulation covers banking and other sectors too, we will focus on the impact the EU General Data Protection Regulation (GDPR) has had on healthcare data privacy. The US healthcare system has had to be compliant with the provisos of the Health Insurance Portability and Accountability Act (HIPAA), and its ancillary laws and regulations, namely, HITECH, the Privacy Rule, the Security Rule, the Breach Notification Rule, and the Final Omnibus Rule, for more than two decades.
Look Back in Anger or Regret?
Technically, US healthcare organizations should have enjoyed a smooth transition to GDPR compliance. There has been so much activity, including major breaches, under HIPAA and its supplementary rules that one would have thought the US healthcare industry particularly amenable to GDPR compliance, with its focus on data privacy. It is almost a year since GDPR was implemented, so this is a good time to review how well (or ill) American healthcare organizations have fared. These would be the companies or organizations which have dealings in any country within the European Union (EU), manufacture healthcare products which are sold in the EU, are registered in Ireland (for tax purposes), or employ people who are citizens of any EU country.
To Whom Does GDPR Apply?

There has been a measure of confusion in this matter, as the regulation does not refer to citizenship per se. It is concerned with geographic jurisdiction: where a person resides, temporarily or permanently (that is, their current location), at the time any data is used. So, a citizen of any EU country residing anywhere outside the EU can’t claim data protection under GDPR. However, if one of your patients needs to travel to any EU country and must wear a health device which collects data, then you, your patient, and the manufacturer of the device all come within the purview of GDPR.
Cross-Border Implications of GDPR

For any healthcare organization or company which needs to collect data within the EU, or, as the GDPR spells it out, the European Economic Area (EEA), data sourced in the EU is protected by GDPR regardless of where it is used or accessed, according to Article 3 of GDPR. Such data would include genetic data, biometric information, data surrounding your patients’ PHI, addictions, sexual orientation, and any medication your patients need to take, especially if they require prescription refills while in the EEA. This implies that, as a non-EU entity, if you need to source, access, and/or use data from the EEA, you will need to establish a proxy or representative entity there to represent you in all regulatory matters.
Consent Is Central to Data Use
As in the HIPAA Privacy Rule, consent is central to the use of personal data under GDPR, even when the information is collected from a visitor to a website. Collecting consent once won’t serve for a lifetime. You must seek consent every time there is a transaction on your website, even if it is simply access to a medical journal analyzing prevention methods for certain ailments, or a healthcare newsletter for professionals which you publish. Analyze whatever data you store on your website’s server to calculate which will be greater: the cost of deletion, or the cost of encryption.
The California Consumer Privacy Act of 2018
In this context it is worthwhile to note that the California Consumer Privacy Act of 2018, AB 375, which passed into law in July 2018, has GDPR-like features in its bid to protect consumer privacy. Some of these features include the right to be informed why any data are being collected, with whom they will be shared, and why; the right to be forgotten, i.e. the right to have all personal data deleted upon request; the right to request that personal data not be sold to a third party; and, most importantly, as in HIPAA, the right to seek legal redress in case of failure to protect any information.
Sit Up and Take Note
This should serve as a warning to all healthcare providers and covered entities operating in California, or treating patients who are citizens of California, to be doubly cautious in safeguarding protected health information (PHI). Since the way health data is created, stored, used, accessed, analyzed, and shared has changed radically, especially to protect payments, it becomes even more critical for any healthcare provider, insurance carrier, clearinghouse, and business associate of a covered entity to be compliant on data privacy and security.
Erect a More Sophisticated Data Security Environment
Since GDPR imposes back-breaking fines for breaches and non-compliance, it becomes imperative to erect a more sophisticated data security environment. Unlike HIPAA, any breach under GDPR must be notified to the Supervisory Authority within 72 hours of the data controller discovering it. Individuals also must be notified if they have been negatively affected by the breach. If, as a healthcare provider, you have an online presence, GDPR has special implications for you. If the visitors to your website include people who are located in the EEA, then your policies regarding cookies, RFID tags, login information including email ID and telephone number, IP address, and other data which you collect would attract the provisos of GDPR.
Do this: Always seek permission before collecting any personal data, and be circumspect about its usage and sharing. Make any data collection explicitly opt-in. Also, make opt-out easier by responding swiftly to data requests from contacts. Update your privacy policy and terms and conditions of use with reference to GDPR terminology. Don’t forget to create a cookie policy notification banner. If you advertise on a social networking site, or host a page there, keep the advertisements and the page GDPR compliant. Transparent data policies will afford your organization protection should you come under the Supervisory Authority’s scrutiny. Anonymize any personally identifiable data or information.
Moot Point Often Overlooked by Experts
Since the US is not on the list of countries that provide an “adequate level of data protection”, GDPR prohibits the exchange of personal data of people residing within any EU country, despite there being an EU-US Privacy Shield ratified in 2016. The primary reason for this is that President Trump’s Executive Order 13768, signed in the very first week after he took the oath of office, carried the sentence, “Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”
Exceptions under Binding Corporate Rules or Code of Conduct
However, if certain data are collected or exchanged under Binding Corporate Rules (BCR) or a defined code of conduct, they would still need to comply with GDPR provisos to be permissible. The healthcare provider or insurance carrier of an employee of an American company or organization who is currently located in the EEA would necessarily need to collect health data, including family health history and history of present illness, and might need to monitor vitals like pulse rate and blood pressure for a cardiac patient or an individual who is considered high risk for cardiac disease.
Keep data security airtight before sharing: Such data collection could come under the exceptions permitted by GDPR as long as other security provisos, such as appropriate training, audits, and dispute resolution, are in place. Please read Article 47 of GDPR for more details. Where the data need to be shared with a third party such as a billing office, clearinghouse, or even a laboratory, remember to keep the process as airtight from a privacy and security perspective as you would need to in order to satisfy HIPAA and its ancillary rules and regulations.
Demonstrate good faith: As with HIPAA compliance, you should rigorously document the steps you have taken to be GDPR compliant, so as to be able to demonstrate good faith. Such documentation will also throw up any gaps in compliance as well as in data security provisos. Stick to the basics of restricted access, security, integrity, and enforcement to keep humongous fines at bay. Follow the best practices associated with ransomware prevention, including data backup, early protection, audits and preventive monitoring, spam filters, and employee awareness training.
The Sad Reality
According to a study conducted by the Goodway Group at the beginning of 2019, both compliance with and enforcement of GDPR have been slow to take off. TrustArc conducted a research survey after the May 25, 2018 enforcement date. It turned up the shocking result that only 20 percent of companies are GDPR ready. As many as 30 percent of the relevant companies had not even begun preparing for GDPR. The extremely high cost of GDPR readiness has been one of the major deterrents for small to medium organizations and practices, since it involves more than minor tweaks to website settings.
Key Takeaways
- Data privacy and security norms are fragile in practice, especially when the health and personal activities of celebrities are concerned.
- As far as jurisdiction goes, GDPR applies to a person’s current location when any data is used.
- If a non-EU entity needs to source, access, and/or use data from any EEA, it will need to establish a proxy or representative entity there to represent it in all regulatory matters.
- Consent is central to data use in GDPR.
- Analyze whatever data you store on your website’s server to calculate which will be greater: the cost of deletion, or the cost of encryption.
- Since GDPR imposes back-breaking fines for breaches and non-compliance, it becomes imperative to erect a more sophisticated data security environment.
- Anonymize any personally identifiable data or information.
- GDPR prohibits exchange of personal data of people residing within any EU country despite there being an EU-US Privacy Shield ratified in 2016.
Still in Doubt, or Need Guidance or Immediate Assistance?
Why don’t you contact us at (+91 733-113-2288), or write to us at (service@friggp2c.com | friggp2c@gmail.com)?
Also, check out our services like Vulnerability Assessment, Penetration Testing, Code Review, Testing as a Service, and Risk Management on our website www.friggp2c.com.
We are determined to work with and for you and make your organization one of the safest business organizations for you, your customers, and all prospective clients.
About the Author

Veronica is a Certified Lead Auditor (LA) in Information Security Management Systems (ISO 27001:2022) with 3 years of working experience at a US-based HITRUST Certification Body (CB). The HITRUST CSF is one of the most complicated and advanced Common Security Frameworks (CSF) known in information technology, information security, and cyber security. She has also tested SOC 2 Type II controls for large-scale US organizations with multiple locations and business lines globally.
She is currently doing her Master’s in Cybersecurity and has a personal mission to make organizations build and follow a culture of compliance.