The EU data privacy rule, the General Data Protection Regulation (GDPR), takes effect today, and healthcare organizations need to be aware of the regulatory changes to understand how their data exchange and access processes may be impacted. Some organizations may even need to assess and update their health IT infrastructure.
GDPR is a new regulation in EU law that protects the data privacy of people in the European Union and the European Economic Area. It also covers the export of personal data outside the EU and EEA. GDPR gives citizens of the EU control over their personal data.
The GDPR applies not only to EU organizations but to any organization in the world that has access to the data of EU citizens. This could include healthcare organizations collaborating with doctors or healthcare organizations overseas.
These regulations can also affect how organizations implement their IT security and data availability. Non-compliance with GDPR can result in a fine of up to 4 percent of annual global turnover or €20 million, whichever is greater.
Only 48 percent of US industries plan to comply with GDPR, and only 25 percent of US healthcare organizations plan to comply with GDPR, according to Black Book Research.
"It is imperative for U.S. firms to plan and continue their efforts towards compliance to safeguard the continuity of business within the EU and avoid substantial penalties because of non-compliance," Black Book Market Research LLC founder Doug Brown said in a statement.
“With data privacy concerns, particularly medical information on the rise and stringent regulatory requirements like GDPR coming into force, organizations have no choice but to redefine the way they approach data management,” he continued.
Organizations that are not in compliance with GDPR can face heavy fines, and organizations that collect data from European citizens need to be able to prove that they are in compliance.
Health IT vendors are also taking GDPR into consideration. Managed service provider ClearDATA announced new GDPR compliance features for its managed public cloud. The dashboard now includes functionality and reporting capabilities so that clients have a full view of their environment and can confirm at any time that they are in compliance with GDPR.
“Because of ClearDATA’s healthcare-exclusive focus on security and compliance in the cloud, we are prepared for GDPR and can assist our customers in achieving and maintaining compliance - just as we have done with HIPAA regulations,” ClearDATA Founder and Chief Privacy and Security Officer Chris Bowen said in a statement. “We have interpreted the articles of GDPR and created a view of compliance for them in our dashboard, so customers impacted by GDPR can quickly confirm that their public cloud solutions comply.”
ClearDATA also stated that US organizations may be surprised to find that they are affected by GDPR.
US healthcare organizations need to take measures for GDPR compliance if:
- The organization processes personal data of EU individuals.
- The organization is established in the EU.
- The organization is established outside the EU and processes data for goods and services offered in the EU.
- The organization monitors the behavior of EU individuals.
To avoid security risks or unknowingly violating GDPR, organizations need to conduct security risk assessments to determine whether their current security infrastructure meets GDPR standards, and to determine whether they currently meet, or will meet, at least one of the criteria above.
Organizations should also consult their IT security vendors to confirm whether they have plans to address GDPR, and how those plans will affect the security solution and the way it is deployed.
Although it may seem that GDPR will not affect US healthcare organizations, many providers will be impacted. Organizations with telehealth relationships with hospitals in the EU, or with affiliates in the EU, will need to take the time to reassess their security to avoid fines.