Modern Healthcare

Privacy gets complicated for data crossing the pond

By Rachel Z. Arndt

With the European Union’s General Data Protection Regulation policies becoming reality on May 25, privacy and technology leaders in healthcare are preparing for subtle but notable changes in how they manage data.

WHAT IS THE GDPR?

The EU passed the General Data Protection Regulation in 2016 with the goal of giving people control over their personal data. If an organization violates the GDPR, it will be subject to maximum fines of 4% of revenue or 20 million euros, whichever is greater. That is huge compared with what U.S. health systems have had to pay for data breaches. In 2016, for instance, Advocate Health Care agreed to pay $5.55 million to settle data protection violations that affected about 4 million patients. If it had faced the maximum GDPR fine, that would have amounted to $224 million.

WHAT DOES IT MEAN FOR PATIENTS IN THE U.S.?

The law applies only to people who are located in EU countries. As long as a U.S. patient’s data stays within the U.S., the information is subject only to HIPAA rules, not to the GDPR.

WHAT DOES IT MEAN FOR U.S. PATIENTS IN THE EU?

If a U.S. patient generates data while in the EU, those data are covered by the GDPR just as they would be for an EU citizen. So no matter where a person is from, if they’re in the EU and generating data there, the data will be protected by the GDPR.

WHAT DOES IT MEAN FOR EU PATIENTS IN THE U.S.?

If a French doctor who saw a patient in the EU sends data from that encounter to a U.S. provider while the patient is in the U.S., the GDPR applies to the French doctor’s data handling but not to the receiving organization in the U.S. But if that U.S. organization follows up with the patient when the patient is back in the EU, and the patient provides information to the U.S. organization related to that follow-up, then the U.S. organization would become subject to the GDPR.

WHAT DOES THE GDPR MEAN FOR RESEARCH?

If a U.S. organization participates in a study that includes people located in the EU and it collects or receives information on those people, the organization will be subject to the GDPR.
