With the effective date of the European General Data Protection Rule (GDPR) looming, it's important for all U.S. companies including physician practices, regardless of size, to appreciate and understand the law.
It's easy to know something is a "big deal" when a click on a website reveals a count-down timer.
Such is the case with GDPR – "the most important change in data privacy in 20 years." Agreed upon by the European Parliament and Council in April 2016, GDPR will replace the Data Protection Directive (95/46/EC), which was passed in 1995. The effective date of the law is May 25, 2018, and there are items that all providers should know about the law and how it relates to their practice.
There is good news and bad news associated with GDPR. First, if your organization is HIPAA and HITECH Act compliant, aside from changes in contracts and a few policies, the security standards should be met – this is the good news.
The bad news is that GDPR is extra-territorial in scope. This means that "regardless of whether the processing [of an EU citizen's data] takes place in the EU or not" – the law reaches "to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to the offering of goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behavior that takes place within the EU." As an aside, one can analogize controllers and processors to covered entities and business associates – in both instances, liability is now equal.
We know that HIPAA and the HITECH Act can carry significant penalties. GDPR makes those fines look like the cost of an ice cream cone. Like HIPAA and the HITECH Act, breach notification is mandatory and a tiered penalty approach is used. However, the timeframe for reporting a breach under GDPR is significantly less – within 72 hours of becoming aware of the incident. Organizations found in breach of GDPR, by way of contrast, potentially face up to 4 percent of annual global turnover or 20 million Euros – whichever is greater.
For physicians and other providers, the first step is to see who is accessing your website. Where are the perpetrators located? Is data being collected? The next step is to look at all business associates and subcontractors, including cloud providers and data centers, to see where they are located and where the data of any EU citizens is being processed, housed, collected or transmitted.
Next, the following items need to be considered: contracts, business associate agreements, right to access, right to be forgotten, data portability, privacy by design and data protection officers. This should provide a starting point for a law that should not be ignored, given the jurisdictional reach of the EU.