Posted In: Cybersecurity & Data Privacy & Health Care
Technology & Health Care
Compliance Checkup: Part One: Does Your Practice Need to Comply with the General Data Protection Regulation?
on September 10, 2019
I’d like to introduce you to my colleague, Craig Horbus, a partner at Brouse McDowell. He’s actually a superhero without a cape — he helps companies of all sizes and in all industries address data security issues. You may have heard of the General Data Protection Regulation, or GDPR, the European Union’s data privacy regulation. In today’s Compliance Checkup, Craig will provide you with a primer on GDPR and how it could affect your health care practice, in part one of a two-part series. Stay tuned for Part Two later this month.
In 2016, recognizing the value of personal data and the need for stronger protections around it, the European Union (EU) adopted the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679; it became enforceable on May 25, 2018. GDPR is a strict set of rules designed to give individuals in the EU more control over their personal data. Note that GDPR's term is "personal data," which is broader than the U.S. notion of personally identifiable information (PII): it covers any information relating to an identified or identifiable person, not just data that uniquely identifies someone. (Think of GDPR as a HIPAA-like regime for personal information generally, not just health information.) Companies, institutions, organizations, and government agencies that process the personal data of individuals in the EU must comply, whether or not those individuals are EU citizens. The goal of GDPR is to give those individuals (the "data subjects") more transparency about how their data is used, more control over it, and stronger safeguards protecting it.
What is GDPR?
Under GDPR, every use of personal data needs a lawful basis. Consent is one of six such bases (others include performance of a contract and the organization's legitimate interests), and where it is relied on it must be freely given, specific, informed, and as easy to withdraw as it was to give. For health, genetic, and biometric data (the "special categories"), explicit consent or one of a short list of narrow exceptions is required. Data subjects must also be granted rights over their data, including access, correction, erasure, portability, and the right to object to processing. Personal data is any information relating to an identified or identifiable individual and includes names, addresses, photographs, IP addresses and other online identifiers, and sensitive data such as medical records and genetic or biometric data. GDPR also requires an organization to notify its supervisory authority of a personal data breach within 72 hours of becoming aware of it (and to notify affected individuals when the breach is likely to pose a high risk to them), and any organization found to be noncompliant may face fines of up to 20 million euros or 4% of annual worldwide turnover, whichever is higher. Sounds like HIPAA, right?
How GDPR May Affect Your Medical Practice
GDPR's reach does not stop at the EU's borders, but it is not unlimited either. Because most U.S. health care practices treat only patients who live in the U.S., it would seem that GDPR has little application to a medical practice. The regulation, however, applies to organizations outside the EU in two situations: when they offer goods or services to individuals in the EU (whether or not payment is required), and when they monitor the behavior of individuals in the EU. The second situation is how GDPR most often reaches a U.S. practice, through its website and social media presence. A newsletter sign-up form or a contact form that collects an email address for marketing purposes is one obvious data collection point. Less obvious are the analytics scripts, advertising pixels, and cookies embedded in most practice websites, which record a visitor's IP address, device and browser identifiers, and browsing activity for every visitor, including EU residents who find your site through search or social media and will never be your patients. An IP address is personal data under GDPR, and profiling visitors in this way can amount to monitoring their behavior. Mere accessibility of your website from Europe is not, by itself, enough to trigger GDPR; what matters is whether your site targets individuals in the EU or tracks them. Rather than assuming you are exempt, then, the prudent course is to inventory what your website and marketing tools collect, from whom, and where that data goes, and to build a GDPR compliance strategy around what you find.
Furthermore, GDPR does not carve out government bodies. The same territorial test applies to a public entity as to a private one, so a Federally Qualified Health Center (FQHC) or other publicly operated practice whose website or marketing tools collect data from individuals in the EU must analyze and revamp its data collection, use, and storage practices in the same way.
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for, legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this Blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney-client relationship is created or implied by this Blog. © 2024 Brouse McDowell. All rights reserved.