Compliance Checkup: Part Two: Does Your Practice Need to Comply with the General Data Protection Regulation?
By Craig S. Horbus & Laura F. Fryan on September 24, 2019
Part II: Does Your Practice Need to Comply with the General Data Protection Regulation?
Remember earlier this month when my colleague Craig Horbus gave us a primer on the General Data Protection Regulation, or GDPR? Catch up here if you need to, and read on for Part II on what GDPR requires and how to comply.
Core GDPR Requirements
The General Data Protection Regulation contains a lot of requirements that need to be followed for compliance:
- Your organization must obtain consent to collect and use personally identifiable information (PII) of data subjects. Your terms of consent must be clear and cannot contain complex language that the ordinary reader would not understand. Consent must be easy to give and must also be freely withdrawable at any time. Consent must be specific and must be requested separately from other documents and policy statements. GDPR also requires parental consent to collect or process PII of children under the age of 16.
- Timely breach notifications must be provided to data subjects in the event of a data security breach. Under GDPR, you have 72 hours to report the data breach to your affected data subjects and any data controllers.
- Data subjects must be granted access to their data. Upon request, you must be able to provide a free and fully detailed electronic copy of the data that you have collected from a given data subject. The detailed report must also include the various ways that your organization has used, and is currently using, their PII.
- Data subjects must be given the right to be forgotten, also known as the right to data deletion. Once the original purpose or use of the data has been realized, your data subjects must have the right to request that their PII be completely erased from your systems.
- Organizations must grant data subjects the right of data portability. This right allows users to obtain their personal data from your organization and reuse or transmit that data to different controllers outside of your organization.
- Your business must implement privacy by design. Your organization is responsible for including data protection protocols at the onset of designing your systems rather than later including protection protocols as an addition.
- You must determine whether your company needs to appoint a Data Protection Officer (DPO). This requirement depends upon the size of your company and your current level of data collection and processing.
- Organizations must determine whether a Data Protection Impact Assessment (DPIA) is necessary. A DPIA is a process that helps organizations identify and minimize risks regarding data processing. DPIAs are usually undertaken when an organization introduces new data processing systems or technologies.
GDPR’s Impact on the Health Care Industry
Although GDPR affects all industries, its impact is potentially even greater on the health care industry because of the massive amounts of PII collected in electronic medical record (EMR) systems for patient care. GDPR radically changes how patient data must be managed and gives patients, as data subjects, control over the PII collected by health care organizations. Although there is some overlap in terms of data storage and security, GDPR extends beyond a health care provider’s HIPAA requirements by requiring protocols through which patients can request that their PII be deleted or destroyed. The first step is to understand whether your practice interacts with EU citizens, even indirectly through a website or the internet. Then a review must be done of how PII is obtained, how it is used, and where it is stored. Finally, if your practice treats EU citizens, it should establish a GDPR compliance strategy for the PII you control, including within your EMR system.
GDPR Compliance Guidelines
The following points provide best practices for GDPR compliance:
- Know your data, where it lives, what your website and social media sites track and monitor, and if you’re collecting PII from potential EU citizens.
- Know your data controls, document your data flows and legal grounds of processing, and confirm consent, if necessary.
- Develop internal and external policies – regularly update privacy policies.
- Create a culture of compliance – educate and train your employees.
- Perform privacy/security impact assessment on new projects and core changes.
- Ensure management and IT are on the same page.
- Review your information security controls.
- Develop a process for responding to data breach attacks.
- Review your contracts for adequate language (e.g., agreements with vendors with whom you may also have a Business Associate Agreement (BAA)).
- Develop an audit strategy and audit your program.
- Measure effectiveness and maintain strong documentation.
Consequences for Non-Compliance
Organizations that fail to comply with the General Data Protection Regulation may be fined up to $22.4 million, or 4 percent of their annual global turnover, whichever is greater. The exact extent of fines imposed on an organization for failing to comply with the GDPR will depend upon the severity of the breach and the compliance actions taken as a result of the breach.
The General Data Protection Regulation is something that your practice needs to take seriously. Progressive organizations should make every effort to be compliant with GDPR to reduce corporate risk and eliminate liability related to data management. Implementing strong data rights management practices will be beneficial to your practice, employees, and patients, as the increased level of transparency in data processes will strengthen the relationships between organizations and the individuals they serve.
The GDPR is a complex topic, and although this article may provide insight into its basics, you should consult with legal professionals to ensure that you are in compliance. Organizations with any questions regarding the applicability of the GDPR to their current business practices, or seeking information on how to become GDPR compliant, should contact the Health Care Group at Brouse McDowell.
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this Blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney client relationship is created or implied by this Blog. © 2019 Brouse McDowell. All rights reserved.