The General Data Protection Regulation (“GDPR”) establishes protections for the privacy and security of personal data about individuals in the European Economic Area countries (all European Union member states, Norway, Iceland and Liechtenstein – referred to for purposes of the GDPR as the “EU”). The GDPR became effective on May 25, 2018, and is a substantial change to EU privacy and security laws. The GDPR has significant implications not only for EU-based organizations, but for non-EU based organizations that conduct business or business communications in EU countries.

On a very basic level, the GDPR regulates the collection, use, disclosure or other “processing” of “personal data” by controllers and processors. GDPR requires organizations to let individuals know how their data is being used, and requires them to get individualized consent – in clear, specific language – before using their data. If the reason for using the data changes, the organization will need to obtain the individual’s consent again. For example, if an organization collects someone’s medical history for clinical care, the organization would not be allowed to use that history for medical research without receiving a second consent.

Individuals also have new rights under the regulation, including the “right to be forgotten.” If an individual asserts this right, all of the individual’s personal data must be erased immediately as long as the data is no longer needed for their original processing purpose, or the impacted person has withdrawn his consent and there is no other reason for maintaining the data (e.g., statutory recordkeeping requirements).

If an organization violates the GDPR, it will be subject to maximum fines of 4% of annual global revenue or 20 million euros, whichever is greater. That’s a considerable difference when compared to what US health systems have paid for data breaches. In 2016, for instance, Advocate Health Care agreed to pay $5.55 million to settle data protection violations that affected about 4 million patients. If it had faced the maximum GDPR fine, that would have amounted to over $200 million.

Extraterritorial Reach

As mentioned above, an important aspect of the GDPR is its extraterritorial reach. US-based companies with no physical presence in the EU are subject to the GDPR in the following situations:

  1. The offering of goods and services (even if for free) to individuals in the EU. This is more than the mere access to a website or an email address. If a hospital’s marketing activities, for example, are intended to recruit individuals in the EU, this may bring the hospital under GDPR. Are any physicians marketed in their bios as being “internationally recognized” or is the facility “world-renowned?” Or, by way of another example, do any physicians offer second opinions to their EU colleagues for EU residents? If so, GDPR compliance may be required.
  2. The monitoring the behavior of individuals in the EU (e.g., tracking individuals on a website through the use of cookies or logging IP addresses).

Basic Definitions

In order to help you understand how GDPR applies, the following are some basic definitions for terms commonly used in the regulation:

“Data Controller” is defined as any individual or entity that determines how and for what purposes personal data is processed.

“Data Processor” is defined as any individual or entity that processes personal data for a data controller, other than the controller’s employee.

“Personal Data” is defined as “any information relating to an identified or identifiable natural person” who is in the EU, regardless of the individual’s EU citizenship status. An individual is identified or identifiable if the individual can be “identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

“Processing” is very broadly defined and essentially applies to anything that is done to or with personal Data.

Common Questions for Healthcare Facilities

  1. Does PHI Become Personal Data Protected by the GDPR if a US-Based Provider Treats an EU Resident at a Facility in the United States?
    No, PHI is not personal data merely because it concerns an EU resident. Remember that the data must concern an individual located in an EU country. Generally, individually identifiable data collected from an EU resident at a location in the United States will be subject to US law unless the data was solicited from an individual while the individual was physically located in the EU, or the organization continues to monitor the EU resident after the resident returns to the EU, such as part of post-discharge patient engagement programs.
  2. Is Consent Required for a US-Based Provider to Transfer PHI about an American Who is a Tourist in the EU to a Health Care Provider in the EU for Treatment Purposes?
    If an EU health care provider requests a copy of medical records or other protected health information for treatment purposes, GDPR will not regulate the US provider’s transfer of the PHI merely because it is being transferred to the EU. Under the GDPR, the ad hoc transfer of records or other information alone should not constitute the offering of goods or services or monitoring individuals in the EU. The US provider will, however, need to comply with any consent requirements under any federal and state privacy laws.
    Reverse the situations – when an American travels to the EU for business, vacation or other purposes, an EU health care provider must protect the individual’s privacy in accordance with GDPR while the individual is in the EU.
  3. Does GDPR Change Anything with HIPAA?
    No, but being HIPAA-compliant does help with GDPR compliance. If a healthcare organization is following HIPAA, most of the foundational work for becoming GDPR-compliant has been done.

By Grayson J. Derrick of Baird Holm