In late May 2018, the European Union officially implemented the General Data Protection Regulation (GDPR), a law that affects every organization collecting and storing EU citizens’ data, regardless of where they’re based.
While the healthcare industry is no stranger to regulations or to the stiff penalties for failing to comply with them, GDPR may be one of the strictest policies yet. Given the increase in cyber crime and data breaches, and the dramatic costs associated with non-compliance, meeting General Data Protection Regulation guidelines is something you likely can’t afford not to do.
But how exactly does GDPR affect how healthcare organizations collect and process patient data? Here’s what you need to know.
1. GDPR is broader than HIPAA.
While both regulations require organizations to take measures to protect the privacy of patients’ health information, GDPR extends protection to all of an individual’s data, whether related to their health or not. According to the full-text version of the regulation, protected data includes:
“...a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
2. You cannot process data without clear consent.
GDPR forbids healthcare organizations from processing data unless a patient has given “explicit consent.” In other words, patients must opt into data processing rather than opt out of a pre-checked box.
3. You must disclose exactly how you will use patient data.
4. Healthcare organizations may be required to appoint a Data Protection Officer (DPO).
Every healthcare organization has a HIPAA security officer, a duty usually given to an IT manager or general compliance officer. A DPO, however, is a much more clearly defined role that must be filled by a professional with expert knowledge of data protection law and practice, and expertise in security. Large organizations that process large-scale data sets, such as hospitals, will likely need to appoint a DPO.
5. You must report data breaches within 72 hours.
If any of the data you store is lost, altered, destroyed, or accessed by unauthorized parties, your Data Protection Officer (DPO) must report it to regulators and impacted individuals within 72 hours of discovering the breach.
6. Patients have a right to know what data you’re processing.
If at any time a patient requests to see the data your organization is processing, the data controller must provide a full copy of the processed data free of charge. Additionally, GDPR grants individuals the “right to erasure,” which means a patient can request that data be removed or deleted for one of six reasons:
- The patient has decided to withdraw consent
- The patient objects to the processing of their data
- The original purpose of the data processing has been fulfilled
- The organization is court ordered to erase data
- The data was collected unlawfully
- The data relates to a child
GDPR only applies to healthcare companies that are collecting and processing data from individuals within the EU, but there’s a good chance similar regulations will be rolled out in other regions of the world in the coming years. While meeting these requirements may take extra time and effort, avoiding hefty fines and establishing a greater sense of trust with your patients are well worth the commitment.