GDPR Compliance – What US Healthcare Organizations Need to Do

The General Data Protection Regulation (GDPR), Europe’s new framework for data protection laws, will require U.S. healthcare organizations to think well beyond the Health Insurance Portability Accountability Act (HIPAA). Important considerations include data flows, handling data, cross-border data transfer, data privacy, security monitoring and overall policy compliance for international patients.

In this blog post, we will explore the GDPR key requirements for U.S. healthcare organizations.

Adopted in April 2016, the GDPR will be fully enforced on May 25, 2018 by the UK Information Commissioner’s Office (ICO). The GDPR is designed to standardize data privacy and protection laws across Europe, but it will impact processes, technology, relationships and communication internationally. The new obligations pertain to any organization that handles EU data, whether that organization is in the EU or not. Hence, U.S. healthcare organizations will need to safeguard EU patients’ data based on the GDPR in addition to HIPAA and other U.S. regulations. The GDPR fundamentally changes how personal and sensitive data can be used, processed, managed, stored, deleted and disclosed.

Healthcare organizations will need to prove that they have adequate processes in place to manage and protect EU residents’ “personal data.” The ICO may request written documentation in support of GDPR compliance. Key requirements of the GDPR are listed below.

Accountability, Policies and Procedures

• Appoint a Data Protection Officer (DPO) responsible for data processing
• Document privacy and security policies and procedures
• Implement GDPR special codes of conduct

Compliance and Risk Activities

• Measure effectiveness of privacy and security compliance controls
• Implement risk-based approach for data processing
• Define risks presented by data processing activities
• Implement Data Protection Impact Assessment (Article 35)

Implementation of Security Measures

• Implement controls and processes related to potential security threats, vulnerabilities and breaches
• Utilize pseudonymization and encryption as controls
• Regulate controls to ensure the ongoing confidentiality, integrity, availability, and resilience of systems and services
• Enable restoration of availability and access to data and services, in timely manner, in the event of a security incident
• Implement process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures

Summary

Alignment of data handling practices with GDPR is mandatory, and time is critical! Be sure to familiarize yourself with the GDPR challenges and requirements associated with collecting and using EU residents’ personal data. Map those to your organizational policies and procedures. Understand the impact of GDPR, educate and train staff, and get professional guidance as necessary. The GDPR compliance date of May 25, 2018 is just around the corner!

For more information on the EU General Data Protection Regulation, please refer to https://www.eugdpr.org/