GDPR and the Impact on U.S. Healthcare Providers

A new acronym has begun popping up within the healthcare technology community and is slowly beginning to gain momentum in the way of media coverage and industry articles. If you’ve heard the term GDPR in the past few months and did not understand what it was referring to, know that you’re not alone.

In fact, we conducted a recent webinar poll with over 300 registrants and found that 81% of providers did not know what GDPR was referring to, let alone its potential impact on the U.S. healthcare industry.

Defining GDPR

GDPR stands for General Data Protection Regulation, a new set of rules drafted by the European Union (EU) to give citizens more control over their personal data. Think of a “stricter” HIPAA compliance for EU countries. Back in January 2012, the European Commission began working on plans to create data protection reform across the EU so that European countries would have greater controls in place to manage information in the digital age.

Additionally, GDPR aims to simplify the regulatory environment for businesses so both European citizens and businesses can benefit from a digital economy. Fast forward six years and now in just a few short weeks GDPR will take effect internationally (May 2018.)

The Stateside Implications

The primary question we are asking ourselves at HIPAA One is how will this framework impact U.S. based healthcare providers? Here’s what we know, U.S. companies do not need to have business operations in one of the 28-member states of the EU to be impacted by GDPR.

The new set of rules will require organizations around the world that hold data belonging to individuals who live in the EU to a high level of protection and must be able to account for where every bit of data is stored.

The good news is a large majority of U.S. based healthcare providers will be relatively safe in terms of complying with GDPR. If your organization is not actively marketing your services in the EU or practicing in the EU, a data breach where an EU citizen’s PHI is compromised would most likely be your most realistic brush with GDPR.

For instance, a walk-clinic in New York City seeing many international tourists has a much higher chance of being impacted than say a rural clinic treating mostly local residents. Providers in larger cities with more diverse patient groups will need to be extra vigilant regarding their breach notification standards and security posture.

Controller vs. Processor

An important concept for healthcare entities to grasp when thinking about GDPR is controllers vs processors which can be defined similar to the way we view covered entities and business associates. A processor (business associate) processes data on behalf of a data controller (covered entity) and is required to protect the data just as a controller would.

Much like the HIPAA regulations, GDPR requires controllers/data processes to ensure a level of security appropriate to the risk by implementing technical and organizational measures to mitigate the risk. One way that controllers or processors can demonstrate such compliance is adopting existing leading practices such as COBIT, ITIL, NIST or ISO standards.

How Healthcare Providers Can Prepare for GDPR

With still many unknowns about the true implications of GDPR on the American provider, there are few ways your organization can prepare now to ensure a proper level of readiness.

  • Conduct HIPAA Security and Privacy and Breach Notification Risk Assessment – The HIPAA One SRA and PRA software addresses most of the recommended GDPR controls and checks the box on an important mandatory HIPAA requirement. Double win!
  • Review your current risk governance – An evaluation of your organization’s security posture is a great step in preparing for the growing international cybersecurity climate.
  • Conduct a GDPR Assessment – Our internal research concludes GDPR encompasses approximately 60% of the same standards and regulations as OCR’s HIPAA Audit Protocol (e.g. performing a HIPAA Security Risk Assessment per 45 CFR §164.308(a)(1)(ii)(A)). A complete and comprehensive set of Policies and Procedures can be used to bridge the gap of the remaining 40% of standards covered by GDPR.

Just as we try to do with all cybersecurity and HIPAA related happenings in both the U.S. and aboard, the team at HIPAA One is committed to closely monitoring GDPR requirements and providing our readers with the most up-to-date information we have.

As with all aspects of healthcare, sometimes it feels like the only constant is change. By getting your house in order now, your workplace will be well equipped to navigate any changes brought on by GDPR in the months and years to come.

Learn more about how your practice can get started with a bona fide HIPAA risk assessment today.