GDPR and Health & Life Sciences Organizations in the US: 5 Facts You Need to Know
The European Union GDPR (General Data Protection Regulation) that was officially enacted on May 25, 2018 doesn’t just apply to organizations operating in Europe – it has a major impact here in the United States, too. And among those being impacted are health and life science organizations. Few would argue the importance of GDPR compliance, but the vast majority of those in the United States who are affected by these regulations don’t necessarily understand what it means.
What follows are five key facts about GDPR that you need to be aware of if you work in health and life sciences.
Fact #1: GDPR defines personal data more broadly than HIPAA does.
HIPAA focuses on Protected Health Information (PHI) and governs the use, disclosure, and protection of PHI by covered entities. As you probably already know, covered entities include health care providers and their business associates, along with service providers and third-party vendors who need access to PHI to perform their services.
GDPR, on the other hand, regulates how personal data is processed, not just PHI – and under the GDPR, almost all information is considered sensitive and therefore protected. This is a much broader definition of protected data. GDPR, therefore, also impacts much more than just the covered entities described by HIPAA. Any entity that processes the personal data (which includes maintaining, adapting, storing, transmitting, etc.) of a business or resident in the European Union falls under GDPR’s purview. Thus, both the type of information protected and the processing activities covered are defined far more broadly under GDPR.
Fact #2: GDPR differs from HIPAA in how it restricts the use and disclosure of personal data.
Both HIPAA and GDPR are structured to prohibit the use/disclosure of personal data unless there is a provision in the regulation that allows it. However, GDPR is far more restrictive than HIPAA and there are fewer exceptions to the provisions. To make matters more interesting, the GDPR is not always as clear in its guidance as HIPAA.
The GDPR affects all residents and business owners located in the European Union, and those who collect their PHI. HIPAA affects healthcare organizations located in the United States only, but healthcare organizations based in other countries that have offices in the US are also required to comply.
Fact #3: HIPAA compliance does not mean GDPR compliance.
As you have probably guessed by now, just because you are HIPAA compliant does not mean that you are automatically GDPR compliant. As discussed, the GDPR covers much more than just PHI. However, being HIPAA compliant means that your company already has experience dealing with compliance issues and has an excellent foundation on which to build solid GDPR compliance. Just keep in mind that there are different requirements involved with GDPR.
Fact #4: GDPR can apply to US Health & Life Science Organizations.
If your organization is considered an establishment in the EU, then it must comply with GDPR. But what does it mean to have an establishment? In a nutshell, having an establishment in the EU means offering goods and services to EU residents. Even if your organization has no physical presence in the EU and is not an EU corporate entity, you are considered an establishment if you offer goods and services to residents of the EU.
Here’s another way your organization can be required to comply with GDPR: if you monitor the behavior of EU subjects. If EU residents go to your website and you analyze or track their behavior, this counts as monitoring the behavior of an EU resident. This is especially true if your website is aimed at EU residents, which includes factors such as using EU-specific language or currency symbols.
Fact #5: The timeframe for breach reporting is much shorter under GDPR than HIPAA.
Under HIPAA, your organization has no more than 60 days to officially report a breach to a regulatory body, the Health and Human Services (HHS) Office of Civil Rights (OCR), unless it can be demonstrated that there was a low risk that the data was actually compromised.
Under GDPR, that timeframe for making an official report to a regulatory body is shortened to just 72 hours. Under GDPR, the affected individuals must also be notified if the breach poses a high risk to their rights and freedoms. Note that the focus of the GDPR is protecting the rights of the individual, while the aim of HIPAA is more about protection of the data itself.
Because healthcare is global, with diseases and illnesses refusing to acknowledge the existence of socio-political borders, the data related to healthcare is as well. In a very real sense, protecting our personal information including healthcare data is a global concern.
If you are part of a life science or healthcare organization in the US that has a presence on the web or works with entities (including business associates and vendors) who operate overseas, then you need to make sure that your organization is GDPR compliant. Being HIPAA compliant is an excellent foundation upon which to build GDPR compliance, but isn’t synonymous with GDPR compliance. While there are many similarities between HIPAA and GDPR, they involve very different goals and GDPR is much broader in its definitions of what constitutes protected data.
For most health and life sciences organizations, regardless of where they’re located, it’s important to understand both HIPAA and GDPR regulations. The fines and penalties for just one violation can be thousands of dollars.