By John Barchie
In 2017, over 8.1 million citizens of European Union countries visited the United States as tourists, according to the U.S. Department of Commerce. Most of them probably visited attractions and returned home without incident, but a few will have needed medical attention for an injury or illness during their visits. When the EU's General Data Protection Regulation (GDPR) takes full effect on May 25, 2018, together with its penalties for non-compliance, it will change how health care providers in the U.S. must store and protect information about EU patients, under certain circumstances. How far the regulation reaches will have to be determined case by case, and until a breach involving EU records actually occurs, health care facilities may not have a clearly defined example of when and where GDPR applies. So it is best to prepare as if it does and avoid potential future fines.
For example, if a vacationing EU citizen comes down with the flu and visits a local urgent care facility for diagnosis and medicine, that visit and the information the urgent care collects on the patient will likely not be covered by GDPR. However, if the urgent care has to request files or medical history from the patient's doctor in the EU, and data on the patient is sent back and forth between the EU and the U.S., then GDPR could apply.
Additionally, if the EU citizen is visiting the U.S. and has to seek care at a name-brand hospital that is internationally known and can be assumed to advertise to people worldwide, then any aspect of the patient's care could be covered by GDPR, even if no records are sent between the EU and the U.S. Let's say an EU vacationer goes skiing in the U.S. and breaks a leg. The individual goes to the local hospital and receives X-rays, painkillers, surgery, and other treatment. If the vacationer requests that his or her records be sent to a primary care doctor in the EU, there is currently no way to know whether that transaction would be covered by GDPR. However, if the doctor treating the patient in the U.S. has medical conversations by phone or email with the primary care doctor in the EU, then it is clearer that GDPR would be in play.
Essentially, GDPR was created to ensure that companies in the EU and worldwide better protect any personal data collected on people in the EU (the regulation is written in terms of data subjects in the Union rather than citizenship, so an EU resident visiting the U.S. is covered on the same terms). GDPR also requires that data subjects be clearly told what is collected and why, and for health data, which GDPR treats as a special category, explicit consent is the lawful basis a U.S. facility would normally rely on; that consent must be freely given, specific, informed and unambiguous. In order to comply with GDPR, health care organizations and facilities would need to ensure they have developed and are using compliant consent forms starting in May. Other GDPR requirements include a deadline for notifying authorities when a breach occurs, along with security requirements (Article 32) that name encryption and pseudonymisation of personal data, in transit and at rest, as appropriate measures.
Current U.S. data privacy regulations, such as HIPAA's breach notification rule and state breach laws, require companies to notify affected individuals if a data breach occurs, but in the U.S. there can be a significant delay between the breach and the notification letter (HIPAA allows up to 60 days); not so with GDPR. GDPR requires that the Supervisory Authority be notified without undue delay and, where feasible, within 72 hours of the organization becoming aware of the breach, even while the breach is still being investigated; the notification may be phased as facts emerge, and the only exemption is a breach unlikely to result in a risk to individuals. Failure to report within 72 hours could lead to significant fines. Maximum fines can reach €20 million (roughly $25 million) or 4% of worldwide annual turnover for the preceding financial year, whichever is higher.
Care facilities that will absolutely need to be compliant with GDPR starting in May are those that can be assumed to be advertising a specialty service to people globally, since offering services to data subjects in the EU is what brings a non-EU organization into scope. This could include hospitals that specialize in particular cancer treatments, transplant surgery, addiction and recovery counseling, etc. Basically, if a care facility is known as the only one in the world to provide a certain service, is located in the U.S., and treats patients from EU nations, then GDPR applies.
Depending on how many EU patients a facility treats, it may be necessary to appoint a Data Protection Officer (DPO). A company is required to have a DPO if its core activities involve large-scale processing of special-category data such as health records (or large-scale regular and systematic monitoring of individuals). The DPO must be available and involved in any event where GDPR-covered data may have been lost or exposed. The DPO will be the point person for any GDPR issue with the affected persons and the Supervisory Authority, and needs to know both the regulation and the company's security protocols. If a company is not required to have a DPO, it should still have a plan for whom it will call if the Supervisory Authority opens an investigation, and take steps to ensure that data on EU patients is collected with consent and stored in a manner that meets GDPR security requirements.
John Barchie, Senior Fellow at Arrakis Consulting, which specializes in GDPR compliance, has twenty years of experience in computer networking, particularly Information Technology and Cyber Security. The majority of his career has been spent developing security protocols for Silicon Valley corporations including Symantec, Paypal, PG&E, KPMG and OpenSky. He has completed security projects for Sony PlayStation and NASA. For more information, visit www.arrakisconsulting.com.