The General Data Protection Regulation (GDPR) of the European Union (EU) is like HIPAA...and then some. In fact, if you thought HIPAA had high fines, the revised GDPR will give you a run for your money. So, do yourself a favor and take the precautions necessary to abide by these new regulations, which are set to go into effect on May 25, 2018.
What is the GDPR?
The GDPR is a law in the European Union that enforces data protection and privacy for all of its citizens and residents. However, it is far-reaching and will impact how data is stored and managed in the United States. While some businesses are being affected more than others, health care practices are not exempt. To put this into perspective, HIPAA violations could get you fined anywhere up to $1.5M along with imprisonment; with the GDPR, the minimum fine is 2% of your global annual turnover or €10M - whichever is higher. That’s right. Do we have your attention now?
HIPAA vs GDPR - What Should I Know?
HIPAA governs what is called in the United States Protected Health Information, or PHI. It is only concerned with the secure transfer of private medical data between points of contact. The GDPR covers EVERY piece of information that can identify a person, so it is not limited to healthcare. In fact, you will find the GDPR causing waves in even your favorite web and mobile applications that have nothing to do with healthcare.
HIPAA grants patients the right to get a copy of their health records (for an associated cost at the discretion of the practice). With the GDPR, you get them for free. Also, while HIPAA allows you to place a restriction on your PHI and how it can be distributed or used, the GDPR allows patients to request that their PHI be completely deleted from a practice’s archives.
While both HIPAA and the GDPR require strict security measures to ensure confidentiality and security when transferring PHI, they differ in their timelines for breach notification. With HIPAA you have to inform the US Department of Health and Human Services within 60 days of a security breach of electronic PHI. You are also required to inform the media if the breach affected 500 or more individuals. With the GDPR, however, you have only 72 hours to notify the authorities and those affected.
HIPAA does not require a patient to sign a consent form or authorize the release of their PHI for treatment or payment purposes. This is why you don’t have to authorize your general practitioner to work with your insurance policy, or why you don’t have to give consent to a physician’s office to get a debt collector to come after you for not paying your medical bills. With the GDPR, you must have explicit consent for any interaction with PHI other than direct patient care. Furthermore, health care organizations must be able to prove that this consent was given under appropriate conditions and that the individual was of sound mind and aware of the use of their PHI.
Don’t get caught paying fines for non-compliance with the revised GDPR! It doesn’t matter if you are outside of the EU - the GDPR most likely still applies to you. If you have any patients in your system who are EU passport holders, do your due diligence and make sure you are compliant. Remember that the GDPR is a more rigorous version of HIPAA. Just because you are abiding by the HIPAA guidelines does not mean you are compliant with the GDPR.