General Data Protection Regulation (GDPR) Act and the U.S. Healthcare

May 4, 2018

In 2018 so far, the United States has already reported several critical breaches of healthcare data, including incidents at UnityPoint Health System, Florida Medicaid, and Hancock Health. The systems were compromised in several ways. The most common mechanism attackers used to gain unauthorized entry was sending phishing emails to healthcare system employees; these emails are designed to mimic messages sent from official system email addresses. Attackers also gained entry to otherwise heavily protected health systems by capitalizing on unsecured Wi-Fi networks or misconfigured servers, which reflects the limited attention data security currently receives in the U.S. healthcare system.

The United States government has intensified its punitive measures for data breaches involving health-based personal information. However, a soon-to-be-enforced European Union (EU) regulation will also affect this objective. The General Data Protection Regulation (GDPR) Act of 2016 is intended to establish consumer ownership of personal information by requiring specific procedures for ensuring data security at the institutional level. In the language of the act, personal data encompasses information about one’s personal, private, and/or professional life and can include health information, social media, bank details, or one’s computer IP address. Healthcare information is clearly a topic of public interest here, because the regulation will heavily influence how sensitive health data is managed after 2018 at the global level.

The EU and the U.S. often influence each other, particularly concerning regulation. Once the majority of EU-serving companies are held to the GDPR, it may encourage the introduction of similar legislation in the United States. In that event, healthcare practices would be held to a much higher standard of data privacy and information security. For example, the concept of patient consent would be strengthened: the patient would have to provide explicit and unambiguous consent to each stage of data processing. Healthcare organizations would thus have to implement more rigorous methods for obtaining consent from patients. This could be a method as simple as multiple check-boxes on the patient’s electronic medical record, or a more demanding measure such as requiring the patient to author and sign a declarative statement affirming consent for each form of data processing, such as storage in a cloud, international data transfers, transfers within healthcare institutions, etc.

Furthermore, under GDPR-type legislation, patients would have certain expedited rights to their data. For example, under the GDPR individuals have a right to Data Portability, that is, the right of a patient to have their data sent to them promptly; the Right to Be Forgotten, a broader statement of the patient’s right to have their data erased; and the Subject Access Right, which dictates that the patient’s data can be requested free of charge and that the request must be addressed within one month. Such expedited rules would likely accompany a U.S. transition to a GDPR model.

The high-level goal of data regulations is transparency and security – ensuring that patients have rights over their personal data and can trust that their sensitive health information is secure. Come May 25, 2018, a large proportion of U.S. healthcare companies and practices will become subject to the GDPR if they serve EU residents. To achieve the goals of data security, practices will have to work with a data protection officer, an expert tasked with controlling and managing the data, including provisions for pseudonymity or anonymity, and with sanctioning offenses should the rules not be followed. Moreover, as the trend toward tightly controlled data management spreads to nations outside the EU, it is highly likely that GDPR-type legislation will reach the U.S., affecting those groups not already held to the GDPR. Healthcare companies, practices, and administrators should prepare for this impending global trend by investing pre-emptively in strategic and robust systems for data security.