Regulations like the GDPR are changing both how we do business and how customers engage with their data. Healthcare is no exception to that rule. Even in light of strict frameworks like HIPAA, health organizations face a number of unique challenges where privacy laws are concerned. Here’s why – and how you can overcome them.
The European Union’s General Data Protection Regulation (GDPR) puts ownership over personal information directly into the hands of the consumer, and introduces harsh penalties for any business that doesn’t meet its duty of care to protect and enable that ownership. And this is just the beginning.

Already, countries like Australia and the United Kingdom have implemented their own versions of the GDPR, while Canada is not far behind. I do not doubt that at one point or another we will see a similar framework in place for the United States. Suffice it to say, no matter your industry, your business cannot afford to ignore what’s happening in the world.

This is especially true in healthcare. Virtually all data you work with is privileged in some way – patient information that’s protected by HIPAA. What’s more, the GDPR specifically references three types of PHI:
- Data concerning health
- Genetic data
- Biometric data
The good news is that healthcare providers in the U.S. are in an advantageous position when it comes to regulations like the GDPR. They should already have strong data governance practices and processes in place with regular reviews performed by a dedicated compliance officer. They should already know where all PHI is stored, how it is accessed, by whom it is accessed and how it is used.

Compliance with the bulk of the GDPR should, therefore, pose no threat to healthcare entities that are on top of their HIPAA compliance efforts. But for those that are not – those that are still dealing with fragmented legacy systems, old paperwork that’s yet to be digitized, and siloed departments – it represents a logistical nightmare. It also carries with it several distinct challenges, even for organizations that are fully HIPAA compliant.

Chief among these is the right to be forgotten, known also as the right to erasure. At any point, a patient may request that the data a business stores about them be deleted, and the business must honor that request. Closely related to this segment is the right for patients to access their personal data on request, free of charge (provided their request is reasonable).

Healthcare agencies will thus need to develop the capacity to quickly locate all information pertaining to a particular patient. They will also need clear policies in place detailing how erasure requests must be handled. Such policies must include guidelines on data that is exempt from the right to erasure. HIPAA and similar regulations require health organizations to retain PHI for a set period of time in the event of an audit, after all.

Though this appears, on paper, to clash with the GDPR, the two initiatives aren’t actually as misaligned as you might expect. The Right to Erasure only applies in certain circumstances. Data which is required for medical diagnoses, provision of care or management of services, such as health insurance, is generally held to be exempt.
Were it not, patients could potentially abuse the regulation to guarantee themselves lower premiums. So, what health data does it apply to? Generally speaking, data which is inaccurate or no longer required for the provision of care.

To help your organization comply with the GDPR, your first step should be to appoint a dedicated data protection officer. This individual must have a solid understanding of both the GDPR and HIPAA. They will work closely with your IT department and your HIPAA compliance officer to update your policies and systems.

Next, conduct a gap analysis, either internally or with the help of a third-party security agency. This will help you understand the areas in which your compliance is weaker and consequently enable you to better direct your compliance efforts. Concurrent with this analysis, conduct a thorough assessment of your data hygiene.

Once you have developed a solid understanding of where you must improve, update your infrastructure and data management framework. The goal is to consolidate your patient data and establish full visibility over your organization’s infrastructure. This will also involve breaking down the silos between different departments, which itself will require a cultural shift of sorts. Before proceeding, it’s important to speak to executives, physicians and other clinical staff to get everyone on board.

Finally, once you have brought your own organization up to standards, evaluate your supply chain. If the covered entities you work with are noncompliant with the GDPR, that means you are noncompliant by association. Request that each supplier and partner undergo the same process you did and perform regular risk assessments to ensure that they do so.

There is a great deal of overlap between HIPAA and regulations like the GDPR. If you are compliant with the former, it will be much easier to comply with the latter. Even with that in mind, however, you cannot simply assume you’re in the clear. Under regulations like the GDPR, your duty of care has become more extensive than ever – and this is only the beginning.
About the Author: Tim Mullahy is the Executive Vice President and Managing Director at Liberty Center One, a new breed of data center located in Royal Oak, MI. Tim has a demonstrated history of working in the information technology and services industry.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.