U.S. Healthcare Orgs and the GDPR: A New Wave of Privacy Is Blowing In From Europe

In the United States (US), healthcare organizations and providers have long experience with the Health Insurance Portability and Accountability Act (HIPAA) and other pertinent federal laws and regulations. Now the General Data Protection Regulation (GDPR), Europe’s new framework for data protection law, should cause many U.S. healthcare organizations to think well beyond information security and patient privacy.

Important considerations now also include data flows, data handling, cross-border data transfer, data privacy, security monitoring and overall policy compliance for international patients. For healthcare organizations that offer services in the European Union (EU) or serve EU citizens, the GDPR, which took effect on May 25, 2018, is a new burden.

The GDPR is designed to standardize data privacy and protection laws across Europe, but it will impact processes, technology, relationships and communication internationally. The new obligations pertain to any organization that handles EU data, whether that organization is in the EU or not. U.S. healthcare organizations will need to safeguard EU patients’ data based on the GDPR in addition to HIPAA and other U.S. regulations. The GDPR fundamentally changes how personal and sensitive data can be used, processed, managed, stored, deleted and disclosed and applies whether an organization is a data controller or data processor.

Healthcare organizations with operations in the EU or who collect personal data in Europe on EU citizens (even such things as collecting business cards at a conference in the EU) will clearly be within the GDPR regime.

The GDPR rules now in force could bring a great increase in the penalties imposed on firms for past data breaches, with fines levied at a maximum of 4% of global revenues, which seems excessive but is intended to be scary. One major change from most US data breach reporting laws is that the regulation requires organizations to notify authorities of a data breach within 72 hours and, if the breached data is of a serious personal nature, to notify the affected individuals within 72 hours as well.

Healthcare organizations subject to the GDPR will now need to prove that they have adequate processes in place to manage and protect EU residents’ “personal data.” The regulator who administers the GDPR in each country may request written documentation in support of GDPR compliance. Key requirements of the GDPR include:

1) Appoint a Data Protection Officer (DPO) responsible for data processing.

2) Document privacy and security policies and procedures.

3) Implement GDPR special codes of conduct.

4) Measure the effectiveness of privacy and security compliance controls.

5) Implement a risk-based approach to data processing.

6) Define the risks presented by data processing activities.

7) Implement a Data Protection Impact Assessment (Article 35).

8) Define and implement controls and processes related to potential security threats, vulnerabilities and breaches.

9) Utilize pseudonymization and encryption as controls. Pseudonymization is a data management and de-identification procedure in which the personally identifiable fields within a data record are replaced by one or more artificial identifiers, with the information needed to re-identify the record held separately.

10) Regulate controls to ensure the ongoing confidentiality, integrity, availability (CIA) and resilience of systems and services.

11) Enable restoration of availability and access to data and services in a timely manner in the event of a security incident.

12) Implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures.

13) Honor the right to erasure (the ‘right to be forgotten’).
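Item 9 describes pseudonymization as replacing identifying fields with artificial identifiers, and item 13 lists the right to erasure. The following is an added example, not code from the article or its author, showing one way a records system can do both: each direct identifier is replaced by a keyed-hash token, the token-to-value mapping is kept in a separate lookup table, and an erasure request is served by deleting that subject’s lookup entries. The choice of which fields count as identifiers, the sample patient records, and the HMAC-based token design are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Which fields count as direct identifiers is an assumption made for this
# example; a real deployment decides this per data set.
PII_FIELDS: Tuple[str, ...] = ("name", "email", "dob")

# Constructed sample records (not real patients). "diagnosis" stands in for
# the clinical data that must remain usable after pseudonymization.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"name": "Jane Doe", "email": "jane.doe@example.eu", "dob": "1980-01-15", "diagnosis": "I10"},
    {"name": "Jane Doe", "email": "jane.doe@example.eu", "dob": "1980-01-15", "diagnosis": "E11"},
    {"name": "John Roe", "email": "john.roe@example.eu", "dob": "1975-07-30", "diagnosis": "J45"},
]


def make_key() -> bytes:
    """A fresh 256-bit secret. In practice it lives in a KMS or HSM, never beside the data."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Keyed hash of one identifier value.

    HMAC rather than a bare SHA-256: names, e-mail addresses and birth dates
    are guessable, so an unkeyed hash could be reversed by hashing candidate
    values. Mixing in the field name keeps tokens for different fields
    distinct even when the underlying strings happen to be equal.
    """
    msg = field.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:24]


def pseudonymize(records: List[Dict[str, str]], key: bytes,
                 lookup: Dict[str, str]) -> List[Dict[str, str]]:
    """Replace each PII field with its token and fill the separate lookup table.

    The same identifier always yields the same token under one key, so records
    for one patient can still be grouped for analysis without exposing who
    the patient is.
    """
    out = []
    for rec in records:
        pseudo = dict(rec)
        for field in PII_FIELDS:
            if field in pseudo:
                token = pseudonym(key, field, pseudo[field])
                lookup[token] = pseudo[field]  # re-identification data, stored apart
                pseudo[field] = token
        out.append(pseudo)
    return out


def reidentify(record: Dict[str, str], lookup: Dict[str, str]) -> Dict[str, str]:
    """Controller-side reversal using the separately held lookup table.

    Tokens with no lookup entry are left as they are.
    """
    out = dict(record)
    for field in PII_FIELDS:
        if field in out:
            out[field] = lookup.get(out[field], out[field])
    return out


def erase_subject(identifiers: Dict[str, str], key: bytes, lookup: Dict[str, str]) -> int:
    """Drop the lookup entries for one data subject; returns how many were removed.

    Afterwards that subject's pseudonymized records can no longer be linked
    back through the table, while the tokens in the records stay in place.
    """
    removed = 0
    for field, value in identifiers.items():
        if lookup.pop(pseudonym(key, field, value), None) is not None:
            removed += 1
    return removed


def contains_pii(records: List[Dict[str, str]], original_values) -> bool:
    """Check whether any original identifier value survives in the output."""
    return any(v in rec.values() for rec in records for v in original_values)


if __name__ == "__main__":
    key = make_key()
    lookup: Dict[str, str] = {}
    pseudo = pseudonymize(SAMPLE_RECORDS, key, lookup)
    for rec in pseudo:
        print(rec)
    print("lookup entries:", len(lookup))
    print("removed on erasure:", erase_subject(SAMPLE_RECORDS[0], key, lookup))
```

Two design points matter here. The secret key and the lookup table are the “additional information” that turns a token back into a person, so they must be stored and access-controlled separately from the pseudonymized data set; if they sit in the same database with the same permissions, the records are not meaningfully pseudonymized. Deleting a subject’s lookup entries removes the organization’s own ability to re-identify their records; whether that is sufficient for a particular erasure request, or whether the records themselves must also go, is a decision for the organization, not something the code settles.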

In conclusion, an organization’s CEO and Board of Directors are responsible for GDPR compliance as well as for compliance with American laws. They must ensure that their practices are balanced against all cybersecurity and data privacy regulations that apply to their organization. If this is not done properly, organizations will leave themselves vulnerable to huge fines and criminal consequences under the GDPR, damage to their public reputations, the possibility of additional penalties in the U.S., and securities lawsuits. Multinationals and their US business partners can expect to have to answer underwriters’ queries about their GDPR compliance when buying or renewing their cyber liability and management liability policies for the next several years.

As the number and breadth of massive data breaches increase, pressure will build on politicians to enact new statutes and regulations with a focus on making corporate management and boards responsible parties for protecting personal information. GDPR is going to be an important “test case” that other countries and jurisdictions will watch closely. New regulations and statutes such as GDPR are mandating that boards and individual directors become focused and engaged on cybersecurity issues. Now, individual directors may be personally responsible for cybersecurity-related issues. There is currently a lack of cyber knowledge on boards of directors in general.

It is unlikely that the threat of holding individual directors responsible for cybersecurity will abate. Data breaches which are reported almost daily have raised the general level of distrust of “big business”, such as the recent criticism of the officers of Experian and Uber and many others before them, and a corresponding increase in the desire to hold top executives personally responsible. In response to these trends, directors must increase their cybersecurity skills, engagement and awareness to comply with the GDPR and the likely next wave of cyber laws and regulations.

Cyber and D&O underwriters will also be closely monitoring these developments and we can expect changes in policy forms to occur as the risks evolve and any negative loss trends become apparent.

For U.S. healthcare organizations subject to the GDPR, a demonstrable effort to comply is mandatory, and time is critical. It seems that the regulators are not requiring immediate and total compliance. Rather, they are looking for entities to show that they are taking steps towards compliance and are moving forward with what still needs to be done. Almost all healthcare organizations, whether now subject to the GDPR or not, will soon also face new laws, such as the one just passed in California (due to take effect in 2020), which will bring GDPR-type regulations to the USA itself.

Writer Keith Daniels, JD, CIPP/US[1]
Editor Jeremy Swenson, MBA, MSST

[1] Keith Daniels, JD, CIPP/US is a graduate of the University of Wisconsin – Eau Claire and the University of Wisconsin Law School. He has practiced law in Wisconsin and Illinois and has been involved in cyber liability insurance since its inception around the year 2000. Keith is a senior independent cyber privacy, compliance, data protection, and risk liability consultant who partners with Abstract Forward Consulting. He is located in Minneapolis, MN and can be reached on LinkedIn here.