European data protection regulation impacts U.S. patient privacy

European Union regulation on data protecion has put pressure on U.S. legislators and regulators to heighten protections within our own borders, experts say. The ramifications for healthcare organizations, both abroad and in the United States, are significant. Here’s what you need to know. (xixinxing - stock.adobe.com)

The European Union’s (EU) General Data Protection Regulation (GDPR), which went into effect May 25, 2018, is designed to harmonize data privacy laws across Europe, protect and empower all EU citizens’ data privacy, and reshape the way organizations across the region approach data privacy, according to the education website eugdpr.org.

The website states that GDPR’s mention of “personal data” encompasses “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier."

This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organizations collect information about people.”

Organizations not in compliance face hefty fines.

The ramifications for healthcare organizations, both abroad and in the United States, are significant. Here’s some valuable information.

1. IS GDPR APPLICABLE TO U.S PRACTICES?

The GDPR, technically, only applies to the EU, says Anthony Orlando, Ph.D., of the College of Business Administration, California State Polytechnic University, Pomona.

“But, in practice, it has had a significant effect on the U.S., as multinational corporations have adopted similar policies in both regions for simplicity and to minimize the risk of violating the rules when they conduct crossborder business,” he tells Dermatology Times.

Dr. Orlando is also the lead author of a new article entitled “The New Privacy Crisis: What’s Health Got to Do with It?”, which was published online in the American Journal of Medicine on October 24, 2018. In the article he notes that the GDPR’s central philosophy is to notify consumers about what companies are doing with their data, require their explicit consent, and allow consumers to view and delete the data they don’t want.

In contrast, the Health Insurance Portability and Accountability Act (HIPAA) only applies to healthcare providers and insurance plans and their “business associates,” but that technologic innovation has opened the gates to further access of information, including fitness trackers and direct-to-consumer genetic testing services.

“HIPAA does not apply to any of these digital actors,” Dr. Orlando wrote.

2. WHAT ARE THE IMPLICATIONS OF GDPR FOR U.S. PRACTICES?

In an editorial about the GDPR and data breaches in the Aesthetic Surgery Journal, Foad Nahai, M.D., F.A.C.S., of the department of surgery at Emory University School of Medicine in Atlanta, notes that “the widespread adoption of GDPR privacy standards by international companies may be a case of the ‘Brussels effect,’ in which European laws and regulations are used as a global baseline.”

Therefore, Dr. Nahai encourages healthcare professionals to be cognizant of the GDPR standards and their potential impact.

“Given the increasing awareness of privacy risks in the United States, the GDPR has put pressure on U.S. legislators and regulators to heighten protections within our own borders,” says Dr. Orlando in the interview. “Against this pressure, the U.S. must weigh the value of data collection and information sharing to spur beneficial innovations. The experience of EU firms, consumers, healthcare providers and patients with GDPR over the next few years will factor into experts’ recommendations for reform here in the U.S.”

3. IS GDPR A GOOD IDEA?

“I believe the increase in transparency under the GDPR is a step in the right direction,” Dr. Orlando says. “Currently, too few consumers and patients understand how much of their personal health information is at risk and in what ways it can be used to harm them. The GDPR makes an important distinction for ‘data concerning health,’ which cannot be processed without either the data subject’s explicit consent or a necessity to provide healthcare or protect public health. As we point out in our article, however, the GDPR does not address several other risks associated with personal health information, nor does it protect consumers who do not understand what they are consenting to. In some cases, transparency might not be a sufficient safeguard.”

4. WHAT OTHER STIPULATIONS OF GDPR SHOULD CLINICIANS BE AWARE OF AND HOW BEST CAN THEY NAVIGATE THOSE MEASURES?

“In this rapidly evolving world of technological innovation, clinicians should consult legal counsel to ensure that their data collection, protection, usage and sharing procedures comply not only with the letter of the law but also with the best practices prescribed by the U.S. Department of Health and Human Services, as well as leading data privacy experts, such as the Future of Privacy Forum,” Dr. Orlando says. “It is not only important for their own liability but also for the efficacy of the medical profession, as this attention to patient privacy increases public trust in the healthcare system,” Dr. Orlando says.

“It has been reported that 95% of all breaches of enterprise networks enter through a spear phishing attack (an email with a malicious attachment or link),” writes Dr. Nahai, who is also editorin-chief of Aesthetic Surgery Journal. “Physicians and healthcare facilities should be aware that healthcare records are more valuable than credit card data.”

Fortifying vulnerable systems with numerous antivirus engines can dramatically increase malware detection rates. Besides preventive technology, “You and virtually every member of your staff, as well as your software consultants need to be actively engaged in the war against security breaches,” Dr. Nahai writes.

5. WHAT ARE FUTURE CONCERNS ABOUT PATIENT PRIVACY?

“These issues will not go away. They are only going to grow in importance as the technology improves,” Dr. Orlando says. “The support of the medical community is critical to ensure an ethical, inclusive, productive balance is struck between innovation and privacy for generations to come.”

Disclosures:

Dr. Orlando reports no relevant financial disclosures.

References  ¹Orlando AW, Rosoff A. “The New Privacy Crisis: What’s Health Got to Do with It?” American Journal of Medicine, October 24, 2018. DOI:10.1016/j.amjmed.2018.09.033 (Epub ahead of print]. ²Nahai R. “General Data Protection Regulation (GDPR) and Data Breaches: What You Should Know,” Aesthetic Surgery Journal, October 29, 2018. DOI:10.1093/asj/sjy296 [Epub ahead of print]