By Kumar Venkatesiah
If you are in the United Kingdom or anywhere in the European Union, you may have already started working towards GDPR compliance. The General Data Protection Regulation (GDPR) is a set of compliance requirements that comes into effect in May 2018 and will apply to any organization that deals with data provided by citizens of the European Union. In other words, this ruling can apply to your organization even if you are based outside the EU but handle data pertaining to patients from the EU.
A Brief Summary
Before we discuss the impact of GDPR on healthcare providers, it is important to take a look at what the GDPR regulations state. Philip Piletic has a great article on this subject, but the essential takeaways are:
Similarities With HIPAA
If you are in the United States, a lot of these regulations may already be in place thanks to HIPAA. The HIPAA regulation mandates complete SSL protection for patient data that is transmitted through your hospital servers. Similar to GDPR, the HIPAA compliance requirements also make it mandatory for healthcare providers to adhere to stringent data security protocols and to ensure compliance with the established protocols while disposing of data.
One of the essential differences between HIPAA and GDPR arises with who these regulations cover. At the outset, it is clear that GDPR covers citizens of the EU while HIPAA is restricted to American citizens and healthcare organizations. But what happens when a citizen from one of these countries visits a third country like India for healthcare? In such a scenario, GDPR can still apply because this is a consumer-centric regulation - any organization across the world is liable to adhere to these stringent regulations when it deals with data pertaining to citizens from the EU. HIPAA, on the other hand, is an organization-centric regulation, and any data handled by organizations outside the US does not come under the purview of HIPAA.
As we pointed out earlier, the HIPAA regulations are organization-centric and are mainly targeted at protecting patient records from security breaches. In essence, HIPAA does not talk about the patient’s consent to data use. In other words, unlike in GDPR, where organizations must get active consent from the patient before storing any of their personal details in their database, there is no such requirement from HIPAA. Healthcare organizations are free to process these details as long as they are stored and transmitted with adequate security.
Right To Erasure
The right to erasure (in other words, the right to be forgotten) is a tricky subject as far as healthcare goes. HIPAA does not have a right to be forgotten rule. That means any patient record that is in the hospital’s database cannot be erased simply because the patient wants it to be. This is unlike GDPR, where an organization must comply with such requests from consumers.
While the right to be forgotten can seem like an earnest move from the regulators, it is not exactly feasible for health insurance providers. These organizations assess the premium based on a patient’s past history. This way, a patient who is a known chain-smoker may be required to shell out a much higher premium for oral cancer related insurance, while a non-smoker, who is less risky, pays a lower one. What happens if the chain-smoker requests that his patient details be expunged? The GDPR ruling to let patients demand erasure of their records could penalize patients who lead healthy lives and make it cheaper for individuals with unhealthy lifestyles to secure insurance.
One of the biggest differences between HIPAA and GDPR is in the way the regulations treat processors of information. GDPR identifies two parties responsible for handling data - controllers are the healthcare organizations that own the patient data, while processors are the third-party agencies who may be responsible for transmitting these details. An email hosting company or a marketing agency may be considered a processor, while your hospital or insurance company is the controller.
According to Mary Hall, CEO at iHealthSpot — a company that handles marketing for healthcare organizations — HIPAA does not explicitly prohibit healthcare organizations from letting third-party agencies send out marketing messages to patients without consent. She points to the ruling in Section 164.514(e) of HIPAA that states that healthcare organizations may disclose a “limited data set” to a third party for marketing purposes. This limited data set should, however, exclude direct identifiers like name, address, telephone number, email, IP address and photos. While this does not seem draconian, it should be pointed out that sharing these details with third parties does not require patient consent, unlike in GDPR.
Both HIPAA and GDPR propose stringent penalties on organizations that violate their regulations. However, there is a significant difference in the way the violations are assessed in the first place. With GDPR, any organization that violates guidelines with respect to security or handling of personal data is liable to be prosecuted. The 2013 Final Omnibus Rule of HIPAA states that, for prosecutions related to “significant harm” caused by violations, the organizations must prove that harm had not occurred. Also, HIPAA guidelines may be waived during times of calamity, as with the recent Hurricane Harvey. No such provisions exist with GDPR at the moment.
Although GDPR is not restricted to healthcare, it does strive to bring in regulations that are a lot more stringent and, in turn, protect your consumers better than HIPAA does. If you are an organization that deals with patients from outside the United States, it is a good idea to prepare your business for GDPR compliance. Besides the fact that you are adhering to legal requirements, it is also better for your patients.
About The Author
Kumar Venkatesiah is an eLearning consultant from India with more than nine years of experience. He works with telemedicine startups to help onboard new clients to the digital platform. You may reach him at email@example.com.