GDPR and HIPAA: Next Steps in the U.S. Healthcare Industry

Alesandra Hlaing
Associate Editor
Loyola University School of Law, JD 2020

The EU General Data Protection Regulation (“GDPR”) has been in effect since May 25, 2018, and has been a prominent topic of international debate across multiple sectors as companies adjust to stringent new regulations on data management. With a wide scope (the GDPR applies to all organizations possessing personal data of individuals based in the EU) and steep penalties for companies that fail to comply, companies across the globe are spending millions of dollars on preparation.

What does GDPR mean for U.S. healthcare?

In particular, U.S. healthcare organizations, which are already regulated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), are struggling to prepare for an added layer of scrutiny in their management of protected health information (“PHI”). U.S. healthcare organizations must comply with the GDPR if the organization utilizes personal data of EU individuals, is established in the EU, is established outside of the EU but processes data for goods and services offered in the EU, or if the organization monitors the behavior of EU individuals. With a broad scope of entities required to comply with GDPR, healthcare entities must examine what further steps beyond HIPAA compliance they must take in order to avoid noncompliance.

There are several notable differences between the scope of the GDPR and that of HIPAA. The predominant difference is that the GDPR sets standards for all personal data, whereas HIPAA is focused on protected health information. HIPAA was enacted with the intention of balancing the protection of patient healthcare information against the proper use of that information to provide and promote better healthcare outcomes for the public good. Unlike HIPAA, the GDPR was enacted with the intention of protecting the individual’s autonomy over their personal data. The GDPR calls for stricter standards for health data, separating it into three categories: data concerning health, biometric data, and genetic data.

How will GDPR affect consent?

One of the key differences between HIPAA compliance and the GDPR is that healthcare organizations will need to be mindful of the issue of active consent. Unlike HIPAA, which only requires secure processing and handling of PHI, the GDPR requires the “active consent” of the individual when handling their information. Under Article 7 of the GDPR, active consent is given through a clear act that is freely given, specific, informed, and unambiguous. Healthcare providers can no longer assume patient consent as the default when handling the data of EU patients. The GDPR also gives individuals the right to erasure, meaning that a provider must comply if an EU patient requests to have his or her medical record removed. HIPAA does not give patients these rights, and this expansion in patient autonomy may raise unintended complications for healthcare insurance premiums.

How will GDPR affect breach notification?

The GDPR also imposes stricter requirements in the event a breach occurs. Under HIPAA, healthcare organizations have 60 days from the time of discovery to inform patients of a breach or suspected breach. Under the GDPR, that timeline is shortened to only 72 hours. Providers will have to review internal procedures to ensure that these breach notification requirements are met for EU patients, which may result in a shift in organization-wide internal procedures. Beyond the notification timeline, the test for when notification of a breach is required also differs between the two laws. Under HIPAA, a breach must be reported unless the organization can show, through a specific risk assessment, that there is a low probability that the PHI was compromised. In contrast, the GDPR requires notification if the breach will likely result in a great risk to a person’s rights and freedoms. Because the two analyses differ, healthcare entities will have to determine which analysis they must perform in the event of a potential breach.

Companies that fail to comply with the GDPR face heavy fines: up to 20 million euros or 4 percent of annual global turnover. Though the GDPR has been in effect for less than two months, complaints against companies not in compliance have already been filed, with potential fines of more than 4 billion dollars. With privacy activists continuing to file complaints against major industries, it is essential that healthcare providers and other healthcare entities continue to take the precautions necessary to ensure compliance under the GDPR.