The General Data Protection Regulation (GDPR) of the European Union (EU) is like HIPAA...with a twist...a big twist. Seriously. If you thought HIPAA had high fines, the GDPR will give them a run for their money. So, do yourself a favor and take the precautions necessary to abide by these regulations, which have been in effect since May 25, 2018.
The GDPR is an EU law that governs the protection and privacy of personal data for people in the EU. However, just because you don’t practice in the EU does not give you an out. The GDPR reaches far outside the EU: it applies to any organization, anywhere in the world, that processes the personal data of people in the EU while offering them goods or services or monitoring their behavior. That’s right, this applies to you too...most likely. While some businesses are being affected more than others, health care practices are not exempt. To put this into perspective, HIPAA civil penalties run up to $1.5M per year for each category of violation, and criminal violations can mean imprisonment; with the GDPR, fines run up to €10M or 2% of your global annual turnover, whichever is higher, for lesser infringements, and up to €20M or 4% for the most serious ones. That’s right. Do we have your attention now?
HIPAA governs what we call in the United States protected health information, or PHI. It regulates how covered entities and their business associates use, disclose, and safeguard medical data, and nothing else. The GDPR covers EVERY piece of information that relates to an identified or identifiable person, and it treats health data as a “special category” that gets extra protection on top. So, it is not limited to health care. That’s right, you’re not alone in this transition.
HIPAA grants patients the right to get a copy of their health records, and the practice may charge a reasonable, cost-based fee for it. Under the GDPR, the first copy is free of charge, and only further copies can carry a reasonable fee. Additionally, while HIPAA lets patients request restrictions on how their PHI is used or disclosed, the GDPR gives patients a “right to erasure” to have their personal data deleted from a practice’s records. That right is not absolute: a practice can refuse where it is legally required to retain the records or still needs them to provide care, so know your retention obligations before you start deleting.
Both HIPAA and the GDPR require appropriate security measures to protect the confidentiality and integrity of PHI, but they differ in their timelines for breach notification. With HIPAA you must notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach of unsecured PHI; breaches affecting 500 or more individuals must also be reported to the US Department of Health and Human Services within that same 60-day window and announced to prominent media outlets, while smaller breaches go on an annual log to HHS. With the GDPR you get only 72 hours from becoming aware of a breach to notify the supervisory authority, and affected individuals must be told without undue delay whenever the breach is likely to put them at high risk. Can you hear the cha-ching now?
HIPAA does not require a patient to sign a consent form or authorize the release of their PHI for treatment, payment, or health care operations. This is why you don’t have to authorize your general practitioner to bill your insurance, or why a physician’s office doesn’t need your consent to send an unpaid bill to a debt collector. The GDPR treats health data as a special category that is off limits unless a specific exception applies. Providing care, making a diagnosis, and managing health services under professional secrecy is one such exception, so you can still treat a patient without a signed form. Anything beyond that, such as marketing or sharing data with a third party for its own purposes, generally needs the patient’s explicit consent. And if you rely on consent, you must be able to prove it: consent must be freely given, specific, informed, and unambiguous, the patient must be able to withdraw it as easily as they gave it, and the burden of demonstrating all of this sits with you.
Don’t be caught paying fines for non-compliance with the GDPR. It doesn’t matter if you are outside of the European Union, the GDPR most likely still applies to you. And it is about where your patients are, not what passport they hold: if you offer services to, or monitor the behavior of, people located in the EU, do your due diligence and make sure your practice is compliant. Also, remember that the GDPR is broader than HIPAA and stricter in most of the places where the two overlap. So just because you are abiding by the HIPAA guidelines, it does not mean you are following the regulations per the GDPR.