The following is a guest blog post by Steven Marco, CISA, ITIL, HP SA and President of HIPAA One®.
The European Union (EU) has drafted guidance to give citizens more control over their personal data, so what does this mean for U.S. based healthcare providers?
On May 25, 2018, the EU will roll out General Data Protection Regulation (GDPR), a new set of rules that is similar in nature to HIPAA compliance for EU countries. The effort to create GDPR started years ago in January 2012, when the European Commission began working on plans to create data protection reform across the EU so that European countries would have greater controls in place to manage information in the digital age. Additionally, GDPR aims to simplify the regulatory environment for businesses so both European citizens and businesses can benefit from a digital economy.
Being that GDPR has not yet taken effect, there are aspects to this new framework that are difficult to fully understand and define at this time yet we do know that U.S. companies DO NOT need to have business operations in one of the 28-member states of the EU to be impacted by GDPR. The new set of rules will require organizations around the world that hold data belonging to individuals who live in the EU to a high level of protection and must be able to account for where every bit of data is stored.
The good news is a large majority of U.S. based healthcare providers will be relatively safe in terms of complying with GDPR. If your organization is not actively marketing your services in the EU or practicing in the EU, a data breach where an EU citizen’s PHI is compromised would most likely be your most realistic brush with GDPR.
For instance, a walk-clinic in New York City seeing many international tourists has a much higher chance of being impacted than say a rural clinic treating mostly local residents. Providers in larger cities with more diverse patient groups will need to be extra vigilant regarding their breach notification standards and security posture.
Want to learn more about how your healthcare organization can prepare for GDPR? Read this HIPAA One blog post to learn how your practice can prepare now for a more international data sharing climate.
About Steven Marco
Steven Marco is the President of HIPAA One®, leading provider of HIPAA Risk Assessment software for practices of all sizes. HIPAA One is a proud sponsor of EMR and HIPAA and the effort to make HIPAA compliance more accessible for all practices. Are you HIPAA Compliant? Take HIPAA One’s 5 minute HIPAA security and compliance quiz to see if your organization is risk or learn more at HIPAAOne.com.
Excellent reminder that medicine is a global practice. GDPR is not going to be a panacea or make data more secure. Ignore at your own risk, however. Breaches will take on another level.