The European Union’s new data privacy law, the General Data Protection Regulation, or GDPR, took effect on May 25, 2018 (all references to GDPR provisions can be found here). In addition to being applicable to all member states of the European Union, along with Iceland, Liechtenstein and Norway, the GDPR has an international reach and could apply to organizations located elsewhere under certain circumstances. Organizations in the healthcare industry should assess whether the GDPR is applicable to them and, if so, what steps to implement for compliance.
The GDPR could apply to a healthcare entity for a variety of reasons, ranging from engagement in certain clinical research activities and medical tourism to offering products in the health technology sector, when such activities involve the personal information of an individual in the EU (for purposes of this article, references to the EU or member states are also intended to reference other countries within the European Economic Area, or EEA, to which GDPR applies). This article sets forth a summary of the circumstances in which the GDPR applies to a United States healthcare entity, an overview of some of the key provisions of the GDPR, and a discussion of some of the key similarities and differences between the GDPR and the Health Insurance Portability and Accountability Act (“HIPAA”).
Applicability of the GDPR to U.S. Healthcare Organizations
The GDPR’s intent is to protect the personal data of individuals (referred to as data subjects) in the EU in the use and disclosure (or “processing” in GDPR terms) of such data, while also promoting the free flow of such data throughout the EU. Although applicability of the GDPR rests on the geography of the data subjects within the EU and not the citizenship of those individuals, the GDPR has a global reach because it applies:
- to the processing of personal data of subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- (b) the monitoring of their behaviour as far as their behaviour takes place within the Union. [See GDPR, Article 3]
Given the broad scope of “monitoring behavior” and “offering goods or services,” the GDPR could apply to healthcare entities in the United States in a number of ways.
For example, the GDPR will apply to U.S. research entities that conduct research at physical locations in the EU, recruit individuals in the EU to participate in research, or continue to monitor individuals in the EU (e.g., following research conducted in the U.S.). On the other hand, data collected from EU citizens as part of research conducted wholly in the U.S. does not become “personal data” under the GDPR simply because of the EU citizenship of the research participant. The applicability of the GDPR focuses on where the behavior is occurring and being monitored and where services are being offered. Clinical research sites in the United States that sponsor or have some control over study analysis and data processing for global studies should examine whether they receive personal data from individuals in the EU or recruit subjects for a study in the EU. Further, if relying on a research subject’s consent for processing his or her personal data as part of a research study, research entities must comply with the GDPR’s consent requirements. The GDPR defines consent as “any freely given, specific, informed and unambiguous indication” of agreement to the processing of a data subject’s personal data. Among other requirements, the GDPR requires that a data subject be informed of his or her right to withdraw consent at any time and be able to withdraw easily. Consent must be given by a clear affirmative or opt-in action (i.e., default or pre-checked boxes would not constitute consent).
As another example, entities in the wearables technology sector, whether healthcare specific or not, may also be subject to the GDPR. For example, companies that develop and sell fitness trackers or other similar health and wellness technology to consumers on an international basis would be considered to be offering a good or service to individuals in the EU. In addition, if a vendor of wearables does not market, sell or operate in the EU but processes the information of a customer who lives in the EU (and purchased the product while on vacation abroad) by receiving the wearable information and maintaining it on the vendor’s servers, the vendor is monitoring the behavior of an EU resident and therefore subject to the GDPR. For many of these entities that employ a direct-to-consumer business model, under which they are not subject to HIPAA as either a covered entity or a business associate, becoming GDPR-compliant will be no small task, akin to what healthcare providers and other covered entities faced when HIPAA was first enacted.
Overview of the GDPR Requirements
As referenced above, one of the key purposes of the GDPR is to regulate the processing of personal data by controllers and processors, as such terms are defined under the regulation.
The GDPR defines “personal data” as any information relating to “an identified or identifiable natural person,” and “processing” as any operation performed on personal data (e.g., collection, use, disclosure, storage).
A “controller” is a person or entity that determines the purposes and means of processing personal data, and a “processor” is a person or entity which processes personal data on behalf of the controller. Different requirements apply depending on whether a person or entity is considered a controller or processor.
The GDPR limits the processing of personal data to six circumstances. The first is where the individual consents to such processing. The other five all hinge on whether the processing is “necessary.” The processing must be necessary for: (1) the performance of a contract to which the data subject is a party (or requested by data subject prior to entering into a contract); (2) compliance with a legal obligation; (3) the protection of the vital interests of the data subject or other natural person; (4) performing a task carried out in the public interest or in the exercise of official authority; or (5) legitimate interests, unless overridden by the interests, fundamental rights and freedoms of the data subject.
Certain categories of more sensitive information, including data concerning health, genetic and biometric information, are subject to more stringent protection. “Data concerning health” is a subset of personal data “related to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about his or her health status.” Processing such health data is prohibited unless, in addition to one of the six circumstances above being present, one of the following ten bases for sensitive data applies:
1. The individual has given explicit consent to the processing of personal data for one or more specified purposes;
2. Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law;
3. Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
4. Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
5. Processing relates to personal data which are manifestly made public by the data subject;
6. Processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity;
7. Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
8. Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional, subject to certain confidentiality safeguards (the data must be processed by or under the responsibility of a professional subject to the obligation of professional secrecy, or another person subject to an obligation of secrecy, under Union or Member State law or rules established by national competent bodies);
9. Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy; or
10. Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Another significant issue relevant to U.S. healthcare organizations is under what circumstances personal data can be transferred for processing outside of the EU. Chapter V of the GDPR sets forth the conditions that must be met, and for countries that have not been determined to have an adequate level of protection, another enumerated safeguard must be met or a “derogation” must apply (such as explicit consent of the data subject) for the transfer to be considered lawful. So far, the European Commission has not recognized the United States as providing adequate protection, except with respect to those U.S. entities that have self-certified that they meet the requirements of the EU-U.S. Privacy Shield.
In addition to setting the parameters with respect to processing of personal data, as further described below, the GDPR addresses a wide range of other topics, including, without limitation, rights of data subjects, security requirements, establishment of regulatory authorities to implement and enforce the regulation, and applicable penalties.
Comparison to HIPAA
HIPAA and the GDPR are driven by similar public policy objectives, and therefore many of the same concepts apply. Generally, an entity that is subject to HIPAA, whether as a covered entity or a business associate, and that currently implements a robust compliance program under HIPAA, should not find it a significant adjustment conceptually to incorporate the GDPR requirements into its operations. Entities that are not subject to HIPAA, on the other hand, may find compliance to be a steeper uphill climb. For all entities, however, GDPR compliance will require a nuanced analysis to determine what changes are needed to an existing privacy compliance program and how to implement them most efficiently. Entities should not underestimate the time and resources needed to actually identify and implement such changes. In addition, some of the provisions of the GDPR are drafted in broad strokes and raise questions as to the intended interpretation, and until EU regulatory authorities issue additional guidance or clarifications, those questions will remain, leaving U.S. entities to make educated guesses as to the meaning or scope of certain provisions.
At its core, the GDPR includes many of the same general requirements as HIPAA, although the terminology and details of the requirements vary. For example, the GDPR has an equivalent concept to HIPAA’s minimum necessary rule, requiring that personal data be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).” As another example, the GDPR also includes requirements to implement safeguards to protect the security of information, requiring that personal data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)”, and further requiring that the entity adopt internal policies and implement measures with respect to such security safeguards. GDPR also contains similar concepts with respect to an individual’s information and access rights, as well as contractual requirements between controllers and processors similar to the requirements for business associate agreements.
However, significant differences between the GDPR and HIPAA exist, and the GDPR imposes several additional or different requirements than HIPAA. Although not exhaustive, a few key differences follow.
First, GDPR applies to “personal data,” which is a much broader array of data than protected health information under HIPAA. In this respect, the GDPR is more comparable to state-level consumer protection and data breach notification laws in the United States. See, e.g., Cal. Civ. Code § 1798.82; M.G.L. C. 93H; 201 CMR 17.00.
Second, under the GDPR, a data subject has a “right to be forgotten.” The data subject has a right to have his or her personal data erased and no longer processed under certain circumstances, including (i) if no longer necessary for the purposes for which it was initially collected, (ii) where the data subject withdraws a prior consent, or (iii) where the processing of the data otherwise does not comply with GDPR. There is no corresponding concept under HIPAA. However, some exceptions exist. For example, to the extent a healthcare entity is required to maintain the data pursuant to a legal requirement, such as for record retention purposes, such retention is permitted.
Third, under the GDPR, a controller must report a data breach to the applicable supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it,” unless able to demonstrate that the breach is “unlikely to result in a risk to the rights and freedoms of natural persons.” This is a significantly shorter timeframe than under HIPAA, which has an outside deadline of 60 days for notification of individuals and, in some cases, the media and the U.S. Department of Health and Human Services Office for Civil Rights (OCR). See 45 C.F.R. § 164.400 et seq. Notification to the data subject is also required without undue delay, if the breach is likely to result in a high risk to the subject’s rights and freedoms.
Fourth, unlike HIPAA, GDPR provides a right to compensatory damages for data subjects that suffer damage (whether or not material) as a result of a violation of the GDPR. This is a significant difference: whereas HIPAA does not include a private right of action, data subjects have standing to sue for violations of the GDPR. In addition, administrative fines can vary depending on the violation, but could be as much as “20 million EUR or, in certain cases, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.” Although settlements with OCR for HIPAA violations have in some instances been in the multi-million dollar range, administrative fines under the GDPR could potentially be even higher. In addition to potential penalties under the GDPR, from a contractual perspective it is likely that many entities in the EU will insist on covenants regarding compliance with the GDPR and corresponding indemnification provisions to do business with a United States entity (similar to the requirements many healthcare providers in the United States impose on offshore business associates, if willing to work with such companies at all).
What’s Next on the Horizon
There has been significant media attention leading up to, and in the wake of, the GDPR’s effective date, and rightly so given the significant global impact on businesses combined with a lack of clarity and lack of additional guidance in many instances. The global scope of the GDPR, combined with questions surrounding implementation, has created several challenges which will likely not be resolved in the near future. The impact during the rollout for some entities has been to chill efforts to do business across borders, including some businesses in the U.S. determining not to offer services in the EU, and some persons or businesses in the EU determining not to do business with U.S. entities, due to concerns about GDPR compliance and potential exposure.
Meanwhile, EU member states may adopt additional or more stringent privacy and security provisions, creating a patchwork of additional rules that a U.S. healthcare entity may need to track for purposes of compliance, depending on the scope of such rules and the entity’s operations. In addition, EU member states may issue additional interpretations and procedures with respect to the GDPR. In early August, the HHS Office for Human Research Protections released a Compilation of European GDPR Guidances from the EU and member states to assist research institutions in navigating this complex web.
Lastly, if California legislative activities are any indication, the GDPR is not an idiosyncrasy limited to the EU and those businesses that offer goods or services to, or monitor the behavior of, individuals in the EU. In June 2018, California enacted the California Consumer Privacy Act (CCPA) of 2018, which will establish new privacy rights for California residents and new obligations for California businesses beginning in 2020. The CCPA has drawn comparisons to the GDPR because it establishes many of the same privacy protections. Between the GDPR and the CCPA, it may be that a new baseline for expectations with respect to privacy and security of consumer information is being established.
Stephen K. Phillips is a corporate and health care regulatory partner and the chair of Hooper Lundy & Bookman’s Technology Practice Group in San Francisco. He can be reached at firstname.lastname@example.org.
Amy M. Joseph is a senior counsel in the firm’s Boston office. She advises a wide variety of health care providers on business and regulatory matters. She can be reached at email@example.com.
Kelly A. Carroll, Esq., is a health care regulatory attorney in the firm’s Washington office. Her practice focuses on representing clients in the health care and life sciences industries in a wide range of regulatory and litigation matters. She can be reached at firstname.lastname@example.org.