US health companies not quite ready for EU GDPR privacy rule
The data protection regulation is a privacy-first framework with interoperability promise.
While most U.S. healthcare providers see few European patients on a regular basis, stiff fines for failure to comply with new privacy rules under the EU's General Data Protection Regulation has the sector rushing to prepare.
By several accounts, companies of all stripes are not ready for the arrival of GDPR on May 25. The regulation, adopted by the EU in April 2016, requires all companies to gain "explicit consent" for any data collected from the 511.5 million citizens of the European bloc.
Compliance should be on the minds of U.S. healthcare companies, if only to avoid the hefty price tag that comes with a failure to do so. For the highest level of violation, companies risk getting fined up to $24 million (20 million euros) or 4% of their worldwide annual revenue, whichever is greater. "The penalties for non-compliance are pretty substantial," Bernadette Broccolo, a healthcare attorney at McDermott Will and Emery in Chicago, told Healthcare Dive.
Healthcare organizations that treat, target or collect data belonging to patients from any of the EU's 28 nations fall under the regulation. Data concerning health, genetic data and biometric data are all protected and require explicit patient consent, in addition to any identifiable information such as IP addresses, credit card data and photos.
Barring a major cybersecurity breach, the GDPR isn't likely to directly affect most domestic healthcare entities. However, the regulation is widely considered to be the next-generation model for privacy protections. GDPR "is empowering the end user more so than it ever has before," Lance Pilkington, vice president of global compliance at Liaison Technologies, told Healthcare Dive. It's giving consumers the right to know exactly what data of theirs companies have as well as ultimate control over how it's used.
Given the ever-evolving nature of compliance and the volatile state of data privacy, the GDPR's arrival is worth watching — and maybe replicating.
Armed with a tiered penalty system, GDPR has had no problem commanding attention thus far.
What US healthcare companies need to know about compliance
Unlike U.S. law, which penalizes companies that fail to comply with HIPAA $1.5 million per year for violations of an identical provision, the EU will collect whichever amount is higher. In addition to fines owed to EU authorities, Broccolo said companies will need to compensate the subjects whose data was compromised. Those subjects are also granted representation from nonprofit organizations under the GDPR.
"If you're in for a dime, you're in for a dollar," Broccolo said. "You're not just a little bit involved."
For most U.S. healthcare companies, the GDPR will apply in three different contexts:
- If the company has an establishment in the EU.
- If the company is offering goods or services to people in the EU.
- If the company is monitoring the behavior or health of people in the EU.
"The reality is, if these organizations in the U.S. have one patient who comes in from Europe because they're taking a tour of one of the sites here in the States, now they have to comply," Gary Palgon, Liaison's vice president of sales, told Healthcare Dive. "If there are E.U. citizens who are expats working in the United States, they fall into compliance. If you have someone from the EU coming to the U.S. for a procedure, they fit in that box that has to be checked."
Even if those patients make up a small sliver of the admissions pie, Palgon said, the penalties are too significant to not comply. Pilkington said companies should have a roadmap in place to prove to auditors they're taking the GDPR seriously.
"What auditors will be looking at is, do you have a plan in place? How's it being put in place?" Pilkington said. "You should have distinct steps in how you're preparing your business to be GDPR-compliant."
Companies will need to appoint a data protection officer (DPO) to oversee compliance. That person, according to the GDPR, must have “expert knowledge of data protection law and practices."
With the May 25 deadline looming, U.S. companies are lagging.
According to a recent Netsparker survey of 302 chief executives across industries, 63% of respondents currently have a DPO on staff. The rest are hoping to hire one by May 25.
Of the healthcare executives surveyed by Netsparker, 7% said they're still "minimally aware" of how GDPR will apply to their organization and 14% said their company has only completed a quarter of compliance requirements.
US healthcare companies are not alone in their unpreparedness
Healthcare was the least likely industry to be prepared for GDPR last October, according to a survey from information security company Clearswift. Only 17% of companies across the U.S., U.K., Germany and Australia claimed at the time to have "processes in place" to address the regulation's requirements.
They're not alone. European regulators don't have all their ducks in a row yet, either. Seventeen of 24 authorities that responded to a recent Reuters survey claimed they did not yet have "the necessary funding, or would initially lack the powers, to fulfill their GDPR duties."
The majority of respondents told Reuters they would take a reactionary approach to regulation and investigate "based on merit" — further emphasis on the importance of companies showing regulators they've done their homework.
Still, some big systems say they are not asleep at the wheel.
Deb Salava, vice president of international IT at the University of Pittsburgh Medical Center, told Healthcare Dive her company has been preparing for the GDPR for the past 18 months. With facilities in Italy and Ireland, the health system is well-acquainted with privacy law in Europe, specifically in Italy, which she said has some of the "strongest privacy laws on the book."
Salava said UPMC has always had processes in place to obtain patient consent. The GDPR, however, makes those consents much more specific. "One of the important things we've done is make sure our executives knew and supported the fact that this isn't an IT initiative. It's an organizational initiative, so we've treated it that way," she said. "It cuts across all of our departments. It really is an initiative that will require everyone within our organization in the EU to be cognizant of."
In addition to appointing a DPO and implementing new privacy policies and procedures, UPMC has established programs for its entire EU workforce to train employees in new data-handling practices. But compliance process, she said, will be an ongoing effort. "It doesn't stop on May 25th," Salava said. "Improving our compliance and staying compliant will be something we'll continue to keep in front of us and work on."
Healthcare companies in the U.S. that come into GDPR compliance will have a bit of a head start with the policies and procedures they already have in place for HIPAA. The GDPR, however, is much more stringent than its American counterpart, and more often than not, will require more specificity with consent.
While privacy and security policies and procedures mandated under HIPAA serve as a good baseline for the GDPR's accountability requirements, there are major differences that need to be understood.
HIPAA vs. GDPR
One notable difference between the GDPR and HIPAA is the right to erasure granted by the former. Under the GDPR, organizations are required to honor all patient requests to erase personal data. Healthcare companies will need to have technology that's capable of totally erasing personal data when a consumer revokes their consent and, furthermore, be able to prove they've scrubbed that data completely.
While there are a few exceptions, right to erasure might prove to be the biggest headache for U.S. healthcare companies, which will have to adopt entirely different methods for processing and storing EU patients' data.
Data breaches also pose a sizable threat to GDPR compliance for U.S. healthcare companies, starting with how the GDPR and HIPAA treat responsiveness. HIPAA allows healthcare providers 60 days from the time of discovery to inform patients of a data breach. Under the GDPR, organizations will have only 72 hours to deliver the news to EU patients.
A recent Ponemon Institute survey found that cybersecurity has continued to be a problem for healthcare organizations, with 62% of executives reporting a cyberattack in the past year and more than half of those losing patient data. As of September, 89% of healthcare organizations have experienced a data breach in the past two years, with 45% experiencing more than five breaches.
More than 20 data breaches were reported in March alone, putting the personal health information of up to 120,000 at risk. While appointing DPOs will present healthcare companies with an opportunity to take a proactive approach to privacy, a recent Black Book Market Research survey found that about 80% of organizations lack an executive-level leader to manage cybersecurity enterprise-wide, and just 11% said they plan to bring on a cybersecurity executive in 2018.
The GDPR also grants consumers the right to access and port their data at any time. Under the GDPR, EU consumers will know what data of theirs has been collected, how it's being handled and processed, and have the ability to transmit that data to another entity "without hinderance."
While hospitals have made some progress in interoperability, efforts have mostly focused on data transmission and not on usability. Despite the potential for a GDPR-inspired regulatory framework to help American healthcare overcome interoperability barriers, industry professionals might not be keen on adopting more regulations.
The wide lens on GDPR
The GDPR is ultimately designed to give consumers total control over their data by encouraging companies to improve their data management and processing standards with a privacy-first approach, creating structure and accessibility. But even in an industry embracing growing consumerism, where speculation on the transformative potential of big data has reached "gold rush" status, the GDPR isn't likely to influence American policy in a major way any time soon.
Some experts fear more regulations would stifle innovation. Stanley Crosley, an attorney with Drinker Biddle, said during a Health Datapalooza panel that he would not be in favor of the U.S. adopting the GDPR as an extension of HIPAA. "At this point, there is no differentiation between thinking and acting with data within the scheme of GDPR. You cannot build a scaled database with consent. The specificity of the notice that's required is an administrative burden unlike anything you've seen before," Crosley said. "As a comprehensive scheme, the only thing that is worse than over-regulation is ambiguity for a corporation, and not having any kind of set regulation in the U.S. that covers all 50 states is problematic."
The adoption of GDPR-inspired regulations by one state and not all states, Crosley argued, would cause cross-jurisdictional headaches for private companies. Broccolo agreed. "The chances the U.S. would adopt GDPR are slim to none," she said. "They have quite an elaborate regulatory scheme in place in the form of HIPAA and other federal and state laws. I don't see them replacing that scheme."
Others feel HIPAA and other U.S. regulations have something to gain from the GDPR. Deven McGraw, chief regulatory officer at Ciitizen, a startup that seeks to help patients better access their healthcare information, expressed optimism at Health Datapalooza for a better regulatory environment than U.S. healthcare has currently. "Even within that regulatory bubble we're over regulating and under regulating at the same time. I think we could do better," she said. "Conceptually, even though it would regulate many more of us, I think that's a good thing."
Salava said the GDPR has made UPMC re-evaluate all of its operational practices. She pointed to the recent data breaches at Equifax and Panera as examples of why the U.S. needs improved privacy regulations.
"I think the U.S. can learn something [from the GDPR]. HIPAA notwithstanding, I think it's a bigger issue not only affecting healthcare, but citizen data," Salava said. "I'm anxious to see the U.S. start to take this a little more seriously than we have in the past. Europe is leading this effort."
Follow Tony Abraham on Twitter