Grant Elliott, President and CEO of Ostendio, Inc., presented the webinar “Concerned about GDPR compliance? If you already operate in line with HIPAA you may be closer than you think,” on June 26th. You can watch a replay of this timely presentation here or see a full list of our archived webinars here.

Mr. Elliott discusses the basics of GDPR (General Data Protection Regulation) compliance for those in healthcare:

Q. In a nutshell, what is GDPR?

A. GDPR is a new set of rules designed to give EU citizens more control over their personal data. The GDPR categorizes a broad swath of data, such as name, email, location, IP address, and online behavior as personal data.

Q. If a healthcare facility is fully in the U.S. do they need to worry about GDPR?

A. GDPR only applies if you are located in the EU, or you provide or market your services to people from the EU. If you are only providing services locally in the U.S. it is extremely unlikely GDPR will apply to you.

Q. Of course, in this international world in which we live, almost all communities and facilities will have at least a few individuals from the EU. Will that then mean the facility must comply with GDPR?

A. There continues to remain some confusion around this area and theoretically an EU citizen could invoke their rights under GDPR once they return to the EU. However, there are two primary aspects to consider here:

1. If this is incidental and low volume, it is unlikely that the individual would be able to bring a significant case against the organization as the data being collected will be minimal and more likely to be U.S. data (e.g. U.S address, credit card, etc.).
2. Even if such a situation was followed up by the EU, any action would only ever be relative to the scale of the issue. As such it seems unlikely the EU would ever take action against such isolated incidents.

Q. Facilities already need to comply with so many U.S. regulations. Who is going to be monitoring compliance with GDPR? Do U.S. healthcare facilities really need to follow these rules or is this just a suggestion? Who is governing this and potentially giving out fines?

A. Enforcement in the U.S. is still an open question, specifically if the company has no EU presence. The FTC has made itself the de facto DPA under Section 5 of the FTC Act, although this is being challenged by some.

Q. Where do you suggest a U.S. healthcare system or facility get started in GDPR compliance?

A. Conduct a Data Protection Impact Assessment and/or Risk Assessment. Select an industry recognized Security Framework (ISO 27001, NIST 800-171, HITRUST, SOC 2) to be measured against.

It is always good to seek help from experts. There are an increasing number of GDPR compliance services being provided by both law firms and privacy consultants. Shop around to find an organization that can provide guidance and if necessary help you with implementation.

Be sure to check out Grant Elliott’s webinar and explore our other HIPAA resources, such as our online compliance training courses What is HIPAA? and  HIPAA Business Associate Agreements Under HITECH.