Privacy and Security

GDPR: Add it to the Acronym List!

Keep up with the latest on information governance as this key strategy emerges for addressing a myriad of information management challenges in healthcare. This blog will highlight the trends and opportunities IG presents for ensuring information is treated as an organizational asset.


By Ann Meehan, RHIA


Healthcare is full of acronyms! Every time you read an article or listen to a presentation, at least one new acronym is introduced. Here’s a relatively new one: GDPR. GDPR is the European Union’s (EU) General Data Protection Requirement. Did you see “European Union” and immediately think, “I don’t have to worry about that”? Well, you might be right… but you might be wrong. Before you leave this blog, take a moment to learn something new by exploring what GDPR is and who it impacts. As a health information management (HIM) professional who is tasked with not only protecting patient health information but also other confidential business information, at a minimum you should be aware of what GDPR is.

GDPR is a regulation aimed at strengthening privacy protections for individuals residing in the EU, harmonizing the data protection laws of EU member states, and creating a standardized mechanism of enforcement, according to a GDPR best practices guide. It affects any business that is based in or does business with the EU. According to the same guide, it largely replaces Directive 95/46/EC (the “Directive”), adopted in 1995, which aimed to protect the personal information of individuals within its jurisdiction and to harmonize the laws of the member states so that information could flow freely between them.

GDPR goes into effect May 25, 2018, and imposes fines and penalties for failure to comply. A lack of understanding or readiness could be devastating to a business or healthcare organization.

Key GDPR Points Everyone Should Know
GDPR applies to all types of personal information and data from various industries, not just healthcare. Here are some key points that everyone should know.

1. Rights of access

The categories of information which must be supplied in connection with a data subject access request have been expanded, placing further administrative burden on organizations. A data subject is any person whose personal data is being collected, held or processed, according to EU GDPR Compliant, a publication dedicated to GDPR education. Personal data includes name, address, credit card information and even social media posts.

2. Eliminating fees for access

In most cases, organizations will no longer be able to charge a small fee to respond to requests from data subjects.

3. Broadening the right to be forgotten

With GDPR the conditions under which people have a right to have their personal data forgotten—the right to be forgotten—have been clarified and broadened. Organizations will now face a wider range of requests to “erase” personal data. This applies not only to data held by the organization but also to data it has shared or exchanged. See #5 in this list, “Notifying third parties.”

4. The right to restrict processing

GDPR expands the range of circumstances in which data subjects can require restriction of the processing of personal data.

5. Notifying third parties

Organizations will now be required to implement systems and procedures for notifying affected third parties with whom they have shared personal information over which data subjects have exercised their rights.

6. Right of data portability

The right of data subjects to move their personal data between controllers—a natural or legal person, public authority or other body that processes data either alone or together with another entity, according to EU GDPR Compliant—may require a significant investment in new systems and processes. Moving an account from one company to another is one example.

GDPR and Healthcare
As you read through these points, did HIPAA come to mind? Interoperability? Data classification? Notification of disclosures? Limitations on costs associated with release of information? If your healthcare organization has facilities in or does business with the EU, then May 25th is looming and compliance should be a top priority. If, however, GDPR does not apply to your healthcare organization, then consider our HIM peers in the EU.

Just as you are part of a growing movement in healthcare toward a formalized information governance program and infrastructure, the implementation of GDPR and the resulting policies, processes, protocols, and classifications around data and information will also require a more collaborative governance structure. There are similarities between US regulations and GDPR that are worth understanding. Information governance is the best way to ensure that we are prepared for whatever regulatory requirements come our way… whatever the next acronym might be!


Ann Meehan is senior consultant, healthcare and life sciences channels and solutions at Iron Mountain.