European Privacy Laws Impact American Companies, Providers

American companies—including healthcare providers—have been rushing to comply with the sweeping new privacy law enacted by the European Union (EU) that went into effect on May 25. The General Data Protection Regulation (GDPR) places steep fines for entities that violate its protections, so American companies doing business in Europe, such as Facebook and Google, are doing due diligence to comply. But US providers and researchers should be aware of how the GDPR could impact them.

The GDPR has implications for American providers such as Hospital Corporation of America (HCA), which has clinical sites in Europe, as well as organizations or individuals conducting research there. For example, one of the GDPR provisions requires EU companies to let individuals know, in clear language, how data collected about them is going to be used. According to a Modern Healthcare analysis of the rule, if an organization collects someone’s medical history for clinical care, the organization wouldn’t be able to use that information for research purposes without written consent obtained prior to the encounter.

The GDPR only applies to individuals in the EU, but there may be occasions when an American company is doing research on people who live in Europe.

“Where we need to change our policy primarily is with research,” David Chou, chief information and digital officer at Children’s Mercy Kansas City, told Modern Healthcare. “We’re making a big scramble to get it finalized.”

The article notes that American hospitals such as Beth Israel Deaconess Medical Center in Boston are training their researchers on GDPR compliance.

One of the most popular aspects of the EU’s law is its so-called “right to be forgotten,” which allows individuals to request that companies delete all of the data they hold on them. This could hypothetically apply to insurance company policies regarding pre-existing conditions, according to healthcare consultants such as David Ross, principal and cybersecurity growth leader for Baker Tilly’s risk, internal audit and cybersecurity practice, who spoke to Modern Healthcare.

READ MORE: GDPR applies to all types of personal information and data from various industries, including healthcare. For more info on key points that everyone should know, check out the post “GDPR: Add it to the Acronym List!” from the Journal of AHIMA blog IGIQ.
Mary Butler is the associate editor at Journal of AHIMA.