Regulation from Across the Pond: GDPR’s Implications for United States Health Care Organizations
What’s New?
In May 2018 - merely 14 months from now - the European Union’s (EU) General Data Protection Regulation (GDPR) will go into effect. Organizations established in the European Economic Area (EEA) are subject to the GDPR and must abide by its rules with respect to the collection, processing, and transfer of personal data. And as we explained last year, health care and other organizations not established in the EEA that collect or process European personal data (by offering goods or services to individuals in the EEA or monitoring their behavior) are also subject to the GDPR - a controversial extraterritorial reach.
What Do You Need to Know?
The GDPR requires organizations (data controllers and processors) to have certain protections in place before collecting, processing or transferring Europeans’ personal data. If your organization handles European health or other personal data, this means careful consideration of the GDPR and how it may apply to you. For example, under the GDPR:
- Consent Required to Process Health Data. You may need to obtain the patient’s or data subject’s explicit consent (freely given, specific, informed, and unambiguous) before processing his/her health data. There are exceptions to this consent requirement, including processing necessary for public health reasons or for scientific research, subject to certain requirements. And although consent is generally not required to process health data for the purposes of preventative or occupational medicine, medical diagnosis, the provision of health, social care or treatment, or the management of health, these exceptions only apply to health professionals or other persons subject to an obligation of professional secrecy under EU or Member State law or rules.
- Possibly Stricter Member State-Level Laws. Member States can introduce further conditions with respect to the processing of biometric, genetic, or health data. It is possible, therefore, that a Member State’s law may act to prohibit your collection, processing or transfer of health and other personal data that otherwise complies with the GDPR.
- More Robust Individual Privacy Rights. Data subjects have rights with respect to their personal data that may not be available under HIPAA or other US privacy laws, such as the right to erasure.
- Extensive Data Transfer Requirements. The transfer of personal data from the EEA to your organization and onward transfer of the data by your organization may be prohibited unless certain transfer or onward transfer requirements are met. Some of the legal mechanisms that your organization ought to consider to legitimize such transfers are:
- Consent. Technically, organizations can transfer European personal data by obtaining the data subject’s consent; however, consent is a weak mechanism because EEA law allows the data subject to withdraw his/her consent. Without one of the legal mechanisms discussed below in place as a back-up, your organization could find itself illegally transferring data if consent is withdrawn.
- Privacy Shield. The GDPR provides for an approved certification mechanism, such as the Privacy Shield. As our previous guidance explained, the Privacy Shield is a self-certification framework for data transfers from the EEA to the US only.
- Binding Corporate Rules (BCRs). BCRs are a set of stringent, intra-corporate global privacy policies, practices, processes, and guidelines that satisfy EU standards for data protection, but this option is only available for transfers within intra-company groups.
- Standard Contractual Clauses. The GDPR also provides for standard contractual clauses (SCCs) as a mechanism to legalize cross-border data transfers. SCCs are sets of contractual clauses covering data protection that are pre-approved by the European Commission.
- Other Standard Data Protection Clauses. EEA Member States’ data protection authorities (DPAs) may also adopt other standard data protection clauses, but these are limited in scope (country-specific) and not as widely accepted as SCCs.
What’s the Takeaway?
If you are a US health care or other organization involved in the collection, processing, and/or transfer of Europeans’ health and other personal data, you should know that the GDPR may have requirements applicable to you and your vendors, even if you are not established in the EEA. In particular, you should be mindful of data transfer implications, and ensure that your organization’s transfer of Europeans’ health data complies with the GDPR’s restrictions on data transfer and onward transfer.
If you have not taken steps toward GDPR compliance, you should act now. If your organization is subject to the GDPR, you could be fined up to 4% of total worldwide annual turnover for noncompliance. You could also face other legal actions, especially because the GDPR provides EEA residents with extensive rights, including rights to lodge complaints, an effective judicial remedy, and compensation.
Arent Fox’s Privacy, Cybersecurity & Data Protection and Health Care groups monitor developments in the health care data protection field and regularly advise clients on compliance with GDPR, HIPAA and other data security requirements. If you have any questions about the topic covered here or other matters, please contact Sarah L. Bruno in our San Francisco office; Stephanie Trunk and Samuel Cohen in our Washington, DC office, Thomas Jeffry in our Los Angeles office, or the Arent Fox professional who normally handles your matters.