GDPR is the European Union’s new data protection regulation that went into effect on May 25, 2018. It is the most comprehensive data protection regulation in the world. Of course, healthcare data is regulated by GDPR.
If you do not do business in the EU, advertise in the EU, have no contractors in the EU, and collect no data on EU residents then GDPR does not apply to you. Specifically, for entities not established in the EU, GDPR applies only to entities who:
- Process personal data of EU residents who are physically in the EU and
- the processing relates to either:
- offering goods or services to EU citizens while in the EU or
- monitoring EU citizens’ behavior that takes place within the EU (see Art. 3.2)
Example 1: An academic medical center who advertises to EU residents, begins a dialog with them while they are at home and stores information on them for potential treatment in U.S. is subject to GDPR.
Example 2: A small hospital in the U.S. provides emergency care to an EU resident, discharges them, and performs no follow-up services, in Eagle Consulting Partners’ opinion, is NOT subject to GDPR.
If you have to comply with GDPR and you’re already compliant with HIPAA, you are much closer to compliance than others who have to start from scratch. GDPR is similar to HIPAA in its terminology. For example, GDPR regulates “controllers” and “processors” of “personal data” which are similar to HIPAA’s “covered entities”, “business associates”, and “PHI” — though GDPR regulates the protection of a broader range of personal information, not just health information.
If you have any GDPR-related questions regarding your organization or are interested in customized GDPR/HIPAA-compliant policies, feel free to contact us.