Is the sky falling? GDPR implications in the US

by Adam H. Greene, JD, MPH and Lyra Correa, JD

Adam H. Greene (adamgreene@dwt.com) is a Partner in the Washington DC office of Davis Wright Tremaine LLP and co-chair of its Health Information Practice Group. Lyra Correa (lyracorrea@dwt.com) is an Associate in the Washington DC office of Davis Wright Tremaine LLP.

Pop quiz: An injured Belgian tourist appears at your door for treatment. Do you:

  1. Pay to medevac her across the Atlantic and unceremoniously dump her on the shores of Achill, Ireland (the closest spot to the U.S. in the European Union (EU)

  2. Handwrite all her medical notes on the back of napkins and burn them at discharge

  3. Shutdown the facility for a week while you scramble to come into compliance with the EU’s General Data Protection Regulation (GDPR)[1]

  4. Treat her like a regular patient and protect her information in accordance with the Health Insurance Portability and Accountability Act (HIPAA)[2]

If you answered A, B, or C, then it’s time to take a deep breath and relax. And possibly revisit your Emergency Medical Treatment and Active Labor Act (EMTALA) compliance.

The most reasonable answer is D. Although there are many frantic headlines regarding GDPR, it will likely have limited impact on most US healthcare providers. US healthcare providers should carefully review whether they fall under GDPR, including through marketing efforts and website information collection. If GDPR is applicable, then it is not too late to begin compliance, and HIPAA is a very good place to start.

What is the GDPR?

GDPR is a new set of rules drafted by the EU that are designed to provide a stronger set of protections to give individuals in the European Economic Area (EEA) (i.e., the 28 EU countries plus Norway, Iceland, and Liechtenstein) more control over their personal data. GDPR regulates the collection, use, disclosure, and other “processing” of personal data by “controllers” and “processors.” A “controller” is an entity that determines the purposes and means of the processing of personal data, while a “processor” is an entity that processes the personal data on behalf of the controller. The relationship of the controller and processor is analogous to the relationship between a covered entity and a business associate. The processor (business associate) processes data on behalf of a data controller (covered entity) and is required to protect the data the same way that a controller would. Like HIPAA, GDPR also requires controllers and processors to implement technical and organizational measures to prevent breaches of the personal data. GDPR does not refer to “citizens” or “residents,” but rather applies to the processing of personal data of any person in the EU (a “data subject”), even if the person is only in the EU temporarily.

Stateside impact?

HIPAA may not apply to entities located outside of the U.S. because neither the HIPAA statute nor the regulations address extraterritoriality, and Congress gave no indication that it intended HIPAA to apply outside of the U.S. Unlike HIPAA, GDPR has direct extraterritorial reach to entities that process the personal data of EU data subjects, regardless of whether the processing takes place within the EU. The good news is that GDPR will not affect a majority of US healthcare providers and only affects healthcare providers that are:

  • Physically located in the EU,

  • Market to EU data subjects, or

  • Monitor data subjects’ behavior for activities taking place in the EU.

Marketing to EU data subjects involves more than EU data subjects having mere access to a US healthcare provider’s website or general global marketing. However, if a US healthcare provider actively pursues EU data subjects (e.g., by converting to EU currency on the provider’s website, offering a website specific to an EU country, marketing in the language of the EU country), then GDPR will apply.

Monitoring the behavior of EU data subjects relates to collecting information about an EU data subject’s activities while the data subject is in the EU. For example, as we go from website to website, different websites track information about us, such as what we click on, for purposes of building a profile about us. This is often used to target specific advertisements to us. If a US company collects this information while an individual is using the Internet from the EU, then the US company will become subject to GDPR.

In the scenario above, if the US provider that treated the Belgian patient did not market to the EU to try to attract EU patients and does not continue to provide treatment to the patient after she returns to the EU (e.g., telemedicine), then GDPR is unlikely to apply. However, if the US healthcare provider has a website specifically designed to attract Europeans, or uses website cookies for purposes of creating profiles about the online behavior of patients (or anyone else for that matter) when they are in the EU, then GDPR may become applicable to the US healthcare provider.

In determining whether GDPR is applicable, US healthcare providers should focus on questions such as:

  • Do we have offices in the EU?

  • Do we operate in the EU, such as by performing clinical research in the EU in partnership with EU institutions?

  • Do we advertise in the EU?

  • Does our website include features clearly aimed at attracting EU patients (not just international patients generally)?

  • Does our website include monitoring of patients or other website visitors (e.g., tracking website visitors’ behavior through website cookies or other means) that may capture behavior of EU data subjects?

Even if not directly subject to GDPR, US healthcare providers and other healthcare entities should also be careful about contractually agreeing to comply with GDPR. For example, certain online service providers may interpret that they are required to pass on GDPR-related contractual provisions to anyone who uses their services.

This document is only available to members. Please log in or become a member.
Become a Member Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings