What is GDPR?
The General Data Protection Regulation (GDPR) establishes protections for the privacy and security of the personal data of individuals in the European Union (EU). It was designed to harmonize data protection law across the EU and replaced the long-standing Data Protection Directive (95/46/EC).
GDPR applies to organizations established in the EU, as well as to organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals who are in the EU (regardless of where the organization itself is located).
The regulation protects personal data by defining how organizations may collect, process, store, and delete it once it is no longer required. It also gives individuals control over how companies use information that relates to them, through eight specific rights (among them the rights of access, rectification, erasure, and data portability).
It also lays down strict rules on what must happen when personal data is breached, and on the consequences (up to and including substantial fines) that organizations face for non-compliance.
Related Reading: Meeting GDPR Requirements with GoAnywhere MFT
The Relationship Between GDPR and Healthcare Data
Under GDPR, health data is a "special category" of personal data (Article 9), so it attracts more rigorous protection than other personal data. For example, healthcare organizations must understand how their patient information is collected, where it is stored, and on what legal basis it is processed. The result is safer personal data, and patients with more control over and insight into their own data.
GDPR defines three types of personal data that are particularly relevant to the healthcare industry (Article 4):
- Data concerning health: personal data related to a person's physical or mental health, including the provision of health care services, that reveals information about their health status. This includes any information about the type of care they have received.
- Genetic data: personal data relating to a person's inherited or acquired genetic characteristics that gives unique information about their physiology or health, in particular data resulting from the analysis of a biological sample (such as a lab result).
- Biometric data: personal data resulting from specific technical processing of someone's physical, physiological, or behavioral characteristics that allows or confirms their unique identification, such as facial images or fingerprint data. Because it identifies a specific person, it is personal data under GDPR and must be protected accordingly.
Article 9 prohibits the processing of these special categories of data unless one of the exceptions in Article 9(2) applies. The three most relevant to healthcare are:
- The data subject has given "explicit consent."
- "Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services."
- "Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices."
Two caveats apply. The medical-purposes exception is only available when the data is processed by, or under the responsibility of, a professional bound by an obligation of professional secrecy (Article 9(3)). And an Article 9 exception is needed in addition to, not instead of, a lawful basis for processing under Article 6.
The Impact of GDPR in Healthcare
Many U.S.-based healthcare organizations assume that if they have no operations in Europe, GDPR does not apply to them. That is not a safe assumption. Under Article 3, the regulation also reaches organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals who are in the EU. A U.S. clinic that markets to or remotely treats patients located in the EU (telehealth, follow-up care for medical tourists, an app that tracks EU users) must comply, however small it is. Note that scope turns on the data subject being in the EU and on the organization targeting them, not on citizenship: treating an EU citizen who happens to walk into a U.S. clinic does not by itself bring the clinic under GDPR. GDPR does not override HIPAA; an organization in scope of both must satisfy both. Enforcement against non-EU organizations is carried out by EU supervisory authorities (Article 27 generally requires such organizations to designate a representative in the EU), and data subjects also have a right to a judicial remedy and to compensation (Articles 79 and 82).
One of GDPR's eight rights is the "right to erasure" or "right to be forgotten" (Article 17): under certain circumstances a patient may ask a clinic or hospital to delete the data it holds on them. This is a far cry from the core practices of most healthcare organizations, which routinely retain medical records for long periods, sometimes indefinitely, to provide continuity of care. The right is not absolute, however. Article 17(3) excludes erasure where processing is required by a legal obligation (such as a statutory medical-record retention period) or for the health and public-health purposes in Article 9(2)(h) and (i), so a provider must map its retention rules to these exceptions rather than assume that every request must be honored, or that every request can be refused.
Other parts of GDPR also cut against many healthcare organizations' existing practices, such as pseudonymization, which the regulation names as an appropriate safeguard (Articles 25 and 32): replacing personal identifiers with non-identifying references or keys, with the re-identification key held separately from the data. Pseudonymized data is still personal data under GDPR (Recital 26), because whoever holds the key can re-identify it.
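What pseudonymization looks like in practice, as an added example that is not part of the original article and not GoAnywhere's code: each patient's direct identifiers are replaced with a keyed HMAC-SHA256 token, the clinical rows and the identity rows are split into separate stores, and re-identification (for example, to answer an access or erasure request) works only for whoever holds the key. The patient records, field names, and key below are constructed for the example.

```python
"""Pseudonymising patient records with a keyed, deterministic token.

Added example, not GoAnywhere's or the GDPR's own code. The records and the
key are constructed; in a real deployment the key lives in an HSM or
key-management service, never beside the clinical data.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Fields that directly identify the patient. Everything else is clinical content.
DIRECT_IDENTIFIERS = ("patient_id", "name", "date_of_birth")


def pseudonym(key: bytes, patient_id: str) -> str:
    """Keyed, deterministic pseudonym for a patient identifier.

    HMAC-SHA256 under a secret key: the same patient always maps to the same
    token, so visits stay linkable for continuity of care, but nobody can
    recompute or reverse the mapping without the key. A plain unkeyed hash
    would not do: patient IDs are low-entropy and could be brute-forced.
    """
    return hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(key: bytes, record: dict) -> Tuple[dict, dict]:
    """Split one record into a clinical row and an identity row.

    The clinical row keeps no direct identifiers, only the pseudonym; the
    identity row holds the identifiers plus the same pseudonym. The two are
    meant to be stored in separate systems with separate access controls.
    """
    token = pseudonym(key, record["patient_id"])
    clinical = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    clinical["pseudonym"] = token
    identity = {k: record[k] for k in DIRECT_IDENTIFIERS}
    identity["pseudonym"] = token
    return clinical, identity


def build_stores(key: bytes, records: List[dict]) -> Tuple[List[dict], Dict[str, dict]]:
    """Pseudonymise a batch. Returns (clinical_store, identity_store keyed by pseudonym)."""
    clinical_store: List[dict] = []
    identity_store: Dict[str, dict] = {}
    for rec in records:
        clinical, identity = pseudonymise(key, rec)
        clinical_store.append(clinical)
        identity_store[identity["pseudonym"]] = identity  # one identity row per patient
    return clinical_store, identity_store


def records_for_patient(key: bytes, patient_id: str, clinical_store: List[dict]) -> List[dict]:
    """Controller-side re-identification, e.g. to answer an access or erasure request.

    Requires the key: recompute the pseudonym for the known patient ID, then
    select matching clinical rows. Without the key this lookup is not possible,
    which is exactly the property GDPR expects of pseudonymisation.
    """
    token = pseudonym(key, patient_id)
    return [row for row in clinical_store if row["pseudonym"] == token]


# Constructed sample data (no real patients) and a constructed key.
SAMPLE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0")
SAMPLE_RECORDS = [
    {"patient_id": "MRN-000123", "name": "A. Example", "date_of_birth": "1970-01-01",
     "visit_date": "2021-03-02", "diagnosis_code": "E11.9"},
    {"patient_id": "MRN-000123", "name": "A. Example", "date_of_birth": "1970-01-01",
     "visit_date": "2021-06-15", "diagnosis_code": "I10"},
    {"patient_id": "MRN-000456", "name": "B. Example", "date_of_birth": "1985-05-05",
     "visit_date": "2021-06-15", "diagnosis_code": "J45.909"},
]


if __name__ == "__main__":
    clinical_store, identity_store = build_stores(SAMPLE_KEY, SAMPLE_RECORDS)
    for row in clinical_store:
        print(row)  # no name, MRN, or date of birth, only a pseudonym
    hits = records_for_patient(SAMPLE_KEY, "MRN-000123", clinical_store)
    print(f"{len(hits)} clinical rows found for MRN-000123 using the key")
```

Because the token is deterministic, the clinical store still allows a patient's visits to be linked, and the key holder can locate every row for a named patient; that is why this data remains personal data under Recital 26 and still needs the rest of the regulation's safeguards, and why an erasure request is answered by removing the identity row and the clinical rows found with the key, not by destroying the key alone.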
Related Reading: The Top 10 Healthcare Data Breaches of 2020
HIPAA vs. GDPR
HIPAA is a healthcare law that includes important data protection elements. GDPR, by contrast, is a data protection law that covers all sectors, including healthcare. Like HIPAA, GDPR requires security measures appropriate to the risk (Article 32) governing the use of medical technologies and clinical assets. In several respects, however, GDPR is more stringent than HIPAA.
The HIPAA Privacy Rule protects patients' Protected Health Information (PHI), which covers individually identifiable information about "health status, provision of healthcare, or healthcare payment." GDPR's scope is much broader.
GDPR defines "personal data" as any information relating to an "identified or identifiable natural person," which includes online identifiers such as IP addresses as well as payment card data. Much of this falls outside HIPAA's scope. GDPR also binds every controller and processor of that data, so organizations in the broader healthcare sector, such as providers of health and fitness apps, must comply with GDPR even though they fall outside the confines of HIPAA.
GDPR also requires organizations to answer data subject requests from EU patients within one month (Article 12, extendable only where necessary), faster than the 30 days plus a possible 30-day extension that HIPAA allows for access requests. And where HIPAA civil penalties are capped at $1.5 million per identical provision per calendar year (before inflation adjustments), GDPR fines can reach €20 million (roughly $24 million) or four percent of the violator's annual global turnover, whichever is higher.
Additionally, GDPR's breach notification deadline is a brief 72 hours from becoming aware of the breach (notification to the supervisory authority, Article 33), and affected individuals must be informed without undue delay when the breach poses a high risk to them (Article 34). That is far shorter than HIPAA's 60-day notification period.
Complying with GDPR as a Healthcare Organization
Data breaches in the healthcare industry have become an epidemic, and one that is unlikely to slow down any time soon. Given the cost to both organizations and patients, IT teams need a strong cybersecurity strategy built on effective tools and solutions, such as managed file transfer, to keep sensitive data safe.
The managed file transfer solution GoAnywhere MFT can help organizations address certain GDPR requirements through several key features, including data encryption, integrity checks on completed file transfers, secure forms for collecting data subject consent, and detailed audit trails.
With MFT, you can eliminate the custom programming and scripting normally required for data transfers. MFT can also improve the quality and security of files you send in-house or to remote locations, trading partners, other businesses, or the cloud.
Related Reading: 8 Ways to Protect Your Healthcare Organization from a Data Breach