GDPR, the General Data Protection Regulation, is the much anticipated new European Union (EU) security and privacy framework that goes into effect on May 25th, 2018. GDPR leaves some discretion to EU member states but, as a general rule—and the reason it is getting so much attention—it applies across all EU Member States. It applies to all storage of personal, individually identifiable data of EU citizens, which extends its coverage to healthcare providers, payors, life sciences, and digital health companies located anywhere.
The EU has been more progressive around data privacy, and that’s especially true for Germany. During World War II, the fascist regime used personal information to target people for all sorts of atrocities. Therefore, Europeans are especially sensitive to personal data being shared. The issue of data privacy and leaks has become more urgent in recent years after it came to light that the U.S. National Security Agency (NSA) was spying on European citizens’ data, starting a snowball effect that also involved issues of data privacy on Facebook and brought a seismic shift to international data privacy regulations.
If you do anything with EU citizen healthcare data, then you are at risk of significant penalties for violations. The penalties for violating GDPR can be up to $20m or 4% of global revenue, whichever is higher. That’s enough to put most healthcare vendors out of business. If you want to work in the EU, are already in the EU, or could even potentially collect EU citizen health data, you need to expand your compliance program and posture to minimize your risk.
Health data, “data concerning health”, is one specific category under GDPR and covers data concerning physical and mental health, genetic data, and biometric data. The good news is that GDPR has considerable overlap with HIPAA, and to an even larger extent, HITRUST. Fundamentally, addressing HIPAA and GDPR is about having security as a core tenet of operations; the major difference is ensuring that evidence and documentation are created to prove compliance with each framework.
Get a general overview of how GDPR compares to HIPAA including why GDPR is getting such outsized attention, the definition of GDPR, how to report breaches, the guidelines for health data access, and the required Data Protection Impact Assessments (DPIAs) on the Datica blog.
To understand whether the GDPR applies to your cloud service business, you need to first understand the different definitions of “Controller” and “Processor” and the relationship between the two. Using HIPAA as an analogy to explain: a Controller is like a Covered Entity, a Processor is like a Business Associate, and a Sub-processor is like a Subcontractor.
If you are reading this, you are most likely a Processor of some sort under the GDPR. Welcome to the club! This is what Datica is as well, because any piece of health IT technology that handles identifiable EU citizen data in a cloud-based modality can be considered a “cloud service provider”, which means a Processor.
Understand the obligations Processors (and cloud service providers) have within GDPR, risk allocation between business partners, the GDPR definition of data protection by design and default, and the role of HITRUST in GDPR compliance by reading the academy article, GDPR for Cloud Service Providers.
We get asked all the time what a data breach means. It often comes up when people compare a breach to a security incident. It gets even muddier when the term “security incident involving ePHI” is brought into the mix. While seemingly nitpicky, understanding the differences between these terms is essential to reduce your risk and to inform your partners and customers. Ambiguity and opacity are not a good strategy when it comes to compliance and foundational definitions.
Learn what counts as a security incident under GDPR, and how a GDPR data breach compares to a HIPAA data breach, in the Datica Academy article, What is a Data Breach under GDPR and HIPAA.
One of the most challenging aspects of any security and compliance program is data breach notification. “Breach notification” is actually multiple tasks — surveillance, investigation, and ultimately notification (to end users, partners, and sometimes media). It is time-consuming, expensive, and, when handled poorly, embarrassing for organizations, and it can lead to more investigations.
The 72-hour security breach requirement written into General Data Protection Regulation (GDPR) Article 33 is rightfully generating a lot of attention and angst. 72 hours is not enough time to do all of the things that organizations are used to doing ahead of notifying authorities and individuals about a breach.
GDPR breach reporting is more prescriptive and more aggressive than the requirements under HIPAA, or likely any other compliance framework. Learn the ins and outs of GDPR data breach requirements in the Datica Academy.
The breach notification requirements outlined in GDPR Article 33 are aggressive —“The controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority.”
At Datica, we’ve built and tested our breach notification process to meet the most stringent notification requirements of covered entities. At times, we’ve had to adjust our compliance program. The following steps are the ones we went through when we updated our breach reporting. All of these actions should be orchestrated by your data protection officer, the person at your organization who is ultimately responsible for your compliance with GDPR.
The academy post, GDPR Data Breach Notification Checklist, walks through the details of each step listed above that you should take to bring your breach reporting policies and procedures into compliance with GDPR.
Article 58 of the GDPR grants supervisory authorities the power not only to investigate controllers and processors but also to impose fines. The administrative penalties are defined in GDPR Article 83. The fines are in addition to other actions, such as audits and corrective actions, outlined in Article 58.
The specific GDPR penalty language, and the bulk of the discussion and interest in the Regulation, is in Article 83. There are two specific fine levels listed in Article 83: 1) 10,000,000 EUR, or 2% of total worldwide turnover (revenue), and 2) 20,000,000 EUR, or 4% of total worldwide turnover (revenue).
For a detailed understanding of the reasons for each of the different fine levels, advice on how to minimize your risk of GDPR fines, and a description of Article 84 member States’ penalties, read the Datica academy entry, GDPR Fines and Penalties.
While you are gearing up for the GDPR, one critical facet cannot be overlooked for healthcare enterprises and digital health companies who aspire to work internationally. If your U.S. company plans to bring health data from the EU back to the United States, you must address an additional privacy requirement laid out by the European Court of Justice.
The EU-U.S. Privacy Shield, which replaced the previous Safe Harbour Framework, levies a stronger obligation on U.S. companies today. To comply, companies must either self-certify for the EU-U.S. Privacy Shield or obtain a third-party assessment. This self-certification or assessment confirms that your company meets the Privacy Shield Framework requirements that help protect the personal data of Europeans.
The Datica blog has more information on Privacy Shield so you can know the ropes before pulling data back across the pond.
Datica’s compliance program is comprehensive. The process of expanding and proving compliance across multiple frameworks, both for us and our customers, is not new to us at Datica. You can follow our changes through the updates to our open source policies and procedures; our policies define the operational and technical controls we use. We started with HIPAA and quickly expanded to leverage HITRUST as the core risk framework for our internal compliance program.
We then added SOC2, Privacy Shield, and, most recently, GxP. We plan to complete our full GDPR audit by May 25, 2018, when GDPR goes into effect. Our goal has always been to build and maintain one compliance program to prove compliance with multiple frameworks. In the paraphrased words of HITRUST: one control, many frameworks.
Datica exists to help makers of digital health products be successful whether they work solely with U.S. citizen data or if they dip a toe into the commercial waters between countries. We live in a thriving, global digital economy today. When everyone follows the rules, we increase the chances of digital health success and decrease the chances of getting our hands and wallets slapped in court.