GDPR Compliance for US Healthcare: What You Need to Know
Attorneys Adam Greene and Robert Stankey Highlight Critical Issues
Strict HIPAA compliance is good preparation for complying with the European Union's General Data Protection Regulation, which will be enforced starting May 25, 2018, according to attorneys Robert Stankey and Adam Greene, who specialize in regulatory issues.
Certain U.S. healthcare entities that deal with patients from the EU need to comply with GDPR. That includes, for example, those that market their services to EU residents as well as those that are involved with clinical studies in the EU, Greene notes in an interview with Information Security Media Group.
"In a sense, for the small minority of U.S. healthcare providers or other healthcare entities that are subject to GDPR, they've been preparing for GDPR for 15 years now with respect to HIPAA because there is a lot of overlap between HIPAA and GDPR," Greene says. "And arguably, HIPAA may be better than practically any other U.S. privacy regime to prepare you for GDPR. You are pretty far along with GDPR if you have a robust HIPAA compliance program."
Differences Between HIPAA, GDPR
Nevertheless, the two regulations have a number of differences, Stankey points out. That includes, in particular, the GDPR's "right to be forgotten" provision.
"In the GDPR, the requirement to allow people the 'right to be forgotten' is a very broad right, but it has many different exceptions," Stankey explains. "In practice, especially with data that would be collected by a healthcare organization, while an individual may have the right under European law to ask for their data to be deleted, the healthcare provider is not obliged to immediately implement that request."
For example, if a healthcare entity has a U.S. regulatory obligation to report certain health data related to government inspections or insurance billing, those are "legitimate reasons the data can be retained despite the fact that the individual does have this broad right as a matter of principle to ask for that data to be deleted," he says.
In the interview, Greene and Stankey also discuss:
- How the GDPR's broad scope of personal information differs from what is considered "protected health information" under HIPAA;
- Steps that healthcare entities need to take right away if they're expected to comply with GDPR;
- The potential for GDPR enforcement actions against healthcare entities.
As a partner at Davis Wright Tremaine LLP in Washington, Greene specializes in HIPAA and HITECH Act issues. He formerly was senior health information technology and privacy specialist at the Department of Health and Human Services' Office for Civil Rights, where he played a significant role in administering and enforcing the HIPAA privacy, security and breach notification rules.
Stankey, a partner at the same firm, focuses on telecommunications, media and technology law. He has in-depth knowledge of privacy and telecom regulation in the U.S., Europe and Asia. A former senior in-house lawyer in the U.S. and Europe, he practiced with two international firms in London and is qualified to practice in the U.S. and the U.K.