Does the European Union’s General Data Protection Regulation (“GDPR”) Affect You? HIPAA & HITECH Act Blog by Jonathan P. Tomes

The European Union’s General Data Protection Regulation (“GDPR”) protects personal data for European Union (“EU”) residents around the world. Under it, any business or organization, including a health care facility, that processes or stores the data of EU residents is subject to GDPR rules and regulations, regardless of whether that facility performs any services in European Union countries. One way to look at the GDPR is as an expansion of the Health Insurance Portability and Accountability Act (“HIPAA”) Security and Privacy Rules. Similar to the protection that HIPAA provides for protected health information (“PHI”), the GDPR regulates the accessing, processing, storing, and destroying of such personal data.

The overarching theme of the GDPR is that, unlike United States law, it considers the data of EU residents as the personal property of the resident, not of the entity that created, uses, discloses, and stores it. In the U.S., the patient’s chart and all other individually identifiable health information is the personal property of the entity, limited only by the patient’s rights to access, amend, and otherwise exercise some control over how it is used or controlled. This theme is carried out in the GDPR’s provisions for individual rights as follows:

  • Informed Consent: The right to be clearly informed why the data is needed and how it will be used. Consent must be explicitly granted and can be withdrawn at any time.
  • Access: The right to access, free of charge, all data collected, and to obtain confirmation of how it is being processed. This differs from HIPAA, which does not mandate free access, only reasonable, cost-based fees, and its right to an accounting would appear to be more restricted.
  • Correction: The right to correct data if inaccurate. HIPAA’s right to request correction or amendment probably satisfies this right under the GDPR.
  • Erasure and the Right To Be Forgotten (“RTBF”): The right to request erasure of one’s data. HIPAA has no provision requiring covered entities to honor a patient’s request to have his or her data erased. Under current U.S. law and practice, even an erroneous entry relating to another patient must be retained in the chart, although it should be flagged as an error.
  • Data Portability: The right to retrieve and reuse personal data, for one’s own purposes, across different services. HIPAA probably satisfies this requirement in its access requirement.

The GDPR also has an expanded notification requirement. HIPAA requires notification only on the presumption that any acquisition, access, use, or disclosure of PHI not permitted under the HIPAA Privacy Rule was a breach, unless the covered entity or business associate can demonstrate that “there is a low probability that the [PHI] has been compromised based on a risk assessment.” See my January 17, 2013, blog post, “Risk Analysis Change for Breach Notification,” at

Rather, the GDPR requires notification of any personal data breach likely to result in a risk to “the rights and freedoms of individuals.” Where that risk is deemed “high,” notification must also be extended to the affected data subjects. Notifications must be made “without undue delay” and where feasible, within 72 hours of the discovery of the breach. In contrast, HIPAA requires “without unreasonable time and no later than 60 days after discovery of a breach.”

Although the GDPR prohibits the unnecessary collection of personal data by health care organizations, several exceptions allow for its collection. In order for health care organizations to collect specific personal data, the collection has to fall into one or more of the following categories:

  • Data has been given with explicit consent from the owner. The regulatory consent of HIPAA would appear insufficient, and thus, the provider would need a signed consent even for treatment, payment, and health care operations (“TPO”) data.
  • Processing data is necessary to the “vital interests” of the patient/provider. HIPAA has no such provision, but it seems unlikely that one would collect unnecessary data.
  • Processing is needed for the purposes of preventative or occupational medicine. Again, probably already covered.
  • Data is necessary for the good of the public health. No conflict with HIPAA here.

Failure to comply can result in serious fines. Fines are calculated based on a number of factors but can range up to the greater of $24.8 million or four percent of global annual turnover. Enforcement of these fines may be difficult in the overseas situation, but do you want to bet on it? Or do you want the publicity of being found to have violated European privacy rights?

In conclusion, although many of the things that you are (hopefully) already doing under HIPAA to protect PHI and afford patients their HIPAA rights will satisfy the GDPR, you will have another regulatory burden if you treat foreign patients—that is, those who come to the U.S. for its good medical care that they cannot get at home or who get sick or are injured while in the U.S. for business or pleasure.

Alice here: For an introduction to other international HIPAA considerations, consider reading a book that Jon wrote for the American Bar Association with Rachel V. Rose and Lance H. Rose, What Are . . . International HIPAA Considerations? It is available both on the ABA website at and on Amazon at
