The U.S. healthcare system generates about 30 percent of all data produced worldwide, and that data is subject to strict mandates surrounding its privacy and protection. From HIPAA to electronic health records (EHR) and the 21st Century Cures Act, healthcare providers are familiar with data-protection requirements and work hard to comply with them. But a game changer, the General Data Protection Regulation (GDPR), is on the horizon and promises “to give individuals greater protection and control over their digital information and will impact not only EU member states, but any business that collects EU citizens’ data,” according to Business Insider.
That broad scope includes, for example, any software-as-a-service provider building new apps that work with and access data across international boundaries. It also includes any organization that has vendors or vendor solutions with locations or employees in the EU, and those that work with and share data with researchers, physicians and healthcare organizations in the EU. One point of precision: the regulation's territorial scope is triggered by processing personal data about people who are in the EU, regardless of their citizenship, so a U.S. health system that treats or enrolls EU residents is in scope even if no EU citizen is involved.
That means substantial changes in the ways physicians and health companies, which are already “awash” in digital health apps and digitizing patient records, must approach data, according to Business Insider:
- Companies will be required to appoint a data protection officer to ensure internal compliance with the regulation if their core activities involve processing sensitive data, such as health data, at scale. They also will be obligated to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, and to notify affected individuals without undue delay when the breach is likely to pose a high risk to them. That’s a significant change from current U.S. practice under the HIPAA Breach Notification Rule, which gives covered entities up to 60 days after discovery to report a breach.
- Companies must disclose more precisely how they’re using customers’ data. This means that permissions can’t be bundled together — patients must consent to each permission independently.
- Companies will also be beholden to Europe’s “right to be forgotten,” a concept established in EU case law and codified in GDPR as the right to erasure, which requires data controllers to remove data that’s “inaccurate, inadequate, irrelevant or no longer relevant.”
Combining the EU mandates with existing HIPAA, EHR and other requirements could hurt telehealth and health cloud offerings, according to the article. GDPR also threatens to “add another hurdle for clinical research and the development of precision medicine,” because those activities depend on storing and using personal health data, lab results, and data from wearables and genome tests.
There are some positives, however, for healthcare systems:
- Companies are required to create tools that enable “data portability” so individuals can move their information more easily from one service provider to another. This will force health systems to make technology updates that will make interoperability possible and that will allow for a fuller picture of patients’ health history.
- GDPR’s privacy-forward policies could help to reverse the negative effects caused by the sheer volume of health data breaches; in March alone, 120,000 health data breaches were reported. For example, Apple plans to overhaul its privacy policies ahead of the GDPR rollout to give users more control over their personal data.
- It could spur the adoption of alternative modes of data management, such as blockchain. This technology is gaining significant attention because of its ability to act as a shared, tamper-evident source of information and to distribute that information securely between a network of participants. Proponents say it improves transaction times and greatly reduces redundancy and costs. One caveat for health systems weighing it against GDPR: an append-only ledger is, by design, hard to erase from, so personal data should be kept off-chain with only hashes or pointers recorded on the ledger if the right to erasure is to remain satisfiable.