The General Data Protection Regulation (GDPR) became effective on May 28, 2018. GDPR establishes protection for the privacy and security of PERSONAL DATA about individuals located in the European Union (EU) and other European Economic Area (EEA) countries.

The GDPR definition of Personal Data is any information relating to an identified or identifiable natural person.

GDPR is similar in concept to HIPAA/HITECH in the United States, but it is broader in scope: it protects not only an individual’s health information (PHI) but all personal data.

The key aspects of the GDPR are:

  • Consent
  • Data controllers and personal data
  • Transparency
  • Safeguards
  • Data subject rights
  • Data Privacy Impact Assessments
  • Breach notification within 72 hours

GDPR applies to any US-based provider who collects and processes Personal Data about an individual in an EEA country over the internet or through mobile applications if the processing of that data is related to the offering of goods and services or online monitoring of that individual, e.g., use of cookies to track the individual.

A website that collects personal data for newsletters, marketing materials or other communications may trigger GDPR. Marketing, research, and clinical trials are risk areas for GDPR compliance.

Generally speaking, if an EU citizen comes to your organization and you collect the personal information necessary to provide treatment while that patient is in your office and not in the EU, the data collected is subject to US law.

If the post-treatment of an EU patient includes monitoring of the patient after return to the EU for treatment follow up, the data will be subject to both US law and the GDPR.

The GDPR imposes a stricter and more complex set of privacy and security requirements than HIPAA.

To see if your organization is at risk for GDPR compliance, please contact Lorraine Ludwigsen at lludwigsen@hcompliance.com