GDPR and Healthcare
You've probably heard about the General Data Protection Regulation (GDPR), the recent European Union (EU) law. If your company processes personally identifiable information of EU citizens, you're bound by the GDPR even if your office is located abroad. The biggest impact will be on the healthcare industry. Special category data, which includes information about an individual’s health and treatment, may only be processed within strict compliance rules. This data is now subject to higher standards of protection because much of the data used in healthcare management is considered sensitive personal data.
4 GDPR Key Areas Relating to Health
1. Important Concepts
There are four types of data in the GDPR that specifically impact the healthcare industry, namely:
A. Health Data - personal data related to the physical or mental health of an individual.
B. Genetic Data - personal data related to the inherited or acquired genetic characteristics that give unique information about the physiology or health of a person.
C. Biometric Data - physical, physiological, or behavioral characteristics that allow or confirm the unique identification of a person, such as facial images or fingerprints.
D. Sensitive Personal Data - includes the 3 types of data listed above. Processing of this data is prohibited unless specific conditions defined in Article 9 (2) of the GDPR apply.
2. Prohibited Under GDPR
Companies or individuals will no longer be allowed to process personal data in order to reveal anyone’s race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or use genetic or biometric data to uniquely identify a person. It will also be illegal to process data concerning health or data concerning someone's sex life or sexual orientation.
3. Conditions that Permit Data Processing
The GDPR recognizes that there are certain circumstances where an individual's personal data must be processed. If any of the conditions outlined in the GDPR Article 9 (2) are met, the data may be processed. Here are three key conditions which may apply:
1. The data subject has given "explicit consent" to the processing of those personal data for one or more specified purposes.
2. The processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services.
3. The processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.
Consent is an important requirement under the GDPR. Clear consent must be given before a company may begin processing someone's data. Consent can no longer be inferred from silence, pre-selected boxes, or inactivity. For the healthcare industry, the GDPR requires "explicit consent." This means it must be provided in a clear statement, whether written or spoken. Specific consent is required for sensitive personal data such as genetic data, biometric data, and data revealing ethnic origin.
Impact on the Healthcare Industry
With the GDPR, the healthcare industry is compelled to be more diligent in managing personal data than previous requirements demanded. The GDPR provides for a tougher enforcement approach by the Data Protection Authority (DPA), including the ability to impose significant fines of up to €20 million or 4% of global annual revenue for non-compliance. The DPA can also issue reprimands, warnings, and bans.
One of the most significant changes under the GDPR is mandatory data breach reporting. Data breaches must be reported to the DPA within 72 hours, and the individuals affected must also be notified. Healthcare organizations must have clear, practical, and effective procedures in place that can be acted upon immediately in order to meet GDPR requirements.
Outsourced Data Protection and Cybersecurity Solutions
The wide-ranging requirements of the GDPR present significant challenges for healthcare companies. The GDPR requires controllers and processors to designate a Data Protection Officer to oversee GDPR compliance. Moreover, cybersecurity threats are growing and becoming more dangerous each year. Healthcare businesses are under attack like never before. You need a competent and highly professional team of data protection and cybersecurity experts. But with skyrocketing costs, what can businesses do?
Infinit-O Global is helping companies meet regulatory compliance requirements by centralizing and automating the critical data processes that must be executed to achieve compliance. We enable businesses to create and execute a strategic data privacy system focused on mitigating risks, increasing compliance, strengthening cybersecurity, and optimizing technology resources. We can help your organization protect its data privacy by providing a complete set of customized solutions for managing your data and cybersecurity platforms. Get in touch with us today to consult about your unique Healthcare IT Support needs. We’re here to help you succeed!