Most healthcare organizations are familiar with the privacy and data security requirements of the landmark HIPAA and its successor, HITECH, and brought their operations into compliance long ago. This may lead people to assume that complying with newer privacy laws will be easy, given everything they already do to meet current requirements.
These new statutes, however, could be the flies in their compliance ointment, because they are fundamentally different from previous laws. The EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are citizen privacy-rights laws, as opposed to cybersecurity- or data-management-focused laws like HIPAA.
These regulations assign new rights and ownership to data that weren’t there before, and they require a systemic rethinking of your data handling, not just its security. Before, you only had to keep a patient’s records secured; now you might have to be ready to hand them over or destroy them on request. This has profound implications for medical records and the industries that depend on them.
Getting to know the GDPR for healthcare
The GDPR is the most sweeping and onerous of the recent privacy laws. Most U.S.-based healthcare organizations falsely assume that if they don’t have operations in Europe, the GDPR doesn’t apply to them. The law, however, covers any data gathered on an EU citizen anywhere in the world. If even the smallest clinic treats EU citizens and therefore stores data on them, it would need to comply with GDPR mandates.
One of the more difficult parts of the law to deal with is the “right to forget,” which means patients could ask a clinic or hospital to erase all the data it holds on them. This runs against the practice of most healthcare organizations of retaining medical records for a long time, sometimes forever, to provide continuity of care. Other sections, such as the data pseudonymization requirement, which dictates how data records are stored, might also conflict with the entity’s practices.
Finally, the GDPR’s 72-hour breach notification requirement will be a challenge to meet even for the most prepared organization, and it is far shorter than HIPAA’s 60-day notification rule. While most smaller healthcare entities will probably choose to stick their heads in the sand and ignore this law, the larger ones will do so only at their peril.
Even though the GDPR is an EU law, it has the ability to reach over to our healthcare regulatory bodies, like HIPAA, and can bring civil suits in international court.
A deeper look into the CCPA for healthcare
The CCPA is modeled on the GDPR and is similar in that it applies to any data on California residents, even if it is stored in another state. Luckily, healthcare providers that are already HIPAA compliant are exempt from the “right to forget” clauses of the CCPA. That exemption, however, applies only to protected health information (PHI). If there is other personally identifiable information, such as billing records, that information must be “forgotten.”
Other parts of the law do apply, such as the right to request a “Do Not Sell” marker on all California residents’ records. Even if a request falls under an exemption, healthcare organizations must still have processes and procedures in place to respond to consumer requests.
Be proactive, not retroactive
Additionally, both regulations, as well as others in progress in other states, call out third-party risk management in more detail than HIPAA or HITECH do. Healthcare organizations will have to pay closer attention to how they monitor their third-party vendors and develop solutions to manage them.
Given all their other regulatory burdens, many healthcare providers, especially the smaller ones, may choose to put compliance with these regulations on the back burner, at least until a unified federal law is passed. The European Union is, however, already getting busy passing out fines to EU and American companies alike (Facebook and Google were among the first to see complaints)—and it’s only a matter of time before a breach of a big hospital network draws their attention.
And while there are many loopholes and exemptions that soften some of the requirements, there is enough lack of clarity in these new laws to keep regulators and lawyers busy litigating them for years. The bottom line is: privacy laws and their new treatment of data ownership are probably here to stay, and sooner or later you will have to examine your processes and procedures against these new standards.
Tony Howlett is a published author and speaker on various security, compliance, and technology topics. He serves as President of the (ISC)2 Austin Chapter and is an Advisory Board Member of GIAC/SANS. He is a certified AWS Solutions Architect, holds the CISSP and GNSA certifications, and has a B.B.A. in Management Information Systems. Tony is currently the CISO of SecureLink, a vendor privileged access management company based in Austin.