GDPR

Subscribe to GDPR
GDPR Lock EU

Data subject access rights and your medical practice: The UK Information Commissioner’s Office (ICO) issues advice.

Medical practices have reported a significant rise in subject access requests (SARs) since the GDPR came into effect in May last year, which is a similar trend in other sectors. Here are some points of advice from the ICO:

  • General Practitioners (GPs) cannot query the reason for requesting the information.
  • Providing a patient with online access to their health records may be sufficient.
  • SAR response may be provided electronically (subject to safeguards such as encryption).
  • GPs can ask the patient or their representative to clarify the information that would be acceptable to satisfy the SAR.

Where an SAR is made on behalf of a patient by their legal representative:

  • GPs may ask for evidence of clear, specific authority of the data subject to exercise their right of access
  • If a GP thinks that more information than is necessary is being requested, they can check that the patient is aware of the full extent of what is being sought
  • In cases where practices have genuine concerns about giving out excessive information, they can provide data directly to the patient

Details from the UK ICO.

Registration to the Privacy Summit is open.

Fox Rothschild’s Minneapolis Privacy Summit on November 8 will explore key cybersecurity issues and compliance questions facing company decision-makers. This free event will feature an impressive array of panelists drawn from cybersecurity leaders, experienced regulatory and compliance professionals and the Chief Division Counsel of the Minneapolis Division of the FBI.

Attendees receive complimentary breakfast and lunch, and can take advantage of networking opportunities and informative panel sessions:

GDPR and the California Consumer Privacy Act: Compliance in a Time of Change

The European Union’s General Data Protection Regulation has been in effect since May. Companies that process or control EU citizens’ personal data should understand how to maintain compliance and avoid costly fines. Health care businesses should also prepare for the next major privacy mandate: the California Consumer Privacy Act.

Risk Management – How Can Privacy Officers Ensure They Have the Correct Security Policies in Place?

Panelists offer best practices for internal policies, audits and training to help maintain protected health information (PHI), personally identifiable information (PII) or other sensitive data. Learn the cutting edge strategies to combat the technology threats of phishing and ransomware.

Fireside Chat

Jeffrey Van Nest, Chief Division Counsel of the Minneapolis Division of the FBI, speaks on the state of affairs in regulation and enforcement; including how to partner with the FBI, timelines of engagement and the latest on cyber threat schemes. His insights offer details on forming effective cyber incident response plans.

Keynote Speaker – Ken Barnhart

Ken is the former CEO of the Occam Group, a cybersecurity industry advisor and the founder and principal consultant for Highground Cyber – a spin-off of the Occam Group’s Cybersecurity Practice Group. For more than a decade, he has helped companies of all sizes design, host and secure environments in private, public and hybrid cloud models. Prior to his work in the corporate sector, Ken served as a non-commissioned officer in the United States Marine Corp and is a decorated combat veteran of Operation Desert Shield\Storm with the HQ Battalion of the 2nd Marine Division.

Geared toward an audience of corporate executives, in-house chief privacy officers and general counsel, the summit will provide important take-aways about the latest risks and threats facing the health care industry.

Stay tuned for more agenda details. Registration is open.

The European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Whereas HIPAA applies to particular types or classes of data creators, recipients, maintainers or transmitters (U.S. covered entities and their business associates and subcontractors), GDPR applies much more generally – it applies to personal data itself. Granted, it doesn’t apply to personal data that has absolutely no nexus to the EU, but assuming it doesn’t apply to your U.S.-based entity simply because you don’t have a physical location in the EU is a mistake.

So when does GDPR apply to a U.S.-based covered entity, business associate, or subcontractor? As with HIPAA, the devil is in the definitions, so I’ve capitalized certain GDPR-defined terms below. GDPR is comprised of 99 articles set forth in 11 chapters, and 173 “Recitals” explain the rationales for adoption. Similar to the way regulatory preambles and guidance published by the U.S. Department of Health and Human Services (HHS) can be helpful to understanding HIPAA compliance, the Recitals offer insight into GDPR applicability and scope.

Under Article 3, GDPR applies:

(1) To the Processing of Personal Data in the context of the activities of an establishment of a Controller or Processor in the EU, regardless of whether the Processing takes place in the EU;

(2) To the Processing of Personal Data of data subjects who are in the EU by a Controller or Processor not established in the EU, where the Processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; or

(b) the monitoring of their behavior as far as their behavior takes place within the EU; and

(3) To the Processing of Personal Data by a Controller not established in the EU, but in a place where EU member state law applies by virtue of public international law.

It is paragraph (2) that seems most likely to capture unwitting U.S.-based covered entities, business associates, and subcontractors that are not established in the EU (though Recital 22 offers further explanation of what it means to be Processing data in the context of the activities of an establishment).

Notably, paragraph (2) makes it clear that while the entity need not be located within the EU for GDPR to apply, the data subject must be. If the U.S. entity offers goods or services to, or monitors the behavior of, data subjects who are “in” the EU, GDPR likely applies. It is the location of the data subject, not his or her citizenship, residency or nationality, that matters. GDPR does not follow the data subject outside the EU, but it does follow the data subject (even an American) into the EU – so long as the Processing of the Personal Data takes place in the EU.

So what does this mean for the U.S.-based covered entity, business associate, or subcontractor not established in the EU? It should carefully review its website, marketing activities, discharge or post-service follow-up procedures, and any other activities that might involve the offering goods or services to, or monitoring the behavior of, individuals in EU. If GDPR applies, the company will need to analyze how its HIPAA privacy and data security policies are inconsistent with and fall short of GDPR requirements. The company, whether a covered entity, business associate, or subcontractor, should also make sure that none of its vendors process data on its behalf in the EU.

In addition to understanding where data subjects are located and where Processing takes place in order to determine GDPR applicability, covered entities, business associates and subcontractors must determine whether they are acting as Controllers or Processors in order to understand their GDPR compliance obligations.

This can create particular challenges for a business associate.  If a covered entity is subject to GDPR, a business associate that creates, receives, maintains or transmits Personal Data on behalf of the covered entity will either be acting as a Processor (for example, where the covered entity simply uses the business associates tools or services to conduct its business), or a Controller (for example, where the business associate reaches out directly to plan members or patients, such as by an email campaign).  If the business associate’s services agreement or business associate agreement makes no mention of the fact that the covered entity is subject to GDPR, the business associate may not know whether it is also subject to GDPR, let alone whether it is a Controller or Processor.

The bottom line is that focusing on compliance with HIPAA and other federal and state laws pertaining to privacy and security of personal information is not enough, even for companies that view themselves as operating solely within the U.S.  A thorough risk assessment should include not only careful consideration of HIPAA requirements, but of the potential applicability and compliance requirements of GDPR.