Health companies collect sensitive personal information like medical reports, health insurance information, biometrics, and whatnot. This information is unique to every individual and cannot be altered like email addresses. Such personal information in the wrong hands raises serious privacy concerns. Therefore, to avoid the misuse of personal data, the European Union (EU) enforced GDPR.
This article details GDPR compliance for healthcare and how it protects your sensitive health data.
What is GDPR?
The EU implemented General Data Protection Regulation (GDPR) on 25 May 2018. It is a set of regulations and guidelines framed by the EU to protect the personal data of EU citizens. These regulations regulate how health companies collect, store, process and transmit personal data of EU residents.
GDPR applies to all health companies based in the EU and outside the EU that deal with the personal data of EU citizens.
When and why was GDPR drafted?
Before GDPR, the Data Protection Act of 1998 was effective. The advancement of technology and data usage by businesses changed significantly over the years. These changes rendered older legislation incomprehensible. Further rise of social media platforms and their usage of personal data for targeted advertising called for better regulations fit-for-purpose in modern times.
Therefore, the EU drafted and implemented General Data Protection Regulation in 2016. It came into enforcement in 2018, applying automatically to all companies dealing with customers in the EU region.
GDPR Compliance for Healthcare
While GDPR deals with all personal data of EU citizens, it has a special category for health data. Given the sensitivity of health data, stringent regulations and penalties are in place to protect it as much as possible. Let’s know more about it.
How does GDPR protect sensitive health data?
Here are a few ways GDPR protects the sensitive health data of EU citizens.
Personal data for healthcare companies
GDPR defines personal data as any reference to identify a person like a name, email address, ethnicity, age, location, social identity, and even online identifiers like IP address.
GDPR compliance for healthcare has three additional definitions for health data:
- Data concerning health – any data revealing physical and mental health status
- Genetic data – all genetic data like inherited or acquired genetic characteristics, DNA etc.
- Biometric data – all unique identification and dactyloscopy data like fingerprints, palm prints, facial recognition, etc.
All health companies need to ensure this personal health data is secured and used only with individuals’ consent. If any data breach occurs, the company needs to inform the authorities and affected individuals (in case of a high-risk situation) within 72 hours of the breach. If not, they are liable to a penalty of up to £10 million or 2% of their global annual turnover, whichever is higher.
Processing sensitive data under GDPR
Health companies can process unidentifiable data at their discretion. But can process identifiable sensitive personal data only if:
- They have the patient’s explicit consent.
- Under other specific contracts or legal obligations
- It is essential for the life of an individual.
- It is in the public interest.
GDPR allows health companies to process health data lawfully, transparently, and for a specific purpose. All individuals whose data is processed must be made aware of what, how and why their data is being processed.
Access to personal data
With GDPR, customers have access to their data collected by health companies. They can view the data, see how it is being used, and transfer the data from one service provider to another with ease. They can also ask the company to change the data if it is incorrect.
To access the data, they can submit a Subject Access Request (SAR) to the health company. The company is bound to provide a full response within 30 working days.
Customers also have the right to be forgotten. It means they can ask the health companies to permanently delete their data from the company’s database.
Data protection officer
GDPR makes it mandatory for companies processing personal data of employees or customers to appoint a Data Protection Officer (DPO). DPO ensures all personal data is processed in compliance with GDPR and other applicable data protection laws. He is also the point of contact between the health company, data protection authority (ICO) and customers.
Who does GDPR apply to?
GDPR compliance for healthcare applies to all companies collecting and processing personal health data, whether they are based in the EU or outside the EU.
If a company is based in the US and deals with EU residents, it needs to comply with GDPR alongside HIPAA and other regulations in the US.
Can health companies use personal data under GDPR? How to process data under GDPR?
Health companies can process the personal health data of customers only if
- They have the patient’s explicit consent
- Under other specific contracts or legal obligations
- It is essential for the life of an individual
- It is in the public interest
What are the health company’s responsibilities in case of a data breach?
Firstly, health companies need to ensure all personal data is secure. They need to employ best cybersecurity practices to avoid any data breach. If any data breach occurs, they need to inform the Information Commissioner’s Office (ICO) within 72 hours.
In cases where a data breach might result in a high risk to the freedom and rights of affected individuals, the company needs to alert all the affected individuals.
What are the fines and penalties for breach of GDPR?
There are two levels of fines imposed on health companies in case of breach of GDPR.
Penalty for failing to report
If the company fails to report a data breach to ICO within 72 hours of becoming aware of it, they are entitled to pay a penalty of up to £10 million or 2% of their global annual turnover, whichever is higher.
Fine for breach of GDPR
For any data breach under GDPR, companies can be fined up to £20 million or 4% of their global annual turnover, whichever is higher.
Companies fined under GDPR
Many companies have been fined for data breaches under GDPR since 2018. Some of the most known ones are:
- British Airways was fined £183 million for data breaches that exposed data, including payment information, of 560,000 users.
- Marriott International Hotel Chain was fined £99 million after an unpatched vulnerability exposed £339 million in user records.
- Google was fined £50 million by the French data protection regulator for forced consent in its Android OS.
- The largest GDPR fine of £637 million is issued to Amazon by Luxembourg regulatory authorities.
Bottomline
Though GDPR is in place to protect the personal health data of customers, it is a cure more than a prevention. Companies need to implement advanced cybersecurity practices, a critical component of GDPR, to insulate health data. GDPR compliance for healthcare is just the beginning; Deeper progress can only be made by emphasising data privacy and digital security.
Further references:
https://www.itpro.co.uk/it-legislation/27814/what-is-gdpr-everything-you-need-to-know
