Healthcare Companies Struggle to Comply with GDPR Data Privacy Regulations

By Stuart Tarmy

Automated Data Discovery must come first and is essential for compliance.

The upcoming EU (European Union) GDPR (General Data Protection Regulation) prescribes large penalties and fines for non-compliance on all companies that conduct business with consumers in the EU. The healthcare industry, which includes managed healthcare, pharmaceutical, medical devices, insurers and the like, is particularly vulnerable, as it is one of the world’s largest and fastest-growing industries, making up over 10 per cent of the gross domestic product (GDP) of most developed nations. As such, it will be one of the industries most affected by the upcoming regulation.

What you may not know is that the GDPR places significant additional responsibilities on US healthcare companies that may assume they are already covered through compliance with the Health Insurance Portability and Accountability Act (HIPAA). Unfortunately, this is not the case. There are significant differences between HIPAA’s ‘protected health records’ regulations and what is required under the GDPR.

The GDPR was developed to put both enforcement and ‘teeth’ into the European data protection and privacy laws, and the penalties for non-compliance are severe. Fines start at 20 million euros ($23.5 million) and go up to 4 percent of total global revenue, whichever is greater. In addition, certain EU countries may also impose fines and jail terms on individuals for egregious behavior.

To comply with the GDPR, companies must be able to show that they can discover, secure and purge all their enterprise data upon request. This is extremely difficult for most companies. According to Symantec’s ‘State of European Privacy Report’, approximately 60 percent of businesses do not have the systems in place to help them comply by deleting their customer data. A significant part of the problem is that they don’t even know where all their customers’ personal data exists within the enterprise – an essential first requirement for being able to delete it.

Fortunately, new automated, smart data discovery solutions are now making it possible for companies to quickly and efficiently discover and manage their data assets to meet the new regulation.

GDPR is Much Stricter than HIPAA

The GDPR is much stricter than HIPAA. There are several reasons for this. What is considered ‘private data’ under GDPR is much more expansive than under HIPAA, and healthcare companies will need to protect and secure a much wider range of data than they are used to. Personal data, as defined by the GDPR, includes all data that can directly or indirectly identify an individual. This is an extremely broad definition that includes everything from name, address, phone number and SSN to marriage status, education level, racial or ethnic origin, religious or philosophical beliefs, political opinions, association memberships and sexual orientation, as well as data concerning a person’s physical or mental health.

HIPAA, on the other hand, concerns itself solely with the protection and privacy of a person’s health care, including their health records, lab test results, and medical bills, as well as name, address and demographic information. The GDPR definition of ‘data concerning health’ and HIPAA’s ‘protected health information’ are very similar, but clearly the overall GDPR personal information mandate is much broader than HIPAA.

GDPR Consumer Rights are Stricter than HIPAA

The GDPR provides for certain consumer rights protections that are not required under HIPAA. These include the ‘Right to be Forgotten’ and the ‘Right to Data Portability’, or the ability for individuals to easily transfer their data files from one service provider to another.

The ‘Right to be Forgotten’ is a significant part of GDPR compliance. In essence, the ‘Right to be Forgotten’ says that any individual may request that information they consider wrong, outdated, slanderous, or no longer relevant be deleted from a company’s systems.

The ‘Right to Data Portability’ allows individuals to request that their personal data be moved electronically from one organization to another. While this has been in place for some time in the U.S. financial services industry (e.g., when you move your stock holdings from one brokerage firm to another), it is a new requirement for most other industries. A company that loses a customer is unlikely to want to help its competitor onboard the customer it just lost.

Both the ‘Right to Be Forgotten’ and the ‘Right to Data Portability’ will place increasing pressure on health care companies to have a complete understanding of their data assets and how to access them.

GDPR Data Breach Reporting Requirements are Stricter than HIPAA

In the event of a data breach, the GDPR has significantly stricter reporting requirements than HIPAA. Under the GDPR, companies will have limited time before a breach must be reported whereas HIPAA allows companies some time to investigate and correct the issue before reporting it.

Specifically, the GDPR requires companies to report breaches within 72 hours to each Country Supervisory Authority where a breach occurs. In comparison, HIPAA allows notification of a breach within 60 days to the U.S. Department of Health and Human Services (HHS), and only annually if the breach affects fewer than 500 individuals.

This GDPR requirement for 72-hour notification of a data breach means a company must be able to rapidly assess its current data landscape and any changes that have recently occurred.

Automated Data Discovery is the Key to Complying with the GDPR

To comply with the GDPR and avoid fines and penalties, companies must have a thorough and current understanding of all their data assets. New approaches like automated data discovery that utilize Machine Learning are essential in order to have high confidence in the completeness and understanding of your data and so comply with the regulation. These products are able to discover all of the data that resides in a company’s databases and/or Data Lakes, including the more difficult legacy, siloed and undocumented systems.

For example, if your company is asked to purge an individual’s personal data under the ‘Right to be Forgotten’, you will need to be able to purge all the information that exists within your enterprise and submit a signed report to the GDPR regulators (Country Supervisory Authority) verifying that you have done so. It is not sufficient to say that you have purged the information from the systems you can easily access, but not the more difficult siloed or undocumented systems.
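To make the discover-then-purge-then-verify sequence concrete, the following is an added example written for this page; it is not the author’s code nor any vendor’s product. It uses constructed sample records across three hypothetical stores (a CRM, a claims table and an undocumented free-text notes table), scans record values rather than column names so the hit hidden in the notes column is found, erases every flagged record, re-scans to confirm zero residual references, and produces a report with an integrity digest. The store names, field names and the `ANA_IDENTIFIERS` list are assumptions for the illustration.

```python
import hashlib
import json
import re
from copy import deepcopy

# Constructed sample data (not real records). "legacy_notes" stands in for
# the undocumented system: a free-text column with no schema hint that it
# holds personal data.
SAMPLE_STORES = {
    "crm": [
        {"id": 1, "name": "Ana Example", "email": "ana@example.org",
         "phone": "+44 7700 900123"},
        {"id": 2, "name": "Ben Sample", "email": "ben@example.org",
         "phone": "+44 7700 900456"},
    ],
    "claims": [
        {"claim_id": "C-1001", "member_email": "ana@example.org",
         "status": "paid"},
        {"claim_id": "C-1002", "member_email": "ben@example.org",
         "status": "open"},
    ],
    "legacy_notes": [
        {"note_id": 7,
         "text": "Call back Ana Example on +44 7700 900123 re: lab results"},
        {"note_id": 8, "text": "Ben asked for an itemised bill"},
    ],
}

# Identifiers the organisation holds for the subject making the request
# (assumed for the example). In practice this list must also include
# internal keys such as member numbers, or records linked only by those
# keys will never be found.
ANA_IDENTIFIERS = ["Ana Example", "ana@example.org", "+44 7700 900123"]


def normalise(text):
    """Lower-case and strip whitespace so spacing variants of the same
    phone number or name still compare equal."""
    return re.sub(r"\s+", "", text.lower())


def discover(stores, identifiers):
    """Scan every value of every record in every store for any of the
    subject's identifiers. Matching on values rather than column names is
    what finds the hit in the undocumented free-text column.
    Returns {store_name: [(record_index, [matched identifiers])]}."""
    wanted = {normalise(i) for i in identifiers}
    hits = {}
    for store_name, records in stores.items():
        for idx, record in enumerate(records):
            blob = normalise(" ".join(str(v) for v in record.values()))
            matched = sorted(i for i in wanted if i in blob)
            if matched:
                hits.setdefault(store_name, []).append((idx, matched))
    return hits


def erase(stores, identifiers):
    """Delete every record discover() flags, then re-run discovery on the
    result so the report can state how many references remain.
    Returns (stores_after, report); the input stores are left untouched."""
    before = discover(stores, identifiers)
    after = deepcopy(stores)
    for store_name, matches in before.items():
        drop = {idx for idx, _ in matches}
        after[store_name] = [r for i, r in enumerate(stores[store_name])
                             if i not in drop]
    residual = discover(after, identifiers)
    report = {
        "stores_scanned": sorted(stores),
        "records_erased": {s: len(m) for s, m in sorted(before.items())},
        "residual_references": sum(len(m) for m in residual.values()),
        "verified_complete": not residual,
    }
    # Digest over the canonical report so later tampering is detectable;
    # this is an integrity check, not the signature the regulator expects.
    canonical = json.dumps(report, sort_keys=True).encode()
    report["sha256"] = hashlib.sha256(canonical).hexdigest()
    return after, report


def report_digest(report):
    """Recompute the digest of a report (excluding its own sha256 field)."""
    body = {k: v for k, v in report.items() if k != "sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


if __name__ == "__main__":
    print("discovered:", json.dumps(discover(SAMPLE_STORES, ANA_IDENTIFIERS), indent=2))
    remaining, rep = erase(SAMPLE_STORES, ANA_IDENTIFIERS)
    print("report:", json.dumps(rep, indent=2))
```

Two caveats a practitioner would want before trusting this in earnest: substring matching over-matches on short identifiers (a name that is a prefix of another name would flag the wrong person’s record), and it under-matches on records that reference the subject only through an internal key that is not in the identifier list. Both are reasons to review the discovery output before erasing anything, and both are exactly the gaps a maintained data inventory is meant to close.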

