As of May 25, 2018, the GDPR, which stands for the General Data Protection Regulation, is in effect in the European Union (EU). This regulation is much more expansive than our United States HIPAA law, and its coverage area is quite large considering how many different countries comprise the EU. The purpose of the GDPR is to protect the personal data (including PHI) of residents of the EU.
Who must follow the GDPR rules?
This is certainly an area practitioners want to look at very closely to ensure they are in compliance; if they are not, they may be fined. To get the compliance process started, practitioners should ask themselves the following questions:
Do I currently have patients who are residents of the EU?
Perhaps some practitioners treat European patients when they are here in the States. If this is the case, these offices must make sure they follow the GDPR and become compliant.
Does my website process any type of personal data for those who visit it?
Websites are clearly not only for U.S. residents; anyone can access a website across the globe. Practitioners must determine whether their websites require additional language in their terms of service policy in order to comply with GDPR.
What is defined as personal data by the EU?
Personal data is any information about an individual — whether it relates to his or her private, professional, or public life. Personal information includes any of the following: the individual’s name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or an IP address.
For example, upon arriving at your website, are visitors required or invited to provide personal information? This practice is common, because it lets practitioners understand who is accessing their website and who is interested in their practice. It is also typical for the practice or practitioners to use this information for their own purposes afterward.
If this sounds familiar, then yes, GDPR will apply, because the practice is now collecting the personal information of someone who potentially resides in the EU, and additional steps should be taken to ensure that you are compliant.
If, on the other hand, the practice does not collect any data — for example, if a website only provides educational information and visitors are not providing any personal information — then GDPR will generally not apply.
Similarly, GDPR will not be an issue if practitioners do not treat or have patients who are current residents of the EU.
Fined for Non-Compliance
If the answers to the above questions are yes, practitioners must be in compliance with the GDPR and be aware of its requirements. If business continues as usual, without the necessary adjustments, the practice can be fined for non-compliance. Keep in mind that fines can be as high as 20 million euros or 4% of your annual revenue.
May 25, 2018 was the starting point for the GDPR; it does not mean that all practitioners had to be fully compliant on that date. Understandably, there may be a period of time to allow for process review and adjustments. The quicker you assess whether the GDPR applies to your practice, the sooner you can be in compliance.
Contact me today with questions or comments.
Stephanie J. Rodin, Esq.
Rodin Legal, P.C.
Tel: (917) 345-8972
Fax: (917) 591-4428