What is the GDPR? GDPR, or General Data Protection Regulation, is a set of laws passed by the European Union (EU) in May 2018 to provide rules for protecting electronic data on individuals in the European Union. These regulations impose security restrictions for Europe similar to those HIPAA imposes in the USA. One of the biggest differences is that the information being protected is all private data, not just health information. The legislation also targets the information held by companies that track consumers’ internet history for the purpose of marketing products and services.
Why should laws passed in Europe matter to US companies? The GDPR is enforceable against any company that falls within its rules, whether European or not. Additionally, other countries in Europe, Asia, and Africa are starting to adopt the GDPR. This raises two questions:
- What would make you subject to the GDPR?
- Will the US adopt the same or similar laws as the GDPR?
What would make you subject to the GDPR?
Contrary to what the salespeople are telling you, it is unlikely that you will be covered under the GDPR. The official website of the European Union (EU) states that the GDPR does not apply to your business if: “Your company is a service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn’t specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.”
The National Law Review here in the US says that the GDPR will apply to US healthcare only in the following circumstances:
- A part of your business is physically located within the EU.
- Your business offers goods or services (even if for free) to individuals in the EU. The offering of goods or services is more than mere access to a website or an email address. It includes, for example, marketing activities intended to recruit individuals in the EU to be patients at a hospital in the United States.
- You electronically monitor the behavior of individuals in the EU. This includes monitoring patients after they return to the EU, for example, as part of post-discharge patient engagement to prevent hospital readmission.
Are US healthcare practices subject to GDPR if a European citizen seeks treatment there while traveling or studying in the US? No, protected health information is not Personal Data under the GDPR merely because it concerns an EU citizen. Instead, the data must concern an individual located in a country covered by this legislation. The data collected from an EU citizen at a location in the United States will be subject to US law unless the data was solicited from an individual while the individual was physically located in the EU or the organization continues to monitor the EU citizen after the citizen returns to the EU, such as part of post-discharge patient engagement programs.
Would a US practice be subject to GDPR if it transmits patient records to a healthcare provider in Europe for a patient seeking treatment here? Again, no. Practices here must follow US law, but the EU health care provider must protect the individual’s privacy in accordance with GDPR while the individual is in the EU.
Are US practices subject to GDPR if they do not intentionally market to the EU but an EU resident visits their website? No. Here is a good example from the EU regulations website. A man in Paris went on the website of a pizza delivery service in Miami in order to purchase a pizza for a friend who lives in Miami. The Miami restaurant obviously doesn’t deliberately market its services and products in Europe. This would be considered incidental and not deliberate. Thus, the pizza place does not fall under the jurisdiction of the GDPR.
To read the full National Law Review article: https://www.natlawreview.com/article/does-gdpr-regulate-clinical-care-delivery-us-health-care-providers
Will the US adopt the same or similar laws as the GDPR?
This is a topic of much debate here in the US. The general belief among the more credible sources is that America has already passed and will continue to pass laws to protect an individual’s private information. It is unlikely that those laws passed will be the same as the GDPR. The political and business culture in the US is very different from most of the world.