Almost a year later, healthcare providers are still struggling to meet GDPR data protection standards. If you’re still working on GDPR compliance, here are some of the major pitfalls to avoid.
It’s been nearly a year since the original General Data Protection Regulation (GDPR) deadline of May 25th, 2018, but some healthcare providers still aren’t meeting EU standards for data security — and many don’t even realize it.
Though widespread changes are certainly being felt across the industry, the complexity of healthcare’s data regulations has caused the sector to lag behind others in terms of GDPR compliance.
For this reason, more and more healthcare organizations have been actively investing in increased IT and data solutions, reexamining their digital strategies and ensuring that they’re compliant every step of the way. However, missteps are relatively common, and penalties are steep — a single mistake can cost providers up to 4% of their annual revenue.
For healthcare providers who are treating, marketing to, or researching data from European patients, it’s important to understand exactly how and when they’re in breach of the GDPR. In fact, complying with EU privacy standards could save providers thousands or even millions of dollars.
Understanding the GDPR
While the GDPR can certainly make life a little more difficult for healthcare providers and marketers, it ultimately serves to protect patient data. The new EU regulations were set to give individuals the right to access information about where their personal data is being kept and how it’s being used.
As a result, healthcare providers have been prompted to take greater responsibility for securing patients’ data and private medical information. Under the new requirements, providers must get clear consent from subjects located in the EU to process and handle their data, and they must include information in consent forms about why data is being collected.
Businesses or organizations that collect or process the data of any Europe-based users are required to comply with the regulations. Unfortunately, this is where many healthcare providers can stumble. It’s easy to simply not realize that a patient is EU-based, especially if their location changes mid-treatment or if they’re being treated remotely.
Recognizing Potential GDPR Pitfalls
It’s essential that US-based healthcare providers learn to recognize when GDPR regulations may be triggered. Often these situations are not as simple as they may seem. For example, the GDPR shouldn’t impact a doctor who happens to treat an EU patient while the patient is in the US — but if the physician continues to monitor that patient’s progress after they return home, things could get more complicated.
While this may seem like an unlikely scenario, a 2015 report shows that about 50,000 EU citizens actually visit the United States for health treatment each year. In addition, hospitals or medical practices that advertise their specialty care in Europe in the hopes of reaching this audience also need to be aware that they may fall under the GDPR umbrella. Some health providers need not even actively advertise in the EU to run up against the GDPR; if your practice uses email marketing, for instance, it’s always possible that you’re sending emails to an EU citizen without their express consent.
“Consent” is the operative word of the GDPR — healthcare providers should remember that, based on GDPR regulations, patients must actively “opt in” to have their data stored or copied. When creating website forms or storing patient data for treatment or marketing purposes, transparency is key. If your CMS offers GDPR compliance settings, use them. Look over your contact database regularly to ensure that all your contacts have opted in to marketing communications. Even better, make sure to consult your legal team to determine what your obligations are under the GDPR and how you can meet or improve upon them.
The costs of compliance may mean fewer email subscribers — but the costs of breaching the GDPR are far greater. Even if you’ve achieved full GDPR implementation, complacency may cost your organization, not only in legal fees, but also in consumer trust.