GDPR for US health companies

GDPR has a huge potential impact on US companies. Since coming into force in May 2018,  data protection authorities have dealt with over 200,000 cases, imposing €56 million in fines on companies from all over the world. So, what do you need to know about GDPR compliance?

Is GDPR applicable to all American health companies?

The GDPR (General Data Protection Regulation) doesn't apply to all US based companies. However, it applies to any US company who collects, maintains, or processes the personal data of individuals located within the EU. You must comply even if only one of your users is resident in the EU. It also applies to US companies that are  compliant with the EU-US Privacy Shield.

In healthcare, the biggest impact is on pharmaceutical, biotechnology and medical device companies. Health facility providers, like hospitals have much lower risk. However, if the hospital has patients from EU or in the EU, then GDPR applies.

What is the difference between GDPR and HIPAA?

As a US health company, you will already be used to complying with HIPAA. The good news is that there are many overlaps between HIPAA and GDPR, especially when it comes to PHI. However, there are a few key differences. Firstly, GDPR applies to any personal data (PII). Secondly, data that has been pseudonymized is still treated as personal data under GDPR. Thirdly, GDPR includes additional rights for data subjects such as consent tracking and the right to be forgotten.

GDPR checklist for US eHealth companies

1. Check what user information you already collecting. Do a quick review of your users' locations. If your users are located in the EU, check if “the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment.” It means that even indirect selling falls into this category.
2. Inform your users based in EU. At this point you need to asses all the tools for notifying users about how you use their data.  Now review all the tools you use including your privacy policy and consent tracking.
3. Start storing correctly. Implement procedures to collect user consents and to inform users about the processing of their data. Also implement procedures for compliant health data storage (similar to the Security Rule in HIPAA). Read all about storing user information here.
4. Understand data categories under GDPR. As a healthcare business you face even stricter rules, as the information you are storing can be very sensitive. Under GDPR there are 3 different categories including personal, special and anonymous data. Download our free guide to determine if you are storing health, personal or anonymous data.
5. Appoint a Data Protection Officer (DPO). It is useful to have a person, who will be responsible for GDPR and possesses expert knowledge of data protection law and practices. Read about DPO responsibilities in this article.  
6. Designate a representative in the EU. GDPR Article 27 specifies which non-EU organisations are required to appoint a representative based in one of the EU member states. The representative should be established in one of the Member States where the data subjects live.
7. Have a plan for data breaches. GDPR Articles 33 and 34 lay out your duties in the event personal data is exposed (or potentially exposed), whether through a hack or any other kind of data breach. Reduce the risks of data breaches by using proper access controls and implementing pseudonymization.

How can Chino.io help?

Chino.io is a platform for storing health data in a secure, compliant and simple manner. We are experts in both GDPR and HIPAA. Read our free eBook to learn more on how you can ensure compliance.