GDPR compliance: Considerations for U.S. healthcare organizations

Amy Joseph (ajoseph@health-law.com) is a Senior Counsel in the Boston office of Hooper, Lundy & Bookman PC. Krietta Bowens Jones (krietta_jones@dfci.harvard.edu) is Associate General Counsel at Dana-Farber Cancer Institute in Boston.

On May 25, 2018, the General Data Protection Regulation (GDPR),[1] a new data privacy law applicable to the European Union (EU) and countries in the European Economic Area (EEA), took effect, building upon and enhancing prior data protection requirements. The GDPR applies to the 28 member states of the EU as well as Liechtenstein, Iceland, and Norway, which are part of the European Economic Area. The United Kingdom has also implemented GDPR despite its planned exit from the EU. (For purposes of this article, the defined term “EU” is also intended to include the EEA for ease of reference.)

Specifically, the law regulates the processing of personal data of individuals in the EU, regardless of their citizenship status. “Personal data” is defined broadly as any information that can be used to identify a natural person.[2] The GDPR has extraterritorial reach and applies not only to organizations established in the EU, but also, under certain circumstances, to organizations established in the U.S. that process personal data of individuals in the EU. The public policy rationale behind the GDPR’s expansive scope is the desire to balance the business purposes that necessitate the flow of information to and from countries outside of the EU with individuals’ rights to privacy and control over their personal data.

In the months leading up to the effective date and immediately after, the GDPR received a flurry of media attention as certain U.S. organizations began rolling out GDPR-specific compliance measures (or, in some cases, opting to make services unavailable to individuals in the EU so as to avoid the GDPR’s reach). The news primarily revolved around the impact on social media service providers and other technology companies that offer products or services internationally; however, the GDPR also has the potential to apply to some U.S. healthcare organizations, given the seemingly broad applicability test. For example, engaging in certain clinical research activities or offering medical tourism programs to EU residents could subject a U.S. healthcare organization to the GDPR’s jurisdictional scope.

This article provides a high-level summary of the key questions and concepts for a U.S. healthcare organization to consider in order to determine if the organization is subject to the GDPR, and if so, what measures can be taken to ensure compliance with the new law.
