Fraud examiners who work for health care providers should know the stipulations of the EU’s General Data Protection Regulation to protect patients from data breaches. The law also applies to U.S. organizations that provide care for EU citizens.
The global health care industry is facing multiple challenges as it tries to protect patients’ sensitive data from cybercriminals and fraudsters, especially during the COVID-19 age. Just in the U.S., health care organizations have endured at least 172 ransomware attacks since 2016 costing more than $157 million. (See the Feb. 11 Comparitech article by Paul Bischoff.)
Here are some key questions about protecting the privacy of all personally identifiable information (PII):
- What is privacy, and where does it come from?
- Why do we need regulations to protect privacy?
- Whose privacy is protected?
- When does an individual/entity have the right to disclose or collect PII?
The essence of the answers to these questions (and the first one in particular) lies in developed countries’ rules and regulations on privacy, such as these:
- EU: General Data Protection Regulation (GDPR) was adopted in 2016 and enforced in 2018. Also, Article 8 of the European Convention on Human Rights provides a right to respect for one’s “private and family life, his home and his correspondence.”
- U.S.: The Fourth Amendment to the Constitution ensures that “the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated …” The U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects the rights and data privacy of patients by imposing certain rules on health care providers when they collect patients’ protected health information (PHI), which is HIPAA’s term for PII.
- Chile: On June 16, 2018, the legislature amended its constitution with Law No. 21.096, which established the protection of personal data as a right.
- India: K.S. Puttaswamy vs. Union of India (Supreme Court of India, WRIT PETITION NO 494 OF 2012), in which the fundamental rights provided in India’s Constitution are interpreted to include the right to privacy.
So, to answer question No. 1, privacy is a sense of entitlement or the right of individuals to determine what information about themselves might be disclosed to others. In short, the right to privacy is “the right to be left alone,” as Louis Brandeis and Samuel Warren wrote in “The Right to Privacy.” (See the Harvard Law Review, Dec. 15, 1890.)
Now comes question No. 2: Why do we require such regulations? The answer is obvious. We voluntarily supply our PII to open bank accounts, sign up for gym memberships, receive IDs such as drivers’ licenses, buy online etc.
Regulations can keep in check companies and governmental agencies that otherwise might freely manipulate our data or misuse it for illegal purposes.
And answering question No. 3, if regulations are administered correctly, all citizens regardless of their color, sex, caste or origin should be protected.
On to question No. 4: When does an individual/entity have the right to disclose or collect data? This places the EU’s GDPR in the spotlight.
GDPR’s sweeping mandates
GDPR seeks to protect the data rights and privacy of users who are citizens of the EU member states. According to the law, processing shall be lawful only if and to the extent that at least one of the following applies:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child.
All U.S. health care businesses that serve the EU must also abide by GDPR. As per the regulation, U.S. health care providers are required to:
GDPR facts for health care providers (and fraud examiners)
Health care organizations collect vast amounts of data on their patients, which can include routine checkups and consultations, emergency department visits, outpatient or inpatient treatments, diagnostics, surgeries, medical research, and connected care devices, monitors and wearables.
Article 4 of GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’).” This includes all the health data collected and stored through any of the above services plus genetic and biometric data.
Genetic data includes the results of genetic tests such as DNA, RNA or chromosomal analysis of biological samples. Biometric data includes fingerprints and facial images that help confirm unique identification of a person.
GDPR provides several general rights for individuals, including:
Right to erasure. Article 17 of GDPR, also called the “right to be forgotten,” says that the “data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay …”
Explicit consent. Article 4 of GDPR says that a data subject’s consent means any:
- Freely given,
- Specific,
- Informed and
- Unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Greater control over data. By default, GDPR generally gives data owners greater control. This could have ramifications for the health care industry, which uses patient data and tissue samples for research and quality improvements. GDPR also requires entities to report breaches within 72 hours, which could keep health care providers on their toes.
Comparison of GDPR and HIPAA
According to the U.S. Department of Health and Human Services, HIPAA protects:
- Information that patients’ doctors, nurses and other health care providers put in patients’ medical records.
- Conversations patients have with their doctors, nurses and others about their care or treatment.
- Information about patients in their health insurers’ computer systems.
- Patients’ billing information at their clinics.
- Most other health information about patients held by those who must follow these laws.
The HIPAA Privacy Rule protects all “‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.”
A covered entity is permitted, but not required, to use and disclose protected health information without an individual’s authorization in the following situations: 1) treatment, payment and health care operations; 2) an opportunity to agree or object; 3) incident to an otherwise permitted use and disclosure; 4) public interest and benefit activities; 5) a limited data set for the purposes of research, public health or health care operations.
While GDPR and HIPAA serve the same objectives of patient data privacy, they differ in the ways they permit health care operators to manage it.
First, as per HIPAA, a health care provider can collect identifiable health information once it has data security measures in place. The law doesn’t have explicit requirements for patient consent. However, GDPR requires consent “by a statement or by clear affirmative action …”
Second, while GDPR allows patients the “right to be forgotten” through the “Right to Erasure” stipulation, HIPAA doesn’t have any such provision for patients. So, U.S. health care providers need to find ways to track and delete the data of any EU citizen who wishes to have their information removed from hospitals’ records. Not only should health care providers remove the data from their systems, they should also have it removed from the systems of third parties who were privy to this information.
Third, while HIPAA and GDPR both state that health care providers must notify customers and authorities of data breaches, the laws handle data breaches differently. Under HIPAA, all entities must immediately record and report major data breaches that involve the unauthorized disclosure of PHI (as HIPAA calls health care PII). However, providers can report minor breaches that have little impact on them and patients up to one year after incidents.
GDPR requires that providers immediately report breaches, irrespective of nature and size, to authorities and patients. Providers can face fines up to 20 million euros for failing to report and address breaches. (See Understanding GDPR Fines, GDPR Associates.)
Data requests for minors, mentally impaired
GDPR defines “consent” of the data subject as any “freely given, specific, informed and unambiguous indication of the data subjects’ wishes by which he or she, by a statement or a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” Unfortunately, GDPR doesn’t have a set process for collecting information from minors (via parents or guardians) or the mentally impaired (via a family member or third party).
Is data collected by U.S. health care providers legal and GDPR-compliant?
According to Article 9 of GDPR, health care data constitutes information about mental and physical health, genetic health and biometric health (including facial and thumbprint scans). All three types of data can only be shared among service providers if:
- Customers give explicit consent through a clear affirmative act.
- The data is necessary to discharge the duties undertaken by the health care provider.
- Data sharing is a legal obligation.
- The data when shared will protect the interests of the person and/or the general public.
These rules create two major challenges for health care providers: First, GDPR doesn’t expressly state the difference between “consent” (as discussed above) and “explicit consent.” So, EU health care providers still don’t have clarity on the nature of consent/affirmative acts they must receive from patients if they’re to use their PII. Also, the question of the validity of consent arises in situations where the client may soon lose all mental acuity.
(The December 2017 consent guidelines by the WP29 — the European Data Protection Board — further analyze “explicit consent.” I don’t have the space to delve further, but patients do have general rights to opt in or opt out of activities. So, sentences such as “We may use your personal data for internal quality assurance purposes” buried within lengthy terms and conditions of a consent form might no longer be acceptable.)
Second, any data that health care providers collect and process might or might not be legal depending on the EU’s definition of “explicit consent,” and the data might or might not be lawfully processed depending on the variations in stipulations between GDPR and the respective EU member-state rules.
U.S. health care providers doing business in the EU should also review data-processing rules and restrictions of specific EU countries to fulfill obligations that GDPR doesn’t cover.
How U.S. providers can comply with GDPR
Here are some ways health care providers in the U.S. can address GDPR. (This information is from the teachings of Attorney Benjamin Wright, an instructor at SANS Institute.)
Appoint a data protection officer
A data protection officer (DPO) can track the collection, management, use and sharing of data per GDPR, HIPAA and EU-related health care regulations.
Keep track of all websites that use cookies to collect data
Whether it’s a hospital’s website or a medical marketing agency that’s providing a sign-up form for a mailing list, health care providers need to monitor website cookies to see what sort of information is being collected from patients and how.
Also, monitor for lawful data collection and processing on any foreign-language medical website used extensively in the EU but owned/operated by U.S. companies.
Data-protection impact assessments
Though data-protection impact assessments (DPIAs) aren’t mandatory for health care providers, they’re advantageous if they’re:
- Processing large amounts of personal data.
- Introducing new information-collection processes that affect individuals.
- Sampling populations or forming cohorts for targeted outcomes.
Classify data based on sensitivity
Determine what constitutes “protected information” as per GDPR and whether you possess it so you can focus on meeting the exact compliance requirements.
Allow data access and data portability
HIPAA doesn’t make this mandatory, but it’s best to provide patients with the freedom to access, transfer and delete their data to comply with GDPR’s stipulations. This will also reduce vulnerability to data breaches.
Implement privacy in design
Unfortunately, GDPR is quite vague about implementation, which makes it open to interpretation and exceptionally dangerous for health care providers.
The best way to tackle this issue is to design and incorporate data privacy rights into systems from the first point of contact with patients. Implementing cybersecurity measures will help reduce health care providers’ vulnerability to data threats and keep EU patients safe.
Robin Singh, CFE, is a subject matter expert in compliance, ethics and privacy. He’s the group senior regulatory affairs and risk management officer for the health care sector of the government of Abu Dhabi in the United Arab Emirates. Contact him at robin@whitecollar.org and @RegTechDean.