With the General Data Protection Regulation (GDPR) due to take effect on May 25, 2018, there is considerable concern and uncertainty about how, and how much, the EU regulation will affect data-related activities in the United States and other countries outside Europe.
The GDPR is a regulation approved by the European Union in 2016, after four years of deliberation, to set more stringent and expansive rules for the collection, management, storage, and use of data on EU residents in order to protect their privacy. It replaces the Data Protection Directive 95/46/EC, which predates today’s internet-driven business world and no longer provides sufficient data protection.
The regulation applies directly in all 28 EU member states, but its reach is wider than that: any business or organization that processes or uses EU residents’ personal data in its transactions, regardless of where it is located, must comply with the new data-protection rules.
Failure to comply attracts a maximum fine of 4 percent of the company’s annual global turnover or 20 million euros, whichever is greater. As it turns out, time is running out for many companies and organizations, given the short period left to adapt or risk paying this fine.
Companies required to comply with the regulation include:
- Companies with a presence in an EU country
- Companies outside the EU that process data of European residents
- Companies of any size: the 250-employee threshold in the regulation only relaxes the duty to keep records of processing activities, and even that relief is lost where the processing is likely to affect the rights and freedoms of the data subjects, is not occasional, or includes sensitive personal data
Personal data protected by the GDPR includes basic identity information, health and genetic information, biometric data, racial or ethnic data, sexual orientation, political opinions, and web data such as IP addresses, cookie data, and location.
Many companies in the United States have begun amending their “Terms of Service” to comply with the new regulation with regard to data on EU citizens. A 2016 PwC survey indicates that 92 percent of US companies consider GDPR compliance a top priority, and according to an Ovum report about two-thirds of US companies acknowledge that they will need to make significant operational changes in handling data on EU residents.
Implications for Health Travel
The new regulation will no doubt change the way stakeholders in the health travel industry handle personal data belonging to medical tourists from the EU. Airline operators, hotel administrators, health travel agencies, health tech companies, healthcare providers, and insurers must all comply with the regulation, given the large volume of sensitive personal data they process.
These companies use such data to market new “products” or services to a targeted audience, and they share large volumes of it with other suppliers or vendors such as airline operators, hoteliers, and health travel agencies.
The categories of health data protected under the GDPR include genetic data, biometric data, and data concerning health. Healthcare providers carry an added burden here: the regulation treats these as “special categories” of personal data, which must be held to a higher standard of protection than ordinary personal data.
The GDPR has no geographical boundaries: healthcare providers and leaders in the United States are also subject to the new rule insofar as they hold data on medical tourists from the EU. However, many healthcare providers and organizations in the United States have not yet become acquainted with these requirements or with how they will affect the industry.
The GDPR regulates the collection and processing of personal data by controllers and processors. A “controller”, as defined by the regulation, is a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
Healthcare providers and insurers that are “covered entities” under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) will generally be the controllers of health data in this regard. A “processor”, by contrast, is a natural or legal person, public authority, or agency which processes personal data on behalf of the controller. Cloud providers and payroll service providers are typical processors.
The GDPR therefore establishes the conditions under which personal data on EU patients or prospective patients may be collected and processed by healthcare providers. It requires controllers and processors to have a lawful basis for collecting and processing personal information about an EU resident. Consent is one such basis, but not the only one: for health data the regulation also permits, among others, processing that is necessary for the provision of health care or treatment. Whichever basis is relied on must be identified and documented before processing begins.
It also establishes the rights of EU patients to access, rectify, restrict the processing of, or erase their personal data, and to withdraw consent they have given, broadly similar to the rights under the HIPAA Privacy Rule.
Where processing relies on consent, it must be obtained from the patient before their personal data is processed, and under the rule that consent must be freely given, specific to the purpose for which the data is to be processed, informed, and unambiguous. For health and other sensitive data, the consent must also be explicit.
Post-discharge patient engagement is also subject to the GDPR: health data collected and processed after an EU resident has returned home from care received outside the EU remains covered by the regulation.
To avoid the penalty and its attendant consequences, stakeholders in the health travel industry need to revisit their security and risk strategies to comply with the regulation. The first step is to adhere to the principle of “accountability” stipulated by the rule, which involves establishing a GDPR compliance program that assesses the organization’s current level of compliance and identifies gaps.
In addition, these health travel suppliers need to conduct an audit of all personal data processed by the organization and review their data-protection policies. This data mapping should give a clear picture of which types of health data are collected, the purpose for which each is collected, where and how it is stored, with whom it is shared, and how long it is retained.
Documenting the audit results is useful for demonstrating compliance with the rule. It may also require appointing a Data Protection Officer (DPO) responsible for compliance with the new data-protection standards; the regulation makes a DPO mandatory where an organization’s core activities involve large-scale processing of special categories of data such as health data, which describes many healthcare providers.
The new regulation will also change the game in destination brand marketing and advertising for medical tourism companies. Bringing these activities under the regulation will alter the marketing systems and analytics tools these companies employ.
Third-party processors hired by medical tourism suppliers can also suffer data breaches, and if they are not compliant with the regulation, the primary supplier that engaged them is non-compliant too and at risk of facing the penalty.
When a medical tourism agent shares personal data with a vendor such as a hotel, a Data Processing Agreement (DPA) must be in place between the agent and the vendor before the data is shared, confirming the vendor’s compliance with the GDPR and setting out the purposes for which the data may be processed.
Given the breadth and complexity of the GDPR, it is essential for all stakeholders in health travel to pay close attention to their current data-handling policies, especially where they concern EU residents, and to put appropriate measures in place to maintain unhindered patient flow while protecting patient privacy.