Under what circumstances must a U.S. healthcare provider comply with the European Union's General Data Protection Regulation, which will be enforced beginning in May? In an in-depth interview with Information Security Media Group, regulatory attorney Stephen Wu explains the conditions under which compliance is required.
For example, if a U.S. healthcare provider is marketing its services to European residents, or has a facility in Europe, then it must comply with GDPR, says Wu of the Silicon Valley Law Group.
"But if it's a strictly within-the-U.S. healthcare provider, where it's not attempting to market to Europeans - it's not putting up a website in foreign languages saying 'we'll take your Euros,' and if it's not located in the EU, then that entity is not covered by GDPR," he says.
Those that must comply with GDPR face a long list of requirements, Wu explains. That includes, for example, having patient consent to collect personal data and having a mechanism in place to comply with requests to, in certain circumstances, delete stored data.
Another consideration is determining if an organization must register with the U.S. Department of Commerce to participate in the Privacy Shield program, Wu says. "Participating in the Privacy Shield program means the entity will ensure the adequate protection of the information coming over to the U.S. from Europe," he says.
In the interview, Wu also discusses:
- Considerations for U.S. healthcare entities that do not actively seek patients from the EU, yet end up treating European residents and consequently have a data breach impacting those patients' information;
- How GDPR applies to vendors, such as cloud services providers, that handle health data;
- Comparisons between HIPAA and GDPR requirements;
- Upcoming GDPR enforcement activities that could potentially impact U.S.-based healthcare entities and vendors that handle the health data of European patients.
In his role as an attorney at Silicon Valley Law Group in San Jose, Calif., Wu focuses on compliance, liability and information governance in emerging areas of technology law. Wu served as the 2010-2011 chair of the American Bar Association Section of Science & Technology Law. He has also written or co-written several books on information security and the law.