Countdown to Health Care Privacy Compliance; GDPR Minus One Day

By Joan M. Lebow and Clayton W. Sutherland

As we hurtle to our deadline of March 25, 2018 for the European Union’s General Data Protection Regulation (GDPR) implementation, health care providers are quickly assessing gaps in their understanding of what is required by GDPR.  A key area of concern is how the GDPR’s requirements compare to previous requirements under HITECH/HIPAA and FTC requirements.

Elements of Consent and Article 7

Consent in the GDPR can be made easier to understand by breaking down the definition into principle elements and correlating them with the obligations found in the GDPR. The Article 4 definition can be divided into four parts: consent must be freely given, specific, informed, and include an unambiguous indication of affirmative consent. We will address each element in different blogs, starting with “freely given.”

“Freely Given” Element

“Freely given,” under the GDPR definition, is focused on protecting individuals from an imbalance of power between them and data controllers. Accordingly, the Article 29 Working Party (WP29)—the current data protection advisory board created by the Data Protection Directive—has issued guidance for interpreting when consent is freely given. Per this guidance material, consent is only valid if: the data subject is able to exercise a real choice; there is no risk of deception, intimidation, or coercion; and there will not be significant negative consequences if the data subject elects not to consent.[i] Consequently, consent must be as easy to withdraw as it is to grant for organizations to be compliant. Additionally, GDPR recital 43 states the controller needs to demonstrate that it is possible to refuse or withdraw consent without detriment.[ii]

Controllers (who determine the purposes for data processing and how data processing occurs[iii]) bear the burden to prove that withdrawing consent does not lead to any costs for the data subject and thus no clear disadvantage for those withdrawing consent. As a general rule, if consent is withdrawn, all data processing operations that were based on consent and took place before the withdrawal of consent—and in accordance with the GDPR—remain lawful. However, the controller must stop future processing actions. If there is no other lawful basis justifying the processing (e.g. further storage) of the data, it should be deleted or anonymized by the controller.[iv] Furthermore, GDPR recital 43 clarifies that if the consent process/procedure does not allow data subjects to give separate consent for personal data processing operations (granularity), consent is not freely given.[v] Thus, if the controller has compiled multiple processing purposes together and has not attempted to seek separate consent for each purpose, there is a lack of freedom, and the specificity component comes into question. Article 7(4)’s conditionality provision, according to WP 29 guidance, is crucial to determining the “freely given” element.[vi]

GDPR vs. HIPAA/HITECH and FTC Part 2

GDPRHIPAA/HITECHFTC
“Freely given,” under the GDPR definition, is focused on protecting individuals from an imbalance of power between themselves and data controllers.The limitations on health data use and authorization requirements are to help ensure the privacy of patients and protect their right to limit how their data is used.

This protection has various applications, including how data is used for marketing purposes as well as when or if data can be sold.
The FTC protects consumers from the imbalance of power between themselves and businesses providing services. They protect consumers, generally, with FTC Act § 5 powers.
A service may involve multiple processing operations for more than one purpose. In such cases, the data subjects should be free to choose which purpose they accept, rather than having to consent to a bundle of processing purposes.

Consent is not considered to be free if the data subject is unable to refuse or withdraw his or her consent without detriment. Examples of detriment are deception, intimidation, coercion or significant negative consequences if the data subject does not consent.

Article 7 (4) of the GDPR indicates that, among other things, the practice of “bundling” consent with acceptance of terms or conditions or “tying” the provision of a contract or a service to a consent request for processing personal data not necessary for the performance of that contract or service, is considered highly undesirable.
When such practices occur, consent is presumed not to be freely given.
An Authorization must include a description of each purpose of the requested use or disclosure of protected health information.
A covered entity may not condition the provision of treatment, payment, enrollment in a health plan, or benefit eligibility to an individual based on the acquisition of an authorization unless it falls under one any of the three enumerated exceptions, which are for psychotherapy notes, marketing or sale of Protected Health Information.

Under HIPAA/HITECH, generally bundling authorizations in with other documents, such as consent for treatment, is prohibited. However, there are three circumstances when authorizations can compound together to cover multiple documents or authorizations.
Unfair and Deceptive Business Practices:

Deceiving/ misleading customers about participating in a privacy program.

Failing to honor consumer privacy choices.

Unfair/unreasonable data security practices.

Failing to obtain consent when tracking consumer locations.

Children's Online Privacy Protection Rule ("COPPA")
A website or online service that is directed to children under 13 cannot collect personal information about them without parental consent.
Under the GDPR, the right to withdraw consent must be as easy a procedure as the one that grants consent for organizations to be compliant.

As a general rule, if consent is withdrawn, all data processing operations that were based on consent and took place before the withdrawal of consent—and in accordance with the GDPR— remain lawful. However, the controller must stop future processing actions.

If there is no other lawful basis justifying the processing (e.g. further storage) of the data, they should be deleted or anonymized by the controller.

GDPR recital 43 states the controller needs to demonstrate that it is possible to refuse or withdraw consent without detriment.
The right to withdraw an authorization is similar to the GDPR right to withdraw consent. The Covered Entity, like the Controllers, has the responsibility of informing data subjects of that right.

The revocation must be in writing, and is not effective until the covered entity receives it. In addition, a written revocation is not effective with respect to actions a covered entity took in reliance on a valid Authorization or if provision of a contract or service was conditioned on obtaining the authorization.

The Privacy Rule requires that the Authorization must clearly state the individual’s right to revoke; and the process for revocation must either be set forth clearly on the Authorization itself, or if the covered entity creates the Authorization, and its Notice of Privacy Practices contains a clear description of the process, the Authorization can reference the Notice of Privacy Practices.
According to better business practice promulgated by the FTC, companies should provide key information as clearly as possible and not embedded within blanket agreements like a privacy policy, terms of use, or even in the HIPAA authorization itself.

For example, if a consumer is providing health information only to her doctor, she should not be required to click on a “patient authorization” link to learn that it is also going to be viewable by the public. And the provider should not promise to keep information confidential in large, boldface type, but then ask the consumer in a much less prominent manner to sign an authorization that says the information will be shared.

Further, the health care provider should evaluate the size, color and graphics of all of their disclosure statements to ensure they are clear and conspicuous.

[i] Working Party 29. “Guidelines for Consent under Regulation 2016/679.” Working Party 29 Newsroom, Regulation 2016/679 Guidance, November 28, 2017, 7-9 30.

[ii] European Parliament, and European Council. “REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation).” Official Journal of the European Union, Legislation, 119/8 (May 4, 2016). [Herein after GDPR Publication].

[iii] See, id at 119/33 for Art. 4 (7).

[iv] Working Party 29. “Guidelines for Consent under Regulation 2016/679.” Working Party 29 Newsroom, Regulation 2016/679 Guidance, November 28, 2017, 21, 30.

[v] See, GDPR Publication at 119/8.

[vi] Working Party 29. “Guidelines for Consent under Regulation 2016/679.” Working Party 29 Newsroom, Regulation 2016/679 Guidance, November 28, 2017, 10, 30.

Joan M. Lebow is the Healthcare Regulatory and Technology Practice Chair in the Chicago office of Quintairos, Prieto, Wood & Boyer, P.A. Clayton W. Sutherland is a Class of 2018 graduate of the IIT Chicago-Kent College of Law.

Countdown to Health Care Privacy Compliance; GDPR Minus Eight Days

By Joan M. Lebow and Clayton W. Sutherland

Are you a US healthcare provider with concerns about data privacy, a patient, or a reporter or policymaker trying to understand the changing healthcare privacy landscape?  If you are, then our blog series will help you sort through the essential question about the relevance of the GDPR to you.

The European Council and European Parliament passed Regulation 2016/679, better known as the General Data Protection Regulation (GDPR), to repeal and replace Directive 95/46/EC, known as the Data Protection Directive (DPD). The new regulation creates a single set of privacy protection laws to be implemented in Member States and complied with by participants of the digital information market. Data processing under the GDPR is based on seven core principles: accountability; lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; as well as integrity and confidentiality.[i] These principles provide the foundation for the GDPR and its various compliance requirements. The GDPR applies to processors and controllers of data, similar to the DPD. For clarification, the controller says how and why the data is collected and processed, while the processor acts on the controller’s behalf.

The broadened scope of the GDPR is laid out in Article 3. The regulation applies to all companies processing personal data of EU residents regardless of the company’s location or where the processing takes place.[ii] Further, the GDPR applies to data processing by controllers or processors not established in the EU when the company offers goods or services to EU citizens and the monitoring of data subjects takes place in the European Union. Specifically, Article 3 §2 applies to entities established outside the EU but that conduct data processing activities under certain conditions. According to § 2(a), if you offer goods or services to data subject in the EU or, under § 2(b) if you monitor a data subject’s behavior that occurs in the EU, the GDPR will apply.[iii]

Under the GDPR, processing activities is broadly defined. Consequently, it should be understood as a set of activities—automated or not—that includes: data collection, storage, use, consultation, and disclosure by transmission among other activities.[iv] For example, a company’s medical app that transmits data concerning EU residents to doctors in the US for consultative services would be subject to the GDPR; for the US consultant, the transmission of the data is the prong that triggers application. Moreover, the GDPR applies when a company operates a website that meets Art. 3 § 2, of offering goods and services (business activities) or monitoring data subject behavior in the EU (business activities).

The GDPR data privacy security obligations, requirements, and rights are closing fast on providers in the US. The GDPR goes into effect on May 25, 2018. In the health care arena, US companies must comply with both the GDPR and existing US data security standards. Our blog series will assist with this reconciliation and normalization process for compliance officers and counsel trying to make sense of these overlapping frameworks.

We will start this series by introducing Article 6, and review consent under GDPR as a lawful basis for processing data. Next, we will analyze the GDPR’s definition of consent to help understand the four  primary elements and the conditions for consent found in Article 7. Then we proceed to Article 9, discussing the five  most relevant justifications for health and medical industry participants that want to process special categories of data and how such justifications relate to current compliance requirements in the US.

Consent and Article 6

Under the GDPR, data processing is only lawful if and when it falls under one of the six enumerated justifications in Article 6, including consent, performance of a contract, and satisfying legal obligations. We will primarily focus on consent and relevant sections in this review.

Consent is at the core of the GDPR regulation and is an area of expected focus for enforcement. Article 6(1) states that data processing, when relying on consent, is only lawful if and to the extent that (a) the data subject has given consent to the processing of their data for one or more primary purposes. Thus, obtaining valid consent is always preceded by the determination of a specific, explicit and legitimate purpose for the intended processing activity. Generally, consent can only be an appropriate lawful basis if a data subject is offered control and a genuine choice with regard to accepting or declining (without detriment/retaliation) the terms offered.

In the table below, we compare and contrast current regimes in the US regarding consent requirements and the GDPR requirements most relevant to the healthcare industry.

GDPR vs. HIPAA/HITECH & FTC

GDPRHIPAA/HITECHFTC
Consent – Not presumed to be given, must be actual consent.

Generally, only an appropriate lawful basis if a data subject is offered control and a genuine choice with regard to accepting or declining (without detriment/retaliation) the terms offered.
HIPAA/HITECH presumes consent to uses and disclosures for treatment, payment, and health care operations in the absence of a patient’s instructions to the contrary, if the provider complies with regulatory requirements.

The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations.

The Privacy Rule requires explicit consent for various uses and disclosures including research, marketing and solicitation.
FTC enforcement of consent requirements (regarding health information) generally applies to ancillary providers and specific categories of clinical records not covered by HIPAA/HITECH. Some circumstances call for shared jurisdiction with other agencies.

In addition to the general consumer protection power enumerated in the FTC Act, the FTC has specific enforcement jurisdiction over specific laws that feature consent obligations, including COPPA.
Data processing, when relying on “consent,” is only lawful if and to the extent that:

(a) the data subject has given consent to the processing of their data for one or more primary purposes. Thus, obtaining valid consent is always preceded by the determination of a specific, explicit and legitimate purpose for the intended processing activity.
By contrast, an authorization is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule.

An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes including research, marketing and solicitation.
FTC jurisdiction for health information includes:

Medical billing companies that collect consumers’ personal medical information without their consent.

Medical transcript companies that outsourced services without making sure the company could reasonably implement appropriate security measures.

Medical billing and revenue management companies that allowed access to consumer information to employees that did not need it to complete their jobs.

Apps that are medical devices that could pose a risk to patient safety if they do not work properly.
Member states have freedom to make laws, usually ones relating to special categories, more stringent than the general consent requirements in the GDPR.Under state law, consent is required by most states for constituencies such as minors, HIV and AIDS patients. Under federal law, a complex consent process attaches to select kinds of substance abuse treatment. All such consent requirements preempt HIPAA/HITECH under the applicable state laws.Before collecting, using or disclosing personal information from a minor, you must get their parent’s “verifiable consent.” Consent must be obtained through a technological medium that is reasonable given the available technology.

[i] See Commission Regulation 2016/679 of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC). 2016 (L 119) 35, 36 [hereinafter General Data Protection Regulation].

[ii] See General Data Protection Regulation at 32-33.

[iii] See id at 33.

[iv] See id at 33 (Definition (2)).

Joan M. Lebow is the Healthcare Regulatory and Technology Practice Chair in the Chicago office of Quintairos, Prieto, Wood & Boyer, P.A. Clayton W. Sutherland is a Class of 2018 graduate of the IIT Chicago-Kent College of Law.