Countdown to Health Care Privacy Compliance; GDPR Minus Eight Days

By Joan M. LeBow and Clayton W. Sutherland

Are you a US healthcare provider with concerns about data privacy, a patient, or a reporter or policymaker trying to understand the changing healthcare privacy landscape? If you are, then our blog series will help you sort through the essential question of the GDPR's relevance to you.

The European Council and European Parliament passed Regulation 2016/679, better known as the General Data Protection Regulation (GDPR), to repeal and replace Directive 95/46/EC, known as the Data Protection Directive (DPD). The new regulation creates a single set of privacy protection laws to be implemented in Member States and complied with by participants in the digital information market. Data processing under the GDPR is based on seven core principles: accountability; lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; and integrity and confidentiality.[i] These principles provide the foundation for the GDPR and its various compliance requirements. Like the DPD, the GDPR applies to processors and controllers of data. For clarification, the controller determines how and why the data is collected and processed, while the processor acts on the controller's behalf.

The broadened scope of the GDPR is laid out in Article 3. The regulation applies to all companies processing personal data of EU residents regardless of the company's location or where the processing takes place.[ii] Further, the GDPR applies to data processing by controllers or processors not established in the EU when the company offers goods or services to EU citizens and the monitoring of data subjects takes place in the European Union. Specifically, Article 3 § 2 applies to entities established outside the EU that conduct data processing activities under certain conditions. According to § 2(a), if you offer goods or services to data subjects in the EU or, under § 2(b), if you monitor a data subject's behavior that occurs in the EU, the GDPR will apply.[iii]

Under the GDPR, "processing" is broadly defined. Consequently, it should be understood as a set of activities, automated or not, that includes data collection, storage, use, consultation, and disclosure by transmission, among other activities.[iv] For example, a company's medical app that transmits data concerning EU residents to doctors in the US for consultative services would be subject to the GDPR; for the US consultant, the transmission of the data is the prong that triggers application. Moreover, the GDPR applies when a company operates a website that meets Art. 3 § 2 by offering goods and services (business activities) or monitoring data subject behavior in the EU (business activities).

The GDPR's data privacy and security obligations, requirements, and rights are closing fast on providers in the US. The GDPR goes into effect on May 25, 2018. In the health care arena, US companies must comply with both the GDPR and existing US data security standards. Our blog series will assist with this reconciliation and normalization process for compliance officers and counsel trying to make sense of these overlapping frameworks.

We will start this series by introducing Article 6 and reviewing consent under the GDPR as a lawful basis for processing data. Next, we will analyze the GDPR's definition of consent to help understand its four primary elements and the conditions for consent found in Article 7. Then we proceed to Article 9, discussing the five most relevant justifications for health and medical industry participants that want to process special categories of data and how such justifications relate to current compliance requirements in the US.

Consent and Article 6

Under the GDPR, data processing is only lawful if and when it falls under one of the six enumerated justifications in Article 6, including consent, performance of a contract, and satisfying legal obligations. We will primarily focus on consent and relevant sections in this review.

Consent is at the core of the GDPR and is an area of expected focus for enforcement. Article 6(1) states that data processing, when relying on consent, is only lawful if and to the extent that (a) the data subject has given consent to the processing of their data for one or more primary purposes. Thus, obtaining valid consent is always preceded by the determination of a specific, explicit and legitimate purpose for the intended processing activity. Generally, consent can only be an appropriate lawful basis if a data subject is offered control and a genuine choice with regard to accepting or declining (without detriment/retaliation) the terms offered.

In the table below, we compare and contrast current regimes in the US regarding consent requirements and the GDPR requirements most relevant to the healthcare industry.

GDPR vs. HIPAA/HITECH & FTC

Row 1: Is consent presumed?

GDPR: Consent is not presumed to be given; it must be actual consent. Generally, consent is only an appropriate lawful basis if a data subject is offered control and a genuine choice with regard to accepting or declining (without detriment/retaliation) the terms offered.

HIPAA/HITECH: HIPAA/HITECH presumes consent to uses and disclosures for treatment, payment, and health care operations in the absence of a patient's instructions to the contrary, if the provider complies with regulatory requirements. The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. The Privacy Rule requires explicit consent for various uses and disclosures, including research, marketing and solicitation.

FTC: FTC enforcement of consent requirements (regarding health information) generally applies to ancillary providers and specific categories of clinical records not covered by HIPAA/HITECH. Some circumstances call for shared jurisdiction with other agencies. In addition to the general consumer protection power enumerated in the FTC Act, the FTC has specific enforcement jurisdiction over specific laws that feature consent obligations, including COPPA.

Row 2: Purpose of processing and authorization

GDPR: Data processing, when relying on "consent," is only lawful if and to the extent that (a) the data subject has given consent to the processing of their data for one or more primary purposes. Thus, obtaining valid consent is always preceded by the determination of a specific, explicit and legitimate purpose for the intended processing activity.

HIPAA/HITECH: By contrast, an authorization is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule. An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, including research, marketing and solicitation.

FTC: FTC jurisdiction for health information includes:
- medical billing companies that collect consumers' personal medical information without their consent;
- medical transcript companies that outsourced services without making sure the company could reasonably implement appropriate security measures;
- medical billing and revenue management companies that allowed access to consumer information to employees that did not need it to complete their jobs; and
- apps that are medical devices that could pose a risk to patient safety if they do not work properly.

Row 3: More stringent requirements under Member State, state or federal law

GDPR: Member states have freedom to make laws, usually ones relating to special categories, more stringent than the general consent requirements in the GDPR.

HIPAA/HITECH: Under state law, consent is required by most states for constituencies such as minors and HIV and AIDS patients. Under federal law, a complex consent process attaches to select kinds of substance abuse treatment. All such consent requirements preempt HIPAA/HITECH under the applicable state laws.

FTC: Before collecting, using or disclosing personal information from a minor, you must get their parent's "verifiable consent." Consent must be obtained through a technological medium that is reasonable given the available technology.

[i] See Commission Regulation 2016/679 of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC, 2016 (L 119) 35, 36 [hereinafter General Data Protection Regulation].

[ii] See General Data Protection Regulation at 32-33.

[iii] See id. at 33.

[iv] See id. at 33 (Definition (2)).

Joan M. LeBow is the Healthcare Regulatory and Technology Practice Chair in the Chicago office of Quintairos, Prieto, Wood & Boyer, P.A. Clayton W. Sutherland is a Class of 2018 graduate of the IIT Chicago-Kent College of Law.