GDPR: Different Galaxy, Different Security & Privacy Rules (Part 2 of 5)

Blog Post by Brian Selfridge, Meditology Services IT Risk Management Partner

For decades, we’ve imagined the different life forms we might encounter while traveling in space. The series Star Trek has entertained generations by imagining how things might work in another galaxy. Healthcare now has its own version of this experience: Europe’s General Data Protection Regulation (GDPR) has security and privacy leaders feeling that they need to update their programs to meet the standards of another galaxy. Many CISOs and privacy executives are asking, “Does GDPR apply to us?” and “How will GDPR be enforced against US-based healthcare organizations?”

On May 25, 2018, GDPR became enforceable across the European Union member states, and organizations within its scope must now comply with its requirements. GDPR replaces the 1995 EU Data Protection Directive, which was written before the era of remote medicine/telemedicine, cloud data storage, and smart mobile devices such as tablets and smartphones.

The takeaway for U.S.-based firms (healthcare providers, health plans, and business associates serving health care) is to determine whether your organization is required to meet GDPR compliance requirements. Two conditions bring your organization into scope[1]:

  1. The organization operates in (is established in) a European Union member state;
  2. The organization actively markets or delivers services to patients located in the European Union.

Note that GDPR’s territorial scope (Article 3) also reaches organizations outside the EU that monitor the behavior of individuals in the EU, for example through website tracking of EU visitors; a U.S. organization that does neither of the above but runs such tracking should include it in its scoping analysis.

Every organization needs to evaluate GDPR applicability explicitly rather than assume an answer. For many U.S. healthcare providers and health plans, GDPR may not apply. It becomes a bigger issue for business associates and vendors serving healthcare, many of which are based in or do business within the European Union. In those cases the business associate must address GDPR requirements, which may require a significant level of effort to achieve compliance.

GDPR casts a wide net for the types of information that must be protected: any personal data of individuals in the EU. This extends well beyond Protected Health Information (PHI) to personal phone numbers, political opinions, sexual orientation, IP addresses, screen names, and more.

U.S. healthcare data security frameworks such as HITRUST are adding GDPR to their certification options for organizations that operate in, or interface with, European Union member states and patients. GDPR’s privacy requirements also go substantially beyond HIPAA and U.S. state-level regulations, for example in its consent standard, its data subject rights of access and erasure, and its 72-hour window for notifying the supervisory authority of a breach, compared with HIPAA’s 60 days.

Even though it may seem like an unknown galaxy where the regulations are branching into uncharted territory, GDPR compliance is manageable for most U.S.-based health organizations. With GDPR enforceable as of May 25, 2018, organizations in the US should perform a GDPR risk assessment now and determine whether they need to engage warp engines to bring their enterprise into compliance with these new requirements.

Learn about emerging trends, threats and actionable risk management steps in our annual report: Navigating Through a Changing Cyberspace: 2018 Healthcare Data Security Outlook. Download this free report today and share with your colleagues.

This is PART 2 of a five-part blog series highlighting Healthcare Information Security trends as we pay tribute to the anniversary of the Apollo 11 mission of 1969.


[1] Goodchild, J. “Is Healthcare Ready to Comply With GDPR?” InfoRisk Today, January 16, 2018.
