AMCs and. Does the new law apply to my organization?

Transcription

1 AMCs and Does the new law apply to my organization?

2 Panelists: David Holtzman VP Compliance Strategies, CynergisTek Karen Pagliaro-Meyer Chief Privacy Officer, Columbia University Medical Center Lynn Rohland Partner, RGP Robert Webster Privacy Counsel, LabCorp June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 2

3 Session Objectives: Review the requirements of the General Data Protection Regulation (GDPR) Discuss how the GDPR may apply to AMCs Actionable steps to achieve compliance and mitigate risks June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 3

4 In-Session Surveys: We will use Poll Everywhere during our panel discussion. Participate by either sending a text message or by visiting the URL from any web browser. Now would be a good time to take a moment to get you set up; please pull out your electronic device. Don t forget to silence it please to minimize disruption. Let s take 1 minute to walk through it: June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 4

5 Poll Everywhere Instructions: To: ##### For web voting, type into your browser: Pollev.com/lynnrohland For text voting, start with a new text: 5-digit number: ##### (To Be Provided) Let s do one quick question right now to get the hang of it: June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 5

6 Practice Question: Is this the first time you have attended the AMC Conference? a) Yes b) No c) I can t recall Yes June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 6

7 June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 7

8 What are people saying about GDPR? June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 8

9 Survey Question #1: Does GDPR impact your organization s business goals or internal operations? a) Yes b) No c) Unsure June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 9

10 June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 10

11 Survey Question #2: How far along is your organization in preparing for the GDPR? a) Completed or Near-Completion b) In-Progress or Beyond Planning Stage c) Not Started or in Planning Stage d) Not Applicable to my Organization e) Unsure June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 11

12 June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 12

13 Survey Question #3: Are clients, vendors or other business partners inquiring about your organization s the GDPR preparedness? a) Yes b) No c) Unsure June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 13

14 June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 14

15 GDPR Overview: The GDPR is an omnibus data protection law, which will come into effect on May 25, 2018 and replace the EU Data Protection Directive (1995). The GDPR sets standards for the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data. June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 15

16 GDPR Overview (cont d): This regulation applies to any organization offering goods and services in the EU, regardless of geographic location, that controls or processes the data of an EU resident. Penalties for failing to comply with the basic processing principles of GDPR may subject the organization to fines up to 20 million or 4% of the organization s total global revenue, whichever is greater June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 16

17 GDPR Overview (cont d): Key definitions under the GDPR: Personal Data - any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier, including name, identification number, location data or online identifier Processing - obtaining, recording or holding information, or carrying out any operation or set of operations on information June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 17

18 GDPR Overview (cont d): Key definitions under the GDPR: Controller - determines the purposes and means of processing personal data Processor - responsible for processing personal data on behalf of a controller Example: Company engages a vendor to help manage its payroll operations. The Company transmits the employee demographic data to the vendor so that the vendor can manage payroll for the employees. June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 18

19 GDPR Overview (cont d): June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 19

20 GDPR Overview (cont d): EU Clients EU Citizens EU Subsidiaries Third Parties US Company June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 20

21 FAQ on Scope of GDPR: Does GDPR apply to non-eu organizations which only processes data about non-eu data subjects, but uses servers located in the EU to do so? Yes Does GDPR apply to non-eu organizations which only processes data about non-eu data subjects but which uses an EU processor to do so? Probably.understanding of GDPR is evolving Does GDPR apply to a non-eu organization which only uses non-eu equipment to process data about EU data subjects? No June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 21

22 Q&A Session: Which health sectors does GDPR impact? And what are their greatest risks? June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 22

23 Q&A: Which health sectors does GDPR impact? Healthcare industry better positioned to comply with GDPR than most industries most notably due to the HIPAA Privacy Rule. GDPR builds upon similar HIPAA data protection principals, concepts and themes enforced since 4/14/2003. Impacts providers, insurers, third-party administrators, and researchers that collect and/or process data of EU residents. June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 23

24 Q&A: Which health sectors does GDPR impact (cont d)? It also impacts ancillary markets such as telemedicine, virtual health solutions, clinical research on cures and pharmaceuticals. And of course, there are impacts for cloud services that process and store health data such as for genomic cloud computing. And here s why June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 24

25 Q&A: Which health sectors does GDPR impact (cont d)? It further categorizes three (3) additional health data definitions: 1. Data Concerning Health, 2. Genetic Data, and 3. Biometric Companies must disclose precisely how they're using patient data. Patient permissions cannot be bundled together patients must consent to each permission independently. Data Protection Impact Assessments (DPIAs) are required when health data of the three kinds mentioned above are processed on a large scale. June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 25

26 Q&A: What risks does GDPR present to the health sectors? GDPR has compelled a cultural shift. Data protection is no longer viewed simply as a compliance activity but rather a thorough examination of an organization s data handling practices and its data flows. GDPR is privacy from the perspective of the EU data subject Those that fail to acknowledge and adopt this principle are at greatest risk. June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 26

27 Scenario #1: You are a US-based online telehealth service. What if you have incidental EU encounters? Applicability Criteria Is the processing of data in the context of the activities of an establishment of a controller or processor in the EU? No Analysis Are you offering goods and services to data subjects in the EU? Are you monitoring the behavior of data subjects in the EU? Website localization? (Domain names, language, other?) Acceptance of EU currencies Delivery to EU addresses? registrants service vs marketing s Use of targeting/retargeting platforms? June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 27

28 Scenario #1: Analysis You are a US-based online telehealth service. What if you have incidental EU encounters? Conclusion: Maybe subject to GDPR Many factual considerations to take into account. Mere accessibility not enough Consider nexus to European data subjects Even if technically subject to GDPR, may be low risk to proceed as if GDPR does not apply until quantity of EU encounters grow or other risk triggers (i.e. complaints) Risk based decisions need to be weighed against likelihood of enforcement vs burdens of compliance overheads appointment of EU rep, compliance with GDPR fair processing requirements, vendor terms, data export rules June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 28

29 Scenario #2: Data hosted in the EU? Applicability Criteria Is the processing of data in the context of the activities of an establishment of a controller or processor in the EU? Are you offering goods and services to data subjects in the EU? Are you monitoring the behavior of data subjects in the EU? Analysis Unclear. Is the processing in the context of the activities of the US based data controller in which case this limb does not apply? Or, the EU data processor in which case it does apply? Even if controller not directly subject, process will be w/indirect compliance considerations for the controller Website localization? Domain names, language, other? Acceptance of EU currencies Delivery to EU addresses? registrants Service vs marketing s Use of targeting/retargeting platforms? June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 29

30 Scenario #2: Analysis What if you host the data from US operations in the EU? Bottom line: Maybe subject to GDPR Unclear legal test of whose activities trigger GDPR requirements Even if technically subject to GDPR, may be low risk to proceed as if GDPR does not apply. Some Data Processors may try to flow-up some compliance responsibilities through the vendor terms required by GDPR June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 30

31 Scenario #3: EU patient(s) in US healthcare facility? Applicability Criteria Is the processing of data in the context of the activities of an establishment of a controller or processor in the EU? Are you offering goods and services to data subjects in the EU? Analysis No No EU establishment No--You are not processing personal data of data subjects in the EU What about when they return to the EU? Is it apparent that you envisage processing their data? What if you also send promotional follow-ups? Is it apparent that you intend to market to individuals in the EU? Is it focused to EU customers? Are you monitoring the behavior of data subjects in the EU? Are you conducting opening analysis? Monitoring access to PHR or EHR? June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 31

32 Scenario #3: Analysis EU patients treated in US facility Bottom line: Unlikely data be subject to GDPR No establishment of business located in EU No processing of personal data of data subjects in the EU your patients are not in the EU What about when the patient returns to the EU? What if you continue to contact or monitor the patient after they return to the EU? June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 32

33 Q&A Session: If an AMC is impacted by the GDPR, what are some approaches to compliance? June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 33

34 June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 34

35 Q&A Session: What are some common misunderstandings or oversights about the GDPR in your organization? June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 35

36 Q&A Session: The GDPR is already in effect. How can I expedite my organizations compliance efforts and what are the Do s and Don ts to look out for? June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 36

37 Q&A Session: Open to the audience. June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 37

38 Emerging Themes: Most EU member states have not established their laws enacting GDPR standards or enforcement programs Activists are pursuing test cases in against companies that collect or process large amounts of personal data Google LinkedIn Facebook Electronic data standards under development June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 38

39 June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 39

40 Survey Question #4: Do I have the information necessary to assist my organization s GDPR compliance efforts? a) Yes b) No c) Getting There d) Unsure June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 40

41 June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 41

42 Survey Question #5: Do I now think that my organization may need to look further into the compliance requirements of the GDPR? a) Yes b) No c) Still Unsure June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 42

43 Thank You for Participating Additional information on the GDPR: Full Text of the GDPR Resource Description Information Commissioner s Office (ICO) Guide to the GDPR EU GDPR Information European Commission Article 29 Working Group Newsroom on the GDPR (Guidance Papers) A Primer on the GDPR: What You Need to Know 5-Minute Video on the GDPR What Does the GDPR Mean for Global Data Protection? (Infographic) Web Link to Source european-union/a-primer-on-the-gdpr-what-youneed-to-know/ June 12,2018 GDPR Panel: NCHICA Conference June 11-12, th AMC Security and Privacy Conference 43