By Jeff Gardosh • June 6, 2018

GDPR in a Connected Health World

At CloudMine, the new GDPR requirements have been on our radar for some time. As such, we want to inform you that CloudMine is committed to creating a GDPR-compliant product and that we take the custodianship, security and privacy of your data very seriously. If you regularly deal with HIPAA, some of the controls in the new regulation will look familiar. Below we’ll discuss some of the key components of GDPR and how those controls may fit in with your existing security program.

A critical distinction in the new regulation is that between a Controller and a Processor. The Controller needs to be able to ensure and demonstrate that they are complying with the regulation and protecting the rights and freedoms of data subjects in regards to their personal data. The Controller must apply appropriate technical and administrative controls with respect to the scope and context of how they will use the data and the risks inherent in that usage. This role mirrors that of the Covered Entity under HIPAA: both the Controller and the CE interact with the customers (data subjects, patients) and need to assure that their data is protected. Like the updates to HIPAA, HITECH and Omnibus, the GDPR accounts for the complicated nature of modern data processing systems. Under GDPR:

“Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”

It is likely, possibly inevitable, that a 3rd party will be involved in processing. GDPR defines the role of those 3rd parties as a Processor. A Processor shall provide assurance that they are implementing sufficient controls so that their processing will meet the regulation and protect the rights of the data subject. HIPAA defines a similar role for entities that perform functions on behalf of the Covered Entity: Business Associates are also responsible for implementing sufficient controls to protect sensitive data.

GDPR and HIPAA both require formal agreements or contracts to define the role and acceptable use of sensitive data for their Processors and Business Associates. Under HIPAA this is known as a Business Associate Agreement or BAA. These contracts define the responsibilities for meeting the various elements of the regulations; under GDPR the focus is on the Data Subject Rights.

The goal of GDPR is to protect the rights and freedoms of Data Subjects, particularly in regards to their personal data. This manifests in the rights of the data subject, a list of core requirements that define what Data Subjects are entitled to with respect to how their information is used. Data Subjects must be informed on how their data will be used and processed, typically highlighted in a privacy policy. Subjects must also provide consent “which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language” for any processing. Once data is stored on them, Data Subjects can ask for any mistakes or gaps to be corrected (Right to rectification), for their data to be deleted (Right to erasure), to be exported (Right to portability) or to stop processing (Right to object). Under HIPAA patients have a right to access and amend their data and must also give authorization. For a Covered Entity, many of the necessary elements for handling Data Subject rights should be built from your HIPAA programs.

To ensure these regulations are being implemented, specific roles are assigned that have the responsibility to support the compliance programs. Under HIPAA these are the Security Officer and Privacy Officer. The Security Officer must maintain the policies, programs and technology to protect the confidentiality, integrity and availability of sensitive data. The Privacy Officer oversees the policies and procedures for the safe use and handling of protected information. Under GDPR these roles are combined into one Data Protection Officer. A history of privacy laws means DPOs have been commonplace in the European Union (EU) for years, but with GDPR those roles will expand across the globe. DPOs are expected to inform their organization about its obligations under GDPR, monitor its compliance and provide advice. For Covered Entities, similar roles and units should already be in place that could support the requirements.

The biggest difference between HIPAA and GDPR is their scope. While both cover huge areas, large and small companies and millions of people, the crossover may be limited. GDPR applies to the processing of personal data from any European Union Data Subject regardless of where that processing takes place. HIPAA regulates Covered Entities, and their business associates, not the protected data itself or the subjects of that data. Covered Entities under HIPAA are health care providers, health plans and healthcare clearinghouses. In reality these organizations are where health information for most people will be created and managed. There will be Covered Entities that won't often process personal information for EU Data Subjects, but they must be prepared to handle that when it happens. HIPAA compliance programs have created the tools, roles and awareness necessary to more easily adapt to the new regulation.

CloudMine’s Connected Health Cloud™ is a secure development platform that specializes in providing a continuum of integrated care through providers, payers and patients/consumers. CloudMine is GDPR and HIPAA compliant and ISO 27001, SOC2 and HITRUST certified. Contact us about how we can help you meet your compliance needs without impeding innovation.