AMCs and the General Data Protection Regulation (GDPR)

Does the new law apply to my organization?

Slide 2 – Panelists:

• David Holtzman – VP Compliance Strategies, CynergisTek
• Karen Pagliaro-Meyer – Chief Privacy Officer, Columbia University Medical Center
• Lynn Rohland – Partner, RGP
• Robert Webster – Privacy Counsel, LabCorp

GDPR Panel: NCHICA Conference June 11-12, 2018 – 14th AMC Security and Privacy Conference (session held June 12, 2018)

Slide 3 – Session Objectives:

• Review the requirements of the General Data Protection Regulation (GDPR)
• Discuss how the GDPR may apply to AMCs
• Identify actionable steps to achieve compliance and mitigate risks

Slide 4 – In-Session Surveys:

• We will use Poll Everywhere during our panel discussion.
• Participate by either sending a text message or by visiting the URL from any web browser.
• Now would be a good time to take a moment to get you set up; please pull out your electronic device.
• Don't forget to silence it please to minimize disruption.
• Let's take 1 minute to walk through it:

Slide 5 – Poll Everywhere Instructions:

Let's do one quick question right now to get the hang of it:

• For text voting, start a new text to the 5-digit number: ##### (to be provided)
• For web voting, type into your browser: Pollev.com/lynnrohland

Slide 6 – Practice Question:

• Is this the first time you have attended the AMC Conference?
– a) Yes
– b) No
– c) I can't recall


Slide 8 – What are people saying about GDPR?

Slide 9 – Survey Question #1:

• Does GDPR impact your organization's business goals or internal operations?
– a) Yes
– b) No
– c) Unsure


Slide 11 – Survey Question #2:

• How far along is your organization in preparing for the GDPR?
– a) Completed or near completion
– b) In progress or beyond the planning stage
– c) Not started or in the planning stage
– d) Not applicable to my organization
– e) Unsure


Slide 13 – Survey Question #3:

• Are clients, vendors or other business partners inquiring about your organization's GDPR preparedness?
– a) Yes
– b) No
– c) Unsure


Slide 15 – GDPR Overview:

• The GDPR is an omnibus data protection law. It came into effect on May 25, 2018 and replaced the EU Data Protection Directive (95/46/EC, 1995).
• The GDPR sets standards for the protection of natural persons with regard to the processing of personal data and for the free movement of such data.

Slide 16 – GDPR Overview (cont'd):

• The regulation applies to processing carried out in the context of the activities of an EU establishment of a controller or processor, and, regardless of geographic location, to any organization that offers goods or services to, or monitors the behavior of, data subjects in the EU and controls or processes their personal data (Art. 3).
• Penalties for failing to comply with the basic processing principles of the GDPR may subject the organization to fines of up to €20 million or 4% of its total worldwide annual turnover for the preceding financial year, whichever is greater (Art. 83(5)).

Slide 17 – GDPR Overview (cont'd):

• Key definitions under the GDPR:
– Personal Data – any information relating to an identified or identifiable natural person; a person is identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier (Art. 4(1))
– Processing – any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, storage, alteration, retrieval, use, disclosure or erasure (Art. 4(2))

Slide 18 – GDPR Overview (cont'd):

• Key definitions under the GDPR:
– Controller – determines the purposes and means of processing personal data
– Processor – processes personal data on behalf of, and on the instructions of, a controller
– Example: A company engages a vendor to help manage its payroll operations. The company transmits employee demographic data to the vendor so that the vendor can manage payroll for the employees. The company is the controller, because it decides why and how the data is processed; the vendor is the processor, because it handles the data only on the company's behalf.


Slide 20 – GDPR Overview (cont'd):

[Diagram: US Company, EU Subsidiaries, EU Clients, EU Citizens, Third Parties]

Slide 21 – FAQ on Scope of GDPR:

• Does GDPR apply to a non-EU organization that only processes data about non-EU data subjects, but uses servers located in the EU to do so? Yes
• Does GDPR apply to a non-EU organization that only processes data about non-EU data subjects, but uses an EU processor to do so? Probably. Understanding of GDPR is evolving.
• Does GDPR apply to a non-EU organization that only uses non-EU equipment to process data about EU data subjects? Not on the equipment criterion alone: the location of the equipment is irrelevant under Art. 3(2), so the question becomes whether the organization offers goods or services to, or monitors the behavior of, data subjects in the EU (the applicability criteria applied in the scenarios that follow).

Slide 22 – Q&A Session:

• Which health sectors does GDPR impact?
• And what are their greatest risks?

Slide 23 – Q&A: Which health sectors does GDPR impact?

• The healthcare industry is better positioned to comply with GDPR than most industries, most notably because of the HIPAA Privacy Rule.
• GDPR builds upon data protection principles, concepts and themes similar to those HIPAA has enforced since 4/14/2003.
• It impacts providers, insurers, third-party administrators, and researchers that collect and/or process the personal data of individuals in the EU.

Slide 24 – Q&A: Which health sectors does GDPR impact (cont'd)?

• It also impacts ancillary markets such as telemedicine, virtual health solutions, and clinical research on cures and pharmaceuticals.
• And of course, there are impacts for cloud services that process and store health data, such as genomic cloud computing.
• And here's why…

Slide 25 – Q&A: Which health sectors does GDPR impact (cont'd)?

• The GDPR defines three categories of health-related data, all treated as special categories of personal data (Art. 9): 1. Data concerning health, 2. Genetic data, and 3. Biometric data.
• Companies must disclose precisely how they are using patient data.
• Patient permissions cannot be bundled together: patients must consent to each purpose independently.
• Data Protection Impact Assessments (DPIAs) are required when health data of the three kinds mentioned above is processed on a large scale.

Slide 26 – Q&A: What risks does GDPR present to the health sectors?

• GDPR has compelled a cultural shift.
• Data protection is no longer viewed simply as a "compliance" activity but rather as a thorough examination of an organization's data handling practices and its data flows.
• GDPR is privacy from the perspective of the EU data subject.
• Those that fail to acknowledge and adopt this principle are at greatest risk.

Slide 27 – Scenario #1: You are a US-based online telehealth service. What if you have incidental EU encounters?

Applicability Criteria Analysis

Is the processing of data "in the context of the activities" of an establishment of a controller or processor in the EU?
• No

Are you offering goods and services to data subjects in the EU?
• Website localization? (Domain names, language, other?)
• Acceptance of EU currencies?
• Delivery to EU addresses?
• Email registrants? (service vs. marketing emails)

Are you monitoring the behavior of data subjects in the EU?
• Use of targeting/retargeting platforms?

Slide 28 – Scenario #1: Analysis

• You are a US-based online telehealth service. What if you have incidental EU encounters?
– Conclusion: Maybe subject to GDPR
– Many factual considerations to take into account. "Mere accessibility" of the service from the EU is not enough; consider the "nexus" to European data subjects.
– Even if technically subject to GDPR, it may be low risk to proceed as if GDPR does not apply until the quantity of EU encounters grows or other risk triggers appear (e.g., complaints).
– Risk-based decisions need to weigh the likelihood of enforcement against the burdens of compliance overhead:
• appointment of an EU representative, compliance with GDPR fair processing requirements, vendor terms, data export rules

Slide 29 – Scenario #2: Data hosted in the EU?

Applicability Criteria Analysis

Is the processing of data "in the context of the activities" of an establishment of a controller or processor in the EU?
• Unclear. Is the processing "in the context of the activities" of the US-based data controller, in which case this limb does not apply? Or of the EU data processor, in which case it does apply?
• Even if the controller is not directly subject, the EU processor will be, with indirect compliance considerations for the controller

Are you offering goods and services to data subjects in the EU?
• Website localization? (Domain names, language, other?)
• Acceptance of EU currencies?
• Delivery to EU addresses?
• Email registrants? (service vs. marketing emails)

Are you monitoring the behavior of data subjects in the EU?
• Use of targeting/retargeting platforms?

Slide 30 – Scenario #2: Analysis

• What if you host the data from US operations in the EU?
• Bottom line: Maybe subject to GDPR
• Unclear legal test of whose "activities" trigger GDPR requirements
• Even if technically subject to GDPR, it may be low risk to proceed as if GDPR does not apply. Some data processors may try to "flow up" some compliance responsibilities through the vendor terms required by GDPR (Art. 28).

Slide 31 – Scenario #3: EU patient(s) in US healthcare facility?

Applicability Criteria Analysis

Is the processing of data "in the context of the activities" of an establishment of a controller or processor in the EU?
• No – no EU establishment

Are you offering goods and services to data subjects in the EU?
• No – you are not processing personal data of data subjects in the EU; the patients are in the US while being treated
• What about when they return to the EU? Is it "apparent" that you "envisage" processing their data?
• What if you also send promotional follow-ups? Is it apparent that you intend to market to individuals in the EU? Is it focused on EU "customers"?

Are you monitoring the behavior of data subjects in the EU?
• Are you conducting email opening analysis?
• Monitoring access to a PHR or EHR?

Slide 32 – Scenario #3: Analysis

• EU patients treated in a US facility
• Bottom line: Unlikely that the data will be subject to GDPR
• No establishment of the business located in the EU
• No processing of personal data of data subjects in the EU: your patients are not in the EU at the time of treatment
• What about when the patient returns to the EU?
• What if you continue to contact or monitor the patient after they return to the EU?

Slide 33 – Q&A Session:

• If an AMC is impacted by the GDPR, what are some approaches to compliance?


Slide 35 – Q&A Session:

• What are some common misunderstandings or oversights about the GDPR in your organization?

Slide 36 – Q&A Session:

• The GDPR is already in effect. How can I expedite my organization's compliance efforts, and what are the "do's and don'ts" to look out for?

Slide 37 – Q&A Session:

• Open to the audience.

Slide 38 – Emerging Themes:

• Most EU member states have not yet established their national laws implementing GDPR standards or their enforcement programs
• Activists are pursuing test cases against companies that collect or process large amounts of personal data:
– Google
– LinkedIn
– Facebook
• Electronic data standards under development


Slide 40 – Survey Question #4:

• Do I have the information necessary to assist my organization's GDPR compliance efforts?
– a) Yes
– b) No
– c) Getting there
– d) Unsure


Slide 42 – Survey Question #5:

• Do I now think that my organization may need to look further into the compliance requirements of the GDPR?
– a) Yes
– b) No
– c) Still unsure

Slide 43 – Additional information on the GDPR:

Thank You for Participating

Resource – Web Link to Source
• Full Text of the GDPR – http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
• Information Commissioner's Office (ICO) Guide to the GDPR – https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr
• EU GDPR Information – https://www.eugdpr.org/
• European Commission Article 29 Working Party Newsroom on the GDPR (Guidance Papers) – http://ec.europa.eu/newsroom/article29/news-overview.cfm
• A Primer on the GDPR: What You Need to Know – http://privacylaw.proskauer.com/2015/12/articles/european-union/a-primer-on-the-gdpr-what-you-need-to-know/
• 5-Minute Video on the GDPR – https://www.youtube.com/watch?v=cBRUYUheTTs
• What Does the GDPR Mean for Global Data Protection? (Infographic) – https://digitalguardian.com/blog/what-does-gdpr-mean-global-data-protection-infographic